diff options
Diffstat (limited to 'network/dropbox/policies')
| -rw-r--r-- | network/dropbox/policies | 1588 |
1 files changed, 1588 insertions, 0 deletions
diff --git a/network/dropbox/policies b/network/dropbox/policies new file mode 100644 index 0000000000..3392464a16 --- /dev/null +++ b/network/dropbox/policies @@ -0,0 +1,1588 @@ +Dropbox Terms of Service + + Posted: November 4, 2015 + + Thanks for using Dropbox! These terms of service ("Terms") cover your + use and access to our services, client software and websites + ("Services"). If you reside outside of the United States of America, + Canada and Mexico (“North America”) your agreement is with Dropbox + Ireland, and if you reside in North America your agreement is with + Dropbox, Inc. Our [45]Privacy Policy explains how we collect and use + your information while our [46]Acceptable Use Policy outlines your + responsibilities when using our Services. By using our Services, you're + agreeing to be bound by these Terms, and to review our [47]Privacy and + [48]Acceptable Use policies. If you're using our Services for an + organization, you're agreeing to these Terms on behalf of that + organization. + +Your Stuff & Your Permissions + + When you use our Services, you provide us with things like your files, + content, email messages, contacts and so on ("Your Stuff"). Your Stuff + is yours. These Terms don't give us any rights to Your Stuff except for + the limited rights that enable us to offer the Services. + + We need your permission to do things like hosting Your Stuff, backing + it up, and sharing it when you ask us to. Our Services also provide you + with features like photo thumbnails, document previews, email + organization, easy sorting, editing, sharing and searching. These and + other features may require our systems to access, store and scan Your + Stuff. You give us permission to do those things, and this permission + extends to our affiliates and trusted third parties we work with. + +Sharing Your Stuff + + Our Services let you share Your Stuff with others, so please think + carefully about what you share. + +Your Responsibilities + + You're responsible for your conduct, Your Stuff and you must comply + with our [49]Acceptable Use Policy. Content in the Services may be + protected by others' intellectual property rights. Please don't copy, + upload, download or share content unless you have the right to do so. + + We may review your conduct and content for compliance with these Terms + and our [50]Acceptable Use Policy. With that said, we have no + obligation to do so. We aren't responsible for the content people post + and share via the Services. + + Please safeguard your password to the Services, make sure that others + don't have access to it, and keep your account information current. + + Finally, our Services are not intended for and may not be used by + people under the age of 13. By using our Services, you are representing + to us that you're over 13. + +Software + + Some of our Services allow you to download client software ("Software") + which may update automatically. So long as you comply with these Terms, + we give you a limited, nonexclusive, nontransferable, revocable license + to use the Software, solely to access the Services. To the extent any + component of the Software may be offered under an open source license, + we'll make that license available to you and the provisions of that + license may expressly override some of these Terms. Unless the + following restrictions are prohibited by law, you agree not to reverse + engineer or decompile the Services, attempt to do so, or assist anyone + in doing so. + +Beta Services + + We sometimes release products and features that we are still testing + and evaluating. Those Services have been marked beta, preview, early + access, or evaluation (or with words or phrases with similar meanings) + and may not be as reliable as Dropbox’s other services, so please keep + that in mind. + +Our Stuff + + The Services are protected by copyright, trademark, and other US and + foreign laws. These Terms don't grant you any right, title or interest + in the Services, others' content in the Services, Dropbox trademarks, + logos and other brand features. We welcome feedback, but note that we + may use comments or suggestions without any obligation to you. + +Copyright + + We respect the intellectual property of others and ask that you do too. + We respond to notices of alleged copyright infringement if they comply + with the law, and such notices should be reported using our + [51]Copyright Policy. We reserve the right to delete or disable content + alleged to be infringing and terminate accounts of repeat infringers. + Our designated agent for notice of alleged copyright infringement on + the Services is: + + Copyright Agent + Dropbox, Inc. + 333 Brannan Street + San Francisco, CA 94107 + copyright@dropbox.com + +Paid Accounts + + Billing. You can increase your storage space and add paid features to + your account (turning your account into a "Paid Account"). We'll + automatically bill you from the date you convert to a Paid Account and + on each periodic renewal until cancellation. You're responsible for all + applicable taxes, and we'll charge tax when required to do so. + + No Refunds. You may cancel your Dropbox Paid Account at any time but + you won't be issued a refund [52]unless it's legally required. + + Downgrades. Your Paid Account will remain in effect until it's + cancelled or terminated under these Terms. If you don't pay for your + Paid Account on time, we reserve the right to suspend it or reduce your + storage to free space levels. + + Changes. We may change the fees in effect but will give you advance + notice of these changes via a message to the email address associated + with your account. + +Dropbox Business + + Email address. If you sign up for a Dropbox account with an email + address provisioned by your employer, your employer may be able to + block your use of Dropbox until you transition to a Dropbox Business or + Dropbox Enterprise account or you associate your Dropbox account with a + personal email address. + + Using Dropbox Business or Dropbox Enterprise. If you join a Dropbox + Business or Dropbox Enterprise account, you must use it in compliance + with your employer's terms and policies. Please note that Dropbox + Business and Dropbox Enterprise accounts are subject to your employer's + control. Your administrators may be able to access, disclose, restrict, + or remove information in or from your Dropbox Business or Dropbox + Enterprise account. They may also be able to restrict or terminate your + access to a Dropbox Business or Dropbox Enterprise account. If you + convert an existing Dropbox account into a Dropbox Business or Dropbox + Enterprise account, your administrators may prevent you from later + disassociating your account from the Dropbox Business or Dropbox + Enterprise account. + +Termination + + You're free to stop using our Services at any time. We also reserve the + right to suspend or end the Services at any time at our discretion and + without notice. For example, we may suspend or terminate your use of + the Services if you're not complying with these Terms, or use the + Services in a manner that would cause us legal liability, disrupt the + Services or disrupt others' use of the Services. Except for Paid + Accounts, we reserve the right to terminate and delete your account if + you haven't accessed our Services for 12 consecutive months. We'll of + course provide you with notice via the email address associated with + your account before we do so. + +Services "AS IS" + + We strive to provide great Services, but there are certain things that + we can't guarantee. TO THE FULLEST EXTENT PERMITTED BY LAW, DROPBOX AND + ITS AFFILIATES, SUPPLIERS AND DISTRIBUTORS MAKE NO WARRANTIES, EITHER + EXPRESS OR IMPLIED, ABOUT THE SERVICES. THE SERVICES ARE PROVIDED "AS + IS." WE ALSO DISCLAIM ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A + PARTICULAR PURPOSE AND NON-INFRINGEMENT. Some places don't allow the + disclaimers in this paragraph, so they may not apply to you. + +Limitation of Liability + + TO THE FULLEST EXTENT PERMITTED BY LAW, EXCEPT FOR ANY LIABILITY FOR + DROPBOX’S OR ITS AFFILIATES’ FRAUD, FRAUDULENT MISREPRESENTATION, OR + GROSS NEGLIGENCE, IN NO EVENT WILL DROPBOX, ITS AFFILIATES, SUPPLIERS + OR DISTRIBUTORS BE LIABLE FOR: + + (A) ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, EXEMPLARY OR + CONSEQUENTIAL DAMAGES, OR + + (B) ANY LOSS OF USE, DATA, BUSINESS, OR PROFITS, REGARDLESS OF LEGAL + THEORY. + + THIS WILL BE REGARDLESS OF WHETHER OR NOT DROPBOX OR ANY OF ITS + AFFILIATES HAS BEEN WARNED OF THE POSSIBILITY OF SUCH DAMAGES, AND EVEN + IF A REMEDY FAILS OF ITS ESSENTIAL PURPOSE. + + ADDITIONALLY, DROPBOX, ITS AFFILIATES, SUPPLIERS AND DISTRIBUTORS WILL + NOT BE LIABLE FOR AGGREGATE LIABILITY FOR ALL CLAIMS RELATING TO THE + SERVICES FOR MORE THAN THE GREATER OF $20 OR THE AMOUNTS PAID BY YOU TO + DROPBOX FOR THE PAST 12 MONTHS OF THE SERVICES IN QUESTION. + + Some places don't allow the types of limitations in this paragraph, so + they may not apply to you. + +Resolving Disputes + + Let's Try To Sort Things Out First. We want to address your concerns + without needing a formal legal case. Before filing a claim against + Dropbox, you agree to try to resolve the dispute informally by + contacting dispute-notice@dropbox.com. We'll try to resolve the dispute + informally by contacting you via email. If a dispute is not resolved + within 15 days of submission, you or Dropbox may bring a formal + proceeding. + + Judicial forum for disputes. You and Dropbox agree that any judicial + proceeding to resolve claims relating to these Terms or the Services + will be brought in the federal or state courts of San Francisco County, + California, subject to the mandatory arbitration provisions below. Both + you and Dropbox consent to venue and personal jurisdiction in such + courts. + +IF YOU’RE A U.S. RESIDENT, YOU ALSO AGREE TO THE FOLLOWING MANDATORY +ARBITRATION PROVISIONS: + + We Both Agree To Arbitrate. You and Dropbox agree to resolve any claims + relating to these Terms or the Services through final and binding + arbitration, except as set forth under Exceptions to Agreement to + Arbitrate below. + + Opt-out of Agreement to Arbitrate. You can decline this agreement to + arbitrate by [53]clicking here and submitting the opt-out form within + 30 days of first accepting these Terms. + + Arbitration Procedures. The [54]American Arbitration Association (AAA) + will administer the arbitration under its Commercial Arbitration Rules + and the Supplementary Procedures for Consumer Related Disputes. The + arbitration will be held in the United States county where you live or + work, San Francisco (CA), or any other location we agree to. + + Arbitration Fees and Incentives. The AAA rules will govern payment of + all arbitration fees. Dropbox will pay all arbitration fees for claims + less than $75,000. If you receive an arbitration award that is more + favorable than any offer we make to resolve the claim, we will pay you + $1,000 in addition to the award. Dropbox will not seek its attorneys' + fees and costs in arbitration unless the arbitrator determines that + your claim is frivolous. + + Exceptions to Agreement to Arbitrate. Either you or Dropbox may assert + claims, if they qualify, in small claims court in San Francisco (CA) or + any United States county where you live or work. Either party may bring + a lawsuit solely for injunctive relief to stop unauthorized use or + abuse of the Services, or intellectual property infringement (for + example, trademark, trade secret, copyright, or patent rights) without + first engaging in arbitration or the informal dispute-resolution + process described above. If the agreement to arbitrate is found not to + apply to you or your claim, you agree to the exclusive jurisdiction of + the state and federal courts in San Francisco County, California to + resolve your claim. + + NO CLASS ACTIONS. You may only resolve disputes with us on an + individual basis, and may not bring a claim as a plaintiff or a class + member in a class, consolidated, or representative action. Class + arbitrations, class actions, private attorney general actions, and + consolidation with other arbitrations aren't allowed. + +Controlling Law + + These Terms will be governed by California law except for its conflicts + of laws principles, unless otherwise required by a mandatory law of any + other jurisdiction. + +Entire Agreement + + These Terms constitute the entire agreement between you and Dropbox + with respect to the subject matter of these Terms, and supersede and + replace any other prior or contemporaneous agreements, or terms and + conditions applicable to the subject matter of these Terms. These Terms + create no third party beneficiary rights. + +Waiver, Severability & Assignment + + Dropbox's failure to enforce a provision is not a waiver of its right + to do so later. If a provision is found unenforceable, the remaining + provisions of the Terms will remain in full effect and an enforceable + term will be substituted reflecting our intent as closely as possible. + You may not assign any of your rights under these Terms, and any such + attempt will be void. Dropbox may assign its rights to any of its + affiliates or subsidiaries, or to any successor in interest of any + business associated with the Services. + +Modifications + + We may revise these Terms from time to time, and will always post the + most current version on our website. If a revision meaningfully reduces + your rights, we will notify you (by, for example, sending a message to + the email address associated with your account, posting on our blog or + on this page). By continuing to use or access the Services after the + revisions come into effect, you agree to be bound by the revised Terms. + + If your organization signed a Dropbox Business or Dropbox Enterprise + Agreement with Dropbox, that Agreement may have modified the privacy + policy below. Please [55]contact your organization’s Admin for details. + +Dropbox Privacy Policy + + Posted: February 12, 2016 + + Thanks for using Dropbox! Here we describe how we collect, use and + handle your information when you use our websites, software and + services ("Services"). + +What & Why + + We collect and use the following information to provide, improve and + protect our Services: + + Account. We collect, and associate with your account, information like + your name, email address, phone number, payment info, and physical + address. Some of our services let you access your accounts and your + information with other service providers. + + Services. When you use our Services, we store, process and transmit + your files (including stuff like your photos, [56]structured data and + emails) and information related to them (for example, location tags in + photos). If you give us access to your contacts, we'll store those + contacts on our servers for you to use. This will make it easy for you + to do things like share your stuff, send emails, and invite others to + use the Services. + + Usage. We collect information from and about the devices you use to + access the Services. This includes things like IP addresses, the type + of browser and device you use, the web page you visited before coming + to our sites, and identifiers associated with your devices. Your + devices (depending on their settings) may also transmit location + information to the Services. + + Cookies and other technologies. We use technologies like [57]cookies + and pixel tags to provide, improve, protect and promote our Services. + For example, cookies help us with things like remembering your username + for your next visit, understanding how you are interacting with our + Services, and improving them based on that information. You can set + your browser to not accept cookies, but this may limit your ability to + use the Services. If our systems receive a DNT:1 signal from your + browser, we'll respond to that signal as outlined [58]here. + +With whom + + We may share information as discussed below, but we won't sell it to + advertisers or other third-parties. + + Others working for Dropbox. Dropbox uses certain trusted third parties + to help us provide, improve, protect, and promote our Services. These + third parties will access your information only to perform tasks on our + behalf and in compliance with this Privacy Policy. + + Other users. Our Services display information like your name and email + address to other users in places like your user profile and sharing + notifications. Certain features let you make additional information + available to other users. + + Other applications. You can also give third parties access to your + information and account - for example, via [59]Dropbox APIs. Just + remember that their use of your information will be governed by their + privacy policies and terms. + + Dropbox Business and Dropbox Enterprise Admins. If you are a Dropbox + Business or Dropbox Enterprise user, your administrator may have the + ability to access and control your Dropbox Business or Dropbox + Enterprise account. Please refer to your employer's internal policies + if you have questions about this. If you are not a Dropbox Business + user but interact with a Dropbox Business or Dropbox Enterprise user + (by, for example, joining a shared folder or accessing stuff shared by + that user), members of that organization may be able to view the name, + email address and IP address that were associated with your account at + the time of that interaction. + + Law & Order. We may disclose your information to third parties if we + determine that such disclosure is reasonably necessary to (a) comply + with the law; (b) protect any person from death or serious bodily + injury; (c) prevent fraud or abuse of Dropbox or our users; or (d) + protect Dropbox's property rights. + + Stewardship of your data is critical to us and a responsibility that we + embrace. We believe that our users' data should receive the same legal + protections regardless of whether it's stored on our services or on + their home computer's hard drive. We'll abide by the following + [60]Government Request Principles when receiving, scrutinizing and + responding to government requests for our users' data: + * Be transparent, + * Fight blanket requests, + * Protect all users, and + * Provide trusted services. + + Please visit our [61]Government Request Principles and [62]Transparency + Report for more detailed information. + +How + + Security. We have a team dedicated to keeping your information secure + and testing for vulnerabilities. We also continue to work on features + to keep your information safe in addition to things like two-factor + authentication, encryption of files at rest, and alerts when new + devices and apps are linked to your account. + + Retention. We'll retain information you store on our Services for as + long as we need it to provide you the Services. If you delete your + account, we'll also delete this information. But please note: (1) there + might be some latency in deleting this information from our servers and + back-up storage; and (2) we may retain this information if necessary to + comply with our legal obligations, resolve disputes, or enforce our + agreements. + +Where + + Around the world. To provide you with the Services, we may store, + process and transmit information in the United States and locations + around the world - including those outside your country. Information + may also be stored locally on the devices you use to access the + Services. + + Safe Harbor. Dropbox complies with the EU-U.S. and Swiss-U.S. Safe + Harbor ("Safe Harbor") frameworks and principles. We have certified our + compliance, and you can view our certifications [63]here. You can learn + more about Safe Harbor by visiting [64]http://export.gov/safeharbor. + JAMS is the independent organization responsible for reviewing and + resolving complaints about our Safe Harbor compliance. We ask that you + first submit any such complaints directly to us via + privacy@dropbox.com. If you aren't satisfied with our response, please + contact JAMS at + [65]http://www.jamsinternational.com/rules-procedures/safeharbor/file-s + afe-harbor-claim. + + NOTE: When transferring data from the European Union, the European + Economic Area, and Switzerland, Dropbox relies upon a variety of legal + mechanisms, including contracts with our users. Dropbox doesn’t rely + upon Safe Harbor as a legal basis for data transfer but does adhere to + the [66]Safe Harbor Privacy Principles while specific guidance for the + forthcoming EU-US Privacy Shield program is developed. For information + about data transfers from Europe to the United States, please visit + [67]this page. + +Changes + + If we are involved in a reorganization, merger, acquisition or sale of + our assets, your information may be transferred as part of that deal. + We will notify you (for example, via a message to the email address + associated with your account) of any such deal and outline your choices + in that event. + + We may revise this Privacy Policy from time to time, and will post the + most current version on our website. If a revision meaningfully reduces + your rights, we will notify you. + +Contact + + Have questions or concerns about Dropbox, our Services and privacy? + Contact us at [68]privacy@dropbox.com. + + This section of the agreement only applies to [69]Dropbox Business + customers. If your organization signed a Dropbox Business or Dropbox + Enterprise Agreement with Dropbox, that Agreement may be different from + the terms below. Please [70]contact your organization’s Admin for + details. + +Dropbox Business Agreement + + Posted: June 2, 2016 + + This Dropbox Business Agreement (the "Agreement") is between Dropbox + Ireland if your organization is based outside of the United States, + Canada and Mexico ("North America") or, if your organization is based + in North America, with Dropbox, Inc., a Delaware corporation (each, + "Dropbox") and the organization agreeing to these terms ("Customer"). + This Agreement governs access to and use of the Dropbox Business client + software and services (together, "Dropbox Business"), as well as those + Beta Services that are made available to you (together, with Dropbox + Business, the "Services"). By clicking "I Agree," signing your contract + for the Services or using the Services, you agree to this Agreement as + a Customer. + + To the extent Dropbox, Inc. is, on behalf of Customer, processing + Customer Data that is subject to national laws implementing EU Data + Protection Directive (95/46/EC) ("EU Data Protection Laws"), then, by + clicking "I agree," you are also agreeing to the EU Standard + Contractual Clauses with Dropbox, Inc. for the transfer of personal + data to processors set forth in Schedule 1. + + If you are agreeing to this Agreement and Schedule 1 (if applicable) + for use of the Services by an organization, you are agreeing on behalf + of that organization. You must have the authority to bind that + organization to these terms, otherwise you must not sign up for the + Services. + 1. Services. + a. Provision of Services. Customer and users of Customer's + Services account ("End Users") may access and use the Services + in accordance with this Agreement. + b. Facilities and Data Processing. Dropbox will use, at a + minimum, industry standard technical and organizational + security measures to transfer, store, and process Customer + Data. These measures are designed to protect the integrity of + Customer Data and guard against the unauthorized or unlawful + access to, use, and processing of Customer Data. Customer + agrees that Dropbox may transfer, store, and process Customer + Data in the United States and locations other than Customer's + country. To the extent that Customer Data is subject to EU + Data Protection Laws and is processed by Dropbox as a data + processor acting on Customer's behalf (as a data controller), + Dropbox will use and process such Customer Data as Customer + instructs in order to provide the Services and fulfil + Dropbox's obligations under the Agreement. "Customer Data" + means Stored Data and Account Data. "Stored Data" means the + files and structured data submitted to the Services by + Customer or End Users. "Account Data" means the account and + contact information submitted to the Services by Customer or + End Users. + c. Modifications to the Services. Dropbox may update the Services + from time to time. If Dropbox changes the Services in a manner + that materially reduces their functionality, Dropbox will + inform Customer via the email address associated with the + account. + d. Software. Some Services allow Customer to download Dropbox + software which may update automatically. Customer may use the + software only to access the Services. If any component of the + software is offered under an open source license, Dropbox will + make the license available to Customer and the provisions of + that license may expressly override some of the terms of this + Agreement. + e. Beta Services. Dropbox may provide features or products that + we are still testing and evaluating. These products and + features are identified as alpha, beta, preview, early access, + or evaluation (or words or phrases with similar meanings) + (collectively, "Beta Services"). Notwithstanding anything to + the contrary in this Agreement or in Schedule 1, the following + terms apply to all Beta Services: (a) you may use or decline + to use any Beta Services; (b) Beta Services may not be + supported and may be changed at any time without notice to + you; (c) Beta Services may not be as reliable or available as + Dropbox Business; (d) Beta Services have not been subjected to + the same security measures and auditing to which Dropbox + Business has been subjected; and (e) DROPBOX WILL HAVE NO + LIABILITY ARISING OUT OF OR IN CONNECTION WITH BETA + SERVICES—USE AT YOUR OWN RISK. + 2. Customer Obligations. + a. Compliance. Customer is responsible for use of the Services by + its End Users. Customer and its End Users must use the + Services in compliance with the [71]Acceptable Use Policy. + Customer will obtain from End Users any consents necessary to + allow Administrators to engage in the activities described in + this Agreement and to allow Dropbox to provide the Services. + Customer will comply with laws and regulations applicable to + Customer's use of the Services, if any. + b. Customer Administration of the Services. Customer may specify + End Users as "Administrators" through the administrative + console. Administrators may have the ability to access, + disclose, restrict or remove Customer Data in or from Services + accounts. Administrators may also have the ability to monitor, + restrict, or terminate access to Services accounts. Dropbox's + responsibilities do not extend to the internal management or + administration of the Services. Customer is responsible for: + (i) maintaining the confidentiality of passwords and + Administrator accounts; (ii) managing access to Administrator + accounts; and (iii) ensuring that Administrators' use of the + Services complies with this Agreement. Customer acknowledges + that if Customer purchases the Services through a reseller and + delegates any of such reseller's personnel as Administrators + of Customer's Services account, such reseller may be able to + control account information, including Customer Data, and + access Customer's Services account as further described above. + c. Unauthorized Use & Access. Customer will prevent unauthorized + use of the Services by its End Users and terminate any + unauthorized use of or access to the Services. The Services + are not intended for End Users under the age of 13. Customer + will ensure that it does not allow any person under 13 to use + the Services. Customer will promptly notify Dropbox of any + unauthorized use of or access to the Services. + d. Restricted Uses. Customer will not (i) sell, resell, or lease + the Services; (ii) use the Services for activities where use + or failure of the Services could lead to physical damage, + death, or personal injury; or (iii) reverse engineer the + Services, nor attempt nor assist anyone else to do so, unless + this restriction is prohibited by law. + e. Third Party Requests. + i. "Third Party Request" means a request from a third party + for records relating to an End User's use of the Services + including information in or from an End User or + Customer's Services account. Third Party Requests may + include valid search warrants, court orders, or + subpoenas, or any other request for which there is + written consent from End Users permitting a disclosure. + ii. Customer is responsible for responding to Third Party + Requests via its own access to information. Customer will + seek to obtain information required to respond to Third + Party Requests and will contact Dropbox only if it cannot + obtain such information despite diligent efforts. + iii. Dropbox will make commercially reasonable efforts, to + the extent allowed by law and by the terms of the Third + Party Request, to: (A) promptly notify Customer of + Dropbox's receipt of a Third Party Request; (B) comply + with Customer's commercially reasonable requests + regarding its efforts to oppose a Third Party Request; + and (C) provide Customer with information or tools + required for Customer to respond to the Third Party + Request (if Customer is otherwise unable to obtain the + information). If Customer fails to promptly respond to + any Third Party Request, then Dropbox may, but will not + be obligated to do so. + 3. Third-Party Services. If Customer uses any third-party service + (e.g., a service that uses a Dropbox API) with the Services, (a) + Dropbox will not be responsible for any act or omission of the + third party, including the third party's access to or use of + Customer Data and (b) Dropbox does not warrant or support any + service provided by the third party. + 4. Suspension + a. Of End User Accounts by Dropbox. If an End User (i) violates + this Agreement or (ii) uses the Services in a manner that + Dropbox reasonably believes will cause it liability, then + Dropbox may request that Customer suspend or terminate the + applicable End User account. If Customer fails to promptly + suspend or terminate the End User account, then Dropbox may do + so. + b. Security Emergencies. Notwithstanding anything in this + Agreement, if there is a Security Emergency then Dropbox may + automatically suspend use of the Services. Dropbox will make + commercially reasonable efforts to narrowly tailor the + suspension as needed to prevent or terminate the Security + Emergency. "Security Emergency" means: (i) use of the Services + that do or could disrupt the Services, other customers' use of + the Services, or the infrastructure used to provide the + Services and (ii) unauthorized third-party access to the + Services. + 5. Intellectual Property Rights. + a. Reservation of Rights. Except as expressly set forth herein, + this Agreement does not grant (i) Dropbox any Intellectual + Property Rights in Customer Data or (ii) Customer any + Intellectual Property Rights in the Services or Dropbox + trademarks and brand features. "Intellectual Property Rights" + means current and future worldwide rights under patent, + copyright, trade secret, trademark, moral rights, and other + similar rights. + b. Limited Permission. Customer grants Dropbox only the limited + rights that are reasonably necessary for Dropbox to offer the + Services (e.g., hosting Stored Data). This permission also + extends to our affiliates and trusted third parties Dropbox + works with to offer the Services (e.g., payment provider used + to process payment of fees). + c. Suggestions. Dropbox may, at its discretion and for any + purpose, use, modify, and incorporate into its products and + services, license and sublicense, any feedback, comments, or + suggestions Customer or End Users send Dropbox or post in + Dropbox's forums without any obligation to Customer. + d. Customer List. Dropbox may include Customer's name in a list + of Dropbox customers on the Dropbox website or in promotional + materials. + 6. Fees & Payment. + a. Fees. Customer will pay, and authorizes Dropbox or Customer's + reseller to charge using Customer's selected payment method, + for all applicable fees. Fees are non-refundable except as + required by law. Customer is responsible for providing + complete and accurate billing and contact information to + Dropbox or Customer's reseller. Dropbox may suspend or + terminate the Services if fees are past due. + b. Auto Renewals and Trials. IF CUSTOMER'S ACCOUNT IS SET TO AUTO + RENEWAL OR IS IN A TRIAL PERIOD, DROPBOX (OR CUSTOMER'S + RESELLER) MAY AUTOMATICALLY CHARGE AT THE END OF THE TRIAL OR + FOR THE RENEWAL, UNLESS CUSTOMER NOTIFIES DROPBOX (OR + CUSTOMER'S RESELLER, AS APPLICABLE) THAT CUSTOMER WANTS TO + CANCEL OR DISABLE AUTO RENEWAL. Dropbox may revise Service + rates by providing Customer at least 30 days notice prior to + the next charge. + c. Taxes. Customer is responsible for all taxes. Dropbox or + Customer's reseller will charge tax when required to do so. If + Customer is required by law to withhold any taxes, Customer + must provide Dropbox or Customer's reseller with an official + tax receipt or other appropriate documentation. + d. Purchase Orders. If Customer requires the use of a purchase + order orpurchase order number, Customer (i) must provide the + purchase order number at the time of purchase and (ii) agrees + that any terms and conditions on a Customer purchase order + will not apply to this Agreement and are null and void. If + Customer is purchasing through a reseller, any terms and + conditions from Customer's reseller or in a purchase order + between Customer and its reseller that conflict with the + Dropbox Business Agreement are null and void. + 7. Term & Termination. + a. Term. This Agreement will remain in effect until Customer's + subscription to the Services expires or terminates, or until + the Agreement is terminated. + b. Termination for Breach. Either Dropbox or Customer may + terminate this Agreement if: (i) the other party is in + material breach of the Agreement and fails to cure that breach + within 30 days after receipt of written notice or (ii) the + other party ceases its business operations or becomes subject + to insolvency proceedings and the proceedings are not + dismissed within 90 days. + c. Effects of Termination. If this Agreement terminates: (i) the + rights granted by Dropbox to Customer will cease immediately + (except as set forth in this section); (ii) Dropbox may + provide Customer access to its account at then-current fees so + that Customer may export its Stored Data; and (iii) after a + commercially reasonable period of time, Dropbox may delete any + Stored Data relating to Customer's account. The following + sections will survive expiration or termination of this + Agreement: 2(e) (Third Party Requests), 5 (Intellectual + Property Rights), 6 (Fees & Payment), 7(c) (Effects of + Termination), 8 (Indemnification), 9 (Disclaimers), 10 + (Limitation of Liability), 11 (Disputes), and 12 + (Miscellaneous). + 8. Indemnification. + a. By Customer. Customer will indemnify, defend, and hold + harmless Dropbox from and against all liabilities, damages, + and costs (including settlement costs and reasonable + attorneys' fees) arising out of any claim by a third party + against Dropbox and its affiliates regarding: (i) Customer + Data; (ii) Customer's use of the Services in violation of this + Agreement; or (iii) End Users' use of the Services in + violation of this Agreement. + b. By Dropbox. Dropbox will indemnify, defend, and hold harmless + Customer from and against all liabilities, damages, and costs + (including settlement costs and reasonable attorneys' fees) + arising out of any claim by a third party against Customer to + the extent based on an allegation that Dropbox's technology + used to provide the Services to the Customer infringes or + misappropriates any copyright, trade secret, U.S. patent, or + trademark right of the third party. In no event will Dropbox + have any obligations or liability under this section arising + from: (i) use of any Services in a modified form or in + combination with materials not furnished by Dropbox and (ii) + any content, information, or data provided by Customer, End + Users, or other third parties. + c. Possible Infringement. If Dropbox believes the Services + infringe or may be alleged to infringe a third party's + Intellectual Property Rights, then Dropbox may: (i) obtain the + right for Customer, at Dropbox's expense, to continue using + the Services; (ii) provide a non-infringing functionally + equivalent replacement; or (iii) modify the Services so that + they no longer infringe. If Dropbox does not believe the + options described in this section are commercially reasonable + then Dropbox may suspend or terminate Customer's use of the + affected Services (with a pro-rata refund of prepaid fees for + the Services). + d. General. The party seeking indemnification will promptly + notify the other party of the claim and cooperate with the + other party in defending the claim. The indemnifying party + will have full control and authority over the defense, except + that: (i) any settlement requiring the party seeking + indemnification to admit liability requires prior written + consent, not to be unreasonably withheld or delayed and (ii) + the other party may join in the defense with its own counsel + at its own expense. THE INDEMNITIES ABOVE ARE DROPBOX AND + CUSTOMER'S ONLY REMEDY UNDER THIS AGREEMENT FOR VIOLATION BY + THE OTHER PARTY OF A THIRD PARTY'S INTELLECTUAL PROPERTY + RIGHTS. + 9. Disclaimers. THE SERVICES ARE PROVIDED "AS IS." TO THE FULLEST + EXTENT PERMITTED BY LAW, EXCEPT AS EXPRESSLY STATED IN THIS + AGREEMENT, NEITHER CUSTOMER NOR DROPBOX AND ITS AFFILIATES, + SUPPLIERS, AND DISTRIBUTORS MAKE ANY WARRANTY OF ANY KIND, WHETHER + EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR USE, OR NON-INFRINGEMENT. + CUSTOMER IS RESPONSIBLE FOR MAINTAINING AND BACKING UP ANY STORED + DATA. + 10. Limitation of Liability. + a. Limitation on Indirect Liability. TO THE FULLEST EXTENT + PERMITTED BY LAW, EXCEPT FOR DROPBOX OR CUSTOMER'S + INDEMNIFICATION OBLIGATIONS, NEITHER CUSTOMER NOR DROPBOX AND + ITS AFFILIATES, SUPPLIERS, AND DISTRIBUTORS WILL BE LIABLE + UNDER THIS AGREEMENT FOR (I) INDIRECT, SPECIAL, INCIDENTAL, + CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR (II) LOSS OF + USE, DATA, BUSINESS, REVENUES, OR PROFITS (IN EACH CASE + WHETHER DIRECT OR INDIRECT), EVEN IF THE PARTY KNEW OR SHOULD + HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE AND EVEN IF A + REMEDY FAILS OF ITS ESSENTIAL PURPOSE. + b. Limitation on Amount of Liability. TO THE FULLEST EXTENT + PERMITTED BY LAW, DROPBOX'S AGGREGATE LIABILITY UNDER THIS + AGREEMENT WILL NOT EXCEED THE LESSER OF $100,000 OR THE AMOUNT + PAID BY CUSTOMER FOR THE SERVICES HEREUNDER DURING THE TWELVE + MONTHS PRIOR TO THE EVENT GIVING RISE TO LIABILITY. + 11. Disputes. + a. Informal Resolution. Dropbox wants to address your concerns + without resorting to a formal legal case. Before filing a + claim, each party agrees to try to resolve the dispute by + contacting the other party through the notice procedures in + section 12(e). If a dispute is not resolved within 30 days of + notice, Customer or Dropbox may bring a formal proceeding. + b. Agreement to Arbitrate. Customer and Dropbox agree to resolve + any claims relating to this Agreement or the Services through + final and binding arbitration, except as set forth below. The + [72]American Arbitration Association (AAA) will administer the + arbitration under its Commercial Arbitration Rules. The + arbitration will be held in San Francisco (CA), or any other + location both parties agree to in writing. + c. Exception to Agreement to Arbitrate. Either party may bring a + lawsuit in the federal or state courts of San Francisco + County, California solely for injunctive relief to stop + unauthorized use or abuse of the Services or infringement of + Intellectual Property Rights without first engaging in the + informal dispute notice process described above. Both Customer + and Dropbox consent to venue and personal jurisdiction there. + d. NO CLASS ACTIONS. Customer may only resolve disputes with + Dropbox on an individual basis and will not bring a claim in a + class, consolidated, or representative action. Class + arbitrations, class actions, private attorney general actions, + and consolidation with other arbitrations are not allowed. + 12. Miscellaneous. + a. Terms Modification. Dropbox may revise this Agreement from + time to time and the most current version will always be + posted on the Dropbox Business website. If a revision, in + Dropbox's sole discretion, is material, Dropbox will notify + Customer (by, for example, sending an email to the email + address associated with the applicable account). Other + revisions may be posted to Dropbox's blog or terms page, and + Customer is responsible for checking such postings regularly. + By continuing to access or use the Services after revisions + become effective, Customer agrees to be bound by the revised + Agreement. If Customer does not agree to the revised Agreement + terms, Customer may terminate the Services within 30 days of + receiving notice of the change. + b. Entire Agreement. This Agreement, including Customer's invoice + and order form with Dropbox (if applicable), constitutes the + entire agreement between Customer and Dropbox with respect to + the subject matter of this Agreement and supersedes and + replaces any prior or contemporaneous understandings and + agreements, whether written or oral, with respect to the + subject matter of this Agreement. If there is a conflict + between the documents that make up this Agreement, the + documents will control in the following order: the Dropbox + invoice, the Dropbox order form, the Agreement. + c. Governing Law. THE AGREEMENT WILL BE GOVERNED BY CALIFORNIA + LAW EXCEPT FOR ITS CONFLICTS OF LAWS PRINCIPLES. + d. Severability. Unenforceable provisions will be modified to + reflect the parties' intention and only to the extent + necessary to make them enforceable, and the remaining + provisions of the Agreement will remain in full effect. + e. Notice. Notices must be sent via first class, airmail, or + overnight courier and are deemed given when received. Notices + to Customer may also be sent to the applicable account email + address and are deemed given when sent. Notices to Dropbox + must be sent to Dropbox, Inc., P.O. Box 77767, San Francisco, + CA 94107, with a copy to the Legal Department. + f. Waiver. A waiver of any default is not a waiver of any + subsequent default. + g. Assignment. Customer may not assign or transfer this Agreement + or any rights or obligations under this Agreement without the + written consent of Dropbox. Dropbox may not assign this + Agreement without providing notice to Customer, except Dropbox + may assign this Agreement or any rights or obligations under + this Agreement to an affiliate or in connection with a merger, + acquisition, corporate reorganization, or sale of all or + substantially all of its assets without providing notice. Any + other attempt to transfer or assign is void. + h. No Agency. Dropbox and Customer are not legal partners or + agents, but are independent contractors. + i. Force Majeure. Except for payment obligations, neither Dropbox + nor Customer will be liable for inadequate performance to the + extent caused by a condition that was beyond the party's + reasonable control (for example, natural disaster, act of war + or terrorism, riot, labor condition, governmental action, and + Internet disturbance). + j. No Third-Party Beneficiaries. There are no third-party + beneficiaries to this Agreement. Without limiting this + section, a Customer's End Users are not third-party + beneficiaries to Customer's rights under this Agreement. + k. Export Restrictions. The export and re-export of Customer Data + via the Services may be controlled by the United States Export + Administration Regulations or other applicable export + restrictions or embargo. The Services may not be used in Cuba, + Iran, North Korea, Sudan, or Syria or any country that is + subject to an embargo by the United States and Customer must + not use the Services in violation of any export restriction or + embargo by the United States or any other applicable + jurisdiction. In addition, Customer must ensure that the + Services are not provided to persons on the United States + Table of Denial Orders, the Entity List, or the List of + Specially Designated Nationals. + __________________________________________________________________ + +Schedule 1 + +Commission Decision C(2010)593 + +Standard Contractual Clauses (processors) + + For the purposes of Article 26(2) of Directive 95/46/EC for the + transfer of personal data to processors established in third countries + which do not ensure an adequate level of data protection + + Name of the data exporting organisation: The Customer that is a party + to the Dropbox Business Agreement with Dropbox Ireland + (the data exporter) + + And + + Name of the data importing organisation: Dropbox, Inc. + Address: 333 Brannan Street, San Francisco, CA 94107 USA + (the data importer) + + each a "party"; together "the parties", + + HAVE AGREED on the following Contractual Clauses (the Clauses) in order + to adduce adequate safeguards with respect to the protection of privacy + and fundamental rights and freedoms of individuals for the transfer by + the data exporter to the data importer of the personal data specified + in [73]Appendix 1. + +Clause 1 + +Definitions + + For the purposes of the Clauses: + a. 'personal data', 'special categories of data', + 'process/processing', 'controller', 'processor', 'data subject' and + 'supervisory authority' shall have the same meaning as in Directive + 95/46/EC of the European Parliament and of the Council of 24 + October 1995 on the protection of individuals with regard to the + processing of personal data and on the free movement of such + data^[74]1; + b. 'the data exporter' means the controller who transfers the personal + data; + c. 'the data importer' means the processor who agrees to receive from + the data exporter personal data intended for processing on his + behalf after the transfer in accordance with his instructions and + the terms of the Clauses and who is not subject to a third + country's system ensuring adequate protection within the meaning of + Article 25(1) of Directive 95/46/EC; + d. 'the subprocessor' means any processor engaged by the data importer + or by any other subprocessor of the data importer who agrees to + receive from the data importer or from any other subprocessor of + the data importer personal data exclusively intended for processing + activities to be carried out on behalf of the data exporter after + the transfer in accordance with his instructions, the terms of the + Clauses and the terms of the written subcontract; + e. 'the applicable data protection law' means the legislation + protecting the fundamental rights and freedoms of individuals and, + in particular, their right to privacy with respect to the + processing of personal data applicable to a data controller in the + Member State in which the data exporter is established; + f. 'technical and organisational security measures' means those + measures aimed at protecting personal data against accidental or + unlawful destruction or accidental loss, alteration, unauthorised + disclosure or access, in particular where the processing involves + the transmission of data over a network, and against all other + unlawful forms of processing. + +Clause 2 + +Details of the transfer + + The details of the transfer and in particular the special categories of + personal data where applicable are specified in Appendix 1 which forms + an integral part of the Clauses. + +Clause 3 + +Third-party beneficiary clause + + 1. The data subject can enforce against the data exporter this Clause, + Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) + and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party + beneficiary. + 2. The data subject can enforce against the data importer this Clause, + Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and + Clauses 9 to 12, in cases where the data exporter has factually + disappeared or has ceased to exist in law unless any successor + entity has assumed the entire legal obligations of the data + exporter by contract or by operation of law, as a result of which + it takes on the rights and obligations of the data exporter, in + which case the data subject can enforce them against such entity. + 3. The data subject can enforce against the subprocessor this Clause, + Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and + Clauses 9 to 12, in cases where both the data exporter and the data + importer have factually disappeared or ceased to exist in law or + have become insolvent, unless any successor entity has assumed the + entire legal obligations of the data exporter by contract or by + operation of law as a result of which it takes on the rights and + obligations of the data exporter, in which case the data subject + can enforce them against such entity. Such third-party liability of + the subprocessor shall be limited to its own processing operations + under the Clauses. + 4. The parties do not object to a data subject being represented by an + association or other body if the data subject so expressly wishes + and if permitted by national law. + +Clause 4 + +Obligations of the data exporter + + The data exporter agrees and warrants: + a. that the processing, including the transfer itself, of the personal + data has been and will continue to be carried out in accordance + with the relevant provisions of the applicable data protection law + (and, where applicable, has been notified to the relevant + authorities of the Member State where the data exporter is + established) and does not violate the relevant provisions of that + State; + b. that it has instructed and throughout the duration of the personal + data processing services will instruct the data importer to process + the personal data transferred only on the data exporter's behalf + and in accordance with the applicable data protection law and the + Clauses; + c. that the data importer will provide sufficient guarantees in + respect of the technical and organisational security measures + specified in [75]Appendix 2 to this contract; + d. that after assessment of the requirements of the applicable data + protection law, the security measures are appropriate to protect + personal data against accidental or unlawful destruction or + accidental loss, alteration, unauthorised disclosure or access, in + particular where the processing involves the transmission of data + over a network, and against all other unlawful forms of processing, + and that these measures ensure a level of security appropriate to + the risks presented by the processing and the nature of the data to + be protected having regard to the state of the art and the cost of + their implementation; + e. that it will ensure compliance with the security measures; + f. that, if the transfer involves special categories of data, the data + subject has been informed or will be informed before, or as soon as + possible after, the transfer that its data could be transmitted to + a third country not providing adequate protection within the + meaning of Directive 95/46/EC; + g. to forward any notification received from the data importer or any + subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data + protection supervisory authority if the data exporter decides to + continue the transfer or to lift the suspension; + h. to make available to the data subjects upon request a copy of the + Clauses, with the exception of Appendix 2, and a summary + description of the security measures, as well as a copy of any + contract for subprocessing services which has to be made in + accordance with the Clauses, unless the Clauses or the contract + contain commercial information, in which case it may remove such + commercial information; + i. that, in the event of subprocessing, the processing activity is + carried out in accordance with Clause 11 by a subprocessor + providing at least the same level of protection for the personal + data and the rights of data subject as the data importer under the + Clauses; and + j. that it will ensure compliance with Clause 4(a) to (i). + +Clause 5 + +Obligations of the data importer^[76]2 + + The data importer agrees and warrants: + a. to process the personal data only on behalf of the data exporter + and in compliance with its instructions and the Clauses; if it + cannot provide such compliance for whatever reasons, it agrees to + inform promptly the data exporter of its inability to comply, in + which case the data exporter is entitled to suspend the transfer of + data and/or terminate the contract; + b. that it has no reason to believe that the legislation applicable to + it prevents it from fulfilling the instructions received from the + data exporter and its obligations under the contract and that in + the event of a change in this legislation which is likely to have a + substantial adverse effect on the warranties and obligations + provided by the Clauses, it will promptly notify the change to the + data exporter as soon as it is aware, in which case the data + exporter is entitled to suspend the transfer of data and/or + terminate the contract; + c. that it has implemented the technical and organisational security + measures specified in Appendix 2 before processing the personal + data transferred; + d. that it will promptly notify the data exporter about: + i. any legally binding request for disclosure of the personal + data by a law enforcement authority unless otherwise + prohibited, such as a prohibition under criminal law to + preserve the confidentiality of a law enforcement + investigation, + ii. any accidental or unauthorised access, and + iii. any request received directly from the data subjects without + responding to that request, unless it has been otherwise + authorised to do so; + e. to deal promptly and properly with all inquiries from the data + exporter relating to its processing of the personal data subject to + the transfer and to abide by the advice of the supervisory + authority with regard to the processing of the data transferred; + f. at the request of the data exporter to submit its data processing + facilities for audit of the processing activities covered by the + Clauses which shall be carried out by the data exporter or an + inspection body composed of independent members and in possession + of the required professional qualifications bound by a duty of + confidentiality, selected by the data exporter, where applicable, + in agreement with the supervisory authority; + g. to make available to the data subject upon request a copy of the + Clauses, or any existing contract for subprocessing, unless the + Clauses or contract contain commercial information, in which case + it may remove such commercial information, with the exception of + Appendix 2 which shall be replaced by a summary description of the + security measures in those cases where the data subject is unable + to obtain a copy from the data exporter; + h. that, in the event of subprocessing, it has previously informed the + data exporter and obtained its prior written consent; + i. that the processing services by the subprocessor will be carried + out in accordance with Clause 11; + j. to send promptly a copy of any subprocessor agreement it concludes + under the Clauses to the data exporter. + +Clause 6 + +Liability + + 1. The parties agree that any data subject, who has suffered damage as + a result of any breach of the obligations referred to in Clause 3 + or in Clause 11 by any party or subprocessor is entitled to receive + compensation from the data exporter for the damage suffered. + 2. If a data subject is not able to bring a claim for compensation in + accordance with paragraph 1 against the data exporter, arising out + of a breach by the data importer or his subprocessor of any of + their obligations referred to in Clause 3 or in Clause 11, because + the data exporter has factually disappeared or ceased to exist in + law or has become insolvent, the data importer agrees that the data + subject may issue a claim against the data importer as if it were + the data exporter, unless any successor entity has assumed the + entire legal obligations of the data exporter by contract of by + operation of law, in which case the data subject can enforce its + rights against such entity. + The data importer may not rely on a breach by a subprocessor of its + obligations in order to avoid its own liabilities. + 3. If a data subject is not able to bring a claim against the data + exporter or the data importer referred to in paragraphs 1 and 2, + arising out of a breach by the subprocessor of any of their + obligations referred to in Clause 3 or in Clause 11 because both + the data exporter and the data importer have factually disappeared + or ceased to exist in law or have become insolvent, the + subprocessor agrees that the data subject may issue a claim against + the data subprocessor with regard to its own processing operations + under the Clauses as if it were the data exporter or the data + importer, unless any successor entity has assumed the entire legal + obligations of the data exporter or data importer by contract or by + operation of law, in which case the data subject can enforce its + rights against such entity. The liability of the subprocessor shall + be limited to its own processing operations under the Clauses. + +Clause 7 + +Mediation and jurisdiction + + 1. The data importer agrees that if the data subject invokes against + it third-party beneficiary rights and/or claims compensation for + damages under the Clauses, the data importer will accept the + decision of the data subject: + a. to refer the dispute to mediation, by an independent person + or, where applicable, by the supervisory authority; + b. to refer the dispute to the courts in the Member State in + which the data exporter is established. + 2. The parties agree that the choice made by the data subject will not + prejudice its substantive or procedural rights to seek remedies in + accordance with other provisions of national or international law. + +Clause 8 + +Cooperation with supervisory authorities + + 1. The data exporter agrees to deposit a copy of this contract with + the supervisory authority if it so requests or if such deposit is + required under the applicable data protection law. + 2. The parties agree that the supervisory authority has the right to + conduct an audit of the data importer, and of any subprocessor, + which has the same scope and is subject to the same conditions as + would apply to an audit of the data exporter under the applicable + data protection law. + 3. The data importer shall promptly inform the data exporter about the + existence of legislation applicable to it or any subprocessor + preventing the conduct of an audit of the data importer, or any + subprocessor, pursuant to paragraph 2. In such a case the data + exporter shall be entitled to take the measures foreseen in Clause + 5 (b). + +Clause 9 + +Governing Law + + The Clauses shall be governed by the law of the Member State in which + the data exporter is established. + +Clause 10 + +Variation of the contract + + The parties undertake not to vary or modify the Clauses. This does not + preclude the parties from adding clauses on business related issues + where required as long as they do not contradict the Clause. + +Clause 11 + +Subprocessing + + 1. The data importer shall not subcontract any of its processing + operations performed on behalf of the data exporter under the + Clauses without the prior written consent of the data exporter. + Where the data importer subcontracts its obligations under the + Clauses, with the consent of the data exporter, it shall do so only + by way of a written agreement with the subprocessor which imposes + the same obligations on the subprocessor as are imposed on the data + importer under the Clauses^[77]3. Where the subprocessor fails to + fulfil its data protection obligations under such written agreement + the data importer shall remain fully liable to the data exporter + for the performance of the subprocessor's obligations under such + agreement. + 2. The prior written contract between the data importer and the + subprocessor shall also provide for a third-party beneficiary + clause as laid down in Clause 3 for cases where the data subject is + not able to bring the claim for compensation referred to in + paragraph 1 of Clause 6 against the data exporter or the data + importer because they have factually disappeared or have ceased to + exist in law or have become insolvent and no successor entity has + assumed the entire legal obligations of the data exporter or data + importer by contract or by operation of law. Such third-party + liability of the subprocessor shall be limited to its own + processing operations under the Clauses. + 3. The provisions relating to data protection aspects for + subprocessing of the contract referred to in paragraph 1 shall be + governed by the law of the Member State in which the data exporter + is established. + 4. The data exporter shall keep a list of subprocessing agreements + concluded under the Clauses and notified by the data importer + pursuant to Clause 5 (j), which shall be updated at least once a + year. The list shall be available to the data exporter's data + protection supervisory authority. + +Clause 12 + + Obligation after the termination of personal data processing services + 1. The parties agree that on the termination of the provision of data + processing services, the data importer and the subprocessor shall, + at the choice of the data exporter, return all the personal data + transferred and the copies thereof to the data exporter or shall + destroy all the personal data and certify to the data exporter that + it has done so, unless legislation imposed upon the data importer + prevents it from returning or destroying all or part of the + personal data transferred. In that case, the data importer warrants + that it will guarantee the confidentiality of the personal data + transferred and will not actively process the personal data + transferred anymore. + 2. The data importer and the subprocessor warrant that upon request of + the data exporter and/or of the supervisory authority, it will + submit its data processing facilities for an audit of the measures + referred to in paragraph 1. + +Additional Provisions + + Capitalised terms used in Sections A to C and the Appendices but not + defined in the Clauses shall have the meaning provided in the Dropbox + Business Agreement between the data exporter and Dropbox Ireland. + A. Security Audit. The data importer maintains ISO/IEC 27001:2013 and + ISO/IEC 27018:2014 certifications, which are issued by an + independent third party auditor. The data importer will continue to + undergo regular ISO/IEC 27001:2013 and ISO/IEC 27018 audits + necessary for maintaining such certifications for the Services + during the Term. The data importer also regularly undergoes Service + Organization Control 2 (SOC 2) Type II audits. Subject to the data + importer's confidentiality obligations and no more than once a + year, the data importer will provide the data exporter with a copy + of the SOC 2 Type II Report upon written request. The data importer + will make new SOC 2 reports available as they are completed subject + to the data importer's confidentiality requirements. The data + importer regularly reviews its third party subservice + organizations, which undergo Standards for Attestation Engagements + No. 16 (SSAE 16) / International Standard on Assurance Engagements + No. 3402 (ISAE 3402) Service Organization Control 1 (SOC 1) Type II + or Service Organization Control 2 (SOC 2) Type II audits that + evaluate the design and effectiveness of their security policies, + procedures, and controls. + The data exporter agrees that the data importer's obligations set + forth in this Section A fully satisfy the audit rights under Clause + 5(f) and Clause 12 (2) of the Clauses. + B. Sub-processing. The data importer may engage other companies to + provide limited parts of the Services (including support services) + on the data importer's behalf, and the data exporter consents to + the data importer subcontracting the processing of personal data to + such sub-processors as described in the Clauses. The data importer + will ensure that any sub-processor will only access and use + personal data to provide the Services as set forth in a written + agreement between the data importer and the sub-processor. The data + exporter acknowledges that any requirements applicable to the data + importer under the Clauses in respect of agreements with + sub-processors shall be satisfied in full provided that the + sub-processing agreement between the data importer and the + sub-processor provides at least the level of data protection + required under the Dropbox Business Agreement. + C. Liability. The Clauses shall be subject to the limitations and + exclusions of liability contained in the "Limitation of Liability" + section of the Dropbox Business Agreement, such that the total + liability of the data importer and Dropbox Ireland, in aggregate, + shall not exceed the limitations set out in the Dropbox Business + Agreement. For the avoidance of doubt, the data exporter shall not + be entitled to recover from both the data importer and Dropbox + Ireland in respect of the same loss. + __________________________________________________________________ + +Appendix 1 to the Standard Contractual Clauses + + This Appendix forms part of the Clauses and must be completed and + signed by the parties. + + The Member States may complete or specify, according to their national + procedures, any additional necessary information to be contained in + this Appendix. + +Data exporter + + The data exporter is (please specify briefly your activities relevant + to the transfer): + + The Customer to the Dropbox Business Agreement with Dropbox Ireland. + +Data importer + + The data importer is (please specify briefly activities relevant to the + transfer): + + Dropbox, Inc., a global provider of cloud services for individuals and + business. Dropbox, Inc., and its affiliates provide a website, software + and mobile applications that allow people to store files, synchronize + files across multiple devices, and collaborate with others. Dropbox, + Inc.'s service may also be accessed by Application Programming + Interfaces (APIs). + +Data subjects + + The personal data transferred concern the following categories of data + subjects (please specify): + + The data exporter and data exporter's affiliates' end users including + employees, consultants and contractors of the data exporter, as well as + any individuals collaborating or sharing with these end users using the + services provided by data importer. + +Categories of data + + The personal data transferred concern the following categories of data + (please specify): + + End users identifying information and organization data (both on-line + and off-line) as well as documents, images and other content or data in + electronic form stored or transmitted by end users via data importer's + services. + +Processing operations + + The personal data transferred will be subject to the following basic + processing activities (please specify): + + The data importer or its sub-processors will use and process personal + data and the data exporter instructs the data importer to use and + process personal data in order to provide the Services under the + Dropbox Business Agreement. + __________________________________________________________________ + +Appendix 2 to the Standard Contractual Clauses + + This Appendix forms part of the Clauses and must be completed and + signed by the parties. + + Description of the technical and organisational security measures + implemented by the data importer in accordance with Clauses 4(d) and + 5(c) (or document/legislation attached): + +Data Privacy Contact + + The data privacy officer of the data importer can be reached at + privacy@dropbox.com + +Security Measures + + The data importer has implemented and will maintain appropriate + administrative, technical and physical safeguards to protect personal + data as further described in the Dropbox for Business Security + Whitepaper (available as of the Effective Date at: + [78]https://www.dropbox.com/…/Security_Whitepaper.pdf) and additionally + set forth below. The data importer may update these security measures + from time to time, with the most recent version available at the above + URL (or other URL as communicated by data importer), provided however + that data importer will notify data exporter if data importer updates + the security measures in a manner that materially diminishes the + administrative, technical or physical security features described + therein or in this Appendix 2. + 1. Service Security + 1. Dropbox Architecture. The data importer's service is designed + with multiple layers of protection, covering data transfer, + encryption, network configuration and application-level + controls that are distributed across a scalable, secure + infrastructure. End users of data importer's service can + access files and folders at any time from the desktop, web and + mobile clients. All of these clients connect to secure + services to provide access to files, allow file sharing with + others, and update linked devices when files are added, + changed or deleted. The service can be utilized and accessed + through a number of interfaces. Each has security settings and + features that process and protect the data while ensuring ease + of access. + 2. Reliability. The data importer's service is developed with + multiple layers of redundancy to guard against data loss and + ensure availability. + 3. Encryption. To protect the data in transit between the data + exporter and data importer, data importer uses Secure Sockets + Layer (SSL)/Transport Layer Security (TLS) for data transfer, + creating a secure tunnel protected by 128-bit or higher + Advanced Encryption Standard (AES) encryption. File data at + rest is encrypted using 256-bit AES encryption. The data + importer's encryption key management infrastructure is + designed with operational, technical and procedural security + controls with very limited direct access to keys. Encryption + key generation, exchange and storage are distributed for + decentralized processing. + 4. User Management Features. End users of data importer's service + have the ability to restore lost files and recover previous + versions of files, ensuring changes to those files can be + tracked and retrieved. The data importer's service allows for + the use of a two-step authentication procedure which adds an + extra layer of protection. + 5. Data Centers. The data importer's corporate and production + systems are housed at third-party subservice organization data + centers located in the United States. The data importer + reviews all subservice organization data center Service + Organization Control (SOC) 1 and/or SOC 2 reports at a minimum + annually for sufficient security controls. + 2. Information Security. + 1. Policies. The data importer has established a thorough set of + security policies covering areas of information security, + physical security, incident response, logical access, physical + production access, change management and support. These + policies are reviewed and approved at least annually. The data + importer personnel are notified of updates to these policies + and are provided security training. + 2. Personnel Policy and Access. The data importer's internal + policies require onboarding procedures that include background + checks (as allowed by local laws), security policy + acknowledgement, communicating updates to security policy, and + non-disclosure agreements. All personnel access is promptly + removed when an employee or contractor leaves the company. The + data importer employs technical access controls and internal + policies to prohibit employees or contractors from arbitrarily + accessing file data and to restrict access to metadata and + other information about end users' accounts. In order to + protect end user privacy and security, only a small number of + employees or contractors have access to the environment where + end user files are stored. A record of access request, + justification and approval are recorded by management and + access is granted by appropriate individuals. + 3. Network Security. The data importer maintains network security + and monitoring techniques that are designed to provide + multiple layers of protection and defense. The data importer + employs industry-standard protection techniques, including + firewalls, network security monitoring, and intrusion + detection systems to ensure only eligible traffic is able to + reach data importer's infrastructure. + 4. Change Management. The data importer ensures that + security-related changes have been authorized prior to + implementation into the production environments. Source code + changes are initiated by developers that would like to make an + enhancement to a data importer application or service. Changes + to data importer's infrastructure are restricted to authorized + personnel only. Changes to the application level of the + services are required to go through automated quality + assurance ("QA") testing procedures to verify that security + requirements are met. Successful completion of QA procedures + leads to implementation of the change. + 5. Compliance. The data importer, its data center providers, and + its managed service provider undergo regular security audits + which are performed by an independent third party. The data + importer will continue to participate in regular ISO/IEC + 27001:2013 and ISO/IEC 27018:2014 audits. Data importer also + reviews SOC 1 and/or SOC 2 reports for all subservice + organizations. In the event a subservice organization's SOC 1 + and/or SOC 2 report is unavailable, data importer performs + security site visits to verify applicable physical, + environmental, and operational security controls satisfy + control criteria and contractual requirements. The data + importer evaluates additional certifications and compliance + attestations, as made available to data importer by the + subservice providers, on an ongoing basis. + 3. Physical Security + 1. Infrastructure. Physical access to subservice organization + facilities where production systems reside are restricted to + personnel authorized by data importer, as required to perform + their job function. Any individuals requiring additional + access to production environment facilities are granted that + access through explicit approval by appropriate management. + 2. Office. The data importer maintains a physical security team + that is responsible for enforcing physical security policy and + overseeing the security of data importer's corporate offices. + Access to areas containing corporate services is restricted to + authorized personnel via elevated roles granted through the + badge access system. + __________________________________________________________________ + +Footnotes + + 1. Parties may reproduce definitions and meanings contained in + Directive 95/46/EC within this Clause if they considered it better + for the contract to stand alone. [79]↩ + 2. Mandatory requirements of the national legislation applicable to + the data importer which do not go beyond what is necessary in a + democratic society on the basis of one of the interests listed in + Article 13(1) of Directive 95/46/EC, that is, if they constitute a + necessary measure to safeguard national security, defence, public + security, the prevention, investigation, detection and prosecution + of criminal offences or of breaches of ethics for the regulated + professions, an important economic or financial interest of the + State or the protection of the data subject or the rights and + freedoms of others, are not in contradiction with the standard + contractual clauses. Some examples of such mandatory requirements + which do not go beyond what is necessary in a democratic society + are, inter alia, internationally recognised sanctions, + tax-reporting requirements or anti-money-laundering reporting + requirements. [80]↩ + 3. This requirement may be satisfied by the subprocessor co-signing + the contract entered into between the data exporter and the data + importer under this Decision. [81]↩ + +Dropbox DMCA Policy + + Dropbox (“Dropbox”) respects the intellectual property rights of others + and expects its users to do the same. In accordance with the Digital + Millennium Copyright Act of 1998, the text of which may be found on the + U.S. Copyright Office website at + [82]http://www.copyright.gov/legislation/dmca.pdf, Dropbox will respond + expeditiously to claims of copyright infringement committed using the + Dropbox service and/or the Dropbox website (the “Site”) if such claims + are reported to Dropbox’s Designated Copyright Agent identified in the + sample notice below. + + If you are a copyright owner, authorized to act on behalf of one, or + authorized to act under any exclusive right under copyright, please + report alleged copyright infringements taking place on or through the + Site by completing the following DMCA Notice of Alleged Infringement + and delivering it to Dropbox’s Designated Copyright Agent. Upon receipt + of Notice as described below, Dropbox will take whatever action, in its + sole discretion, it deems appropriate, including removal of the + challenged content from the Site. + + DMCA Notice of Alleged Infringement (“Notice”) + + 1. Identify the copyrighted work that you claim has been infringed, or + - if multiple copyrighted works are covered by this Notice - you + may provide a representative list of the copyrighted works that you + claim have been infringed. + 2. Identify the material or link you claim is infringing (or the + subject of infringing activity) and to which access is to be + disabled, including at a minimum, if applicable, the URL of the + link shown on the Site or the exact location where such material + may be found. + 3. Provide your company affiliation (if applicable), mailing address, + telephone number, and, if available, email address. + 4. Include both of the following statements in the body of the Notice: + + “I hereby state that I have a good faith belief that the + disputed use of the copyrighted material is not authorized by + the copyright owner, its agent, or the law (e.g., as a fair + use).” + + “I hereby state that the information in this Notice is + accurate and, under penalty of perjury, that I am the owner, + or authorized to act on behalf of, the owner, of the copyright + or of an exclusive right under the copyright that is allegedly + infringed.” + 5. Provide your full legal name and your electronic or physical + signature. + + Deliver this Notice, with all items completed, to Dropbox’s Designated + Copyright Agent: + Copyright Agent + Dropbox Inc. + 333 Brannan Street + San Francisco, CA 94107 + [83]copyright@dropbox.com + [84]Submit DMCA notice + +Dropbox Acceptable Use Policy + + Dropbox is used by millions of people, and we're proud of the trust + placed in us. In exchange, we trust you to use our services + responsibly. + + You agree not to misuse the Dropbox services ("Services") or help + anyone else to do so. For example, you must not even try to do any of + the following in connection with the Services: + * probe, scan, or test the vulnerability of any system or network; + * breach or otherwise circumvent any security or authentication + measures; + * access, tamper with, or use non-public areas or parts of the + Services, or shared areas of the Services you haven't been invited + to; + * interfere with or disrupt any user, host, or network, for example + by sending a virus, overloading, flooding, spamming, or + mail-bombing any part of the Services; + * access, search, or create accounts for the Services by any means + other than our publicly supported interfaces (for example, + "scraping" or creating accounts in bulk); + * send unsolicited communications, promotions or advertisements, or + spam; + * send altered, deceptive or false source-identifying information, + including "spoofing" or "phishing"; + * promote or advertise products or services other than your own + without appropriate authorization; + * abuse referrals or promotions to get more storage space than + deserved; + * circumvent storage space limits; + * sell the Services unless specifically authorized to do so; + * publish or share materials that are unlawfully pornographic or + indecent, or that contain extreme acts of violence; + * advocate bigotry or hatred against any person or group of people + based on their race, religion, ethnicity, sex, gender identity, + sexual preference, disability, or impairment; + * violate the law in any way, including storing, publishing or + sharing material that's fraudulent, defamatory, or misleading; or + * violate the privacy or infringe the rights of others. |