SKILLGYM – TERMS AND CONDITIONS OF SERVICE
This Agreement and General Terms and Conditions govern the use of the Services made available to the Prospect as a free trial by Lifelike. By selecting (or ticking) the appropriate acceptance box, the Prospect declares (1) to have received a copy of the below Terms and Conditions and / or to have downloaded a copy from the official and / or product website of Lifelike, (2) to have read and understood their contents, and (3) to accept their content in all parts.
Background and Whereas:
- Lifelike SA, incorporated and registered in Chiasso (CH), V.A.T. number CHE-178.566.624 IVA, whose registered office is at C.so San Gottardo 16, 6830 Chiasso (CH), hereinafter referred to as “LIFELIKE” or “Supplier”, has developed a software application with the aim of providing a training and / or assessment service (branded as “Skillgym”) by means of an innovative multimedia interactive simulation approach. The scope of Skillgym is the on-line training and / or measurement of the interpersonal communication and negotiation skills of people;
- Skillgym is a Software as a Service available to subscribers via the internet (the “Service”) on www.skillgym.com or other applicable website (including mobile applications) of the Supplier;
- The Prospect of Lifelike has expressed the interest to try, free of charge and for a limited period of 14 days, SkillGym;
- The Supplier has agreed to provide to the Prospect the Supplier’s SaaS Service for free trial, subject to the terms and conditions of this Agreement.
Agreed terms
1. Interpretation
1.1 The definitions and rules of interpretation in this clause shall apply in this agreement as follows:
Prospect: any physical person who has been delivered, by Lifelike, a personal login to use the Service for a limited-time and free-of-charge evaluation and who has agreed to the applicable Terms and Conditions.
Prospect Data: the data inputted by the Prospect, Authorized Users, or the Supplier on the Prospect’s behalf, for the purpose of using the Service or facilitating the Prospect’s use of the Service.
Documentation: the document made available to the Prospect by the Supplier online via www.skillgym.com or such other web address notified by the Supplier to the Prospect from time to time, which sets out a description of the SaaS Services and the user instructions for the SaaS Services.
SkillGym SaaS Services (or “SaaS Services” or “Service”): the web-based services provided by the Supplier to the Prospect under this Agreement with the scope of the evaluation of the fit of the training of the interpersonal communication and negotiation skills of individuals as detailed and available on www.skillgym.com.
Free Trial Term: means that period of 14 (fourteen) days, during which Prospect and / or Authorized Users will have on-line access and use of the Software through Lifelike’s SaaS Services.
User Subscriptions: the user subscriptions assigned free-of-charge to the Prospect for the Free Trial Term by the Supplier which entitle the Prospect to access to the Service and the Documentation.
2. User subscription
2.1 Subject to the Prospect accepting this Agreement, the Supplier hereby grants to the Prospect a non-exclusive, free of charge, non-transferable right to use the SaaS Services and the Documentation during the Free Trial Term solely for the scope of evaluation of the Service. Title to and ownership of all proprietary rights in or related to the Service and all partial or complete copies of the Service’s technology shall at all times remain with LIFELIKE. This Agreement shall not be construed as a sale of any rights in the Software, any copies or any part thereof.
3. Supplier’s obligations and limitation of liability
3.1 The Supplier undertakes that the Service will be performed substantially in accordance with the Documentation and with reasonable skill and care and warrants that it has and will maintain all necessary licences, consents, and permissions necessary for the performance of its obligations under this agreement.
3.2 The undertaking at clause 3.1 shall not apply to the extent of any non-conformance which is caused by use of the Service contrary to the Supplier’s instructions, or modification or alteration of the Service by any party other than the Supplier or the Supplier’s duly authorized contractors or agents.
3.3 The Supplier:
(a) does not warrant that the use of the Service will be uninterrupted or error-free; nor that the Services and/or the Documentation will meet the Authorized User’s requirements; and
(b) is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Prospect acknowledges that the Services and Documentation may be subject to limitations, delays and other problems inherent in the use of such communications facilities; and
(c) except for the above express limited warranties, the Supplier makes and the Prospect receives no warranties, express, implied, statutory or in any communication with the Authorized User, and the Supplier specifically disclaims any implied warranty of merchantability or fitness for a particular purpose; and
(d) is not responsible, not even in part, for any difficulty, defect, failure, interruption or inability to access and / or use the Service, whether related to the hardware equipment and software of the Prospect or his internet connection, or to actions and / or behaviour of the Prospect which prove to be inappropriate, harmful or against the law (including copyright infringement), whether national or international; and
(e) in no event will be liable for any damages, including loss of data, lost profits, cost of cover or other special, incidental, consequential or indirect damages arising in any way out of this agreement, or from the use of the Service and the Software and the accompanying Documentation, however caused and on any theory of liability. This limitation will apply even if the Supplier has been advised of the possibility of such damage and notwithstanding the failure of any limited remedy provided herein. The Authorized User acknowledges that the consideration agreed reflects this allocation of risks.
4. Prospect’s obligations
4.1 The Prospect shall:
(a) provide the Supplier with:
(i) all necessary co-operation in relation to this agreement; and
(ii) all necessary access to such information as may be required by the Supplier in order to render the Service, including but not limited to Prospect Data, security access information and configuration services;
(b) comply with all applicable laws and regulations with respect to its activities under this agreement; and
(c) carry out all other Authorized User responsibilities set out in this agreement in a timely and efficient manner. In the event of any delays in the Prospect’s provision of such assistance as agreed by the parties, the Supplier may adjust any agreed timetable or delivery schedule as reasonably necessary; and
(d) ensure that the use of the Service and the Documentation shall happen in accordance with the terms and conditions of this agreement and Prospect shall be responsible for any breach of this agreement; and
(e) obtain and shall maintain all necessary licences, consents, and permissions necessary for the Supplier, its contractors and agents to perform their obligations under this agreement, including without limitation the Service; and
(f) ensure that its network and systems comply with the relevant specifications provided by the Supplier from time to time; and
(g) assume full responsibility for the accuracy and truthfulness of the information provided to the Supplier and ensure that all the information provided, including any text, graphics, data, images and sounds, is lawfully available and does not violate any law, copyright, trademark, patent or other rights of third parties arising from law, contract or custom. The Prospect therefore undertakes to indemnify the Supplier for any claim for compensation and / or damages made by third parties as a result of the publication of these materials; and
(h) be solely responsible for procuring and maintaining its network connections and telecommunications links from its systems to the Supplier’s data centres, and for all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Prospect’s network connections or telecommunications links or caused by the internet.
4.2 The Prospect agrees:
(a) to prevent unauthorized access to or use of the Service and to immediately notify the Supplier of any possible unauthorized access or use; and
(b) to use the Service in compliance with the directives made by the Supplier, and – in any case – in a manner consistent with applicable laws and regulations; and
(c) to use the Service only for personal use; and
(d) not to use the Service to store, process or transmit illegitimate and / or illegal material (software or anything else potentially dangerous, viral or malicious), or to disclose material that violates the privacy / copyright of any third party, or any other kind of material deemed inappropriate by the Supplier; and
(e) not to use the Services to store, process or transmit any malicious code; and
(f) not to interfere with or undermine the integrity and performance of the services or information contained in such third-party services; and
(g) not to gain unauthorized access to the Services or to the systems and networks related to them.
4.3 In relation to the use of the Service:
(a) In order to use the Services, Prospect must obtain a valid Skillgym account, which can be obtained by registering on the website www.skillgym.com (or any other website, including mobile applications, notified to the Prospect by the Supplier from time to time) by filling in the registration form, accepting the Prospect’s Terms and Conditions and providing all the required information, including a valid e-mail address (“Registration Data”); and
(b) it will not allow or suffer the assigned User Subscription to be used by other physical persons; Prospect is responsible for maintaining the confidentiality of account login information (username / password), and is fully responsible for all activities performed on his account. The Authorized User agrees to: (a) provide true, accurate, current and complete information about himself as prompted by the registration form to the Service, and (b) maintain and promptly update the Registration Data to keep the information true, accurate, current and complete, (c) immediately inform Lifelike of any unauthorized use of his personal account or any other breach of security, and (d) exit from his account (“logout”) at the end of each work session; and
(c) The Supplier undertakes no obligation to verify the data provided by the Prospect. However, if Lifelike finds or even just suspects that such information is untrue, inaccurate, not updated or incomplete, Lifelike may suspend or terminate any account and refuse any and all current or future use of the Service; and
(d) The Supplier cannot and will not be liable for any loss or damage arising from Authorized Users’ failure to comply with this section.
4.4 The Prospect shall not:
(a) except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties:
(i) and except to the extent expressly permitted under this agreement, attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Software and/or Documentation (as applicable) in any form or media or by any means; or
(ii) attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Software; or
(b) access all or any part of the Services and Documentation in order to build a product or service which competes with the Services and/or the Documentation; or
(c) license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Services and/or Documentation available to any third party.
4.5 The Prospect shall use all reasonable endeavours to prevent any unauthorized access to, or use of, the Service and/or the Documentation and, in the event of any such unauthorized access or use, shall promptly notify the Supplier.
5. Prospect’s data
5.1 Referring to the Service and to the use of the Software, the parties specify that it has been represented to Prospect, and Prospect accepts:
(a) the need that the use of the Service and of the Software has to follow the explicit or clear acceptance by means of adhesion in electronic format of the use conditions as established by the present Agreement as available at the “Terms&Conditions” link on the www.skillgym.com website;
(b) the need that every use of the Service and of the Software be registered (in a tracking log), covering every kind of use by the Prospect and also (where applicable) personal identifying data;
(c) the need that such tracking log (not accessible to the Prospect) has to be stored by LIFELIKE during and at the end of each use of the Service and of the Software.
5.2 Supplier is committed to administrative, physical and technical safeguards to ensure the security, confidentiality and integrity of Prospect’s Data. Supplier also is committed to not access the Prospect’s Data, except to the extent required for the proper delivery of services purchased, including actions to prevent technical problems.
5.3 Supplier declares that no data of any nature existing on the computers of the Prospect, with the exception of those generated within each single use of the Service and of the Software, will be made available to third parties, and moreover that the Software contains no spyware or other malware.
5.4 If the Supplier processes any personal data on the Prospect’s behalf when performing its obligations under this Agreement, the parties record their intention that the Prospect shall be the data controller and the Supplier shall be a data processor, and in any such case data shall be processed according to the rules defined in the Data Processing Agreement in Annex A.
6. Product support and Lifelike service levels
6.1 The Prospect acknowledges that the Service is subject to processes of bug fixing, software updates, or features updates, new apps and new modules. Lifelike will not be required to make any notice to the Prospect.
7. Proprietary rights
7.1 The Prospect acknowledges and agrees that the Supplier owns all intellectual property rights in the Service, in the related technology and the Documentation. Except as expressly stated herein, this agreement does not grant the Prospect any rights to, or in, patents, copyrights, database rights, trade secrets, trade names, trademarks (whether registered or unregistered), or any other rights or licences in respect of the Service and/or the related technology and/or the Documentation.
7.2 The software made available online and associated with the Services is protected by copyright laws and international copyright treaties, as well as other intellectual property laws. Lifelike does not allow the activation and / or use of its services for the purposes of monitoring and / or copying and / or testing of the services provided by Lifelike, or for comparative analysis not commissioned by Lifelike itself. Lifelike therefore reserves the right to suspend the provision of the service and access to its products whenever there is even a suspicion that such a case applies.
8. Term and termination
8.1 This agreement shall commence on the date of acceptance of these Terms and Conditions and shall continue for the entire validity of the Free Trial Term, unless the Prospect and the Supplier have in the meantime terminated their agreement, in which case the Supplier shall have the right to terminate this agreement at any time and without notice.
8.2 Prospect may terminate this agreement at any time using the appropriate facility inside the Service.
8.3 On termination of this agreement for any reason: (i) all rights granted to the Prospect under this agreement shall immediately terminate and; (ii) the accrued rights of the parties as at termination, or the continuation after termination of any provision expressly stated to survive or implicitly surviving termination, shall not be affected or prejudiced.
9. Entire agreement
9.1 This agreement, and any documents referred to in it, constitute the whole agreement between the parties and supersede any previous arrangement, understanding or agreement between them relating to the subject matter they cover.
9.2 The Supplier may modify and / or update their Terms and Conditions from time to time without notice or acceptance by the Prospect. In the case of contracts providing for automatic renewal, those changes will take effect only from the first tacit renewal following the changes made in time to allow the Prospect the notice within contractual time limits.
10. Notices
10.1 Any notice required to be given under this Agreement shall be in writing.
11. Governing law and jurisdiction
11.1 This agreement and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) are governed by, and construed in accordance with, the law of Switzerland.
11.2 The parties irrevocably agree that the courts of Lugano have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this agreement or its subject matter or formation (including non-contractual disputes or claims).
ANNEX A – Data Processing Agreement
1. General
1.1 Scope
This Data Processing Agreement (“DPA”) sets out the Supplier’s obligations as a contractor of the Prospect (“Controller” or “data controller”) related to any data processing performed on its behalf as part of the service “Skillgym” provided by the Supplier to the Prospect (the “Service”).
The Supplier shall perform the Processing activities described in DPA-Sub-Annex 1 to this DPA. The purposes of the Processing, as well as the categories of Personal Data to be Processed and the categories of Data Subjects, are described in DPA-Sub-Annex 1 to this DPA.
1.2 Interpretation and Hierarchy
A reference in this DPA to “writing” or “written” includes email.
The Annexes form part of this DPA. Any reference to this DPA includes the Annexes.
2. Definitions
| TERM | DEFINITION |
| --- | --- |
| Data Protection Requirements | Means all applicable laws and regulations relating to the Processing of Personal Data, including the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), sector-specific laws and applicable guidance and codes of practice issued by supervisory authorities. |
| Data Subject | Means an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
| Personal Data | Means any information relating to a Data Subject. |
| Processing | Means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Security Breach | Shall have the meaning given in Section 9.1. |
| TOMs | Shall have the meaning given in Section 8.1. |
3. Instructions; Compliance with Data Protection Requirements
3.1 Instructions and Controller’s obligations
The Supplier shall process Personal Data only within the scope of this DPA and according to specific individual instructions from the Controller. The Controller is solely responsible for the Data Processing. Therefore, the Controller is responsible for compliance with the Data Protection Requirements and for ensuring that its processing activities are compliant with the requirements of EU Regulation 2016/679 and any other relevant applicable law.
The Supplier shall nominate an individual that is duly qualified on Data Protection Requirements who is authorized to represent the Supplier in respect of this DPA and to receive instructions from the Controller. The Controller shall without undue delay confirm oral instructions in writing. The Supplier will inform the Controller in writing if it considers that any instruction issued by the Controller potentially violates Data Protection Requirements.
3.2 Compliance with Data Protection Requirements
The Supplier shall comply with Data Protection Requirements when Processing Personal Data. The Supplier shall reasonably assist the Controller in defending any claim that may be brought against the Controller for the violation of any Data Protection Requirements.
4. Provision of Information and Support
Upon the Controller’s request, the Supplier shall provide all information necessary to comply with the Data Protection Requirements. Moreover, the Supplier shall support the Controller in meeting the Data Protection Requirements, in particular regarding privacy by design, records of Processing activities, fulfilling the Controller’s obligation to respond to requests for exercising the data subject’s rights, cooperation with and notifications to the relevant supervisory authority, security of Processing and the conduct of a data protection/privacy impact assessment.
5. No Onward Transfer of Personal Data
5.1 Any Processing of Personal Data under this DPA shall take place on the Supplier premises as specified in DPA-Sub-Annex 1 to this DPA, unless prior written approval to the contrary has been provided by the Controller.
5.2 The Supplier shall not transfer or Process Personal Data outside the European Economic Area without the prior written consent of the Controller; however, in consideration of the European Commission adequacy decision concerning Switzerland, the transfer of Personal Data to Switzerland is permitted.
6. Subcontractors
6.1 Approval Requirement
The Supplier shall receive from the Controller written approval about the appointment of the Subprocessor.
6.2 Auditing of the Subcontractor
The Controller shall be entitled at any time to demand copies of relevant agreements concluded between the Supplier and its subcontractors, subject to the reasonable protection of commercial details, and trade and business secrets.
7. Rights to, Confidentiality, Return and Destruction of Personal Data
7.1 Rights to Personal Data
All Personal Data is and shall remain the sole and exclusive property of The Controller. The Supplier hereby: (i) irrevocably assigns, transfers and conveys to The Controller any of its rights, titles and interests in respect of the Personal Data; and (ii) waives any and all rights to cease performance of the Processing and/or to deny fulfilment of any of the obligations under this DPA towards The Controller, provided that the respective counterclaim of Supplier is not undisputed or not established legally binding. Upon The Controller’s request, Supplier shall execute and deliver any documents that may be necessary or desirable under any law to preserve, or enable The Controller to enforce, its rights hereunder with respect to the Personal Data.
7.2 Confidentiality and Notifications
The Supplier shall observe data secrecy and maintain confidentiality when Processing Personal Data under this DPA and shall procure the same from any personnel engaged in connection with this DPA. The Supplier shall therefore only engage employees for Processing Personal Data, who are properly instructed, adequately and regularly trained on Data Protection Requirements relevant to their work, and who are bound to confidentiality. The Supplier shall verify its compliance with this obligation to The Controller on request by means of a signed declaration form.
The parties shall treat as strictly confidential all matters not in the public domain and in particular the business and company secrets of the other party, only to use such information for purposes of this DPA, and not to record, disclose or make use of such information.
Where Personal Data becomes subject to audits, inspections, investigations, search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, a disclosure order, any (including pending or threatened) enforcement proceeding, action or lawsuit brought or threatened against the Supplier or a subcontractor relating to Personal Data, or similar events or measures by third parties, the Supplier shall inform the Controller without undue delay. The Supplier shall, without undue delay, notify all parties to such action that any affected Personal Data is in the Controller’s sole property and area of responsibility, that the Personal Data is at the Controller’s sole disposition, and that the Controller is the responsible body in the sense of the Data Protection Requirements.
7.3 Deletion or Return of Personal Data
The Supplier shall retain Personal Data only for as long as it is necessary to fulfil the Processing of Personal Data under this DPA. The Supplier shall not create copies or duplicates without the prior written approval of the Controller, with the exception of back-up copies to the extent these are necessary to ensure orderly Processing of the Personal Data, and data required to meet regulatory data retention requirements.
Upon termination or expiry of the Agreement, the Supplier shall, at the Controller’s request, delete or return to the Controller, in a structured, commonly used and machine-readable format, all documents, Processing and work results, and data sets relating to the Agreement.
The Supplier shall confirm in writing that it has complied with this Section 7.3 and shall provide a log of the deletion on the Controller’s request.
The Supplier shall retain documentation used to demonstrate the orderly Processing of Personal Data under this DPA beyond the Agreement term in accordance with statutory retention periods.
8. Technical and Organizational Measures; Records
8.1 Technical and Organizational Measures
The Supplier shall implement and maintain, operational, managerial, physical, technical and organizational measures (“TOMs”) to protect the Personal Data against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure or access appropriate to the risk concerning confidentiality, integrity, availability and resilience of systems as required by the Data Protection Requirements. The Supplier’s TOMs shall at all times ensure a strict separation between the Personal Data Processed under this DPA, the Supplier’s own data and the data of the Supplier’s other Prospects. The TOMs Supplier shall implement as of the date of this DPA are set out in DPA-Sub-Annex 3 to this DPA.
8.2 Information about and changes of TOMs
The Supplier shall inform the Controller of: (i) any planned changes to the TOMs; and (ii) all relevant events (including any audits performed in respect of the Personal Data) in respect of the privacy, confidentiality or protection of the Personal Data. Any changes to the TOMs that the Supplier intends to implement shall require prior written approval of the Controller, except if and to the extent such change has to be implemented immediately in order to safeguard Personal Data without allowing Supplier to wait for The Controller’s approval in which case The Controller’s approval shall be requested ex post and the change shall be maintained only with The Controller’s approval or if indispensable in order to safeguard Personal Data. The security level of defined measures should not be reduced as a result of a change.
9. Security Breaches
9.1 Notification Obligation
The Supplier shall provide the Controller with detailed written notice (for the attention of the Controller’s Chief Information Security Officer and Data Protection Officer) within twelve (12) hours: (i) of discovering or being informed of any loss of or unauthorized access to Personal Data maintained or stored by the Supplier or a subcontractor; or (ii) of any violation of the Data Protection Requirements by the Supplier or a subcontractor (“Security Breach”). The notice shall in particular include a description of: (i) the nature of the Security Breach; (ii) the likely consequences of the Security Breach; and (iii) the measures taken or proposed to be taken to address the Security Breach. In this case the Supplier, in addition to any obligation contained in this DPA and the Agreement, shall at its own expense:
(i) conduct a state of the art forensic and security review and audit in connection with a Security Breach and inform The Controller of the outcome of such review and the corrective and preventive action taken in order to avoid identical or similar Security Breaches in the future; and
(ii) reasonably cooperate with The Controller in responding to such Security Breach and taking the required corrective and/or preventive action.
10. Rectification, Restriction and Erasure; Rights of Data Subjects
The Supplier may not on its own authority rectify, erase or restrict the Processing of Personal Data, but only on the written instructions of the Controller. Supplier will inform the Controller promptly upon becoming aware of any errors or inaccuracies related to Personal Data which may arise in connection with the Processing of the Personal Data. The Supplier shall promptly correct any errors or inaccuracies in the Personal Data upon the Controller’s written request.
In the event that a Data Subject contacts the Supplier directly in respect of their Personal Data requesting access, rectification, erasure, restriction of Processing or data portability, the Supplier shall immediately forward the Data Subject’s request to the Controller.
The Supplier shall implement technical and organizational measures to, and shall otherwise, assist the Controller in responding to requests from Data Subjects exercising their rights in respect of their Personal Data, so as to enable the Controller to comply with the Data Protection Requirements. This includes in particular the following: upon request by the Controller, the Supplier will (i) without undue delay provide the Controller with a copy of the data subject’s Personal Data in a structured, commonly used and machine-readable format or, (ii) at the Controller’s discretion, provide reasonable access to the Personal Data, and (iii) promptly provide the Controller with such information regarding the Processing of Personal Data as the Controller may reasonably request.
11. Audits
The Supplier shall permit the Controller and any company within the Controller Group that is a recipient of services under the Agreement, the Controller’s appointed auditors, and where required the relevant supervisory authorities, to inspect and audit the Supplier’s Processing operations (including as to the execution of the TOMs) and compliance with the Controller’s instructions and the Data Protection Requirements. The Supplier shall provide such parties (including their respective authorised representatives) with all information and access rights (including to premises and databases) relating to the Processing of the Personal Data.
In the event of any finding resulting from such inspections or audits, the Supplier shall promptly take all required corrective actions at its own cost and shall procure the same from its subcontractors.
The Supplier shall audit on a recurring basis (at least once a year) its compliance with this DPA, the Agreement and Data Protection Requirements in regards to the Processing. The previous paragraph shall apply mutatis mutandis to findings in such self-audits. The Supplier shall promptly notify the Controller in writing of any findings indicating that the Supplier, or its Processing of the Personal Data, is not in compliance with Data Protection Requirements or the provisions of this DPA and/or the Agreement.
If audits are carried out by a supervisory authority at the Controller Group which in whole or in part relate to this DPA, the Supplier shall provide reasonable support to the Controller via the Supplier within the scope of this DPA.
If a supervisory authority which is responsible for an entity of the Controller Group carries out an audit at the Supplier, this audit shall be carried out in the presence of the Controller.
If audits of the Supplier are carried out by a supervisory authority responsible for the Supplier, the Supplier shall immediately notify the Controller, in particular with regard to any findings that exert a direct or indirect effect on the contractual relationship.
12. Duration of this DPA
The duration of this DPA shall correspond with the duration of the Service. The expiry or termination of the Service shall not relieve the parties of their respective obligations regarding the privacy and data protection of Personal Data for as long as such Processing is performed after such expiration or termination.
DPA-SUB-ANNEX 1
Data Description and Processing Activities
- Details of the Data Processor’s premises where Personal Data will be Processed:
All of the Controller’s Personal Data are managed by the Supplier: Lifelike SA, based at Corso San Gottardo 16, 6830 Chiasso (TI), Switzerland. Lifelike SA stores the Controller’s Personal Data on dedicated servers which are physically located in the European Union and are housed by Lifelike’s Subcontractor Fastera Swiss SA, Via Penate 16, 6850 Mendrisio (CHE), which, in order to comply with Lifelike’s TOM, has physically located all of Lifelike’s servers at EQUINIX, Data center IBX® ML2, Milano, Via Savona 125, 20144 – Milano (MI) – Italy. Neither Fastera Swiss SA nor the EQUINIX Data Center has any logical access to Lifelike’s databases, in accordance with Lifelike’s TOM Policies.
- Description of the purposes and ways of Processing Personal Data:
The purpose of Processing Personal Data is to provide a unique personal identification access key (personal email address) allowing access to an on-line educational service requested by the Controller in order to train its personnel on specific educational content related to the job description of certain employees.
- Processing Activities
  - Collection
  - Recording
  - Storage
  - Consultation
  - Extraction
  - Disclosure by transmission (to the Supplier and/or the Data Controller)
  - Retrieval
- Categories of Data Subjects
  - Employees
  - Business partners (Providers, clients, brokers, intermediaries…)
- Categories of Personal Data
  - Full name
  - Job title/role
  - Company / Entity
DPA-SUB-ANNEX 2
Supplier’s details
The following details define the Supplier’s authorization to carry out work as the Controller’s contractor:
Supplier Corporate Name: LIFELIKE SA
Supplier Registered Offices: Corso San Gottardo 16, 6830 Chiasso (TI), Switzerland
Supplier’s Premises where Processing will occur: LIFELIKE Registered Office, with remote secure access to the database hosted by EQUINIX, Data center IBX® ML2, Milano, Via Savona 125, 20144 – Milano (MI) – Italy.
Subprocessor representative responsible for data privacy (e.g. Data Protection Officer) contact details: Arianna Laus, CHRO and CFO of Lifelike SA, C.so San Gottardo 16, Chiasso (CHE)
DPA-SUB-ANNEX 3
Technical and Organizational Security Measures
Lifelike regards its Prospects’ confidential and personal information as among the most important data stored in its databases. Lifelike management and personnel therefore strive to keep it safe and secure at all times.
Lifelike stores all Prospect information in redundant databases in its cloud datacentre. Access to this data is restricted to employees working on the project concerned.
Only Lifelike’s appointed IT administrator has administrative access to the database and to the database user-management credentials.
Any additional procedural access or database usage by any other standard user requires formal, written senior-management approval before it is authorized.
Significant aspects and procedures of Lifelike’s user access management policy and procedures are as follows:
- All access requests (creation/change of access) to Lifelike IT systems storing Prospect information must be formally approved by a clearly identified set of Prospect employees.
- Requests to access any of our IT systems storing Prospect information must be justified on the grounds of a business requirement (creation/change of access) clearly related to the scope of the project for which the data has been stored.
- Documented checks ensure that access rights are provided on a need-to-know basis (least-privilege approach).
- Shared user IDs are forbidden (unless formally authorised by security under a time-limited exception request).
- Lifelike carries out a formal quarterly review of user access to Lifelike’s IT systems storing or handling Prospect information.
- The datacentre owner cannot access Lifelike’s servers.
User responsibility
Users must make sure their user IDs and passwords are not used to gain unauthorised access to Company systems by:
- Following Lifelike’s password policy.
- Ensuring that any PC they are using that is left unattended is locked or logged out.
- Leaving nothing on display that may contain access information, such as login names and passwords.
- Informing the IT team of any changes to their role and access requirements.
Network access control
The use of modems on non-Company-owned PCs connected to the Company’s network can seriously compromise the security of the network. The normal operation of the network must not be interfered with. Lifelike’s IT team must give specific advance approval before any equipment is connected to the Company’s network; approval is normally denied unless the connection serves the specific purposes of the company and/or its projects.
Remote supplier access to the Company network
Partner agencies and 3rd party suppliers must not be given details of how to access the Company’s network without permission from the IT team. The IT team must be informed immediately of any change to a supplier’s connections so that access can be updated or stopped. All permissions and access methods must be checked by our IT team.
Partners and 3rd party suppliers must contact the IT team before connecting to the company network and a log of activity must be maintained. Remote access software must be disabled when not in use.
Operating system access control
Access to operating systems is controlled by a secure login process. The login procedure must also be protected by:
- Not displaying any previous login information e.g. username.
- Limiting the number of unsuccessful attempts and locking the account if exceeded.
- Hiding password characters using symbols.
- Displaying a general warning notice that only authorised users are allowed.
All access to operating systems is via a unique login ID that will be audited and can be traced back to each individual user. The login ID must not give any indication of the level of access that it provides to the system (e.g. administration rights).
System administrators must have personal administrator accounts that will be logged and audited. The administrator account must not be used by individuals for normal day to day activities.
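The login requirements listed above (no previous login information on the prompt, a limit on unsuccessful attempts with lockout, masked password entry, a general warning notice, and a per-person user ID that is audited), implemented as an added example. This is hypothetical code, not Lifelike’s own system: the attempt limit, lockout duration, banner text, the account name a.smith and the fixed demonstration clock are assumptions chosen for the example.

```python
"""Login gate with attempt limiting, account lockout and a per-user audit log.
Added example; hypothetical code, not Lifelike's own implementation."""
import getpass
import hashlib
import hmac
import logging
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

MAX_FAILED_ATTEMPTS = 5                    # assumed policy value
LOCKOUT_DURATION = timedelta(minutes=15)   # assumed policy value
# General warning notice only: no hostname, OS or organisation details before login.
WARNING_BANNER = "Authorised users only. All access is logged and audited."
# Fixed clock so the demonstration (and its test) is deterministic; assumption.
FIXED_CLOCK = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

audit = logging.getLogger("auth.audit")    # every attempt is traceable to a user ID


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 verifier so stored values cannot be reversed into passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    user_id: str            # unique per person; the ID itself says nothing about privilege level
    salt: bytes
    verifier: bytes
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

    @classmethod
    def create(cls, user_id: str, password: str) -> "Account":
        salt = secrets.token_bytes(16)
        return cls(user_id=user_id, salt=salt, verifier=_derive(password, salt))


class LoginGate:
    def __init__(self, accounts: Dict[str, Account]) -> None:
        self._accounts = accounts

    def prompt(self) -> str:
        """The prompt never echoes a previous user ID or any system detail."""
        return WARNING_BANNER + "\nLogin: "

    def is_locked(self, user_id: str, now: datetime) -> bool:
        acct = self._accounts.get(user_id)
        return bool(acct and acct.locked_until and now < acct.locked_until)

    def attempt(self, user_id: str, password: str, now: Optional[datetime] = None) -> bool:
        """Return True only for a known, unlocked account with the right password."""
        now = now or datetime.now(timezone.utc)
        acct = self._accounts.get(user_id)
        if acct is None:
            # Unknown IDs get the same generic failure as a wrong password.
            audit.warning("login failed user=%s reason=unknown-user", user_id)
            return False
        if self.is_locked(user_id, now):
            audit.warning("login refused user=%s reason=locked until=%s",
                          user_id, acct.locked_until.isoformat())
            return False
        if hmac.compare_digest(_derive(password, acct.salt), acct.verifier):
            acct.failed_attempts = 0
            acct.locked_until = None
            audit.info("login ok user=%s", user_id)
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_DURATION
            acct.failed_attempts = 0
            audit.warning("account locked user=%s until=%s",
                          user_id, acct.locked_until.isoformat())
        else:
            audit.warning("login failed user=%s failures=%d", user_id, acct.failed_attempts)
        return False


def interactive_login(gate: LoginGate) -> bool:
    """Terminal front end: getpass hides the typed password characters."""
    user_id = input(gate.prompt())
    password = getpass.getpass("Password: ")
    return gate.attempt(user_id, password)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(name)s %(message)s")
    demo = LoginGate({"a.smith": Account.create("a.smith", "correct horse battery staple")})
    interactive_login(demo)
```

Locked accounts reject even the correct password until the lockout expires, and the audit record carries the personal user ID on every path, which is what allows a later review to trace each attempt back to an individual.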
Application and Information access
Access within software applications must be restricted using the security features built into the individual product. The IT team is responsible for granting access to the information within the system. The access must:
- Be separated into clearly defined roles.
- Give the appropriate level of access required for the role of the user.
- Not be overridable (admin settings removed or hidden from the user).
- Be free from alteration by rights inherited from the operating system that could allow unauthorised higher levels of access.
- Be logged and auditable.
Privileged user access – Management policy and process
Access to our data or database uses a special user hierarchy that depends on the data type (confidential/not confidential) and the type of privilege (dba/non-dba).
This means that Lifelike’s employees can work as efficiently as possible on data that concerns their own projects alone (e.g. a user might be able to change the database structure but will not be able to see any confidential data in the database tables).
User permission rules include:
- All high-privilege access must be approved at management level
- The log of all users with high-privilege access is kept up to date at all times
- A set of processes and tools allows temporary high-privilege access to address immediate and critical operational requirements
- All actions by users with extraordinary and temporary high-privilege access are recorded.
- Privileged access is allowed to trustworthy persons alone.
- Duties are segregated for all privileged access rights (e.g. log vs. operations, database vs. backup, developer vs. acceptance tester).
- All privileged access rights are revoked as soon as they are no longer required.
End user device protection – Policy and procedures
All Lifelike client and server devices are protected as follows:
- All computers have antivirus software with anti-spyware, anti-malware and host intrusion detection / prevention.
- Personal firewalls are disabled because a network firewall is used.
- Network access is monitored.
- Removable devices (USB, DVDs etc.) are not encrypted.
- Hard drives are not encrypted.
The IT team constantly monitors the status of all devices and keeps antivirus and security software updated.
Checks are made via a network console with update override where necessary. This cannot be stopped by the end user.
Employees with portable, laptop, notebook, handheld, tablet and other transportable computers containing confidential information must not leave these computers unattended at any time unless the information is stored in encrypted form.
Whenever confidential information is written to a disk or other storage media, the storage media must be marked as confidential. When not in use, the media should then be kept under lock and key (e.g. a safe) or in a similarly secure location.
Every multi-user computer or communications system must have enough automated tools to allow the system administrator to verify the security status of the system. These tools must include methods for the recording, detecting, and correcting commonly-encountered security problems.
Where systems software permits, computer and communications systems handling sensitive, valuable, or critical Lifelike information must securely log all significant security events. Examples of security events include users switching user ID during an online session, attempts to guess passwords, attempts to use privileges that have not been authorized, modifications to production application software, modifications to system software, changes to user privileges, and changes to logging system configurations.
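The security events enumerated in the paragraph above (a user switching user ID during a session, attempts to guess passwords, attempts to use unauthorised privileges, changes to user privileges and changes to the logging configuration) can be recognised in a system log once they are written. The following is an added example, hypothetical code that is not Lifelike’s own tooling: it parses syslog-style auth lines, tags each with the policy category it belongs to, and flags user IDs with repeated failed passwords. The log lines are constructed for the example (host app01, users alice and bob, the threshold of three failures); they are not real data.

```python
"""Extract the security events named in the policy from auth-log lines.
Added example, hypothetical code; the log lines below are constructed, not real."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the style of a Linux auth log (syslog line format); not real data.
SAMPLE_LOG = """\
Mar  3 09:12:01 app01 sshd[2210]: Failed password for alice from 10.0.0.7 port 51022 ssh2
Mar  3 09:12:04 app01 sshd[2210]: Failed password for alice from 10.0.0.7 port 51022 ssh2
Mar  3 09:12:07 app01 sshd[2210]: Failed password for alice from 10.0.0.7 port 51022 ssh2
Mar  3 09:12:11 app01 sshd[2210]: Failed password for alice from 10.0.0.7 port 51022 ssh2
Mar  3 09:12:15 app01 sshd[2215]: Accepted password for alice from 10.0.0.7 port 51022 ssh2
Mar  3 09:13:40 app01 su[2290]: Successful su for root by alice
Mar  3 09:14:02 app01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:15:30 app01 usermod[2330]: add 'bob' to group 'sudo'
Mar  3 09:16:00 app01 rsyslogd: configuration reloaded
Mar  3 09:16:30 app01 CRON[2401]: (root) CMD (run-parts /etc/cron.hourly)
"""

SYSLOG_LINE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Policy event category -> message pattern; named groups become event fields.
EVENT_PATTERNS = [
    ("password_guess",         re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("login_ok",               re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("user_id_switch",         re.compile(r"Successful su for (?P<target>\S+) by (?P<user>\S+)")),
    ("unauthorised_privilege", re.compile(r"sudo:\s+(?P<user>\S+) : user NOT in sudoers.*COMMAND=(?P<command>.*)$")),
    ("privilege_change",       re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")),
    ("logging_config_change",  re.compile(r"rsyslogd: configuration reloaded")),
]


def extract_events(log_text: str) -> List[Dict[str, str]]:
    """Return one event dict per line that matches a policy category; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        for event_type, pattern in EVENT_PATTERNS:
            hit = pattern.search(m.group("msg"))
            if hit:
                event = {"type": event_type, "ts": m.group("ts"), "host": m.group("host")}
                event.update(hit.groupdict())
                events.append(event)
                break   # one category per line
    return events


def password_guessing(events: List[Dict[str, str]], threshold: int = 3) -> Dict[str, int]:
    """User IDs with at least `threshold` failed passwords (the policy's 'attempts to guess passwords')."""
    counts = Counter(e["user"] for e in events if e["type"] == "password_guess")
    return {user: n for user, n in counts.items() if n >= threshold}


def summarize(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count of events per policy category, for a quick review report."""
    return dict(Counter(e["type"] for e in events))


if __name__ == "__main__":
    evs = extract_events(SAMPLE_LOG)
    for e in evs:
        print(e)
    print("password guessing:", password_guessing(evs))
    print("summary:", summarize(evs))
```

The patterns are deliberately one per category so that a reviewer can see which policy clause each matched line supports; in a real deployment the same structure would be fed from the host’s actual log source rather than an embedded string.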
Certain information must be captured whenever it is suspected that computer or network related crime or abuse has taken place. The information that must be immediately collected includes system logs, application audit trails, other indications of current system states, and copies of all potentially involved files.
Although system administrators are not required to load the most recent version of operating systems promptly, they are required to promptly apply all security patches to the operating system that have been released by knowledgeable and trusted user groups, well-known systems security authorities, or the operating system vendor. Only system security tools supplied by these sources or by commercial software organizations may be used on Lifelike computers and networks. Additionally, only vendor-supported versions of operating systems and applications may be used on production systems. This will generally require regular upgrades to the current release or the most recent prior version (current -1).
All computers permanently or intermittently connected to Lifelike local area networks must have password access controls. If the computers contain confidential or protected information, an extended user authentication system approved by the IT Department must be used. Multi-user systems (servers) should employ user IDs and passwords unique to each user, and user privilege restriction mechanisms with privileges based on an individual’s need to know. Network-connected, single-user systems must employ hardware or software controls approved by the IT Department that prevent unauthorized access.
Whenever system security has been compromised or if there is a reason to believe that it has been compromised, the system administrator involved must take steps to restore the system to secure operation. This may involve reloading a trusted version of the operating system and all security-related software from trusted storage media or original source-code disks/sites. The system involved must then be rebooted. All changes to user privileges since suspected system compromise must be reviewed by the system administrator for unauthorized modifications.
Logon and logoff process
All users must be positively identified before they can use any Lifelike multi-user computer or communications system resources. Positive identification for internal Lifelike networks involves a user ID and password, both of which are unique to an individual user, or an extended user authentication system.
Positive identification for all Internet and remote lines involves the use of an approved extended user authentication technique. The combination of a user ID and fixed password does not provide sufficient security for Internet or remote connections to Lifelike systems or networks. Modems, wireless access points, routers, switches and other devices attached to network-connected workstations located in Lifelike offices are forbidden unless they meet all technical requirements and have a user authentication system approved by the IT Department.
The logon process for network-connected Lifelike computer systems must simply ask the user to log on, providing prompts as needed. Specific information about the organization managing the computer, the computer operating system, the network configuration, or other internal matters must not be displayed until a user has successfully provided both a valid user ID and a valid password.
If there has been no activity on a computer terminal, workstation, or personal computer for a certain time period, the system must automatically blank the screen and suspend the session. The session must not be resumed until the user has provided a valid password. The recommended time period is 30 minutes. An exception to this policy will be made if the immediate area surrounding a system is physically secured by locked doors, secured-room badge readers, or similar technologies or if the suspended session interferes with the ability of an instructor to complete his/her classroom instruction.
Users are prohibited from logging into any Lifelike system or network anonymously. If users employ systems facilities that permit them to change the active user ID to gain certain privileges, they must have initially logged on using a user ID that clearly indicates their identity or affiliation.
Limiting system access
The computer and communications system privileges of all users, systems, and independently operating programs such as agents, must be based on the need to know. This means that privileges must not be granted without a legitimate business need for them.
Default user file permissions must not automatically permit anyone on the system to read, write, execute or delete a system file. Although users may reset permissions on a file-by-file basis, such permissive default file permissions are prohibited. Default file permissions may be granted to small groups of people who have a genuine need to know.
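The default-permission rule above is governed on Unix-like systems by the process umask. As an added example, hypothetical code that is not Lifelike’s own tooling, the block below creates a file under the permissive umask beside one under a restrictive umask, shows the resulting mode bits, and walks a directory to list entries whose “other” bits grant anyone on the system read, write or execute access. The umask values 000 and 027 and the scratch file names are assumptions for the demonstration.

```python
"""Default file permissions: a permissive umask beside a restrictive one, plus a checker
for entries that anyone on the system could read, write or execute.
Added example, hypothetical code; not Lifelike's own tooling. Requires a POSIX filesystem."""
import os
import stat
import tempfile
from typing import Dict, List

PERMISSIVE_UMASK = 0o000   # new files come out 0666: world-readable and world-writable (prohibited)
RESTRICTIVE_UMASK = 0o027  # new files come out 0640: owner rw, group r, nothing for others

WORLD_ACCESS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH   # the "other" bits


def create_with_umask(path: str, mask: int) -> int:
    """Create an empty file under the given umask and return its permission bits."""
    previous = os.umask(mask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
        os.close(fd)
    finally:
        os.umask(previous)   # never leave the process running with a changed umask
    return stat.S_IMODE(os.stat(path).st_mode)


def is_world_accessible(mode: int) -> bool:
    """True if any of the 'other' permission bits is set."""
    return bool(mode & WORLD_ACCESS)


def find_world_accessible(root: str) -> List[str]:
    """Walk a tree and list files and directories whose 'other' bits grant any access.
    Directories are included because the ability to delete a file comes from write access
    to its directory, not from the file's own mode."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            if is_world_accessible(stat.S_IMODE(os.lstat(full).st_mode)):
                findings.append(full)
    return sorted(findings)


def demo() -> Dict[str, object]:
    """Create one file under each umask in a private scratch directory and audit the tree."""
    with tempfile.TemporaryDirectory() as scratch:   # created mode 0700, so it is never flagged
        weak = create_with_umask(os.path.join(scratch, "weak.txt"), PERMISSIVE_UMASK)
        strong = create_with_umask(os.path.join(scratch, "strong.txt"), RESTRICTIVE_UMASK)
        flagged = [os.path.basename(p) for p in find_world_accessible(scratch)]
    return {"weak_mode": weak, "strong_mode": strong, "flagged": flagged}


if __name__ == "__main__":
    result = demo()
    print("weak umask   -> mode %o" % result["weak_mode"])
    print("strict umask -> mode %o" % result["strong_mode"])
    print("world-accessible entries:", result["flagged"])
```

Setting the restrictive umask in the shell profile of every account (or in the PAM session configuration) makes the safe mode the default, and a periodic run of the walker over shared trees catches files whose permissions were later loosened by hand.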
Users with personally-owned computers must install a screen saver that locks access to their machine’s hard disk drive, and must set passwords for all applications and systems software that allow connection to Lifelike resources.
Lifelike computer and communications systems must restrict access to the computers that users can reach over Lifelike networks. These restrictions can be implemented through routers, gateways, firewalls, wireless access points, and other network components. These restrictions must be used to, for example, control the ability of a user to log on to one computer then move from that computer to another computer.