Contracts
- Main Legal Center Landing Page
- SaaS Security Attachment
- Professional Services Schedule
- Support Prioritization Attachment
- Acceptable Use Policy Attachment - AUP
- HxP Acceptable Use Policy
- HxP and Sharebase Privacy Policy
- Hyland Experience Technical Support
- Hyland Experience Security
- Hyland Experience Service Levels
- Data Processing Addendum - Brazil
- Data Processing Addendum - GDPR
- Hyland Anti-Bribery/Anti-Corruption Policy and Guide - English
- Hyland Anti-Bribery and Anti-Corruption Policy and Guide - Portuguese
- Hyland Anti-Bribery and Anti-Corruption Policy and Guide - Spanish
- Hyland Anti-Bribery and Anti-Corruption Policy and Guide - German
- HIPAA Subcontractor Addendum
- Hyland Purchase Order Terms and Conditions
- Hyland Poland Sp. zoo Purchase Order Terms and Conditions
- Software-as-a-Service Schedule
- Software License and Maintenance Schedule - Subscription
- SaaS Agreement - AWS
- Hyland's Compliance and Due Diligence Form
- Supplement to Hyland's Compliance and Due Diligence Form
- Contractor Use Agreement - SF V1
- Global Data Processing Addendum
- Customer GDPR DPA
- Service Class Manual
- Healthcare Service Class Manual
- Healthcare Schedule - SaaS
- Healthcare Schedule
- Global Customer Data Processing Schedule
- GDPR Partner Data Processing Schedule
- Service Class Manual - Partner Contracts with Customer
- Amendment for Customer Repository Access (Maven)
- Amendment for Partner Repository Acces (Maven)
- Professional Services Terms for Services Proposals
- Managed Services Schedule
- General Terms Schedule
- Global Services
- Executable Add-On Subscription Amendment
- Support Prioritization Attachment - Portuguese - Hyland Cloud Services
- SaaS Security Attachment - Portuguese
- Nuxeo Subscription Terms
- Under Construction
- Support Prioritization Attachment - Subscription Licenses
- Support Prioritization Attachment - Hyland Cloud Services
- Add-On Subscription Terms
- YouTube Integration Schedule
- Hyland Content Portal Terms of Use
- Subscription Terms - Full Conversion to Subscription Licenses
- Agenda Media Schedule
- Pacsgear Equipment Schedule
- Enterprise License Schedule
- Professional Services Terms and Conditions
- PaaS Security Attachment
- Platform-as-a-Service Schedule
- Nuxeo Cloud Services Specification
- Software Maintenance and Support Terms
- Resource as a Service (RaaS) Schedule
- Hyland Office Broker Terms
- Hyland Experience Guide
- Hyland Offerings
- IMR Solution Version Information
- Hyland Experience Schedule
- Success Paths Schedule
- IAConnect AP Base Requirements Document
- VPConnect Base Solution Requirements Document
- Managed GovCloud Platform Schedule
- Hyland Care for Employee File Management Solution Requirements
- Hyland Care AP for New D4D Customer Schedule
- Hyland Care for Employee File Management
- Hyland Insight Pilot Program
Main Legal Center Landing Page
SaaS Security Attachment
Effective June 17th 2023
DownloadTable of Contents
- Risk Management.
- Conducting an annual risk assessment designed to identify threats and vulnerabilities in the administrative, physical, legal, regulatory, and technical safeguards used to protect the Hyland Cloud Service.
- Maintaining a documented risk remediation process to assign ownership of identified risks, establish remediation plans and timeframes, and provide for periodic monitoring of progress.
- Information Security Program.
- Maintaining a documented comprehensive Hyland Cloud Service information security program. This program will include policies and procedures based on industry standard practices, which may include ISO 27001/27002, or other equivalent standards.
- Such information security program shall include, as applicable: (i) adequate physical and cyber security where Customer Data will be processed and/or stored; and (ii) reasonable precautions taken with respect to Hyland personnel employment.
- These policies will be reviewed and updated by Hyland management annually.
- Organization of Information Security. Assigning security responsibilities to appropriate Hyland individuals or groups to facilitate protection of the Hyland Cloud Service and associated assets.
- Human Resources Security.
- Hyland employees undergo comprehensive screening during the hiring process. Background checks and reference validation will be performed to determine whether candidate qualifications are appropriate for the proposed position. Subject to any restrictions imposed by applicable law and based on jurisdiction, these background checks include criminal background checks, employment validation, and education verification as applicable.
- Ensuring all Hyland employees are subject to confidentiality and non-disclosure commitments before access is provisioned to the Hyland Cloud Service or Customer Data.
- Ensuring applicable Hyland employees receive security awareness training designed to provide such employees with information security knowledge to provide for the security, availability, and confidentiality of Customer Data.
- Upon Hyland employee separation or change in roles, Hyland shall ensure any Hyland employee access to the Hyland Cloud Service is revoked in a timely manner and all applicable Hyland assets, both information and physical, are returned.
- Asset Management.
- Maintaining asset and information management policies and procedures. This includes ownership of assets, an inventory of assets, classification guidelines, and handling standards pertaining to Hyland assets.
- Maintaining media handling procedures to ensure media containing Customer Data as part of the Hyland Cloud Service is encrypted and stored in a secure location subject to strict physical access controls.
- When a Hyland Cloud Service storage device has reached the end of its useful life, procedures include a decommissioning process that is designed to prevent Customer Data from being exposed to unauthorized individuals using the techniques recommended by NIST to destroy data as part of the decommissioning process.
- If a Hyland storage device is unable to be decommissioned using these procedures, the device will be virtually shredded, degaussed, purged/wiped, or physically destroyed in accordance with industry-standard practices.
- Access Controls.
- Maintaining a logical access policy and corresponding procedures. The logical access procedures will define the request, approval and access provisioning process for Hyland personnel. The logical access process will restrict Hyland user (local and remote) access based on Hyland user job function (role/profile based, appropriate access) for applications and databases. Hyland user access recertification to determine access and privileges will be performed periodically. Procedures for onboarding and offboarding Hyland personnel users in a timely manner will be documented. Procedures for Hyland personnel user inactivity threshold leading to account suspension and removal threshold will be documented.
- Limiting Hyland’s access to Customer Data to its personnel who have a need to access Customer Data as a condition to Hyland’s performance of the services under this Agreement. Hyland shall utilize the principle of “least privilege” and the concept of “minimum necessary” when determining the level of access for all Hyland users to Customer Data. Hyland shall require strong passwords subject to complexity requirements and periodic rotation and the use of multi-factor authentication.
- Ensuring strict access controls are in place for Customer Data access by Hyland. Customer administrators control its user access, user permissions, and Customer Data retention to the extent such controls are available to Customer with respect to the Hyland Cloud Service.
- System Boundaries.
- Hyland is not responsible for any system components that are not within the Hyland Cloud Platform, including network devices, network connectivity, workstations, servers, and software owned and operated by the Customer or other third parties. Hyland may provide support for these components at its reasonable discretion.
- The processes executed within the Hyland Cloud Platform are limited to those that are executed by a Hyland employee (or Hyland authorized third party) or processes that are executed within Hyland’s established system boundaries, in whole. This includes, but is not limited to, hardware installation, software installation, data replication, data security, and authentication processes.
- Certain business processes may cross these boundaries, meaning one or more tasks are executed outside of Hyland’s established system boundaries for the Hyland Cloud Platform, one or more tasks are executed by individuals who are not Hyland personnel (or authorized third-parties), or one or more tasks are executed based on written requests placed by Customer. In such event, Hyland will provide support for such processes to the extent they occur within Hyland’s established system boundaries, but Hyland is not responsible for providing support for such processes to the extent they occur outside of such established system boundaries. At its reasonable discretion, Hyland may provide limited support for processes that occur outside such established system boundaries for the Hyland Cloud Platform. Examples of business processes that cross these boundaries include, but are not limited to, Hyland Cloud Service configuration changes, processing that occurs within the Hyland Cloud Service, user authorization, and file transfers.
- Encryption.
- Customer Data shall only be uploaded to the Hyland Cloud Services in an encrypted format such as via SFTP, TLS/SSL, or other equivalent method.
- Customer Data shall be encrypted at rest.
- Where use of encryption functionality may be controlled or modified by Customer, in the event Customer elects to modify the use of or turn off any encryption functionality, Customer does so at its own risk.
- Physical and Environment Security.
- The Hyland Cloud Platform uses data centers or third party service providers who have demonstrated compliance with one or more of the following standards (or a reasonable equivalent): International Organization for Standardization (“ISO”) 27001 and/or American Institute of Certified Public Accountants (“AICPA”) Service Organization Controls (“SOC”) Reports for Services Organizations. These providers provide Internet connectivity, physical security, power, and environmental systems and other services for the Hyland Cloud Platform.
- Hyland uses architecture and technologies designed to promote both security and high availability.
- Operations Security.
- Maintaining documented Hyland cloud operating procedures.
- Maintaining change management controls to ensure changes to Hyland Cloud Service production systems made by Hyland are properly authorized and reviewed prior to implementation. Customer is responsible for testing all configuration changes, authentication changes and upgrades implemented by Customer or implemented by Hyland at the request of Customer prior to production use of the Hyland Cloud Service. In cases where the Customer relies upon Hyland to implement changes on its behalf, a written request describing the change must be submitted (e.g. an e-mail, or another method provided by Hyland) by Customer’s designated Customer Security Administrators (“CSAs”) or set forth in a Services Proposal. Hyland will make scheduled configuration changes that are expected to impact Customer access to their Hyland Cloud Service during a planned maintenance window. Hyland may make configuration changes that are not expected to impact Customer during normal business hours.
- Monitoring usage and capacity levels within the Hyland Cloud Platform to adequately and proactively plan for future growth.
- Utilizing virus and malware protection technologies, which are configured to meet common industry standards designed to protect the Customer Data and equipment located within the Hyland Cloud Platform from virus infections or similar malicious payloads.
- Implementing disaster recovery and business continuity procedures. These will include replication of Customer Data to a secondary location.
- Maintaining a system and security logging process to capture system logs deemed critical by Hyland. These logs shall be maintained for at least six months and reviewed on a periodic basis.
- Maintaining system hardening requirements and configuration standards for components deployed within the Hyland Cloud Platform. Ensuring servers, operating systems, and supporting software used in the Hyland Cloud Platform receive all Critical and High security patches within a timely manner, but in no event more than 90 days after release, subject to the next sentence. In the event any such security patch would materially adversely affect the Hyland Cloud Service, then Hyland will use reasonable efforts to implement compensating controls until a security patch is available that would not materially adversely affect the Hyland Cloud Service.
- Conducting Hyland Cloud Platform vulnerability scans or analysis on at least a quarterly basis and remediate all critical and high vulnerabilities identified in accordance with its patch management procedures.
- Conducting Hyland Cloud Platform penetration tests at least annually.
- Communications Security
- Implementing Hyland Cloud Platform security controls to protect information resources within the Hyland Cloud Platform.
- When supported, upon implementation and once annually thereafter, Customer may request Hyland limit access to Customer’s Hyland Cloud Service to a list of pre-defined IP addresses at no additional cost.
- Supplier Relationships. Maintaining a Vendor Management Program for its critical vendors. This program will ensure critical vendors are evaluated on an annual basis.
- Security Incident.
- Employing incident response standards that are based upon applicable industry standards, such as ISO 27001:2013 and National Institute for Standards and Technology (“NIST”), to maintain the information security components of the Hyland Cloud Service environment.
- Responses to these incidents follow the Hyland documented incident response sequence. This sequence includes the incident trigger phase, evaluation phase, escalation phase, response phase, recovery phase, de-escalation phase, and post-incident review phase.
- If Hyland has determined Customer’s Hyland Cloud Service has been negatively impacted by a security incident, Hyland will deliver a root cause analysis summary. Such notice will not be unreasonably delayed, but will occur after initial corrective actions have been taken to contain the security threat or stabilize the Hyland Cloud Service.
- The root cause analysis will include the duration of the event, resolution, technical summary, outstanding issues, and follow-up, including steps Customer needs to take in order to prevent further issues. Hyland Cloud Service information including data elements that require additional confidentiality and security measures (including that of other customers impacted in the event) will not be publicly disclosed. If Customer needs additional details of an incident, a request to the Hyland GCS Support team must be submitted and handled on a case by case basis. The release of information process may require an on-site review to protect the confidentiality and security of the requested information.
- Hyland will notify Customer of a Security Incident within 48 hours. A “Security Incident” means a determination by Hyland of an actual disclosure of unencrypted Customer Data to an unauthorized person or entity that compromises the security, confidentiality, or integrity of the Customer Data.
- Information Security Aspects of Business Continuity Management.
- Maintaining a business continuity and disaster recovery plan.
- Reviewing and testing this plan annually.
- Aggregated Data.
- Hyland owns all Customer and User registration and billing data collected and used by Hyland that is required for user set-up, use and billing for the Hyland Cloud Service (“Account Information”) and all aggregated, anonymized and statistical data derived from the use and operation of the Hyland Cloud Service, including without limitation, the number of records in the Hyland Cloud Service, the number and types of transactions, configurations, and reports processed as part of the Hyland Cloud Service and the performance results of the Hyland Cloud Service (the “Aggregated Data”).
- Hyland may utilize the Account Information and Aggregated Data for purposes of operating Hyland’s business. For clarity, Account Information and Aggregated Data does not include Customer Data.
- Security Inquiries.
- Monitoring its compliance with its information security program. This includes periodic internal reviews. Results are shared with Hyland leadership and deviations tracked through to remediation.
- Maintaining a periodic external audit program. Completed attestations, such as available SOC 2 reports, are provided to Customer upon written request.
- Customer may conduct audits (which includes assessments, questionnaires, guided reviews or other requests to validate Hyland’s security controls) (each a “Security Inquiry”) of Hyland’s operations that participate in the ongoing delivery and support of the Hyland Cloud Service purchased by Customer on an annual basis (but no more than once during any 12-month period); provided, that Customer provides Hyland with advance written notice of its desire to conduct such Security Inquiry and the proposed Security Inquiry does not overlap with, or otherwise cover the same or similar information as, or scope of: (1) any controls already provided for by an external audit or assessment already performed by Hyland, such as a SOC 2 report, ISO 27001 or other similar audit or assessment that is made available to Customer upon Customer’s request; or (2) any content already provided by Hyland through its completed SIG, CAIQ or similar questionnaire that is made available to Customer upon request. For each Security Inquiry, (1) Hyland and Customer must mutually agree upon the timing, scope, and criteria of such Security Inquiry, which, subject to the foregoing, may include the completion of questionnaires supplied by Customer; (2) confidential and restricted documentation, such as Hyland internal policies, practices, and procedures, including any documentation requested by Customer that cannot be removed from Hyland’s premises as a result of physical limitations or policy restrictions will not be provided externally or removed from Hyland’s premises and such reviews must be conducted onsite at Hyland’s corporate headquarters in Ohio or through a secure screenshare which may be arranged by Hyland to prohibit any type of copying or screen shots; (3) Customer understands and agrees that Hyland will not permit access to internal systems or devices used to host or support Hyland’s offerings; (4) to the extent Customer desires to engage a third party to perform such Security Inquiry, Hyland must approve of such third party in writing in advance, Customer shall cause such third party to enter into a Non-Disclosure Agreement with Hyland and agree to abide by Hyland’s security standards, and Customer shall manage the engagement with the third party, ensuring the third party understands the scope of the Security Inquiry as mutually agreed upon between Hyland and Customer and how Customer utilizes the Hyland Cloud Service; and (5) Customer shall pay Hyland fees (at Hyland’s standard rates) for the Professional Services (including any out-of-pocket costs and expenses) that are required or requested of Hyland in connection with such Security Inquiry. Where necessary, Hyland will provide private and reasonable accommodation at Hyland’s corporate headquarters in Ohio for data analysis and meetings. Upon reasonable advance written request, Hyland and Customer may mutually agree to make necessary employees or contractors available for interviews in person or on the phone during such Security Inquiry at Customer’s cost and expense. Customer is prohibited, , and Customer shall prohibit each third party Security Inquiry from distributing or publishing the results of such Security Inquiry to any third party without Hyland’s prior written approval. Notwithstanding anything to the contrary within this Agreement, nothing in this Agreement (including this section) will require Hyland or any of its affiliates to disclose information that is subject to attorney-client privilege.
Effective June 17th 2023
DownloadSAAS-SICHERHEITSANHANG
Einleitung: Hyland unterhält und verwaltet ein umfassendes schriftliches Sicherheitsprogramm, das den Hyland Cloud-Dienst abdeckt und zum Schutz: (a) der Sicherheit und Integrität der Kundendaten; (b) vor Bedrohungen und Gefahren, die sich negativ auf die Kundendaten auswirken können; und (c) vor unbefugtem Zugriff auf die Kundendaten, dient. Dieses Programm umfasst Folgendes :
- Risikomanagement.
- Durchführung einer jährlichen Risikobewertung um Bedrohungen und Schwachstellen in den administrativen, physischen, rechtlichen, behördlichen und technischen Sicherheitsvorkehrungen zu identifizieren, die zum Schutz des Hyland Cloud-Dienstes eingesetzt werden.
- Aufrechterhaltung eines dokumentierten Risikosanierungsprozesses, um die Verantwortung für identifizierte Risiken zuzuweisen, Sanierungspläne und Zeitrahmen festzulegen und eine regelmäßige Überwachung des Fortschritts zu gewährleisten.
- Informationssicherheitsprogramm.
- Aufrechterhaltung eines dokumentierten, umfassenden Informationssicherheitsprogramms für den Hyland Cloud-Dienst. Dieses Programm umfasst Richtlinien und Verfahren, die auf Industriestandards basieren, wie z. B. ISO 27001/27002 oder anderen gleichwertige Standards.
- Ein solches Informationssicherheitsprogramm muss, gegebenenfalls, Folgendes umfassen: (i) angemessene physische Sicherheit und Cybersicherheit an den Orten, an denen Kundendaten verarbeitet und/oder gespeichert werden; und (ii) angemessene Vorsichtsmaßnahmen in Bezug auf die Beschäftigung von Hyland-Mitarbeitern.
- Diese Richtlinien werden jährlich vom Hyland-Management überprüft und aktualisiert.
- Organisation der Informationssicherheit. Zuweisung von Sicherheitsverantwortlichkeiten an geeignete Hyland-Einzelpersonen oder -Gruppen, um den Schutz des Hyland Cloud-Dienstes und der damit verbundenen Vermögenswerte zu erleichtern.
- Sicherheit im Personalwesen.
- Hyland-Mitarbeiter werden während des Einstellungsprozesses einer umfassenden Prüfung unterzogen. Es werden Hintergrundüberprüfungen und Referenzvalidierungen durchgeführt, um festzustellen, ob die Qualifikationen des Kandidaten für die vorgeschlagene Position geeignet sind. Vorbehaltlich jeglicher Einschränkungen, die durch geltendes Recht auferlegt werden und auf der Grundlage der Rechtsprechung, umfassen diese Hintergrundüberprüfungen gegebenenfalls eine strafrechtliche Hintergrundüberprüfung, eine überprüfung der vorhergehender Beschäftigungen und der Ausbildung.
- Sicherstellung, dass alle Hyland-Mitarbeiter einer Vertraulichkeits- und Geheimhaltungsverpflichtung unterliegen, bevor der Zugriff auf den Hyland Cloud-Dienst oder die Kundendaten bereitgestellt wird.
- Sicherstellung, dass alle Hyland-Mitarbeiter eine Sicherheitsbewusstseinsschulung erhalten, welche diesen Mitarbeitern Kenntnisse zur Informationssicherheit vermittelt, um die Sicherheit, Verfügbarkeit und Vertraulichkeit der Kundendaten zu gewährleisten.
- Nach dem Ausscheiden eines Hyland-Mitarbeiters oder einem Rollenwechsel stellt Hyland sicher, dass der Zugriff eines Hyland-Mitarbeiters auf den Hyland Cloud-Dienst zeitnah widerrufen wird und alle anwendbaren Hyland-Vermögenswerte, sowohl Informationen als auch physische Werte, zurückgegeben werden.
- Vermögensverwaltung.
- Aufrechterhaltung von Richtlinien und Verfahren zur Verwaltung von Vermögenswerten und Informationen. Dies umfasst Eigentumsrechte an Vermögenswerten, eine Bestandsaufnahme von Vermögenswerten, Klassifizierungsrichtlinien und Handhabungsstandards für Hyland-Vermögenswerte.
- Aufrechterhaltung von Verfahren zur Handhabung von Medien, um sicherzustellen, dass Medien, die Kundendaten als Teil des Hyland Cloud-Dienstes enthalten, verschlüsselt und an einem sicheren Ort aufbewahrt werden, der strengen physischen Zugangskontrollen unterliegt.
- Wenn ein Hyland Cloud-Dienst-Speichergerät das Ende seiner Nutzungsdauer erreicht hat, beinhalten die Verfahren einen Stilllegungsprozess, der verhindern soll, dass Kundendaten unbefugten Personen zugänglich gemacht werden, in dem die von NIST empfohlenen Techniken zur Datenvernichtung als Teil des Stilllegungsprozesses angewendet werden.
- Wenn ein Hyland-Speichergerät mit diesen Verfahren außer Betrieb genommen werden kann, wird das Gerät virtuell geschreddert, entmagnetisiert, bereinigt/gelöscht oder physisch zerstört, in Übereinstimmung mit branchenüblichen Verfahren.
- Zugriffskontrollen.
- Aufrechterhaltung einer logischen Zugriffsrichtlinie und entsprechender Verfahren. Die Verfahren für den logischen Zugriff definieren den Antrags-, Genehmigungs- und Zugriffsprozess für Hyland-Mitarbeiter. Der logische Zugriffsprozess beschränkt den Zugriff von Hyland-Benutzern (lokal und remote) basierend auf der Arbeitsfunktion des Hyland-Benutzers (rollen-/profilbasiert, angemessener Zugriff) für Anwendungen und Datenbanken. Der Zugriff der Hyland-Benutz wird in regelmäßigen Abständen rezertifiziert, um Zugriffe und Privilegien zu bestimmen. Die Verfahren für den Einstellungs- und Kündigungsprozess von Hyland-Mitarbeitern in einer zeitgemässen Weise werden dokumentiert. Die Verfahren für die Inaktivitätsschwelle des Hyland-Mitarbeiters, welche zu einer Kontosperrung und -entfernung führt, werden dokumentiert.
- Beschränkung des Zugriffs von Hyland-Mitarbeitern auf Kundendaten, die den Zugriff auf die Kundendaten als Voraussetzung für die Erbringung der Leistungen von Hyland im Rahmen dieser Vereinbarung benötigen. Hyland wendet das Prinzip des „geringsten Privilegs“ und das Konzept des „minimal Notwendigen“ an, um den Grad des Zugriffs aller Hyland-Benutzer auf Kundendaten zu bestimmen. Hyland verlangt sichere Passwörter, die den Komplexitätsanforderungen und der regelmäßigen Rotation unterliegen, sowie die Verwendung der Multi-Faktor-Authentifizierung.
- Sicherstellung, dass strenge Zugriffskontrollen für den Zugriff auf Kundendaten durch Hyland vorhanden sind. Die Administratoren des Kunden kontrollieren den Benutzerzugriff, die Benutzerberechtigungen und die Aufbewahrung der Kundendaten in dem Umfang, in dem solche Kontrollen für den Kunden in Bezug auf den Hyland Cloud-Dienst zur Verfügung stehen.
- Systemgrenzen.
- Hyland ist nicht verantwortlich für Systemkomponenten, die sich nicht innerhalb der Hyland Cloud Plattform befinden, einschließlich Netzwerkgeräte, Netzwerkverbindungen, Workstations, Server und Software, die im Besitz des Kunden oder Dritter sind und von diesen betrieben werden. Hyland kann nach eigenem Ermessen Unterstützung für diese Komponenten anbieten.
- Die innerhalb der Hyland Cloud Plattform ausgeführten Prozesse beschränken sich auf diejenigen, die von einem Hyland-Mitarbeiter (oder einem von Hyland autorisierten Dritten) ausgeführt werden, oder auf Prozesse, die in ihrer Gesamtheit innerhalb der etablierten Systemgrenzen von Hyland ausgeführt werden. Dies beinhaltet, ist aber nicht beschränkt auf, Hardware-Installation, Software-Installation, Datenreplikation, Datensicherheit und Authentifizierungsprozesse.
- Bestimmte Geschäftsprozesse können diese Grenzen überschreiten, d.h. eine oder mehrere Aufgaben werden außerhalb der von Hyland festgelegten Systemgrenzen für die Hyland Cloud Plattform ausgeführt, eine oder mehrere Aufgaben werden von Personen ausgeführt, die keine Hyland-Mitarbeiter (oder autorisierte Dritte) sind, oder einer oder mehrere Aufgaben werden auf der Grundlage schriftlicher Anfragen des Kunden ausgeführt. In einem solchen Fall wird Hyland Unterstützung für solche Prozesse leisten, soweit sie innerhalb der von Hyland festgelegten Systemgrenzen auftreten. Hyland ist jedoch nicht dafür verantwortlich, solche Prozesse zu leisten, sofern sie außerhalb dieser festgelegten Systemgrenzen auftreten. Hyland kann nach eigenem Ermessen begrenzte Unterstützung für solche Prozesse bereitstellen, die außerhalb dieser festgelegten Systemgrenzen für die Hyland Cloud Plattform auftreten. Beispiele für Geschäftsprozesse, die diese Grenzen überschreiten, sind unter anderem Konfigurationsänderungen des Hyland Cloud-Dienstes, Verarbeitungen, die innerhalb des Hyland Cloud-Dienstes stattfinden, Benutzerautorisierung und Dateiübertragungen.
- Verschlüsselung.
- Kundendaten dürfen nur in einem verschlüsselten Format, wie z. B. SFTP, TLS / SSL oder einer anderen gleichwertigen Methode im Hyland Cloud-Dienst hochgeladen werden.
- Die Kundendaten werden im Ruhezustand verschlüsselt.
- Wenn die Verwendung der Verschlüsselungsfunktionalität vom Kunden kontrolliert oder geändert werden kann und der Kunde die Verwendung der Verschlüsselungsfunktionalität ändern oder deaktivieren möchte, geschieht dies beim Kunden auf eigenes Risiko.
- Physische Sicherheit und Umgebungssicherheit.
- Die Hyland Cloud Plattform verwendet Rechenzentren oder Drittanbieter, die die Einhaltung eines oder mehrerer der folgenden Standards (oder eines angemessenen Äquivalents) nachgewiesen haben: International Organization for Standardization („ISO“) 27001 und/oder des American Institute of Certified Public Accountants („AICPA“), Service Organization Controls („SOC“) Berichte für Serviceorganisationen. Diese Anbieter stellen Internetverbindungen, physische Sicherheit, Strom- und Umgebungssysteme sowie andere Dienste für die Hyland Cloud Plattform bereit.
- Hyland verwendet Architektur und Technologien, welche darauf ausgelegt sind, sowohl Sicherheit als auch hohe Verfügbarkeit zu fördern.
- Betriebssicherheit.
- Aufrechterhaltung der dokumentierten Hyland Cloud-Betriebsverfahren.
- Aufrechterhaltung von Change Management Kontrollen, um sicherzustellen, dass von Hyland vorgenommene Änderungen an den Hyland Cloud-Dienst Produktionssystemen vor der Implementierung ordnungsgemäss autorisiert und überprüft werden. Der Kunde ist dafür verantwortlich, alle Konfigurationsänderungen, Authentifizierungsänderungen und Upgrades, die vom Kunden oder von Hyland auf Anfrage des Kunden implementiert werden, vor der Produktionsnutzung des Hyland Cloud-Dienstes zu testen. In Fällen, in denen sich der Kunde darauf verlässt, dass Hyland Änderungen in seinem Namen vornimmt, muss eine schriftliche Anfrage, die die Änderung beschreibt (z. B. eine E-Mail oder eine andere von Hyland bereitgestellte Methode), von den vom Kunden benannten Customer Security Administrators („CSAs“) eingereicht oder in einem Dienstleistungsangebot dargelegt werden. Hyland wird während eines geplanten Wartungsfensters Konfigurationsänderungen vornehmen, die sich voraussichtlich auf den Zugriff des Kunden auf seinen Hyland Cloud-Dienst auswirken werden. Hyland darf Konfigurationsänderungen, bei denen keine Auswirkungen auf den Kunden zu erwarten sind, während der normalen Geschäftszeiten vornehmen.
- Überwachung der Nutzung und des Kapazitätsniveaus innerhalb der Hyland Cloud Plattform, um zukünftiges Wachstum angemessen und proaktiv zu planen.
- Verwendung von Viren- und Malware-Schutztechnologien, die so konfiguriert sind, dass sie den gängigen Industriestandards entsprechen, um die Kundendaten und Geräte in der Hyland Cloud Plattform vor Virusinfektionen oder ähnlichen Malicious Payloads zu schützen.
- Implementierung von Disaster Recovery- und Business Continuity-Verfahren. Dazu gehört die Replikation von Kundendaten an einen sekundären Speicherort.
- Aufrechterhaltung eines System- und Sicherheitsprotokollierungsprozesses zur Erfassung von Systemprotokollen, die von Hyland als kritisch eingestuft werden. Diese Protokolle müssen mindestens sechs Monate lang aufbewahrt und regelmäßig überprüft werden.
- Aufrechterhaltung von Systemhärtungsanforderungen und Konfigurationsstandards für Komponenten, die in der Hyland Cloud Plattform bereitgestellt werden. Sicherstellen, dass Server, Betriebssysteme und unterstützende Software, die in der Hyland Cloud Plattform verwendet werden, alle kritischen und Hochsicherheitspatches rechtzeitig erhalten, jedoch in keinem Fall mehr als 90 Tage nach der Veröffentlichung, vorbehaltlich des nächsten Satzes. Für den Fall, dass ein solcher Sicherheitspatch den Hyland Cloud-Dienst erheblich beeinträchtigen würde, wird Hyland angemessene Anstrengungen unternehmen, um Ausgleichskontrollen zu implementieren, bis ein Sicherheitspatch verfügbar ist, der den Hyland Cloud-Dienst nicht wesentlich beeinträchtigt.
- Mindestens vierteljährliche Durchführung von Schwachstellen-Scans oder -Analysen der Hyland Cloud Plattform und Behebung aller identifizierten kritischen und hochgradigen Schwachstellen, in Übereinstimmung mit seinen Patch-Management-Verfahren.
- Mindestens jährliche Durchführung von Penetrationstests der Hyland Cloud Plattform.
- Kommunikationssicherheit
- Implementierung von Sicherheitskontrollen für die Hyland Cloud Plattform zum Schutz von Informationsressourcen innerhalb der Hyland Cloud Plattform.
- Wenn unterstützt, kann der Kunde bei der Implementierung und danach einmal jährlich verlangen, dass Hyland den Zugriff auf den Hyland Cloud-Dienst des Kunden ohne zusätzliche Kosten auf eine Liste von vordefinierter IP-Adressen beschränkt.
- Lieferantenbeziehungen. Aufrechterhaltung eines Lieferantenverwaltungsprogramms für seine kritischen Lieferanten. Dieses Programm stellt sicher, dass kritische Lieferanten auf jährlicher Basis bewertet werden.
- Sicherheitsvorfall.
- Anwendung von Standards zur Reaktion auf Vorfälle, die auf anwendbaren Industriestandards basieren, wie z.B. ISO 27001:2013 und dem Nationalen Institut for Standards and Technology („NIST“), um die Informationssicherheitskomponenten der Hyland Cloud-Dienst-Umgebung aufrechtzuerhalten.
- Die Reaktionen auf solche Vorfälle folgen der von Hyland dokumentierten Reaktionssequenz auf Vorfälle. Diese Sequenz umfasst die Auslösephase des Vorfalls, die Bewertungsphase, die Eskalationsphase, die Reaktionsphase, die Wiederherstellungsphase, die Deeskalationsphase und die Überprüfungsphase nach dem Vorfall.
- Wenn Hyland festgestellt, dass der Hyland Cloud-Dienst des Kunden durch einen Sicherheitsvorfall negativ beeinflusst wurde, wird Hyland eine Zusammenfassung der Ursachenanalyse liefern. Eine solche Benachrichtigung wird nicht unangemessen verzögert, sondern erfolgt, nachdem erste Korrekturmaßnahmen ergriffen wurden, um die Sicherheitsbedrohung einzudämmen oder den Hyland Cloud-Dienst zu stabilisieren.
- Die Ursachenanalyse umfasst die Dauer des Ereignisses, die Lösung, die technische Zusammenfassung, ausstehende Probleme und Folgemassnahmen, einschließlich der Schritte, die der Kunde unternehmen muss, um weitere Probleme zu vermeiden. Die Informationen des Hyland Cloud-Dienstes, einschließlich der Datenelemente, die zusätzliche Vertraulichkeits- und Sicherheitsmaßnahmen erfordern (einschließlich derjenigen anderer Kunden, die von dem Ereignis betroffen sind), werden nicht öffentlich bekannt gegeben. Wenn der Kunde zusätzliche Details zu einem Vorfall benötigt, muss eine Anfrage an das Hyland GCS-Support-Team gestellt werden, die von Fall zu Fall bearbeitet wird. Der Prozess der Informationsfreigabe kann eine Überprüfung vor Ort erfordern, um die Vertraulichkeit und Sicherheit der angeforderten Informationen zu schützen.
- Hyland benachrichtigt den Kunden innerhalb von 48 Stunden über einen Sicherheitsvorfall. Ein „Sicherheitsvorfall“ bedeutet, dass Hyland eine tatsächliche Offenlegung von unverschlüsselten Kundendaten gegenüber einer nicht autorisierten Person oder Organisation feststellt, welche die Sicherheit, Vertraulichkeit oder Integrität der Kundendaten gefährdet.
- Informationssicherheitsaspekte des Business Continuity Managements.
- Aufrechterhaltung eines Business Continuity- und Disaster Recovery-Plans.
- Jährliche Überprüfung und Testung dieses Plans.
- Aggregierte Daten.
- Hyland ist Eigentümer aller von Hyland gesammelten und verwendeten Kunden- und Benutzerregistrierungs- und Abrechnungsdaten, welche für die Einrichtung, Nutzung und Abrechnung des Hyland Cloud-Dienstes erforderlich sind („Kontoinformationen“), sowie aller aggregierten, anonymisierten und statistischen Daten, die aus der Nutzung und dem Betrieb des Hyland Cloud-Dienstes abgeleitet werden, insbesondere die Anzahl der Datensätze im Hyland Cloud-Dienst, die Anzahl und Art der Transaktionen, Konfigurationen und Berichte, die im Rahmen des Hyland Cloud-Dienstes verarbeitet werden, sowie die Leistungsergebnisse des Hyland Cloud-Dienstes (die "Aggregierten Daten").
- Hyland kann die Kontoinformationen und Aggregierten Daten für den Betrieb von Hyland verwenden. Zur Klarstellung: Kontoinformationen und Aggregierte Daten umfassen keine Kundendaten.
- Sicherheitsanfrage.
- Die Überwachung der Einhaltung des Informationssicherheitsprogramms. Dies beinhaltet regelmäßige interne Überprüfungen. Die Ergebnisse werden mit dem Hyland-Management geteilt und Abweichungen werden bis zur Behebung verfolgt.
- Aufrechterhaltung eines regelmäßigen externen Prüfungsprogramms. Abgeschlossene Bescheinigungen, wie z. B. verfügbare SOC 2-Berichte, werden dem Kunden auf schriftliche Anfrage zur Verfügung gestellt.
- Der Kunde ist berechtigt, jährlich (jedoch nicht öfter als einmal innerhalb eines Zeitraums von 12 Monaten) Audits (einschließlich Bewertungen, Fragebögen, geführte Überprüfungen oder anderer Anfragen zur Validierung der Sicherheitskontrollen von Hyland; jeweils eine "Sicherheitsanfrage") der Hyland-Tätigkeiten durchzuführen, die an der laufenden Bereitstellung und Unterstützung des vom Kunden erworbenen Hyland Cloud-Dienstes beteiligt sind. Dies setzt voraus, dass der Kunde Hyland schriftlich vorab mitteilt, dass er eine solche Prüfung durchführen möchte und dass diese Sicherheitsanfrage sich nicht mit den gleichen oder ähnlichen Informationen oder dem Umfang von: (1) Kontrollen, die bereits in einer von Hyland durchgeführten externen Prüfung oder Bewertung vorgesehen sind (wie z. B. einem SOC 2-Bericht, ISO 27001 oder einer anderen ähnlichen Prüfung oder Bewertung), die dem Kunden auf Anfrage zur Verfügung gestellt wird, oder (2) Inhalten, die bereits von Hyland durch den ausgefüllten SIG-, CAIQ- oder ähnlichen Fragebogen dem Kunden auf Anfrage zur Verfügung gestellt werden, überschneidet. Für jede Sicherheitsanfrage gilt Folgendes: (1) Hyland und der Kunde vereinbaren einvernehmlich den Zeitpunkt, den Umfang und die Kriterien einer solchen Sicherheitsanfrage(dies kann unter den oben genannten Voraussetzungen das Ausfüllen der vom Kunden bereitgestellten Fragebögen beinhalten); (2) Dokumentation, die vertraulich oder zugangsbeschränkt ist (wie z. B. interne Richtlinien, Praktiken und Verfahren von Hyland, einschließlich der vom Kunden angeforderten Dokumentation, die aufgrund von physischen Einschränkungen oder Richtlinienbeschränkungen nicht aus den Räumlichkeiten von Hyland entfernt werden kann), wird nicht zur externen Ansicht zur Verfügung gestellt oder aus den Räumlichkeiten von Hyland entfernt; derartige Überprüfungen müssen vor Ort in der Unternehmenszentrale von Hyland in Ohio oder über eine sichere Bildschirmfreigabe durchgeführt werden, die von Hyland so eingerichtet werden kann, dass jede Art von Kopieren oder Screenshots verboten ist; (3) der Kunde nimmt zur Kenntnis und erklärt sich damit einverstanden, dass Hyland keinen Zugriff auf interne Systeme oder Geräte gestattet, die zum Hosten oder Unterstützen der Hyland-Angebote verwendet werden; (4) sofern der Kunde einen Dritten mit der Durchführung einer solchen Sicherheitsanfrage beauftragen möchte, muss Hyland den Einsatz dieses Dritten im Voraus schriftlich genehmigen; der Kunde muss diesen Dritten zudem dazu veranlassen, eine Geheimhaltungsvereinbarung mit Hyland abzuschließen und sich zur Einhaltung der Sicherheitsstandards von Hyland zu verpflichten; die Verwaltung der Zusammenarbeit mit diesem Dritten obliegt dem Kunden; der Kunde muss insbesondere sicherstellen, dass dem Dritte der zwischen Hyland und dem Kunden vereinbarte Umfang der Sicherheitsanfrage und die Nutzung der Hyland-Dienste durch den Kunden bekannt sind; und (5) der Kunde ist verpflichtet, Hyland Gebühren (zu Hyland‘s Standardtarifen) für die Dienstleistungen (einschließlich aller Auslagen und Kosten) zu zahlen , die von Hyland im Zusammenhang mit einer solchen Sicherheitsanfrage in Rechnung gestellt werden. Bei Bedarf wird Hyland in der Unternehmenszentrale von Hyland in Ohio private und angemessene Unterkünfte für Datenanalysen und Besprechungen bereitstellen. Hyland und der Kunde können nach angemessener Ankündigung einvernehmlich vereinbaren, die erforderlichen Mitarbeiter oder Auftragnehmer für persönliche oder telefonische Interviews während einer solchen Sicherheitsanfrage auf Kosten des Kunden zur Verfügung zu stellen. Dem Kunden ist es untersagt, die Ergebnisse dieser Sicherheitsanfrage ohne vorherige schriftliche Genehmigung von Hyland an Dritte weiterzugeben oder zu veröffentlichen. Der Kunde ist verpflichtet, diese Verpflichtung jeder Drittpartei, die an der Sicherheitsanfrage beteiligt ist, aufzuerlegen. Ungeachtet gegenteiliger Bestimmungen in dieser Vereinbarung verpflichtet nichts in dieser Vereinbarung (einschließlich dieses Abschnitts) Hyland oder eines seiner verbundenen Unternehmen zur Offenlegung von Informationen, die unter das Anwaltsgeheimnis fallen.
Effective June 17th 2023
DownloadADJUNTO DE SEGURIDAD DE SAAS
Introducción: Hyland mantiene y gestiona un programa de seguridad integral por escrito que cubre el Servicio en la Nube de Hyland diseñado para proteger: (a) la seguridad e integridad de los Datos del Cliente; (b) contra amenazas y peligros que puedan impactar negativamente los Datos del Cliente, y (c) contra el acceso no autorizado a los Datos del Cliente, y dicho programa incluye lo siguiente:
Effective June 17th 2023
DownloadSOUS-ANNEXE SECURITE SAAS
Introduction : Hyland maintient et gère un programme de sécurité complet, écrit, couvrant le Service Cloud Hyland et conçu pour protéger : (a) la sécurité et l'intégrité des Données Client ; (b) contre les menaces et les dangers pouvant avoir un impact négatif sur les Données Client ; et (c) contre les accès non autorisés aux Données Client. Le programme de sécurité comprend les éléments suivants :
I. Gestion des Risques.
a. Réalisation d'une évaluation annuelle des risques, conçue pour identifier les menaces et les vulnérabilités des mesures de protection administratives, physiques, légales, réglementaires et techniques utilisées pour protéger le Service Cloud Hyland.
b. Maintien d’un process documenté de remédiation des risques, afin d'attribuer la responsabilité des risques identifiés, d'établir les plans et délais de remédiation, et de prévoir un suivi périodique de l’avancement.
II. Programme de Sécurité de l'Information.
a. Maintien d’un programme de sécurité de l’information pour le Service Cloud Hyland, complet et documenté. Ce programme comprend des politiques et procédures établies à partir des pratiques standard de l'industrie, lesquelles peuvent inclure des normes ISO 27001/27002 ou équivalentes.
b. Ce programme de sécurité de l’information comprend, selon le cas : (i) la mise en œuvre de moyens de sécurité physique et de cyber-sécurité adéquats, là où les Données Client sont traitées et/ou stockées ; et (ii) la prise de précautions raisonnables en ce qui concerne les employés de Hyland.
c. Ces politiques seront revues et mises à jour chaque année par la direction d'Hyland.
III. Organisation de la Sécurité de l'Information. Attribution des responsabilités en matière de sécurité aux individus ou groupes Hyland appropriés afin de faciliter la protection du Service Cloud Hyland et des actifs associés.
IV. Sécurité des Ressources Humaines.
a. Les salariés de Hyland font l’objet d’un examen approfondi durant le process d'embauche. Des vérifications des antécédents et la validation des références sont effectuées afin de déterminer si les qualifications du candidat sont appropriées pour le poste proposé. Sous réserve de toute restriction imposée par la loi applicable et en fonction de la juridiction, ces vérifications d'antécédents comprennent la vérification du casier judiciaire, la validation des expériences professionnelles et la vérification des diplômes et formations, le cas échéant.
b. Hyland s'assure que tous ses salariés sont soumis à des engagements de confidentialité et de non-divulgation avant tout accès au Service Cloud Hyland ou aux Données Client.
c. Hyland s'assurer que tous les salariés concernés bénéficient d’une formation de sensibilisation à la sécurité dont l’objectif est de leur fournir les connaissances en matière de sécurité de l'information leur permettant d'assurer la sécurité, la disponibilité et la confidentialité des Données Client.
d. Lors du départ d'un salarié de Hyland ou d'un changement de poste, Hyland s'assure que tout accès salarié au Service Cloud d'Hyland est révoqué en temps utile et que tous les actifs de Hyland concernés, tant les informations que les équipements, lui sont restitués.
V. Gestion des Actifs.
a. Maintien des politiques et procédures de gestion des actifs et des informations, en ce compris la propriété des actifs, leur inventaire, les lignes directrices pour leur classification et les normes de traitement relatives aux actifs Hyland.
b. Maintien des procédures de traitement des supports afin de garantir que les supports contenant des Données Client, dans le cadre du Service Cloud Hyland, sont cryptés et stockés dans un emplacement sécurisé soumis à des contrôles d'accès physiques stricts.
c. Lorsqu'un dispositif de stockage du Service Cloud Hyland a atteint la fin de sa durée de vie utile, les procédures visées par cet article comprennent un processus de mise hors service, appliquant les techniques recommandées par le National Institute of Standards and technology (le « NIST »), afin de détruire les données dans le cadre de process de mise hors service, conçu pour empêcher que les Données Client soient exposées à des personnes non autorisées.
d. Dans le cas où un dispositif de stockage Hyland ne pourrait pas être mis hors service par le biais des procédures visées ci-avant, ce dispositif est alors virtuellement déchiqueté, démagnétisé, purgé/essuyé ou physiquement détruit conformément aux pratiques courantes de l'industrie.
VI. Contrôles d'Accès.
a. Maintien d’une politique d'accès logique et de procédures correspondantes. Les procédures d'accès logique définissent le process de demande, d'approbation et de fourniture d'accès pour le personnel Hyland. Le process d'accès logique limite l'accès des utilisateurs Hyland (locaux et distants) selon leur fonction (basée sur le rôle/profil, accès approprié) pour les applications et les bases de données. La recertification de l'accès des utilisateurs Hyland afin de déterminer leurs accès et privilèges est effectuée périodiquement. Les procédures d’onboarding et d’offboarding, en temps utile, des utilisateurs du personnel Hyland seront documentées, de même que les procédures relatives au seuil d'inactivité des utilisateurs parmi le personnel de Hyland menant à la suspension et à la suppression de leur compte.
b. Limitation de l'accès de Hyland aux Données Client, à son personnel ayant à en connaître pour l'exécution des services fournis par Hyland en vertu du Contrat. Hyland a recours au principe du « moindre privilège » et au concept du « minimum nécessaire » afin de déterminer le niveau d'accès de ses utilisateurs aux Données Client. Hyland exige des mots de passe forts soumis à des exigences de complexité et à une rotation périodique, ainsi que l'utilisation d'une authentification multifactorielle.
c. Hyland s'assure que des contrôles d'accès stricts sont en place pour l'accès aux Données Client par Hyland. Les administrateurs du Client contrôlent l'accès de ses propres utilisateurs, leurs autorisations et la rétention des Données Client dans la mesure où de tels contrôles sont disponibles pour le Client en ce qui concerne le Service Cloud Hyland.
VII. Limites du Système.
a. Hyland n’encourt aucune responsabilité du fait des composants du système qui ne font pas partie de la Plateforme Cloud Hyland, en ce compris, les périphériques réseau, la connectivité réseau, les postes de travail, les serveurs et les logiciels détenus et exploités par le Client ou tiers. Hyland peut – à sa discrétion - fournir un support pour ces composants.
b. Les procédés auxquels il est fait recours au sein de la Plateforme Cloud Hyland sont limités à ceux qui sont exécutés par un salarié de Hyland (ou un tiers autorisé par Hyland) ou ceux qui sont exécutés dans les limites du système établi de Hyland, dans leur ensemble. Cela comprend, sans que cette liste soit exhaustive, l'installation de matériel(s), l'installation de logiciel(s), la réplication de données, la sécurité des données et les procédés d'authentification.
c. Nonobstant ce qui précède, certains procédés commerciaux peuvent s’affranchir de ces limites, dans la mesure où une ou plusieurs tâches sont exécutées hors des limites du système établi par Hyland pour la Plateforme Cloud Hyland, qu’elles soient réalisées par des individus n’étant pas des salariés de Hyland (ou des tiers autorisés par Hyland), ou qu’elles le soient sur le fondement de demandes écrites du Client. Dans un tel cas, Hyland fournit un support pour de tels procédés sous réserve qu’ils soient exécutés dans les limites du système établi de Hyland ; Hyland n’ayant aucune obligation de fournir un tel support dans le cas où les procédés sont exécutés en dehors des limites du système mis en place par Hyland. Hyland se réserve toutefois le droit, à sa discrétion, de fournir un support limité pour les procédés exécutés en dehors des limites de système établies pour la Plateforme Cloud Hyland. Les process commerciaux s’affranchissant des limites susvisées sont notamment, et sans que cette liste soit exhaustive, des changements de configuration du Service Cloud Hyland, des traitements réalisés dans le Service Cloud Hyland, l'autorisation de l'utilisateur et les transferts de fichiers.
VIII. Cryptage.
a. Les Données Client ne doivent être versées au Service Cloud Hyland que dans un format crypté, par exemple, de type SFTP, TLS/SSL, ou toute autre méthode équivalente.
b. Les Données Client doivent être cryptées durant leur stockage.
c. Lorsque l'utilisation de la fonctionnalité de cryptage est contrôlée ou modifiée par le Client, celui-ci en assume seul les risques associés.
IX. Sécurité Physique et de l'Environnement.
a. La Plateforme Cloud Hyland utilise des data centers ou des fournisseurs de services tiers qui ont démontré leur conformité avec une ou plusieurs des normes suivantes (ou objectivement similaires) : Organisation internationale de normalisation (« ISO ») 27001 et/ou rapports de l'American Institute of Certified Public Accountants (« AICPA ») sur les contrôles des organisations de services (« SOC »). Ces fournisseurs fournissent la connexion Internet, la sécurité physique, l'alimentation et les systèmes environnementaux ainsi que d'autres services pour la Plateforme Cloud Hyland.
b. Hyland utilise une architecture et des technologies conçues pour promouvoir à la fois la sécurité et une haute disponibilité.
X. Sécurité des Opérations.
a. Maintien de procédures d'exploitation documentées du cloud Hyland.
b. Maintien de contrôles de gestion des changements visant à s'assurer que les changements apportés aux systèmes de production du Service Cloud Hyland par Hyland sont correctement autorisés et examinés avant leur mise en œuvre. Le Client est seul responsable – avant toute utilisation du Service Cloud Hyland en mode production – de l’évaluation de tous changements de configuration, changements d’authentification et mises à niveau qu’il met en œuvre ou que Hyland met en œuvre à sa demande. Le Client peut, sous réserve d’une demande écrite (par exemple, par e-mail ou tout autre moyen de communication fourni par Hyland) adressée par l’un des Administrateurs de Sécurité du Client (un « ASC », tel que désigné par le Client ou au sein d’une Proposition de Services) et décrivant le(s) changement(s) attendu(s), solliciter Hyland afin qu’elle mette en œuvre celui/ceux-ci en son nom. Dans le cas où ceux-ci sont susceptibles d’impacter l’accès du Client au Service Cloud Hyland, Hyland effectue ces changements de configuration programmés pendant une fenêtre de maintenance planifiée. Dans les autres cas, Hyland se réserve le droit d’effectuer ces changements de configuration pendant les heures normales de travail.
c. Surveillance des niveaux d'utilisation et de capacité au sein de la Plateforme Cloud Hyland afin de planifier de manière adéquate et proactive une augmentation future.
d. Utilisation de technologies de protection contre les virus et les logiciels malveillants, configurées pour répondre aux normes communes reconnues par l’industrie conçues pour protéger les Données Client et les équipements situés dans la Plateforme Cloud Hyland contre les attaques par virus ou tout autre charge associée à des programmes malveillants.
e. Mise en œuvre de plans de continuité et de reprise de l’activité après sinistre. Ceux-ci comprendront la réplication des Données Client sur un site secondaire.
f. Maintien d’un process de journalisation du système et de la sécurité afin de capturer les registres du système jugés critiques par Hyland. Ces registres sont conservés pendant au moins six (6) mois et examinés sur une base périodique.
g. Maintien des exigences de renforcement du système et des normes de configuration pour les composants déployés au sein de la Plateforme Cloud Hyland. Hyland s'assure que les serveurs, les systèmes d'exploitation et les logiciels de support utilisés dans la Plateforme Cloud Hyland reçoivent tous les correctifs de sécurité critiques et élevés en temps opportun, mais en aucun cas plus de quatre-vingt-dix (90) jours après leur publication, sous réserve de ce qui suit. Dans le cas où un correctif de sécurité, tel que susvisé, affecterait le Service Cloud Hyland de manière substantielle, Hyland s’efforce de mettre en œuvre des contrôles compensatoires dans l’attente de la disponibilité d’un correctif de sécurité n'affectant pas de manière substantielle le Service Cloud Hyland.
h. Réalisation de scans ou analyses de vulnérabilité de la Plateforme Cloud Hyland, a minima une (1) fois par trimestre, et réalisation d’opérations visant à remédier à toutes les vulnérabilités critiques et élevées identifiées conformément aux procédures de gestion des correctifs.
i. Réalisation de tests de pénétration de la Plateforme Hyland Cloud, a minima annuellement.
XI. Sécurité des Communications
a. Mise en œuvre de contrôles de sécurité de la Plateforme Hyland Cloud afin de protéger les ressources documentaires au sein de la Plateforme Hyland Cloud.
b. Lorsque cela est pris en charge, et lors de la mise en œuvre du Service Cloud Hyland, puis une (1) fois par période annuelle, le Client peut demander à Hyland de limiter l'accès au Service Cloud Hyland à une liste d'adresses IP prédéfinies, et ce sans frais supplémentaires.
XII. Relations Avec les Fournisseurs. Maintien d’un Programme de Gestion des Fournisseurs pour les fournisseurs critiques de Hyland. Ce programme garantit que les fournisseurs critiques sont évalués annuellement.
XIII. Incident de Sécurité.
a. Emploi des normes de réponse aux incidents basées sur les normes industrielles applicables, telles que ISO 27001:2013 et « National Institute for Standards and Technology » (“NIST »), afin de maintenir les composants de sécurité de l’information de l'environnement du Service Cloud Hyland.
b. Les réponses aux incidents susvisés suivent la procédure de réponse aux incidents documentée par Hyland, laquelle comprend la phase de déclenchement de l'incident, la phase d'évaluation, la phase d'escalade, la phase de réponse, la phase de récupération, la phase de désescalade et la phase d'examen post-incident.
c. Lorsque Hyland détermine que le Service Cloud Hyland du Client a été négativement impacté par un incident de sécurité, Hyland fournit un résumé de l'analyse des causes profondes de l’incident. La notification de ce résumé ne sera pas retardée de manière déraisonnable, mais n’interviendra qu’après la mise en place des actions correctives initiales visant à contenir la menace de sécurité ou stabiliser le Service Cloud Hyland.
d. L'analyse des causes profondes de l’incident comprend la durée de l'événement, sa résolution, le résumé technique, les problèmes en suspens et le suivi, y compris les mesures que le Client doit prendre afin d'éviter d'autres problèmes. Les informations contenues dans le Service Cloud Hyland, en ce compris les données nécessitant des mesures de confidentialité et de sécurité additionnelles (en ce compris celles d’autres clients touchés par l’incident), ne sont pas divulguées publiquement. Le Client peut, s’il nécessite des détails supplémentaires sur un incident, en faire la demande à l’équipe de support Hyland GCS, laquelle est traitée au cas par cas. La procédure de divulgation d'informations peut nécessiter une évaluation sur site, afin de protéger la confidentialité et la sécurité des informations demandées.
e. Hyland notifie le Client d'un Incident de Sécurité dans les quarante-huit (48) heures. Un « Incident de Sécurité » désigne le cas où Hyland identifie une divulgation réelle de Données Client, non cryptées, à une personne ou entité non autorisée, et qui compromet la sécurité, la confidentialité ou l'intégrité des Données Client.
XIV. Aspects de la Gestion de la Continuité des Activités liés à la Sécurité de l'Information.
a. Maintien d’un plan de continuité de l’activité et de reprise après sinistre.
b. Révision et évaluation annuelle du plan susvisé.
XV. Données Agrégées.
a. Hyland est propriétaire de toutes les données d'enregistrement et de facturation du Client et de l'Utilisateur collectées et utilisées par Hyland, requises pour la configuration, l'utilisation du Service Cloud Hyland, ainsi que pour la facturation relative à ce dernier (les « Informations de Compte ») et de toutes les données agrégées, anonymisées et statistiques dérivées de l'utilisation et du fonctionnement du Service Cloud Hyland, en ce compris, mais sans s’y limiter, le nombre d'enregistrements dans le Service Cloud Hyland, le nombre et le type de transactions, les configurations , les rapports traités dans le cadre du Service Cloud Hyland, ainsi que les résultats de performance du Service Cloud Hyland (les « Données Agrégées »).
b. Hyland se réserve le droit d’utiliser les Informations de Compte et les Données Agrégées à des fins commerciales. Afin de lever toute ambiguïté, il est précisé que les Informations de Compte et les Données Agrégées ne comprennent pas les Données Client.
XVI. Enquêtes de Sécurité.
a. Contrôle de la conformité avec le programme de sécurité de l'information, constitué par des évaluations internes périodiques. Les résultats sont partagés avec la direction de Hyland et tout écart est suivi jusqu'à sa remédiation.
b. Maintien d’un programme d'audit externe périodique. Les attestations complètes, telles que les rapports SOC 2 disponibles, sont fournies - sur demande écrite – au Client.
c. Dans la limite d’une (1) fois par an (mais pas plus d'une fois au cours d'une période de 12 mois), le Client peut réaliser un audit (qui comprend des évaluations, des questionnaires, des revues guidées ou d'autres demandes de validation des contrôles de sécurité de Hyland) (chacun une « Enquête de Sécurité ») des opérations de Hyland dans le cadre de la fourniture et du support du Service Cloud Hyland auquel il a souscrit, sous réserve d’une notification préalable écrite à Hyland et des critères suivants à condition que le Client informe à l'avance Hyland de son désir de mener une telle Enquête de Sécurité et que l'Enquête de Sécurité proposée ne chevauche pas, ou couvrir autrement les mêmes informations ou des informations similaires que, ou portée de: (1) tout contrôle déjà prévu par un audit ou une évaluation externe déjà effectué par Hyland, tel qu'un rapport SOC 2, ISO 27001 ou tout autre audit ou évaluation similaire mis à la disposition du Client à la demande du Client; ou ( 2 ) tout contenu déjà fourni par Hyland via son SIG, CAIQ ou un questionnaire similaire rempli qui est mis à la disposition du Client sur demande: (1) Hyland et le Client doivent s'entendre mutuellement sur le calendrier, la portée et les critères de cette Enquête de Sécurité, qui, sous réserve de ce qui précède, peut inclure l'achèvement des questionnaires fournis par le Client; (2) la documentation confidentielle et restreinte, telle que les politiques, pratiques et procédures internes de Hyland, y compris toute documentation demandée par le client qui ne peut pas être retirée des locaux de Hyland en raison de limitations physiques ou de restrictions de politique ne sera pas fournie à l'extérieur ou retirée des locaux de Hyland et de tels examens doit être effectuée sur place au siège social de Hyland dans l'Ohio ou par le biais d'une capture d'écran sécurisée qui peut être organisée par Hyland pour interdire tout type de copie ou de capture d'écran; ( 3 ) Le client comprend et accepte que Hyland ne permettra pas l'accès aux systèmes ou appareils internes utilisés pour héberger ou prendre en charge les offres de Hyland; ( 4 ) dans la mesure où le client souhaite engager un tiers pour effectuer une telle Enquête de Sécurité, Hyland doit approuver ce tiers par écrit à l'avance, Le client doit amener ce tiers à conclure un accord de non-divulgation avec Hyland et à accepter de respecter les normes de sécurité de Hyland, et le client doit gérer l'engagement avec le tiers, s'assurer que le tiers comprend la portée de l'Enquête de Sécurité comme convenu d'un commun accord entre Hyland et le client et comment le client utilise le service Hyland Cloud, et, et (b) le Client paiera à Hyland les montants requis par Hyland en lien avec les Prestations de Services (y compris les frais et dépenses remboursables ) fournies dans le cadre d’ Enquête de Sécurité (aux tarifs publics de Hyland alors en vigueur). Le cas échéant, Hyland fournit dans une mesure raisonnable un accès privé au siège social de Hyland, Ohio, U.S., pour analyser des données et des réunions. Sous réserve d’un demande écrite préalable raisonnable, les parties peut conviennent de rendre disponible les salariés ou prestataires dont l’intervention est nécessaire en vue d’entretiens dans le cadre de réunions physiques ou par téléphone, pendant la durée de l’Enquête de Sécurité, ce, aux seuls frais du Client. Le Client s’interdit, et le client interdira chaque tiers Enquête de Sécurité de distribuer ou de publier les résultats de l’ Enquête de Sécurité à tout tiers, sans le consentement préalable écrit de Hyland. Nonobstant toute disposition contraire de la présente entente, rien dans la présente entente (, y compris cette section ), n'obligera Hyland ou l'une de ses sociétés affiliées à divulguer des informations soumises au privilège avocat-client.
Effective June 17th 2023
DownloadAPÊNDICE DE SEGURANÇA DE SAAS
Introdução: A Hyland mantém e gerencia um programa abrangente de segurança por escrito para cobertura do Serviço de Nuvem da Hyland projetado para proteger: (a) a segurança e integridade dos Dados do Cliente; (b) contra ameaças e perigos que possam afetar negativamente os Dados do Cliente; e (c) contra acesso não autorizado aos Dados do Cliente, cujo programa inclui o seguinte:
Effective December 7th 2022 to June 17th 2023
DownloadTable of Contents
- Risk Management.
- Conducting an annual risk assessment designed to identify threats and vulnerabilities in the administrative, physical, legal, regulatory, and technical safeguards used to protect the Hyland Cloud Service.
- Maintaining a documented risk remediation process to assign ownership of identified risks, establish remediation plans and timeframes, and provide for periodic monitoring of progress.
- Information Security Program.
- Maintaining a documented comprehensive Hyland Cloud Service information security program. This program will include policies and procedures based on industry standard practices, which may include ISO 27001/27002, or other equivalent standards.
- Such information security program shall include, as applicable: (i) adequate physical and cyber security where Customer Data will be processed and/or stored; and (ii) reasonable precautions taken with respect to Hyland personnel employment.
- These policies will be reviewed and updated by Hyland management annually.
- Organization of Information Security. Assigning security responsibilities to appropriate Hyland individuals or groups to facilitate protection of the Hyland Cloud Service and associated assets.
- Human Resources Security.
- Hyland employees undergo comprehensive screening during the hiring process. Background checks and reference validation will be performed to determine whether candidate qualifications are appropriate for the proposed position. Subject to any restrictions imposed by applicable law and based on jurisdiction, these background checks include criminal background checks, employment validation, and education verification as applicable.
- Ensuring all Hyland employees are subject to confidentiality and non-disclosure commitments before access is provisioned to the Hyland Cloud Service or Customer Data.
- Ensuring applicable Hyland employees receive security awareness training designed to provide such employees with information security knowledge to provide for the security, availability, and confidentiality of Customer Data.
- Upon Hyland employee separation or change in roles, Hyland shall ensure any Hyland employee access to the Hyland Cloud Service is revoked in a timely manner and all applicable Hyland assets, both information and physical, are returned.
- Asset Management.
- Maintaining asset and information management policies and procedures. This includes ownership of assets, an inventory of assets, classification guidelines, and handling standards pertaining to Hyland assets.
- Maintaining media handling procedures to ensure media containing Customer Data as part of the Hyland Cloud Service is encrypted and stored in a secure location subject to strict physical access controls.
- When a Hyland Cloud Service storage device has reached the end of its useful life, procedures include a decommissioning process that is designed to prevent Customer Data from being exposed to unauthorized individuals using the techniques recommended by NIST to destroy data as part of the decommissioning process.
- If a Hyland storage device is unable to be decommissioned using these procedures, the device will be virtually shredded, degaussed, purged/wiped, or physically destroyed in accordance with industry-standard practices.
- Access Controls.
- Maintaining a logical access policy and corresponding procedures. The logical access procedures will define the request, approval and access provisioning process for Hyland personnel. The logical access process will restrict Hyland user (local and remote) access based on Hyland user job function (role/profile based, appropriate access) for applications and databases. Hyland user access recertification to determine access and privileges will be performed periodically. Procedures for onboarding and offboarding Hyland personnel users in a timely manner will be documented. Procedures for Hyland personnel user inactivity threshold leading to account suspension and removal threshold will be documented.
- Limiting Hyland’s access to Customer Data to its personnel who have a need to access Customer Data as a condition to Hyland’s performance of the services under this Agreement. Hyland shall utilize the principle of “least privilege” and the concept of “minimum necessary” when determining the level of access for all Hyland users to Customer Data. Hyland shall require strong passwords subject to complexity requirements and periodic rotation and the use of multi-factor authentication.
- Ensuring strict access controls are in place for Customer Data access by Hyland. Customer administrators control its user access, user permissions, and Customer Data retention to the extent such controls are available to Customer with respect to the Hyland Cloud Service.
- System Boundaries.
- Hyland is not responsible for any system components that are not within the Hyland Cloud Platform, including network devices, network connectivity, workstations, servers, and software owned and operated by the Customer or other third parties. Hyland may provide support for these components at its reasonable discretion.
- The processes executed within the Hyland Cloud Platform are limited to those that are executed by a Hyland employee (or Hyland authorized third party) or processes that are executed within Hyland’s established system boundaries, in whole. This includes, but is not limited to, hardware installation, software installation, data replication, data security, and authentication processes.
- Certain business processes may cross these boundaries, meaning one or more tasks are executed outside of Hyland’s established system boundaries for the Hyland Cloud Platform, one or more tasks are executed by individuals who are not Hyland personnel (or authorized third-parties), or one or more tasks are executed based on written requests placed by Customer. In such event, Hyland will provide support for such processes to the extent they occur within Hyland’s established system boundaries, but Hyland is not responsible for providing support for such processes to the extent they occur outside of such established system boundaries. At its reasonable discretion, Hyland may provide limited support for processes that occur outside such established system boundaries for the Hyland Cloud Platform. Examples of business processes that cross these boundaries include, but are not limited to, Hyland Cloud Service configuration changes, processing that occurs within the Hyland Cloud Service, user authorization, and file transfers.
- Encryption.
- Customer Data shall only be uploaded to the Hyland Cloud Services in an encrypted format such as via SFTP, TLS/SSL, or other equivalent method.
- Customer Data shall be encrypted at rest.
- Where use of encryption functionality may be controlled or modified by Customer, in the event Customer elects to modify the use of or turn off any encryption functionality, Customer does so at its own risk.
- Physical and Environment Security.
- The Hyland Cloud Platform uses data centers or third party service providers who have demonstrated compliance with one or more of the following standards (or a reasonable equivalent): International Organization for Standardization (“ISO”) 27001 and/or American Institute of Certified Public Accountants (“AICPA”) Service Organization Controls (“SOC”) Reports for Services Organizations. These providers provide Internet connectivity, physical security, power, and environmental systems and other services for the Hyland Cloud Platform.
- Hyland uses architecture and technologies designed to promote both security and high availability.
- Operations Security.
- Maintaining documented Hyland cloud operating procedures.
- Maintaining change management controls to ensure changes to Hyland Cloud Service production systems made by Hyland are properly authorized and reviewed prior to implementation. Customer is responsible for testing all configuration changes, authentication changes and upgrades implemented by Customer or implemented by Hyland at the request of Customer prior to production use of the Hyland Cloud Service. In cases where the Customer relies upon Hyland to implement changes on its behalf, a written request describing the change must be submitted (e.g. an e-mail, or another method provided by Hyland) by Customer’s designated Customer Security Administrators (“CSAs”) or set forth in a Services Proposal. Hyland will make scheduled configuration changes that are expected to impact Customer access to their Hyland Cloud Service during a planned maintenance window. Hyland may make configuration changes that are not expected to impact Customer during normal business hours.
- Monitoring usage and capacity levels within the Hyland Cloud Platform to adequately and proactively plan for future growth.
- Utilizing virus and malware protection technologies, which are configured to meet common industry standards designed to protect the Customer Data and equipment located within the Hyland Cloud Platform from virus infections or similar malicious payloads.
- Implementing disaster recovery and business continuity procedures. These will include replication of Customer Data to a secondary location.
- Maintaining a system and security logging process to capture system logs deemed critical by Hyland. These logs shall be maintained for at least six months and reviewed on a periodic basis.
- Maintaining system hardening requirements and configuration standards for components deployed within the Hyland Cloud Platform. Ensuring servers, operating systems, and supporting software used in the Hyland Cloud Platform receive all Critical and High security patches within a timely manner, but in no event more than 90 days after release, subject to the next sentence. In the event any such security patch would materially adversely affect the Hyland Cloud Service, then Hyland will use reasonable efforts to implement compensating controls until a security patch is available that would not materially adversely affect the Hyland Cloud Service.
- Conducting Hyland Cloud Platform vulnerability scans or analysis on at least a quarterly basis and remediate all critical and high vulnerabilities identified in accordance with its patch management procedures.
- Conducting Hyland Cloud Platform penetration tests at least annually.
- Communications Security
- Implementing Hyland Cloud Platform security controls to protect information resources within the Hyland Cloud Platform.
- When supported, upon implementation and once annually thereafter, Customer may request Hyland limit access to Customer’s Hyland Cloud Service to a list of pre-defined IP addresses at no additional cost.
- Supplier Relationships. Maintaining a Vendor Management Program for its critical vendors. This program will ensure critical vendors are evaluated on an annual basis.
- Security Incident.
- Employing incident response standards that are based upon applicable industry standards, such as ISO 27001:2013 and National Institute for Standards and Technology (“NIST”), to maintain the information security components of the Hyland Cloud Service environment.
- Responses to these incidents follow the Hyland documented incident response sequence. This sequence includes the incident trigger phase, evaluation phase, escalation phase, response phase, recovery phase, de-escalation phase, and post-incident review phase.
- If Hyland has determined Customer’s Hyland Cloud Service has been negatively impacted by a security incident, Hyland will deliver a root cause analysis summary. Such notice will not be unreasonably delayed, but will occur after initial corrective actions have been taken to contain the security threat or stabilize the Hyland Cloud Service.
- The root cause analysis will include the duration of the event, resolution, technical summary, outstanding issues, and follow-up, including steps Customer needs to take in order to prevent further issues. Hyland Cloud Service information including data elements that require additional confidentiality and security measures (including that of other customers impacted in the event) will not be publicly disclosed. If Customer needs additional details of an incident, a request to the Hyland GCS Support team must be submitted and handled on a case by case basis. The release of information process may require an on-site review to protect the confidentiality and security of the requested information.
- Hyland will notify Customer of a Security Incident within 48 hours. A “Security Incident” means a determination by Hyland of an actual disclosure of unencrypted Customer Data to an unauthorized person or entity that compromises the security, confidentiality, or integrity of the Customer Data.
- Information Security Aspects of Business Continuity Management.
- Maintaining a business continuity and disaster recovery plan.
- Reviewing and testing this plan annually.
- Aggregated Data.
- Hyland owns all Customer and User registration and billing data collected and used by Hyland that is required for user set-up, use and billing for the Hyland Cloud Service (“Account Information”) and all aggregated, anonymized and statistical data derived from the use and operation of the Hyland Cloud Service, including without limitation, the number of records in the Hyland Cloud Service, the number and types of transactions, configurations, and reports processed as part of the Hyland Cloud Service and the performance results of the Hyland Cloud Service (the “Aggregated Data”).
- Hyland may utilize the Account Information and Aggregated Data for purposes of operating Hyland’s business. For clarity, Account Information and Aggregated Data does not include Customer Data.
- Security Inquiries.
- Monitoring its compliance with its information security program. This includes periodic internal reviews. Results are shared with Hyland leadership and deviations tracked through to remediation.
- Maintaining a periodic external audit program. Completed attestations, such as available SOC 2 reports, are provided to Customer upon written request.
- Customer may conduct audits (which includes assessments, questionnaires, guided reviews or other requests to validate Hyland’s security controls) (each a “Security Inquiry”) of Hyland’s operations that participate in the ongoing delivery and support of the Hyland Cloud Service purchased by Customer on an annual basis (but no more than once during any 12-month period); provided, that Customer provides Hyland with advance written notice of its desire to conduct such Security Inquiry and the proposed Security Inquiry does not overlap with, or otherwise cover the same or similar information as, or scope of: (1) any controls already provided for by an external audit or assessment already performed by Hyland, such as a SOC 2 report, ISO 27001 or other similar audit or assessment that is made available to Customer upon Customer’s request; or (2) any content already provided by Hyland through its completed SIG, CAIQ or similar questionnaire that is made available to Customer upon request. For each Security Inquiry, (1) Hyland and Customer must mutually agree upon the timing, scope, and criteria of such Security Inquiry, which, subject to the foregoing, may include the completion of questionnaires supplied by Customer; (2) confidential and restricted documentation, such as Hyland internal policies, practices, and procedures, including any documentation requested by Customer that cannot be removed from Hyland’s premises as a result of physical limitations or policy restrictions will not be provided externally or removed from Hyland’s premises and such reviews must be conducted onsite at Hyland’s corporate headquarters in Ohio or through a secure screenshare which may be arranged by Hyland to prohibit any type of copying or screen shots; (3) Customer understands and agrees that Hyland will not permit access to internal systems or devices used to host or support Hyland’s offerings; (4) to the extent Customer desires to engage a third party to perform such Security Inquiry, Hyland must approve of such third party in writing in advance, Customer shall cause such third party to enter into a Non-Disclosure Agreement with Hyland and agree to abide by Hyland’s security standards, and Customer shall manage the engagement with the third party, ensuring the third party understands the scope of the Security Inquiry as mutually agreed upon between Hyland and Customer and how Customer utilizes the Hyland Cloud Service; and (5) Customer shall pay Hyland fees (at Hyland’s standard rates) for the Professional Services (including any out-of-pocket costs and expenses) that are required or requested of Hyland in connection with such Security Inquiry. Where necessary, Hyland will provide private and reasonable accommodation at Hyland’s corporate headquarters in Ohio for data analysis and meetings. Upon reasonable advance written request, Hyland and Customer may mutually agree to make necessary employees or contractors available for interviews in person or on the phone during such Security Inquiry at Customer’s cost and expense. Customer is prohibited, , and Customer shall prohibit each third party Security Inquiry from distributing or publishing the results of such Security Inquiry to any third party without Hyland’s prior written approval. Notwithstanding anything to the contrary within this Agreement, nothing in this Agreement (including this section) will require Hyland or any of its affiliates to disclose information that is subject to attorney-client privilege.
Effective November 30th 2022 to December 7th 2022
DownloadTable of Contents
- Risk Management.
- Conducting an annual risk assessment designed to identify threats and vulnerabilities in the administrative, physical, legal, regulatory, and technical safeguards used to protect the Hyland Cloud Service.
- Maintaining a documented risk remediation process to assign ownership of identified risks, establish remediation plans and timeframes, and provide for periodic monitoring of progress.
- Information Security Program.
- Maintaining a documented comprehensive Hyland Cloud Service information security program. This program will include policies and procedures based on industry standard practices, which may include ISO 27001/27002, or other equivalent standards.
- Such information security program shall include, as applicable: (i) adequate physical and cyber security where Customer Data will be processed and/or stored; and (ii) reasonable precautions taken with respect to Hyland personnel employment.
- These policies will be reviewed and updated by Hyland management annually.
- Organization of Information Security. Assigning security responsibilities to appropriate Hyland individuals or groups to facilitate protection of the Hyland Cloud Service and associated assets.
- Human Resources Security.
- Hyland employees undergo comprehensive screening during the hiring process. Background checks and reference validation will be performed to determine whether candidate qualifications are appropriate for the proposed position. Subject to any restrictions imposed by applicable law and based on jurisdiction, these background checks include criminal background checks, employment validation, and education verification as applicable.
- Ensuring all Hyland employees are subject to confidentiality and non-disclosure commitments before access is provisioned to the Hyland Cloud Service or Customer Data.
- Ensuring applicable Hyland employees receive security awareness training designed to provide such employees with information security knowledge to provide for the security, availability, and confidentiality of Customer Data.
- Upon Hyland employee separation or change in roles, Hyland shall ensure any Hyland employee access to the Hyland Cloud Service is revoked in a timely manner and all applicable Hyland assets, both information and physical, are returned.
- Asset Management.
- Maintaining asset and information management policies and procedures. This includes ownership of assets, an inventory of assets, classification guidelines, and handling standards pertaining to Hyland assets.
- Maintaining media handling procedures to ensure media containing Customer Data as part of the Hyland Cloud Service is encrypted and stored in a secure location subject to strict physical access controls.
- When a Hyland Cloud Service storage device has reached the end of its useful life, procedures include a decommissioning process that is designed to prevent Customer Data from being exposed to unauthorized individuals using the techniques recommended by NIST to destroy data as part of the decommissioning process.
- If a Hyland storage device is unable to be decommissioned using these procedures, the device will be virtually shredded, degaussed, purged/wiped, or physically destroyed in accordance with industry-standard practices.
- Access Controls.
- Maintaining a logical access policy and corresponding procedures. The logical access procedures will define the request, approval and access provisioning process for Hyland personnel. The logical access process will restrict Hyland user (local and remote) access based on Hyland user job function (role/profile based, appropriate access) for applications and databases. Hyland user access recertification to determine access and privileges will be performed periodically. Procedures for onboarding and offboarding Hyland personnel users in a timely manner will be documented. Procedures for Hyland personnel user inactivity threshold leading to account suspension and removal threshold will be documented.
- Limiting Hyland’s access to Customer Data to its personnel who have a need to access Customer Data as a condition to Hyland’s performance of the services under this Agreement. Hyland shall utilize the principle of “least privilege” and the concept of “minimum necessary” when determining the level of access for all Hyland users to Customer Data. Hyland shall require strong passwords subject to complexity requirements and periodic rotation and the use of multi-factor authentication.
- Ensuring strict access controls are in place for Customer Data access by Hyland. Customer administrators control its user access, user permissions, and Customer Data retention to the extent such controls are available to Customer with respect to the Hyland Cloud Service.
- System Boundaries.
- Hyland is not responsible for any system components that are not within the Hyland Cloud Platform, including network devices, network connectivity, workstations, servers, and software owned and operated by the Customer or other third parties. Hyland may provide support for these components at its reasonable discretion.
- The processes executed within the Hyland Cloud Platform are limited to those that are executed by a Hyland employee (or Hyland authorized third party) or processes that are executed within Hyland’s established system boundaries, in whole. This includes, but is not limited to, hardware installation, software installation, data replication, data security, and authentication processes.
- Certain business processes may cross these boundaries, meaning one or more tasks are executed outside of Hyland’s established system boundaries for the Hyland Cloud Platform, one or more tasks are executed by individuals who are not Hyland personnel (or authorized third-parties), or one or more tasks are executed based on written requests placed by Customer. In such event, Hyland will provide support for such processes to the extent they occur within Hyland’s established system boundaries, but Hyland is not responsible for providing support for such processes to the extent they occur outside of such established system boundaries. At its reasonable discretion, Hyland may provide limited support for processes that occur outside such established system boundaries for the Hyland Cloud Platform. Examples of business processes that cross these boundaries include, but are not limited to, Hyland Cloud Service configuration changes, processing that occurs within the Hyland Cloud Service, user authorization, and file transfers.
- Encryption.
- Customer Data shall only be uploaded to the Hyland Cloud Services in an encrypted format such as via SFTP, TLS/SSL, or other equivalent method.
- Customer Data shall be encrypted at rest.
- Where use of encryption functionality may be controlled or modified by Customer, in the event Customer elects to modify the use of or turn off any encryption functionality, Customer does so at its own risk.
- Physical and Environment Security.
- The Hyland Cloud Platform uses data centers or third party service providers who have demonstrated compliance with one or more of the following standards (or a reasonable equivalent): International Organization for Standardization (“ISO”) 27001 and/or American Institute of Certified Public Accountants (“AICPA”) Service Organization Controls (“SOC”) Reports for Services Organizations. These providers provide Internet connectivity, physical security, power, and environmental systems and other services for the Hyland Cloud Platform.
- Hyland uses architecture and technologies designed to promote both security and high availability.
- Operations Security.
- Maintaining documented Hyland cloud operating procedures.
- Maintaining change management controls to ensure changes to Hyland Cloud Service production systems made by Hyland are properly authorized and reviewed prior to implementation. Customer is responsible for testing all configuration changes, authentication changes and upgrades implemented by Customer or implemented by Hyland at the request of Customer prior to production use of the Hyland Cloud Service. In cases where the Customer relies upon Hyland to implement changes on its behalf, a written request describing the change must be submitted (e.g. an e-mail, or another method provided by Hyland) by Customer’s designated Customer Security Administrators (“CSAs”) or set forth in a Services Proposal. Hyland will make scheduled configuration changes that are expected to impact Customer access to their Hyland Cloud Service during a planned maintenance window. Hyland may make configuration changes that are not expected to impact Customer during normal business hours.
- Monitoring usage and capacity levels within the Hyland Cloud Platform to adequately and proactively plan for future growth.
- Utilizing virus and malware protection technologies, which are configured to meet common industry standards designed to protect the Customer Data and equipment located within the Hyland Cloud Platform from virus infections or similar malicious payloads.
- Implementing disaster recovery and business continuity procedures. These will include replication of Customer Data to a secondary location.
- Maintaining a system and security logging process to capture system logs deemed critical by Hyland. These logs shall be maintained for at least six months and reviewed on a periodic basis.
- Maintaining system hardening requirements and configuration standards for components deployed within the Hyland Cloud Platform. Ensuring servers, operating systems, and supporting software used in the Hyland Cloud Platform receive all Critical and High security patches within a timely manner, but in no event more than 90 days after release, subject to the next sentence. In the event any such security patch would materially adversely affect the Hyland Cloud Service, then Hyland will use reasonable efforts to implement compensating controls until a security patch is available that would not materially adversely affect the Hyland Cloud Service.
- Conducting Hyland Cloud Platform vulnerability scans or analysis on at least a quarterly basis and remediate all critical and high vulnerabilities identified in accordance with its patch management procedures.
- Conducting Hyland Cloud Platform penetration tests at least annually.
- Communications Security
- Implementing Hyland Cloud Platform security controls to protect information resources within the Hyland Cloud Platform.
- When supported, upon implementation and once annually thereafter, Customer may request Hyland limit access to Customer’s Hyland Cloud Service to a list of pre-defined IP addresses at no additional cost.
- Supplier Relationships. Maintaining a Vendor Management Program for its critical vendors. This program will ensure critical vendors are evaluated on an annual basis.
- Security Incident.
- Employing incident response standards that are based upon applicable industry standards, such as ISO 27001:2013 and National Institute for Standards and Technology (“NIST”), to maintain the information security components of the Hyland Cloud Service environment.
- Responses to these incidents follow the Hyland documented incident response sequence. This sequence includes the incident trigger phase, evaluation phase, escalation phase, response phase, recovery phase, de-escalation phase, and post-incident review phase.
- If Hyland has determined Customer’s Hyland Cloud Service has been negatively impacted by a security incident, Hyland will deliver a root cause analysis summary. Such notice will not be unreasonably delayed, but will occur after initial corrective actions have been taken to contain the security threat or stabilize the Hyland Cloud Service.
- The root cause analysis will include the duration of the event, resolution, technical summary, outstanding issues, and follow-up, including steps Customer needs to take in order to prevent further issues. Hyland Cloud Service information including data elements that require additional confidentiality and security measures (including that of other customers impacted in the event) will not be publicly disclosed. If Customer needs additional details of an incident, a request to the Hyland GCS Support team must be submitted and handled on a case by case basis. The release of information process may require an on-site review to protect the confidentiality and security of the requested information.
- Hyland will notify Customer of a Security Incident within 48 hours. A “Security Incident” means a determination by Hyland of an actual disclosure of unencrypted Customer Data to an unauthorized person or entity that compromises the security, confidentiality, or integrity of the Customer Data.
- Information Security Aspects of Business Continuity Management.
- Maintaining a business continuity and disaster recovery plan.
- Reviewing and testing this plan annually.
- Aggregated Data.
- Hyland owns all Customer and User registration and billing data collected and used by Hyland that is required for user set-up, use and billing for the Hyland Cloud Service (“Account Information”) and all aggregated, anonymized and statistical data derived from the use and operation of the Hyland Cloud Service, including without limitation, the number of records in the Hyland Cloud Service, the number and types of transactions, configurations, and reports processed as part of the Hyland Cloud Service and the performance results of the Hyland Cloud Service (the “Aggregated Data”).
- Hyland may utilize the Account Information and Aggregated Data for purposes of operating Hyland’s business. For clarity, Account Information and Aggregated Data does not include Customer Data.
- Audit and Security Testing.
- Monitoring its compliance with its information security program. This includes periodic internal reviews. Results are shared with Hyland leadership and deviations tracked through to remediation.
- Maintaining a periodic external audit program. Completed attestations, such as available SOC 2 reports, are provided to Customer upon written request.
- Customer may conduct audits (which includes assessments, questionnaires, guided reviews or other requests to validate Hyland’s security controls) (each a “Security Inquiry”) of Hyland’s operations that participate in the ongoing delivery and support of the Hyland Cloud Service purchased by Customer on an annual basis (but no more than once during any 12-month period); provided, that Customer provides Hyland with advance written notice of its desire to conduct such Security Inquiry and the proposed Security Inquiry does not overlap with, or otherwise cover the same or similar information as, or scope of: (1) any controls already provided for by an external audit or assessment already performed by Hyland, such as a SOC 2 report, ISO 27001 or other similar audit or assessment that is made available to Customer upon Customer’s request; or (2) any content already provided by Hyland through its completed SIG, CAIQ or similar questionnaire that is made available to Customer upon request. For each Security Inquiry, (1) Hyland and Customer must mutually agree upon the timing, scope, and criteria of such Security Inquiry, which, subject to the foregoing, may include the completion of questionnaires supplied by Customer; (2) confidential and restricted documentation, such as Hyland internal policies, practices, and procedures, including any documentation requested by Customer that cannot be removed from Hyland’s premises as a result of physical limitations or policy restrictions will not be provided externally or removed from Hyland’s premises and such reviews must be conducted onsite at Hyland’s corporate headquarters in Ohio or through a secure screenshare which may be arranged by Hyland to prohibit any type of copying or screen shots; (3) Customer understands and agrees that Hyland will not permit access to internal systems or devices used to host or support Hyland’s offerings; (4) to the extent Customer desires to engage a third party to perform such Security Inquiry, Hyland must approve of such third party in writing in advance, Customer shall cause such third party to enter into a Non-Disclosure Agreement with Hyland and agree to abide by Hyland’s security standards, and Customer shall manage the engagement with the third party, ensuring the third party understands the scope of the Security Inquiry as mutually agreed upon between Hyland and Customer and how Customer utilizes the Hyland Cloud Service; and (5) Customer shall pay Hyland fees (at Hyland’s standard rates) for the Professional Services (including any out-of-pocket costs and expenses) that are required or requested of Hyland in connection with such Security Inquiry. Where necessary, Hyland will provide private and reasonable accommodation at Hyland’s corporate headquarters in Ohio for data analysis and meetings. Upon reasonable advance written request, Hyland and Customer may mutually agree to make necessary employees or contractors available for interviews in person or on the phone during such Security Inquiry at Customer’s cost and expense. Customer is prohibited, , and Customer shall prohibit each third party Security Inquiry from distributing or publishing the results of such Security Inquiry to any third party without Hyland’s prior written approval. Notwithstanding anything to the contrary within this Agreement, nothing in this Agreement (including this section) will require Hyland or any of its affiliates to disclose information that is subject to attorney-client privilege.
Effective February 2nd 2022 to November 30th 2022
DownloadTable of Contents
- Risk Management.
- Conducting an annual risk assessment designed to identify threats and vulnerabilities in the administrative, physical, legal, regulatory, and technical safeguards used to protect the Hyland Cloud Service.
- Maintaining a documented risk remediation process to assign ownership of identified risks, establish remediation plans and timeframes, and provide for periodic monitoring of progress.
- Information Security Program.
- Maintaining a documented comprehensive Hyland Cloud Service information security program. This program will include policies and procedures based on industry standard practices, which may include ISO 27001/27002, or other equivalent standards.
- Such information security program shall include, as applicable: (i) adequate physical and cyber security where Customer Data will be processed and/or stored; and (ii) reasonable precautions taken with respect to Hyland personnel employment.
- These policies will be reviewed and updated by Hyland management annually.
- Organization of Information Security. Assigning security responsibilities to appropriate Hyland individuals or groups to facilitate protection of the Hyland Cloud Service and associated assets.
- Human Resources Security.
- Hyland employees undergo comprehensive screening during the hiring process. Background checks and reference validation will be performed to determine whether candidate qualifications are appropriate for the proposed position. Subject to any restrictions imposed by applicable law and based on jurisdiction, these background checks include criminal background checks, employment validation, and education verification as applicable.
- Ensuring all Hyland employees are subject to confidentiality and non-disclosure commitments before access is provisioned to the Hyland Cloud Service or Customer Data.
- Ensuring applicable Hyland employees receive security awareness training designed to provide such employees with information security knowledge to provide for the security, availability, and confidentiality of Customer Data.
- Upon Hyland employee separation or change in roles, Hyland shall ensure any Hyland employee access to the Hyland Cloud Service is revoked in a timely manner and all applicable Hyland assets, both information and physical, are returned.
- Asset Management.
- Maintaining asset and information management policies and procedures. This includes ownership of assets, an inventory of assets, classification guidelines, and handling standards pertaining to Hyland assets.
- Maintaining media handling procedures to ensure media containing Customer Data as part of the Hyland Cloud Service is encrypted and stored in a secure location subject to strict physical access controls.
- When a Hyland Cloud Service storage device has reached the end of its useful life, procedures include a decommissioning process that is designed to prevent Customer Data from being exposed to unauthorized individuals using the techniques recommended by NIST to destroy data as part of the decommissioning process.
- If a Hyland storage device is unable to be decommissioned using these procedures, the device will be virtually shredded, degaussed, purged/wiped, or physically destroyed in accordance with industry-standard practices.
- Access Controls.
- Maintaining a logical access policy and corresponding procedures. The logical access procedures will define the request, approval and access provisioning process for Hyland personnel. The logical access process will restrict Hyland user (local and remote) access based on Hyland user job function (role/profile based, appropriate access) for applications and databases. Hyland user access recertification to determine access and privileges will be performed periodically. Procedures for onboarding and offboarding Hyland personnel users in a timely manner will be documented. Procedures for Hyland personnel user inactivity threshold leading to account suspension and removal threshold will be documented.
- Limiting Hyland’s access to Customer Data to its personnel who have a need to access Customer Data as a condition to Hyland’s performance of the services under this Agreement. Hyland shall utilize the principle of “least privilege” and the concept of “minimum necessary” when determining the level of access for all Hyland users to Customer Data. Hyland shall require strong passwords subject to complexity requirements and periodic rotation and the use of multi-factor authentication.
- Ensuring strict access controls are in place for Customer Data access by Hyland. Customer administrators control its user access, user permissions, and Customer Data retention to the extent such controls are available to Customer with respect to the Hyland Cloud Service.
- System Boundaries.
- Hyland is not responsible for any system components that are not within the Hyland Cloud Platform, including network devices, network connectivity, workstations, servers, and software owned and operated by the Customer or other third parties. Hyland may provide support for these components at its reasonable discretion.
- The processes executed within the Hyland Cloud Platform are limited to those that are executed by a Hyland employee (or Hyland authorized third party) or processes that are executed within Hyland’s established system boundaries, in whole. This includes, but is not limited to, hardware installation, software installation, data replication, data security, and authentication processes.
- Certain business processes may cross these boundaries, meaning one or more tasks are executed outside of Hyland’s established system boundaries for the Hyland Cloud Platform, one or more tasks are executed by individuals who are not Hyland personnel (or authorized third-parties), or one or more tasks are executed based on written requests placed by Customer. In such event, Hyland will provide support for such processes to the extent they occur within Hyland’s established system boundaries, but Hyland is not responsible for providing support for such processes to the extent they occur outside of such established system boundaries. At its reasonable discretion, Hyland may provide limited support for processes that occur outside such established system boundaries for the Hyland Cloud Platform. Examples of business processes that cross these boundaries include, but are not limited to, Hyland Cloud Service configuration changes, processing that occurs within the Hyland Cloud Service, user authorization, and file transfers.
- Encryption.
- Customer Data shall only be uploaded to the Hyland Cloud Services in an encrypted format such as via SFTP, TLS/SSL, or other equivalent method.
- Customer Data shall be encrypted at rest.
- Where use of encryption functionality may be controlled or modified by Customer, in the event Customer elects to modify the use of or turn off any encryption functionality, Customer does so at its own risk.
- Physical and Environment Security.
- The Hyland Cloud Platform uses data centers or third party service providers who have demonstrated compliance with one or more of the following standards (or a reasonable equivalent): International Organization for Standardization (“ISO”) 27001 and/or American Institute of Certified Public Accountants (“AICPA”) Service Organization Controls (“SOC”) Reports for Services Organizations. These providers provide Internet connectivity, physical security, power, and environmental systems and other services for the Hyland Cloud Platform.
- Hyland uses architecture and technologies designed to promote both security and high availability.
- Operations Security.
- Maintaining documented Hyland cloud operating procedures.
- Maintaining change management controls to ensure changes to Hyland Cloud Service production systems made by Hyland are properly authorized and reviewed prior to implementation. Customer is responsible for testing all configuration changes, authentication changes and upgrades implemented by Customer or implemented by Hyland at the request of Customer prior to production use of the Hyland Cloud Service. In cases where the Customer relies upon Hyland to implement changes on its behalf, a written request describing the change must be submitted (e.g. an e-mail, or another method provided by Hyland) by Customer’s designated Customer Security Administrators (“CSAs”) or set forth in a Services Proposal. Hyland will make scheduled configuration changes that are expected to impact Customer access to their Hyland Cloud Service during a planned maintenance window. Hyland may make configuration changes that are not expected to impact Customer during normal business hours.
- Monitoring usage and capacity levels within the Hyland Cloud Platform to adequately and proactively plan for future growth.
- Utilizing virus and malware protection technologies, which are configured to meet common industry standards designed to protect the Customer Data and equipment located within the Hyland Cloud Platform from virus infections or similar malicious payloads.
- Implementing disaster recovery and business continuity procedures. These will include replication of Customer Data to a secondary location.
- Maintaining a system and security logging process to capture system logs deemed critical by Hyland. These logs shall be maintained for at least six months and reviewed on a periodic basis.
- Maintaining system hardening requirements and configuration standards for components deployed within the Hyland Cloud Platform. Ensuring servers, operating systems, and supporting software used in the Hyland Cloud Platform receive all Critical and High security patches within a timely manner, but in no event more than 90 days after release, subject to the next sentence. In the event any such security patch would materially adversely affect the Hyland Cloud Service, then Hyland will use reasonable efforts to implement compensating controls until a security patch is available that would not materially adversely affect the Hyland Cloud Service.
- Conducting Hyland Cloud Platform vulnerability scans or analysis on at least a quarterly basis and remediate all critical and high vulnerabilities identified in accordance with its patch management procedures.
- Conducting Hyland Cloud Platform penetration tests at least annually.
- Communications Security
- Implementing Hyland Cloud Platform security controls to protect information resources within the Hyland Cloud Platform.
- When supported, upon implementation and once annually thereafter, Customer may request Hyland limit access to Customer’s Hyland Cloud Service to a list of pre-defined IP addresses at no additional cost.
- Supplier Relationships. Maintaining a Vendor Management Program for its critical vendors. This program will ensure critical vendors are evaluated on an annual basis.
- Security Incident.
- Employing incident response standards that are based upon applicable industry standards, such as ISO 27001:2013 and National Institute for Standards and Technology (“NIST”), to maintain the information security components of the Hyland Cloud Service environment.
- Responses to these incidents follow the Hyland documented incident response sequence. This sequence includes the incident trigger phase, evaluation phase, escalation phase, response phase, recovery phase, de-escalation phase, and post-incident review phase.
- If Hyland has determined Customer’s Hyland Cloud Service has been negatively impacted by a security incident, Hyland will deliver a root cause analysis summary. Such notice will not be unreasonably delayed, but will occur after initial corrective actions have been taken to contain the security threat or stabilize the Hyland Cloud Service.
- The root cause analysis will include the duration of the event, resolution, technical summary, outstanding issues, and follow-up, including steps Customer needs to take in order to prevent further issues. Hyland Cloud Service information including data elements that require additional confidentiality and security measures (including that of other customers impacted in the event) will not be publicly disclosed. If Customer needs additional details of an incident, a request to the Hyland GCS Support team must be submitted and handled on a case by case basis. The release of information process may require an on-site review to protect the confidentiality and security of the requested information.
- Hyland will notify Customer of a Security Incident within 48 hours. A “Security Incident” means a determination by Hyland of an actual disclosure of unencrypted Customer Data to an unauthorized person or entity that compromises the security, confidentiality, or integrity of the Customer Data.
- Information Security Aspects of Business Continuity Management.
- Maintaining a business continuity and disaster recovery plan.
- Reviewing and testing this plan annually.
- Aggregated Data.
- Hyland owns all Customer and User registration and billing data collected and used by Hyland that is required for user set-up, use and billing for the Hyland Cloud Service (“Account Information”) and all aggregated, anonymized and statistical data derived from the use and operation of the Hyland Cloud Service, including without limitation, the number of records in the Hyland Cloud Service, the number and types of transactions, configurations, and reports processed as part of the Hyland Cloud Service and the performance results of the Hyland Cloud Service (the “Aggregated Data”).
- Hyland may utilize the Account Information and Aggregated Data for purposes of operating Hyland’s business. For clarity, Account Information and Aggregated Data does not include Customer Data.	
- Audit and Security Testing.
- Monitoring its compliance with its information security program. This includes periodic internal reviews. Results are shared with Hyland leadership and deviations tracked through to remediation.
- Maintaining a periodic external audit program. Completed attestations, such as available SOC 2 reports, are provided to Customer upon written request.
- Customer may conduct audits of Hyland’s operations that participate in the ongoing delivery and support of the Hyland Cloud Service purchased by Customer on an annual basis; provided Customer provides Hyland written notice of its desire to conduct such audit and the following criteria are met: (a) Hyland and Customer mutually agree upon the timing, scope, and criteria of such audit, which may include the completion of questionnaires supplied by Customer and guided review of policies, practices, procedures, Hyland Cloud Service configurations, invoices, or application logs, and (b) Customer agrees to pay Hyland fees (at Hyland’s standard rates) for the Professional Services that are required or requested of Hyland in connection with such audit. Prior to any such audit, any third party engaged by Customer to assist with such audit, must be cleared by Hyland and enter into a Non-Disclosure Agreement directly with Hyland. If any documentation requested by Customer cannot be removed from Hyland’s facilities as a result of physical limitations or policy restrictions, Hyland will allow Customer’s auditors access to such documentation at Hyland’s corporate headquarters in Ohio and may prohibit any type of copying or the taking of screen shots. Where necessary, Hyland will provide private and reasonable accommodation at Hyland’s corporate headquarters in Ohio for data analysis and meetings. Upon reasonable notice, Hyland and Customer mutually agree to make necessary employees or contractors available for interviews in person or on the phone during such audit at Customer’s cost and expense. Customer is prohibited from distributing or publishing the results of such audit to any third party without Hyland’s prior written approval.
- Customer may conduct penetration testing against the public URL used to access the Hyland Cloud Service on an annual basis; provided Customer provides Hyland with written notice of its desire to conduct such testing and the following criteria are met: (a) Hyland and Customer mutually agree upon the timing, scope, and criteria of such testing, which may include common social engineering, application, and network testing techniques used to identify or exploit common vulnerabilities including buffer overflows, cross site scripting, SQL injection, and man in the middle attacks, and (b) such testing is at Customer’s cost and expense and Customer pays to Hyland fees (at Hyland’s standard rates) for the Professional Services that are required or requested of Hyland in connection with such testing. Prior to any such testing, any third party engaged by Customer to assist with such testing, must be cleared by Hyland and enter into a Non-Disclosure Agreement directly with Hyland. Customer acknowledges and agrees that any such testing performed without mutual agreement regarding timing, scope, and criteria may be considered a hostile attack, which may trigger automated and manual responses, including reporting the activity to local and federal law enforcement agencies as well as immediate suspension of Customer’s access to or use of the Hyland Cloud Service. Customer is prohibited from distributing or publishing the results of such penetration testing to any third party without Hyland’s prior written approval.
Effective March 30th 2021 to February 2nd 2022
DownloadTable of Contents
- Risk Management.
- Conducting an annual risk assessment designed to identify threats and vulnerabilities in the administrative, physical, legal, regulatory, and technical safeguards used to protect the Hyland Cloud Service.
- Maintaining a documented risk remediation process to assign ownership of identified risks, establish remediation plans and timeframes, and provide for periodic monitoring of progress.
- Information Security Program.
- Maintaining a documented comprehensive Hyland Cloud Service information security program. This program will include policies and procedures based on industry standard practices, which may include ISO 27001/27002, or other equivalent standards.
- Such information security program shall include, as applicable: (i) adequate physical and cyber security where Customer Data will be processed and/or stored; and (ii) reasonable precautions taken with respect to Hyland personnel employment.
- These policies will be reviewed and updated by Hyland management annually.
- Organization of Information Security. Assigning security responsibilities to appropriate Hyland individuals or groups to facilitate protection of the Hyland Cloud Service and associated assets.
- Human Resources Security.
- Hyland employees undergo comprehensive screening during the hiring process. Background checks and reference validation will be performed to determine whether candidate qualifications are appropriate for the proposed position. Subject to any restrictions imposed by applicable law and based on jurisdiction, these background checks include criminal background checks, employment validation, and education verification as applicable.
- Ensuring all Hyland employees are subject to confidentiality and non-disclosure commitments before access is provisioned to the Hyland Cloud Service or Customer Data.
- Ensuring applicable Hyland employees receive security awareness training designed to provide such employees with information security knowledge to provide for the security, availability, and confidentiality of Customer Data.
- Upon Hyland employee separation or change in roles, Hyland shall ensure any Hyland employee access to the Hyland Cloud Service is revoked in a timely manner and all applicable Hyland assets, both information and physical, are returned.
- Asset Management.
- Maintaining asset and information management policies and procedures. This includes ownership of assets, an inventory of assets, classification guidelines, and handling standards pertaining to Hyland assets.
- Maintaining media handling procedures to ensure media containing Customer Data as part of the Hyland Cloud Service is encrypted and stored in a secure location subject to strict physical access controls.
- When a Hyland Cloud Service storage device has reached the end of its useful life, procedures include a decommissioning process that is designed to prevent Customer Data from being exposed to unauthorized individuals using the techniques recommended by NIST to destroy data as part of the decommissioning process.
- If a Hyland storage device is unable to be decommissioned using these procedures, the device will be virtually shredded, degaussed, purged/wiped, or physically destroyed in accordance with industry-standard practices.
- Access Controls.
- Maintaining a logical access policy and corresponding procedures. The logical access procedures will define the request, approval and access provisioning process for Hyland personnel. The logical access process will restrict Hyland user (local and remote) access based on Hyland user job function (role/profile based, appropriate access) for applications and databases. Hyland user access recertification to determine access and privileges will be performed periodically. Procedures for onboarding and offboarding Hyland personnel users in a timely manner will be documented. Procedures for Hyland personnel user inactivity threshold leading to account suspension and removal threshold will be documented.
- Limiting Hyland’s access to Customer Data to its personnel who have a need to access Customer Data as a condition to Hyland’s performance of the services under this Agreement. Hyland shall utilize the principle of “least privilege” and the concept of “minimum necessary” when determining the level of access for all Hyland users to Customer Data. Hyland shall require strong passwords subject to complexity requirements and periodic rotation and the use of multi-factor authentication.
- Ensuring strict access controls are in place for Customer Data access by Hyland. Customer administrators control its user access, user permissions, and Customer Data retention to the extent such controls are available to Customer with respect to the Hyland Cloud Service.
- System Boundaries.
- Hyland is not responsible for any system components that are not within the Hyland Cloud Platform, including network devices, network connectivity, workstations, servers, and software owned and operated by the Customer or other third parties. Hyland may provide support for these components at its reasonable discretion.
- The processes executed within the Hyland Cloud Platform are limited to those that are executed by a Hyland employee (or Hyland authorized third party) or processes that are executed within Hyland’s established system boundaries, in whole. This includes, but is not limited to, hardware installation, software installation, data replication, data security, and authentication processes.
- Certain business processes may cross these boundaries, meaning one or more tasks are executed outside of Hyland’s established system boundaries for the Hyland Cloud Platform, one or more tasks are executed by individuals who are not Hyland personnel (or authorized third-parties), or one or more tasks are executed based on written requests placed by Customer. In such event, Hyland will provide support for such processes to the extent they occur within Hyland’s established system boundaries, but Hyland is not responsible for providing support for such processes to the extent they occur outside of such established system boundaries. At its reasonable discretion, Hyland may provide limited support for processes that occur outside such established system boundaries for the Hyland Cloud Platform. Examples of business processes that cross these boundaries include, but are not limited to, Hyland Cloud Service configuration changes, processing that occurs within the Hyland Cloud Service, user authorization, and file transfers.
- Encryption.
- Customer Data shall only be uploaded to the Hyland Cloud Services in an encrypted format such as via SFTP, TLS/SSL, or other equivalent method.
- If Customer purchases the applicable encryption service, applicable Customer Data shall be encrypted at rest.
- Where use of encryption functionality may be controlled or modified by Customer, in the event Customer elects to modify the use of or turn off any encryption functionality, Customer does so at its own risk.
- Physical and Environment Security.
- The Hyland Cloud Platform uses data centers or third party service providers who have demonstrated compliance with one or more of the following standards (or a reasonable equivalent): International Organization for Standardization (“ISO”) 27001 and/or American Institute of Certified Public Accountants (“AICPA”) Service Organization Controls (“SOC”) Reports for Services Organizations. These providers provide Internet connectivity, physical security, power, and environmental systems and other services for the Hyland Cloud Platform.
- Hyland uses architecture and technologies designed to promote both security and high availability.
- Operations Security.
- Maintaining documented Hyland cloud operating procedures.
- Maintaining change management controls to ensure changes to Hyland Cloud Service production systems made by Hyland are properly authorized and reviewed prior to implementation. Customer is responsible for testing all configuration changes, authentication changes and upgrades implemented by Customer or implemented by Hyland at the request of Customer prior to production use of the Hyland Cloud Service. In cases where the Customer relies upon Hyland to implement changes on its behalf, a written request describing the change must be submitted (e.g. an e-mail, or another method provided by Hyland) by Customer’s designated Customer Security Administrators (“CSAs”) or set forth in a Services Proposal. Hyland will make scheduled configuration changes that are expected to impact Customer access to their Hyland Cloud Service during a planned maintenance window. Hyland may make configuration changes that are not expected to impact Customer during normal business hours.
- Monitoring usage and capacity levels within the Hyland Cloud Platform to adequately and proactively plan for future growth.
- Utilizing virus and malware protection technologies, which are configured to meet common industry standards designed to protect the Customer Data and equipment located within the Hyland Cloud Platform from virus infections or similar malicious payloads.
- Implementing disaster recovery and business continuity procedures. These will include replication of Customer Data to a secondary location.
- Maintaining a system and security logging process to capture system logs deemed critical by Hyland. These logs shall be maintained for at least six months and reviewed on a periodic basis.
- Maintaining system hardening requirements and configuration standards for components deployed within the Hyland Cloud Platform. Ensuring servers, operating systems, and supporting software used in the Hyland Cloud Platform receive all Critical and High security patches within a timely manner, but in no event more than 90 days after release, subject to the next sentence. In the event any such security patch would materially adversely affect the Hyland Cloud Service, then Hyland will use reasonable efforts to implement compensating controls until a security patch is available that would not materially adversely affect the Hyland Cloud Service.
- Conducting Hyland Cloud Platform vulnerability scans or analysis on at least a quarterly basis and remediate all critical and high vulnerabilities identified in accordance with its patch management procedures.
- Conducting Hyland Cloud Platform penetration tests at least annually.
- Communications Security
- Implementing Hyland Cloud Platform security controls to protect information resources within the Hyland Cloud Platform.
- When supported, upon implementation and once annually thereafter, Customer may request Hyland limit access to Customer’s Hyland Cloud Service to a list of pre-defined IP addresses at no additional cost.
- Supplier Relationships. Maintaining a Vendor Management Program for its critical vendors. This program will ensure critical vendors are evaluated on an annual basis.
- Security Incident.
- Employing incident response standards that are based upon applicable industry standards, such as ISO 27001:2013 and National Institute for Standards and Technology (“NIST”), to maintain the information security components of the Hyland Cloud Service environment.
- Responses to these incidents follow the Hyland documented incident response sequence. This sequence includes the incident trigger phase, evaluation phase, escalation phase, response phase, recovery phase, de-escalation phase, and post-incident review phase.
- If Hyland has determined Customer’s Hyland Cloud Service has been negatively impacted by a security incident, Hyland will deliver a root cause analysis summary. Such notice will not be unreasonably delayed, but will occur after initial corrective actions have been taken to contain the security threat or stabilize the Hyland Cloud Service.
- The root cause analysis will include the duration of the event, resolution, technical summary, outstanding issues, and follow-up, including steps Customer needs to take in order to prevent further issues. Hyland Cloud Service information including data elements that require additional confidentiality and security measures (including that of other customers impacted in the event) will not be publicly disclosed. If Customer needs additional details of an incident, a request to the Hyland GCS Support team must be submitted and handled on a case by case basis. The release of information process may require an on-site review to protect the confidentiality and security of the requested information.
- Hyland will notify Customer of a Security Incident within 48 hours. A “Security Incident” means a determination by Hyland of an actual disclosure of unencrypted Customer Data to an unauthorized person or entity that compromises the security, confidentiality, or integrity of the Customer Data.
- Information Security Aspects of Business Continuity Management.
- Maintaining a business continuity and disaster recovery plan.
- Reviewing and testing this plan annually.
- Aggregated Data.
- Hyland owns all Customer and User registration and billing data collected and used by Hyland that is required for user set-up, use and billing for the Hyland Cloud Service (“Account Information”) and all aggregated, anonymized and statistical data derived from the use and operation of the Hyland Cloud Service, including without limitation, the number of records in the Hyland Cloud Service, the number and types of transactions, configurations, and reports processed as part of the Hyland Cloud Service and the performance results of the Hyland Cloud Service (the “Aggregated Data”).
- Hyland may utilize the Account Information and Aggregated Data for purposes of operating Hyland’s business. For clarity, Account Information and Aggregated Data does not include Customer Data.	
- Audit and Security Testing.
- Monitoring its compliance with its information security program. This includes periodic internal reviews. Results are shared with Hyland leadership and deviations tracked through to remediation.
- Maintaining a periodic external audit program. Completed attestations, such as available SOC 2 reports, are provided to Customer upon written request.
- Customer may conduct audits of Hyland’s operations that participate in the ongoing delivery and support of the Hyland Cloud Service purchased by Customer on an annual basis; provided Customer provides Hyland written notice of its desire to conduct such audit and the following criteria are met: (a) Hyland and Customer mutually agree upon the timing, scope, and criteria of such audit, which may include the completion of questionnaires supplied by Customer and guided review of policies, practices, procedures, Hyland Cloud Service configurations, invoices, or application logs, and (b) Customer agrees to pay Hyland fees (at Hyland’s standard rates) for the Professional Services that are required or requested of Hyland in connection with such audit. Prior to any such audit, any third party engaged by Customer to assist with such audit, must be cleared by Hyland and enter into a Non-Disclosure Agreement directly with Hyland. If any documentation requested by Customer cannot be removed from Hyland’s facilities as a result of physical limitations or policy restrictions, Hyland will allow Customer’s auditors access to such documentation at Hyland’s corporate headquarters in Ohio and may prohibit any type of copying or the taking of screen shots. Where necessary, Hyland will provide private and reasonable accommodation at Hyland’s corporate headquarters in Ohio for data analysis and meetings. Upon reasonable notice, Hyland and Customer mutually agree to make necessary employees or contractors available for interviews in person or on the phone during such audit at Customer’s cost and expense. Customer is prohibited from distributing or publishing the results of such audit to any third party without Hyland’s prior written approval.
- Customer may conduct penetration testing against the public URL used to access the Hyland Cloud Service on an annual basis; provided Customer provides Hyland with written notice of its desire to conduct such testing and the following criteria are met: (a) Hyland and Customer mutually agree upon the timing, scope, and criteria of such testing, which may include common social engineering, application, and network testing techniques used to identify or exploit common vulnerabilities including buffer overflows, cross site scripting, SQL injection, and man in the middle attacks, and (b) such testing is at Customer’s cost and expense and Customer pays to Hyland fees (at Hyland’s standard rates) for the Professional Services that are required or requested of Hyland in connection with such testing. Prior to any such testing, any third party engaged by Customer to assist with such testing, must be cleared by Hyland and enter into a Non-Disclosure Agreement directly with Hyland. Customer acknowledges and agrees that any such testing performed without mutual agreement regarding timing, scope, and criteria may be considered a hostile attack, which may trigger automated and manual responses, including reporting the activity to local and federal law enforcement agencies as well as immediate suspension of Customer’s access to or use of the Hyland Cloud Service. Customer is prohibited from distributing or publishing the results of such penetration testing to any third party without Hyland’s prior written approval.
Professional Services Schedule
Effective March 7th 2024
DownloadTable of Contents
PROFESSIONAL SERVICES SCHEDULE
This Professional Services Schedule (this “Professional Services Schedule”) is part of the Master Agreement, Order Form, or other agreement or document entered into between Customer and Hyland, which incorporates this Professional Services Schedule by reference (the “Incorporating Document”). As used herein, the “Agreement” means the Incorporating Document, inclusive of this Professional Services Schedule, and any other agreement within which the Incorporating Document is incorporated.
DEFINED TERMS
All capitalized terms used in this Professional Services Schedule shall have the meaning ascribed them in this Professional Services Schedule or, if not defined in this Professional Services Schedule, the General Terms Schedule. If any capitalized terms used herein are not defined in this Professional Services Schedule or the General Terms Schedule, they shall have the meaning ascribed to them elsewhere in the Agreement. In the event the same defined term is defined in two (2) or more Schedules, the term shall be given the meaning defined in each Schedule with respect to that Schedule, and, if the term is also used within this Schedule, this Schedule shall be interpreted to include all definitions, as the context requires.
“Professional Services” means any professional services provided by Hyland under a Services Proposal (as defined in this Professional Services Schedule), including but not limited to those services listed at https://www.hyland.com/services. Examples of the services include: (a) installation of the Software; (b) consulting, implementation and integration projects related to the Software, including but not limited to the customized configuration of integration Software or business process automation modules; (c) project management; (d) development projects in connection with the integration of Software with other applications utilizing any Software application programming interface (API).
“Services Proposal” means either: (a) a written proposal issued hereunder, and which sets forth the Professional Services Hyland will provide to Customer and which is signed by Customer and Hyland; or (b) an order form submitted by Customer and accepted by Hyland for Professional Services. Services Proposals are fully incorporated herein by reference.
“Specifications” means the definitive, final functional specifications for Work Products, if any, produced by Hyland under a Services Proposal. If there is an underlying license agreement between the parties, then specifications shall be considered Documentation in the case of Work Products.
“Working Hour” means the services of one (1) person for a period of one (1) hour (or any part thereof) during regular business hours.
“Work Products” means all items in the nature of computer software, including source code, object code, scripts, and any components or elements of the foregoing, or items created using the configuration tools of the Software, together with any and all design documents associated with items in the nature of computer software, in each case which are created, developed, discovered, conceived or introduced by Hyland, working either alone or in conjunction with others, in the performance of services under the Agreement. If applicable, Work Products shall include any pre-configured templates or VBScripts which have been or may be created or otherwise provided by Hyland as part of the configuration of advance capture Software.
1. SERVICES PROPOSAL. Customer may request Professional Services from Hyland. Hyland and Customer will discuss the parameters of the request and Hyland will inform the Customer as to whether the Professional Services shall be performed pursuant to a Services Proposal.
2. FULFILLMENT.
(a) Hyland will provide the Professional Services described in any mutually agreed upon Services Proposal at a time and on a schedule that is mutually agreed upon by the parties. If any delays in such Professional Services occur solely as a result of any incorrect information, incorrect assumption or failure of Customer to perform or fulfill its obligations in connection with any Services Proposal, the performance schedule for the applicable project may be extended. Hyland shall have no liability or responsibility for any costs or expenses resulting from such delays. In the event that performance of any milestone set forth in any Services Proposal is not met due to a delay solely caused by Hyland, and provided that such cause is not an event of force majeure as described in the Agreement, Hyland agrees, at no additional charge, to commit such additional resources and personnel as shall be necessary to ensure that such delay does not result in the slippage of later milestones or completion of such Professional Services. The parties agree that any Professional Services or Work Products described in this Professional Services Schedule that have been performed or developed, in whole or in part, prior to the execution of this Agreement by the parties nevertheless shall be covered by all terms and conditions of this Professional Services Schedule.
(b) Corporate Policies. Hyland acknowledges that Customer maintains corporate policies which apply to individuals who will perform services utilizing Customer’s premises or system (collectively, the “Corporate Policies”). In performing Professional Services under the Agreement, or any Services Proposal entered into pursuant to the terms of the Agreement, Hyland will use reasonable efforts to comply with the Corporate Policies to the extent such Corporate Policies are applicable to the delivery of such Professional Services, do not conflict with the Agreement or any other related agreement in place between Hyland and Customer and have been provided to Hyland reasonably in advance of any Professional Services engagement. Notwithstanding anything to the contrary in such Corporate Policies, if a Hyland resource fails to comply with the Corporate Policies and such failure does not otherwise constitute a breach of this Agreement, then Customer acknowledges and agrees that Hyland will not be in breach of contract or otherwise liable for damages, and as Customer’s sole remedy, Customer may immediately remove from its premises the individual resource(s) responsible for the failure and require that such individual resource(s) do not perform any further Professional Services for Customer.
3. CHANGES TO SERVICES PROPOSAL. Either party may, at any time, reasonably request a change to any Service Proposal. Any requested change that the parties mutually accept (a “Change”) will be set forth in a written change order prepared by Hyland and agreed to and signed by both parties that specifically references the relevant Service Proposal. In the event the parties are unable to mutually agree upon a proposed Change or a proposed change order, and such proposed Change relates to a material component of the project that is the subject of the relevant Services Proposal, either party may terminate such Service Proposal upon not less than thirty (30) days advance written notice to the other party.
4. CUSTOMER’S OBLIGATIONS.
4.1 Assistance and Obligations. Customer agrees that it will cooperate with and assist Hyland in the performance of Professional Services under any Services Proposal; will provide the resources specified in the relevant Services Proposal; and will perform or fulfill all obligations required to be performed or fulfilled by Customer under the terms of the relevant Services Proposal. Customer acknowledges that if it fails to provide assistance and perform or fulfill its obligations in accordance with this Section and the relevant Services Proposal, Hyland’s ability to provide such Professional Services, meet the performance schedule set forth in such Services Proposal and keep services fees reasonably in line with any estimates given in the Services Proposal may be adversely affected. During any period in which Hyland is performing services hereunder, Customer shall provide to the Hyland project team independent local (onsite) and remote (offsite) access through the use of secure connections such as a network connection, VPN connection or other similar methods and dedicated user accounts with appropriate privileges to the applicable Software, hardware or virtual machines allocated to the applicable software system. Remote and local access will be granted for all provisioned environments, including production.
4.2 Third Party Software Rights. Notwithstanding any contrary terms, if Customer requests Hyland to perform Professional Services on or with respect to any third party software, Customer represents and warrants to Hyland that Customer has all necessary rights to allow Hyland to do so.
4.3 Protection of Customer’s Systems. EXCEPT AS IT RELATES TO A HYLAND CLOUD SERVICE HOSTED BY HYLAND, CUSTOMER UNDERSTANDS THAT IT IS SOLELY RESPONSIBLE TO TAKE APPROPRIATE MEASURES TO ISOLATE AND BACKUP OR OTHERWISE ARCHIVE ITS COMPUTER SYSTEMS, INCLUDING ITS COMPUTER PROGRAMS, DATA AND FILES.
4.4 Safe Work Environment. Customer will be responsible for and shall ensure that while Hyland employees, agents or subcontractors are on Customer’s premises, all proper and legal health and safety precautions are in place and fully operational to protect such persons.
5. SERVICES FEES. Except as otherwise provided in any applicable Services Proposal: (a) Hyland will charge services fees for Professional Services at Hyland’s then-current standard list price for the applicable Professional Services; and (b) Hyland shall invoice for Professional Services fees monthly, in arrears, based on the number of Working Hours required to complete the project and the applicable hourly fees; and each such invoice shall be paid in full in accordance with the terms of the Agreement. Any estimates of fees or Working Hours required to complete the project are approximations of the anticipated amount of fees and time needed to complete the project. The actual number of Working Hours may vary.
6. TRAVEL AND EXPENSES. Hyland shall be reimbursed for all customary and reasonable out-of-pocket costs and expenses incurred by Hyland in connection with the performance of services under the Agreement (including fees and expenses relating to travel, meals, lodging and third party vendor registration requirements) in accordance with Hyland’s applicable internal policy for the reimbursement of costs and expenses to its employees. Except as otherwise provided in any applicable Services Proposal, Hyland shall invoice for all reimbursable costs and expenses on a monthly basis, in arrears; and such invoices shall be paid in full each in accordance with the Agreement.
7. LIMITED WARRANTY FOR SERVICES.
7.1 Limited Warranty. For a period of sixty (60) days from the date of completion of Professional Services, Hyland warrants to Customer that such services have been performed in a good and workmanlike manner and substantially according to industry standards. This warranty specifically excludes non-performance issues caused as a result of incorrect data or incorrect procedures used or provided by Customer or a third party or failure of Customer to perform and fulfill its obligations under the Agreement.
7.2 Remedy. Hyland’s sole obligation, and Customer’s sole and exclusive remedy for any non-conformities to the express limited warranties under the immediately preceding Section shall be as follows: provided that, within the applicable warranty period, Customer notifies Hyland in writing of the non-conformity, Hyland will use reasonable efforts to re-perform the non-conforming services in an attempt to correct the non-conformity(ies). If Hyland is unable to correct such non-conformity(ies) after a reasonable period of time, Customer’s sole and exclusive remedy shall be to terminate the Services Proposal under which the non-conforming Services have been performed, in which event Hyland will refund to Customer any portion of the services fees under such Services Proposal relating directly to such non-conforming Professional Services paid prior to the time of such termination.
8. WORK PRODUCTS.
8.1 Work Products License. Hyland grants to Customer a limited, non-exclusive and non-assignable license to use the Work Products only in connection with Customer’s authorized use of the Software, Hyland Cloud Service, or Add-On Services, or other Hyland product or service (collectively “Hyland Core Product”) with which such Work Product was delivered by Hyland for use by Customer. Customer may not: (a) make or authorize the making of copies of any Work Products; (b) remove any Hyland notices in the Work Products; (c) sell, transfer, rent, lease, time share or sublicense the Work Products to any third party; or (d) disassemble, decompile, reverse engineer or otherwise attempt to derive source code from any Work Product for any reason. Customer further agrees that, in connection with any use of the Work Products by Customer, the Work Products shall not be copied and installed on additional servers unless Customer has purchased a license therefore. All restrictions on use of the Hyland Core Product, including without limitation export restrictions and U.S. Government End User provisions, shall apply to the Work Products. If the license to the Hyland Core Product with which such Work Product was delivered by Hyland for use by Customer terminates, Customer’s right to use the applicable Work Product shall also terminate. All post-termination rights and obligations with respect to the applicable Core Hyland Product shall also apply to the Work Product.
8.2 Modification of Work Products.
8.2.1 Form of Delivered Work Products. The form in which Hyland delivers Work Products will be determined by Hyland depending on the purpose and functionality of the Work Product.
8.2.2 Configuration Work Products. If Hyland delivers a Work Product: (a) in the form of (i) source code which is compiled by tools in the Software to machine language form; or (ii) a script; or (b) created using the configuration tools in the Software (a “Configuration Work Product”), then Hyland grants to Customer the limited right to modify the Configuration Work Product, provided such modified Configuration Work Product is used only in compliance with the terms of the limited license to such Work Product granted hereunder.
8.2.3 Independent Work Products. If Hyland delivers a Work Product which is not a Configuration Work Product (an “Independent Work Product”), then, except as otherwise provided in the last sentence of this paragraph, Customer may not alter or modify such Independent Work Product. If Hyland delivers an Independent Work Product, and Customer desires to obtain the right to modify the Independent Work Product, then the parties may mutually agree that Hyland shall deliver to Customer a copy of the format of the Independent Work Product that is necessary to enable the Customer to complete its modifications, subject to and upon the payment by Customer to Hyland of any additional Professional Services fees as Hyland may charge to prepare and deliver such format. In such case, Hyland grants to Customer the right to modify, and if necessary, compile the delivered format of the Independent Work Product, provided such modified Independent Work Product is used only in compliance with the terms of the limited license to such Work Product granted hereunder.
8.3 Work Products Warranty
8.3.1 Limited Warranty. For a period of sixty (60) days from and including the date that Hyland has delivered a completed Work Product to Customer, Hyland warrants to Customer that such Work Product, when properly installed and properly used, will function in all material respects as described in the Specifications. The terms of this warranty shall not apply to, and Hyland shall have no liability for any non-conformity related to, any Work Product that has been (a) modified or added to by Customer or a third party, (b) used in combination with equipment or software other than that which is consistent with the Specification, or (c) misused or abused.
8.3.2 Remedy. Hyland’s sole obligation, and Customer’s sole and exclusive remedy, for any non-conformities to the express limited warranty under the immediately preceding Section shall be as follows: provided that, within the applicable warranty period, Customer notifies Hyland in writing of the non-conformity, Hyland will either (a) repair or replace the non-conforming Work Product, which may include the delivery of a reasonable workaround for the non-conformity; or (b) if Hyland determines that repair or replacement of the Work Product is not commercially practicable, then terminate this Professional Services Schedule with respect to the non-conforming Work Product, in which event, upon compliance by Customer with its obligations upon termination, Hyland will refund any portion of the services fees paid prior to the time of such termination with respect to the creation and implementation of such Work Product.
8.4 Work Products Infringement Indemnification. Hyland agrees to indemnify Customer against all liability and expense, including reasonable attorneys’ fees, arising from or in connection with any third party claim, action or proceeding instituted against Customer based upon any infringement or misappropriation by the Work Products of any patent, registered copyright or registered trademark of a third party, provided that Hyland: (a) is notified immediately after Customer receives notice of such claim; (b) is solely in charge of the defense of and any settlement negotiations with respect to such claim, provided that Hyland will not settle any such claim without the prior written consent of Customer if such settlement contains a stipulation to or admission or acknowledgement of any liability or wrongdoing on the part of Customer or otherwise requires payment by Customer; (c) receives Customer’s reasonable cooperation in the defense or settlement of such claim; and (d) has the right, upon either the occurrence of or the likelihood (in the opinion of Hyland) of the occurrence of a finding of infringement or misappropriation, either to procure for Customer the right to continue use of the Work Products, or to replace the relevant portions of the Work Products with other equivalent, non-infringing portions.
8.4.1 Removal and Refund. If Hyland is unable to accomplish either of the options set forth in Section 8.4(d), Hyland shall remove the infringing portion of the Work Products and refund to Customer the full services fees paid, if any, by Customer for the creation and implementation of the infringing Work Products.
8.4.2 Exclusions. Notwithstanding anything to the contrary, Hyland shall have no obligation to Customer to defend or satisfy any claims made against Customer and otherwise described in this Section that arise from: (a) any Customer Data; (b) use of the Work Products by Customer other than as expressly permitted by this Professional Services Schedule; (c) the combination of the Work Products with any product not furnished by Hyland to Customer; (d) the modification or addition to of the Work Products other than by Hyland or any of its authorized channel partners specifically retained by Hyland to provide such modification or addition; or (e) the Customer’s business methods or processes.
8.4.3 THIS SECTION STATES HYLAND’S ENTIRE LIABILITY AND THE SOLE AND EXCLUSIVE REMEDY OF CUSTOMER WITH RESPECT TO ANY ALLEGED INFRINGEMENT OR MISAPPROPRIATION OF INTELLECTUAL PROPERTY OR PROPRIETARY PROPERTY BY THE WORK PRODUCTS.
9. TERMINATION.
9.1 Generally. In addition to the termination provisions set forth in the General Terms Schedule, Customer or Hyland may terminate this Professional Services Schedule, including any Services Proposal, for any reason, upon not less than thirty (30) days advance written notice to the other party to such effect. In the event this Professional Services Schedule is terminated in its entirety, any Services Proposal not terminated shall survive in accordance with its terms and the terms of this Professional Services Schedule.
9.2 Terminating a Services Proposal. In the case of termination of any Services Proposal, except in the case of termination due to Hyland's breach, all Professional Services fees related to all Professional Services performed by Hyland prior to and including the date of termination, as well as any additional reimbursable costs or expenses for which Hyland has incurred or contracted in connection with such Services Proposal and is unable to avoid, shall be due and payable in full. Additionally, all property of each party in possession of the other party in connection with Professional Services performed under this Schedule shall be returned.
9.3 Effects of Termination. Upon any termination of this Schedule in its entirety (other than by Hyland due to Customer’s breach), Customer’s license to use the Work Products provided in this Schedule shall survive according to its terms.
10 ADDITIONAL TERMS AND CONDITIONS. If Hyland is Hyland Software Germany GmbH, the additional or alternative terms and conditions set forth on Exhibit A shall apply.
11. CONTROLLING LANGAUGE. Hyland may make other versions of this Professional Services Schedule available in other languages at this online location. This English language version of this Professional Services Schedule controls over any version of the Professional Services Schedule made available at this online location in another language if the Incorporating Document is in English. If the Incorporating Document is in a language other than English (such language, the “Other Language”), but this Professional Services Schedule is not made available at this online location in the Other Language, this English language version controls over any other version of the Professional Services Schedule that may be made available at this online location in another language.
Exhibit A
Hyland Software Germany GmbH Additional Terms Exhibit
If Hyland is Hyland Software Germany GmbH, this Exhibit A shall apply:
1. The following provision shall be added to the Limited Warranty Section of the Professional Services Schedule:
To the extent the Professional Services provided under this Agreement constitute a contract for work (“Werkvertrag”), in this regard the statutory customer warranty provisions apply with the following restriction: Except in cases of intent or gross negligence on the part of Hyland the statutory warranty period amounts up to one year and begins upon acceptance of the respective Professional Service concerned.
Any warranty is specifically excluded with regard to non-performance issues caused as a result of a hardware or firmware malfunction or defect, software not developed by Hyland, incorrect data or incorrect procedures used or provided by Customer or a third party or failure of Customer to perform and fulfill its obligations in connection with the project covered by the Agreement. In such cases Customer agrees to reimburse Hyland for time and materials for any Professional Services provided by Hyland at Customer’s request to remedy excluded non-performance problems.
2. The Work Products License Section of the Professional Services Schedule shall be replaced in its entirety as follows:
Hyland grants to Customer a limited, non-exclusive and non-assignable license to use the Work Products only in connection with Customer’s authorized use of the Software, Hyland Cloud Service, or Add-On Services, or other Hyland product or service (collectively “Hyland Core Product”) with which such Work Product was delivered by Hyland for use by Customer. Customer may not: (a) make or authorize the making of copies of any Work Products; (b) remove any Hyland notices in the Work Products; (c) sell, transfer, rent, lease, time share or sublicense the Work Products to any third party; or (d) disassemble, decompile, reverse engineer or otherwise attempt to derive source code from any Work Product for any reason unless expressively permitted by statutory law for reasons indispensable to obtain the information necessary to achieve the interoperability of an independently created computer programs (see 69e of the Germany Copyright Act) or decompuling or reproducing the Software according to the provisions of see 69d of the German Copyright Act. Customer further agrees that, in connection with any use of the Work Products by Customer, the Work Products shall not be copied and installed on additional servers unless Customer has purchased a license therefore. All restrictions on use of the Hyland Core Product, including without limitation export restrictions and U.S. Government End User provisions, shall apply to the Work Products. If the license to the Hyland Core Product with which such Work Product was delivered by Hyland for use by Customer terminates, Customer’s right to use the applicable Work Product shall also terminate. All post-termination rights and obligations with respect to the applicable Core Hyland Product shall also apply to the Work Product.
3. The Work Products Warranty Section of the Professional Services Schedule shall be replaced in its entirety as follows:
For a period of one (1) year from and including the date that Hyland has delivered a completed Work Product to Customer, Hyland warrants to Customer that such Work Product, when properly installed and properly used, will function in all material respects as described in the Specifications. The terms of this warranty shall not apply to, and Hyland shall have no liability for any non-conformity related to, any Work Product that has been (a) modified or added to by Customer or a third party, (b) used in combination with equipment or software other than that which is consistent with the Specification, or (c) misused or abused.
Hyland’s sole obligation, and Customer’s sole and exclusive remedy, for any non-conformities to the express limited warranty under this Section shall be as follows: provided that, within the applicable warranty period, Customer notifies Hyland in writing of the non-conformity, Hyland will either (a) repair or replace the non-conforming Work Product, which may include the delivery of a reasonable workaround for the non-conformity; or (b) if Hyland determines that repair or replacement of the Work Product is not commercially practicable, then terminate this Schedule with respect to the non-conforming Work Product, in which event, upon compliance by Customer with its obligations upon termination, Hyland will refund any portion of the services fees paid prior to the time of such termination with respect to the creation and implementation of such Work Product. The Customer's statutory warranty rights shall remain unaffected subject to the express provisions of the Agreement.
4. The Work Products Infringement Indemnification Section of the Professional Services Schedule shall be replaced in its entirety as follows:
The most current version of this page shall be such in effect as of 12:00am EST (Eastern Standard Time) of the date stamped on such online version.
Effective October 4th 2023 to March 7th 2024
DownloadTable of Contents
PROFESSIONAL SERVICES SCHEDULE
This Professional Services Schedule (this “Professional Services Schedule”) is part of the Master Agreement, Order Form, or other agreement or document entered into between Customer and Hyland, which incorporates this Professional Services Schedule by reference (the “Incorporating Document”). As used herein, the “Agreement” means the Incorporating Document, inclusive of this Professional Services Schedule, and any other agreement within which the Incorporating Document is incorporated.
DEFINED TERMS
All capitalized terms used in this Professional Services Schedule shall have the meaning ascribed them in this Professional Services Schedule or, if not defined in this Professional Services Schedule, the General Terms Schedule. If any capitalized terms used herein are not defined in this Professional Services Schedule or the General Terms Schedule, they shall have the meaning ascribed to them elsewhere in the Agreement. In the event the same defined term is defined in two (2) or more Schedules, the term shall be given the meaning defined in each Schedule with respect to that Schedule, and, if the term is also used within this Schedule, this Schedule shall be interpreted to include all definitions, as the context requires.
“Professional Services” means any professional services provided by Hyland under a Services Proposal (as defined in this Professional Services Schedule), including but not limited to those services listed at https://www.hyland.com/services. Examples of the services include: (a) installation of the Software; (b) consulting, implementation and integration projects related to the Software, including but not limited to the customized configuration of integration Software or business process automation modules; (c) project management; (d) development projects in connection with the integration of Software with other applications utilizing any Software application programming interface (API).
“Services Proposal” means either: (a) a written proposal issued hereunder, and which sets forth the Professional Services Hyland will provide to Customer and which is signed by Customer and Hyland; or (b) an order form submitted by Customer and accepted by Hyland for Professional Services. Services Proposals are fully incorporated herein by reference.
“Specifications” means the definitive, final functional specifications for Work Products, if any, produced by Hyland under a Services Proposal. If there is an underlying license agreement between the parties, then specifications shall be considered Documentation in the case of Work Products.
“Working Hour” means the services of one (1) person for a period of one (1) hour (or any part thereof) during regular business hours.
“Work Products” means all items in the nature of computer software, including source code, object code, scripts, and any components or elements of the foregoing, or items created using the configuration tools of the Software, together with any and all design documents associated with items in the nature of computer software, in each case which are created, developed, discovered, conceived or introduced by Hyland, working either alone or in conjunction with others, in the performance of services under the Agreement. If applicable, Work Products shall include any pre-configured templates or VBScripts which have been or may be created or otherwise provided by Hyland as part of the configuration of advance capture Software.
1. SERVICES PROPOSAL. Customer may request Professional Services from Hyland. Hyland and Customer will discuss the parameters of the request and Hyland will inform the Customer as to whether the Professional Services shall be performed pursuant to a Services Proposal.
2. FULFILLMENT.
(a) Hyland will provide the Professional Services described in any mutually agreed upon Services Proposal at a time and on a schedule that is mutually agreed upon by the parties. If any delays in such Professional Services occur solely as a result of any incorrect information, incorrect assumption or failure of Customer to perform or fulfill its obligations in connection with any Services Proposal, the performance schedule for the applicable project may be extended. Hyland shall have no liability or responsibility for any costs or expenses resulting from such delays. In the event that performance of any milestone set forth in any Services Proposal is not met due to a delay solely caused by Hyland, and provided that such cause is not an event of force majeure as described in the Agreement, Hyland agrees, at no additional charge, to commit such additional resources and personnel as shall be necessary to ensure that such delay does not result in the slippage of later milestones or completion of such Professional Services. The parties agree that any Professional Services or Work Products described in this Professional Services Schedule that have been performed or developed, in whole or in part, prior to the execution of this Agreement by the parties nevertheless shall be covered by all terms and conditions of this Professional Services Schedule.
(b) Corporate Policies. Hyland acknowledges that Customer maintains corporate policies which apply to individuals who will perform services utilizing Customer’s premises or system (collectively, the “Corporate Policies”). In performing Professional Services under the Agreement, or any Services Proposal entered into pursuant to the terms of the Agreement, Hyland will use reasonable efforts to comply with the Corporate Policies to the extent such Corporate Policies are applicable to the delivery of such Professional Services, do not conflict with the Agreement or any other related agreement in place between Hyland and Customer and have been provided to Hyland reasonably in advance of any Professional Services engagement. Notwithstanding anything to the contrary in such Corporate Policies, if a Hyland resource fails to comply with the Corporate Policies and such failure does not otherwise constitute a breach of this Agreement, then Customer acknowledges and agrees that Hyland will not be in breach of contract or otherwise liable for damages, and as Customer’s sole remedy, Customer may immediately remove from its premises the individual resource(s) responsible for the failure and require that such individual resource(s) do not perform any further Professional Services for Customer.
3. CHANGES TO SERVICES PROPOSAL. Either party may, at any time, reasonably request a change to any Service Proposal. Any requested change that the parties mutually accept (a “Change”) will be set forth in a written change order prepared by Hyland and agreed to and signed by both parties that specifically references the relevant Service Proposal. In the event the parties are unable to mutually agree upon a proposed Change or a proposed change order, and such proposed Change relates to a material component of the project that is the subject of the relevant Services Proposal, either party may terminate such Service Proposal upon not less than thirty (30) days advance written notice to the other party.
4. CUSTOMER’S OBLIGATIONS.
4.1 Assistance and Obligations. Customer agrees that it will cooperate with and assist Hyland in the performance of Professional Services under any Services Proposal; will provide the resources specified in the relevant Services Proposal; and will perform or fulfill all obligations required to be performed or fulfilled by Customer under the terms of the relevant Services Proposal. Customer acknowledges that if it fails to provide assistance and perform or fulfill its obligations in accordance with this Section and the relevant Services Proposal, Hyland’s ability to provide such Professional Services, meet the performance schedule set forth in such Services Proposal and keep services fees reasonably in line with any estimates given in the Services Proposal may be adversely affected. During any period in which Hyland is performing services hereunder, Customer shall provide to the Hyland project team independent local (onsite) and remote (offsite) access through the use of secure connections such as a network connection, VPN connection or other similar methods and dedicated user accounts with appropriate privileges to the applicable Software, hardware or virtual machines allocated to the applicable software system. Remote and local access will be granted for all provisioned environments, including production.
4.2 Third Party Software Rights. Notwithstanding any contrary terms, if Customer requests Hyland to perform Professional Services on or with respect to any third party software, Customer represents and warrants to Hyland that Customer has all necessary rights to allow Hyland to do so.
4.3 Protection of Customer’s Systems. EXCEPT AS IT RELATES TO A HYLAND CLOUD SERVICE HOSTED BY HYLAND, CUSTOMER UNDERSTANDS THAT IT IS SOLELY RESPONSIBLE TO TAKE APPROPRIATE MEASURES TO ISOLATE AND BACKUP OR OTHERWISE ARCHIVE ITS COMPUTER SYSTEMS, INCLUDING ITS COMPUTER PROGRAMS, DATA AND FILES.
4.4 Safe Work Environment. Customer will be responsible for and shall ensure that while Hyland employees, agents or subcontractors are on Customer’s premises, all proper and legal health and safety precautions are in place and fully operational to protect such persons.
5. SERVICES FEES. Except as otherwise provided in any applicable Services Proposal: (a) Hyland will charge services fees for Professional Services at Hyland’s then-current standard list price for the applicable Professional Services; and (b) Hyland shall invoice for Professional Services fees monthly, in arrears, based on the number of Working Hours required to complete the project and the applicable hourly fees; and each such invoice shall be paid in full in accordance with the terms of the Agreement. Any estimates of fees or Working Hours required to complete the project are approximations of the anticipated amount of fees and time needed to complete the project. The actual number of Working Hours may vary.
6. TRAVEL AND EXPENSES. Hyland shall be reimbursed for all customary and reasonable out-of-pocket costs and expenses incurred by Hyland in connection with the performance of services under the Agreement (including fees and expenses relating to travel, meals, lodging and third party vendor registration requirements) in accordance with Hyland’s applicable internal policy for the reimbursement of costs and expenses to its employees. Except as otherwise provided in any applicable Services Proposal, Hyland shall invoice for all reimbursable costs and expenses on a monthly basis, in arrears; and such invoices shall be paid in full each in accordance with the Agreement.
7. LIMITED WARRANTY FOR SERVICES.
7.1 Limited Warranty. For a period of sixty (60) days from the date of completion of Professional Services, Hyland warrants to Customer that such services have been performed in a good and workmanlike manner and substantially according to industry standards. This warranty specifically excludes non-performance issues caused as a result of incorrect data or incorrect procedures used or provided by Customer or a third party or failure of Customer to perform and fulfill its obligations under the Agreement.
7.2 Remedy. Hyland’s sole obligation, and Customer’s sole and exclusive remedy for any non-conformities to the express limited warranties under the immediately preceding Section shall be as follows: provided that, within the applicable warranty period, Customer notifies Hyland in writing of the non-conformity, Hyland will use reasonable efforts to re-perform the non-conforming services in an attempt to correct the non-conformity(ies). If Hyland is unable to correct such non-conformity(ies) after a reasonable period of time, Customer’s sole and exclusive remedy shall be to terminate the Services Proposal under which the non-conforming Services have been performed, in which event Hyland will refund to Customer any portion of the services fees under such Services Proposal relating directly to such non-conforming Professional Services paid prior to the time of such termination.
8. WORK PRODUCTS.
8.1 Work Products License. Hyland grants to Customer a limited, non-exclusive and non-assignable license to use the Work Products only in connection with Customer’s authorized use of the Software, Hyland Cloud Service, or Add-On Services, or other Hyland product or service (collectively “Hyland Core Product”) with which such Work Product was delivered by Hyland for use by Customer. Customer may not: (a) make or authorize the making of copies of any Work Products; (b) remove any Hyland notices in the Work Products; (c) sell, transfer, rent, lease, time share or sublicense the Work Products to any third party; or (d) disassemble, decompile, reverse engineer or otherwise attempt to derive source code from any Work Product for any reason. Customer further agrees that, in connection with any use of the Work Products by Customer, the Work Products shall not be copied and installed on additional servers unless Customer has purchased a license therefore. All restrictions on use of the Hyland Core Product, including without limitation export restrictions and U.S. Government End User provisions, shall apply to the Work Products. If the license to the Hyland Core Product with which such Work Product was delivered by Hyland for use by Customer terminates, Customer’s right to use the applicable Work Product shall also terminate. All post-termination rights and obligations with respect to the applicable Core Hyland Product shall also apply to the Work Product.
8.2 Modification of Work Products.
8.2.1 Form of Delivered Work Products. The form in which Hyland delivers Work Products will be determined by Hyland depending on the purpose and functionality of the Work Product.
8.2.2 Configuration Work Products. If Hyland delivers a Work Product: (a) in the form of (i) source code which is compiled by tools in the Software to machine language form; or (ii) a script; or (b) created using the configuration tools in the Software (a “Configuration Work Product”), then Hyland grants to Customer the limited right to modify the Configuration Work Product, provided such modified Configuration Work Product is used only in compliance with the terms of the limited license to such Work Product granted hereunder.
8.2.3 Independent Work Products. If Hyland delivers a Work Product which is not a Configuration Work Product (an “Independent Work Product”), then, except as otherwise provided in the last sentence of this paragraph, Customer may not alter or modify such Independent Work Product. If Hyland delivers an Independent Work Product, and Customer desires to obtain the right to modify the Independent Work Product, then the parties may mutually agree that Hyland shall deliver to Customer a copy of the format of the Independent Work Product that is necessary to enable the Customer to complete its modifications, subject to and upon the payment by Customer to Hyland of any additional Professional Services fees as Hyland may charge to prepare and deliver such format. In such case, Hyland grants to Customer the right to modify, and if necessary, compile the delivered format of the Independent Work Product, provided such modified Independent Work Product is used only in compliance with the terms of the limited license to such Work Product granted hereunder.
8.3 Work Products Warranty
8.3.1 Limited Warranty. For a period of sixty (60) days from and including the date that Hyland has delivered a completed Work Product to Customer, Hyland warrants to Customer that such Work Product, when properly installed and properly used, will function in all material respects as described in the Specifications. The terms of this warranty shall not apply to, and Hyland shall have no liability for any non-conformity related to, any Work Product that has been (a) modified or added to by Customer or a third party, (b) used in combination with equipment or software other than that which is consistent with the Specification, or (c) misused or abused.
8.3.2 Remedy. Hyland’s sole obligation, and Customer’s sole and exclusive remedy, for any non-conformities to the express limited warranty under the immediately preceding Section shall be as follows: provided that, within the applicable warranty period, Customer notifies Hyland in writing of the non-conformity, Hyland will either (a) repair or replace the non-conforming Work Product, which may include the delivery of a reasonable workaround for the non-conformity; or (b) if Hyland determines that repair or replacement of the Work Product is not commercially practicable, then terminate this Professional Services Schedule with respect to the non-conforming Work Product, in which event, upon compliance by Customer with its obligations upon termination, Hyland will refund any portion of the services fees paid prior to the time of such termination with respect to the creation and implementation of such Work Product.
8.4 Work Products Infringement Indemnification. Hyland agrees to indemnify Customer against all liability and expense, including reasonable attorneys’ fees, arising from or in connection with any third party claim, action or proceeding instituted against Customer based upon any infringement or misappropriation by the Work Products of any patent, registered copyright or registered trademark of a third party, provided that Hyland: (a) is notified immediately after Customer receives notice of such claim; (b) is solely in charge of the defense of and any settlement negotiations with respect to such claim, provided that Hyland will not settle any such claim without the prior written consent of Customer if such settlement contains a stipulation to or admission or acknowledgement of any liability or wrongdoing on the part of Customer or otherwise requires payment by Customer; (c) receives Customer’s reasonable cooperation in the defense or settlement of such claim; and (d) has the right, upon either the occurrence of or the likelihood (in the opinion of Hyland) of the occurrence of a finding of infringement or misappropriation, either to procure for Customer the right to continue use of the Work Products, or to replace the relevant portions of the Work Products with other equivalent, non-infringing portions.
8.4.1 Removal and Refund. If Hyland is unable to accomplish either of the options set forth in Section 8.4(d), Hyland shall remove the infringing portion of the Work Products and refund to Customer the full services fees paid, if any, by Customer for the creation and implementation of the infringing Work Products.
8.4.2 Exclusions. Notwithstanding anything to the contrary, Hyland shall have no obligation to Customer to defend or satisfy any claims made against Customer and otherwise described in this Section that arise from: (a) any Customer Data; (b) use of the Work Products by Customer other than as expressly permitted by this Professional Services Schedule; (c) the combination of the Work Products with any product not furnished by Hyland to Customer; (d) the modification or addition to of the Work Products other than by Hyland or any of its authorized channel partners specifically retained by Hyland to provide such modification or addition; or (e) the Customer’s business methods or processes.
8.4.3 THIS SECTION STATES HYLAND’S ENTIRE LIABILITY AND THE SOLE AND EXCLUSIVE REMEDY OF CUSTOMER WITH RESPECT TO ANY ALLEGED INFRINGEMENT OR MISAPPROPRIATION OF INTELLECTUAL PROPERTY OR PROPRIETARY PROPERTY BY THE WORK PRODUCTS.
9. TERMINATION.
9.1 Generally. In addition to the termination provisions set forth in the General Terms Schedule, Customer or Hyland may terminate this Professional Services Schedule, including any Services Proposal, for any reason, upon not less than thirty (30) days advance written notice to Hyland to such effect. In the event this Professional Services Schedule is terminated in its entirety, any Services Proposal not terminated shall survive in accordance with its terms and the terms of this Professional Services Schedule.
9.2 Terminating a Services Proposal. In the case of termination of any Services Proposal, except in the case of termination due to Hyland's breach, all Professional Services fees related to all Professional Services performed by Hyland prior to and including the date of termination, as well as any additional reimbursable costs or expenses for which Hyland has incurred or contracted in connection with such Services Proposal and is unable to avoid, shall be due and payable in full. Additionally, all property of each party in possession of the other party in connection with Professional Services performed under this Schedule shall be returned.
9.3 Effects of Termination. Upon any termination of this Schedule in its entirety (other than by Hyland due to Customer’s breach), Customer’s license to use the Work Products provided in this Schedule shall survive according to its terms.
10 ADDITIONAL TERMS AND CONDITIONS. If Hyland is Hyland Software Germany GmbH, the additional or alternative terms and conditions set forth on Exhibit A shall apply.
11. CONTROLLING LANGAUGE. Hyland may make other versions of this Professional Services Schedule available in other languages at this online location. This English language version of this Professional Services Schedule controls over any version of the Professional Services Schedule made available at this online location in another language if the Incorporating Document is in English. If the Incorporating Document is in a language other than English (such language, the “Other Language”), but this Professional Services Schedule is not made available at this online location in the Other Language, this English language version controls over any other version of the Professional Services Schedule that may be made available at this online location in another language.
Exhibit A
Hyland Software Germany GmbH Additional Terms Exhibit
If Hyland is Hyland Software Germany GmbH, this Exhibit A shall apply:
1. The following provision shall be added to the Limited Warranty Section of the Professional Services Schedule:
To the extent the Professional Services provided under this Agreement constitute a contract for work (“Werkvertrag”), in this regard the statutory customer warranty provisions apply with the following restriction: Except in cases of intent or gross negligence on the part of Hyland the statutory warranty period amounts up to one year and begins upon acceptance of the respective Professional Service concerned.
Any warranty is specifically excluded with regard to non-performance issues caused as a result of a hardware or firmware malfunction or defect, software not developed by Hyland, incorrect data or incorrect procedures used or provided by Customer or a third party or failure of Customer to perform and fulfill its obligations in connection with the project covered by the Agreement. In such cases Customer agrees to reimburse Hyland for time and materials for any Professional Services provided by Hyland at Customer’s request to remedy excluded non-performance problems.
2. The Work Products License Section of the Professional Services Schedule shall be replaced in its entirety as follows:
Hyland grants to Customer a limited, non-exclusive and non-assignable license to use the Work Products only in connection with Customer’s authorized use of the Software, Hyland Cloud Service, or Add-On Services, or other Hyland product or service (collectively “Hyland Core Product”) with which such Work Product was delivered by Hyland for use by Customer. Customer may not: (a) make or authorize the making of copies of any Work Products; (b) remove any Hyland notices in the Work Products; (c) sell, transfer, rent, lease, time share or sublicense the Work Products to any third party; or (d) disassemble, decompile, reverse engineer or otherwise attempt to derive source code from any Work Product for any reason unless expressively permitted by statutory law for reasons indispensable to obtain the information necessary to achieve the interoperability of an independently created computer programs (see 69e of the Germany Copyright Act) or decompuling or reproducing the Software according to the provisions of see 69d of the German Copyright Act. Customer further agrees that, in connection with any use of the Work Products by Customer, the Work Products shall not be copied and installed on additional servers unless Customer has purchased a license therefore. All restrictions on use of the Hyland Core Product, including without limitation export restrictions and U.S. Government End User provisions, shall apply to the Work Products. If the license to the Hyland Core Product with which such Work Product was delivered by Hyland for use by Customer terminates, Customer’s right to use the applicable Work Product shall also terminate. All post-termination rights and obligations with respect to the applicable Core Hyland Product shall also apply to the Work Product.
3. The Work Products Warranty Section of the Professional Services Schedule shall be replaced in its entirety as follows:
For a period of one (1) year from and including the date that Hyland has delivered a completed Work Product to Customer, Hyland warrants to Customer that such Work Product, when properly installed and properly used, will function in all material respects as described in the Specifications. The terms of this warranty shall not apply to, and Hyland shall have no liability for any non-conformity related to, any Work Product that has been (a) modified or added to by Customer or a third party, (b) used in combination with equipment or software other than that which is consistent with the Specification, or (c) misused or abused.
Hyland’s sole obligation, and Customer’s sole and exclusive remedy, for any non-conformities to the express limited warranty under this Section shall be as follows: provided that, within the applicable warranty period, Customer notifies Hyland in writing of the non-conformity, Hyland will either (a) repair or replace the non-conforming Work Product, which may include the delivery of a reasonable workaround for the non-conformity; or (b) if Hyland determines that repair or replacement of the Work Product is not commercially practicable, then terminate this Schedule with respect to the non-conforming Work Product, in which event, upon compliance by Customer with its obligations upon termination, Hyland will refund any portion of the services fees paid prior to the time of such termination with respect to the creation and implementation of such Work Product. The Customer's statutory warranty rights shall remain unaffected subject to the express provisions of the Agreement.
4. The Work Products Infringement Indemnification Section of the Professional Services Schedule shall be replaced in its entirety as follows:
The most current version of this page shall be such in effect as of 12:00am EST (Eastern Standard Time) of the date stamped on such online version.
Effective June 2nd 2023 to October 4th 2023
DownloadTable of Contents
PROFESSIONAL SERVICES SCHEDULE
As of the Effective Date of the Incorporating Document (as defined below), this Professional Services Schedule (this “Professional Services Schedule”) is made part of the Hyland Master Agreement, Order Form, or any other agreement or document entered into between Customer and Hyland, which incorporates this Professional Services Schedule by reference (the “Incorporating Document”). As used herein, the “Agreement” means the Incorporating Document, inclusive of this Professional Services Schedule.
DEFINED TERMS
All capitalized terms used in this Professional Services Schedule shall have the meaning ascribed them in this Professional Services Schedule or, if not defined in this Professional Services Schedule, the General Terms Schedule. If any capitalized terms used herein are not defined in this Professional Services Schedule or the General Terms Schedule, they shall have the meaning ascribed to them elsewhere in this Agreement. In the event the same defined term is defined in two (2) or more Schedules, the term shall be given the meaning defined in each Schedule with respect to that Schedule, and, if the term is also used within this Schedule, this Schedule shall be interpreted to include all definitions, as the context requires.
“Professional Services” means any professional services provided by Hyland under a Services Proposal (as defined in this Professional Services Schedule), including but not limited to those services listed at https://www.hyland.com/services. Examples of the services include: (a) installation of the Software; (b) consulting, implementation and integration projects related to the Software, including but not limited to the customized configuration of integration Software or business process automation modules; (c) project management; (d) development projects in connection with the integration of Software with other applications utilizing any Software application programming interface (API).
“Services Proposal” means either: (a) a written proposal issued hereunder, and which sets forth the Professional Services Hyland will provide to Customer and which is signed by Customer and Hyland; or (b) an order form submitted by Customer and accepted by Hyland for Professional Services. Services Proposals are fully incorporated herein by reference.
“Specifications” means the definitive, final functional specifications for Work Products, if any, produced by Hyland under a Services Proposal. If there is an underlying license agreement between the parties, then specifications shall be considered Documentation in the case of Work Products.
“Working Hour” means the services of one (1) person for a period of one (1) hour (or any part thereof) during regular business hours.
“Work Products” means all items in the nature of computer software, including source code, object code, scripts, and any components or elements of the foregoing, or items created using the configuration tools of the Software, together with any and all design documents associated with items in the nature of computer software, in each case which are created, developed, discovered, conceived or introduced by Hyland, working either alone or in conjunction with others, in the performance of services under this Agreement. If applicable, Work Products shall include any pre-configured templates or VBScripts which have been or may be created or otherwise provided by Hyland as part of the configuration of advance capture Software.
1. SERVICES PROPOSAL. Customer may request Professional Services from Hyland. Hyland and Customer will discuss the parameters of the request and Hyland will inform the Customer as to whether the Professional Services shall be performed pursuant to a Services Proposal.
2. FULFILLMENT.
(a) Hyland will provide the Professional Services described in any mutually agreed upon Services Proposal at a time and on a schedule that is mutually agreed upon by the parties. If any delays in such Professional Services occur solely as a result of any incorrect information, incorrect assumption or failure of Customer to perform or fulfill its obligations in connection with any Services Proposal, the performance schedule for the applicable project may be extended. Hyland shall have no liability or responsibility for any costs or expenses resulting from such delays. In the event that performance of any milestone set forth in any Services Proposal is not met due to a delay solely caused by Hyland, and provided that such cause is not an event of force majeure as described in the Agreement, Hyland agrees, at no additional charge, to commit such additional resources and personnel as shall be necessary to ensure that such delay does not result in the slippage of later milestones or completion of such Professional Services. The parties agree that any Professional Services or Work Products described in this Professional Services Schedule that have been performed or developed, in whole or in part, prior to the execution of this Agreement by the parties nevertheless shall be covered by all terms and conditions of this Professional Services Schedule.
(b) Corporate Policies. Hyland acknowledges that Customer maintains corporate policies which apply to individuals who will perform services utilizing Customer’s premises or system (collectively, the “Corporate Policies”). In performing Professional Services under this Agreement, or any Services Proposal entered into pursuant to the terms of this Agreement, Hyland will use reasonable efforts to comply with the Corporate Policies to the extent such Corporate Policies are applicable to the delivery of such Professional Services, do not conflict with the Agreement or any other related agreement in place between Hyland and Customer and have been provided to Hyland reasonably in advance of any Professional Services engagement. Notwithstanding anything to the contrary in such Corporate Policies, if a Hyland resource fails to comply with the Corporate Policies and such failure does not otherwise constitute a breach of this Agreement, then Customer acknowledges and agrees that Hyland will not be in breach of contract or otherwise liable for damages, and as Customer’s sole remedy, Customer may immediately remove from its premises the individual resource(s) responsible for the failure and require that such individual resource(s) do not perform any further Professional Services for Customer.
3. CHANGES TO SERVICES PROPOSAL. Either party may, at any time, reasonably request a change to any Service Proposal. Any requested change that the parties mutually accept (a “Change”) will be set forth in a written change order prepared by Hyland and agreed to and signed by both parties that specifically references the relevant Service Proposal. In the event the parties are unable to mutually agree upon a proposed Change or a proposed change order, and such proposed Change relates to a material component of the project that is the subject of the relevant Services Proposal, either party may terminate such Service Proposal upon not less than thirty (30) days advance written notice to the other party.
4. CUSTOMER’S OBLIGATIONS.
4.1 Assistance and Obligations. Customer agrees that it will cooperate with and assist Hyland in the performance of Professional Services under any Services Proposal; will provide the resources specified in the relevant Services Proposal; and will perform or fulfill all obligations required to be performed or fulfilled by Customer under the terms of the relevant Services Proposal. Customer acknowledges that if it fails to provide assistance and perform or fulfill its obligations in accordance with this Section and the relevant Services Proposal, Hyland’s ability to provide such Professional Services, meet the performance schedule set forth in such Services Proposal and keep services fees reasonably in line with any estimates given in the Services Proposal may be adversely affected. During any period in which Hyland is performing services hereunder, Customer shall provide to the Hyland project team independent local (onsite) and remote (offsite) access through the use of secure connections such as a network connection, VPN connection or other similar methods and dedicated user accounts with appropriate privileges to the applicable Software, hardware or virtual machines allocated to the applicable software system. Remote and local access will be granted for all provisioned environments, including production.
4.2 Third Party Software Rights. Notwithstanding any contrary terms, if Customer requests Hyland to perform Professional Services on or with respect to any third party software, Customer represents and warrants to Hyland that Customer has all necessary rights to allow Hyland to do so.
4.3 Protection of Customer’s Systems. EXCEPT AS IT RELATES TO A HYLAND CLOUD SERVICE HOSTED BY HYLAND, CUSTOMER UNDERSTANDS THAT IT IS SOLELY RESPONSIBLE TO TAKE APPROPRIATE MEASURES TO ISOLATE AND BACKUP OR OTHERWISE ARCHIVE ITS COMPUTER SYSTEMS, INCLUDING ITS COMPUTER PROGRAMS, DATA AND FILES.
4.4 Safe Work Environment. Customer will be responsible for and shall ensure that while Hyland employees, agents or subcontractors are on Customer’s premises, all proper and legal health and safety precautions are in place and fully operational to protect such persons.
5. SERVICES FEES. Except as otherwise provided in any applicable Services Proposal: (a) Hyland will charge services fees for Professional Services at Hyland’s then-current standard list price for the applicable Professional Services; and (b) Hyland shall invoice for Professional Services fees monthly, in arrears, based on the number of Working Hours required to complete the project and the applicable hourly fees; and each such invoice shall be paid in full in accordance with the terms of this Agreement. Any estimates of fees or Working Hours required to complete the project are approximations of the anticipated amount of fees and time needed to complete the project. The actual number of Working Hours may vary.
6. TRAVEL AND EXPENSES. Hyland shall be reimbursed for all customary and reasonable out-of-pocket costs and expenses incurred by Hyland in connection with the performance of services under this Agreement (including fees and expenses relating to travel, meals, lodging and third party vendor registration requirements) in accordance with Hyland’s applicable internal policy for the reimbursement of costs and expenses to its employees. Except as otherwise provided in any applicable Services Proposal, Hyland shall invoice for all reimbursable costs and expenses on a monthly basis, in arrears; and such invoices shall be paid in full each in accordance with this Agreement.
7. LIMITED WARRANTY FOR SERVICES.
7.1 Limited Warranty. For a period of sixty (60) days from the date of completion of Professional Services, Hyland warrants to Customer that such services have been performed in a good and workmanlike manner and substantially according to industry standards. This warranty specifically excludes non-performance issues caused as a result of incorrect data or incorrect procedures used or provided by Customer or a third party or failure of Customer to perform and fulfill its obligations under this Agreement.
7.2 Remedy. Hyland’s sole obligation, and Customer’s sole and exclusive remedy for any non-conformities to the express limited warranties under the immediately preceding Section shall be as follows: provided that, within the applicable warranty period, Customer notifies Hyland in writing of the non-conformity, Hyland will use reasonable efforts to re-perform the non-conforming services in an attempt to correct the non-conformity(ies). If Hyland is unable to correct such non-conformity(ies) after a reasonable period of time, Customer’s sole and exclusive remedy shall be to terminate the Services Proposal under which the non-conforming Services have been performed, in which event Hyland will refund to Customer any portion of the services fees under such Services Proposal relating directly to such non-conforming Professional Services paid prior to the time of such termination.
8. WORK PRODUCTS.
8.1 Work Products License. Hyland grants to Customer a limited, non-exclusive and non-assignable license to use the Work Products only in connection with Customer’s authorized use of the Software, Hyland Cloud Service, or Add-On Services, or other Hyland product or service (collectively “Hyland Core Product”) with which such Work Product was delivered by Hyland for use by Customer. Customer may not: (a) make or authorize the making of copies of any Work Products; (b) remove any Hyland notices in the Work Products; (c) sell, transfer, rent, lease, time share or sublicense the Work Products to any third party; or (d) disassemble, decompile, reverse engineer or otherwise attempt to derive source code from any Work Product for any reason. Customer further agrees that, in connection with any use of the Work Products by Customer, the Work Products shall not be copied and installed on additional servers unless Customer has purchased a license therefore. All restrictions on use of the Hyland Core Product, including without limitation export restrictions and U.S. Government End User provisions, shall apply to the Work Products. If the license to the Hyland Core Product with which such Work Product was delivered by Hyland for use by Customer terminates, Customer’s right to use the applicable Work Product shall also terminate. All post-termination rights and obligations with respect to the applicable Core Hyland Product shall also apply to the Work Product.
8.2 Modification of Work Products.
8.2.1 Form of Delivered Work Products. The form in which Hyland delivers Work Products will be determined by Hyland depending on the purpose and functionality of the Work Product.
8.2.2 Configuration Work Products. If Hyland delivers a Work Product: (a) in the form of (i) source code which is compiled by tools in the Software to machine language form; or (ii) a script; or (b) created using the configuration tools in the Software (a “Configuration Work Product”), then Hyland grants to Customer the limited right to modify the Configuration Work Product, provided such modified Configuration Work Product is used only in compliance with the terms of the limited license to such Work Product granted hereunder.
8.2.3 Independent Work Products. If Hyland delivers a Work Product which is not a Configuration Work Product (an “Independent Work Product”), then, except as otherwise provided in the last sentence of this paragraph, Customer may not alter or modify such Independent Work Product. If Hyland delivers an Independent Work Product, and Customer desires to obtain the right to modify the Independent Work Product, then the parties may mutually agree that Hyland shall deliver to Customer a copy of the format of the Independent Work Product that is necessary to enable the Customer to complete its modifications, subject to and upon the payment by Customer to Hyland of any additional Professional Services fees as Hyland may charge to prepare and deliver such format. In such case, Hyland grants to Customer the right to modify, and if necessary, compile the delivered format of the Independent Work Product, provided such modified Independent Work Product is used only in compliance with the terms of the limited license to such Work Product granted hereunder.
8.3 Work Products Warranty
8.3.1 Limited Warranty. For a period of sixty (60) days from and including the date that Hyland has delivered a completed Work Product to Customer, Hyland warrants to Customer that such Work Product, when properly installed and properly used, will function in all material respects as described in the Specifications. The terms of this warranty shall not apply to, and Hyland shall have no liability for any non-conformity related to, any Work Product that has been (a) modified or added to by Customer or a third party, (b) used in combination with equipment or software other than that which is consistent with the Specification, or (c) misused or abused.
8.3.2 Remedy. Hyland’s sole obligation, and Customer’s sole and exclusive remedy, for any non-conformities to the express limited warranty under the immediately preceding Section shall be as follows: provided that, within the applicable warranty period, Customer notifies Hyland in writing of the non-conformity, Hyland will either (a) repair or replace the non-conforming Work Product, which may include the delivery of a reasonable workaround for the non-conformity; or (b) if Hyland determines that repair or replacement of the Work Product is not commercially practicable, then terminate this Professional Services Schedule with respect to the non-conforming Work Product, in which event, upon compliance by Customer with its obligations upon termination, Hyland will refund any portion of the services fees paid prior to the time of such termination with respect to the creation and implementation of such Work Product.
8.4 Work Products Infringement Indemnification. Hyland agrees to indemnify Customer against all liability and expense, including reasonable attorneys’ fees, arising from or in connection with any third party claim, action or proceeding instituted against Customer based upon any infringement or misappropriation by the Work Products of any patent, registered copyright or registered trademark of a third party, provided that Hyland: (a) is notified immediately after Customer receives notice of such claim; (b) is solely in charge of the defense of and any settlement negotiations with respect to such claim, provided that Hyland will not settle any such claim without the prior written consent of Customer if such settlement contains a stipulation to or admission or acknowledgement of any liability or wrongdoing on the part of Customer or otherwise requires payment by Customer; (c) receives Customer’s reasonable cooperation in the defense or settlement of such claim; and (d) has the right, upon either the occurrence of or the likelihood (in the opinion of Hyland) of the occurrence of a finding of infringement or misappropriation, either to procure for Customer the right to continue use of the Work Products, or to replace the relevant portions of the Work Products with other equivalent, non-infringing portions.
8.4.1 Removal and Refund. If Hyland is unable to accomplish either of the options set forth in Section 8.4(d), Hyland shall remove the infringing portion of the Work Products and refund to Customer the full services fees paid, if any, by Customer for the creation and implementation of the infringing Work Products.
8.4.2 Exclusions. Notwithstanding anything to the contrary, Hyland shall have no obligation to Customer to defend or satisfy any claims made against Customer and otherwise described in this Section that arise from: (a) any Customer Data; (b) use of the Work Products by Customer other than as expressly permitted by this Professional Services Schedule; (c) the combination of the Work Products with any product not furnished by Hyland to Customer; (d) the modification or addition to of the Work Products other than by Hyland or any of its authorized channel partners specifically retained by Hyland to provide such modification or addition; or (e) the Customer’s business methods or processes.
8.4.3 THIS SECTION STATES HYLAND’S ENTIRE LIABILITY AND THE SOLE AND EXCLUSIVE REMEDY OF CUSTOMER WITH RESPECT TO ANY ALLEGED INFRINGEMENT OR MISAPPROPRIATION OF INTELLECTUAL PROPERTY OR PROPRIETARY PROPERTY BY THE WORK PRODUCTS.
9. TERMINATION.
9.1 Generally. In addition to the termination provisions set forth in the General Terms Schedule, Customer or Hyland may terminate this Professional Services Schedule, including any Services Proposal, for any reason, upon not less than thirty (30) days advance written notice to Hyland to such effect. In the event this Professional Services Schedule is terminated in its entirety, any Services Proposal not terminated shall survive in accordance with its terms and the terms of this Professional Services Schedule.
9.2 Terminating a Services Proposal. In the case of termination of any Services Proposal, except in the case of termination due to Hyland's breach, all Professional Services fees related to all Professional Services performed by Hyland prior to and including the date of termination, as well as any additional reimbursable costs or expenses for which Hyland has incurred or contracted in connection with such Services Proposal and is unable to avoid, shall be due and payable in full. Additionally, all property of each party in possession of the other party in connection with Professional Services performed under this Schedule shall be returned.
9.3 Effects of Termination. Upon any termination of this Schedule in its entirety (other than by Hyland due to Customer’s breach), Customer’s license to use the Work Products provided in this Schedule shall survive according to its terms.
10 ADDITIONAL TERMS AND CONDITIONS. If Hyland is Hyland Software Germany GmbH, the additional or alternative terms and conditions set forth on Exhibit A shall apply.
11. CONTROLLING LANGAUGE. Hyland may make other versions of this Professional Services Schedule available in other languages at this online location. This English language version of this Professional Services Schedule controls over any version of the Professional Services Schedule made available at this online location in another language if the Incorporating Document is in English. If the Incorporating Document is in a language other than English (such language, the “Other Language”), but this Professional Services Schedule is not made available at this online location in the Other Language, this English language version controls over any other version of the Professional Services Schedule that may be made available at this online location in another language.
Exhibit A
Hyland Software Germany GmbH Additional Terms Exhibit
If Hyland is Hyland Software Germany GmbH, this Exhibit A shall apply:
1. The following provision shall be added to the Limited Warranty Section of the Professional Services Schedule:
To the extent the Professional Services provided under this Agreement constitute a contract for work (“Werkvertrag”), in this regard the statutory customer warranty provisions apply with the following restriction: Except in cases of intent or gross negligence on the part of Hyland the statutory warranty period amounts up to one year and begins upon acceptance of the respective Professional Service concerned.
Any warranty is specifically excluded with regard to non-performance issues caused as a result of a hardware or firmware malfunction or defect, software not developed by Hyland, incorrect data or incorrect procedures used or provided by Customer or a third party or failure of Customer to perform and fulfill its obligations in connection with the project covered by this Agreement. In such cases Customer agrees to reimburse Hyland for time and materials for any Professional Services provided by Hyland at Customer’s request to remedy excluded non-performance problems.
2. The Work Products License Section of the Professional Services Schedule shall be replaced in its entirety as follows:
Hyland grants to Customer a limited, non-exclusive and non-assignable license to use the Work Products only in connection with Customer’s authorized use of the Software, Hyland Cloud Service, or Add-On Services, or other Hyland product or service (collectively “Hyland Core Product”) with which such Work Product was delivered by Hyland for use by Customer. Customer may not: (a) make or authorize the making of copies of any Work Products; (b) remove any Hyland notices in the Work Products; (c) sell, transfer, rent, lease, time share or sublicense the Work Products to any third party; or (d) disassemble, decompile, reverse engineer or otherwise attempt to derive source code from any Work Product for any reason unless expressively permitted by statutory law for reasons indispensable to obtain the information necessary to achieve the interoperability of an independently created computer programs (see 69e of the Germany Copyright Act) or decompuling or reproducing the Software according to the provisions of see 69d of the German Copyright Act. Customer further agrees that, in connection with any use of the Work Products by Customer, the Work Products shall not be copied and installed on additional servers unless Customer has purchased a license therefore. All restrictions on use of the Hyland Core Product, including without limitation export restrictions and U.S. Government End User provisions, shall apply to the Work Products. If the license to the Hyland Core Product with which such Work Product was delivered by Hyland for use by Customer terminates, Customer’s right to use the applicable Work Product shall also terminate. All post-termination rights and obligations with respect to the applicable Core Hyland Product shall also apply to the Work Product.
3. The Work Products Warranty Section of the Professional Services Schedule shall be replaced in its entirety as follows:
For a period of one (1) year from and including the date that Hyland has delivered a completed Work Product to Customer, Hyland warrants to Customer that such Work Product, when properly installed and properly used, will function in all material respects as described in the Specifications. The terms of this warranty shall not apply to, and Hyland shall have no liability for any non-conformity related to, any Work Product that has been (a) modified or added to by Customer or a third party, (b) used in combination with equipment or software other than that which is consistent with the Specification, or (c) misused or abused.
Hyland’s sole obligation, and Customer’s sole and exclusive remedy, for any non-conformities to the express limited warranty under this Section shall be as follows: provided that, within the applicable warranty period, Customer notifies Hyland in writing of the non-conformity, Hyland will either (a) repair or replace the non-conforming Work Product, which may include the delivery of a reasonable workaround for the non-conformity; or (b) if Hyland determines that repair or replacement of the Work Product is not commercially practicable, then terminate this Schedule with respect to the non-conforming Work Product, in which event, upon compliance by Customer with its obligations upon termination, Hyland will refund any portion of the services fees paid prior to the time of such termination with respect to the creation and implementation of such Work Product. The Customer's statutory warranty rights shall remain unaffected subject to the express provisions of this Agreement.
4. The Work Products Infringement Indemnification Section of the Professional Services Schedule shall be replaced in its entirety as follows:
The most current version of this page shall be such in effect as of 12:00am EST (Eastern Standard Time) of the date stamped on such online version.
Effective December 8th 2022 to June 2nd 2023
DownloadTable of Contents
Effective March 30th 2021 to December 8th 2022
DownloadTable of Contents
Support Prioritization Attachment
Effective August 22nd 2023
DownloadTable of Contents
Effective May 30th 2023 to August 22nd 2023
DownloadTable of Contents
Effective May 30th 2023 to May 30th 2023
DownloadTable of Contents
Effective December 8th 2022 to May 30th 2023
DownloadTable of Contents
Severity Level | Description | Hyland Response |
Level 1 | “Level 1” means any Error that causes total or substantial Software failure, which means that the Software is down and Customer is unable to access the Software in any way within their production environment. | Upon receiving notification from Customer, Hyland’s Technical Support contact will immediately notify a support manager. Within thirty (30) minutes, the Manager will notify a member of senior management. If there is no Resolution within two (2) hours of the Customer’s notice, Hyland will place the Customer on the High Visibility Ticker (HVT). If there is no Resolution within four (4) hours of the Customer’s notice or by the end of business of that day, Hyland will designate the Error as Code Blue. Designation as Code Blue means a resolution team is immediately formed for the Level 1 Error and the resolution team provides continuous updates on all issues of change or status to all C-level executives and vice presidents of Hyland, and all of Hyland employees are made aware that the Customer is on Code Blue. To provide a Resolution, Hyland will match the Customer’s effort, up to and including 24 hour days, 7 days a week, through holidays and weekends until there is a Resolution. |
Level 2 | “Level 2” means an Error that causes substantial Software failure which prevents a portion of Customer’s users from accessing the Software in any way within the production environment. | Upon receiving notification from Customer, Hyland’s Technical Support contact will notify a support manager within sixty (60) minutes. Within two (2) hours, the manager will notify a member of senior management. If there is no Resolution by the end of business on that day, Hyland will place the Customer on Hyland’s High Visibility Ticker. If there is no Resolution within twenty-four (24) hours of Customer’s notice, Hyland will designate the Error as Code Blue. To provide a Resolution, Hyland will match Customer’s efforts up to 24 hour days, 7 days a week, through holidays and weekends until there is a Resolution. |
Level 3 | “Level 3” means that the Software is usable except that an Error causes an ongoing, system-wide, severe performance degradation. | To provide a Resolution, Hyland will match Customer’s efforts up to 5 days/week, 16 hours/day, through holidays and weekends until there is a Resolution. |
Level 4 | “Level 4” means that the Software is usable except that an Error prevents a specific feature or functionality from working. | To provide a Resolution, Hyland will use reasonable efforts during regular support hours. |
Level 5 | “Level 5” means that the Software is usable except that an Error causes a trivial inconvenience and the task can be completed in another way | Standard Maintenance and Support. |
Level 6 | “Level 6” means Technical Support Services. | Standard Maintenance and Support. |
Effective March 30th 2021 to December 8th 2022
DownloadTable of Contents
Severity Level | Description | Hyland Response |
Level 1 | “Level 1” means any Error that causes total or substantial Software failure, which means that the Software is down and Customer is unable to access the Software in any way within their production environment. | Upon receiving notification from Customer, Hyland’s Technical Support contact will immediately notify a support Manager. Within thirty (30) minutes, the Manager will notify a member of Senior Management or a Vice President. If there is no Resolution within two (2) hours of the Customer’s notice, Hyland will place the Customer on the High Visibility Ticker (HVT). If there is no Resolution within four (4) hours of the Customer’s notice or by the end of business of that day, Hyland will designate the Error as Code Blue. Designation as Code Blue means a resolution team is immediately formed for the Level 1 Error and the resolution team provides continuous updates on all issues of change or status to all C-Level Executives and Vice Presidents of Hyland, and all of Hyland employees are made aware that the Customer is on Code Blue. To provide a Resolution, Hyland will match the Customer’s effort, up to and including 24 hour days, 7 days a week, through holidays and weekends until there is a Resolution. |
Level 2 | “Level 2” means an Error that causes substantial Software failure which prevents a portion of Customer’s users from accessing the Software in any way within the production environment. | Upon receiving notification from Customer, Hyland’s Technical Support contact will notify a support Manager within sixty (60) minutes. Within two (2) hours, the Manager will notify a member of Senior Management or Vice President. If there is no Resolution by the end of business on that day, Hyland will place the Customer on Hyland’s High Visibility Ticker. If there is no Resolution within twenty-four (24) hours of Customer’s notice, Hyland will designate the Error as Code Blue. To provide a Resolution, Hyland will match Customer’s efforts up to 24 hour days, 7 days a week, through holidays and weekends until there is a Resolution. |
Level 3 | “Level 3” means that the Software is usable except that an Error causes an ongoing, system-wide, severe performance degradation. | To provide a Resolution, Hyland will match Customer’s efforts up to 5 days/week, 16 hours/day, through holidays and weekends until there is a Resolution. |
Level 4 | “Level 4” means that the Software is usable except that an Error prevents a specific feature or functionality from working. | To provide a Resolution, Hyland will use reasonable efforts during regular support hours. |
Level 5 | “Level 5” means that the Software is usable except that an Error causes a trivial inconvenience and the task can be completed in another way | Standard Maintenance and Support. |
Level 6 | “Level 6” means Technical Support Services. | Standard Maintenance and Support. |
Acceptable Use Policy Attachment - AUP
Effective June 6th 2023
DownloadTable of Contents
Effective June 6th 2023
DownloadANLAGE - RICHTLINIE ZUR AKZEPTABLEN NUTZUNG
1. EINLEITUNG:
Diese Richtlinie zur akzeptablen Nutzung (diese „RAN“) gilt für alle natürlichen und juristischen Personen (im Folgenden zusammenfassend als „Benutzer“ bezeichnet), welche die von Hyland Software, Inc. oder seinen verbundenen Unternehmen („Hyland“) bereitgestellten Dienste und Softwareprodukte in Verbindung mit dem Hyland Cloud-Dienst nutzen. Diese RAN dient dem Schutz der Sicherheit, Integrität, Zuverlässigkeit und Privatsphäre des Hyland-Netzwerks und des Hyland Cloud-Dienstes, den Hyland für seine Hosting-Kunden hostet.
Mit der Nutzung des Hyland Cloud-Dienstes akzeptiert der Benutzer die Bedingungen dieser RAN in ihrer zum Zeitpunkt der Nutzung gültigen Fassung. Hyland behält sich das Recht vor, diese Richtlinie jederzeit mit sofortiger Wirkung zu ändern, sobald Hyland die geänderte oder überarbeitete RAN auf der Hyland-Website veröffentlicht hat: https://www.hyland.com/community.
2. BENUTZERPFLICHTEN.
2.1 Fehlgebrauch. Der Benutzer ist für jede missbräuchliche Nutzung eines Hyland Cloud-Dienstes verantwortlich. Daher muss der Benutzer alle angemessenen Vorsichtsmaßnahmen ergreifen, um den Zugang und die Nutzung aller von ihm genutzten Hyland Cloud-Dienste zu schützen.
2.2 Nutzungsbeschränkungen. Der Benutzer darf einen Hyland Cloud-Dienst in keiner Weise nutzen, welche gegen geltendes Recht verstößt, einschließlich, aber nicht beschränkt auf:
(a) Verletzung oder widerrechtliche Aneignung von geistigen Eigentumsrechten, einschließlich Urheberrechten, Marken, Dienstleistungsmarken, Software, Patenten und Geschäftsgeheimnissen;
(b) Beteiligung an der Förderung, dem Verkauf, der Herstellung, der Erfüllung oder der Lieferung von illegalen Drogen, illegalem Glücksspiel, obszönem Material oder anderen gesetzlich verbotenen Produkten und Dienstleistungen. Ebenso ist die Aufforderung zu solch illegale Aktivitäten verboten, selbst wenn die Aktivitäten nicht tatsächlich durchgeführt werden;
(c) Das Anzeigen, Übertragen, Speichern oder Bereitstellen von kinderpornografischem Material;
(d) Das Übertragen, Verteilen oder Speichern von Material, das rechtswidrig ist, einschließlich Verschlüsselungssoftware, die gegen die US-, EU- und nationale Exportkontrollgesetze verstößt, oder das ein erhebliches Risiko zivilrechtlicher Haftung für Hyland darstellt;
(e) Das Anzeigen, Übertragen, Speichern oder Veröffentlichen von Informationen, die eine Beleidigung, Verleumdung, Diffamierung, Belästigung, Obszönität darstellen oder anderweitig die Privatsphäre oder die persönlichen Rechte einer Person verletzen;
(f) Das Anzeigen oder Übermitteln von obszönen, bedrohlichen, beleidigenden oder belästigenden Nachrichten; oder
(g) Förderung, Angebot oder Durchführung betrügerischer Finanzpläne, einschließlich Pyramiden, unrechtmäßigen Geldüberweisungen und Belastungen von Kreditkarten.
2.3 Verbotene Handlungen. Dem Benutzer ist es nicht gestattet, einen Hyland Cloud-Dienst zu nutzen, um eine der folgenden Handlungen vorzunehmen:
(a) Störung, unbefugter Zugriff auf oder anderweitige Verletzungen der Sicherheit von Servern, Netzwerken, PCs, Netzwerkzugangs- oder -kontrollgeräten, Software oder Daten oder anderen Systemen von Hyland oder einer anderen Partei oder der Versuch, eine der vorgenannten Handlungen auszuführen, einschließlich, aber nicht beschränkt auf die Entwicklung, Verbreitung oder Ausführung von Internetviren, Würmern, Denial-of-Service-Angriffen, Netzwerküberflutung oder anderen böswilligen Aktivitäten, die darauf abzielen, Computerdienste zu stören oder Daten zu zerstören;
(b) Störung des Hyland-Netzwerks oder der Nutzung des Hyland Cloud-Dienstes, durch andere autorisierte Benutzer;
(c) Das Bewerben oder Verbreiten von Software, Diensten oder Adresslisten, die den Zweck haben, Spam zu ermöglichen;
(d) Bereitstellung falscher oder irreführender Informationen in Nachrichtenkopfzeilen oder anderen Inhalten, Verwendung nicht existierender Domänennamen oder irreführender Adressierung oder Verbergen oder Verschleiern von Informationen, die den Ursprungsort oder Übertragungsweg einer Nachricht identifizieren;
(e) Verletzung von Persönlichkeitsrechten;
(f) Versenden und Sammeln von Antworten auf Spam, unerwünschte elektronische Nachrichten oder Kettenbriefe; und
3. DURCHSETZUNG. Wenn ein Benutzer gegen diese RAN verstößt, kann Hyland, je nach Art und Schwere des Verstoßes, das Hosting eines Hyland Cloud-Dienstes, auf den dieser Benutzer zugreift, so lange aussetzen, bis Maßnahmen ergriffen sind, die nach Hylands vernünftigem Ermessen eine Fortsetzung oder Wiederholung des Verstoßes ausschließen.
4. HINWEIS. Sofern dies nicht gesetzlich verboten ist, wird Hyland den Benutzer schriftlich per E-Mail oder auf andere Weise über einen Verstoß gegen diese RAN informieren, damit dieser Verstoß ohne Auswirkungen auf den Hyland Cloud-Dienst korrigiert werden kann. Hyland setzt dem Benutzer außerdem eine angemessene Frist, innerhalb derer der Benutzer diese RAN einhalten muss. Hyland behält sich jedoch das Recht vor, sofort und ohne vorherige Ankündigung zu handeln, um den Hyland Cloud-Dienst als Reaktion auf eine gerichtliche Anordnung oder eine behördliche Mitteilung, dass ein bestimmtes Verhalten des Benutzers eingestellt werden muss, auszusetzen oder wenn Hyland vernünftigerweise feststellt: (1) dass es Sanktionen, zivilrechtlicher Haftung oder strafrechtlicher Verfolgung ausgesetzt sein könnte; (2) dass ein solcher Verstoß die Integrität oder den normalen Betrieb oder die Sicherheit des Hyland-Netzwerks oder der Netzwerke, mit denen Hyland verbunden ist, schädigen oder beeinträchtigen könnte oder die Nutzung des Hyland Cloud-Dienstes, anderen Diensten oder Softwareprodukten durch einen anderen Hyland-Kunden beeinträchtigen könnte; oder (3) dass ein solcher Verstoß anderweitig eine unmittelbare Gefahr für Hyland oder andere Hyland-Kunden oder deren jeweilige Mitarbeiter darstellt. Anderfalls wird Hyland angemessene Anstrengungen unternehmen, um dem Benutzer eine Frist von mindestens sieben (7) Kalendertagen zu setzen, bevor der Hyland Cloud-Dienst ausgesetzt wird. Der Benutzer ist für alle Gebühren oder Entgelte verantwortlich, die Hyland bis zum Zeitpunkt der Aussetzung durch Hyland gemäß der zwischen dem Benutzer und Hyland bestehenden Vereinbarung in Bezug auf den Hyland Cloud-Dienst zu begleichen sind.
5. HAFTUNGSAUSSCHLUSS. Hyland lehnt jegliche Verantwortung für Schäden ab, die dem Benutzer als Folge der Reaktion von Hyland auf die Verletzung dieser RAN durch den Benutzer entstehen. Der Benutzer ist allein für die Inhalte und Nachrichten verantwortlich, die vom Benutzer über einen Hyland Cloud-Dienst übertragen oder zur Verfügung gestellt werden. Durch die Nutzung eines Hyland Cloud-Dienstes nimmt der Benutzer zur Kenntnis, dass Hyland nicht verpflichtet ist, Aktivitäten oder Inhalte auf Verstöße gegen geltendes Recht oder diese RAN zu überwachen, sich aber das Recht vorbehält, dies zu tun. Hyland lehnt jede Verantwortung für die unangemessene Nutzung eines Hyland Cloud-Dienstes durch den Benutzer und jegliche Haftung für die Verletzung dieser RAN oder geltenden Rechts durch Dritte ab.
6. ENTSCHÄDIGUNG. Der Benutzer erklärt sich damit einverstanden, Hyland von allen Verbindlichkeiten, Verpflichtungen, Verlusten und Schäden sowie von Kosten und Auslagen, einschließlich angemessener Anwaltskosten, freizustellen, die sich aus Ansprüchen, Schäden, Verlusten, Haftungen, Klagen oder Klagen Dritter gegen Hyland aufgrund schuldhaften Verhaltens des Benutzers, das gegen diese RAN verstößt, erhoben werden.
7. VERZICHT. Ein Versäumnis oder eine Verzögerung bei der Ausübung oder Durchsetzung dieser Richtlinie stellt keinen Verzicht auf die Richtlinie oder auf ein anderes Recht oder Rechtsmittel dar. Sollte eine Bestimmung dieser Richtlinie aufgrund eines Gesetzes oder einer Gesetzesänderung als nicht durchsetzbar erachtet werden, wird eine solche Bestimmung nicht berücksichtigt und der Rest der Richtlinie bleibt in Kraft.
8. FRAGEN. Wenn Sie sich nicht sicher sind, ob eine in Betracht gezogene Nutzung oder Handlung zulässig ist, wenden Sie sich bitte an Hyland unter der Nummer 440-788-5000.
Effective June 6th 2023
DownloadANEXO DE POLÍTICA DE USO ACEPTABLE
1. INTRODUCCIÓN.
Esta Política de Uso Aceptable ("AUP” por sus siglas en inglés) aplica a todas las personas y entidades (en su conjunto de denomina "Usuario") que utilizan los servicios y productos de software proporcionados por Hyland Software, Inc. o sus filiales ("Hyland") en relación con el alojamiento de Hyland de una o más Soluciones Alojadas (en su conjunto de denomina "Soluciones Alojadas"). Esta AUP está diseñada para proteger la seguridad, integridad, confiabilidad y privacidad de la red de Hyland y los alojamientos de las Soluciones Alojadas para sus clientes de hosting.
El uso de la Solución Alojada por parte del Usuario constituye la aceptación del Usuario de los términos y condiciones de esta AUP vigentes en el momento de dicho uso. Hyland se reserva el derecho de modificar esta política en cualquier momento a partir de la publicación de la modificación o AUP revisada en el sitio web de Hyland: https://www.hyland.com/community.
2. OBLIGACIONES DEL USUARIO.
2.1 Mal Uso. El Usuario es responsable por cualquier mal uso de la Solución Alojada; por lo tanto, debe tomar todas las precauciones razonables para proteger el acceso y uso de cualquier Solución Alojada que utilice.
2.2 Restricciones de Uso. El Usuario no debe usar una Solución Alojada de ninguna forma que viole la ley aplicable, incluyendo, entre otros, al:
(a) Infringir o apropiarse indebidamente de los derechos de propiedad intelectual, incluidos los derechos de autor, marcas registradas, marcas de servicio, software, patentes y secretos comerciales;
(b) Participar en la promoción, venta, producción o entrega de drogas ilegales, apuestas ilegales, materiales obscenos u otros productos y servicios prohibidos por la ley. Del mismo modo, solicitar actividades ilegales está prohibido incluso si tales actividades no se realizan realmente;
(c) Mostrar, transmitir, almacenar o poner a disposición materiales de pornografía infantil;
(d) Transmitir, distribuir o almacenar cualquier material que sea ilegal, incluyendo software de cifrado en violación de las leyes de control de exportaciones de los Estados Unidos, o que presente un riesgo material de responsabilidad civil para Hyland;
(e) Mostrar, transmitir, almacenar o publicar información que constituya difamación, calumnia, hostigamiento, obscenidad o que viole la privacidad o los derechos personales de cualquier persona;
(f) Mostrar o transmitir mensajes obscenos, amenazantes, abusivos u hostigadores; o
(g) Promover, ofrecer o implementar esquemas financieros fraudulentos, incluyendo pirámides, transferencias ilegales de fondos y cargos a tarjetas de crédito.
2.3 Actos Prohibidos. El Usuario no debe usar la Solución Alojada para ninguna de las actividades siguientes:
(a) Interferir con, obtener acceso no autorizado a o violar la seguridad del servidor, red, computadora personal, dispositivos de acceso o control de red, software, datos u otro sistema de Hyland o tercera parte, o intentar hacer algo de lo anterior, incluyendo, entre otros, el desarrollo, distribución o ejecución de virus de Internet, gusanos, ataques de denegación de servicio, inundación de la red u otras actividades maliciosas destinadas a interrumpir los servicios informáticos o destruir datos;
(b) Interferir con la red de Hyland o con el uso de Soluciones Alojadas recibidas de otros Usuarios autorizados;
(c) Promover o distribuir software, servicios o directorios que tengan el propósito de facilitar el correo no deseado;
(d) Proporcionar información falsa o engañosa en encabezados de mensajes y otro contenido, usar nombres de dominios no existentes o direcciones engañosas, o esconder información que identifique el punto de origen o ruta de transmisión de un mensaje;
(e) Violar los derechos de privacidad personal;
(f) Enviar respuestas al correo no deseado, mensajes electrónicos no solicitados o cadena de correos, y
(g) Participar en actividades que Hyland crea, a su juicio, puedan ser dañinas para las operaciones, imagen pública o reputación de Hyland.
3. CUMPLIMIENTO. Si un Usuario viola esta AUP, Hyland puede, dependiendo de la naturaleza y gravedad de la violación, suspender el alojamiento de cualquier Solución Alojada a la que acceda dicho Usuario durante el tiempo que sea necesario para tomar medidas que, a juicio razonable de Hyland, eviten que la violación continúe u ocurra de nuevo.
4. NOTIFICACIONES. A menos que lo prohíba la ley, Hyland debe proporcionarle al Usuario una notificación escrita por correo electrónico o de otra forma sobre la violación de esta AUP para que se corrija sin afectar el alojamiento de las Soluciones Alojadas; Hyland también debe proporcionarle al Usuario una fecha límite para que cumpla con la AUP. Sin embargo, Hyland se reserva el derecho de actuar inmediatamente y suspender el alojamiento de las Soluciones Alojadas sin previo aviso en respuesta a una orden judicial o notificación gubernamental indicando que se debe suspender cierta conducta del Usuario o cuando Hyland determine: (1) que puede estar expuesto a sanciones, responsabilidad civil o enjuiciamiento; (2) que dicha violación puede dañar o interferir con la integridad o las operaciones normales o la seguridad de la red o redes de Hyland con las que Hyland está interconectada, o interferir con el uso que hace otro cliente de Hyland de los servicios o productos de software de Hyland, o (3) que dicha violación presenta un riesgo inminente de daño para Hyland u otros clientes de Hyland o sus respectivos empleados. En otras circunstancias, Hyland tomará las acciones que resulten comercialmente razonables para proporcionarle al Usuario un aviso por lo menos siete (7) días calendario antes de suspender el alojamiento de las Soluciones Alojadas. El Usuario es responsable de todos los cargos o tarifas que se le deben a Hyland hasta el punto de la suspensión, según el acuerdo existente entre el Usuario y Hyland con relación a las Soluciones Alojadas.
5. DESCARGO DE RESPONSABILIDAD. Hyland no asume ninguna responsabilidad por los daños y perjuicios sufridos por el Usuario como resultado de la respuesta de Hyland a la violación de esta AUP por parte del Usuario. El Usuario es el único responsable del contenido y mensajes transmitidos o puestos a disposición usando una Solución Alojada. Al utilizar una Solución Alojada, el Usuario reconoce que Hyland no tiene la obligación de monitorear las actividades o contenido para ver si violan alguna ley aplicable o esta AUP, pero se reserva el derecho de hacerlo. Hyland rechaza cualquier responsabilidad por el uso inadecuado de una Solución Alojada por parte del Usuario y cualquier responsabilidad por la violación a esta AUP o ley aplicable de un tercero.
6. INDEMNIZACIÓN. El Usuario acepta indemnizar a Hyland por y contra todas las responsabilidades, obligaciones, pérdidas y daños y perjuicios, más los costos y gastos, incluyendo los honorarios razonables de abogados, que surjan de cualquier reclamo, daño, pérdida, responsabilidad, demanda o acción presentada contra Hyland por un tercero como resultado de la conducta del Usuario que viola esta AUP.
7. EXENCIÓN. Ninguna falla o retraso en el cumplimiento de esta política constituirá una exención a la política o a ningún otro derecho o resarcimiento. Si no se puede cumplir alguna disposición de esta política debido a alguna ley o cambio en la ley, dicha disposición deberá ser ignorada y el resto de la política se mantendrá en vigor.
8. PREGUNTAS. Si el Usuario no está seguro si tiene permitido algún uso o acción debe contactar a Hyland al 440-788-5000.
Effective June 6th 2023
Download
1. INTRODUCTION.
La présente Politique d'Utilisation Acceptable (la « PUA ») s'applique à toute personne physique ou morales qui utilise les services et logiciels (collectivement, l’« Utilisateur ») fournis par Hyland Software, Inc. ou ses affiliées (« Hyland ») en lien avec le Service Cloud Hyland. La PUA vise à protéger la sécurité, l'intégrité, la fiabilité et la confidentialité du réseau de Hyland et des Services Cloud Hyland que Hyland héberge pour les clients de ses services d’hébergement.
L'utilisation du Service Cloud Hyland par l’Utilisateur vaut acceptation par ce dernier des termes de la PUA en vigueur à la date d’utilisation dudit service. Hyland se réserve le droit de modifier la PUA à tout moment, toute nouvelle version prenant effet à la date de la publication par Hyland de la modification considérée ou de la PUA révisée, sur son site internet: https://www.hyland.com/community.
2. OBLIGATIONS DE L’UTILISATEUR.
2.1 Mauvaise utilisation. L'Utilisateur est seul responsable de toute utilisation inappropriée d'un Service Cloud Hyland. L'Utilisateur prend donc toutes précautions raisonnables afin de protéger l'accès au(x) et l'utilisation du/des Service Cloud Hyland qu'il utilise.
2.2 Restrictions d'utilisation. L'Utilisateur s’interdit toute utilisation du Service Cloud Hyland en violation de toute loi applicable, en ce compris, sans que cette liste soit exhaustive:
(a) en contrefaisant des ou faisant appropriation illicite de droits de propriété intellectuelle, en ce compris les droits d'auteur, les droits sur les marques, les logiciels, les brevets et les secrets commerciaux;
(b) en promouvant, vendant, produisant, réalisant ou fournissant des drogues ou jeux d'argent illégaux, des produits obscènes ou tout autre produit ou service interdit par la loi. De même, la sollicitation d'activités illégales est interdite, quand bien même ces activités ne seraient pas effectivement réalisées;
(c) en affichant, transmettant, stockant ou rendant disponibles des éléments pédopornographiques;
(d) en transmettant, distribuant ou stockant tout élément illégal, y compris tout logiciel de cryptage en violation des lois américaines – ou de toute autre juridiction, le cas échéant – sur le contrôle des exportations, ou susceptible d’engager la responsabilité civile de Hyland;
(e) en affichant, transmettant, stockant ou publiant des informations qui constituent une diffamation, du harcèlement, une obscénité, ou qui violent de toute autre manière la vie privée ou les droits personnels de tout individu;
(f) en affichant ou transmettant des messages obscènes, menaçants, abusifs ou de harcèlement; ou
(g) en promouvant, proposant ou mettant en œuvre des mécanismes financiers frauduleux, notamment des modèles financiers pyramidaux (« pyramid schemes ») , transferts de fonds illégaux et frais sur les cartes de crédit.
2.3 Actes Prohibés. L'Utilisateur s’interdit d’utiliser le Service Cloud Hyland pour se livrer à l'un quelconque des actes suivants:
(a) interférer avec, obtenir un accès non autorisé au ou violer de toute autre manière la sécurité du serveur, du réseau, d’un ordinateur personnel, des dispositifs d'accès ou de contrôle du réseau, des logiciels ou des données, ou de tout autre système de Hyland ou d’un tiers, ou tenter de faire ce qui précède, en ce compris, mais sans s'y limiter, en utilisant le Service Cloud Hyland dans le développement, la distribution ou l'exécution de virus, de vers, d'attaques par déni de service, d'inondations de réseau ou autres activités malveillantes destinées à perturber des services informatiques ou à détruire des données;
(b) interférer avec le réseau de Hyland ou l'utilisation et la jouissance, par ou pour d’autres Utilisateurs autorisés, des Services Cloud Hyland;
(c) promouvoir ou distribuer des logiciels, des services ou des listes d'adresses dont l’objet est de faciliter les spams;
(d) fournir des informations erronées ou trompeuses en en-têtes des messages ou tout d'autre contenu, utiliser des noms de domaine inexistants ou un adressage trompeur, ou cacher ou obscurcir les informations permettant d'identifier le point d'origine ou le chemin de transmission d'un message;
(e) violer les droits à la vie privée, sauf les cas autorisés par la loi;
(f) envoyer des spams et collecter les réponses qui y sont apportées, des messages électroniques non sollicités ou des chaînes de courriels; et
(g) s'engager dans toute activité que Hyland considère, à sa seule discrétion, comme pouvant être nuisible aux opérations, à l'image ou à la réputation de Hyland.
3. EXÉCUTION. En cas de manquement d’un Utilisateur aux termes de la PUA, et en fonction de la nature et de la gravité dudit manquement, Hyland se réserve le droit de suspendre l’hébergement de tout Service Cloud Hyland auquel cet Utilisateur a accès et ce, pour la durée nécessaire à la mise en place des mesures qui, selon Hyland, permettront de mettre fin audit manquement et en préviendront la poursuite ou répétition.
4. NOTIFICATION. Excepté les cas prévus par la loi, Hyland notifie par écrit à l'Utilisateur, par courriel ou par tout autre moyen, tout manquement à la PUA afin qu’il puisse y être remédié, sans impact sur le Service Cloud Hyland ; Hyland indique également à l'Utilisateur le délai dans lequel celui-ci doit se mettre en conformité avec la PUA. Hyland se réserve toutefois le droit de suspendre sans préavis, et sans délai, le Service Cloud Hyland en réponse à une décision de justice ou administrative indiquant que certains comportements de l'Utilisateur doivent cesser, ou lorsque Hyland considère: (1) qu'elle peut être exposée à une sanction, voir sa responsabilité civile engagée ou qu’elle s’expose à des poursuites; (2) que ce manquement est susceptible de causer un préjudice ou interférer avec l'intégrité ou les opérations normales ou la sécurité du réseau de Hyland ou des réseaux avec lesquels Hyland est interconnectée, ou interférer avec l'utilisation par un autre client de Hyland des Services Cloud Hyland, d'autres services ou logiciels; ou (3) que ce manquement présente un quelconque risque imminent de préjudice pour Hyland ou d'autres clients de Hyland ou leurs salariés respectifs. Sous réserve de ce qui précède, Hyland s’efforce d’allouer à l'Utilisateur un préavis d'au moins sept (7) jours calendaires avant la suspension du Service Cloud Hyland. L'Utilisateur est responsable de l’ensemble des montants dus à Hyland jusqu'au moment de la suspension par Hyland, conformément au contrat en vigueur entre l'Utilisateur et Hyland concernant les Services Cloud Hyland.
5. EXCLUSION DE RESPONSABILITÉ. Hyland décline toute responsabilité en cas de dommage subi par l'Utilisateur suite à la réponse de Hyland à un manquement de la PUA par l'Utilisateur. L'Utilisateur est seul responsable du contenu et des messages transmis ou qu’il met à disposition en utilisant un Service Cloud Hyland. En ayant recours à un Service Cloud Hyland, l'Utilisateur reconnaît que Hyland se réserve le droit mais n’est pas tenue de surveiller toute activité ou tout contenu, afin d’identifier un manquement à la loi applicable ou la PUA. Hyland décline toute responsabilité quant à l'utilisation inappropriée d'un Service Cloud Hyland par l'Utilisateur et ne pourra en aucun cas être tenue responsable de la violation par un tiers de la PUA ou de toute loi applicable.
6. INDEMNISATION. L'Utilisateur s’engage à indemniser Hyland de et contre toutes responsabilités, obligations, pertes et dommages, ainsi que les coûts et dépenses associés, en ce compris les frais d'avocat raisonnables, résultant de toute réclamation, dommage, perte, responsabilité, poursuite ou action intentée contre Hyland par un tiers suite à un manquement de l’Utilisateur à la PUA.
7. TOLERANCE ET NULLITE PARTIELLE. Le fait de renoncer ou invoquer tardivement ou de ne pas invoquer l’application de la PUA ne saurait valoir, pour l'avenir, renonciation à invoquer la PUA ou à tout autre droit ou recours. Si une stipulation de la présente politique se révélait inexécutoire ou contraire à une disposition légale impérative ou un changement de loi, ce caractère inexécutoire ou invalide n'affecte en rien la validité des autres stipulations de la PUA qui reste en vigueur.
8. QUESTIONS. Si vous n'êtes pas sûr qu'une utilisation ou une action envisagée soit autorisée, veuillez contacter Hyland, au 440-788-5000.
Effective June 6th 2023
Download
1. INTRODUÇÃO.
Esta Política de Uso Aceitável (esta "AUP") aplica-se a todas as pessoas e entidades (coletivamente referidas nesta AUP como "Usuário") que usam os serviços e produtos de software fornecidos pela Hyland Software, Inc. ou suas afiliadas (“Hyland”) em conexão com o Serviço de Nuvem da Hyland. Esta AUP foi projetada para proteger a segurança, integridade, confiabilidade e privacidade da rede da Hyland e os Serviços de Nuvem da Hyland que a Hyland hospeda para seus clientes de hospedagem.
O uso do Serviço de Nuvem da Hyland pelo Usuário constitui a aceitação pelo Usuário dos termos e condições desta AUP em vigor no momento de tal uso. A Hyland se reserva o direito de modificar esta política a qualquer momento, sendo esta modificação ou AUP revisada efetiva imediatamente após a publicação pela Hyland no site da Hyland: https://www.hyland.com/community.
2. OBRIGAÇÕES DO USUÁRIO.
2.1 Uso Indevido. O usuário é responsável por qualquer uso indevido de um Serviço de Nuvem da Hyland. Portanto, o Usuário deve tomar todas as precauções razoáveis para proteger o acesso e o uso de qualquer Serviço de Nuvem da Hyland que usar.
2.2 Restrições de Uso. O Usuário não deve usar um Serviço de Nuvem da Hyland de nenhuma maneira que viole a lei aplicável, incluindo, sem limitação:
(a) Violação ou apropriação indevida de direitos de propriedade intelectual, incluindo direitos autorais, marcas, software, patentes e segredos comerciais;
(b) Envolver-se na promoção, venda, produção, cumprimento ou entrega de drogas ilegais, jogos ilegais, materiais obscenos ou outros produtos e serviços proibidos por lei. Da mesma forma, é proibido solicitar atividades ilegais, mesmo que essas atividades não sejam realmente executadas;
(c) Exibição, transmissão, armazenamento ou disponibilização de material de pornografia infantil;
(d) Transmissão, distribuição ou armazenamento de qualquer material ilegal, incluindo software de criptografia que viole as leis de controle de exportação dos EUA ou que apresente um risco substancial de responsabilidade civil para a Hyland;
(e) Exibição, transmissão, armazenamento ou publicação de informações que constituam calúnia, ofensa, difamação, assédio, obscenidade ou que de outra forma violem a privacidade ou os direitos pessoais de qualquer pessoa;
(f) Exibição ou transmissão de mensagens obscenas, ameaçadoras, abusivas ou assediadoras; ou
(g) Promoção, oferta ou implementação de esquemas financeiros fraudulentos, incluindo pirâmides, transferências ilegítimas de fundos e cobranças em cartões de crédito.
2.3 Atos Proibidos. O Usuário não deve usar um Serviço de Nuvem da Hyland para se envolver em qualquer um dos seguintes atos:
(a) Interferir, obtendo acesso não autorizado ou de outra forma violando a segurança do servidor, rede, computador pessoal, dispositivos de acesso ou controle de rede, software ou dados ou outro sistema da Hyland ou de terceiros, ou tentar realizar qualquer uma das ações acima, incluindo, sem limitação, o uso no desenvolvimento, distribuição ou execução de vírus da Internet, worms, ataques de negação de serviço, inundação da rede ou outras atividades mal-intencionadas destinadas a interromper os serviços de computador ou destruir dados;
(b) Interferir na rede da Hyland ou no uso e aproveitamento do Serviço de Nuvem da Hyland recebidos por outros Usuários autorizados;
(c) Promover ou distribuir software, serviços ou listas de endereços com o objetivo de facilitar o spam;
(d) Fornecer informações falsas ou enganosas em títulos de mensagens ou outro conteúdo, usando nomes de domínio inexistentes ou endereçamento enganoso, ou ocultar ou encobrir informações que identifiquem o ponto de origem ou a via de transmissão de uma mensagem;
(e) Violar direitos de privacidade pessoal;
(f) Enviar e coletar respostas a spam, mensagens eletrônicas não solicitadas ou mensagens em cadeia; e
(g) Envolver-se em qualquer atividade que a Hyland acredite, a seu exclusivo critério, que possa ser prejudicial às operações, imagem ou reputação pública da Hyland.
3. CUMPRIMENTO. Se um Usuário violar esta AUP, a Hyland poderá, dependendo da natureza e gravidade da violação, suspender a hospedagem de qualquer Serviço de Nuvem da Hyland que esse Usuário acessa pelo tempo necessário para que sejam tomadas medidas que, no julgamento razoável da Hyland, impedirão a violação de continuar ou reincidir.
4. NOTIFICAÇÃO. A menos que seja proibido por lei, a Hyland fornecerá ao Usuário uma notificação por escrito por e-mail ou de outra forma sobre uma violação desta AUP, para que tal violação possa ser corrigida sem impacto no Serviço de Nuvem da Hyland; A Hyland também fornecerá ao Usuário um prazo para que o Usuário esteja em conformidade com esta AUP. A Hyland se reserva o direito, no entanto, de agir imediatamente e sem aviso prévio para suspender o Serviço de Nuvem da Hyland em resposta a uma ordem judicial ou notificação governamental de que determinada conduta do Usuário deve ser interrompida ou quando a Hyland determinar razoavelmente: (1) que possa estar exposta a sanções, responsabilidade civil ou ação penal; (2) que tal violação pode causar danos ou interferir na integridade ou operações normais ou segurança da rede ou redes da Hyland com as quais a Hyland está interconectada ou interferir no uso do Serviço de Nuvem da Hyland de outro Cliente da Hyland, outros serviços ou produtos de software; ou (3) que tal violação apresente risco iminente de danos à Hyland ou a outros clientes da Hyland ou seus respectivos empregados. Em outras situações, a Hyland envidará esforços razoáveis para fornecer ao Usuário um aviso com pelo menos 7 (sete) dias corridos de antecedência antes de suspender o Serviço de Nuvem da Hyland. O Usuário é responsável por todas as cobranças ou taxas devidas à Hyland até o momento de suspensão pela Hyland, de acordo com o contrato em vigor entre o Usuário e a Hyland relacionado aos Serviços de Nuvem da Hyland.
5. ISENÇÃO DE RESPONSABILIDADE. A Hyland se isenta de qualquer responsabilidade por danos sofridos pelo Usuário como resultado da resposta da Hyland à violação desta AUP pelo Usuário. O Usuário é o único responsável pelo conteúdo e mensagens transmitidas ou disponibilizadas pelo Usuário usando um Serviço de Nuvem da Hyland. Ao usar um Serviço de Nuvem da Hyland, o Usuário reconhece que a Hyland não tem obrigação de monitorar nenhuma atividade ou conteúdo quanto a violações da lei aplicável ou desta AUP, mas reserva-se o direito de fazê-lo. A Hyland se isenta de qualquer responsabilidade pelo uso inadequado de um Serviço de Nuvem da Hyland pelo usuário e de qualquer responsabilidade por violação de terceiros desta AUP ou lei aplicável.
6. INDENIZAÇÃO. O Usuário concorda em indenizar a Hyland de e contra todas as responsabilidades, obrigações, perdas e danos, além de custos e despesas, incluindo honorários advocatícios razoáveis, decorrentes de qualquer reclamação, dano, perda, responsabilidade, processo ou ação movida contra a Hyland por terceiros, como resultado da conduta do Usuário que viola esta AUP.
7. RENÚNCIA. Nenhuma falha ou atraso no exercício ou no cumprimento desta política constituirá uma renúncia à política ou a qualquer outro direito ou medida. Se qualquer disposição desta política for considerada inexequível devido à lei ou mudança na lei, tal disposição será desconsiderada e as demais disposições da política permanecerão em vigor.
8. DÚVIDAS. Se você não tiver certeza se algum uso ou ação contemplada é permitida, entre em contato com a Hyland pelo telefone XX-1-440-788-5000.
Effective September 28th 2022 to June 6th 2023
DownloadTable of Contents
Effective March 30th 2021 to September 28th 2022
DownloadTable of Contents
HxP Acceptable Use Policy
Effective March 16th 2021
DownloadTable of Contents
HxP and Sharebase Privacy Policy
Effective March 26th 2021
DownloadTable of Contents
- To improve the Service and our other products;
- To continuously evaluate and improve user experience;
- To respond to emails or other requests, comments, or questions;
- To provide customer support;
- To provide you or our Customer with information that we believe may be useful, such as information about products or services we offer;
- To comply with applicable laws, regulations, or legal process as well as industry standards and our company policies;
- To prevent fraud or other misuse, including to protect our rights and the rights of affiliated companies or related third parties;
- To report suspected criminal acts;
- To maintain records of our transactions and communications; or
- To monitor and analyze trends, usage, and activities of users.
- Hyland Affiliates. As an international organization, Personal Information about you may be shared globally throughout Hyland’s international organization. A list of Hyland entities and their contact information is available here. Personal Information may be shared with affiliated companies for any of the purposes set forth in the section above titled “How We Use Your Information.”
- Third Party Service Providers Under Contract with Hyland. For example, data analytics providers, data center providers, website management, law firms, auditors, performance service providers, and other similar providers. We share your Personal Information with these Service Providers so that they can perform certain business functions on Hyland’s behalf.
- Third Party Solution Providers under contract with Hyland. To allow third parties that resell Hyland products and services (“Solution Provider”) to provide customer support and analyze trends, usage, and activities related to users affiliated with that Solution Provider’s customers.
- Other Unaffiliated Third Parties. We may also share your Personal Information with other unaffiliated third parties for the following purposes:
- Required Disclosures. To comply with a court proceeding, in response to a court order, subpoena, civil discovery request, other legal process, or as otherwise required by law.
- Government Agencies. To response to a request by a government agency.
- Legal Compliance and Protections: To comply with the law or to protect the rights, property, or safety of Hyland, our users, or others. This may include sharing information, including Personal Information, with other companies and organizations for fraud protection and credit risk reduction.
- Corporate Transactions: To disclose and transfer your data, including your Personal Information, if applicable:
- To a subsequent owner, co-owner, or operator of the Service or successor database.
- In connection with a corporate merger, consolidation, bankruptcy, the sale of substantially all of our membership interests and/or assets or other corporate change, including to any prospective purchasers.
- To prevent your information from being used by Google Analytics:
- you can install Google’s opt-out browser add-on: https://tools.google.com/dlpage/gaoptout.
- from your android or iOS device, follow these instructions: (1) open the menu located in the upper left corner of the ShareBase Mobile Application,(2) selected the Settings menu; and (3) toggle switch next to “Share Usage Statistics” to “off.”
- To opt out of interest-based advertising, you can visit http://optout.networkadvertising.org/#!/ and follow NAI’s on-screen instructions. Note that if you opt out through the NAI, you will still receive advertising, but the advertising will not be tailored to your interests. In addition, if you opt out through NAI and later delete your cookies, use a different browser, or buy a new device, you will need you opt out of interest-based advertising again.
- Check your mobile device for settings that control ads based on your interactions with the applications on your device. For example, on your iOS device, enable the “Limit Ad Tracking” setting, and on your Android device, enable the “Opt out of Ads Personalization” setting.
- Confirmation that Hyland processes your Personal Information;
- Access to your Personal Information from Hyland;
- Correction of your Personal Information if incomplete, inaccurate, or out-of-date;
- Anonymization, blocking or deletion of unnecessary or excessive Personal Information or Personal Information processed in noncompliance with the provisions of Brazil’s data protection law;
- Portability of your Personal Information to another service or product provider, by means of an express request and subject to commercial and industrial secrecy as long as that Personal Information has not already been anonymized at the time of your request;
- Deletion of personal data processed with the consent of the data subject;
- Information about public and private entities with which Hyland has shared your Personal Information; and
- Information about the possibility of denying consent and the consequences of such denial.
- Essential Cookies: These are cookies that are strictly necessary for the functioning of the website or for performing services that an individual user has requested. Some examples of functions performed by essential cookies are cookies that remember previous actions (e.g., entered text) when navigating back to a page in the same session.
- Analytical Cookies: These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information that analytical cookies collect is aggregated and therefore anonymous. These cookies are used only to improve how a website functions.
- Functional Cookies: These cookies allow the website to remember choices users make and to provide enhanced, personalized features. For example, on our website, these cookies remember users’ language preferences.
- Persistent Cookies: Persistent cookies remain on your device until deleted manually or automatically.
- What web pages you visit on the Service and how long you visit them;
- Information about how you navigate, use, and interact with the Service;
- Your IP address, device identifiers and signatures, and browser type; and
- The language you’ve chosen to read the website.
Hyland Software, Inc.
Attn: PRIVACY INQUIRY
Westlake OH, 44145
Hyland Experience Technical Support
Effective May 3rd 2024
DownloadTable of Contents
Technical Support Levels | |||
Digital | Premier | Signature | |
Initial Response Target | N/A | P1 and P2: 60 minutes* P3 and P4: 1 Business Day P5 and P6: 2 Business Days | P1 and P2: 30 minutes* P3 and P4: 1 Business Hour P5 and P6: 4 Business Hours |
Issue Update Frequency Target | N/A | P1 and P2: Hourly P3 - P6: 2 Business Days | P1 and P2: Conference bridge** P3 - P6: Business Daily |
Priority Level | Description | Hyland Response |
Level 1 (P1) | Total or substantial failure of Hyland Experience. | Hyland will match Customer’s effort, up to and including 24-hour days, 7 days a week. |
Level 2 (P2) | All of Customer’s users are unable to access an entire portion of Hyland Experience. | Hyland will match Customer’s effort, up to and including 24-hour days, 7 days a week. |
Level 3 (P3) | Hyland Experience is usable except there is an ongoing, system-wide, severe performance degradation. | Hyland will match Customer’s efforts during Business Days, up to 16 hours/day. |
Level 4 (P4) | Hyland Experience is usable except a specific feature or functionality is not working. | Hyland will use reasonable efforts during Business Hours. |
Level 5 (P5) | Hyland Experience is usable except for a trivial inconvenience. | Hyland will use reasonable efforts during Business Hours. |
Level 6 (P6) | All other matters, including “how to” requests and questions about the Documentation. | Hyland will use reasonable efforts during Business Hours. |
Effective March 30th 2021 to May 3rd 2024
DownloadTable of Contents
Severity Level | Description | Hyland Response |
Level 1 | “Level 1” means any error or issue in the Hyland Experience Service that causes total or substantial Hyland Experience Service failure, which means that the Hyland Experience Service is down and Customer is unable to access the Hyland Experience Service in any way. | Upon receiving notification from Customer, Hyland’s support Team Leader will immediately notify a support Manager. Within thirty (30) minutes, the Manager will notify a member of Senior Management or a Vice President. To provide a Resolution, Hyland will work up to and including 24 hour days, 7 days a week, through holidays and weekends until there is a Resolution, provided Customer remains accessible by phone for troubleshooting from the time Hyland receives the notification through Resolution. |
Level 2 | “Level 2” means an error or issue in the Hyland Experience Service that causes substantial Hyland Experience Service failure which prevents a portion of Customer’s users from accessing the Hyland Experience Service in any way. | Upon receiving notification from Customer, Hyland’s support Team Leader will notify a support Manager within sixty (60) minutes. Within two (2) hours, the Manager will notify a member of Senior Management or Vice President. To provide a Resolution, Hyland will work up to 24 hour days, 7 days a week, through holidays and weekends until there is a Resolution, provided Customer remains accessible by phone for troubleshooting from the time Hyland receives the notification through Resolution. |
Level 3 | “Level 3” means that the Hyland Experience Service is usable except that an error or issue in the Hyland Experience Service causes an ongoing, system-wide, severe performance degradation. | To provide a Resolution, Hyland will work up to 5 days/week, 16 hours/day, through holidays and weekends until there is a Resolution, provided Customer remains accessible by phone for troubleshooting from the time Hyland receives the notification through Resolution. |
Level 4 | “Level 4” means that the Hyland Experience Service is usable except that an error or issue in the Hyland Experience Service prevents a specific feature or functionality from working. | To provide a Resolution, Hyland will use commercially reasonable efforts during regular support hours. |
Level 5 | “Level 5” means that the Hyland Experience Service is usable except that an error or issue in the Hyland Experience Service causes a trivial inconvenience and the task can be completed in another way. | Standard Hyland Experience Service Support. |
Level 6 | “Level 6” means Technical Support Services. | Standard Hyland Experience Service Support. |
Hyland Experience Security
Effective May 3rd 2024
DownloadTable of Contents
Effective March 30th 2021 to May 3rd 2024
DownloadTable of Contents
- Risk Management.
- Conducting an annual risk assessment designed to identify threats and vulnerabilities in the administrative, physical, legal, regulatory, and technical safeguards used to protect the Hyland Experience Service.
- Maintaining a documented risk remediation process to assign ownership of identified risks, establish remediation plans and timeframes, and provide for periodic monitoring of progress.
- Information Security Program.
- Maintaining a documented comprehensive Hyland Experience Service information security program. This program will include policies and procedures based on industry standard practices, which may include ISO 27001/27002, or other equivalent standards.
- Such information security program shall include, as applicable: (i) adequate physical and cyber security where Customer Data will be processed and/or stored; and (ii) reasonable precautions taken with respect to Hyland personnel employment.
- These policies will be reviewed and updated by Hyland management annually.
- Organization of Information Security. Assigning security responsibilities to appropriate Hyland individuals or groups to facilitate protection of the Hyland Experience Service and associated assets.
- Human Resources Security.
- Hyland employees undergo comprehensive screening during the hiring process. Background checks and reference validation will be performed to determine whether candidate qualifications are appropriate for the proposed position. Subject to any restrictions imposed by applicable law and based on jurisdiction, these background checks include criminal background checks, employment validation, and education verification as applicable.
- Ensuring all Hyland employees are subject to confidentiality and non-disclosure commitments before access is provisioned to the Hyland Experience Service or Customer Data.
- Ensuring applicable Hyland employees receive security awareness training designed to provide such employees with information security knowledge to provide for the security, availability, and confidentiality of Customer Data.
- Upon Hyland employee separation or change in roles, Hyland shall ensure any Hyland employee access to the Hyland Experience Service is revoked in a timely manner and all applicable Hyland assets, both information and physical, are returned.
- Asset Management.
- Maintaining asset and information management policies and procedures. This includes ownership of assets, an inventory of assets, classification guidelines, and handling standards pertaining to Hyland assets.
- Maintaining media handling procedures to ensure media containing Customer Data as part of the Hyland Experience Service is encrypted and stored in a secure location subject to strict physical access controls.
- When a Hyland Experience Service storage device has reached the end of its useful life, procedures include a decommissioning process that is designed to prevent Customer Data from being exposed to unauthorized individuals using the techniques recommended by NIST to destroy data as part of the decommissioning process.
- If a Hyland storage device is unable to be decommissioned using these procedures, the device will be virtually shredded, degaussed, purged/wiped, or physically destroyed in accordance with industry-standard practices.
- Access Controls.
- Maintaining a logical access policy and corresponding procedures. The logical access procedures will define the request, approval and access provisioning process for Hyland personnel. The logical access process will restrict Hyland user (local and remote) access based on Hyland user job function (role/profile based, appropriate access) for applications and databases. Hyland user access recertification to determine access and privileges will be performed periodically. Procedures for onboarding and offboarding Hyland personnel users in a timely manner will be documented. Procedures for Hyland personnel user inactivity threshold leading to account suspension and removal threshold will be documented.
- Limiting Hyland’s access to Customer Data to its personnel who have a need to access Customer Data as a condition to Hyland’s performance of the services under this Agreement. Hyland shall utilize the principle of “least privilege” and the concept of “minimum necessary” when determining the level of access for all Hyland users to Customer Data. Hyland shall require strong passwords subject to complexity requirements and periodic rotation and the use of multi-factor authentication.
- Ensuring strict access controls are in place for Customer Data access by Hyland. Customer administrators control its user access, user permissions, and Customer Data retention to the extent such controls are available to Customer with respect to the Hyland Experience Service.
- System Boundaries.
- Hyland is not responsible for any system components that are not within the Hyland Cloud Platform, including network devices, network connectivity, workstations, servers, and software owned and operated by the Customer or other third parties. Hyland may provide support for these components at its reasonable discretion.
- The processes executed within the Hyland Cloud Platform are limited to those that are executed by a Hyland employee (or Hyland authorized third party) or processes that are executed within Hyland’s established system boundaries, in whole. This includes, but is not limited to, hardware installation, software installation, data replication, data security, and authentication processes.
- Certain business processes may cross these boundaries, meaning one or more tasks are executed outside of Hyland’s established system boundaries for the Hyland Cloud Platform, one or more tasks are executed by individuals who are not Hyland personnel (or authorized third-parties), or one or more tasks are executed based on written requests placed by Customer. In such event, Hyland will provide support for such processes to the extent they occur within Hyland’s established system boundaries, but Hyland is not responsible for providing support for such processes to the extent they occur outside of such established system boundaries. At its reasonable discretion, Hyland may provide limited support for processes that occur outside such established system boundaries for the Hyland Cloud Platform. Examples of business processes that cross these boundaries include, but are not limited to, Hyland Experience Service configuration changes, processing that occurs within the Hyland Experience Service, user authorization, and file transfers.
- Encryption.
- Customer Data shall only be uploaded to the Hyland Experience Services in an encrypted format such as via SFTP, TLS, or other equivalent method.
- Customer Data shall be encrypted at rest.
- Where use of encryption functionality may be controlled or modified by Customer, in the event Customer elects to modify the use of or turn off any encryption functionality, Customer does so at its own risk.
- Physical and Environment Security.
- The Hyland Cloud Platform uses data centers or third party service providers who have demonstrated compliance with one or more of the following standards (or a reasonable equivalent): International Organization for Standardization (“ISO”) 27001 and/or American Institute of Certified Public Accountants (“AICPA”) Service Organization Controls (“SOC”) Reports for Services Organizations. These providers provide Internet connectivity, physical security, power, and environmental systems and other services for the Hyland Cloud Platform.
- Hyland uses architecture and technologies designed to promote both security and high availability.
- Operations Security.
- Maintaining documented Hyland cloud operating procedures.
- Maintaining change management controls to ensure changes to Hyland Experience Service production systems made by Hyland are properly authorized and reviewed prior to implementation. Customer is responsible for testing all configuration changes, authentication changes and upgrades implemented by Customer or implemented by Hyland at the request of Customer prior to production use of the Hyland Experience Service. In cases where the Customer relies upon Hyland to implement changes on its behalf, a written request describing the change must be submitted (e.g. an e-mail, or another method provided by Hyland) by Customer’s designated Customer Security Administrators (“CSAs”) or set forth in a Services Proposal. Hyland will make scheduled configuration changes that are expected to impact Customer access to their Hyland Experience Service during a planned maintenance window. Hyland may make configuration changes that are not expected to impact Customer during normal business hours.
- Monitoring usage and capacity levels within the Hyland Cloud Platform to adequately and proactively plan for future growth.
- Utilizing virus and malware protection technologies, which are configured to meet common industry standards designed to protect the Customer Data and equipment located within the Hyland Cloud Platform from virus infections or similar malicious payloads.
- Implementing disaster recovery and business continuity procedures. These will include replication of Customer Data to a secondary location.
- Maintaining a system and security logging process to capture system logs deemed critical by Hyland. These logs shall be maintained for at least six months and reviewed on a periodic basis.
- Maintaining system hardening requirements and configuration standards for components deployed within the Hyland Cloud Platform. Ensuring servers, operating systems, and supporting software used in the Hyland Cloud Platform receive all Critical and High security patches within a timely manner, but in no event more than 90 days after release, subject to the next sentence. In the event any such security patch would materially adversely affect the Hyland Experience Service, then Hyland will use reasonable efforts to implement compensating controls until a security patch is available that would not materially adversely affect the Hyland Experience Service.
- Conducting Hyland Cloud Platform vulnerability scans or analysis on at least a quarterly basis and remediate all critical and high vulnerabilities identified in accordance with its patch management procedures.
- Conducting Hyland Cloud Platform penetration tests at least annually.
- Communications Security
- Implementing Hyland Cloud Platform security controls to protect information resources within the Hyland Cloud Platform.
- When supported, upon implementation and once annually thereafter, Customer may request Hyland limit access to Customer’s Hyland Experience Service to a list of pre-defined IP addresses at no additional cost.
- Supplier Relationships. Maintaining a Vendor Management Program for its critical vendors. This program will ensure critical vendors are evaluated on an annual basis.
- Security Incident.
- Employing incident response standards that are based upon applicable industry standards, such as ISO 27001 and National Institute for Standards and Technology (“NIST”), to maintain the information security components of the Hyland Experience Service environment.
- Responses to these incidents follow the Hyland documented incident response sequence. This sequence includes the incident trigger phase, evaluation phase, escalation phase, response phase, recovery phase, de-escalation phase, and post-incident review phase.
- If Hyland has determined Customer’s Hyland Experience Service has been negatively impacted by a security incident, Hyland will deliver a root cause analysis summary. Such notice will not be unreasonably delayed, but will occur after initial corrective actions have been taken to contain the security threat or stabilize the Hyland Experience Service.
- The root cause analysis will include the duration of the event, resolution, technical summary, outstanding issues, and follow-up, including steps Customer needs to take in order to prevent further issues. Hyland Experience Service information including data elements that require additional confidentiality and security measures (including that of other customers impacted in the event) will not be publicly disclosed. If Customer needs additional details of an incident, a request to the Hyland GCS Support team must be submitted and handled on a case by case basis. The release of information process may require an on-site review to protect the confidentiality and security of the requested information.
- Hyland will notify Customer of a Security Incident within 48 hours. A “Security Incident” means a determination by Hyland of an actual disclosure of unencrypted Customer Data to an unauthorized person or entity that compromises the security, confidentiality, or integrity of the Customer Data.
- Information Security Aspects of Business Continuity Management.
- Maintaining a business continuity and disaster recovery plan.
- Reviewing and testing this plan annually.
- Aggregated Data.
- Hyland owns all Customer and User registration and billing data collected and used by Hyland that is required for user set-up, use and billing for the Hyland Experience Service (“Account Information”) and all aggregated, anonymized and statistical data derived from the use and operation of the Hyland Experience Service, including without limitation, the number of records in the Hyland Experience Service, the number and types of transactions, configurations, and reports processed as part of the Hyland Experience Service and the performance results of the Hyland Experience Service (the “Aggregated Data”).
- Hyland may utilize the Account Information and Aggregated Data for purposes of operating Hyland’s business. For clarity, Account Information and Aggregated Data does not include Customer Data.	
- Audit and Security Testing.
- Monitoring its compliance with its information security program. This includes periodic internal reviews. Results are shared with Hyland leadership and deviations tracked through to remediation.
- Maintaining a periodic external audit program. Completed attestations, such as available SOC 2 reports, are provided to Customer upon written request.
- Customer may conduct audits of Hyland’s operations that participate in the ongoing delivery and support of the Hyland Experience Service purchased by Customer on an annual basis; provided Customer provides Hyland written notice of its desire to conduct such audit and the following criteria are met: (a) Hyland and Customer mutually agree upon the timing, scope, and criteria of such audit, which may include the completion of questionnaires supplied by Customer and guided review of policies, practices, procedures, Hyland Experience Service configurations, invoices, or application logs, and (b) Customer agrees to pay Hyland fees (at Hyland’s standard rates) for the Professional Services that are required or requested of Hyland in connection with such audit. Prior to any such audit, any third party engaged by Customer to assist with such audit, must be cleared by Hyland and enter into a Non-Disclosure Agreement directly with Hyland. If any documentation requested by Customer cannot be removed from Hyland’s facilities as a result of physical limitations or policy restrictions, Hyland will allow Customer’s auditors access to such documentation at Hyland’s corporate headquarters in Ohio and may prohibit any type of copying or the taking of screen shots. Where necessary, Hyland will provide private and reasonable accommodation at Hyland’s corporate headquarters in Ohio for data analysis and meetings. Upon reasonable notice, Hyland and Customer mutually agree to make necessary employees or contractors available for interviews in person or on the phone during such audit at Customer’s cost and expense. Customer is prohibited from distributing or publishing the results of such audit to any third party without Hyland’s prior written approval.
- Customer may conduct penetration testing against the public URL used to access the Hyland Experience Service on an annual basis; provided Customer provides Hyland with written notice of its desire to conduct such testing and the following criteria are met: (a) Hyland and Customer mutually agree upon the timing, scope, and criteria of such testing, which may include common social engineering, application, and network testing techniques used to identify or exploit common vulnerabilities including buffer overflows, cross site scripting, SQL injection, and man in the middle attacks, and (b) such testing is at Customer’s cost and expense and Customer pays to Hyland fees (at Hyland’s standard rates) for the Professional Services that are required or requested of Hyland in connection with such testing. Prior to any such testing, any third party engaged by Customer to assist with such testing, must be cleared by Hyland and enter into a Non-Disclosure Agreement directly with Hyland. Customer acknowledges and agrees that any such testing performed without mutual agreement regarding timing, scope, and criteria may be considered a hostile attack, which may trigger automated and manual responses, including reporting the activity to local and federal law enforcement agencies as well as immediate suspension of Customer’s access to or use of the Hyland Experience Service. Customer is prohibited from distributing or publishing the results of such penetration testing to any third party without Hyland’s prior written approval.
Hyland Experience Service Levels
Effective April 19th 2024
DownloadTable of Contents
Hyland Experience Service Levels
Service Level Agreements (“SLA”) described in this document pertain to the availability of Hyland Experience. This document does not address Support Services.
Service Level Definitions
“Downtime” is calculated as the aggregate time (in minutes) each calendar month, as confirmed by Hyland following written notice from the Customer, that Hyland Experience is Unavailable (as defined below). The length of Downtime will be measured from the time an incident occurs, as confirmed by Hyland, until the time when Hyland confirms that the failure condition(s) reported are no longer present. Downtime does not include any failure conditions which occur due to an Exclusion Event (see below).
“Exclusion Event” means any of the following occurrences:
- System maintenance, whether such maintenance is scheduled (e.g., for upgrading of the Service or its components or for any other scheduled purpose) or unscheduled (due to emergency) which results in the Service being unavailable or inaccessible to Customer.
- Failure of a customer’s or user’s equipment or facilities.
- Acts or omissions of a customer or its user, including but not limited to (a) performance or non-performance of any services by a third party (other than Hyland) contracted by the customer to provide services to the customer or its users related to Hyland Experience, (b) any failure that is not due to fault of Hyland or Hyland’s contracted third-party service provider, (c) failure of any code or configurations managed or written by the customer or any third-party vendor to the customer, or (d) any unauthorized use or access by the customer or any of its users;
- The occurrence of a force majeure event.
- Internet failure or congestion.
- Failure of equipment or systems not within Hyland Experience, or of equipment or systems not provided, or not under the control or direction of Hyland including equipment or systems Hyland may obtain or contract for at the request of the customer; or
- Failures or other failures caused directly or indirectly by known or unknown computer viruses, worms or other malicious programs (assuming Hyland has not breached any of its obligations here or in the applicable agreement relating to virus protection protocols).
“Failover Notice” is a notification made by Hyland to the Customer (which may be made by electronic communication via e-mail or the Community portal) indicating that Hyland is initiating an AWS (Amazon Web Services) Region failover.
“Monthly Fees” is the portion of the recurring fees for Hyland Experience attributable to the month in which the applicable performance deficiency occurs, excluding any taxes, one-time fees, third party fees, travel or expense, professional services or similar additional fees. E.g., if fees are charged annually, the Monthly Fee equals the annual fees divided by 12, subject to the same exclusions above.
Monthly Uptime Percentage. is calculated as the total number of minutes in a calendar month, minus the number of minutes of Downtime (as defined above) in such month, divided by the total number of minutes in such month.
“Recovery Point” means the minimum number of hours (prior to the time Hyland provides a Failover Notice) that the customer’s data must have been stored within Hyland Experience to qualify as eligible data. Customer Data is deemed “eligible” if Hyland confirms it has been stored within the Hyland Cloud Service for a number of hours (prior to the time Hyland provides a Failover Notice) that exceeds the applicable Recovery Point Objective defined in Table 2 below.
“Recovery Time” means the number of hours from the time the required Failover Notice is delivered to the time Hyland Experience has been Restored (excluding any time during that period if/when an Exclusion Event affects both the current primary and secondary data centers).
“Restoration” occurs once access to Hyland Experience has been restored such that:
(1) eligible Customer Data can be retrieved; and
(2) new Customer Data can be input.
“Unavailability” or “Unavailable” refers to a state when Hyland Experience is either unresponsive or responds with an error, thereby preventing access. For clarification: if certain features or functions within Hyland Experience are unavailable while other features remain accessible, this will not be considered “Unavailability,” so long as the unavailable features or functions do not, when combined, significantly hinder the Customer’s use of Hyland Experience.
Service Level Commitments
Table 1: Monthly Uptime Percentages
STANDARD | |
Monthly Uptime Percentage | 99.5% |
Applicable Credit | 10% of the Monthly Fee |
Table 2: Business Continuity
STANDARD | |
Recovery Point Objective (RPO) | 24 Hours |
Applicable Credit | 25% of the Monthly Fee |
Recovery Time Objective (RTO) | 8 Hours |
Applicable Credit | 25% of the Monthly Fee |
Service Level Commitment Terms
Monthly Uptime Percentage. Hyland will meet the Monthly Uptime, as identified in Table 1 above, during each calendar month.
Business Continuity. Hyland shall provide business continuity redundancy via AWS Availability Zones. Hyland Experience does not use multiple AWS Regions. If Hyland delivers a Restoration Notice to Customer, Hyland shall restore Hyland Experience within the applicable Recovery Time Objective set forth in Table 2 above (except to the extent caused or prevented by an Exclusion Event).
Downtime Report. Following the occurrence of a Downtime event, upon request by the customer, Hyland shall provide a report which will include, as applicable, a detailed description of the incident, start and end times of the incident, duration of the incident, business/functional impact of the incident, description of remediation efforts taken, and a description of outstanding issues or tasks relating to the incident.
Exclusive Remedies Terms
Monthly Uptime Percentage. In the event the Monthly Uptime Percentage during any calendar month is less than the applicable Monthly Uptime Percentage set forth in the Table 1 above, the customer shall receive the applicable credit against the fees specified in Table 1 above, provided Customer submitted a technical support request within twenty-four hours of such Downtime.
Maximum Service Level Credit. Notwithstanding anything to the contrary, customers are only entitled to a maximum of one service level credit for all events occurring in a particular calendar month. If available, Customer shall be entitled to only the largest service level credit which may be payable for one or more of the service level failures occurring in such calendar month.
Application of Service Level Credits. Service level credits will be applied first to any outstanding amounts which are due and owing from Customer, and then to future fees.
Termination Remedy. If Customer earns a service level credit either: (a) in two consecutive calendar months, or (b) in three calendar months during any six consecutive month period; then the customer may, by written notice to Hyland delivered within thirty days after the last credit described in either clause or (a) or (b) above is earned, terminate the subscription to Hyland Experience.
Exclusivity. The remedies set forth above constitute the sole and exclusive remedies available to a customer for any failure to meet the service level commitments set forth in this document.
System Maintenance
For the purposes of the Service Level Commitment, Scheduled Maintenance is defined as:
Hyland Scheduled Maintenance Windows. Modifications or repairs to shared infrastructure or platform patching and upgrades that are expected to impact or potentially impact Hyland Experience availability is currently restricted to within the hours of 12 AM to 2 AM, based on the time zone of the impacted AWS Region. Hyland expects that scheduled system maintenance will not exceed 16 hours per month.
Hyland will notify Customer of scheduled system maintenance expected to impact system availability or functionality through the status page (currently, https://status.experience.hyland.com) or through direct communication. Customers must subscribe to the status page to receive notifications. Hyland will use reasonable efforts to notify Customer of unscheduled system maintenance that is expected to impact or potentially impact system availability or functionality. Such notifications will typically be sent at least 24 hours in advance, but to the extent Hyland determines that such maintenance is required sooner due to a security or availability concern (e.g., emergency maintenance is required by Hyland), Hyland will use reasonable efforts to send such notice no less than 2 hours prior to the specified start time.
Effective March 30th 2021 to April 19th 2024
DownloadTable of Contents
- System Maintenance (see “System Maintenance” below);
- failure of Customer’s equipment or facilities;
- acts or omissions of Customer, including but not limited to (a) performance or non-performance of any services by a third party (other than Hyland) contracted by Customer to provide services to Customer related to the Service, (b) any failure that Customer mutually agrees is not due to fault of Hyland or Hyland’s contracted third party service provider, or (c) failure of any code or configurations managed or written by Customer or any third party vendor to Customer;
- the occurrence of a force majeure event (as described in the Agreement);
- Internet failure or congestion;
- Use of the Service by Customer in violation of the Acceptable Use Policy; or Use of the Service by Customer after Hyland has advised Customer to modify its use of the Service, if Customer did not modify its use as advised;
- provided that Hyland has fulfilled its obligations under the Agreement, Service Unavailability or other failures caused directly or indirectly by known or unknown computer viruses, worms or other malicious programs;
- During beta or trial periods as reasonably determined by Hyland.
Service Classes | Silver |
Monthly Uptime Percentage | 99% |
Applicable Credit Determinations | Less than 99% 15% of the Monthly Fees for the Hyland Cloud Service for the calendar month in which the downtime began |
Data Processing Addendum - Brazil
Effective April 29th 2021
DownloadTable of Contents
- DEFINITIONS
- “Controller”, “Processor”, “Processing”, and “National Authority” have the same meanings as in Article 5 of the LGPD.
- “Data Subject” means the subject of Personal Data.
- “Hyland” means Hyland Software, Inc. on behalf of itself and its affiliates. The term affiliates shall be deemed to include any parent company, subsidiary, affiliate of, or entity controlled by (including beneficial control), controlling or under common control with Hyland Software, Inc.
- “Personal Data” means any information received by Service Provider from, or received or created on behalf of, Hyland relating to an identified or identifiable natural person located in Brazil. An “identifiable natural person” is one who can be identified, directly or indirectly, in particular, by reference to an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of the natural person.
- “Personal Data Breach” means breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed when that Personal Data is in the possession of Service Provider or its agents or subcontractors.
- “Required By Law” means that a statute, regulation, court order, or legal process, enforceable in a court of law, mandates the conduct.
- “Sensitive Personal Data” shall have the meaning given to it under Article 5 of the LGPD and also includes information about criminal history.
- “Sub-processor” means an entity that processes Personal Data at the request of Service Provider.
- SERVICE PROVIDER’S PROCESSING OF PERSONAL DATA
- Nature and Purpose of Processing of Personal Data. Service Provider agrees to Process Personal Data solely in accordance with Appendix A.
- Duration of Processing. Service Provider shall Process Personal Data only during the term of the Service Agreement.
- Violation Of Data Protection Law. Service Provider will immediately notify Hyland if Service Provider becomes aware that Service Provider’s compliance with a term or condition of this Addendum has violated, violates, or will violate Service Provider’s or Hyland’s obligations under applicable law.
- Disclosures of Personal Data. Service Provider may not disclose Personal Data to third parties unless the disclosure is (1) Required By Law, or (2) with the prior written consent of Hyland. Before disclosing Personal Data as Required By Law, Service Provider will immediately notify Hyland in writing of such required disclosure and will provide Hyland a reasonable opportunity to object to the request before Service Provider produces any Personal Data in response. Upon request, Service Provider will provide Hyland a copy of any Personal Data disclosed to a third party as Required by Law.
- Cross-Border Data Transfers. Service Provider will not transfer Personal Data outside of Brazil unless (1) Hyland has provided prior written permission for the transfer, and (2) in addition to the other requirements set forth in this Addendum, Service Provider ensures an adequate level of protection in accordance with the LGPD or the transfer falls under a derogation in accordance with the LGPD.
- SERVICE PROVIDER’S SAFEGUARDS FOR PERSONAL DATA
- Confidentiality Of Personal Data. Service Provider will maintain the confidentiality of all Personal Data. Service Provider has required employees responsible for Processing Personal Data to sign a confidentiality agreement prohibiting the disclosure of Personal Data Processed for Hyland to any third party except as permitted by this Addendum or as Required By Law.
- Physical, Technical And Organizational Safeguards. Service Provider shall maintain a comprehensive written information privacy and security program that includes reasonable and appropriate measures to protect against reasonably foreseeable risks to the security, confidentiality, integrity and resilience of Personal Data, which risks could result in the unauthorized disclosure, use, alteration, destruction or other compromise of the Personal Data, including a Personal Data Breach. Such program shall comply with the LGPD concerning the protection of Personal Data and shall include the measures set forth in the Services Agreement and such measures shall not be materially reduced during the Term of the Services Agreement. Service Provider will regularly monitor, test, and update its information security program. Service Provider shall also maintain in accordance with good industry practice, measures to protect Personal Data from interception such as: (i) network protections intended to deny attackers the ability to intercept or access Personal Data; and (ii) anonymization or other measures to deny attackers the ability to read intelligible Personal Data, including encryption in transit between Service Provider and any third party, as permitted by this Agreement. Service Provider will provide Hyland with such information concerning its information security program as Hyland may reasonably request from time to time.
- Reporting Personal Data Breaches. Service Provider shall report to Hyland any Personal Data Breach of which it becomes aware. Service Provider will make such report within 24 hours of Service Provider’s becoming aware of the incident and such report shall include, at a minimum subject to the availability of necessary information, the following: (1) a description of the incident; (2) the date that the incident occurred; (3) the date that Service Provider became aware of the incident; (4) the identity and last known mailing address of each affected Data Subject; (5) the approximate number of affected Personal Data records involved; (6) the affected categories of Personal Data, including Sensitive Personal Data, if any, for each affected Data Subject that was affected; (7) the approximate number of Data Subjects affected; (8) an identification of any law enforcement agency or National Authority that has been contacted about the incident and contact information for the relevant official; (9) a description of the steps that have been, or will be, taken to mitigate the incident; (10) a description of the steps that have been, or will be, taken to prevent a recurrence; (11) the likely consequences of the Personal Data Breach; and (12) contact information for the person at Service Provider principally responsible for responding to the Personal Data Breach.
- Service Provider will update the written report periodically as new information becomes available. All reports required by this provision shall be made to: Hyland Legal Department, Attn: Person In Charge, 28500 Clemens Rd. Westlake, Ohio 44145, 440-788-5000, brazilprivacy@hyland.com, or such other person that Hyland may designate from time to time in writing to Service Provider without amending this Addendum. Service Provider acknowledges that its determination that a particular set of circumstances constitutes a Personal Data Breach shall not be binding on Hyland.
- Mitigation Of Damages By Service Provider And Cooperation in Investigation. Service Provider agrees to take, at its own expense, measures reasonably necessary to mitigate any harmful effect of a Personal Data Breach. Service Provider agrees to cooperate, at its own expense, with Hyland in its investigation of any Personal Data Breach. Service Provider will reimburse Hyland for all imputed and out-of-pocket costs reasonably incurred by Hyland in connection with the Personal Data Breach, including, but not limited to, costs related to provision of notices to affected Data Subjects and to any services offered to affected Data Subjects.
- Notifications Related To A Personal Data Breach. Service Provider acknowledges that Hyland shall determine (1) whether and when to notify any National Authority and which National Authority to notify; (2) who will provide notice to Data Subjects with respect to any Personal Data Breach; (3) the content of any such notice(s); (4) the timing for, and method of, delivery of any such notice(s); and (5) the products or services, if any, to be offered to affected Data Subjects. Service Provider shall not disclose the fact that a Personal Data Breach has occurred, or any details related to a Personal Data Breach to any third party without Hyland’s written consent, unless otherwise Required By Law.
- SERVICE PROVIDER’S ASSISTANCE WITH AUDITS AND REQUESTS FROM DATA SUBJECTS
- Information Technology Audits. Service Provider will permit Hyland, directly or through a contractor, to conduct audits of the information technology and information security controls to ensure that: (i) Service Provider is in compliance with this Addendum; and (ii) Service Provider provides the appropriate level of security for the Personal Data.
- Requests For Impact Assessment Information. Service Provider shall promptly provide the information requested by Hyland to assist in conducting a data protection impact assessment pursuant to the LGPD.
- Requests Directed to Service Provider. Service Provider agrees to assist Hyland in responding to a request from a Data Subject to exercise any of his/her rights as provided for under the LGPD. In the event a Data Subject submits such a request with respect to the Data Subject’s Personal Data, Service Provider agrees to comply with the request within five (5) business days of receiving the request from Hyland. Service Provider will immediately provide Hyland with any requests concerning Personal Data that are sent directly to Service Provider from parties other than Hyland.
- SERVICE PROVIDER’S SUB-PROCESSORS
- Consent To Processing By Sub-Processors. Service Provider will not disclose Personal Data to any sub-processor without Hyland’s prior written consent. In the event that Hyland consents to Service Provider’s disclosure of Personal Data to a sub-processor, Service Provider shall remain responsible for, and remain liable to, Hyland for, the acts and omissions of such sub-processor as if they were Service Provider’s own acts and omissions.
- Sub-processors’ Physical, Technical And Administrative Safeguards: Service Provider shall obtain reasonable assurances, in writing, from any sub-processor to whom Service Provider discloses Personal Data. Such assurances shall include at least the following: that the sub-processor (1) will comply with substantially the same restrictions and conditions on Processing of Personal Data that this Addendum imposes on Service Provider, including the restrictions on cross-border data transfers; (2) will implement reasonable and appropriate physical, technical and organizational safeguards to protect Personal Data in compliance with the LGPD; and (3) will notify Service Provider within 24 hours of becoming aware of any Personal Data Breach involving Personal Data.
- SERVICE PROVIDER’S OBLIGATIONS UPON TERMINATION OF THE SERVICE AGREEMENT
- Return Or Destruction Of Personal Data. Upon Hyland's written instruction, Service Provider shall return or destroy Personal Data. If Hyland directs Service Provider to destroy the Personal Data, Service Provider shall do so in a manner reasonably intended to prevent recovery of the Personal Data and shall certify to the same in writing.
- Service Provider’s Retention Of Personal Data. If local law requires Service Provider to retain a copy of any Personal Data, then Service Provider shall (1) notify Hyland of such requirement, (2) extend the protections of this Addendum to the retained Personal Data and (3) limit further Processing of the retained Personal Data to those purposes Required By Law for as long as Service Provider maintains the Personal Data.
- Survival. Service Provider’s obligations and duties under this Addendum with respect to Personal Data shall survive the termination of the Service Agreement and of this Addendum and shall continue for as long as the Personal Data remains in the possession of Service Provider or of its sub-processors.
- MISCELLANEOUS TERMS
- Indemnification. Service Provider shall defend and indemnify Data Processor, its parent and subsidiary corporations, officers, directors, employees and agents for any and all claims, charges, inquiries, investigations, costs, reasonable attorneys’ fees, monetary penalties, and damages incurred by Hyland and/or its parent or subsidiary corporations, officers, directors, employees and agents resulting from (1) any Processing of Personal Data not permitted by the Services Agreement including this Addendum, (2) any Personal Data Breach involving Personal Data in the possession, custody or control of Service Provider or its sub-processors, in the event such Personal Data Breach results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- Indemnification Process. The foregoing indemnification obligations are conditioned upon Hyland: (1) notifying Service Provider promptly in writing of any claim, charge, inquiry, or investigation as described in Section 7.1 above; (2) reasonably cooperating and assisting in defense of such claim, charge, inquiry, or investigation; and (3) giving sole control of the defense and any related settlement negotiations to Service Provider with the understanding that Service Provider may not settle any claim in a manner that admits guilt or otherwise prejudices Hyland, without Hyland’s consent.
- Construction. This Addendum supersedes any inconsistent provisions in the Services Agreement and/or other existing agreements between the Hyland and Service Provider with respect to Service Provider’s obligation to safeguard Personal Data.
Subject Matter and During of the Processing | The subject matter of the Processing is Service Providers provision of Services under the Services Agreement. The duration of the Processing is the term of the Services Agreement, and any exit period, if applicable. |
Nature and Purpose of the Processing | The purpose of the Processing is to provide the Services as set forth in the Services Agreement. The nature of the Processing may include, but is not limited to, collection, recording, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
Type of Personal Data Processed | The Personal Data transferred may concern the following categories of data subjects: Employees - Past, potential, present and future staff of Hyland (including job candidates, volunteers, agents, independent contractors, interns, temporary and casual workers). Vendors - Past, present and potential advisors, consultants, vendors, contractors, subcontractors and other professionals engaged by Hyland and related staff. Website visitors – Individuals who visit any Hyland owned or operated website. Hyland Customers or End Users (collectively, “Customers”) – (a) Past, present and potential Customers of Hyland, and (b) data subjects whose Personal Data is uploaded or provided by Customers to Hyland during use of Hyland’s services or products. |
Categories of Personal Data Processed | The Personal Data transferred may concern the following categories: Employees Identification data: civil/marital status; first and last name; photograph; date and place of birth; nationality; corporate identifier; gender. Contact details: address; telephone number (fixed and mobile); email address; fax number; emergency contact information. Employment details: job title; company name; grade, occupation code; geographic location; employee performance and evaluation data; employee discipline information; information regarding previous roles and employment; employee benefits information such as election decisions, leave requests, authorization/declination, health insurance company. National identifiers: national ID/passport number; tax ID; government identification number; driver's license, visa or immigration status. Academic and professional qualifications: degrees; titles; skills; language proficiency; training information; employment history; CV/résumé. Financial data: bank account number; IBAN number; bank details including bank name, bank code, sort code; salary and compensation data; bonuses; pension qualification information; payroll data; tax class; tax office name. IT related data: computer ID; user ID and password; domain name; IP address; log files; software and hardware inventory; software usage pattern tracking information (i.e., cookies and information recorded for operation and training purposes). Lifestyle: hobbies; social activities; holiday preferences. Vendors Identification data: first and last name; date of birth; place of birth; nationality; photograph; vendor ID. Contact details: address; professional email address; professional telephone number (including mobile telephone number). Professional details: job title; employer; academic and professional qualifications; data related to transactions involving goods and services. National identifiers: tax ID; government identification number. Financial data: bank account number; bank details. Website visitors IT-related data: unique device identifiers, dynamic and static Internet Protocol addresses, as well as other information, such as browser characteristics, language preferences, operating system details, referring URLs, length of visits, and pages viewed. Customers, potential Customers and/or their staff, each as applicable Contact information (including name, physical address, e-mail and telephone numbers); Employer; Job title; Login credentials; Account profile, including interests and photograph; Applications for Hyland’s educational opportunities, including name, contact information, references, programming experience, and application essays; Dietary preferences and restrictions; Order information for trainings courses; Training records including courses taken, certifications completed, and scores and grades; Questions, feedback, comments and other postings, including through https://community.hyland.com; Other information the Customer chooses to provide; Information provided by third parties: data relating to the Customer, potential Customer or staff having clicked on a Hyland advertisement posted on a third party website; Information provided by third parties, where a Customer attends a Hyland event sponsored by a third party: including name, e-mail address, and phone number; Versions of Hyland Group company software used and how the software is being used (what functions, how often etc.); bank account number; bank details; credit card details; purchasing history; return history; cancellation history; and Personal Data submitted by a Customer in the course of the Customer's use of Hyland's Services or during the performance of Services under the Service Agreement. |
Categories of Sensitive Personal Data Processed | No collection of any sensitive data by a Service Provider is anticipated other than employee data required to provide Services in connection with valid employment purposes or to the extent required by applicable law. Such collection will only concern limited sensitive data, for example, health-related information for the purpose of managing employee absences, or disabilities in order to provide access to our premises. |
Data Processing Addendum - GDPR
Effective April 29th 2021
DownloadTable of Contents
- “Controller”, “Processor”, “Processing”, and “Supervisory Authority” have the same meanings as in Article 4 of the GDPR.
- “Data Subject” means the subject of Personal Data.
- "Data Protection Law" means: (i) EU Regulation 2016/679 (General Data Protection Regulation) (the "GDPR"); (ii) EU Directive 2002/58/EC (the "ePrivacy Directive"); (iii) after European Union law no longer applies in the United Kingdom, the data protection laws of the relevant territories of the United Kingdom; and (iv) any and all applicable national data protection laws made under or pursuant to (i), (ii) or (iii), in each case as may be amended or superseded from time to time.
- “EU Model Clauses” means standard contractual clauses adopted or approved by the European Commission for transfers under the GDPR (and if more than one set of such clauses may apply to a transfer, the most recent such set).
- “Hyland” means Hyland Software, Inc. on behalf of itself and its affiliates. The term affiliates shall be deemed to include any parent company, subsidiary, affiliate of, or entity controlled by (including beneficial control), controlling or under common control with Hyland.
- “Personal Data” means any information received by Service Provider from, or received or created on behalf of, Hyland relating to an identified or identifiable natural person located in the European Economic Area, the UK or Switzerland. An “identifiable natural person” is one who can be identified, directly or indirectly, in particular, by reference to an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of the natural person.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed when that Personal Data is in the possession of Service Provider or its agents or subcontractors.
- “Required By Law” means that a statute, regulation, court order, or legal process, enforceable in a court of law, mandates the conduct.
- “Sensitive Personal Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, sex life, or sexual orientation, genetic data and biometric data when Processed for the purpose of uniquely identifying a natural person, and also includes information about criminal history.
- “Sub-processor” means an entity that processes Personal Data at the request of Service Provider.
- SERVICE PROVIDER’S PROCESSING OF PERSONAL DATA
- Nature and Purpose of Processing of Personal Data. Service Provider agrees to Process Personal Data solely in accordance with Appendix A.
- Duration of Processing. Service Provider shall Process Personal Data only during the term of the Services Agreement.
- Violation Of Data Protection Law. Service Provider will immediately notify Hyland if Service Provider becomes aware that Service Provider’s compliance with a term or condition of this DPA has violated, violates, or will violate Service Provider’s or Hyland’s obligations under applicable law.
- CROSS-BORDER DATA TRANSFERS
- Service Provider will not transfer Personal Data outside of the European Economic Area, which term shall include the United Kingdom (“EEA”) (but only for so long as transmission of personal data from the EEA to the United Kingdom is not considered as a transfer to a third country under European Union law), unless it has taken such measures as are necessary to ensure the transfer is in compliance with Data Protection Law. Such measures may include (without limitation) transfers to any country or territory and/or sector that is at the time subject to a current finding by the European Commission of adequate protection, to a recipient that has achieved binding corporate rules authorization in accordance with Data Protection Law, or under any derogation permitted by Data Protection Law.
- To the extent that Service Provider transfers Personal Data outside the EEA in connection with the Services provided under the Services Agreement, and such transfer is not covered by any measure set forth in Section 3.1, the relevant transfer shall be governed by the appropriate EU Model Clauses, with the data importer being the Service Provider or other approved Sub-Processor and, as appropriate:
- the data exporter being Hyland and the governing law being that of where the applicable Hyland entity is established;
- the data exporter being the applicable Hyland customer and the governing law being that of where the applicable customer is located;
- Sections 3.1 and 3.2 shall apply equally to any transfers made from the United Kingdom to a recipient outside the United Kingdom in a territory and/or sector that has not been designated under Data Protection Laws as ensuring an adequate level of protection, with references in those clauses to EU Model Clauses being read as references to standard data protection clauses specified under Data Protection Laws as providing appropriate safeguards for transfers, and such clauses shall be deemed completed with the information stated in Sections 3.1 and 3.2 mutatis mutandis as appropriate.
- Where Personal Data originating in Switzerland is Processed by Service Provider (including a Sub-processor) outside Switzerland in a territory and sector that has not been designated as ensuring an adequate level of protection pursuant to Swiss laws Sections 3.1 and 3.2 shall apply mutatis mutandis but with the amendments stated in the Addendum hereto.
- SERVICE PROVIDER’S SAFEGUARDS FOR PERSONAL DATA
- Confidentiality Of Personal Data. Service Provider will maintain the confidentiality of all Personal Data. Service Provider will require employees responsible for Processing Personal Data to sign a confidentiality agreement prohibiting the disclosure of Personal Data to any third party except as permitted by this DPA or as Required By Law.
- Physical, Technical And Organizational Safeguards. Service Provider shall maintain a comprehensive written information privacy and security program that includes reasonable and appropriate measures to protect against reasonably foreseeable risks to the security, confidentiality, integrity and resilience of Personal Data, which risks could result in the unauthorized disclosure, use, alteration, destruction or other compromise of the Personal Data, including a Personal Data Breach. Such program shall comply with Article 32 of the GDPR and local laws concerning the protection of Personal Data and shall include the measures set forth in the Services Agreement and such measures shall not be materially reduced during the Term of the Services Agreement. Service Provider will regularly monitor, test, and update its information security program. Service Provider shall also maintain in accordance with good industry practice, measures to protect Personal Data from interception such as: (i) network protections intended to deny attackers the ability to intercept or access Personal Data; and (ii) anonymization or other measures to deny attackers the ability to read intelligible Personal Data, including encryption in transit between Service Provider and any third party, as permitted by this Agreement. Service Provider will provide Hyland with such information concerning its information security program as Hyland may reasonably request from time to time.
- Reporting Personal Data Breaches. Service Provider shall report to Hyland any Personal Data Breach of which it becomes aware. Service Provider will make such report orally to Hyland within 24 hours of Service Provider’s becoming aware of the incident followed by a report in writing (e-mail is acceptable) within 24 hours of the initial oral report. The written report shall include, at a minimum subject to the availability of necessary information, the following: (1) a description of the incident; (2) the date that the incident occurred; (3) the date that Service Provider became aware of the incident; (4) the identity and last known mailing address of each affected Data Subject; (5) the approximate number of affected Personal Data records involved; (6) the affected categories of Personal Data, including Sensitive Personal Data, if any, for each affected Data Subject that was affected; (7) the approximate number of Data Subjects affected; (8) an identification of any law enforcement agency or Supervisory Authority that has been contacted about the incident and contact information for the relevant official; (9) a description of the steps that have been, or will be, taken to mitigate the incident; (10) a description of the steps that have been, or will be, taken to prevent a recurrence; (11) the likely consequences of the Personal Data Breach; and (12) contact information for the person at Service Provider principally responsible for responding to the Personal Data Breach.
- Service Provider will update the written report periodically as new information becomes available. All reports required by this provision shall be made to: Hyland Legal Department, Attn: Privacy Officer, 28500 Clemens Rd. Westlake, Ohio 44145, 440-788-5000, privacy@hyland.com. Service Provider acknowledges that its determination that a particular set of circumstances constitutes a Personal Data Breach shall not be binding on Hyland.
- Mitigation Of Damages By Service Provider And Cooperation in Investigation. Service Provider agrees to take, at its own expense, measures reasonably necessary to mitigate any harmful effect of a Personal Data Breach. Service Provider agrees to cooperate, at its own expense, with Hyland in its investigation of any Personal Data Breach. Service Provider will reimburse Hyland for all imputed and out-of-pocket costs reasonably incurred by Hyland in connection with the Personal Data Breach, including, but not limited to, costs related to provision of notices to affected Data Subjects and to any services offered to affected Data Subjects.
- Notifications Related To A Personal Data Breach. Service Provider acknowledges that Hyland shall determine (1) whether and when to notify any Controller (if applicable) or Supervisory Authority and which Supervisory Authority to notify; (2) who will provide notice to Data Subjects with respect to any Personal Data Breach; (3) the content of any such notice(s); (4) the timing for, and method of, delivery of any such notice(s); and (5) the products or services, if any, to be offered to affected Data Subjects. Service Provider shall not disclose the fact that a Personal Data Breach has occurred or any details related to a Personal Data Breach to any third party without Hyland’s written consent, unless otherwise Required By Law.
- Third Party Access Requests. In the event Service Provider receives a non-compulsory request from any third party, including without limitation, any law enforcement, regulatory, judicial or governmental authority, for disclosure of or access to Personal Data, Service Provider will not disclose or provide such access unless instructed to do so by Hyland. In the event Service Provider receives a compulsory order issued at the request of any third party, including without limitation any law enforcement, regulatory, judicial or governmental authority for disclosure of or access to Personal Data, Service Provider will prior to any disclosure or provision of access:
- promptly notify Hyland of such order, unless prohibited by law, and, if so prohibited from notifying Hyland, seek to obtain the right to waive such prohibition in favor of promptly communicating to Hyland as much information as possible; and
- inform the third party that: (i) Service Provider is a Processor of such transferred Personal Data and that Hyland has not authorised the disclosure of Personal Data to the third party; and (ii) any and all requests or demands for disclosure of or access to such transferred Personal Data should therefore be notified to or served upon Hyland; and
- Only disclose such transferred Personal Data to the extent Service Provider is legally required to do so in accordance with an applicable lawful process, and prior to any such transfer, use reasonable efforts to challenge the scope or validity of any order that Service Provider reasonably believes to be overly broad.
- Service Provider will maintain, in accordance with good industry practice, measures to protect Personal Data from interception such as: (a) network safeguards intended to deny attackers the ability to access Personal Data; and (b) other measures to deny attackers the ability to read intelligible Personal Data, including encryption in transit between Service Provider to Hyland and from Service Provider to any Sub-Processor.
- SERVICE PROVIDER’S ASSISTANCE WITH AUDITS AND DATA SUBJECT REQUESTS
- Availability Of Records Of Processing. Service Provider shall promptly, after a reasonable request from Hyland, make available to Hyland all information necessary to demonstrate the Controller’s compliance with the obligations established by Article 28 of the GDPR.
- Information Technology Audits. Service Provider will permit Hyland, directly or through a contractor, to conduct site audits of the information technology and information security controls for all facilities used to Process Personal Data so that Hyland can ensure that Service Provider provides the appropriate level of security for the Personal Data.
- Requests For Impact Assessment Information. Service Provider shall promptly provide the information requested by Hyland to assist in conducting a data protection impact assessment pursuant to Articles 35 and 36 of the GDPR.
- Requests Directed to Service Provider. Service Provider agrees to assist Hyland in responding to a request from a Data Subject to exercise any of his/her rights as provided for under the GDPR. In the event a Data Subject submits such a request with respect to the Data Subject’s Personal Data, Service Provider agrees to comply with the request within 5 business days of receiving the request from Hyland. Service Provider will immediately provide Hyland with any requests concerning Personal Data that are sent directly to Service Provider from parties other than Hyland.
- SERVICE PROVIDER’S SUB-PROCESSORS
- Consent To Processing By Sub-Processors. Service Provider will not disclose Personal Data to any third party without Hyland’s prior written consent. In the event that Hyland consents to Service Provider’s disclosure of Personal Data to a Sub-processor, Service Provider shall remain responsible for, and remain liable to, Hyland for, the acts and omissions of such Sub-processor as if they were Service Provider’s own acts and omissions.
- Sub-processors’ Physical, Technical And Administrative Safeguards. Service Provider shall obtain reasonable assurances, in writing, from any Sub-processor to whom Service Provider discloses Personal Data. Such assurances shall include at least the following: that the sub-processor (1) will comply with substantially the same restrictions and conditions on Processing of Personal Data that this DPA imposes on Service Provider, including the restrictions on cross-border data transfers; (2) will implement reasonable and appropriate physical, technical and organizational safeguards to protect Personal Data in compliance with Article 32 of the GDPR; and (3) will notify Service Provider within 24 hours of becoming aware of any Personal Data Breach involving Personal Data.
- SERVICE PROVIDER’S OBLIGATIONS UPON TERMINATION OF THE SERVICE AGREEMENT
- Return Or Destruction Of Personal Data. Upon Hyland's written instruction, Service Provider shall return or destroy Personal Data. If Hyland directs Service Provider to destroy the Personal Data, Service Provider shall do so in a manner reasonably intended to prevent recovery of the Personal Data and shall certify to the same in writing.
- Service Provider’s Retention Of Personal Data. If local law requires Service Provider to retain a copy of any Personal Data, then Service Provider shall (1) notify Hyland of such requirement, (2) extend the protections of this DPA to the retained Personal Data and (3) limit further Processing of the retained Personal Data to those purposes Required By Law for as long as Service Provider maintains the Personal Data.
- Survival. Service Provider’s obligations and duties under this DPA with respect to Personal Data shall survive the termination of the Services Agreement and of this DPA and shall continue for as long as the Personal Data remains in the possession of Service Provider or of its Sub-processors.
- MISCELLANEOUS TERMS
- Indemnification. Service Provider shall defend and indemnify Hyland, its parent and subsidiary corporations, officers, directors, employees and agents for any and all claims, charges, inquiries, investigations, costs, reasonable attorneys’ fees, monetary penalties, and damages incurred by Hyland and/or its parent or subsidiary corporations, officers, directors, employees and agents resulting from (1) any Processing of Personal Data not permitted by the Services Agreement and this DPA, (2) any Personal Data Breach involving Personal Data in the possession, custody or control of Service Provider or its sub-processors, in the event such Personal Data Breach results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- Indemnification Process. The foregoing indemnification obligations are conditioned upon Hyland: (1) notifying Service Provider promptly in writing of any claim, charge, inquiry, or investigation as described in Section VII.A above; (2) reasonably cooperating and assisting in defense of such claim, charge, inquiry, or investigation; and (3) giving sole control of the defense and any related settlement negotiations to Service Provider with the understanding that Service Provider may not settle any claim in a manner that admits guilt or otherwise prejudices Hyland, without Hyland’s consent.
- Construction. This DPA supersedes any inconsistent provisions in the Services Agreement and/or other existing agreements between the Hyland and Service Provider with respect to Service Provider’s obligation to safeguard Personal Data.
Subject Matter and During of the Processing | The subject matter of the Processing is Service Providers provision of Services under the Services Agreement. The duration of the Processing is the term of the Services Agreement, and any exit period, if applicable. |
Nature and Purpose of the Processing | The purpose of the Processing is to provide the Services as set forth in the Services Agreement. The nature of the Processing may include, but is not limited to, collection, recording, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
Type of Personal Data Processed | The Personal Data transferred may concern the following categories of data subjects: Employees - Past, potential, present and future staff of Hyland (including job candidates, volunteers, agents, independent contractors, interns, temporary and casual workers). Vendors - Past, present and potential advisors, consultants, vendors, contractors, subcontractors and other professionals engaged by Hyland and related staff. Website visitors – Individuals who visit any Hyland owned or operated website. Hyland Customers or End Users (collectively, “Customers”) – (a) Past, present and potential Customers of Hyland, and (b) data subjects whose Personal Data is uploaded or provided by Customers to Hyland during use of Hyland’s services or products. |
Categories of Personal Data Processed | The Personal Data transferred may concern the following categories: Employees Identification data: civil/marital status; first and last name; photograph; date and place of birth; nationality; corporate identifier; gender. Contact details: address; telephone number (fixed and mobile); email address; fax number; emergency contact information. Employment details: job title; company name; grade, occupation code; geographic location; employee performance and evaluation data; employee discipline information; information regarding previous roles and employment; employee benefits information such as election decisions, leave requests, authorization/declination, health insurance company. National identifiers: national ID/passport number; tax ID; government identification number; driver's license, visa or immigration status. Academic and professional qualifications: degrees; titles; skills; language proficiency; training information; employment history; CV/résumé. Financial data: bank account number; IBAN number; bank details including bank name, bank code, sort code; salary and compensation data; bonuses; pension qualification information; payroll data; tax class; tax office name. IT related data: computer ID; user ID and password; domain name; IP address; log files; software and hardware inventory; software usage pattern tracking information (i.e., cookies and information recorded for operation and training purposes). Lifestyle: hobbies; social activities; holiday preferences. Vendors Identification data: first and last name; date of birth; place of birth; nationality; photograph; vendor ID. Contact details: address; professional email address; professional telephone number (including mobile telephone number). Professional details: job title; employer; academic and professional qualifications; data related to transactions involving goods and services. National identifiers: tax ID; government identification number. Financial data: bank account number; bank details. Website visitors IT-related data: unique device identifiers, dynamic and static Internet Protocol addresses, as well as other information, such as browser characteristics, language preferences, operating system details, referring URLs, length of visits, and pages viewed. Customers, potential Customers and/or their staff, each as applicable Contact information (including name, physical address, e-mail and telephone numbers); Employer; Job title; Login credentials; Account profile, including interests and photograph; Applications for Hyland’s educational opportunities, including name, contact information, references, programming experience, and application essays; Dietary preferences and restrictions; Order information for trainings courses; Training records including courses taken, certifications completed, and scores and grades; Questions, feedback, comments and other postings, including through https://community.hyland.com; Other information the Customer chooses to provide; Information provided by third parties: data relating to the Customer, potential Customer or staff having clicked on a Hyland advertisement posted on a third party website; Information provided by third parties, where a Customer attends a Hyland event sponsored by a third party: including name, e-mail address, and phone number; Versions of Hyland Group company software used and how the software is being used (what functions, how often etc.); bank account number; bank details; credit card details; purchasing history; return history; cancellation history; and Personal Data submitted by a Customer in the course of the Customer's use of Hyland's Services or during the performance of Services under the Service Agreement. |
Categories of Sensitive Personal Data Processed | No collection of any sensitive data by a Service Provider is anticipated other than employee data required to provide Services in connection with valid employment purposes or to the extent required by applicable law. Such collection will only concern limited sensitive data, for example, health-related information for the purpose of managing employee absences, or disabilities in order to provide access to our premises. |
- that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant Authorities of the country where the data exporter is established) and does not violate the relevant provisions of that country.