SaaS Protection Client Terms
These Client Terms (“Terms”), apply to you as the entity that owns, licenses, or lawfully controls the content (“Content”) in a Datto SaaS Protection or Datto SaaS Defense product account (“Product”). Datto does not provide the Product directly to you. The Product is sold and provided by Datto, Inc. or one of its subsidiaries or affiliates (“Datto”) directly to the reseller/managed service provider (“Administrator”) who will (a) use and manage the Product on your behalf with your Content; or who may (b) authorize you to access, use or manage the Product yourself, in which case you will be considered Client Administrator of the Product.
RIGHTS TO THE PRODUCT
You acknowledge that Datto and its licensors own all intellectual property rights in and to the Product. You will not engage in or authorize any activity that is inconsistent with such ownership
Datto’s Use of Content. Datto will use Content only as necessary to provide and support the Product and will not otherwise access Content other than as permitted herein, as described in the Product Specifications or as authorized by an Administrator for support.
Datto’s Rights. In the event that Datto reasonably believes Content or related Product use violates these terms, including any Fair Use policies in the Product Specifications, may disrupt or threaten the operation or security of any computer, network, system or the Product, or may otherwise subject Datto to liability, Datto reserves the right to refuse or disable access to the Product or Content. Datto may also take such action pursuant to the Digital Millennium Copyright Act and/or as required to comply with law or any judicial, regulatory or other governmental order or request. Datto will use reasonable efforts to contact the Administrator prior to taking such action. Notwithstanding the foregoing, Datto may restrict access to any Product or Content without prior notice as required to comply with law or any judicial, regulatory or other governmental order or request. In the event that Datto takes any such action without prior notice, Datto will provide notice to the Administrator, unless prohibited by law.
Use of Aggregate Data. Notwithstanding anything else in these Terms or otherwise, Datto may evaluate and process use of the Product and Content in an aggregate and anonymous manner, meaning in such a way that the individual is not or no longer identified or identifiable and compile statistical and performance information related thereto (referred to as “Aggregate Data”). Aggregate Data includes utilization statistics, reports, and logs aggregated with data from other Datto customers. Datto may use, process and share such Aggregate Data with third parties to improve the Products, develop new products, understand and/or analyze usage, demand, and general industry trends, develop and publish white papers, reports, and databases summarizing the foregoing, and generally for any purpose related to Datto’s business. Datto retains all intellectual property rights in Aggregate Data. For clarity, Aggregate Data does not include any personally identifiable information nor identify any Client or individual.
Datto SaaS Defense. Through SaaS Defense, Datto will scan Content (including emails and drives) to identify and defend against spam, viruses, malware and other malicious content (“Malicious Code”). Datto will compile and provide threat information regarding Malicious Code (“Threat Information”). Datto may retain a copy of the Malicious Code and use information about the Malicious Code for any purpose, including, but not limited to, the improvement of its Products, research and analysis, and cooperation with others regarding Malicious Code.
Right to Change Products. Datto may make changes to its Products through updates and upgrades that offer new features, functionality, and efficiencies (“Enhancements”). Datto reserves the right to add new Products and Enhancements and to replace or discontinue Products or Enhancements at any time.
Right to Interact with Products. You agree that Datto may and you hereby authorize Datto to interact remotely with any deployed Product in order to test, troubleshoot, update, analyze use of or modify the Product or the environment in which it operates.
ADMINISTRATOR
Datto will interact with the Administrator(s) you appoint to operate and manage use of the Product with your Content. You are not a third-party beneficiary of any agreement between Datto and an Administrator.
An Administrator is not an agent of Datto and is not authorized to make any representations or warranties on behalf of Datto regarding the Product or its use.
You are responsible for instructing and authorizing the Administrator with respect to use of the Product including backup settings, management, retention and deletion of Content, and transition of Product or Content to a different Administrator, and transition assistance and cooperation upon termination or expiration of any relationship between or among Administrator, you and/or Datto.
You expressly agree that Datto may rely on the instructions and authorization of the Administrator with respect to use and support of the Product and access and control of your Content.
YOUR DIRECT USE OF A PRODUCT
If the Administrator authorizes you to access or use a Product directly, you are responsible for all actions you take with respect to use of the Product including backup settings and management, retention and deletion of Content and Datto may rely on your instructions as an authorized administrator of the Product.
Any support for the Product is provided to you by the Administrator and not directly by Datto.
SECURITY
Datto has implemented and maintains physical, technical and administrative measures designed to help secure Content under Datto’s control against accidental or unlawful loss, access or disclosure. However, no password-protected system of data storage and retrieval can be made entirely impenetrable and you acknowledge and agree that despite the reasonable measures employed, the Products and Content are not guaranteed against all security threats or other vulnerabilities.
You acknowledge and agree that the Administrator you authorize to manage use of the Product on your behalf has access to and manages your Content. You and/or the Administrator are responsible, and in no event will Datto be responsible, for any physical, administrative, or technical controls related to Products or Content not under the exclusive control of Datto, including but not limited to , passwords or other access credentials, LAN or internet connectivity. You and/or the Administrator are responsible for the proper configuration and maintenance of security measures and for determining the security measures appropriate for the Content
INDEMNIFICATION
You will defend, indemnify and hold harmless Datto from and against any loss, cost, liability or damage, including attorneys’ fees, for which Datto becomes liable arising from any claim relating to your Content, including if it a) infringes or misappropriates the intellectual property rights or other rights of a third party; b) violates any applicable law; or c) otherwise is in violation of these Client Terms or the applicable Product Terms of Use.
LIMITATIONS OF LIABILITY
THE DATTO PRODUCT, ARE PROVIDED “AS IS.” TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, DATTO DISCLAIMS ANY AND ALL PROMISES, REPRESENTATIONS AND WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SYSTEM INTEGRATION, DATA ACCURACY, DATA SECURITY, QUIET ENJOYMENT, TITLE, AND/OR NON-INFRINGEMENT OR ANY WARRANTIES ARISING OUT OF ANY COURSE OF DEALING OR USAGE OF TRADE. DATTO DOES NOT WARRANT THAT THE PRODUCT WILL MEET ANY SPECIFIC REQUIREMENTS OR THAT THE OPERATION OF ANY PRODUCT WILL BE SECURE, UNINTERRUPTED OR ERROR-FREE, OR THAT ALL ERRORS WILL BE CORRECTED.
DATTO MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE PRODUCT’S COMPLIANCE WITH LAWS AND REGULATIONS SPECIFICALLY APPLICABLE TO ANY USER OR INDUSTRY AND DISCLAIMS ALL LIABILITY ASSOCIATED THEREWITH.
THE PRODUCT MAY BE SUBJECT TO LIMITATIONS, DELAYS, AND OTHER RISKS INHERENT IN THE USE OF THE INTERNET AND ELECTRONIC COMMUNICATIONS. DATTO IS NOT RESPONSIBLE FOR ANY DELAYS, DELIVERY FAILURES, OR OTHER DAMAGE RESULTING FROM SUCH PROBLEMS.
DATTO DISCLAIMS ANY DUTIES OF A BAILEE, AND YOU HEREBY WAIVE ALL RIGHTS AND REMEDIES OF A BAILOR (ARISING UNDER COMMON LAW OR STATUTE), RELATED TO OR ARISING OUT OF ANY POSSESSION, STORAGE, TRANSMISSION OR SHIPMENT OF CONTENT BY OR ON BEHALF OF DATTO.
TO THE FULLEST EXTENT ALLOWED BY LAW, IN NO EVENT WILL DATTO OR ANY DATTO LICENSOR OR SUPPLIER BE LIABLE FOR ANY DIRECT, INCIDENTAL, INDIRECT, SPECIAL, CONSEQUENTIAL OR PUNITIVE DAMAGES OR COSTS, REGARDLESS OF THE NATURE OF THE CLAIM, INCLUDING, WITHOUT LIMITATION, LOST PROFITS, LOST REVENUES, COSTS OF DELAY, FAILURE OF DELIVERY, BUSINESS INTERRUPTION, COSTS OF LOST OR DAMAGED DATA OR THE COST OF RECREATING THE SAME, EVEN IF DATTO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT WILL DATTO BE LIABLE FOR THE PROCUREMENT OF SUBSTITUTE SERVICES OR PRODUCTS.
NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY DATTO, ANY RESELLER, ADMINISTRATOR OR OTHER PARTY WILL CREATE ANY ADDITIONAL DATTO WARRANTIES, ABROGATE THE DISCLAIMERS SET FORTH ABOVE OR IN ANY WAY INCREASE THE SCOPE OF DATTO’S OBLIGATIONS HEREUNDER.
EUROPEAN DATA PROCESSING ADDENDUM
This European Data Processing Addendum (“DPA”) amends the applicable Product Terms of Use for a Datto Product only to the extent the Product is used to Process Personal Data covered under the GDPR.
Definitions
Capitalized words are defined in this section or when first used throughout this DPA or the applicable Product Terms of Use.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
“Controller”, “Data Subject”, “Processor”, Processing” will have the meaning set forth in Article 4 of the GDPR.
“Data Subject Request” means a request made by or on behalf of a Data Subject to exercise a right for access to, rectification, objection, erasure or other applicable right recognized by the GDPR of that Data Subject’s Personal Data.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and, from the date the United Kingdom may no longer be a member of the European Union, the corresponding data privacy and protection legislation of the United Kingdom.
“Personal Data” means information relating to an identified or identifiable natural person (Data Subject) covered under the GDPR that is directly or indirectly submitted, stored or Processed via use of the Product by Customer, its Affiliates, clients or end users.
“Product” means a Product and all related services provided by Datto that Processes Personal Data covered by this DPA.
“Subprocessor” means a third party that, by reason of its role in performing services on behalf of Datto with respect to Datto’s provision of a Product, may have logical access to Personal Data covered by this DPA.
Effectiveness
This DPA will be effective from the later of the date on which Customer clicks to accept the Product Terms of Use and this DPA or Datto and Customer otherwise agree to this DPA.
In the event of a conflict between this DPA and the Product Terms of Use concerning the subject matter hereof, the terms of this DPA will govern.
Duration of Processing/Term of DPA
This DPA and Datto’s Processing of Personal Data will terminate automatically upon termination of the Product Terms of Use and of any post termination period during which Datto makes Personal Data available for export by Customer, until its final deletion.
Controller/Processor Roles
For purposes of this DPA, the parties agree that Dato is a Processor of Personal Data. This DPA does not apply where Datto is a Controller of Personal Data.
Customer may act either as a Controller or Processor, as applicable, of Personal Data. If Customer is not the Controller of Personal Data, Customer represents and warrants to Datto that Customer has the right and authority to appoint Datto as a Processor and provide instructions to Datto, and such actions have been authorized by the appropriate Controller of the Personal Data.
Customer has sole responsibility for the quality, ongoing accuracy, legality and scope of Personal Data and the means by which Customer acquired Personal Data. Customer represents and warrants that it has sufficient rights and all third party consents as may be necessary and appropriate for the use of the Personal Data with the Product and that its submission of Personal Data to Datto will comply with the GDPR and all applicable laws.
Processing of Personal Data
Datto will Process the Personal Data only on the instructions of Customer, including through Customer’s use and configuration of the features within the Product. Customer instructs Datto to Process the Customer Personal Data (a) to provide the applicable Product and related technical and administrative support consistent with the Product Terms of Use and this DPA; (b) as further instructed via Customer’s use of the Product; and (c) to comply with other reasonable instructions provided by Customer (via email or support tickets) that are consistent with the nature and scope of the Product.
Datto will inform Customer if, in its opinion, an instruction violates the terms of the GDPR.
Subject Matter and Nature of Processing
The subject matter and scope of Processing is Datto’s provision of the Product, including related technical and administrative support (through management portals or otherwise) that is the subject of the Product Terms of Use. Datto will Process Personal Data that is provided directly or indirectly by Customer, its clients or end users to Datto for the purpose of providing the Product that is the subject of the Product Terms of Use.
Data Subject Requests
If Datto receives a Data Subject Request related to the Product, to the extent it is able to do so, and it is legally permitted, Datto will notify Customer and/or direct the Data Subject to make the request directly to Customer.
Customer is responsible for responding to any Data Subject Requests. Taking into account the nature of the Processing, Datto will provide Customer with commercially reasonable assistance in responding to a Data Subject Request, to the extent legally permitted, if such Data Subject Request is reasonably possible consistent with the functionality of the Product and is required under applicable law. To the extent legally permitted, Customer will be responsible for any costs arising from Datto’s assistance.
Duty of Confidentiality
Datto ensures that its personnel engaged in the processing Personal Data have committed to maintain the confidentiality of Personal Data by requiring such personnel to execute written confidentiality agreements.
Data Deletion
Within a reasonable amount of time following expiration or termination of the applicable Product Terms of Use plus any post termination period during which Customer has the ability to export Personal Data, Datto will delete Personal Data. Customer hereby instructs Datto to delete all Personal Data after such period. It is Customer’s responsibility to export any Personal Data prior to its deletion.
Personal Data Breach
If Datto becomes aware of and confirms a breach of Datto’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data covered by the GDPR in Datto’s custody or control, Datto will, without undue delay, notify Customer and exercise best efforts to mitigate the effects and to minimize any damage resulting from such a security incident.
Customer agrees that an unsuccessful security incident will not be subject to this section. An unsuccessful security incident includes but is not limited to things such as attempts at unauthorized access to Personal Data or to any of Datto’s equipment or facilities storing Personal Data, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers).
Datto’s obligation to report or respond to a security incident will not be construed as an acknowledgement of any fault or liability of Datto with respect to the security incident. Datto will have no obligation to respond to any incidents caused by Customer or anyone acting with Customer’s authorization.
Subprocessing
Customer acknowledges and agrees that Datto Affiliates may be retained as Subprocessors and that Datto and its Affiliates respectively may engage third party Subprocessors as needed to provide a Product. Customer hereby consents to the use of Subprocessors as described in this section.
A current list of Subprocessors for the Product will be available at www.datto.com/subprocessors. Datto will provide prior notification of a new Subprocessor, depending on the Product, by either updating the list of Subprocessors at www.datto.com/subprocessors, providing notice in the applicable Product management portal, and/or offering an email subscription notification option, before authorizing such new Subprocessor to have access to Customer’s Personal Data in connection with the provision of the applicable Product.
Customer may reasonably object to Datto’s use of a new Subprocessor by notifying Datto promptly in writing, explaining the reasonable grounds for objection, within ten (10) business days following Datto’s notice described above. Datto will use commercially reasonable efforts to make available to Customer a change to Customer’s configuration or use of the Product to avoid use of the objected to new Subprocessor. If Datto is unable to make available such change within a reasonable period of time, not to exceed thirty (30) days, either party as its sole remedy may terminate the applicable Product Terms of Use with respect only to those services which cannot be provided by Datto without the use of the objected-to new Subprocessor. In such case, Datto will refund any prepaid fees covering the remainder of the term applicable to such Product.
Datto will use only Subprocessors that have executed written contracts with Datto containing obligations that are substantially similar to those of Datto under this DPA. Datto will be liable for the acts and omissions of its Subprocessors to the same extent Datto would be liable if performing the services of each Subprocessor directly under the terms of this DPA.
A Product or Product management portal may provide links or integrations or an API which may be used to facilitate integrations to or from third party products or services (“Third Party Applications”). If Customer elects to integrate with, enable, access or use an API to interact with such Third Party Applications it does so at its own risk and Datto has no responsibility or liability for any Personal Data processed by or through such Third Party Applications. Customer expressly acknowledges and agrees that all enabled Third Party Applications are expressly authorized by Customer and Datto is not a co-processor, subprocessor or controller with respect to any Personal Data processed by or on behalf of Customer through a Third Party Application.
Audit
Datto will cooperate with any Customer audit to verify Datto’s compliance with its obligations under this DPA by making available, subject to non-disclosure obligations, third party audit reports, where available, descriptions of security controls and other information reasonably requested by Customer regarding Datto’s security practices and policies.
Taking into account the nature of the Processing and the information available to Datto, Datto will provide, at Customer’s cost if legally allowed, commercially reasonable cooperation and assistance to Customer regarding Customer’s compliance obligations described in Articles 32-36 of the GDPR.
Limitation of Liability
To the maximum extent allowed by applicable law, the total combined liability for both Datto and Customer and any of their Affiliates arising out of or related to this DPA is subject to the exclusions and limitations of liability set forth in the applicable Product Terms of Use. Any regulatory penalties imposed on either party resulting from this DPA will count toward such liability cap.
Security
Datto maintains commercially reasonable technical and organizational measures to protect against accidental or unlawful access, destruction, loss or alteration of Personal Data under its control. Datto may modify such measures, provided that any changes will not result in a material degradation of the security measures.
A Product or Product management portal may make available certain Customer controlled security features, which may include multi-factor authentication, administrative access controls and local encryption. Datto makes available best practices for Customer to adopt to help protect against accidental or unlawful access, destruction, loss or alteration of Personal Data. Customer is responsible for securing Personal Data under its control, including but not limited to properly configuring and using available Customer controlled security features.
Data Center Location of Personal Data
Most Products allow Customer the ability to use a data center located in the European Economic Area (“EEA”) or the United Kingdom for Processing of Personal Data. For all such Products, Customer is responsible for using an appropriate data center location in the EEA or the UK. Certain data related to technical and administrative support for a Product or its management portal, for which Datto is generally considered a controller, may be hosted in the U.S. even if Customer uses a data center located in the EEA or the UK.
Governing Law
If Customer is a resident of the United Kingdom, this DPA is governed by the law of England and Wales and is subject to the exclusive jurisdiction of the courts of England and Wales.
If Customer is a resident of the EEA or Switzerland, this DPA is governed by the law of the Netherlands and is subject to the exclusive jurisdiction of the Netherlands.
Notices
Notice to Datto under this DPA should be sent to Datto, Inc., 101 Merritt 7, 7th floor, Norwalk, CT 06851 Attn: Legal Department.
If Customer is not the primary administrator for a Product (for example, a client who purchases a Product from a managed service provider) Customer acknowledges and agrees that Datto will communicate all notices related to this DPA via email or through the Product management portal with the party that is the primary administrator for the Product.
If Customer is the primary administrator for a Product (for example, a managed service provider that manages a Product for its client) Customer acknowledges and agrees that it is responsible for receiving and promptly relaying all notices related to this DPA received via email or through the Product management portal to the appropriate parties, including those notices required by applicable law.
It is Customer’s responsibility to maintain current, accurate contact information within the applicable administrative portal for the Product for purposes of facilitating all notices.
General
The terms of this DPA are confidential information of Datto covered by the confidentiality provisions of the applicable Product Terms of Use. Customer agrees not to disclose the terms of this DPA.
Datto reserves the right to modify this DPA, including if different GDPR recognized compliance standards become available, or as needed to maintain compliance with the GDPR or other applicable law.ailable, or as needed to maintain compliance with the GDPR or other applicable law.