Online Subscription Agreement
Live Video Shopping - One-to-Many
Last Updated: April 7th, 2021
BAMBUSER and SERVICES
- About us. Bambuser AB, hereinafter referred to as “Bambuser”, is a Swedish based global SaaS company specializing in interactive live video streaming.
- The Service. Bambuser is dedicated to developing and supporting a range of digital services (including live video streaming), tools, apps, software, web/hosting platforms, websites and other services integrating various functionalities enabling enhanced shopping experiences, hereinafter referred to as the “Service”. For further information about the Service, please refer to https://bambuser.com/.
- Privacy Statement. Bambuser is committed to users’ privacy. We recognise that when you, as a user, upload and/or provide personal data to us, trust that we will respect your privacy. We do not take that trust lightly and have committed to safeguarding everyone’s privacy and protecting the information entrusted to us. We endeavour to provide services, which do not place the integrity of our users and visitors at risk.We encourage you to contact us if you have questions about this privacy policy (“Policy”) or our processing of your personal data.
General information on the privacy policy
- Legal basis. This Policy is based on the European Union’s Regulation 2016/679 ("GDPR") and national Swedish data protection regulatory schemes adopted at the time of this Policy. All terms and expressions used in this Policy shall have the same meaning as set out in the GDPR and data protection laws and regulations in Sweden unless otherwise indicated.
- Data protection principles. All processing of personal data by us is conducted in accordance with the data protection principles as set out in the GDPR and data protection laws and regulations in Sweden, specifically Article 5 of the GDPR, and in particular:
- Lawfulness – We only process your information when we have identified a lawful basis for the intended personal data processing pursuant to Article 6 of the GDPR. These are often referred to as the “conditions for processing”, for example contractual or legal obligation, legitimate interest or explicit consent.
- “Bambuser Dashboard”: means the dashboard enabling the Customer to set up live shows and assign Hosts. The Customer can also add and remove Authorized Users, add products to be displayed in the live shows, moderate the product display and moderate the chat function. Any live show can be immediately unpublished on the Bambuser Dashboard.
- “Bambuser Player”: means the embedded java script library that creates the customized player on the Customer’s website for the live show.
- “Bambuser Solution”: means the Bambuser product(s) ordered by the Customer and described in Appendix A (Technical Specification). The Bambuser Solution includes: Bambuser App, Bambuser Player and Bambuser Dashboard.
- “Confidential Information”: means information of a confidential or secret nature that may be disclosed, orally or in writing, during the term of the Agreement to a Party by the other Party that relates to the business of the other Party or to the business of any parent, subsidiary, affiliate, customer or supplier of the other Party. Such Confidential Information includes, inventions, marketing plans, product information and plans, product designs, business strategies, trade secrets, know-how, financial information, sales figures, forecasts, personnel information, customer lists and data, and domain names.
- “Customer Data”: means any data and information submitted to Bambuser under the Agreement by or for the Customer, its affiliates and/or any Authorized User or Live Show Participant.
- “DPA”: means the data processing agreement attached hereto as Appendix B (Data Processing Agreement).
- “Effective Date”: means the effective date upon which the Customer can start using the Bambuser Solution.
- “Force Majeure”: means an event beyond a Party’s control, which could not reasonably have been foreseen by the Party prior to entering into the Agreement or prevented by the Party, including but not limited to civil war, fire, flood, interruption in public transport, communications or general energy supply, act of government, act of terror, strike, act of public authority, new or amended legislation, pandemics and epidemics, failure by internet service provider or Bambuser’s sub-suppliers.
- “Host”: means the person presenting and displaying products and/or other content in the live show as agreed with the Customer. A Host is an Authorized User with specific access to the Bambuser App to: (i) go live; (ii) pause and end the live show; and (iii) highlight products selected to the live show.
- “Intellectual Property Rights”: means all intellectual property rights of any nature anywhere in the world (whether registered or not and including any applications) including copyright and neighboring rights (including copyright in computer software), patents, logos, trademarks or business names, design rights and database rights.
- “License”: means the Customers right to use the Bambuser Solution.
- “License Fee”: means the license fee which the Customer shall pay for using the Bambuser Solution.
- “Live Show Content”: means any text, images, graphics, photos, video, audio, and any other content, information or data, created, derived from or accessible via use of the Bambuser Solution, including; (i) backdrop; (ii) welcome, pause and thank you screen, (iii) trade names, trademarks, logotypes or similar; (iv) live chat messaging; (v) music, and (vi) any other content that the Host or the Live Show Moderator features performing the live stream show, including all live show segments.
- “Live Show Moderator”: means the Authorized User that (i) moderates the products displayed in the Live Show Content, (ii) moderates and interacts the chat during the live show, and (iii) has the right to immediately unpublish the live show and/or delete comments and block Live Show Participants from the chat.
- “Live Show Participant” means the individual participating in the live show without being an Authorized User, i.e. consumers. The live Show Participant may watch the live show e.g. from the Customer’s website and may use the chat function, part of the Bambuser Solution.
- “Services”: means the services as set out in the Subscription Order and other services which are incidental or ancillary to such services.
- “Solution Data”: means anonymized data, including meta-data, analytical, diagnostic and technical data, and usage statistics concerning or generating from the Customer’s use of the Bambuser Solution, however excluding personal data.
- “Taxes” means any value added taxes, levies, duties or similar governmental assessments of any nature.
- “Tracking Script”: means the software code which enables optimization of the Bambuser Solution and gathers Live Show Participant for statistical purposes.
General Undertakings of Bambuser
- Provisioning of the Bambuser Solution. Bambuser shall as from the Effective Date and during the term of this Agreement: (i) make the Bambuser Solution available to the Customer pursuant to the Agreement; (ii) provide support or other customized adaptions if such Services are separately purchased by the Customer; and (iii) take commercially reasonable efforts to make the Bambuser Solution available twenty four (24) hours a day, seven (7) days a week, except for: (a) planned downtime (of which Bambuser shall give written notice in advance), (b) what is stated in Sections 14.1 and 14.2.
General Undertakings of the Customer
- Customer responsibilities. The Customer shall (i) be responsible for any breach of the Agreement caused by the Customer, any Authorized User and/or any Live Show Participant, (ii) be responsible for the accuracy, quality and legality of Live Show Content and Customer Data and the means by which the Customer acquired the Live Show Content and Customer Data, (iii) use commercially reasonable efforts to prevent unauthorized access to or use of the Bambuser Solution, and notify Bambuser promptly of any such unauthorized access or use, and (iv) use the Bambuser Solution only in accordance with the Agreement.
- Prerequisites for the use of the Bambuser Solution. The Customer hereby acknowledges that Bambuser’s undertaking is limited to provision of the Bambuser Solution to the Customer and agreed Services as listed herein. In order for the Customer to be able to use the Bambuser Solution the Customer shall e.g. (i) embed the correct and correctly configure the java script library on its website provided by Bambuser, and (ii) enable a landing page if necessary for the live show. The Customer shall also promote and drive traffic to the live show to increase sales on its website.
- Third party compliance. The Customer shall ensure that all Live Show Participants, prior to participating in a live show provided by way of the Bambuser Solution: (i) are required to accept usage restrictions which are consistent with, and no less protective than as set out in Section 5.2; and (ii) have obtained information regarding the transmission and use of personal data generated via use of the Bambuser Solution in accordance with the DPA.
Use of the Bambuser Solution
- Right to use. Bambuser grants a limited, revocable, non-sublicensable, non-transferable, and non-exclusive license for the Customer, its affiliates and its Authorized Users to use and operate the Bambuser Solution during the term of, and in accordance with, the Agreement.
- Usage restrictions. The Customer may not: (i) make any part of the Bambuser Solution available to, or use any part of the Bambuser Solution for the benefit of, anyone other than Authorized Users; (ii) sell, resell, license, sublicense, distribute, make available, rent or lease any part of the Bambuser Solution, or include the Bambuser Solution in a service bureau or outsourcing offering; (iii) use the Bambuser Solution to store or transmit (a) infringing, libelous, or otherwise prohibited material (as further set out in Section 6.2), or (b) material in violation of third party privacy rights; (iv) use the Bambuser Solution to store or transmit malicious code; (v) attempt to gain unauthorized access to the Bambuser Solution or its related systems or networks; (vi) permit direct or indirect access to or use of the Bambuser Solution in a way that circumvents a contractual usage limit; (vii) copy the Bambuser Solution or any part, feature, function or user interface thereof; (viii) frame or mirror any part of the Bambuser Solution, other than framing on the Customer’s own intranets or otherwise for its own internal business purposes or as permitted in the Agreement; (ix) access the Bambuser Solution in order to build a competitive product or service; (x) reverse engineer the Bambuser Solution (to the extent such restriction is permitted by law); (xi) remove any copyright, trademark or other proprietary rights notices associated with or visible via use of the Bambuser Solution; or (xii) alter the software code of the Bambuser Solution.
- Bambuser’s right to suspend. The Customer’s, Authorized User’s and/or any Live Show Participants’ violation of the provisions of Section 5.2, or any use of the Bambuser Solution in breach of the Agreement, that in Bambuser’s judgment imminently threatens the security, integrity or availability of the Bambuser Solution, may result in Bambuser’s immediate suspension of the Bambuser Solution.
- Live Show Moderator. The Customer is responsible for administrating and moderating the chat function in the live show, and for selecting an individual to operate as Live Show Moderator. The Customer shall ensure that its organization has adequate resources and knowledge to fulfil its obligation and warrants that it shall adhere to applicable legislation regarding inter alia chat-services. The Customer shall also ensure that the Live Show Moderator complies with any instructions from Bambuser applicable to moderation of the chat function, live show and product display.
- Host. The Host will display and/or use all products and/or items as agreed with the Customer during the live show. The broadcasting device that the Host will use shall have login access to the Bambuser App. The Host is further responsible to ensure that no inappropriate, derogatory or illegal statements are made by the Host in the Live Show Content that may impair Bambuser’s reputation negatively. The Customer is solely responsible to ensure that the Host abides to the terms of this Agreement, including display of third-party trademarks, prior to launching any Live Show Content.
- A/B Test. Bambuser may, at its sole discretion, and without prior notice, conduct A/B Tests in respect of the Bambuser Solution.
Live Show Content
- Responsibility for Live Show Content. All Live Show Content is the Customer’s sole responsibility and the responsibility of the individuals from which such Live Show Content originates. Bambuser shall have no responsibility or liability for the deletion or failure to store any Live Show Content. To the extent permissible per applicable law, the Content shall be the propriety of the Customer.
- Propriety of Live Show Content. The Customer shall not transmit, and shall ensure that no Authorized User and/or Live Show Participant transmit(s), Live Show Content or otherwise conduct or participate in any activities on or via the Bambuser Solution which is likely to be prohibited by law, or violates third party rights. The Customer shall not distribute, and shall ensure that no Authorized User and/or Live Show Participant distribute(s), in any way any Live Show Content, or otherwise engages in any activity in connection with the Bambuser Solution, that: (i) is hateful, offensive, racist, sexist, bigoted, libelous, defamatory, obscene, abusive, pornographic, lewd, erroneous, stalking, or threatening; (ii) advocates or encourages conduct that could constitute a criminal offense, give rise to civil liability, or otherwise violate any law or regulation; (iii) creates an impression that is incorrect, misleading, or deceptive; or (iv) divulges other people’s privacy, private or personally identifiable information without their express authorization and permission.
- Unauthorized Live Show Content. The Customer is solely responsible for everything disclosed in the Live Show Content, including any music and other third-party material, including Intellectual Property Rights vested therein or relating thereto. Use of music is prohibited unless the Customer has obtained appropriate licenses in writing prior to featuring such music in the Live Show Content. Unauthorized Live Show Content may be blocked, and/or removed at Bambuser’s sole discretion.
Fees and Payment
- Fees. The Customer shall pay to Bambuser the fees for the selected Services according to the Subscription Order. Except as otherwise set forth in the Agreement, (i) payment obligations are non-cancellable and paid fees are non-refundable, and (ii) agreed quantities of Services cannot be decreased.
- Increase Fees. Beginning on the first anniversary of the Effective Date of the Agreement and upon each anniversary thereafter, Bambuser may increase the charges for the fees stated in the Agreement, by an amount not to exceed five per cent (5%) per year upon at least sixty (60) days written notice.
- Invoicing and payment. Unless otherwise set out in the Agreement, Bambuser will charge the License Fee monthly in advance. The Customer is responsible for providing complete and accurate billing and contact information to Bambuser and notifying Bambuser of any changes to such information.
- Overdue charges. If any invoiced amount is not received by Bambuser by the due date, without limiting Bambuser’s rights or remedies by applicable law or the Agreement, those charges may accrue late interest at a yearly rate of ten (10) % of the outstanding balance.
- Suspension of Service. If any charge owing by the Customer is thirty (30) days or more overdue, Bambuser may, without limiting its other rights and remedies by applicable law or the Agreement, suspend the Customer’s access to the Bambuser Solution until such amounts are paid in full, provided that Bambuser has given the Customer at least ten (10) days prior written notice and the Customer fails to pay the relevant amount within that period of time.
- Taxes. The License Fee is exclusive of any Taxes. The Customer is responsible for paying all Taxes associated with its purchases under the Agreement. If Bambuser has the legal obligation to pay or collect Taxes for which the Customer is responsible under this Section 7.6, Bambuser shall invoice the Customer and the Customer shall pay that amount unless the Customer provides Bambuser with a valid tax exemption certificate authorized by the appropriate taxing authority.
Proprietary Rights and Licenses
- Reservation of rights. Subject to the limited rights expressly granted in the Agreement, Bambuser reserves all its right, title and interest in and to the Bambuser Solution, the Services and the Solution Data, including all related Intellectual Property Rights.
- Right to collect Solution Data. Bambuser is entitled to collect, process and use Solution Data. Bambuser may use automated means to isolate information from the Live Show Content in order to help detect and protect against spam and malware, or to improve the Bambuser Solution. The foregoing shall not be construed as an admission that consent to such data collection activity is legally required.
- Bambuser Authorization to use Live Show Content. The Customer provides authorization for Bambuser to use Live Show Content for the purpose of (i) sending live shows produced by the Customer on Bambuser’s website and (ii) providing the Bambuser Solution in accordance with the Agreement. Bambuser’s right to send live shows according to paragraph (i) in this Section 8.3 is only valid during the period the live show is accessible via the Customer’s website and/or app for mobile devices.
- Open source. The Bambuser Solution may include open source software as well as other third-party products as communicated by Bambuser from time to time. In case separate terms and conditions apply for the Customer’s use of the Bambuser Solution, Bambuser will present them to the Customer, in which case such terms and conditions shall take priority over the Agreement.
- Publicity. Bambuser is granted a perpetual, irrevocable, worldwide, royalty-free, fully paid-up, non-exclusive right and license to use the Customer’s name, trade names, trademarks, and service marks for marketing purposes.
Confidentiality
- Confidentiality undertaking. Each Party undertakes to, both during the term of the Agreement and after its termination, not to disclose the other Party’s Confidential Information and/or to use the other Party’s Confidential Information for any other purposes than for the purposes of the Agreement.
- Exceptions from confidentiality. The foregoing shall not apply to any Confidential Information which: (i) is in the public domain at the time of disclosure or later becomes part of the public domain through no fault of the receiving Party; (ii) was known to the receiving Party prior to disclosure by the disclosing Party or is independently developed by the receiving Party (without any use of Confidential Information), in each case as evidenced by the receiving Party; (iii) is disclosed to the receiving Party by a third party who had the right to furnish such Confidential Information; (iv) is required to be disclosed by operation of law or court order and is not protected by any claim of privilege, provided the receiving Party attempts to notify the disclosing Party prior to disclosure and any available governmental or judicial protection is obtained by the receiving Party; (v) is required to be disclosed under a Party’s contract with a recognized stock exchange; or (vi) has received the other Party’s prior written approval to disclose Confidential Information.
- Business records. All business records, papers and documents kept or made by a Party, whether in hard copy or electronically, relating to the business of the other Party or its affiliates or the Confidential Information, correspondence included, shall remain the property of the other Party or such affiliate as the case may be and shall in connection with the termination of the Agreement for whatever reason be destroyed or returned to the other Party without prior request.
Representations and Indemnification
- Representations. Each Party represents that it has validly entered into the Agreement and has the legal power to do so. The Customer represents that all information submitted to Bambuser in connection with the Bambuser Solution, including account and billing information, is accurate, complete and truthful, and that it shall promptly update any provided information that becomes inaccurate. Furthermore, the Customer represents that it has all necessary rights and licenses to transmit and provide the Live Show Content and Customer Data for use in the Bambuser Solution as set out in the Agreement.
- Indemnification by Customer for third party claims. The Customer agrees to fully indemnify, defend and hold harmless Bambuser, its affiliates, officers, directors, employees and agents of Bambuser and its affiliates, directly or indirectly caused by or incurred by reason of a third party allegation, lawsuit, claim or proceeding, arising out of or related to (i) Live Show Content; (ii) Customer Data; (iii) the Customer’s/Authorized Users’/Live Show Participants’ (a) conduct, or (b) use of the Bambuser Solution or (iv) breach of the Agreement. Bambuser may assume the exclusive defense and control of any matter for which the Customer is required to indemnify Bambuser at the Customer’s expense. The Customer shall cooperate with Bambuser’s defense of such claims and shall under no circumstances settle or compromise any such claims without the prior written consent of Bambuser.
Limitations of liability
- Limitation of warranty. Bambuser shall provide the Bambuser Solution to the Customer pursuant to the Agreement. However, to the maximum extent possible under applicable law, Bambuser disclaims all warranties of any kind with respect to the Bambuser Solution, whether express or implied, including any implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. Specifically, Bambuser makes no warranty that (i) the Bambuser Solution shall meet the Customer’s requirements, goals or needs, or (ii) the Bambuser Solution access shall be uninterrupted, timely, secure or error-free.
- Limitation of Bambuser’s liability. Bambuser’s maximum aggregate liability for all claims, liabilities or obligations arising under or relating to the Agreement, regardless of the number of claims, shall not exceed an amount equal to all amounts paid by the Customer to Bambuser under the twelve (12) months preceding the first incident out of which the liability arose.
- General limitation of liability. In no event shall either Party be liable to the other Party for any punitive, indirect, special, incidental or consequential damages (including lost revenue, lost profits, lost data or lost savings.
Correspondence
- Notices. All notices, terminations, claims etc. under the Agreement must be delivered by e-mail to the addresses indicated in the Subscription Order (or to such addresses/e-mail addresses as may later be given by written notice in accordance with this Section 12). A notice shall be deemed to have been received by a Party on the day of dispatch.
Term and Termination
- Term. The Agreement shall enter into force on the Effective Date and be in effect for the period as set out in the Subscription Order.
- Termination. Each Party has the right to terminate the Agreement as set out in the Subscription Order.
- Early termination by both Parties.. Either Party may terminate the Agreement with immediate effect by notice in writing to the other Party on the occurrence of any of the following events.
- If the other Party commits a material breach of any term of the Agreement and that breach is irremediable, or if that breach is remediable fails to remedy that breach within a period of fourteen (14) days after being notified in writing to do so.
- If bankruptcy or insolvency proceedings are instituted against the other Party and such proceedings are not dismissed within thirty (30) calendar days from the date of proceedings, or the other Party makes an assignment for the benefit of its creditors.
- Due to a Force Majeure event, in case such force majeure event lasts for more than thirty (30) calendar days.
- Termination by Bambuser. Bambuser may terminate the Agreement with immediate effect in the event (i) the Customer generally fails to pay its debts as they become due or acknowledges in writing that it is unable to do so, or (ii) it is required by, or for failure to comply with, applicable law, regulation, court or governing agency order or ethical requirements.
- Effect of termination. The rights of either Party under this Section 13 are in addition to any other rights and remedies permitted by law or under the Agreement. Breach of the Agreement may result in pursuit of all available remedies for Intellectual Property Rights (including intellectual property rights infringement), the availability of which the Customer hereby acknowledges. Upon termination for any reason, the Customer shall immediately cease all use and distribution, and destroy all copies, of the Bambuser Solution.
- Survival. Access to and rights of use associated with Bambuser Solution shall terminate upon termination of the Agreement. Sections 6.1, 7, 8, 9, 10, 12, 13.6, 14, 15 and any other Section that by its nature is permanent shall survive any termination or expiration of the Agreement.
Miscellaneous
- Force Majeure. A Party shall be released from the consequences of failure to fulfil certain obligations under the Agreement due to any Force Majeure events. As soon as practicable following the affected Party's notice, the Parties shall consult with each other in good faith and use all reasonable endeavors to agree appropriate terms to mitigate the effects of a Force Majeure event and to facilitate the continued performance of the Agreement. The affected Party shall notify the other Party as soon as possible after the Force Majeure event ceases or no longer causes the affected Party to be unable to comply with its obligations under the Agreement. Following such notification, the Agreement shall continue to be performed on the terms existing immediately prior to the occurrence of the Force Majeure event unless agreed otherwise, in writing by the Parties.
- Service discontinuance and modifications. Bambuser may from time to time modify or discontinue access to, temporarily or permanently, any part, feature, or functionality of the Bambuser Solution. Bambuser shall not be liable for any such modification, suspension or discontinuance, even if certain features or functions, the Customer’s settings, and/or any Live Show Content the Customer has contributed or has come to rely on, are permanently lost. Bambuser reserves the right to make modifications of the Agreement periodically. If changes are made, the Customer will be notified. The Customer’s continued use of and access to the Bambuser Solution after notice of such modifications indicates its acceptance of and agreement to the modified Agreement.
- Amendments. Except as set out in Section 14.2, any amendments to the Agreement must be made in writing and signed by authorized representatives of the Parties to be binding.
- Assignment. The Customer’s right and obligations under the Agreement shall not be assigned by the Customer, in whole or in part, without Bambuser’s prior written consent. Any such purported assignment, delegation or transfer without such written consent shall be void. Bambuser may at any time assign its rights and obligations under the Agreement, in whole or in part, to any third party without prior consent or notice.
- Limitation. The Parties agree that regardless of any statute or law to the contrary, any claim or cause of action arising out of or related to the Agreement must be filed within one (1) year after the Party becomes, or should have been, aware of such claim or cause of action arose or be forever barred.
- Injunctive relief. The Customer acknowledges and agrees that breach of the Agreement, or any unauthorized use, disclosure or distribution of the Bambuser Solution, may cause irreparable harm to Bambuser, the extent of which would be difficult to ascertain, and that Bambuser shall be entitled to seek immediate injunctive relief (in addition to any other available remedies), in any court of competent jurisdiction under the applicable laws thereto.
- Entire agreement. The Agreement constitutes the entire agreement between the Parties and supersedes any previous written or oral agreement between the Parties in relation to the subject matters dealt with in the Agreement.
- Severability. If any Section (or part of a Section) of the Agreement is held by a court of competent jurisdiction to be invalid, illegal or unenforceable, it shall, insofar as it is severable from the remainder of the Agreement, be deemed omitted from the Agreement, and the remaining provisions of the Agreement shall remain in effect.
- Relation between the Parties. This Agreement is entered into between two entities for business purposes only and thus, to extent permitted under relevant law, excludes the applicability of any consumer law, whether mandatory or otherwise.
- DPA. The Parties have agreed that Bambuser, within the scope of the Services under this Agreement, will process personal data on behalf of the Customer. The Parties have therefore agreed that the DPA, attached to the Agreement as Appendix B (Data Processing Agreement), shall apply between the Parties with regard to processing of personal data.
Governing Law and Dispute Resolution
- Governing law. The Agreement and any disputes between the Parties and related to or concerning the Agreement shall be governed by the substantive laws of Sweden, excluding its conflict of law principles.
- Dispute resolution. Any dispute, controversy or claim arising out of or in connection with the Agreement, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the “SCC”). The Rules for Expedited Arbitrations shall apply, unless the SCC in its discretion determines, taking into account the complexity of the case, the amount in dispute and other circumstances, that the Arbitration Rules shall apply. In the latter case, the SCC shall also decide whether the Arbitral Tribunal shall be composed of one (1) or three (3) arbitrators. The seat of arbitration shall be Stockholm, Sweden. The language to be used in the arbitral proceedings shall be Swedish or English.
- Confidentiality during proceedings. The Parties shall keep confidential and shall not disclose to any third parties, without the prior written consent of the other Party, the existence of the arbitral proceedings, any arbitral awards and any Confidential Information and material produced or disclosed by another Party in the arbitral proceedings. Notwithstanding the aforesaid, the disclosure of information to third parties shall not be restricted under this Section 15.3, if the disclosure of information is required by law, by a competent regulatory or governmental body or other public authority, or is necessary to protect or pursue a legal right of a Party. Furthermore, disclosure of information to professional, financial or legal advisors of a Party shall not be restricted under this Section 16.3, provided that the recipient of the information is bound by a confidentiality obligation. The aforesaid shall not limit the Parties’ right to (i) seek interim orders or injunctions or any other provisional remedies available under the applicable law; (ii) collect uncontested claims from the other Party; or (iii) enforce an arbitral award in any competent court of law.
Appendix A
Technical Specification (Bambuser Solution)
General technical description
The Bambuser Solution is a cloud-based service that enables the Customer to broadcast live video streaming shows with an integrated shopping feature. The Bambuser Solution is an in-house developed software dependent on third-party services by AWS and Google Cloud. These third-party services are distributed by Bambuser (embedded in the Bambuser Solution) and are not to be used on a stand-alone basis by the Customer. The Bambuser Solution is built partly using open source software and the Customer acknowledges that Bambuser is using industry standard open source products. Bambuser follows the applicable licenses such as MIT and Apache.
The Bambuser Solution includes the following features:
- iOS & Android app for capturing and streaming shows
- Web based video player with shopping features
- Web based administration dashboard for creating and managing shows
- Documentation with instructions for embedding the video player on a Customer website
- JavaScript library and documentation for tracking completed purchases
- Analytics dashboard
Tracking Script
- Prior to taking any part of the Bambuser Solution into commercial use, the Customer agrees and undertakes to install and thereafter maintain during the term of this Agreement such Tracking Scripts (cookies) as set out below, allowing Bambuser to supervise and measure any usage of the Bambuser Solution.
- If the Customer fails to maintain the Tracking Script, resulting in cessation or reduction of functionality of the Tracking Script during the term of the Agreement, the Customer shall remedy such default within fourteen (14) calendar days upon Bambuser’s written request.
- Any failure by the Customer to install a Tracking Script pursuant to the above and/or to remedy the functionality of the Tracking Script pursuant to Section 3 in this Appendix A (Technical Specification) constitutes a material breach of the Agreement, which entitles Bambuser to terminate the Agreement with immediate effect.
The Customer agrees and undertakes to install and thereafter maintain during the term of the Agreement, the Tracking Scripts as instructed by Bambuser. By the time for entering into this Agreement, the following Tracking Scripts shall be installed:
- _bamls_seid thirty (30) minutes – A unique identifier for a session in which a Bambuser show was watched. Used in tracking to attribute statistics to a single session.
- _bamls_shid thirty (30) days – A unique identifier for a Bambuser show. Used to attribute statistics to a single show. This also - similar to source/medium in Google Analytics - enables attribution of purchases (that do not occur within the embedded stream) towards the show.
- _bamls_cuid – A unique identifier for the Customer. Used as a common denominator for all tracking performed by Bambuser to easily enable reporting and dashboards per customer (active for entire duration of the Agreement).
- _bamls_usid – A unique identifier for a user. Used to attribute Bambuser statistics to a single site user (active for entire duration of the Agreement).
The Customer agrees and undertakes to provide information to and obtain consents from Live Show Participants regarding any tracking scripts placed on their devices in accordance with and as required under applicable law.
Appendix B
Data Processing Agreement
Background and Purpose
In addition to any confidentiality obligations under the Agreement, Bambuser and the Customer shall comply with the requirements set out in this Appendix B (“DPA”) in respect of Personal Data. Unless otherwise stipulated, the provisions of this DPA shall take precedence over the provisions of the main body of the Agreement with respect to the subject matter hereof.
This DPA sets out the terms and conditions for the processing of Personal Data by Bambuser (and where relevant its Affiliates) on behalf of Customer under the Agreement (as defined below), under which Bambuser provides services as to the Customer. Except as may be otherwise required under Data Protection Laws, Customer, on behalf of any other Controller (e.g., where applicable, companies within Customer´s company group or other Controllers designated by Customer, in both cases subject to agreement between Customer and Bambuser), shall serve as a single point of contact for Bambuser with regard to all matters under this DPA and shall be responsible for the internal coordination, review and submission of instructions or requests to Bambuser as well as the onward distribution of any information, notifications and reports provided by Bambuser hereunder.
Unless otherwise stipulated, the provisions of this DPA shall take precedence over the provisions of the Agreement with respect to the subject matter hereof.
IT IS AGREED as follows:
Definitions
In addition to any definitions in the main body of the Agreement, and without prejudice to any definition of a term set out in Data Protection Laws, any terms not defined herein shall be given the meaning provided in the Agreement.
Affiliate
means any legal entity that is:
(a) directly or indirectly owning or controlling Bambuser; or
(b) under the same direct or indirect ownership or control as the Bambuser; or
(c) directly or indirectly controlled by the Bambuser; for so long as such ownership or control lasts.
Ownership or control shall exist through direct or indirect ownership of fifty percent (50%) or more of the nominal value of the issued equity share capital or of fifty percent (50%) or more of the shares entitling the holders to vote for the election of the members of the board of directors or persons performing similar functions.Controller or Data Controller
shall have the meaning defined in Data Protection Laws.
Data Protection Laws
means any applicable EU and national data protection legislation as amended from time to time, including but not limited to Regulation (EU) 2016/697 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), or any legislation replacing this regulation, as well as any relevant national legislation and court or government decisions applicable to the Processing of Personal Data and the instructions and binding orders of a Supervisory Authority.
Data Subject
means an individual whose Personal Data is being Processed by Processor under this DPA and the Agreement.
Personal Data
means any information relating to an identified or identifiable natural person, as defined in Data Protection Laws.
Personal Data Breach
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Processor or any and all incidents adversely impacting the integrity or security of information.
Processing or Process
means any processing action or combination of actions concerning Personal Data, as defined in Data Protection Laws.
Processor
shall have the meaning defined in Data Protection Laws.
Standard Contractual Clauses
mean the contractual clauses issued by the European Commission by the decision 2010/87/EU for international transfers of Personal Data (“SCC”), or any subsequent legal instrument (such as the new SCCs, published in draft form by the European Commission in November 2020; once adopted and effective (“New SCCs”) permitting the lawful transfer of Personal Data to international organisations and countries not part of the European Economic Area or European Union.
Supervisory Authority
means any competent supervisory authority under Data Protection Laws.
Responsibilities
- Processor shall Process Personal Data with all due care and skill, diligence and prudence, in a workmanlike manner in accordance with high professional standards, and in compliance with Data Protection Laws. Processor must not use the Personal Data for any other purposes than those specified in the Agreement, this DPA and Customer’s/Controller´s documented instructions from time to time. Customer´s written instructions for Processing are set out in "Sub-appendix 1".
More specifically, Processor shall:
- Process the Personal Data only on documented instructions from Controller, unless required to deviate from such instructions in order to comply with applicable Data Protection Laws which Processor is subject to;
- ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- assist Controller by appropriate technical and organisational measures in Controller’s obligation to respond to requests for exercising the Data Subject’s rights;
- assist Controller in ensuring compliance with its legal obligations, such as, with Controller’s data security, data protection assessment and prior consulting obligations set out by Data Protection Laws;
- make available to Controller all information necessary to demonstrate compliance with Processor’s obligations set out in this DPA and in Data Protection Laws, and allow for and contribute to audits, including inspections, conducted by Controller as set forth in this DPA;
- Process Personal Data only during the term of this DPA; and
- fulfil any and all of its obligations under this DPA or Data Protection Laws.
- Processor shall implement technical, physical, and organisational measures to ensure a high level of security of the Personal Data Processing and to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. Processor's security measures shall at all times meet the requirements of applicable Data Protection Laws.
Subject to the terms of the Agreement, Processor shall implement and maintain technical and organisational measures to ensure conformity with Data Protection Laws to which Processor is subjected, inter alia, measures for:
- pseudonymization and/or encryption of Personal Data;
- ensuring confidentiality, integrity, availability and resilience of systems and services processing Personal Data;
- restoring availability and access to Personal Data in a timely manner in the event of a Personal Data Breach or other unexpected event interrupting Processor's processing of Personal Data;
- regularly testing, assessing and evaluating the effectiveness, readiness and integrity of technical and organisational measures for ensuring the security of the Processing; and
- conforming with current business practices, standards or recommendations concerning privacy protection and information safety.
- A description of Processor´s technical and organisational measures applicable upon the date of signing hereof is appended hereto, Sub-appendix 2.
- Processor shall ensure that any person acting under the authority of Processor who has access to Personal Data shall not process them except on documented instructions from Controller.
- Customer (and/or, as the case may be, companies affiliated with Customer as may be agreed with Bambuser) is Controller for all Personal Data which Customer (or persons on its behalf) shares with Processor for Processing under the Agreement and this DPA. In its capacity as Controller, Customer confirms (on its own part and, as applicable, on behalf of each other Controller) that: a) without prejudice to Processor’s responsibilities as a Processor hereunder, Customer is solely responsible for any Personal Data provided or made accessible to Processor under this DPA and the means by which it has been acquired and collected as well as the accuracy, quality, legality and integrity thereof; b) Customer is entitled to provide access to the Personal Data to Processor for the purposes hereof and, consequently, that it has and will maintain a lawful basis for Processor´s performance of the services under the terms of the Agreement and hereunder; c) all instructions from Customer for the Processing of Personal Data hereunder shall comply with Data Protection Laws, shall be reasonable and documented in writing, and shall relate to and be consistent with the services agreed to be provided by Bambuser under the Agreement, and Customer accepts that Bambuser disclaims any obligation or liability with regard to any instructions or requests being in violation of any of the aforesaid.
- Customer is responsible for providing Processor with instructions for the Processing of Personal Data. Processor shall only Process Customer's Personal Data in accordance with this DPA and Controller´s instructions applicable from time to time. If Processor deems that instructions violate Data Protection Laws, Processor shall notify Customer thereof as soon as practicably possible. Processor shall for the avoidance of doubt not be obliged to perform a certain measure if, according to Processor´s reasonable assessment, this would result in a breach of Data Protection Laws. Notwithstanding the foregoing, Processor shall not be obliged to perform any own investigations, surveys or assessments in order to establish whether instructions comply with Data Protection Laws or not. Processor reserves the right to charge Customer on a time and material basis for any work caused by Customer, and/or costs incurred, pursuant to the above or for other work or measures (including measures or work requested to be performed by Customer) not expressly covered in this DPA or which is in addition to Processor´s standard business undertakings pertaining to its Processing of Personal Data.
Transfer of Personal Data
- Processor shall ensure that no Personal Data is transferred, released, assigned, disclosed or otherwise made available to any third party without Controller's specific prior written consent.
- Processing activities (including storage) shall take place on the location(s) set out in Sub-appendix 1. Personal Data shall not be transferred outside such location, including to other countries/states, without the prior written consent of Customer. It is acknowledged that Bambuser, either itself or using sub-processors, as part of the services under the Agreement, may need to perform services from locations in countries and territories outside the EEA. In case of such performance, then Customer (for its own part and on behalf of other Controllers referenced herein being established in the EEA) will give its specific written consent, mandate, authorization and instruction to Bambuser for the purposes of conducting transfers outside the EEA, as set forth below. Bambuser or its sub-processors may Process Personal Data outside the EU/EEA only pursuant to the requirements and conditions set out in Chapter V to the GDPR.
Sub-processors
- Processor may only engage sub-processors for Processing of Personal Data under the Agreement in accordance with the below. Customer acknowledges that appointment of sub-processors (as well as appointment of new sub-processors from time to time), is necessary in order for Bambuser to perform its services under the Agreement. Processor is responsible for ensuring that all Processing of Personal Data performed by a sub-processor is governed by a written agreement with the sub-processor that corresponds to the requirements of this DPA. Processor is responsible for the sub-processor's Processing of Personal Data under the Agreement and is fully responsible for sub-processors who do not fulfil their obligations. Subject to and considering the above, Customer (also on behalf of other Controllers, where applicable) hereby gives its general written consent and mandate (also for the purpose of the SCCs and, subsequently, the New SCCs, as applicable) to Processor to use sub-processors, and for the sub-processors to use sub-processors, in respect of: i) Affiliates, ii) other sub-processors used in Processor´s regular business and service delivery; and iii) otherwise any sub-processor of which Processor has provided thirty (30) days’ prior written notice to Customer. Bambuser will maintain a list of its permitted sub-processors; such list to be made available without undue delay upon Customer’s request and shall without undue delay notify (such notification may be given in-service or posted on-line) Customer of any change to the list of sub-processors to the extent relating to Processing of Personal Data under this DPA. Customer shall have the right to object to the use of a sub-processor by written notice to Processor, such objection to be made in good faith and based on justifiable grounds, without undue delay from the time Customer was notified of the use of such sub-processor. The Parties will in good fatih discuss possible activities to mitigate such objection from Customer. Customer acknowledges and accepts that its objection to a sub-processor may adversely affect Bambuser´s ability to perform the services under the Agreement. Unless otherwise agreed, Processor is under no obligation to refund any payments made in advance for services under the Agreement. The sub-processors engaged by Processor on the date hereof are set out in Sub-appendix 1.
Data Breach
In the event of a Personal Data Breach, Processor shall without undue delay submit a written notice to Customer including the following information;
- a description of the nature of the Personal Data Breach including, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of data records concerned;
- name and contact details of the person responsible for Processor’s data protection matters;
- a description of likely consequences and/or realised consequences of the Personal Data Beach; and
- a description of actions taken by Processor (and/or its sub-processors); to assess and address the Personal Data Breach; to mitigate its possible adverse effects; or to prevent the reoccurrence of the Personal Data Breach.
- Where, and in so far as, it is not possible to provide the information requested in Section 5.1 at the same time, Processor may provide the requested information in phases without undue further delay. Furthermore, Processor shall document any Personal Data Breaches and upon Controller’s request make the documentation available for Controller to ensure its compliance with Data Protection Laws.
Processor shall take all the necessary steps to protect the Personal Data when made aware of a Personal Data Breach. Pursuant to the submission of a notice to Customer in accordance with Section 5.1, Processor shall, in consultation with Customer, take appropriate measures to secure the Personal Data and limit any possible detrimental effect to the Data Subjects. Processor shall cooperate with Customer, and with any third parties designated by Customer, to respond to the Personal Data Breach. The objective of the Personal Data Breach response will be to restore the confidentiality, integrity, and availability of the Personal Data processed by Processor, to establish root causes and corrective actions, preserving evidence and to mitigate any damage caused to Data Subjects or Customer/Controller.
Records
Processor shall maintain and update a record in an electronic form (“Record”), of all Personal Data Processing carried out under this DPA and the Agreement on behalf of Customer.
- Processor shall provide Customer with the Record without undue delay as from the Customer’s request.
In case of a request by Data Subjects or the Supervisory Authority concerning Processing of Personal Data (including requests to block, delete, transfer, amend Personal Data or any other actions), Processor shall, without undue delay, inform Customer of all such requests and shall assist Customer in its response or other action concerning such request. Processor may only correct, delete, amend or block the Personal Data Processed on behalf of Customer/Controller when instructed to do so by Customer or required by Data Protection Laws.
Processor shall notify Controller of any changes in its activities that may materially affect the data protection, security or integrity of Controller’s Personal Data Processed hereunder.
Audits
If Customer has reasonable grounds to suspect non-compliance of this DPA or Data Protection Laws on Processor´s part, or if otherwise required under Data Protection Laws, Processor shall, upon Customer’s written request, make all necessary information available to demonstrate compliance hereof and allow for audits, including inspections, to be performed by Customer or its appointed representative. Customer shall endeavour to perform such audit without causing significant interruptions to Processor’s regular operations (e.g. to perform any such measures under reasonable time, place and manner conditions, during regular business hours) and subject always to Processor´s security policies. Customer will primarily rely on applicable existing audit reports or other available verification, if any, to confirm Processor´s compliance and avoid unnecessary repetitive audits; unless required under Data Protection Laws, audits will not be made more than once in any twelve-month period. The audit shall not grant Customer access to trade secrets or proprietary information unless required in order to comply with Data Protection Laws (and Processor will never be obliged, with regard to any information request or audit, to provide access to prices, pricing structures or other commercial information). Customer shall notify, within a reasonable period of time (at least thirty (30) days), Processor in advance of such audit unless otherwise required by a Supervisory Authority. Customer and any persons conducting an audit, must enter into adequate confidentiality undertakings prior to such audit (and the audit must be conducted so as not to jeopardise the security of information belonging to other customers). In the event that Customer uses a representative/third party auditor, then Processor may oppose to such appointment only if such representative/auditor is a competitor of Processor or Processor has other justifiable grounds for objection. Notwithstanding the foregoing, Customer accepts that any requirements that Customer (itself or on behalf of any Controller referenced herein) may have with regard to the purposes of Processing Personal Data hereunder, or any requests for information, assistance or activities from Processor made by Customer or on its behalf hereunder, that extend beyond Processor´s ordinary course of business, routines or policies, or what is otherwise commercially reasonable, shall be specifically agreed in writing and may be subject to additional fees and charges. Insofar as possible, Processor shall procure that Customer is similarly entitled to conduct audits in respect to sub-processors (or provide corresponding information from such sub-processors). Customer is however aware of and acknowledges that the scope of such audits/information may not correspond with the above and/or that conditions may apply.
Term and Termination
This DPA shall automatically terminate upon any termination or expiration of the Agreement, provided no separate assignments for Processing of Personal Data independent of the Agreement have been concluded by and between the Parties in accordance with Sub-appendix 1. The terms of this DPA will however continue to apply for as long as any Personal Data is Processed by Processor.
- Upon termination of this DPA, or upon Customer's written request, Processor shall destroy or return, either to Customer or to a third party designated by Customer, all Personal Data, unless otherwise required by Data Protection Laws. Processor shall verify in writing to Customer that such destruction or return has taken place, and, upon written request, provide Customer with written statement confirming that such Personal Data, including all copies thereof, have been permanently destroyed.
Limitation of Liability
Subject to the below, the provisions on limitations of liability for Bambuser set out in the Agreement shall apply to this DPA.
- The Parties shall cooperate and provide assistance in the event of an enforcement action or investigation by the Supervisory Authority with regards to activities conducted under this DPA, including promptly notifying the other Party of the threat and commencement of such measures. The Parties shall make all reasonable efforts to minimise the risk of damage incurred by a Parties due to such event.
Governing Law and Disputes
This DPA and its sub-appendices shall be governed and construed in accordance with the laws of Sweden. Disputes shall be resolved in accordance with the provisions on dispute resolution contained in the main body of the Agreement.
Sub-Appendix 1
The Parties agree the following:
Processing activities
The Processor will Process Personal Data for the purpose of fulfilling its obligations under the Agreement.
Duration of Processing
The Personal Data shall be Processed during the term of the Agreement.
Sub-processors
The following sub-processors may Process the Personal Data:
Company name: Amazon Web Services
- Country of establishment: US
- Country of processing: US and Ireland (EU)
- Type of processor: Cloud service provider
Company name: Google Cloud Platform
- Country of establishment: US
- Country of processing: US and Ireland (EU)
- Type of processor: Cloud service provider
Data Security
The Processor’s data security requirements are set out in Sub-appendix 2.
Categories of Data Subjects
The categories of Data Subjects:
Controller’s employees including consultants, temporary and casual workers
Representatives of Controller’s suppliers or business partners
Controller’s customers
Other participants in live show chat
Type of Personal Data
The Processor will process the following types of Personal Data about the following categories of Data Subjects:
Agent/Live Video Host/Other persons appearing in the Live Video
- Name
- Role / Title
- Picture / video
- Other personal information shared in live video
Users/Shoppers/Viewers
- Personal information shared in live video chat
One-to-One product specific
- Full name
- E-mail address
- Other personal information shared in live video
One-to-Many product specific
- User name when participating in chat
Staff using Service back office
- Full name
- E-mail address
Special categories of Personal Data:
- None, unless such data is shared in the chat or video.
Notices
Notices regarding any Personal Data breach, changes in Processing (including sub-processor changes) and other notifications under this DPA or this Sub-appendix 1 shall be made to the following contact (and/or as may be set out in this DPA):
If to Controller:
- As set out in the Subscription Order
If to Processor:
- Security Coordinator
- security@bambuser.com
- Other personal information shared in live video
Sub-Appendix 2
Technical and Organisational Measures
The following technical and organisational measures are designed to:
ensure the security and confidentiality of Personal Data
protect against any anticipated threats or hazards to the security and integrity of Personal Data
protect against any actual unauthorized processing, loss, use, disclosure or acquisition of or access to any Personal Data
A. People, awareness and HR:
All recruitments follow a screening process
A mandatory nano learning awareness program on security is used among the employees
In each contract each employee has Non-Disclosure Agreements clauses
Bambusers comprehensive Staff book includes discrimination policy and equality policy
A high-level security policy is signed by the Management and shared to all employees
Bambusers general recommendations regarding security measurement e.g for personal devices are shared to all employee and consultants and is a part of the onboarding process
Access to systems is provided on a ‘need to have basis’ taken into account segregation of duties
Regular internal security audits are conducted to verify the security practice
B. Physical Security and paper records:
Access control and visitor management systems implemented for all visitors/guests at Bambusers Head office
Physical access reviews as per defined periodicity
Clean desk, clear screen and follow me printing, process implemented
Fire alarm and fire-fighting systems implemented for employee safety
Fire evacuations drills are conducted at specified frequencies
C. Remote end user devices are protected:
Employees are working with laptops with the following security measures incorporated:
Encryption of the hard disks
Vendor supplied updates are installed automatically
E-mails are automatically scanned by anti-virus and anti-spam software
D. Access Security
All connectivity is encrypted
2-factor authentication is used for remote access where available
E-mails are automatically scanned by anti-virus and anti-spam software