QSR International Terms and Conditions

These Terms and Conditions are intended to form a legal agreement between you, the Customer who is identified in the Order placed with us, and QSR International, LLC and affiliates, 35 Corporate Drive, Burlington, Massachusetts, United States of America (“QSR”), for use of one or more products supplied by QSR (Products) which include cloud-based services and licensed software.

By clicking on the "I agree" (or similar button) that is presented to you at the time of placing your Order, or by using any of the Products, you indicate your acceptance of these Terms and Conditions (an "Agreement").

If you are an individual entering into the Agreement on behalf of an entity, such as your employer, you represent that you have the legal authority to bind that entity.
We reserve the right to change these Terms and Conditions by posting the revised version on the myNVivo™ Portal. Your continued use of the Product will indicate your agreement to the revised Terms and Conditions.

You will not be entitled to use a Product until we have accepted your Order.

If you do not agree to these Terms and Conditions, and to the delivery of a Product, do not order or purchase the Product. If you have already ordered the Product, contact QSR via email at info@qsrinternational.com immediately.

These Terms and Conditions are comprised of the following:

1. General Terms
2. License Terms
3. Cloud Services Terms
4. Product Schedules
   
   1. NVivo Software
   2. Transcription Service
   3. Cloud Collaboration Service
   4. NVivo Integration – Word, Excel & Outlook
5. QSR Data Processing Addendum

A. GENERAL TERMS

1. Definitions

In these Terms and Conditions, except where the contrary intention is expressed:

Cloud Service means one or more hosted or cloud-based solutions provided through the myNVivo™ Portal.

Commencement Date means the date that we first accept an Order from you.

Customer means an individual or entity that has placed an Order with QSR.

Data Protection Addendum means the QSR Data Protection Addendum attached to these Terms and Conditions.

EULA means the End User License Agreement for QSR Software, as amended from time to time, available at EULA.

Fees means the pre-paid and periodic amounts payable by the Customer for use of Licensed Software or a Cloud Service, as specified in the relevant Product Schedule.

GDPR means the EU General Data Protection Regulation 2016/679.

Licensed Software means QSR software products which are licensed by QSR for on-premises installation and use and which are acquired by you through the myNVivo™ Portal.

NVivo™ Cloud Platform means the IT infrastructure and networks owned, licensed or managed by us, which are used by QSR and its service providers to provide a Cloud Service.

MyNVivo™ Portal means the QSR Portal at https://portal.mynvivo.com

Order means an order for Licensed Software or a Cloud Service placed by you through the myNVivo™ Portal and includes any renewal of a licence or a Subscription or further purchase of Service Hours.

Parties means, collectively, QSR and the Customer, and “Party” means either one of them as the context may indicate.

PAYG Service means a Cloud Service which is provided on a pre-paid timed basis.

Privacy Policy means our privacy policy available at Privacy Policy.

Product Schedule means a schedule to these Terms and Conditions which sets out the details of Licensed Software or a Cloud Service and any specific terms applying to that software or service.

Scope of Use means the scope of use for a particular Cloud Service, as described in clause 4(a).

Service Hours means, in respect of a PAYG Service, the minutes of use of the service acquired by you.

Subscription means a Cloud Service provided on a subscription basis for a set term.

Subscription Term means the initial term of a Subscription as specified in your Order as extended by subsequent renewal periods.

2. Product Specific Terms

Individual Products are supplied on the terms of these Terms and Conditions as well as any Product-specific terms contained in the relevant Product Schedule. To the extent of any inconsistency, the terms and conditions in the Product Schedule will take precedence.

3. Prices

QSR may change the prices displayed on the NVivo™ Portal and our website at any time. While every effort is made to ensure the accuracy of prices and information published on the portal, we reserve the right to accept or reject an offer for any reason, including the unavailability of any product, an error in the price or the product description posted on this site, or an error in your order. We may require additional verification or information before accepting any order.

4. Payments

1. Credit Cards: This NVivo™ Portal accepts VISA and MasterCard. Transactions are processed in Australia and the United States of America and some transactions may attract an international processing fee from your financial institution.
2. Credit card pre-authorizations: In some instances, when the Customer places an order via the NVivo™ Portal, the total order amount will be pre-authorized against the credit card provided. Where this is the case, Customers will be clearly notified at the start of the order process. Pre-authorized funds will be held against the payment for the QSR order for a period of time dependant on the bank associated with the credit card. Should the pre-authorized funds be inaccurate, QSR will cancel the order within five business days and will contact the Customer billing contact via the billing email address provided.
3. Paying with Pay Pal: Those who have a billing address in North America, Central America and South America may choose to purchase products on this NVivo™ Portal using a PayPal account.

5. Taxes

Where initial prices are stated, they are exclusive of taxes, duties, levies or fees. The Customer shall pay all taxes, duties, levies or fees, or other similar charges imposed on QSR or on the Customer by any taxing authority (other than taxes imposed on QSR's income) related to the Customer's order, unless the Customer has provided QSR with an appropriate exemption certificate for the delivery location. 'Delivery location' means the location where QSR transfers title or possession of products to the Customer or its designate.

6. Intellectual property

1. The Licensed Software and Cloud Services are made available on a limited license or access basis, and no ownership right is conveyed to you, irrespective of the use of terms such as “purchase” or “sale”.
2. QSR and its licensors have and retain all right, title and interest, including all intellectual property rights, in and to the Licensed Software and Cloud Services, their “look and feel”, any and all related or underlying technology, and any modifications or derivative works of the foregoing created by or for QSR.
3. NVivo, myNVivo and NVivo Transcription are trademarks of QSR.

7. Warranties

1. We represent and warrant that:
   
   1. we have the right to enter into an Agreement on these Terms and Conditions;
   2. we have the right to license the Licensed Software and provide the Cloud Services; and
   3. the Licensed Software and the Cloud Service will operate substantially as described in the relevant Product Schedule.
2. To the maximum extent permitted by law, all express or implied guarantees, warranties, representations and other terms and conditions of any kind in relation to  an Agreement which are not contained in these Terms and Conditions, are hereby expressly excluded.

8. Confidentiality

1. Each Party (the "Receiving Party") may only use the Confidential Information disclosed or revealed by the other Party (the "Disclosing Party") for the purposes of performing its obligations or exercising its rights under the Agreement  and must keep such Confidential Information confidential.
2. For purposes of this clause 6, "Confidential Information" means any information of whatever kind disclosed or revealed by the Disclosing Party to the Receiving Party under or in relation to the Agreement  that:
   
   1. is by its nature confidential;
   2. is designated by the Disclosing Party as confidential; or
   3. the Receiving Party knows or reasonably ought to know is confidential, including:
   4. where we are the Disclosing Party, any part of the Cloud Services that are not otherwise publicly available; and
   5. where you are the Disclosing Party, any of Your Content entered or uploaded to the Cloud Services, but does not include information that:
   6. is published or has otherwise entered the public domain without a breach of the Agreement;
   7. is obtained from a third party who has no obligation of confidentiality to the Disclosing Party; or
   8. is independently developed or obtained without breach of the Agreement.
3. The Receiving Party may disclose the Confidential Information of the Disclosing Party:
   
   1. to those members, directors, employees, agents, contractors, representatives and/or advisors of the Receiving Party ("Representatives") reasonably requiring it on a need to know basis , provided that the Receiving Party ensures that such Representatives keep such Confidential Information confidential in accordance with this clause6;
   2. to the extent required by law; or
   3. with the prior written consent of the Disclosing Party.
4. We may refer to the fact that you are a client of ours and a user of the Licensed Software or the Cloud Services in marketing and promotional materials.

9. Privacy and Your Data

1. For purposes of this clause 9,
   
   1. "Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; and
   2. "Applicable Data Protection Laws" means all laws, regulations, binding legislative and regulatory requirements and codes of practice relating to data protection and the processing of Personal Data, as may be applicable to either Party or to the Cloud Services, including, without limitation:
      
      1. the Australian Privacy Act 1988 (Cth);
      2. the UK Data Protection Act 2018;
      3. the GDPR; and
      4. the Japanese Act on the Protection of Personal Information 2003.
2. The Data Processing Addendum, which includes the standard contractual clauses as required under article 28 of the GDPR, forms part of the Agreement.
3. You agree that QSR may use the services of third parties to provide part of a Cloud Service ("sub-processor") and that the sub-processor may, as required for the purposes of providing the Cloud Service, process Personal Data provided to us by you.
4. Each Party warrants to the other that in relation to the Agreement, it will comply strictly with all requirements of any Applicable Data Protection Laws, whether enacted as at the Commencement Date or enacted subsequently.
5. In using the Cloud Services you must ensure that you are permitted to provide us with any Personal Data you provide to us, and that you have made any disclosures or obtained any consents necessary under any Applicable Data Protection Laws. Subject to these Terms and Conditions, we will establish and maintain appropriate, reasonable technical and organisational security measures in accordance with good industry practice to keep Your Content secure.
6. We may only transfer any Personal Data you provide to us across a country border in the event that such action is required for the purpose of providing the Cloud Services and complying with our obligations under these Terms and Conditions. We will further ensure that the transfer of any Personal Data across a country border complies with Applicable Data Protection Laws.
7. We may use and disclose to our service providers anonymous data about your use of the Cloud Services for the purpose of helping us to improve the Cloud Services. Any such disclosure will not include details of your identity or the identity of your associates unless prior consent has been provided for such disclosure.

10. SECURITY

1. You acknowledge that the internet is an insecure public network which means there are risks that information sent to or from the Cloud Services may be intercepted, corrupted or modified by third parties.
2. Notwithstanding the foregoing, we will take all steps that a prudent and competent provider of services such as the Cloud Services would be expected to take to maintain the security and the integrity of the Cloud Service. Specifically, we will:
   
   1. implement administrative, physical and technical safeguards to protect Your Content that are no less rigorous than accepted industry information security best practices;
   2. as soon as we become aware that any virus, malware or other harmful code ("Harmful Code") is contained in or affects the Cloud Services provided to you and/or that any of Your Content may have been, or may be subject to unauthorised access, immediately notify you and take all reasonable steps to remedy the problem, secure Your Content, remove the Harmful Code, as applicable, and prevent the situation’s reoccurrence;
   3. use commercially reasonable efforts to:
      
      1. prevent any Harmful Code being contained in, or affecting the, Cloud Service used by you;
      2. prevent unauthorised access to Your Content;
      3. prevent any unauthorised access of, and/or Harmful Code being introduced into, your IT systems.
3. All personal and credit card information provided to QSR is encoded using Secure Sockets Layer (SSL) technology, an encryption protocol that protects data as it travels over the Internet. Also, QSR uses well established payment gateway service providers called SecurePay and CyberSource to process all online credit card payments. SecurePay and CyberSource are online, real-time payment service providers that provide all the security required for the transmission and storage of credit card details using SSL, encryption minimum 40 bit and firewalls.

11. Term and Termination

1. For purposes of this clause:  “Insolvency Event” means in relation to either Party, any one or more of the following events or circumstances occurring in relation to such Party (or any person comprising such Party): (i) being in liquidation or provisional liquidation or under administration; (ii) having a controller or analogous person appointed to it or any of its property; (iii) being unable to pay its debts or being otherwise insolvent; (vi) entering into a compromise or arrangement with, or assignment for the benefit of, any of its members or creditors; and (vii) any analogous event or circumstance under the laws of any jurisdiction.
2. An Agreement will commence on the Commencement Date and, unless terminated earlier in accordance with the terms of these Terms and Conditions, will remain in full force and effect for as long as you are using any of the Cloud Services and/or the licence period for the Licensed Software has not expired.
3. Either Party may terminate an Agreement by notifying the other accordingly:
   
   1. where the other Party materially breaches these Terms and Conditions, and fails to remedy that breach within 30 days of receiving notice of the breach; or
   2. where the other Party suffers an Insolvency Event.
4. You may terminate an Agreement by notice to us if we amend these Terms and Conditions in a way which materially alters your rights or obligations or which materially changes the nature or quality of the Cloud Services being provided to you.
5. If an Agreement expires or is terminated for any reason, the rights and licences provided to you under these Terms and Conditions will cease immediately.
6. If a Party exercises a right of termination of an Agreement, the Agreement terminates in its entirety for all Parties.

12. Limitation of Liability

1. To the maximum extent permitted by law:
   
   1. NEITHER PARTY (NOR ITS SUPPLIERS) WILL BE LIABLE TO THE OTHER FOR ANY INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL LOSS OR DAMAGE OR DAMAGES FOR LOSS OF PROFITS, GOODWILL, REVENUE, SAVINGS OR OPPORTUNITY OR FOR LOSS OF USE, LOST OR INACCURATE DATA, FAILURE OF SECURITY MECHANISMS, INTERRUPTION OF BUSINESS OR COSTS OF DELAY ARISING UNDER OR IN CONNECTION WITH AN AGREEMENT OR ITS SUBJECT MATTER, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), IN EQUITY OR UNDER STATUTE, EVEN IF INFORMED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE;
   2. EXCEPT FOR A PARTY'S LIABILITY UNDER OR IN CONNECTION WITH A BREACH BY THE CUSTOMER OF THE SPECIFIC LIMITATIONS AND OBLIGATIONS UNDER THE AGREEMENT RELATING TO ITS USE OF A PRODUCT, OR IN CONNECTION WITH AN INFRINGEMENT OF ANY INTELLECTUAL PROPERTY RIGHTS OF THE OTHER PARTY OR ITS LICENSORS, EACH PARTY'S MAXIMUM AGGREGATE LIABILITY FOR ALL CLAIMS UNDER OR IN CONNECTION WITH AN AGREEMENT IS LIMITED AS FOLLOWS:
      
      1. WITH RESPECT TO CLAIMS ARISING OUT OF THE LICENSING OR USE OF LICENSED SOFTWARE, TO THE AMOUNT OF THE LICENSE FEE PAID BY YOU TO USE THE SOFTWARE; and
      2. WITH RESPECT TO CLAIMS ARISING OUT OF THE PROVISION OR USE OF CLOUD SERVICES, AGGREGATE LIABILITY FOR ALL CLAIMS ARISING IN EACH CONSECUTIVE 12 MONTH PERIOD COMMENCING ON THE DATE OF FIRST USE OF THE SUBSCRIPTION SERVICES IS LIMITED TO AN AMOUNT EQUAL TO THE FEES PAYABLE BY YOU UNDER THE AGREEMENT IN RESPECT OF SUCH 12 MONTH PERIOD, PROVIDED THAT ANY OBLIGATION TO PAY OUTSTANDING FEES OR TO REFUND PREPAID FEES WILL NOT BE CONSIDERED FOR THE PURPOSES OF THIS LIMITATION ON LIABILITY; AND
   3. TO THE MAXIMUM EXTENT PERMITTED BY LAW, NO SUPPLIERS OF ANY THIRD PARTY COMPONENTS INCLUDED IN THE PRODUCTS WILL BE LIABLE TO YOU FOR ANY DAMAGES WHATSOEVER.
2. Individual Products will be subject to further exclusions and limitations on liability if so specified in the relevant Product Schedule.
3. A Party's liability under these Terms and Conditions will be reduced to the extent that the other Party's acts or omissions (or, unless otherwise stated in these Terms and Conditions, those of a third party) contribute to or cause the loss or liability.
4. The parties agree that the limitations specified in this clause 12 (Limitation of Liability) will survive and apply even if any limited remedy specified in these Terms and Conditions is found to have failed of its essential purpose.

13. Variation

We may update or modify these Terms and Conditions from time to time, including any referenced policies and other documents.  If a revision meaningfully reduces your rights, we will use reasonable efforts to notify you.  If you object to the updated terms of use, as your exclusive remedy, you may choose not to renew, including cancelling any terms set to auto-renew.

14. Audit

At our request, you agree to provide a signed certification that you are using all Licensed Software and Cloud Services pursuant to these Terms and Conditions, including the Scope of Use. You agree to allow us, or our authorised agent, to audit your use of the Licensed Software or Cloud Services. We will provide you with at least 10 days advance notice prior to the audit, and the audit will be conducted during normal business hours. We will bear all out-of-pocket costs that we incur for the audit, unless the audit reveals that you have exceeded the Scope of Use. You will provide reasonable assistance, cooperation, and access to relevant information in the course of any audit at your own cost. If you exceed your Scope of Use, we may invoice you for any past or ongoing excessive use, and you will pay the invoice promptly after receipt. This remedy is without prejudice to any other remedies available to QSR at law or equity or under these Terms and Conditions. To the extent we are obligated to do so, we may share audit results with certain of our third party licensors or assign (without your consent) the audit rights specified in this section to such licensors.

15. Dispute Resolution

1. If a dispute arises out of or relates to an Agreement (including in respect of Fees under clause 9), a Party may not commence any court proceedings relating to the dispute unless it complies with this clause 15 (Dispute Resolution), except where a Party seeks urgent interlocutory relief.
2. A Party claiming that a dispute has arisen under or in relation to an Agreement must give written notice to the other Party specifying the nature of the dispute.  On receipt of that notice by that other Party, the Parties must endeavour in good faith to resolve the dispute expeditiously using mediation administered by the American Arbitration Association under its Commercial Mediation Procedures.  If the dispute is not resolved within 15 days after the mediator is appointed, or at any other time that the Parties agree to in writing, the mediation ceases and either Party may commence legal proceedings in relation to the dispute.

16. Privacy Policy

For information relating to how QSR collects and uses information and protects the privacy of our customers, view our Privacy Policy.

17. Contact Us

If you would like to contact us, please email, write, telephone or send a fax to us:

QSR International Pty Ltd

Australia, New Zealand, & Oceania

Tower 2, Level 2, Chadstone Shopping Centre
1341 Dandenong Road
Chadstone, Victoria, 3148
Australia
Our business hours are from Monday to Friday,
9am to 5:30pm AEDT (view world clock)
Telephone: +61 3 9840 4900
Fax: +61 3 9840 1500

QSR International (Americas) Inc.

United States, Canada and Latin America

35 Corporate Drive, Burlington, MA 01803
USA
Telephone: +1 617 491 1850
Fax: +1 617 812 7799

QSR International (UK) Limited

Europe, Middle East and Africa

Vanguard House, Keckwick Lane
Daresbury, Cheshire, WA4 4AB
United Kingdom
East Side
Kings Cross Station
London, N1C 4AX
United Kingdom
Telephone: +44 (0) 8455 442 712
Calls will cost 2p per minute, plus your phone company's Access Charge
Fax: +44 (0) 1925 357 980

18. General

1. Governing law and jurisdiction: This Agreement is governed by the law of the State of Delaware, United States of America and the Parties consent to the exclusive jurisdiction of the courts of the State of Delaware and the United States of Americas.
2. Notices: Any notices, consent, or any other communication given under this Agreement is only effective if it is in writing, signed by or on behalf of the Party giving it and received in full and legible form at the addressee’s address.  Each Party’s contact details are as specified in the initial Order, unless either Party gives notice to the other Party of an alternative address, fax number or e-mail address.
3. Severable Provisions: Any term of this Agreement which is wholly or partially void or unenforceable is severed to the extent that it is void or unenforceable.
4. Waiver: The failure by a Party to exercise or delay exercising a right or power under this Agreement does not operate as a waiver of that right or power and does not preclude the future exercise of that right or power.
5. Assignment: Unless otherwise provided in this Agreement, neither Party may assign, novate or otherwise transfer any of its rights or obligations under this Agreement without the prior written consent of the other Party (which consent may not be unreasonably withheld).
6. Subcontracting: We may subcontract any of our rights and obligations under this Agreement at any time. We will be liable for the acts and omissions of our personnel and subcontractors as if they were our acts or omissions.
7. Entire Agreement: Subject to the provisions of clause 1 above, this Agreement constitutes the entire Agreement between the Parties in connection with their respective subject matter and supersedes all previous Agreements or understandings between the Parties in connection with the relevant subject matter.
8. Survival: Clauses 7, 8, 9, 10, 11, 12, and 15 survive termination or expiry of this Agreement together with any other provision which by its nature is intended to do so.
9. Cumulative rights: Except as expressly provided in these Terms and Conditions, the rights of a Party under an Agreement are in addition to and do not exclude or limit any other rights or remedies provided by law.
10. Interpretation: In these Terms and Conditions, the following rules of interpretation apply unless the contrary intention appears:
    
    1. headings are for convenience only and do not affect the interpretation of these Terms and Conditions;
    2. the words 'such as', 'including', 'particularly' and similar expressions are not used as nor are intended to be interpreted as words of limitation;
    3. a reference to:
       
       1. the singular includes the plural and vice versa;
       2. a person includes a natural person, partnership, body corporate, association, governmental or local authority or agency;
       3. a thing includes a part of that thing;
       4. a Party includes its successors and permitted assigns; and
       5. a law includes a constitutional provision, treaty, decree, convention, statute, regulation, ordinance, by-law, judgment, rule of common law or equity and is a reference to that law as amended, consolidated or replaced; and
       6. a rule of construction does not apply to the disadvantage of a Party because that Party was responsible for the preparation of these Terms and Conditions or any part of it.

B. QSR LICENSED SOFTWARE TERMS
1. EULA

The Licensed Software is licensed to you on the terms of the EULA. To the extent that there is inconsistency between the other terms of these Terms and Conditions and the EULA, the terms of the EULA will prevail.
2. Purchases

Purchases can be made through https://www.qsrinternational.com or https://portal.mynvivo.com
3. Shipping charges and delivery schedule:

1. We will send an email communication to your nominated email address within two business days. The email will contain a link to the download site, and your unique software license key.
2. If the cost of your goods (exclusive of taxes and freight) is equal to or less than USD1,500 or AUD 1,500 or GBP 1,000 or EURO 1,000, payment must be made in full before your order can be forwarded to you.

4. Return and replacement policy

3. If you change your mind, a refund will be provided less an administrative charge, provided that QSR is notified within thirty days of purchase, and provided that the software has not been activated.
4. As stated above, please note that QSR cannot provide a refund if the software has been activated, or if the requirements have not been met in the thirty-day period following purchase.
5. All customers are encouraged to fully test our Licensed Software before they purchase. This can be done by downloading a free, fully functioning 14-day trial of our Licensed Software.

5. Limited Warranty

YOU ACKNOWLEDGE THAT THE SOFTWARE CANNOT BE GUARANTEED ERROR-FREE AND FURTHER ACKNOWLEDGE THAT THE EXISTENCE OF ANY SUCH ERROR SHALL NOT CONSTITUTE A BREACH OF THE AGREEMENT. YOU ACKNOWLEDGE THAT YOU HAVE EXERCISED INDEPENDENT JUDGMENT IN ACQUIRING THE SOFTWARE AND HAVE NOT RELIED ON ANY REPRESENTATION MADE BY QSR WHICH HAS NOT BEEN STATED EXPRESSLY IN THESE TERMS AND CONDITIONS OR RELIED ON ANY DESCRIPTIONS OR ILLUSTRATIONS OR SPECIFICATIONS CONTAINED IN ANY DOCUMENT INCLUDING CATALOGUES OR PUBLICITY MATERIAL PRODUCED BY QSR.

6. Disclaimers and Limitation of Liability

EXCEPT TO THE EXTENT THAT LIABILITY ARISES PURSUANT TO A NON-EXCLUDABLE STATUTORY PROVISION, QSR DISCLAIMS ALL CONDITIONS OR WARRANTIES RELATING TO THE SOFTWARE, WHETHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

NOTHING IN THESE TERMS AND CONDITIONS IS INTENDED TO EXCLUDE OR MODIFY ANY NON-EXCLUDABLE STATUTORY RIGHT OR LIABILITY. HOWEVER, TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE LIABILITY OF QSR IN RESPECT OF ANY CLAIM UNDER SUCH LEGISLATION SHALL BE LIMITED, IN THE CASE OF GOODS, TO THE REPAIR OR REPLACEMENT OF THOSE GOODS OR PAYMENT OF THE COST OF THEIR REPAIR OR REPLACEMENT, OR, IN THE CASE OF SERVICES, THE RE-SUPPLY OF THOSE SERVICES OR THE PAYMENT OF THE COST OF THEIR RE-SUPPLY.

C. QSR CLOUD SERVICES TERMS
1. Scope

This Agreement governs your initial purchase of a Cloud Service, as well as any future purchases made by you that references these Terms and Conditions.  These Terms and Conditions incorporates our Privacy Policy and any other referenced policies and attachments.
2. Cloud Services

1. Our Cloud Services are provided as PAYG Services or as a Subscription.
2. Except as otherwise specified in your Order, all Subscriptions will automatically renew for periods equal to your initial Subscription Term (and you will be charged at the then-current rates) unless you cancel your Subscription through the myNVivo™ Portal. If you cancel, your Subscription will terminate at the end of the then-current billing cycle, but you will not be entitled to any credits or refunds for amounts accrued or paid prior to such termination.
3. For PAYG Services, you must pre-purchase Service Hours. All Service Hours you purchase will have an expiry date, as specified in the relevant Product Schedule.
4. Details of the individual Cloud Services, and any specific terms applying to a Cloud Service, are set out in the relevant Product Schedule. We note that our Cloud Services may involve the use of various third party tools and services.
5. We may offer a free trial of a Cloud Service, either by way of an allocation of Service Hours or a free Subscription Period ("Trial"). Orders for a Trial are to be made through the myNVivo™ Portal.

3. Account Registration

1. You may need to register for a QSR account in order to place Orders or access or receive a Cloud Service.
2. Any registration information that you provide to us must be accurate, current and complete.
3. You must also update your information so that we may send notices, statements and other information to you by e-mail or through your account.
4. You are responsible for all actions taken through your accounts.

4. Orders

1. QSR's Cloud Service ordering documentation or purchase flow will specify your authorised scope of use for the particular Cloud Service, which may include:
   
   1. number and type of Authorised Users (as defined below);
   2. storage or capacity; or
   3. Service Hours or other restrictions.
2. Once we receive your Order, we will notify you through the myNVivo™ portal that your Order has been accepted and the status of your account. We reserve the right to reject any Order, but will provide reasons to you via e-mail or through the myNVivo™ portal if we do so.

5. Authorised users

1. Only the specific individuals for whom you have paid the required fees and whom you designate in your Order may access and use the Cloud Service ("Authorised Users"). Authorised Users may be you or your employees, representatives, consultants, contractors, agents, or other third parties who are acting for your benefit or on your behalf. You are responsible for compliance with these Terms and Conditions by all Authorised Users.
2. Where QSR issues you with user names and passwords ("Login Credentials") that allow your Authorised Users to access and use the Cloud Service:
   
   1. you are responsible for ensuring that Authorised Users take all reasonable steps to safeguard their Login Credentials. We may assume that any person accessing or using the Cloud Service using those Login Credentials is one of your Authorised Users. You must also ensure that each of your Authorised Users only uses the Login Credentials that have been allocated to them, and that no other person uses such Login Credentials; and
   2. if you become aware or have reason to suspect that there has been any unauthorised use of any Login Credentials that have been allocated to your Authorised Users, you must notify QSR immediately.
3. We may suspend access to the Cloud Service where we reasonably believe that there has been unauthorised use of the Cloud Service by any of your Authorised Users or through any Login Credentials issued to you. Where we do so, we will notify you within a reasonable time of the suspension occurring, and the Parties will work together to resolve the matter. Nothing in this paragraph(c) limits any other rights or remedies we may have in such circumstances.

6. Right to Access Services

1. Once we have accepted your Order for a Cloud Service, we grant you a non-exclusive, non-transferable, limited licence to access and use the Cloud Service solely for the lawful operation of your business and in accordance with these Terms and Conditions.
2. It is your responsibility to ensure that you have reliable and secure access to the internet so as to be able to effectively use the Cloud Services.
3. Your right to access the Cloud Service is subject to the Scope of Use and any other limitations specified in the Product Schedule.

7. Your Content

1. As part of your use of the Cloud Services, you or your Authorised Users may upload to the NVivo™ Cloud Platform certain materials ("Your Content"). You must ensure that Your Content:
   
   1. does not infringe the intellectual property or other rights of another person;
   2. is not defamatory, offensive, abusive, pornographic, profane or otherwise unlawful, including material that racially or religiously vilifies, incites violence or hatred, or is likely to insult or humiliate others based on race, religion, ethnicity, gender, age, sexual orientation or any physical or mental disability;
   3. does not relate to unlawful conduct;
   4. does not create a privacy or security risk to any person, including by soliciting personal information from any person;
   5. does not solicit money from any person;
   6. is not false, misleading or deceptive;
   7. does not contain financial, legal, medical or other professional advice;
   8. is not likely to harm, abuse, harass, stalk, threaten or otherwise offend;
   9. is not likely to reflect negatively on us, including our goodwill, name and reputation;
   10. does not tamper with, hinder the operation of, or make unauthorised modification to the Cloud Services;
   11. does not breach any applicable laws; and/or
   12. does not otherwise result in civil or criminal liability for you, us or any third party.
2. You:
   
   1. grant to us a non-exclusive, worldwide, royalty-free, licence (including a right of sub-licence to our subcontractors) to disclose, use, copy and modify Your Content as required by us but only for the purpose of providing the Cloud Services and complying with our obligations under these Terms and Conditions; and
   2. )warrant that you have the right to grant such licence.
3. You agree to indemnify and hold us (including any of our members, directors, officers, employees, contractors, representatives and advisors) harmless from any claim made by any third party arising out of the disclosure, use, copying or modification of Your Content by us or our subcontractors, provided such claim does not arise from any disclosure, use, copying or modification of Your Content not permitted under paragraph (b) above.
4. We may review Your Content and may modify or remove any of Your Content where we reasonably believe it violates these Terms and Conditions.
5. QSR will adhere to good industry practice and procedures to prevent data loss, including a daily system data back-up, but does not give any guarantees in relation to loss of Your Content.

8. Your Rights and Obligations

1. You must ensure that you and your Authorised Users comply with these Terms and Conditions, and you will be liable for the acts and omissions of your Authorised Users as if they were your acts or omissions.
2. It is a condition of your use of a Cloud Service that you (and your Authorised Users) do not:
   
   1. sell, rent, lease, license, sublicense, display, time share or otherwise transfer the Cloud Service to, or permit the use of or access to the Cloud Service by, any third party; and
   2. remove any copyright or proprietary notice from the Cloud Service;
   3. attempt to undermine the security or integrity of our computing systems or networks;
   4. use the Cloud Service for any purpose that is improper or unlawful;
   5. use the Cloud Service in a way which may impair the functionality of the Cloud Service or other systems used to deliver it;
   6. distribute viruses, spyware, corrupted files, or any other similar software or programs that may damage the operation of any computer hardware or software; and/or
   7. engage in any other conduct that inhibits any other person from using or enjoying the Cloud Service.

9. Fees and Payment

1. Subscription Fees will be payable by you at the time you first subscribe and then on the first day of each renewal term.
2. If you are paying by credit or debit card:
   
   1. on the due date for payment we will charge the Fees and any applicable taxes to your card and issue an electronic receipt; and
   2. You must authorise the credit card account you provide to us at the time you register for a Subscription to pay the amounts described in this clause 9 and you authorise us to charge those amounts to that credit card account. You must provide updated information regarding your credit card account upon request and any time the credit information earlier provided is no longer current or valid.
3. If you are paying Subscription Fees on invoice, we will issue an electronic tax invoice for the initial Subscription Term when you first subscribe and then prior to each renewal. Payment terms will be as specified in the invoice.
4. Payment for PAYG Services must be made by credit or debit card through the myNVivo™ portal. An electronic receipt will be provided for all payments.
5. Invoices are to be paid in the currency in which the invoice is issued. Payments through the myNVivo™ Portal may only be made in one of the currencies there specified.
6. If, upon receipt of an invoice from us, you dispute whether any Fees are payable to us genuinely and in good faith, you may withhold the amount in dispute until the resolution of the dispute. If any such withheld amount is subsequently paid, or you otherwise fail to pay any undisputed amount when due under these terms, we may charge you interest on such amount at a rate of Inter-Bank rate of the jurisdiction you are in,, per month from the date that the amount became due for payment until the date that amount is paid in full.
7. Unless we specify otherwise when releasing a new feature or function, the Cloud Services do not include new products, features or functions which we may introduce over the course of an Agreement (as opposed to improvements to existing features and functions of the products provided under the Agreement).  Additional Fees may apply should you wish to use such additional products, features or functions.  Details of such additional Fees are available on request.
8. We may increase the Fees for Subscriptions at the end of the initial Subscription Term and of each renewal term in proportion to the increase in CPI since the Commencement Date (for the first increase) or the last increase (for any other increase).  We may vary the Fees for PAYG Services at any time. The applicable Fees for PAYG Services will be as published on the myNVivo™ Portal from time to time.
9. We may suspend access to the Cloud Services if you fail to pay any Fees by their due date.

10. Warranties

1. We represent and warrant that if a Cloud Service fails to operate substantially as described in the relevant Product Schedule and you notify us of this failure, we will:
   
   1. at our cost, correct the failure in the Cloud Service; or
   2. if we are unable to correct the failure in a commercially reasonable manner, you may terminate the relevant Subscription and we will refund to you a pro-rated portion of the Fees previously paid for the terminated Subscription taking into account the unexpired Subscription Term for which the Fees were paid.
2. If we breach the warranty under this clause 10 your exclusive remedy and our entire liability for breach of this warranty will be the remedy set out in this clause. The warranty will not apply if the failure of the Cloud Service resulted from improper use or a defect in or failure of any device, communications link or software used to access the Cloud Service.
3. QSR does not warrant, represent or guarantee that the Cloud Services:
   
   1. will be continuously available or free of any fault or harmful code; or
   2. are suitable for your purposes or business.
4. If any guarantee, warranty, term or condition is implied or imposed in relation to an Agreement under the Australian Consumer Law or any other applicable legislation and cannot be excluded (a "Non-Excludable Provision"), and QSR is able to limit your remedy for a breach of the Non-Excludable Provision, then QSR's liability for breach of the Non-Excludable Provision is limited to the resupply of the Cloud Services or the cost of having Cloud Services supplied, at QSR’s election.

11. Term and Termination

1. If an Agreement is terminated, other than for our breach,  you must pay us the Fees for any Cloud Services performed and/or provided to you up to and until the date of termination, whether or not an invoice has been issued for those services as at the date of termination.
2. Upon expiry of termination of an Agreement, we will either (at our option):
   
   1. provide to you; or
   2. make available for your download for a period of 30 days following termination,

all of Your Content in machine readable format, that is stored at that time on the NVivo™ Cloud Platform.  After having done so, we may delete any of Your Content.

12. Third party content and services

The Cloud Services may include, refer to, or permit you to access, content and services provided by third parties.  Where this is the case, such third party content and services are not provided by us, and if you choose to access and use any such third party content or services you do so subject to that third party’s terms and conditions.  To the maximum extent permitted by law, we are not liable in connection with any such third party content or services.  We are not responsible for providing any implementation, training, maintenance or improvement of any third party content or services.

PRODUCT SCHEDULE 1
NVivo™

1. Service Description

NVivo™​ is a qualitative data analysis software designed for qualitative researchers working with very rich text-based and/or multimedia information, where deep levels of analysis on small or large volumes of data are required. NVivo™ allows you to identify patterns in your content across various text and data sources and organize and analyse your content to discover deep insights while asking further questions of your content through queries. NVivo can help you find connections and understand underlying themes and patterns that will help inform and support decisions.

2. Pricing options vary depending on type of customer and the operating system Mac or Windows) being used by Customer. The various options can be viewed on our NVivo™ Portal.

3. You may register for a 14-day free trial to test NVivo™. QSR reserves the right to permanently delete any and all of your files uploaded or created using the 14-day free trial account if you do not transfer your files from the 14-day free trial account to a subscription account within 30 days after the end of the 14-day free trial.

4. NVivo Software Assurance

1. Purchase software assurance when you buy NVivo™ and you'll have access to more personalized phone support and to extended support service hours. Basic support is between 9am to 5.30pm Australian Eastern Daylight Time, Monday to Friday (excluding Victorian public holidays).  Basic support includes email support and a best effort response time.
2. With software assurance you can take advantage of additional extended service hours of 8pm to 4am Australian Eastern Daylight Time, Monday to Friday (excluding Victorian public holidays). Additionally, you have access to phone support and a targeted response time of one working day.
3. Future Upgrades
   
   1. You will automatically receive future NVivo upgrades during the term of your subscription.
   2. You will be entitled to perpetual copies of any new NVivo releases during the term of your subscription.
   3. Upgrades received will be equivalent to your current software edition.
   4. Any future releases of NVivo will be delivered as a download.

5. NVivo Training Workshops

a. Confirmation/Cancellation/Substitution: QSR will provide confirmation of registration and further details of the course as soon as possible. If we cannot accommodate you in this course, we will offer you another course or offer you a full refund. You are welcome to allocate your place to another colleague at any time by contacting QSR. If you are attending a classroom workshop, please do not make travel arrangements until you receive a written confirmation of your registration. If you do not receive confirmation by email within 48 business hours of submitting your form, please contact us at training@qsrinternational.com

b. Cancellation and transfer fees: Cancellation fees will be at the discretion of QSR and you will be charged in the currency you originally paid in. They will normally be:

1. More than two weeks before course - USD 20 / GBP 20 / EURO 20 / AUD 20 administration charge.
2. Between one and two weeks before course - 50% of course fee paid.
3. Between one day and six days before course - 75% of course fee paid.
4. Less than 24 hours before course - no refund.
2. Transfer fees: An administrative charge of USD 50 / GBP 50 / EURO 50 / AUD 50 will be incurred for course transfers within 2 weeks of course date.
3. Payment: Payment must be made within 7 days from the date of registration; otherwise your booking will not be confirmed.

c. No refund for cancellation: You may transfer your registration to a later course providing notification is given to QSR no less than 2 weeks before the course starts.

d. NVivo Online Courses purchased through Quick Order: Each purchase of an online course will allow one user to be a participant in the Fundamentals online course for their relevant platform. This product needs to be purchased with an NVivo license. Students will need to verify their student status. Customers have 6 months from the purchase date to register for a course, after which the access to the training will expire.

e. Copyright: All QSR course material is protected by copyright and is not able to be copied or utilized by you or any other party without permission from QSR. This applies to the complete course materials or any part thereof.

f. Legal Disclaimer: QSR will use all reasonable endeavors to ensure that training activities are focused on the needs of attendees. Nevertheless, QSR cannot guarantee that all attendees’ queries will be addressed in the time allotted or that a specific level of skills will be attained as a consequence of attending the course. To the extent permitted by statute, all implied warranties as to the nature and content of QSR’s training activities are excluded and to the extent that such exclusion is not permitted, attendees’ remedies are limited to the extent permitted by the relevant statute.

PRODUCT SCHEDULE 2
NVivo™ Transcription

1. Service Description

NVivo Transcription is an online service which allows you to transcribe the speech in supported audio files from audio to text.  The service provides an editor interface which allows Authorised Users to make and save changes to the transcribed text and tag the speaker changes.

2. Special Conditions
   
   1. Your use of NVivo™ Transcription is subject to the terms of the QSR International Fair Usage Policy.
   2. NVivo™ Transcription may be acquired in two ways:
      
      1. PAYG Service: Customer buys Service Hours to use the automated transcription functionality of the service. Service Hours are based on the length of audio files that are being transcribed, not the length of time taken to transcribe. Unused Service Hours expire 90 days after purchase.
      2. Subscription Service: Customer pays a subscription fee for use of the automated transcription functionality of the service. The subscription is for a fixed period and up to a maximum number of Service Hours. Service Hours are based on the length of audio files that are being transcribed. The right to use the service expires at the end of the subscription period regardless of whether the maximum number of Service Hours has been reached.
   3. For each of the options described in Section 2(b), Service Hours may be applied and used as follows:
      
      1. (Individual Service) Authorised User's Service hours may not be shared with other Users
      2. (Enterprise Service) All Authorised Named Users Service Hours are pooled together to provide the enterprise flexibility in allocating the Service Hours. Additional Authorised Named User Subscription Services may be purchased at an additional cost. Pricing is determined and agreed upon on a per customer basis.

Each Subscription Service purchased must be allocated to an Authorised Named User.  Once an Authorised Named User has been assigned to a Subscription Service, that Subscription Service cannot be reallocated to another Authorised Named User.

4. In each option detailed in Section 2(c), the software will send automatic notifications once the User has consumed 75%, 95%, 100% of their storage allowance.
5. If you expect to surpass the allotted Service Hours described in Section 2(c), you can purchase additional Service Hours in your user portal.
6. Upon using 100% of the Service Hours, you will still have access to the portal to access your files. However, you will not be able to transcribe new files until you purchase additional Service Hours.
7. Most files can be transcribed in a timespan of half the length of the audio file being transcribed. For example, if an audio file is ten minutes long, the audio file will be transcribed in about five minutes. Our software has 90% accuracy when transcribing an audio file. This accuracy percentage is subject to the quality of the audio being transcribed, as there are many variables that can affect the final transcribed product. NVivo™ Transcription has the ability transcribe 28 (twenty-eight) languages to text.
8. You may use the editor functionality of NVivo™ Transcription with respect to transcribed files without charge for so long as the relevant text files are retained on the NVivo™ Cloud Platform.
9. You have the ability to use NVivo™ Transcription for free for 15 (fifteen) minutes for the first time to acquaint yourself with the service and test your file. QSR International reserves the right to delete any and all of your files created using the free 15 (fifteen) minute trial on the NVivo™ Cloud Platform 30 days after the free 15 (fifteen) minute trial ends if you do not transfer the file created using the free 15 (fifteen) minute trial to subscription account.
10. Payments for Service Hours are non-refundable, except in the following circumstances:
    
    1. the relevant Order was placed in error, in which case we will cancel the Order and provide a refund if notified within seven (7) days of the Order being placed, provided that no Service Hours have been used; or
    2. there are significant discrepancies between Your audio file and the transcribed file and provided that Your audio file is of sufficient quality based on the guidelines outlined on QSR’s NVivo™ Portal. In order to provide a full or partial refund, a relevant sample of Your audio file must be supplied to QSR for evaluation no later than seven (7) days after completion of the relevant transcription.  Post this evaluation, you accept that QSR will make the final decision as to whether a refund is granted.  QSR will not provide any refunds where you fail or refuse to provide such evidence as requested by QSR.
11. QSR reserves the right to delete any and all Customer files remaining on the NVivo™ Platform 90 days after:
    
    1. For subscription services, the Customer's subscription ends; or
    2. For PAYG services, all Service Hours have expired.
12. Notwithstanding any other term of the Agreement or this Product Schedule, QSR gives no warranty or undertaking as to the quality of the output from NVivo™ Transcription and, to that extent, NVivo™ Transcription is provided "AS IS". You acknowledge that the quality of the output will depend on many factors including the clarity of the original recording, background noise and accents of the speakers.

PRODUCT SCHEDULE 3
NVivo™ Cloud Collaboration

1. Service Description

NVivo™ Cloud Collaboration is a cloud-based software service which allows multiple Authorised Users to collaborate and share NVivo project files. It is a module that must be purchased and installed separately from NVivo™.

2. Special Conditions
   
   1. Your use of NVivo™ Cloud Collaboration is subject to the terms of the QSR International Fair Usage Policy.
   2. You have the option of registering for a free 14-day trial of NVivo™ Cloud Collaboration. If you do not convert your free 14-day free trial account into one of the licenses described in Section 2(d) below, your 14-day free trial account and any information saved in that account will be deleted 30 (thirty) days after the 14-day free trial ends.
   3. The amount of storage depends on the service selected:
      
      1. The Small Team Service limits storage to 25 (twenty-five) gigabytes for a maximum of five team members.
      2. The Enterprise Agreement of NVivo Cloud Collaboration limits storage to 5 (five) gigabytes per Authorised Named User with no limit to the number of Authorised Named Users. Additional Authorised Named Users may be purchased at an extra cost. Pricing is determined and agreed upon on a per customer basis.

Each NVivo Cloud Collaboration subscription purchased must be allocated to an Authorised Named User.  Once an Authorised Named User has been assigned to an NVivo Cloud Collaboration subscription, that subscription cannot be reallocated to another Authorised Named User.

4. In each option detailed in Section 2(c), the software will send automatic notifications once the User has consumed 75%, 95%, 100% of their storage allowance.
5. Upon using 100% of the storage allowance, you will still have access to the portal to access your files. However, you will not be able to store additional files until you delete old files which will free up space.
6. NVivo™ Cloud Collaboration may be used in conjunction with NVivo™ Transcription. If you use NVivo™ Transcription in conjunction with NVivo™ Cloud Collaboration, you agree to abide by the Special Conditions of NVivo™ Transcription on Schedule 2 of these Terms and Conditions.

PRODUCT SCHEDULE 4
NVivo Integration – Word, Excel & Outlook

1. Service Description

NVivo Integration - Word, Excel & Outlook is an online service which allows you to import data from Microsoft Word, Excel, and Outlook for Windows OS users and Microsoft Word and Excel for Apple Mac OS users. NVivo Integration - Word, Excel & Outlook also allows you to use tags to note key points or themes in a document and add descriptions of the document before uploading it to NVivo. Once the file has been uploaded to NVivo, the file can be searched or filtered using the options in NVivo.

2. Special Conditions
   
   1. This service uses a plug-in software module licensed by Microsoft. In order to use NVivo Integration - Word, Excel & Outlook, the Microsoft Office add-in for NVivo it is required to be installed. It can be installed in Word, Excel or Outlook application as required. The NVivo add-in can be installed from inside the Office applications via the Get Add-ins function. The add-ins are further available on Microsoft AppSource https://appsource.microsoft.com/en-us/marketplace/apps?product=add-ins The use of this module is subject to the terms and conditions of Microsoft AppSource.
   2. Your use of NVivo Integration - Word, Excel & Outlook is subject to the terms of the QSR International Fair Usage Policy.
   3. With the 14-day trial of NVivo, you have the option of registering for a free 14-day trial of NVivo Integration - Word, Excel & Outlook. If you do not convert your free 14-day free trial account into one of the licenses described in Section 2(d) below, your 14-day free trial account and any information saved in that account will be deleted 30 (thirty) days after the 14-day free trial ends.
   4. The amount of storage depends on the service option selected:
      
      1. The Individual Service limits storage to 500 (five hundred) MB.
      2. The Enterprise Agreement limits storage to 500 (five hundred) MB per Authorised User with no limit to the number of Authorised Users. Pricing is determined and agreed upon on a per customer basis.
   5. In each option detailed in Section 2(d), the software will send automatic notifications within the App once the Authorised User has consumed 100% of their storage allowance.
   6. If you expect the Authorised User to surpass the storage allowance in either license under Section 2(d), you can free up space by deleting older files.
   7. Upon using 100% of the storage allowance, you will still have access to the portal to access your files. However, you will not be able to store additional files.
   8. NVivo Integration - Word, Excel & Outlook may be used in conjunction with NVivo™ Transcription. If you use NVivo™ Transcription in conjunction with NVivo Integration - Word, Excel & Outlook, you agree to abide by the Special Conditions for NVivo™ Transcription in Schedule 2 to these Terms and Conditions.

QSR Data Protection Addendum

This Data Protection Addendum (Addendum) forms part of the QSR International Terms and Conditions ("Terms and Conditions"), as updated from time to time, which are the basis for the agreement between QSR International Pty Limited (QSR) and Customer (Agreement).

This Addendum shall apply to Personal Data that QSR or a QSR Affiliate processes in the course of providing the Cloud Services to Customer under the Agreement.
Customer enters into this Addendum on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Customer Affiliates, if and to the extent QSR processes Personal Data for which such Customer Affiliates qualify as the Controller.

DATA PROCESSING TERMS

1. Definitions​

1.1
In this Addendum, unless the context otherwise requires, the following terms have the meaning set out below:

Applicable Laws means all applicable laws, rules and/or regulations applicable to the Agreement (as amended) or the activities contemplated thereunder, including without limitation any applicable Data Protection Laws

Customer Affiliate means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Customer, where “control” is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

Customer Group Member means Customer or any Customer Affiliate;

Customer Personal Data means any Personal Data Processed by a Processor on behalf of a Customer Group Member pursuant to or in connection with the Agreement;

Data Protection Laws means all laws, regulations, binding legislative and regulatory requirements and codes of practice relating to data protection and the Processing of Personal Data, as applicable to either party or the Services, including, without limitation the  the Australian Privacy Act 1988 (Cth), the UK Data Protection Act 2018, the GDPR; and the Japanese Act on the Protection of Personal Information 2003.

EEA means the European Economic Area;

GDPR means EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016;

Processor means any QSR Group Member which processes Customer Personal Data;

QSR Affiliate means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with QSR; and

QSR Group Member means QSR or any QSR Affiliate.

Restricted Transfer means:

1. a transfer outside the EEA of Customer Personal Data from any Customer Group Member to a Processor or Subprocessor; or
2. a transfer outside the EEA (or an onward transfer) of Customer Personal Data from a Processor to a QSR Affiliate or Subprocessor, or between two establishments of Processors,

in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses to be established under clause 6.4.2 below;

Services means the services and other activities to be supplied to or carried out by or on behalf of QSR for the relevant Customer Group Members pursuant to the Agreement;

Standard Contractual Clauses means the contractual clauses for the transfer of personal data approved by the European Commission, as amended, replaced or supplemented from time to time;

Subprocessor means any person (including any third party and any QSR Affiliate, but excluding an employee of QSR or any of its sub-contractors) appointed by or on behalf of QSR to Process Customer Personal Data in connection with the Agreement;

1.2    
The terms, "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" (or equivalent terms) shall have the meanings set out in, and will be interpreted in accordance with, such Data Protection Laws as are applicable from time to time.

2. Interpretation

2.1  
The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2.2    
A reference to a statute or statutory provision includes all subordinate legislation made under that statute or statutory provision from time to time, and is a reference to it amended, extended or re-enacted from time to time.
2.3  
Unless the context otherwise requires, words and expressions defined in the Agreement shall have the same meaning where used in this Addendum except where they are inconsistent with or replaced by the amendments set out in this Addendum.
2.4    
Nothing in this Addendum reduces QSR's or any QSR Affiliate’s obligations under the Agreement in relation to the protection of Personal Data or permits QSR or any QSR Affiliate to Process Personal Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

3. Status of parties

3.1
Customer and its relevant Customer Group Members shall be Controllers of the Customer Personal Data and, a reference to Customer shall be deemed to be a reference to the relevant Customer Group Member that is the Controller of the relevant Customer Personal Data in respect of the relevant Processing.
3.2
Except to the extent expressly provided otherwise in the Agreement, QSR shall be the Processor of Customer Personal Data on behalf of Customer.
3.3
In relation to obligations which this Agreement purports to impose on QSR, where QSR is not the Processor it shall procure the performance of those obligations by the relevant QSR Affiliate. In relation to obligations which this Agreement purports to impose on a Customer Group Member, where the Customer is not the relevant Customer Group Member it shall procure the performance of those obligations by the relevant Customer Affiliate.

4. Customer obligations

4.1    
Customer and each relevant Customer Group Member shall comply with all Data Protection Laws in connection with the Processing of Customer Personal Data, the Services and the exercise and performance of its respective rights and obligations under this Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws and the terms of this Agreement.
4.2    
Customer (on its own behalf and on behalf of each relevant Customer Group Member) warrants, represents and undertakes, that:

• 4.2.1  all data sourced by Customer for use in connection with the Services, prior to such data being provided to or accessed by QSR for the performance of the Services under this Agreement, shall comply in all respects (which shall include Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws; and
• 4.2.2  all instructions given by it to QSR in respect of Customer Personal Data shall at all times be in accordance with Data Protection Laws.

5. Processing of Customer Personal Data

5.1  
The Processor shall:

• 5.1.1  comply with all applicable Data Protection Laws and the terms of this Agreement in the Processing of Customer Personal Data; and
• 5.1.2  not Process Customer Personal Data other than on the relevant Customer Group Member’s documented instructions unless Processing is required by Applicable Laws to which the relevant Processor is subject, in which case the Processor shall, to the extent permitted by Applicable Laws, inform the relevant Customer Group Member of that legal requirement before the relevant Processing of that Customer Personal Data.

5.2  
The Customer, on its own behalf and on behalf of each relevant Customer Affiliate:

• 5.2.1  instructs the Processor (and authorises the Processor to instruct each Subprocessor) to:
  • 5.2.1.1   Process Customer Personal Data; and
  • 5.2.1.2  in particular, transfer Customer Personal Data to any country or territory (subject to clause 7 being complied with),
• 5.2.2  as reasonably necessary for the provision of the Services and consistent with the Agreement; and
• 5.2.3  warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in clause 3.2.1 on behalf of each relevant Customer Affiliate.

5.3
Annex 1 sets out certain information regarding the Processor’s Processing of the Customer Personal Data as required by Article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws).

6. QSR and QSR Affiliate Personnel

The Processor shall take reasonable steps to ensure that any employee, agent or contractor of any of them who may have access to the Customer Personal Data is subject to confidentiality undertakings or professional or statutory obligations of confidentiality and only Processes the Customer Personal Data on instructions from Customer.

7.  Security

7.1    QSR shall, and shall where it is not the Processor, procure that the relevant QSR Affiliate implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data transmitted, stored or otherwise Processed in accordance with Data Protection Laws, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. The standard security measures that the Contracted Processor shall implement shall include those measures set out in Annex 2.

8. Subprocessing

8.1  
The Customer, on its own behalf and on behalf of each relevant Customer Affiliate authorises the Processor to appoint (and permit each Subprocessor appointed in accordance with this clause 6 to appoint) Subprocessors in accordance with this clause 6 and any restrictions in this Agreement.
8.2
The Processor may continue to use the following Subprocessors:

• 8.2.1  Speechmatics
• 8.2.2  Zuora
• 8.2.3  Netsuite
• 8.2.4  Auth0
• 8.2.5  Microsoft (Azure Platform)
• 8.2.6  SendGrid
• 8.2.7  Hotjar

8.3
QSR shall at least 14 days before appointing any new Subprocessor provide notice to the Customer via the MyNVivo Website including full details of the Processing to be undertaken by the Subprocessor. If Customer notifies QSR in writing of any objections (on reasonable grounds) to the proposed appointment QSR must not disclose any Customer Personal Data to the proposed Subprocessor except with the prior written consent of Customer.
8.4 
With respect to each Subprocessor, QSR shall:

• 8.4.1    ensure that the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this Agreement and meet the requirements of Article 28(3) of the GDPR; and
• 8.4.2    if that arrangement involves a Restricted Transfer, ensure that the provisions of clause 7 are complied with.

9. International data transfers

9.1
QSR shall, and where QSR is not the Processor it shall procure the performance of those obligations by the relevant QSR Affiliate, ensure that in respect of all Restricted Transfers, the Standard Contractual Clauses are at all relevant times: (a) incorporated into the agreement between the Processor and the Subprocessor; or (b) entered into directly between the Subprocessor and the relevant Customer Group Member(s).

10. Data Subject Rights

10.1    
Taking into account the nature of the Processing, the Processor shall assist Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the relevant Customer Group Members' obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws.
10.2 
The Processor shall:

• 10.2.1  promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
• 10.2.2  not respond to that request except on the documented instructions of Customer or the relevant Customer Affiliate.

11. Personal Data Breach

11.1 
The Processor shall notify Customer without undue delay upon the Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow each relevant Customer Group Member to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Data Protection Laws.
11.2  
The Processor shall provide reasonable assistance to Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of the Processing and the information available to the Processor.

12. Data Protection Impact Assessment and Prior Consultation

The Processor shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, as required under Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Processor.

13. Deletion or return of Customer Personal Data

13.1  
Subject to clause 11.2, the Processor shall at Customer’s written request and option promptly and in any event within 30 days of the date of cessation of any Services involving the Processing of Customer Personal Data: (a) return a complete copy of all Customer Personal Data to Customer by secure file transfer in such format as is reasonably notified by Customer to QSR; and (b) delete and procure the deletion of all other copies of Customer Personal Data Processed by any Processor.
13.2
Each Processor may retain Customer Personal Data to the extent and for such period as required by Applicable Laws and always provided that the Processor shall hold such Customer Personal Data secure in accordance with clause 5 and ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.

14. Audit rights

14.1 
The Processor shall make available to each Customer Group Member on request all information reasonably required to demonstrate compliance with the obligations under Article 28 of the GDPR (or equivalent obligations under Data Protection Laws).
14.2  
Subject to clause 12.3, the Processor shall allow for and contribute to audits, including inspections, by any Customer Group Member or an auditor mandated by any Customer Group Member in relation to the Processing of the Customer Personal Data by the Processors.
14.3    
Information and audit rights of the Customer Group Members only arise under clause 12.2 to the extent that compliance cannot be adequately demonstrated in accordance with clause 12.1 or the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, Article 28(3)(h) of the GDPR), provided that such rights shall be subject to equivalent restrictions to those in the Agreement (including as to frequency, timing and minimising disruption).

15. General

15.1 
Where a provision requires the Processor to assist Customer or a Customer Group Member with compliance with their obligations under Data Protection Laws, such assistance shall be provided at no additional cost where this can reasonably be accommodated within the standard provision of the Services. Otherwise, the associated costs shall be agreed between the parties in accordance with the change control or Addendum procedure applicable under the Agreement.

Order of precedence
15.2 
In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
15.3 
Subject to clause 13.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.

ANNEX 1 TO QSR DATA PROCESSING ADDENDUM: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.

Subject matter and duration of the Processing of Customer Personal Data

The subject matter of the Processing of the Customer Personal Data is set out in the Agreement. Processing of the Customer Personal Data by the Processor shall be for the term of the Agreement, provided that Personal Data shall not be Processed for longer than is necessary for the purpose for which it was collected or is being Processed (except where a statutory exception applies).

The nature and purpose of the Processing of Customer Personal Data

The Processing of Customer Personal Data is QSR's provision of the applicable services under the Agreement, which shall involve performance on behalf of the relevant Customer Group Member of the tasks and activities set out in the Agreement for the purpose of providing those Services.

The types of Customer Personal Data to be Processed

The Processor may Process any or all of the following types / categories of Personal Data, and any additional types of Customer Personal Data, as set out in the Agreement and as relevant in the context of the Services.

• Personal Data, including personal details, family details, lifestyle and social circumstances, financial details, employment and education details, goods or services, visual images, personal appearance and behaviour, geolocation data: and
• Sensitive Personal Data / other categories of Personal Data, including information relating to physical or mental health data, genetic data or biometric data,  criminal offences and alleged offences and proceedings, racial or ethnic origin, religious or philosophical beliefs,  trade union membership, sex life or sexual orientation.

The categories of Data Subject to whom the Customer Personal Data relates

The categories of Data Subjects includes any or all of the following individuals: Customer Group Member customers and clients, research participants, Customer Group Member advisers, consultants and other professional experts, Customer Group Member employees and staff, Customer Group Member QSRs and services providers, complainants and enquirers who contact Customer Group Members, and / or individuals captured by CCTV images, including staff, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance.

The obligations and rights of Customer and Customer Affiliates

The obligations and rights of Company and Company Affiliates are set out in the Agreement (as varied).

ANNEX 2 TO QSR DATA PROCESSING ADDENDUM: STANDARD SECURITY MEASURES

1. Network Security Management

Purpose: To ensure the protection of information in networks and its supporting information processing facilities.

1.1. Responsibility and Ownership

i.    Networks shall be managed to ensure the security of data and the protection of connected services from unauthorised access. The overall responsibility for provision of network services and ensuring their security, to meet the business need, resides with the Head of Customer Infrastructure and Operations and the Head of Content Infrastructure and Distribution

1.2. Network Controls

Configuration standards
i. Configuration standards for network equipment shall be documented to provide instruction to staff regarding the configuration and setup of the equipment. The configuration standards should cover topics such as:

• Device hardening
• Admin account setup
• Naming conventions
• Configuration backup
• Logging requirements

Change Control
ii. Changes to the configuration of the network shall be subject to documented change control procedures.

Diagrams
iii. Layer 3 and Layer 2 network diagrams must be maintained and kept up-to-date. Any network changes being presented through the change review process that have a material impact on the layer 3 or layer 2 topology need to be presented with as-is and to-be network diagrams to highlight impacts of the changes.

Network Management
iv. Access to network management systems shall be tightly controlled, making sure that users do not have more privilege than is required to perform their job. Access to network management systems, and the level of access granted shall be authorised by the Infrastructure and Operations Manager (Corporate, Network and Broadband Systems).

v. Access to the network management interface on network security appliances shall be restricted to specially created network management VLANs.

vi. Authentication into devices and services that provide a network security function, for users with admin change privileges, should incorporate multi factor authentication.

Logging and Monitoring

vii. Appropriate logging and monitoring shall be applied to enable the recording of network based events that may affect, or are relevant to Information Security. Examples of the types of events that need to be logged include:

• The configuration of change events on network devices:
• IP conversation history between systems on the network: and
• Allowed/denied hits on security policies on network security devices

viii. Logging should be kept for a minimum of one year to allow for forensic investigations into historical incidents.

Network Connection Control

ix. Any exposed network connection points that allow a user to plug a workstation into the network shall support authentication. 802.1X style controls with user name and password or machine certificates are the preference with MAC based authentication being the minimum standard.

x. Non QSR International managed computers are not permitted to be plugged into the QSR International corporate network.

xi. Computers of partner organisations that require access to QSR International systems may only be connected to specially designed contractor networks that segment the connected computers from the remainder of the corporate network, and provide tight controls over precisely what internal systems can be accessed.

Wireless Network Security

xii. Staff, contractors, consultants and visitors must not introduce wireless networks or Access Points (AP) into a QSR International site. Wireless networks must only be setup by authorised Information and Technology Network administrators and must be approved by the Change Advisory Board through the change control process.

xiii. An inventory of authorised wireless access points is to be maintained including a documented business justification.

xiv. Business sites must be swept quarterly to detect and identify all authorised and unauthorised wireless access points.

xv. The wireless network shall be encrypted using a suitably strong protocol. The preferred standard is WPA2. Use of WPA and WEP is prohibited. A high level of key strength should be used (128 bit or higher). Static keys should be avoided, although they are permitted for guest networks that provide Internet access only and no access to the internal network.

xvi. All wireless access points deployed at any QSR International site need to support central management through a single common management system.

1.3. Segregation in networks

i. Groups of information services, users and information systems shall be segregated on networks through the design and implementation of network security domains. There are a variety of ways to define network security domains. The domains can be chosen based on trust levels (e.g. public access domain, desktop domain, server domain), along organisational units (e.g. human resources, finance, marketing) or a combination (e.g. server domain connected to multiple organisational units. The segregation can be performed using either physically different networks or by using different logical networks.

ii. The network domain model needs to communicate the intent of network segmentation at QSR International, the typical control sets to apply to each domain and the communication rules between domains

Requirements for Firewalls (including routers)

i. External network boundaries shall be secured by the use of an appropriately configured and managed firewall or combination of firewalls. Firewalls shall be configured to provide the maximum amount of security consistent with business requirements.

ii. The security of gateways and firewalls must be subjected periodically to expert scrutiny with reference to the registered connections, and to penetration testing. This must be undertaken at least once a year, and after any major reconfiguration.

iii. Any part of a network that is on premises where QSR International does not have control of the physical security shall be segregated by a firewall. Inward access shall be subject to risk assessment and strict control. A DMZ shall be used wherever possible for servers that are accessed by external users.

iv. All firewall rules and router ACLs shall be adequately documented so that an independent reviewer can understand their purpose and the documentation must be maintained and made available for audit. Rulesets and ACLs must be reviewed annually to ensure that rules are correct and up-to-date.

v. Disclosure of private IP addresses and routing information to unauthorised parties is prohibited.  Methods to obscure IP addressing may include, but are not limited to:

• Network Address Translation (NAT)
• Placing servers containing cardholder data behind proxy servers/firewalls,
• Removal or filtering of route advertisements for private networks that employ registered addressing: and
• Internal use of RFC1918 address space instead of registered addresses.

vi. Any QSR International managed mobile device, or employee owned device that facilitates access to QSR International resources and also connects to the Internet when outside the QSR International network shall have personal firewall software installed.

2. Information Transfer

Purpose: To maintain the security of information transferred within an organisation and with any external entity.

2.1. General

Information transfer may occur through the use of a number of different types of communication facilities, including electronic mail, voice, facsimile and video. Software transfer may occur through a number of different mediums, including downloading from the Internet and acquisition from vendors selling off-the-shelf products.

i. The business, legal and security implications associated with electronic data interchange, electronic commerce and electronic communications and the requirements for controls should be considered and documented.

ii. The sensitivity of the information being transferred and the party its being transferred to will be critical factors in the overall assessment of risk associated with the information transfer and the controls that should be put in place to secure the transfer.

2.2. Transfer of sensitive or confidential information

Refer to Supplier Relationships Security Policy for details of Information Security in supplier relationships.

The following are the minimum sets of controls that need to be put in place for the transfer of sensitive or confidential information.

i. When sharing confidential information with a third party, a non-disclosure agreement shall be put in place prior to the sharing of any information. The non-disclose agreement should cover the following elements:

• a definition of the information to be protected (e.g. confidential information);
• expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely;
• required actions when an agreement is terminated;
• responsibilities and actions of signatories to avoid unauthorised information disclosure;
• ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information;
• the permitted use of confidential information and rights of the signatory to use information;
• the right to audit and monitor activities that involve confidential information;
• process for notification and reporting of unauthorised disclosure or confidential information leakage;
• terms for information to be returned or destroyed at agreement cessation;
• expected actions to be taken in the event of a breach of the agreement.

ii. QSR International employee’s dealing with confidential QSR International information must be subject to non-discloser agreements.

iii. Transfer of sensitive or confidential information to third parties via electronic means shall be encrypted in transit. Email is not be used for the communication of sensitive information to third parties unless the attached payloads are encrypted. Decryption keys used in email communication cannot be sent via email. A separate out-of-bands communication channel needs to be used for this purpose.

iv. QSR International data needs to be classified to determine its sensitivity and confidentiality level. Access controls need to be put in place to ensure that only staff with roles required to access sensitive data can actually access the information. Systems need to be put in place to ensure that reports can be generated to show who has access sensitive information, when they have accessed it and from where.

v. Systems put in place for the electronic transfer of data between QSR International systems and third party company systems, like API gateways and sFTP servers, need to be approved by QSR International. The exposed interfaces to the third parties must be tested every year for vulnerabilities.

vi. The use of peer-to-peer file transfer applications is strictly prohibited.

Peer-to-peer file sharing is the distribution and sharing of digital media using peer-to-peer (P2P) networking technology. P2P file sharing allows users to access media files such as books, music, movies, and games using a P2P software program that searches for other connected computers on a P2P network to locate the desired content. The nodes (peers) of such networks are end-user computers and distribution servers (not required). Examples include BitTorrent and Gnutella

vii. The use of consumer-based, cloud file sharing services (e.g. Dropbox, Google Drive, Box) is prohibited for the transfer of QSR International data.

viii. Transfer of sensitive information over public networks must be encrypted at all times.

3. Electronic messaging

i. Employees shall receive security awareness training to reduce the risk of introducing malicious software.

ii. Emails and attachments can be a source of malicious software and should be treated with caution.

iii. Unsolicited emails are to be deleted and not responded to.

iv. When sending email, employees are responsible for checking that the email is correctly addressed, and that the content of the message is only being sent to appropriate persons.

v. Email sent unencrypted over the Internet is not secure and may be liable to interception, copying and tampering. Where confidential information must be sent outside QSR International’s own networks, an approved, secure messaging service shall be used to ensure security. Under no circumstances may user account information or passwords be sent over the Internet.

vi. Email shall be retained according to QSR International’s Record Retention Schedule (in draft with Legal).

vii. Users are prohibited from automatically forwarding QSR International email to a third party email system as doing so might cause emails with confidential or inappropriate content to be transmitted over the Internet.

viii. Individual messages which are forwarded by the user must not contain QSR International confidential or sensitive information.

ix. Users are prohibited from using third-party email systems and storage servers such as Google, Yahoo, and MSN Hotmail etc. to conduct QSR International business, to create or memorialise any binding transactions, or to store or retain email on behalf of QSR International. Such communications and transactions must be conducted through proper channels using QSR International-approved documentation and systems.

x. Users are prohibited from using applications or software that have not been approved for use by QSR International for accessing or managing QSR International email, calendaring, or tasking systems.

xi. Non-QSR International related commercial uses of QSR International electronic messaging systems are prohibited.

xii. QSR International employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system.

xiii. QSR International may monitor messages without prior notice. QSR International is not obliged to monitor email messages.

xiv. All use of email must be consistent with QSR International policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices.

3.1. Business information systems

i. Confidential information can be communicated by other systems such as voice mail, fax machines, printers, etc. These are subject to comparable security provisions to electronic mail.

ii. Fax machines and printers that are used for printing out confidential information shall be located in secure rooms or protected by keys or personal passwords. It is the user’s responsibility to check that faxes are sent to the correct number, and print-outs to the correct printer.

iii. Voice mail systems shall be protected by personal passwords or pin numbers.

3.2. Using the Internet

i. Employees must use internet services in a responsible and security conscious manner.

ii. This section applies to services utilising the Internet such as web browsing, Instant Messaging, Skype, Internet Protocol (IP) telephony, video conferencing or file sharing sites.

iii. Unless applications using these communications methods are evaluated and approved by IT Compliance, they must not be used for communicating sensitive or classified information over the Internet.

iv. All Employees must report any suspicious contact from external or unknown sources to the Service Desk, especially contact from external sources using Internet services. Suspicious contact may relate to questions regarding the work duties of employees or the specifics of projects being undertaken by employees.

v. Monitoring of breaches of web usage policies—for example attempts to access blocked websites such as pornographic and gambling websites—as well as compiling a list of employees who excessively download or upload data without a legitimate business requirement assists QSR International in enforcing their web usage policies.

3.3. Posting official information on websites

i. Employees must not post sensitive or classified information on public websites, especially in forums, blogs and social networking sites. Even unclassified information that appears to be benign in isolation, could, along with other information, have a considerable security or reputational impact on QSR International.

ii. To report cases where such information is posted, employees are to advise their manager in the first instance.

iii. To ensure that personal opinions of employees are not interpreted as official Policy, employees must maintain separate professional and personal accounts when using websites, especially when using online social networks.

iv. Employees can post information authorised for release into the public domain, only on approved websites

3.4. Peer–to–peer applications

i. The installation and use of peer–to–peer applications is prohibited.

ii. Employees are not to send or receive files via peer–to–peer applications.

iii. Only QSR International approved methods of file sharing are to be used.

3.5. Electronic Commerce Services

Electronic commerce

i. Electronic communication and commerce is vulnerable to a number of network threats which may result in fraudulent activity, contract dispute and disclosure or modification of information. When commercial information is communicated, a risk assessment shall be conducted to determine the appropriate level of controls that should be applied to protect against such threats.
Security considerations for electronic commerce shall include:

• Authentication of the parties.
• Authorisation of transactions.
• Confidentiality and integrity of contract information.
• Proof of transactions and non-repudiation.
• Integrity of pricing information.
• Vetting of payment information.
• Protection of settlement against fraud.
• Confidentiality and integrity of order information.
• Liability for fraudulent transactions.

ii. Electronic commerce arrangements between trading partners shall be supported by a documented agreement which commits both parties to the agreed terms of trading.

iii. Consideration should be given to the resilience to attack of the host used for electronic commerce, and the security implications of any network interconnection required for its implementation.

On-line transactions

iv. When an application involves on-line transactions that are confidential or sensitive (e.g. contractual or financial transactions), then a risk assessment shall be made to determine the appropriate level of controls.

v. Transactions shall be protected against misrouting, and against any unauthorised alteration, disclosure or replay.

vi. The following security measures shall be considered:

• Use of electronic signatures for each of the parties involved in the transaction.
• Encryption of the data between all involved parties.
• Ensuring stored transaction data is not accessible from the Internet.

3.6. Publicly available systems

i. Information that is published to publicly available systems, e.g. Internet Web servers, shall be protected from unauthorised modification. Such servers shall be hardened against attack, and the integrity of the information shall be checked frequently, preferably by an automated mechanism. There shall be a formal authorisation process before information is made publicly available.

ii. Software, data and other information requiring a high level of integrity, when it is made available on a publicly available system, shall be protected by appropriate mechanisms, e.g. digital signatures.