Last Updated on 04-05-23

Purchase Order
Terms and Conditions

1.   SERVICES

Vendor shall provide or has provided certain Materials (as defined in Section 3(a)) and/or services (“Services”) for Agency as specified in the specifications provided by and in a manner satisfactory to Agency. The quality and timing of the Materials and Services is of the essence of the Purchase Order (hereinafter referred to as the or this “PO”). Agency and Client have the right to inspect and sole discretion to approve the Services and Materials and may reject or return the Services and/or Materials for any reason. Agency and Client reserve the right to terminate this PO due to the nonconformance of any Materials or Services or Vendor's failure to perform or to engage a third party to correct Vendor's nonconforming Materials or Services, or failure to perform, at Vendor's cost. All goods must be packaged, shipped and routed exactly as specified by Agency. If a different manner of shipment is necessary in order to comply with the specified delivery date, all increases in shipping costs shall be borne solely by Vendor. Title to and risk of loss of the Materials shall remain with Vendor until the Materials are delivered F.O.B. at the point of delivery specified in the PO, or if no such point is specified, then when the Materials are delivered to Agency or Client. Vendor shall maintain continuity of personnel during the performance of the Services. If during the course of the provision of Services, Agency or Client desire to make any changes in or variations from the specifications given to Vendor by Agency and such changes result in additional costs, Vendor shall notify Agency's authorized representative in writing of the amount of such additional costs before any such additional costs are incurred and shall proceed only after receiving written authorization from such representative. Reimbursement for such additional costs (to the extent such additional costs have been preapproved) shall be payable at the same time as the final payment.

2.   COMPENSATION AND BILLING

  1. PAYMENT PROCESS: Unless specified in the PO, payment shall be due not more than sixty (60) days after the occurrence of the last of the following: (a) receipt by Agency of Vendor's invoice in proper form including the PO number; (b) completion and delivery of all Materials and/or Services to be performed and delivered to Agency and Agency’s acceptance thereof; and (c) payment to Agency has been made by Client for the invoiced amount. All invoices must be addressed to Agency’s purchasing department at the address indicated on the Order with an electronic copy sent via email to acctspayable@gmrmarketing.com. Invoices not received within 60 days of completion of your services may be rejected by Agency in its sole discretion.

    1. Payment instructions must be provided and verified in accordance with the Agency’s policies before they are put into effect. Except as otherwise approved by Agency, Vendor agrees that any amounts due hereunder may be paid via electronic funds transfer (EFT) (e.g., Automated Clearing House (ACH) for US payments or wire transfer for non-US payments). Payment instructions provided via any other means (including on invoices) will not be used.

  2. PRICES, OVERAGES, AND TAXES: Agency shall not be billed at prices higher than those stated on Agency’s Order. Vendor must obtain prior written approval of Agency for any overage above the Total Payment. The failure to do so will result in non-payment of the overage. Unless otherwise specified, prices on an Order include all charges for packing, storage and transportation. The price stated includes all taxes except state or local sales or use tax or similar taxes, which you are required by law to collect from Agency. Such taxes, if any, shall be separately stated in Seller’s invoice and paid by Agency unless an exemption is available.

  3. RESULTS OF CHANGES: Agency may make changes in specifications, quantities, delivery schedules, or methods of shipment or packaging on any goods at any time. If such changes result in an increase or decrease in cost, an equitable adjustment of price and delivery schedules may be made, or Agency may, at its option, terminate the Order if agreement on an adjustment cannot be reached. Claims for adjustment must be asserted by you within ten (10) days of the change order. Vendor shall be paid only for work actually performed.

  4. REIMBURSEMENT OF EXPENSES: In the event Agency has agreed to reimburse Vendor for any expenses, such expenses must be preapproved and itemized in the PO and are subject to the submission of appropriate documentation and receipts. All preapproved expenses must be invoiced at cost, without markup. The failure to submit invoices for fees and/or expenses for reimbursement within sixty (60) days after the incurrence thereof may render such fees and/or expenses as non-reimbursable, at Agency’s discretion and/or as provided for in Agency’s agreement with Client. Agency’s Client travel and expense policies will be adhered to when traveling for a Client project. Receipts for expenses will be provided upon request.

  5. AUDIT: Vendor shall maintain complete and accurate accounting and other records in connection with its performance hereunder and in support of all time worked and any fees and expenses for which payment is sought under this PO. All such records shall be preserved by Vendor and made available to Agency for audit upon request at any time during normal business hours and upon reasonable notice. If, after any such audit, it is determined that Vendor’s charges exceed the amounts properly chargeable to Agency, Vendor shall, without limiting Agency’s other available rights or remedies, promptly refund the amount of such overcharge as well as pay the cost of the audit which uncovered the overcharge in the event that an overcharge is ten (10%) percent or more of the correct amount. Conversely, Agency may offset against invoiced amounts payable amounts owed by you.

  6. NO ACCEPTANCE OF DEFECT: No payment for Materials or Services hereunder shall be deemed an acceptance thereof and Agency’s failure to notify Vendor of defects after receipt or acceptance of the Materials or Services shall not be deemed a waiver.

3.   WORK FOR HIRE/ASSIGNMENT

  1. Except where otherwise identified pursuant to paragraph 3(b), all Materials protectable under United States copyright law shall be owned by Agency and its successors and assigns, and to such other persons or companies as Agency may designate from time to time and their assigns and licensees, as “works made for hire” under the U.S. Copyright Act, as amended; to the extent that any or all of such Materials are deemed not to be works made for hire, or where the U.S. Copyright Act, as amended, is deemed not to apply, Vendor hereby irrevocably assigns to Agency all right, title and interest in and to the worldwide copyrights in such Materials. With respect to all other intellectual property and proprietary rights in such Materials, Vendor hereby irrevocably assigns to Agency all worldwide rights, title and interest in and to all trademarks, service marks, trade dress, trade secrets, patents and other intellectual property rights in such Materials. “Materials” shall refer collectively to any and all tangible or intangible materials discovered, conceived, invented, reduced to practice, developed, designed, created, prepared, produced, provided, presented, furnished by or on behalf of Vendor or its subcontractors or any of their respective employees or personnel, whether in preliminary, draft or final form, finished or unfinished, whether or not patentable, copyrightable or otherwise subject to intellectual property protection, and whether used or unused by Agency or its Client. Materials shall include, where applicable, but are not limited to, trademarks, service marks, logos, names, designs, taglines, product names and descriptions, brand names, characters, trade dress, slogans, copy, scripts, commercials, advertisements, brochures, instruction manuals, crew materials, point of purchase materials, promotional materials, storyboards, videos, films, packaging, signs, official contest and sweepstakes rules, domain names, websites, social media pages, social media accounts, social media posts, internet portals or telephone numbers for use in connection with the Services, printed materials, digital materials, photographs, illustrations, transcriptions, literary materials, artistic materials, production materials, tooling, layouts, artwork, engravings, sound recordings, models, sound chips, music, lyrics, sketches, layouts, drawings, proposals, presentations, drafts, rough cuts, ideas, data, data bases, databanks, plans, plates, props, printing screens, trade dress, developments, innovations, improvements, tools, processes, formulas, techniques, software, hardware, firmware, source/object/computer codes, discoveries, concepts, writings, inventions, toys, premiums, component parts, technology, self-liquidating premiums, premiums for profit, customer data, customer complaint/inquiry files and customer service files. Vendor agrees to execute and cause others who in any way contribute to the creation of the Materials to execute all further documents that, in the judgment of Agency, are required or useful to establish, protect or enforce the rights herein granted or confirmed. If Agency is unable for any reason to secure the Vendor’s signature to any document requested under this Section, Vendor hereby irrevocably designates and appoints Agency and its duly authorized employees, personnel or agents as Vendor’s attorneys-in-fact, coupled with an interest and with full power of substitution, to act for and on Vendor’s behalf, to execute and file any such documents and to do all other lawfully permitted acts to further the purposes of the foregoing with the same legal force and effect as if executed by Vendor.

  2. LICENSE TERMS: If Agency expressly agrees to obtain the Materials on a licensed basis then, subject to any limitations specifically set forth in the PO, Vendor irrevocably grants to Agency and its respective successors and assigns the exclusive, royalty- free, worldwide, transferable, sub-licensable right and license to use, publish, display, reproduce, retouch, alter, crop, modify, couple, edit, adapt, digitize, transfer, translate, deliver, dispose, perform or otherwise use, modify, adapt, and create derivative works of the Materials, whether in whole or in part, to, but not limited to, advertise or otherwise promote Client and/or its products or services without the need for any further consent or approval by Vendor or that of any third party, worldwide, in all media now known or hereafter invented, including without limitation for advertising, publicity, entertainment, trade, merchandising or theatrical presentation, internal meetings, public relations, advertising awards competitions, and in retrospective/editorial material and for similar purposes or otherwise, with or without the use of Vendor’s name. Agency and its affiliates shall also have the right to use the Materials for the purposes of self-promotion. Neither Agency nor Client shall have any liability for any visual distortion which may occur to the Materials including, but not limited to, blurring, distortion, alteration or optical illusion. Except if specifically set forth in the PO, Vendor hereby waives any right that it may have to inspect or approve the final form and/or use of the Materials. Neither Client nor Agency, nor their respective designees, will be held liable for any continued publication, display and/or performance of the Materials after said agreed upon time period, so long as Client and/or Agency has used reasonable efforts to cause said publication, display and/or performance to cease, it being understood that Client and/or Agency shall have no obligation to remove or take down or seek the removal or takedown of Materials from social media feeds or third party platforms once such Materials are published or posted. For the avoidance of doubt, unless specifically set forth to the contrary in the PO, Vendor and any person acting under its authority are restricted from making any use of the Materials, or any materials substantially or confusingly similar to the Materials, in any way, including, for example, and not limitation, in connection with any product or service during the term and/or option term, if any set forth in the PO. Notwithstanding the foregoing, except if specifically set forth in the PO, any license granted to use any software that was not created specifically for Agency or Client shall be non-exclusive.

  3. INSPECTION: If any Materials are found to be defective or otherwise not in conformity with the requirements of this PO, Agency may, in addition to its other rights and remedies, reject such Materials and require their prompt correction or their replacement at Vendor’s expense, including shipping and packaging charges. Alternatively, Agency may repair or replace such nonconforming Materials at Vendor’s expense.

  4. DATA: Vendor acknowledges that all data provided to Vendor by Agency and Client or data collected by Vendor in the course of providing the Materials and/or Services (“Data”) is, as between Client, Agency and Vendor, owned solely by Agency or Client. Vendor does not obtain any right, title or license to Data and Vendor shall not use Data other than as authorized in writing for the sole benefit of Client or Agency. Subject to Vendor’s normal access and security procedures, in no event shall Vendor ever deny Client or Agency access to Data for purposes of retrieval or backup. For the avoidance of doubt, Vendor shall not deny Agency or Client such access even in the event of a dispute between the parties or breach of this PO by Agency. Data shall include all data and information received, sent or generated through the performance of any hosting or online services by Vendor, as well as all IDs, passwords, screen names and other online identifiers.

4.   WARRANTIES AND REPRESENTATIONS

Vendor warrants and represents that: (i) the Materials purchased hereunder shall be free from defects in material and workmanship, shall be accurate and fit for the purpose for which they are intended to be used, shall conform to the highest quality and safety standards in Vendor’s industry, will be Vendor’s original and independent work product in all respects, and shall operate error free; the Services will be carried out in a competent and professional manner by adequately trained and skilled personnel; and each of the Materials and the Services shall strictly conform to all specifications and requirements supplied or communicated by the Agency to the Vendor; (ii) in creating the Materials or performing the Services hereunder, the Vendor shall be licensed or otherwise have the right to use any computer programs or other materials, services, information or data used, unless specifically provided by Agency to Vendor, and Vendor shall be responsible for obtaining all rights, permissions and/or licenses required for any materials, services, information or data used or incorporated into any Materials provided hereunder, including but not limited to ensuring that (A) models and other persons whose name, image, likeness, voice or other identifying trait appears in the Materials, and (B) owners of patented, trademarked, copyrighted, source-identifying or other creative and/or distinctive elements that appear in the Materials, have (or will have, before the deadline for Vendor’s delivery of the Materials to Agency and/or Client) executed valid releases permitting the use, as specified in this PO, of said traits and elements in the Materials, and Vendor shall supply the Agency with an original or photocopy of each such written permission or release upon request; (iii) Vendor, if required, is duly organized and validly existing and in good standing under the laws of the state of its incorporation or formation, has the full legal right to enter into this PO and fully perform its duties and obligations hereunder and entry into or performance of this PO will not breach or conflict with any agreement, commitment or other existing arrangement that Vendor has with any other entity or person; (iv) the Materials shall be delivered to Agency free and clear of any and all liens, mortgages, claims, charges, security interests, licenses, use agreements and any other encumbrance or limitation on rights of use, whatsoever; (v) the Materials and Services and any component thereof, including without limitation, any Music, will not infringe, misappropriate or violate any patent, copyright, literary right, dramatic right, trademark, right of privacy or publicity or trade secret or any other right of any person or entity; (vi) unless licensed pursuant to article 3(b) and in such case subject to the terms set forth on this PO, (A) the Materials are wholly original and are not copied in whole or in part from any other work, or based on or adapted from any other work, or in the public domain and have not been published or exploited in any form anywhere in the world, (B) no application has been made to register the Materials or any related intellectual property rights with any government or regulatory authority; (vii) Vendor will do nothing hereafter that is inconsistent with or in derogation of any of its obligations hereunder or any of the rights granted to Agency and/or Client; (viii) Vendor’s performance of the Services under this PO shall not conflict with the rights of any third person or violate any laws, regulations, rules or guidelines, including any laws concerning privacy and data security; (ix) no part of any software or technology shall contain any third party or open source code or materials or any malware, virus, time-bomb, trojan horse, worm or other harmful or disabling code; (x) Vendor shall at all times strictly adhere to the Supplier Code of Conduct attached as Exhibit A hereto; and (xi) in connection with any software purchased, assigned, licensed or otherwise transferred to Agency hereunder, Vendor shall provide a true and correct copy of source materials for any such software, including without limitation any and all human readable source code and materials, underlying computer tools and applications, documentation (including all programmers’ comments), and all similar materials that are necessary to enable full use and maintenance of such software.

5.   INSTALLATION/REPAIR/CONSTRUCTION

In the event the Services relate to installation, repair or construction work, or manufacturing, Vendor's employees will be fit and skilled for the work assigned. Vendor will take extreme precautions against hazards of all types to Agency's property and personnel and maintain adequate protection of the work, adjacent property and the public and will be responsible for all damages or injuries arising through its acts or omissions. Vendor will obtain any necessary permits and/or authorizations to perform the work. All materials will be new and of good and merchantable quality.

6.   CANCELLATION

Client and/or Agency may cancel all or part of this PO in their sole discretion, upon notice to Vendor. Except in the event of termination by Agency due to breach by Vendor, Agency will pay Vendor the lesser of (a) all verified costs actually incurred and paid by Vendor and non-cancellable costs properly incurred and committed to by Vendor in the creation and delivery of the Material or provision of Services which are accepted in accordance with this PO prior to said cancellation, or (b) the total payment amount set forth in this PO (“Total Payment”). For the avoidance of doubt, time is of the essence in Vendor’s performance of its obligations set forth in this PO, including without limitation Vendor’s delivery of all Materials. Any termination by Agency and/or Client due to breach by Vendor shall be without penalty or payment on the part of Agency, and in such an event, all rights and remedies of Agency are expressly reserved.

7.   FORCE MAJEURE

If for any reason beyond Vendor's reasonable control, such as but not limited to strikes, war, acts of God, labor troubles, riots, delay of commercial carrier or restraint of public authority, Vendor is unable to produce and deliver the Materials as provided herein, Agency shall have the right to give written notice to Vendor to terminate or reduce deliveries under this PO. In the event of termination, Agency and Client shall be under no obligation to make any further payments to Vendor. If Agency accepts reduced deliveries, Agency may procure substitute Materials from other sources, in which event this PO shall be deemed modified to eliminate Vendor’s obligation to sell and Agency's and Client’s obligation to purchase such substituted Materials.

8.   INSURANCE

Vendor shall obtain at its own cost and maintain in full force and effect during the time period that Client and/or Agency may use the Material pursuant to this PO, the types of insurance and minimum limits, as applicable, set forth in Exhibit B hereto with an insurer having an A.M. Best rating of A-VIII or better and admitted to conduct business in the jurisdictions where Materials were created or are to be used and where the Services are performed.

9.   INDEPENDENT CONTRACTOR

Vendor is acting as an independent contractor in its performance of its obligations set forth in this PO, and Vendor shall not be permitted to act as agent or otherwise obligate or bind Agency and/or Client in connection with this PO. No persons employed by Vendor in performing its obligation shall be deemed employees of Agency or Client. Vendor shall make whatever payments which may be due such persons.

10   CONFIDENTIALITY; PUBLICITY

All non-public information and materials Vendor has or shall receive from Agency or Client, including, by way of example and not limitation, storyboards, scripts, layouts and other written or oral instructions, concepts and marketing plans, strategies, Client’s products or advertising, the Materials, and this PO (“Confidential Information”), is the sole property of Agency and/or Client, as the case may be. Vendor represents, warrants and agrees that neither it nor its employees, agents or subcontractors will disclose to any third party, nor use the Confidential Information (except for such internal use as is required to provide the Materials or Services), without the prior written consent of an authorized representative of Agency, and, provided such third party executes a written confidentiality agreement no less restrictive than the terms hereof. Vendor shall be responsible for any disclosure made by such third party. The aforementioned restrictions shall not apply in the event and to the extent that Confidential Information becomes publicly known as a result of the intentional disclosure of the Confidential Information by Agency or Client. Vendor shall not use or refer to any Materials related to this PO (including in its creative reel), the substance of this PO, or the name or trademarks of Agency or Client, in any of its advertising or publicity. Vendor hereby agrees that Agency will be entitled, in addition to any other remedies available to them at law or in equity, to injunctive relief to prevent the breach or threatened breach of Vendor’s obligations in this Section 10, without any requirement to demonstrate irreparable harm or post a bond.

11.   SECURITY; PRIVACY

If, in the course of performance of its obligations, Client or Agency gives Vendor on-site or remote access to any of Client’s or Agency’s network, computer or electronic data storage system, Vendor will use such access only to perform Services or provide Materials and will not attempt to access any computer system, electronic file, software or other electronic services other than those specifically authorized by Client or Agency and required to perform the Services or provide the Materials. Vendor will limit such access to those Vendor personnel and/or third parties requiring such access in connection with providing the Services or Materials and shall follow all Client and Agency security policies, rules and procedures for use of Client’s or Agency’s network and other electronic resources. In addition to any security requirements provided by Agency to Vendor at any time, Vendor shall implement and maintain commercially reasonable physical and electronic security procedures and practices consistent with industry practices and appropriate to the nature of any Agency or Client information disclosed to or accessible by Vendor in order to protect such information from unauthorized access, destruction, use, modification or disclosure, and it shall immediately notify Agency in writing in the event any unauthorized access to such information is suspected or becomes known, provide the Agency access to the extent Agency deems necessary to determine the existence and extent of such breach, and permit Agency to control any public notifications (with the reasonable assistance of Vendor) and be responsible for the cost of any remediation, at Vendor’s sole cost. At a minimum, the Vendor shall (i) designate individuals with direct responsibility for security; (ii) document all movement, storage, and handoffs of Agency or Client’s sensitive information; and (iii) grant the least amount of access to Agency or Client’s sensitive information to the smallest set of people for the shortest time period needed for them to provide the Materials and Services as set forth in the PO. Vendor acknowledges that to the extent it is collecting or providing any personally identifiable information under this PO, it shall get prior written approval from Agency in each instance. With respect to any information received by Vendor from Agency, including without limitation any personally identifiable information, Vendor shall comply with, and shall not take any action or fail to take any action that would cause Agency or Client to be in breach of applicable laws, rules or regulations, or any self-regulatory principles, including without limitation those concerning privacy and data security. In the event that Vendor suspects that there may have been a breach of its security or privacy obligations Vendor shall advise Agency, in writing, of the suspected breach as soon as possible but in no event later than 48 hours after the discovery of the suspected breach. Agency and/or Client shall have the right, upon reasonable prior notice to Vendor to audit Vendor’s compliance with its security and privacy obligations.

12.   PRIVACY, CONFIDENTIALITY AND INFORMATION SECURITY

Vendor agrees to comply with the terms and conditions of the Privacy, Confidentiality and Information Security Addendum set forth in Exhibit C.

13.   HIRING OF MINORS

In the event the services of performers who are minors may be required in connection with the Services hereunder, Vendor will comply with all applicable laws and regulations concerning such employment in the state in which the Services will take place, including but not limited to obtaining parental consents, requiring working permits and trust accounts (where applicable) and complying with working conditions applicable to minors. Where applicable, Vendor shall be responsible for complying with all applicable laws and regulations relating to the hiring and payment of workers, including but not limited to (i) the disclosure of wage statements at the time of hire pursuant to the New York Wage Theft Prevention Act, where applicable; (ii) timely payment of workers pursuant to the California Labor Code, where applicable; and (iii) compliance with all applicable laws in effect.

14.   INDEMNIFICATION

Vendor will indemnify and hold harmless Agency and Client, and their respective officers, directors, employees, agents, and affiliates from and against all claims, actions, liabilities, losses, costs and expenses (including without limitation reasonable attorneys’ fees) relating to and/or arising from (i) the actual or alleged breach of this PO, any error, omission, negligence, willful misconduct or fault of Vendor or its employees, agents, subcontractors or other persons acting under Vendor’s authority); (ii) any claim for injury or loss suffered by Vendor’s employees, agents, subcontractors or other persons acting under Vendor’s authority; (iii) Client, Agency or their respective designees’ use of the Material as permitted and contemplated by this PO, including without limitation all claims alleging a violation of patent, trade secret, copyright, trademark right, moral right, contract right, privacy or publicity right, or other personal and/or property right, and (iv) any claims of any of Vendor’s employees, agents, subcontractors or other persons acting upon Vendor’s authority providing services hereunder related to (a) such person’s employment relationship or termination of employment with Vendor or removal from providing services pursuant to this PO, or (b) any claim of breach of contract, unjust dismissal, wrongful termination, or discrimination under federal, state or local law by such persons against Vendor. Agency shall advise Vendor in writing of any action, administrative or legal proceeding or investigation as to which these foregoing indemnification requirements may apply. Agency and Client shall have the right to select counsel used by Vendor to defend Agency and Client against any such lawsuit, claim or legal proceeding for which indemnification is sought. Agency and Client shall have the sole right to control the legal defense and to compromise, settle or dispose of any such lawsuit, claim or legal proceeding. All costs incurred by Agency or Client in enforcing Vendor’s indemnity obligations hereunder, including but not limited to attorneys' fees and disbursements, shall be borne by Vendor. The foregoing indemnifications shall also extend to any business owner, landlord, property manager, or any other entity Agency is contractually obligated to indemnify, defend and hold harmless by reason of Agency’s lease or use of the premises in or on which Vendor’s work is being performed.

15.   LIMITATION OF LIABILITY

UNDER NO CIRCUMSTANCES SHALL AGENCY OR CLIENT OR ANY OF THEIR RESPECTIVE PARENTS, AFFILIATED COMPANIES, DIRECTORS, OFFICERS, EMPLOYEES, SHAREHOLDERS, LICENSEES OR AGENTS BE LIABLE TO VENDOR FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE OR EXEMPLARY DAMAGES, WHETHER ARISING UNDER CONTRACT, WARRANTY, OR TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY) OR ANY OTHER THEORY OF LIABILITY, REGARDLESS OF WHETHER AGENCY AND/OR CLIENT KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES. EXCEPT WITH RESPECT TO ANY UNPAID FEES DUE FROM AGENCY TO VENDOR PURSUANT TO SECTION 2 HEREUNDER, IN NO EVENT SHALL AGENCY OR CLIENT OR ANY OF THEIR RESPECTIVE PARENTS, AFFILIATED COMPANIES, DIRECTORS, OFFICERS, EMPLOYEES, SHAREHOLDERS, LICENSEES OR AGENTS BE LIABLE TO VENDOR FOR DAMAGES GREATER THAN THE TOTAL AMOUNT ACTUALLY PAID OR PAYABLE TO VENDOR PURSUANT TO THIS PO.

16.   SAFEGUARD OF PROPERTY

All property of Client or Agency in the possession or control of Vendor will remain the property of Client or Agency, respectively, and Vendor will be responsible for all damage or loss to that property while it is in Vendor’s possession or control. Vendor agrees to promptly return all such property (including Confidential Information) to Agency, or as directed by Agency, upon the earlier of Agency’s request, the completion of Vendor’s performance or termination or expiration of this PO.

17.   CHOICE OF LAW

This PO will be construed in accordance with the laws of the State of Wisconsin, where Agency maintains its principal office, notwithstanding any conflict or choice of law principle to the contrary. All disputes relating to this PO will be adjudicated in the federal or state courts, as appropriate, located in Milwaukee County, Wisconsin and the parties hereby consent to personal jurisdiction and venue in such courts and waive all defenses as to an improper or inconvenient jurisdiction or venue.

18.   SEQUENTIAL LIABILITY

Agency will only be liable for the cost of the Materials and Services purchased and other obligations to Vendor to the extent Agency has been paid by Client (and Client shall have no obligation to Vendor to the extent that such amounts have been paid to Agency). For amounts not paid to Agency by Client, Vendor will seek payment solely from Client (and not from Agency). Agency represents and warrants to Vendor that Client has requested Agency to purchase from Vendor the Materials and Services purchased hereby and Agency agrees to use commercially reasonable efforts to collect from Client all amounts due. In the event that despite such efforts, Agency has not received payment from the Client, upon the written request of Vendor, Agency shall provide to Vendor the Client’s contact information to assist Vendor to seek payment directly from the Client.

19.   MISCELLANEOUS

VENDOR SHALL NOT ASSIGN OR DELEGATE ANY DUTIES OR CLAIMS UNDER THIS PO OR SUBCONTRACT THE PO, OR ANY PORTION THEREOF, WITHOUT THE PRIOR WRITTEN CONSENT OF AGENCY. The term "subcontract" as used in this clause means a contract for the purchase of an item or items or services to your specifications, designs, or drawings. The term does not include the purchase of standard commercial supplies or raw materials.

All notices required shall be in writing and shall be either personally delivered, or delivered by a reputable national or international overnight courier, or sent by facsimile (with proof of successful transmission retained) with an original to be delivered by the overnight courier, in each case addressed to the applicable party to its business address as indicated on the front side of this PO, or to any other address designated by Agency or Vendor by prior written notice to the other. Notice shall be deemed given on the day it is personally served or one (1) business day after it is sent by the courier or facsimile, provided proof of successful transmission has been retained. The waiver by either party of a breach of any provision of this PO by the other party shall not operate or be construed as a waiver of any other or subsequent breach by the other party. No waiver shall be effective unless made in writing and signed by an authorized representative of the party to be charged with such a waiver. No failure by Agency or Client to exercise any rights granted herein and no custom or practice of Agency or Vendor at variance with this PO shall constitute a waiver of the right of Agency to demand strict compliance. Should any provisions of this PO be held by a court of law to be illegal, invalid, or unenforceable, the legality, validity and enforceability of the remaining provisions of this PO shall not be affected or impaired thereby. This PO may not be transferred, assigned or subcontracted, in whole or in part, without Agency’s prior written consent. This PO shall be binding on any permitted successors and assigns. Vendor shall remain fully liable for the acts of any subcontractors. This PO constitutes the entire agreement between the parties and may not be changed except by a writing signed by both parties.

Invoices, rate cards or other documents, including without limitation any online, browse-wrap, click-wrap or click-through terms and conditions, originating with Vendor or persons or entities acting under Vendor’s authority will not satisfy this writing requirement and are of no force or effect, notwithstanding payment of such invoices, signature of such documents and/or failure to object to such documents. For the avoidance of doubt, if any provision in such documents contradicts or otherwise is incompatible with any provision in this PO, then the provision in this PO will control.

Agency may inspect, copy and shall have access to, at all reasonable times during the performance of the Order and for five (5) years thereafter, all of Vendor’s and its subcontractors, books, records, receipts, vouchers, correspondence, instructions and the like pertaining to the Order and Materials provided, for the purpose of and as are reasonably necessary to audit and to verify that the charges presented and the Materials supplied by Vendor are in accordance with the Order and for any other reasonable purpose.

EXHIBIT A

SUPPLIER CODE OF CONDUCT

INTRODUCTION

Agency (hereinafter referred to as “we”, “our”, “us”) is committed to achieving a standard of excellence in every aspect of our business.

We always strive to work to the highest professional standards relevant to our business. Our corporate responsibility strategy aims to improve the impact of our business on society. We expect the same high standards from those businesses with which we work. A reliable and ethical supply chain is critical for our business. Consequently, we expect our suppliers to conduct their business activities ethically and responsibly, with integrity, honesty and transparency. We require that all members of our supply chain endorse our values by operating ethically.

At a minimum, we expect you and each of your subsidiaries, including your respective employees and agents (hereinafter collectively referred to as “you” and “your”), to meet the standards and promote the principles outlined in this Supplier Code, and we expect you to hold your own suppliers to the same standards.

This Supplier Code is not exhaustive and should not be used to prevent or discourage companies from exceeding these standards.

PRINCIPLES OF SUPPLIER CONDUCT

  1. Anti‐Discrimination
    You shall not discriminate against any employee based on sex, race, religion, sexual orientation, gender identity and/or expression, national origin, age, disability, pregnancy, marital status, or any other legally protected characteristic, in hiring or other employment practices.

  2. Anti‐Harassment and Abuse
    You shall commit to a workplace free of harassment and abuse and shall not threaten workers with, or subject them to, harsh or inhumane treatment. You shall uphold the human rights of workers and treat your workers with dignity and respect. You shall ensure that workers have a mechanism to report grievances and that your business encourages and facilitates open communication between management and workers.

  3. Underage Workers
    You shall ensure that no underage worker is used in the production or distribution of your goods or services. You shall employ only workers who meet the applicable legal minimum working age, except that in no event shall you employ any person who is under the age of 16 even if local law permits otherwise. However, performers, actors, or models who are minors are exempt from the foregoing, if local law permits. You agree to comply with all applicable laws concerning such minors (including, but not limited to, shoot hours, welfare workers / teachers, and break times).

  4. Working Hours, Wages and Benefits
    You shall set working hours, wages (including but not limited to shift pay and other allowances) and over-time pay in compliance with applicable laws. Your workers shall be paid at least the minimum legal wage. All deductions from wages must be lawful and, where applicable, with the express permission of the employee.

  5. Freedom of Association
    You shall freely allow workers lawful rights to associate with others, form and join organizations of their choice, and bargain collectively as permitted and in accordance with all applicable laws and regulations, without discrimination, retaliation or harassment.

  6. Employment Status
    You shall employ workers who have complied with all relevant immigration regulations and who lawfully live and work in the country in which you operate. You shall ensure that all workers provide satisfactory proof of identity to you and that employment by you of your workers does not breach any laws, rules or regulations.

    Your employees must be free to leave their employment after giving reasonable notice and shall not be required to lodge deposits or payments (in cash or other kind) with their employers.

  7. Health and Safety
    You shall provide and maintain a safe work environment and integrate sound health and safety management practices into your business. You shall have a system for workers to report health and safety incidents without fear of reprisal, as well as a system to investigate, track, and manage such reports, and implement required corrective action. You shall obtain, keep current, and comply with all required laws, regulations, health and safety permits, licenses and consents.

  8. Whistleblowing
    You shall have clear policies and procedures in place so that workers may report concerns about wrongdoing in their workplace without being victimized, dismissed or otherwise retaliated against. You shall also comply with all other applicable laws in relation to whistleblowing.

  9. Prevention of Modern Slavery and Human Trafficking
    You shall take reasonable steps to ensure that modern slavery and human trafficking is not taking place in your supply chains or in any part of your business. Within 20 days of request, you shall provide to us a modern slavery and human trafficking report setting out the steps you have taken to ensure that modern slavery and human trafficking is not taking place in any of your supply chains or in any part of your business. This may include, to the extent relevant, information concerning:

    1. your business structure and supply chain;

    2. the policies you have adopted to ensure there is no modern slavery, including human trafficking, forced or indentured labour, slavery or servitude, within your business;

    3. the training and other measures used to ensure appropriate policies and procedures are applied;

    4. the due diligence and monitoring conducted by your business to understand the relevant risk areas and confirm that no such behavior is occurring;

    5. a confirmation that no modern slavery issues have been identified in your business or supply chain in the last year;

    6. to the extent any potential issues concerning modern slavery (including human trafficking, forced or indentured labor, slavery or servitude) have been identified within your business, the circumstances surrounding those issues and the steps you have taken to remedy such issues; and/or

    7. documents evidencing the information provided in relation to the matters set out in this paragraph 9.

  10. Environment
    You shall develop, implement and maintain environmentally responsible business practices. You shall carry out your operations with care for the environment and comply with all applicable environmental laws and regulations.

  11. Compliance with Law
    Your business activities shall comply with all applicable laws and regulations in the countries and jurisdictions in which you operate.

  12. Anti‐Bribery
    You shall not engage in corruption, extortion, embezzlement or bribery to obtain an unfair or improper advantage on our behalf. This means that you shall not provide or receive anything of value to obtain an improper business advantage or favorable treatment or exert undue influence, including offering, giving, asking for or taking any form of potential bribe or kick-back. This prohibition extends to payments and gifts of cash or in kind, made directly or through others and includes a prohibition on facilitation payments intended to expedite or secure performance of a routine governmental action such as obtaining a visa or customs clearance, even in locations where such activity may not violate local law. You shall abide by all applicable anti-corruption laws and regulations of the countries in which you operate, including the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act 2010 and applicable international anti-corruption conventions.

  13. Disclosure of Information
    You shall accurately record information regarding your business activities, employment, health and safety, and environmental practices and shall disclose such information, without falsification or misrepresentation, to all appropriate parties and as required by law. You shall maintain accurate financial books and business records in accordance with all applicable legal and regulatory requirements and generally accepted accounting practices.

  14. Information Security
    You must comply with applicable data privacy laws (e.g., GDPR, CCPA) and must protect the confidential and proprietary information of others, including personal data, from unauthorized or unlawful processing, access, destruction, use, modification and disclosure, and against accidental loss or destruction, or damage through appropriate technical and organizational measures including physical and electronic security procedures. You also are expected to take the necessary information security measures, for both computer systems and portable electronic devices, to protect against malware and unauthorized disclosure of any proprietary information. You are responsible for tracking new data privacy laws and modifications to current laws.

  15. Risk Assessment and Management
    You shall develop and maintain a process to identify employment and human rights, health and safety, environmental, business ethics, and legal compliance risks associated with your operations, determine the relative significance of each risk, and implement appropriate procedures and controls to minimize the identified risks.

CONCLUSION

This Supplier Code is intended to promote a culture among our suppliers that complies with both the letter and the spirit of all applicable laws, rules and regulations.

You should refer to the principles set out in this Supplier Code when ethical and compliance issues arise. Each of the principles in this Supplier Code is fundamental to how we do business. However, this Supplier Code cannot anticipate every possible instance in which an ethical issue may arise, and so it aims to reinforce the ethical and responsible way in which we require you to conduct your business and the integrity, honesty and transparency which is required in your operations.

EXHIBIT B

INSURANCE REQUIREMENTS

  1. Vendor shall obtain at its own cost and maintain in full force and effect during the time period that Client and/or Agency may use the Material or Services, and for an additional time period of three (3) years for any policy written on a “claims made” basis, the following types of insurance and minimum limits, as applicable, set forth below with an insurer having an A.M. Best rating of A-VIII or better and admitted to conduct business in the jurisdictions where Materials were created or are to be used and where the Services are performed:

    1. GENERAL INSURANCE REQUIREMENTS

      Workers' Compensation:
      Part One (Work. Comp.) — Statutory
      Part Two (Employers Liab.) – $1,000,000
      For Temporary Staffing Agencies an Alternate Employers’ Endorsement is required

      Commercial General Liability – Covering liability arising from premises, operations, personal injury, products/completed operations, and liability assumed under an insured contract (including the tort liability of another assumed in a business contract) and no action-over or labor law exclusions within the policy. The limits of at least:

      $2,000,000 General Aggregate limit
      $1,000,000 each occurrence limit for all bodily injury or property damage incurred in any one (1) occurrence
      $1,000,000 each occurrence limit for Personal Injury and Advertising Injury
      $2,000,000 Products/Completed Operations Aggregate limit
      $1,000,000 each occurrence limit for Products/Completed Operations
      $1,000,000 Damage to Rented Premises (Fire Legal Liability)

      Commercial Automobile Liability – Covering all owned, non-owned and hired vehicles with limits of $1 million combined single limit for bodily injury/property damage each accident.

      Umbrella/Excess – $10,000,000 Occurrence and $10,000,000 Aggregate in excess of Employers Liability, Commercial General Liability and Commercial Automobile Liability and if applicable, your services include Liquor Liability and Garage Keepers Legal Liability.

      Commercial Crime Insurance – Commercial Crime Insurance including coverage for Employee Dishonesty, loss inside the premises, loss outside the premises, forgery or alteration, funds transfer fraud and computer fraud with a minimum limit of $1,000,000. Coverage will include 3rd Party Client Coverage/Clients Property for loss committed solely by Vendor’s employee with a minimum limit of $1,000,000. Coverage will include Agency and Client as joint loss payees which may be satisfied through the use of a blanket loss payee endorsement.

    2. PROFESSIONAL LIABILITY INSURANCE REQUIREMENTS

      1. If Vendor is providing art or photography (still or video) services, or if Vendor is providing original music creation or music licensing services:

        Professional Liability/Errors & Omissions Insurance, including coverage for Intellectual Property Rights (copyright; service mark; trademark rights); Cross Liability and Contractual Liability insuring the provisions of the above indemnification agreement with minimum limits of $1 million per claim and $2 million aggregate.

      2. If Vendor is providing non‐technology Services, such as Talent Agency, Talent Agent, Temporary Staffing, Security, Events, Moving Company, Payroll Services, Design Professional, Business Services Professionals, i.e., Consultants:

        Professional Liability/Errors & Omissions – Professional Liability/Errors & Omissions Insurance appropriate for Vendor’s business in an amount not less than $10,000,000 per claim and in the aggregate. If Services involve Vendor having access to or possession of personally identifiable information, then policy must include security and privacy liability coverage.

      3. If vendor is providing technology services:

        Professional Liability – Professional Liability/Errors & Omissions Insurance, including coverage for Technology Products & Services E&O; Security Liability; Privacy Liability; and Cross Liability (providing a carve-back to the insured vs. insured exclusion), Media Liability (including intellectual property infringements) and liability assumed under an insured contract (including the tort liability of another assumed in a business contract) with minimum policy limits of $10,000,000 per claim and in the aggregate.

    3. VARIOUS ADDITIONAL INSURANCE REQUIREMENTS - If your Services include

      Temporary Staffing Agencies Only, EPLI Third Party with minimum limits of $1,000,000. Policy shall include Agency, its Client and all other Indemnitees as additional insureds.

      Vendors Serving Alcoholic Beverages Liquor Liability – $1,000,000 each occurrence, if Services include the serving of alcoholic beverages.

      Vendor having care, custody or control of third-party vehicles, Garage Keepers Legal Liability - $1,000,000 each occurrence on a direct primary basis.

      Vendor Property Insurance – For loss or damage to Personal Property of Others in the care, custody or control of Vendor, the coverage limit must be at least the full replacement cost value of the property in Vendor’s possession and include Agency and Client as a loss payee.

  2. The following paragraphs apply to all Required Insurance

    1. Required minimum limits of insurance may be satisfied by any combination of primary and Umbrella/Excess liability policies.

    2. Vendor’s insurance shall be primary and non-contributory to any other insurance or self-insurance maintained by or available to Agency, its Client or all other indemnitees. Agency and its Client and all other indemnitees shall be named as additional insureds on Vendor's Commercial General Liability (including Liquor Liability and Garage Keepers Legal Liability, if applicable) and Commercial Automobile Liability Policies. As respects to Professional Liability/Errors & Omissions policies Vendor agrees to add Agency and its Client and all other Indemnitees as additional insured, but only if there is carve back for any insured vs. insured exclusion.

    3. Prior to the start of work, Vendor shall provide Agency with certificates of insurance evidencing the above insurance coverage. In addition, Vendor shall provide copies of Additional Insured, Loss Payee, Waiver of Subrogation and Primary/Non-Contributory endorsements from the respective policies. Agency shall be given at least thirty (30) days written notice prior to any policy cancellation; non-renewal or material change in coverage.

    4. The failure of Agency to request such certificates of insurance or the failure of Agency to identify any coverage deficiency will not be construed as a waiver of Vendor’s obligation to maintain the insurance required in this Agreement.

    5. All subcontractors retained by Vendor to perform services shall maintain the same types; limits and terms & conditions of insurance required of Vendor.

    6. Any deviations from these requirements must be approved by Agency and agreed in writing prior to Materials or Services being provided.

    7. Vendor and subcontractors shall be solely responsible for any policy deductibles or self-insured retentions and no more than $25,000 deductible or self-insured retention is permitted. The required minimum limits of insurance shall not in any way limit the liability of Vendor in connection with its performance under this PO.

    8. Vendor’s policies shall contain a waiver of subrogation in favor of Agency and its Client and all other Indemnitees, where permitted by law.

EXHIBIT C

Privacy, Confidentiality and Information Security Addendum

This Privacy, Confidentiality and Information Security Addendum (“Addendum”) sets forth the terms and conditions relating to the privacy, confidentiality, security and protection of Personal Information (as defined below) associated with services rendered by Vendor to Agency as agent for Client, or to Client if Agency is not acting as agent pursuant to this Purchase Order (this “PO”).

WHEREAS, Agency and/or Client or their employees, agents, consultants or contractors may provide Vendor with access to Personal Information in connection with certain services performed by Vendor for or on behalf of Agency or Client pursuant to this PO; and

WHEREAS, Agency and Client require that Vendor preserve and maintain the privacy, confidentiality, security and protection of such Personal Information.

NOW, THEREFORE, in consideration of Agency, as agent for Client, or as principal, entering to this PO with Vendor, Agency and Vendor agree as follows:

I. Definitions

  1. “Data Controller” means the entity that determines the purposes and means of the processing of Personal Information.

  2. “Data Processor” means any person or entity that Processes Personal Information on behalf of a Data Controller.

  3. “Data Subject” means an identified or identifiable natural person to which the Personal Information pertains.

  4. “European Data Protection Laws” means all applicable European Union (“EU”), European Economic Area (“EEA”) or national laws and regulations (including, without limitation, laws and regulations of the United Kingdom or Switzerland) relating to the privacy, confidentiality, security or protection of Personal Information, including, without limitation: the EU General Data Protection Regulation 2016/679 (“GDPR”) and laws or regulations implementing or supplementing the GDPR; the EU Directive 2002/58/EC (“e‐Privacy Directive”), as replaced from time to time, and laws or regulations implementing or supplementing the e-Privacy Directive, including laws regulating the use of cookies, other tracking mechanisms and unsolicited e-mail communications.

  5. “Information Security Incident” means any actual or suspected unauthorized or accidental access to or loss, use, disclosure, modification, destruction, acquisition or Processing of any Personal Information.

  6. “Instructions” means this PO and any amendment or other written agreement or documentation through which the Data Controller instructs the Data Processor to perform specific Processing of Personal Information.

  7. “Notification Related Costs” means Agency’s or Client’s and its affiliates’ internal and external costs associated with investigating, addressing and responding to an Information Security Incident, including but not limited to: (i) preparation and mailing or other transmission of any notifications or other communications to Agency or Client or their respective employees, agents or others as Agency or Client deems reasonably appropriate; (ii) establishment of a call center or other communications procedures in response to such Information Security Incident (e.g., Agency or Client service FAQs, talking points and training); (iii) public relations and other similar crisis management services; (iv) legal, accounting, consulting and forensic expert fees and expenses associated with Agency’s. Client’s and their affiliates’ investigation of and response to such Information Security Incident; and (v) costs for commercially reasonable credit monitoring, identity protection services or similar services that Agency or Client determines are advisable under the circumstances.

  8. “Personal Information” means any information that is Processed in connection with the services specified in this PO (1) relating to an identified or identifiable natural person, or (2) that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, regardless of the media in which it is maintained, that may be: (i) Processed at any time by Vendor in anticipation of, in connection with or incidental to the performance of this PO, or (ii) derived by Vendor from such information. Personal Information includes, but is not limited to, the data elements listed in section 140(o)(1)(A)-(K) of the California Consumer Privacy Act of 2018 (“CCPA”), if any such data element identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular individual or household.

  9. “Privacy Laws” means (i) all applicable international, federal, state, national, provincial and local laws, rules, regulations, directives and governmental requirements currently in effect and as they become effective relating in any way to the privacy, confidentiality or security of Personal Information, including without limitation, European Data Protection Laws and the CCPA, Cal. Civ. Code § 1798.100 et seq. and its implementing regulations; (ii) all applicable industry standards concerning privacy, confidentiality or information security; and (iii) applicable provisions of Agency’s or Client’s written requirements currently in effect and as they become effective relating in any way to the privacy, confidentiality or security of Personal Information or applicable privacy policies, statements or notices that are provided to Vendor in writing.

  10. “Privacy Shield” means, collectively, the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.

  11. “Process” (and its derivatives) means any operation or set of operations performed upon Personal Information, whether or not by automatic means, including, without limitation, creating, collecting, aggregating, procuring, obtaining, accessing, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, making available, aligning, combining, restricting, erasing and/or destroying the information.

  12. “Sub‐Processor” means any entity engaged by Vendor (or further Sub-Processor) to Process Personal Information on behalf and under the authority of Agency or Client.

  13. “Vendor Personnel” means any employees, agents, consultants or contractors of Vendor.

  14. “Business Purpose”, “Deidentified” (and its derivatives), and “Sell” (and its derivatives) shall have the meaning ascribed to them in the CCPA.

II. Privacy of Personal Information

  1. The Parties acknowledge and agree as follows:

    1. Agency, or Client, as the case may be, is acting as a Data Controller, and has the sole and exclusive authority to determine the purposes and means of the Processing of Personal Information Processed under this PO, and Vendor is acting solely as a Data Processor on behalf and under the Instructions of Agency or Client. Vendor acknowledges and agrees that between Vendor and Agency, Agency or Client owns all Personal Information.

    2. The Personal Information that Agency or Client discloses to Vendor is provided to Vendor for a Business Purpose, and neither Agency nor Client Sell Personal Information to Vendor in connection with the PO.

    3. During the time the Personal Information is disclosed to Vendor, neither Agency nor Client will have knowledge or reason to believe that Vendor is unable to comply with the provisions of this PO.

  2. Vendor represents, warrants and covenants as follows:

    1. Vendor shall hold in strict confidence any and all Personal Information and shall Process Personal Information only to the extent, and in such manner, as is necessary to provide services for or on behalf of Agency and Client in accordance with this PO.

    2. Vendor shall process Personal Information only on behalf of and in accordance with the Instructions of Agency or Client and Annex 1 of this Addendum, unless Vendor is otherwise required by applicable law, in which case Vendor shall inform Agency of that legal requirement before Processing the Personal Information (unless informing Agency is prohibited by law on important grounds of public interest). Vendor shall not (i) Sell Personal Information, or (ii) retain, use or disclose Personal Information (a) for any purpose other than for the specific purpose of performing the services specified in this PO, or (b) outside of the direct business relationship between the Parties. Vendor shall immediately inform Agency if, in Vendor’s opinion, an Instruction infringes Privacy Law.

    3. Vendor shall ensure that any Vendor Personnel is only granted access to Personal Information on a need-to-know basis, is subject to a duly enforceable contractual or statutory privacy, confidentiality and security obligations that are substantially similar to those required by this PO, and only processes Personal Information in accordance with the Instructions of Agency or Client.

    4. Vendor shall immediately inform Agency in writing of any requests from Data Subjects with respect to Personal Information, including without limitation, any request to exercise rights under Privacy Laws. Vendor shall direct the requesting individual to submit the request directly to Agency at the address set forth on the front of the PO. Vendor shall cooperate with Agency if an individual requests (i) access to his or her Personal Information, (ii) information about the categories of sources from which the Personal Information is collected, or (iii) information about the categories or specific pieces of his or her Personal Information Processed by Vendor on Agency’s behalf. Vendor shall assist Agency in fulfilling Agency’s obligation to respond to Data Subjects’ requests to exercise their rights with respect to Personal Information, including by providing the requested information in a portable and, to the extent technically feasible, readily useable format that allows the individual to transmit the information to another entity without hindrance. Vendor shall respond to such requests only as specifically directed by Agency and in accordance with Agency’s written instructions and this PO.

    5. Vendor shall assist Agency in complying with its obligations under Privacy Laws, including without limitation, Agency’ and Client’s obligations under European Data Protection Laws to implement appropriate data security measures, to carry out a data protection impact assessment, and to consult the competent supervisory authority.

    6. Vendor shall maintain internal record(s) of Processing activities, copies of which shall be provided to Agency by Vendor upon Agency’s request.

    7. Vendor shall notify Agency immediately in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Information. Agency shall have the right to defend such action in lieu of and/or on behalf of Vendor. Agency may, if it so chooses, seek a protective order. Vendor shall reasonably cooperate with Agency in such defense.

  3. Vendor certifies that it understands and will comply with the requirements and restrictions set forth in this PO.

III. Data Transfers

  1. Vendor shall (i) provide at least the same level of privacy protection for Personal Information received by Agency or Client from the European Economic Area (“EEA”), United Kingdom (“UK”), or Switzerland as is required by the Privacy Shield Principles, (ii) promptly notify Agency if at any time Vendor cannot provide or is not providing at least the same level of privacy protection for such Personal Information as is required by the Privacy Shield principles, and (iii) take reasonable and appropriate steps to stop and remediate, as directed by Agency, the Processing of such Personal Information if at any time Agency notifies Vendor that Agency has determined Vendor is not Processing the Personal Information in a manner consistent with the Privacy Shield principles.

  2. Vendor shall not transfer Personal Information outside the country from which the Personal Information was originally delivered or made available to Vendor, or from which Vendor otherwise accessed or obtained such Personal Information, (or, if it was originally delivered to a location inside the EEA, UK or Switzerland, outside the EEA, UK or Switzerland) for Processing without the explicit written consent of Company. Where Vendor, with the consent of Company, transfers such Personal Information, Vendor shall comply with Privacy Laws and implement a data transfer mechanism in accordance with Privacy Laws to the extent required for such cross-border transfer.

IV. Sub‐Processing

  1. Vendor shall not share, transfer, disclose, make available or otherwise provide access to any Personal Information to any third party, or contract any of its rights or obligations concerning Personal Information, unless Agency or Client has authorized Vendor to do so in writing. Where Vendor, with the consent of Agency or Client, provides access to Personal Information to a Sub-Processor, Vendor shall enter into a written agreement with each such Sub-Processor that imposes obligations on the Sub-Processor that are the same as those imposed on Vendor under this PO and requires the Sub-Processor to provide at least the same level of protection as is required by this PO. Vendor shall only retain Sub-Processors that are capable of appropriately protecting the privacy, confidentiality and security of the Personal Information. Vendor shall remain fully liable to Agency and Client for its obligations under this PO, even if such obligations are delegated to a Sub-Processor.

  2. To the extent Vendor provides a third-party Processor access to Personal Information received by Agency or Client from individuals in the EEA, UK or Switzerland, Vendor shall (i) transfer the Personal Information to the third-party Processor only for the limited and specified purposes instructed by Agency or Client, (ii) ascertain that the third-party Processor is obligated to provide at least the same level of privacy protection as is required by the Privacy Shield principles, (iii) take reasonable and appropriate steps to ensure that the third-party Processor effectively Processes the Personal Information transferred in a manner consistent with the Privacy Shield principles, (iv) require the third-party Processor to notify Vendor if the third-party Processor determines that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield principles, and (v) upon notice, including under (iv) above, take reasonable and appropriate steps to stop and remediate unauthorized Processing.

V. Compliance with Applicable Laws

  1. Vendor shall comply with all applicable Privacy Laws.

  2. No applicable law, legal requirement, enforcement action, investigation, litigation or claim prohibits Vendor from (i) fulfilling its obligations under this PO, or (ii) complying with Instructions it receives from Agency or Client concerning Personal Information. In the event a law, legal requirement, enforcement action, investigation, litigation or claim, or any other circumstance, is reasonably likely to adversely affect Vendor’s ability to fulfill its obligations under this PO, Vendor shall promptly notify Agency in writing and Agency or Client may, in its sole discretion and without penalty of any kind to Agency or Client, suspend the (i) transfer or disclosure of Personal Information to Vendor or (ii) access to Personal Information by Vendor, and terminate any further Processing of Personal Information by Vendor, and terminate the PO, if doing so is necessary to comply with Privacy Laws.

  3. Vendor shall enter into any further data processing agreement reasonably requested by Agency or Client for purposes of compliance with Privacy Laws. In case of any conflict between this Addendum and any such further privacy, confidentiality or information security written agreement, such further written agreement shall prevail with regard to the Processing of Personal Information covered by it.

VI. Data Security

  1. Vendor shall develop, implement and maintain a comprehensive written information security program that complies with applicable Privacy Laws as well as the terms and conditions of this PO. Vendor’s information security program shall include reasonable and appropriate administrative, technical, physical, organizational and operational safeguards and other security measures to (i) ensure the security and confidentiality of Personal Information; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Information; and (iii) protect against any Information Security Incident. These measures shall include, as appropriate and without limitation, pseudonymization, deidentification, aggregation or encryption of the Personal Information; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; the ability to restore the availability and access to the Personal Information in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

  2. Vendor shall perform services in compliance with the Payment Card Industry Data Security Standard (“PCI DSS”), and hereby acknowledges its responsibility for the security of any Cardholder Data (as such term is defined in the PCI DSS), which it stores, transmits or processes in connection with this PO. Vendor shall perform any and all tasks, assessments, reviews, penetration tests, scans and other activities required under the PCI DSS for companies in the same category(s) as Agency and Client (including any compliance guidance issued by the PCI Data Security Council or its subordinate bodies) or otherwise to validate during the term of this PO its compliance with the PCI DSS as it relates to the system elements and portions of the cardholder data environment (as such terms are defined in the PCI DSS) for which Vendor is responsible. Upon Agency’s or Client’s request, Vendor shall deliver to Company copies of all documentation necessary to verify such compliance, including without limitation, any attestation of compliance, report on compliance, self-assessment questionnaire, or testing or assessment results.

  3. Vendor shall exercise the necessary and appropriate supervision over Vendor Personnel to maintain appropriate privacy, confidentiality and security of Personal Information in accordance with this PO. Vendor shall provide training, as appropriate, regarding the privacy, confidentiality, and information security requirements set forth in this PO to relevant Vendor Personnel who have access to Personal Information.

  4. Promptly upon the expiration or earlier termination of this PO, or such earlier time as Agency or Client requests, Vendor shall return to Agency, Client or its designee, or at Agency’s or Client’s request, securely delete, destroy or render unreadable or undecipherable if return is not reasonably feasible or desirable to Agency or Client (which decision shall be based solely on Agency’s or Client’s written statement), each and every original and copy in every media of all Personal Information in Vendor’s, its affiliates’ or any Sub-Processor’ possession, custody or control. Promptly following any return or alternate action taken to comply with this paragraph, Vendor shall provide to Agency or Client a completed Officer’s Certificate certifying that such return or alternate action occurred. In the event and during the period that Vendor is unable to perform such delivery, deletion or destruction of certain Personal Information for reasons permitted under applicable law, Vendor warrants that it shall (i) promptly inform Agency or Client of the reason(s) for its refusal of the deletion request, (ii) ensure the privacy, confidentiality and security of the Personal Information in accordance with this PO, and (iii) delete the Personal Information promptly after the reason(s) for Vendor’s refusal has expired, and that Vendor shall not use or disclose any Personal Information after termination of this PO.

VII. Data Breach Notification

  1. Vendor shall immediately inform Agency in writing of any Information Security Incident of which Vendor becomes aware, but in no case longer than twenty-four (24) hours after it becomes aware of the Information Security Incident. The notification to Agency shall include all available information regarding such Information Security Incident, including information on: (i) the nature of the Information Security Incident including where possible, the categories and approximate number of affected Data Subjects and the categories and approximate number of affected Personal Information records; (ii) the likely consequences of the Information Security Incident; and (iii) the measures taken or proposed to be taken to address the Information Security Incident, including, where appropriate, measures to mitigate its possible adverse effects.

  2. Vendor shall promptly investigate such Information Security Incident, take all necessary and advisable corrective actions, and shall cooperate fully with Agency and Client in all reasonable and lawful efforts to prevent, mitigate or rectify such Breach. Vendor shall provide Agency and Client with such assurances as Agency or Client shall request that such Information Security Incident is not likely to recur. Vendor shall provide such assistance as required to enable Agency and Client to satisfy their respective obligation(s) under Privacy Laws. The content of any filings, communications, notices, press releases or reports related to any Information Security Incident must be approved by Agency prior to any publication or communication thereof.

  3. Agency or Client shall have the right at any time after learning of an Information Security Incident to engage and involve external forensic firms in the investigation of the Information Security Incident (which will include a right to investigate Vendor’s systems), and Vendor shall comply with all reasonable requests of such external forensic firm. Vendor shall use commercially reasonable efforts to preserve all applicable evidence relating to the Information Security Incident until the forensic investigation is completed or confirmed to Vendor that it waives its right to conduct such an investigation.

  4. In the event of an Information Security Incident involving Personal Information in Vendor’s possession, custody or control or for which Vendor is otherwise responsible, Vendor shall reimburse Agency or Client, as the case may be, on demand for all commercially reasonable Notification Related Costs (as defined below) incurred by Agency or Client, as the case may be arising out of or in connection with any such Information Security Incident.

VIII. Audit

  1. Vendor shall make available to Agency or Client all information necessary to demonstrate compliance with the obligations set forth in this PO and allow for and contribute to audits, including inspections, conducted by Agency or Client or another auditor mandated by Agency or Client. Without limiting the generality of the foregoing, on an annual basis, Vendor (including its affiliates and its and their Sub-Processors), at Vendor’s expense, shall require auditors to conduct an examination of the controls placed in operation and a test of operating effectiveness, as defined by Statement on Standards for Attestation Engagements No. 18, Reporting on Controls at a Service Organization (or its successors) (“SSAE 18”), of the services performed by Vendor for or on behalf of Agency or Client and issue SOC 1 and SOC 2 reports (Type II) thereon (collectively “SOC Reports”) for the applicable calendar year. Vendor (including its affiliates and its and their Sub-Processors) shall deliver to Agency a copy of the SOC Reports within six (6) weeks after conducting the SSAE 18 assessment for the calendar year. Vendor shall prepare and implement a corrective action plan to correct any deficiencies and resolve any problems identified in such reports. Vendor shall correct any audit control issues or weaknesses identified in any SOC Reports, at no additional cost to Agency or Client. If specific audit recommendations are not implemented by Vendor, then Vendor should implement such alternative steps as are reasonably satisfactory to Agency and Client for the purposes of minimizing or eliminating the risks identified in any such SOC Report.

  2. Agency or Client shall have the right to monitor Vendor’s compliance with this Addendum. During normal business hours, and reasonable prior notice, Agency or Client and/or its authorized representatives may inspect Vendor’s facilities and equipment, and any information or materials in Vendor’s possession, custody or control, relating in any way to Vendor’s obligations under this PO. An inspection performed pursuant to this Addendum shall not unreasonably interfere with the normal conduct of Vendor’s business. Vendor shall cooperate fully with any such inspection initiated by Agency or Client.

  3. Vendor shall notify Agency in writing in the event of a material change to Vendor’s internal security plans, controls or measures.

IX. Liability

Vendor agrees to indemnify and hold Agency and Client harmless from and against any losses that it may incur or that arise out of or in connection with a third party claim relating to (i) any violation of this PO, (ii) Vendor’s negligence, gross negligence, bad faith, fraudulent acts or omissions, or intentional or willful misconduct, (iii) Vendor’s use of any Sub-Processor providing services in connection with or relating to Vendor’s performance under this PO; and (iv) any Information Security Incident involving Personal Information in Vendor’s possession, custody or control, or for which Vendor is otherwise responsible. For the purposes of this PO, “Losses” means all judgments, settlements, awards, damages, losses, charges, liabilities, penalties, interest claims (including taxes and all related interest and penalties incurred directly with respect thereto), and all related reasonable costs, expenses and other charges (including all reasonable attorneys’ fees and reasonable internal and external costs of investigations, litigation, hearings, proceedings, document and data productions and discovery, settlement, judgment, award, interest and penalties). In no event shall Vendor’s liability be excluded or limited for a violation of its obligation under this PO.

X. Injunctive Relief

Vendor agrees and acknowledges that any Processing of Personal Information in violation of this PO, Agency’s instructions, or any Privacy Law may cause immediate and irreparable harm to Agency and/or Client for which money damages may not constitute an adequate remedy. Therefore, Vendor agrees that Agency or Client may obtain specific performance and injunctive or other equitable relief, in addition to its remedies at law. Agency and Client shall be entitled to such equitable relief in addition to all other remedies at law or in equity.

XI. Governing Law

This PO shall be governed by the laws of the jurisdiction in which the Agency or Client has its principal office, as they shall elect.

XII. Miscellaneous

  1. Vendor’s obligations under this PO shall survive the termination of this PO and the completion of all services subject thereto.

  2. This PO is the complete agreement between the Parties and supersedes any prior oral or written agreement, including this PO, if any, between the parties concerning the Processing of Personal Information by Vendor on behalf and on instructions of Agency or Client as contemplated under this PO.

  3. If any provision of this PO is held invalid or unenforceable, the remaining provisions shall remain in effect.

  4. This PO is binding upon successors and assigns of the parties.

  5. A waiver by either Party of any term or condition of this PO in one or more instances shall not constitute a permanent waiver of the term or condition or any other term or condition of this PO or a general waiver.

  6. As required or upon request, Vendor agrees that Agency or Client may provide a summary or copy of this PO to any government agency.