Mobility Demand API (Annex 3)
Mobility Demand API - Additional Terms and Conditions (Annex 3)
These Mobility Demand API Additional Terms and Conditions (“Additional API Terms”) are expressly incorporated into and made a part of the General Terms and Conditions (Demand Side) if Partner elected to provide Mobility Services to Passengers by utilizing the HERE Mobility Marketplace via the HERE Mobility Demand API.
A. Additional Definitions.
(1) “HERE Mobility Demand API” means the HERE Mobility application programming interface, software developer kit, documentation, and any software, materials or data that HERE makes available to Partner for the purpose of integrating with the HERE Mobility Marketplace, in its sole discretion, including any access credentials and tools that may be provided by HERE to Partner from time to time.
B. Method of Delivery.
(1) HERE shall provide Partner access to HERE Products relating to the HERE Mobility Demand API by downloadable executable and/or HERE provided URL, or any other manner as shall be agreed by the parties (including by email or by posting on a protected web portal). The HERE Mobility Demand API may only be installed and implemented on Partner’s pre-approved digital properties (identified on the cover page of the Agreement, the “Qualified Website”). As between Partner and HERE, Partner is solely responsible for the implementation of the HERE Mobility Demand API.
(2) Partner may connect to the HERE Mobility Demand API via a standard internet connection with access credentials that shall be preapproved by HERE, in its sole discretion. HERE will provide Partner with access credentials to the HERE Mobility Demand API connections (“Access Credentials”) for Users (by email or by posting on a protected web portal).
C. Additional License Terms and Conditions.
(1) The license granted in Section 3.1 of the General Terms and Conditions (Demand Side) grants Partner the right to download and connect to the HERE Mobility Demand API solely in the geographic locations in which the Partner makes available the Partner Materials as integrated with the HERE Products. The foregoing license is non-sublicensable, with the limited exception that Partner may sub-license it to third party website designers, webmasters and other providers of similar services, for the sole purpose of enabling such providers to assist Partner in downloading and configuring the HERE Mobility Demand API for use with Partner’s Qualified Properties and provided that such providers will be subject to the same obligations as Partner under this Agreement. Partner shall remain liable for the actions of any such third party providers. Partner will not cause, permit or authorize any modification of the HERE Mobility Demand API, which includes separation into component parts or creation of derivative works. All right, title, and interest in and to the HERE Mobility Demand API, including all intellectual property rights therein, shall remain the exclusive property of HERE and/or its licensors. Partner acknowledges and agrees that the HERE Mobility Demand API is licensed, not sold.
D. Additional Use Restrictions.
In addition to, and without limitation of, any restrictions set forth in the Agreement, the following additional restrictions apply to your use of the HERE Mobility Demand API:
(1) Partner may not directly or indirectly change, edit, add to, copy or extract content and/or Passenger Data from or produce summaries of the HERE Products or any content on any HERE Website. HERE may use the information collected from the HERE Mobility Demand API for the following general purposes: to customize and improve the HERE Products; to prevent potentially prohibited or illegal activities; to enforce its legal rights; and as otherwise contemplated under Section E below.
(2) Partner will not cause, permit or authorize any modification of the HERE Mobility Demand API or HERE Products, which in HERE's sole opinion, would constitute a Forbidden Usage.
(3) Partner shall not, and shall not allow or authorize any third party to, use or display the HERE Mobility Demand API or HERE Products in a way that, in HERE's sole opinion, would constitute a Forbidden Usage.
(4) The HERE Mobility Demand API is subject to certain limitations on access, data requests, and use as set forth on the HERE Mobility Supply API documentation. Partner hereby agrees to only use the HERE Products in accordance with their applicable documentation and any limitations set forth therein. If HERE believes that Partner has attempted to exceed or circumvent these limitations, Partner’s use of and/or access to the applicable HERE Products may be temporarily or permanently blocked. Partner may not, and may not encourage or allow any third party to interfere with, hinder, limit, or modify any notices or authorization or consent requests provided by HERE.
(5) Partner may not use the HERE Mobility Demand API in any manner that is competitive to HERE or the HERE Products, including, without limitation, in connection with any application, website or other product or service that also includes, features, endorses, or otherwise supports in any way a third party that provides services competitive to the HERE products and services (including without limitation, the HERE Products), as determined in HERE’s sole discretion.
(6) Partner may not charge Users in any manner for access to or use of the HERE Mobility Demand API or the HERE Products or functionality included in or related to the HERE Mobility Demand API or the HERE Products. Without limiting the foregoing, Partner may not sell, rent, lease, sublicense, redistribute or syndicate access to the HERE Mobility Demand API, and Partner may not charge any kind of service, booking or similar fee in connection with any services made available via the HERE Mobility Demand API.
(7) Partner must ensure that any Data or data otherwise related to your integration of the HERE Mobility Demand API is encrypted and transmitted over a secure, encrypted channel (e.g., HTTPS).
E. Data Privacy and Data Processing.
Without limiting the generality of Section 4 of the General Terms and Conditions (Demand Side), the following additional terms and conditions shall apply with respect to demand Partners who elect to provide the Mobility Services via HERE Mobility Demand API:
(1) In the course of providing the HERE Products to Partner pursuant to the Agreement, HERE Global B.V. may process User Data on behalf of Partner, and use and collect Passenger Data for its purposes. The parties agree that: (i) with regard to the processing of User Data, Partner is the data controller and HERE Global B.V. is a data processor; and (ii) with regard to Passenger Data, (A) prior to such time that each Passenger consents (where legally required to do so) to applicable HERE terms and conditions (either via Demand API’s native Passenger interface, if applicable, or by responding to SMS text messages, “Passenger Consent”), HERE Global B.V. is the data processor with respect to such Passenger Data, and (B) upon Passenger Consent or the establishment of any other legal basis (as applicable), HERE Global B.V. is the data controller with respect to such Passenger Data; provided, that in the event the parties are deemed to be joint data controllers with regard to Passenger Data or User Data, as applicable, the parties shall apportion data protection compliance responsibilities between one another for purposes of compliance with the requirements of applicable data protection laws, rules or regulations in the country in which Partner provides the Partner Materials as integrated with the HERE Products (“Data Protection Laws”). 
To the extent Data provided by Partner includes “personal data” or “personally identifiable information” (as defined under applicable Data Protection Laws), HERE’s processing of such Data shall be within a dedicated, logically segregated platform and limited to the following purposes: (i) the processing, use, storage, disclosure and disposal of such Data for purposes of matching Passengers with transportation supply providers that are directly or indirectly connected to the HERE Mobility Marketplace; and (ii) the processing of such Data such that it no longer relates to an identified or identifiable natural person or is rendered anonymous in such a way that a data subject is no longer identifiable (“De-Identified Data”), for purposes of utilizing such De-Identified Data in HERE Products. Partner agrees and acknowledges that HERE may maintain, use and distribute such De-Identified Data derived from the Data for its own purposes and Partner agrees to include the relevant language and terms in its privacy policy, and inform the Users and the Passengers, and to the extent legally required, obtain legal and valid consent or establish another legal basis regarding such usage by HERE in accordance with Data Protection Laws. Partner shall comply with, and shall be responsible for each User’s compliance with all applicable Data Protection Laws with respect to the Data and information that is provided to or by, or made available to or by, Partner and/or is under its control.
(2) Partner shall, in its use or receipt of the HERE Products, collect and process Data in accordance with the requirements of applicable Data Protection Laws and Partner will ensure that its instructions for the processing of Data shall comply with applicable Data Protection Laws. Partner shall have sole responsibility for the accuracy, quality, and legality of the Data and the means by which Partner acquired the Data. Notwithstanding the foregoing, Partner acknowledges that Data may be stored and/or processed in a different country than where the Partner Materials as integrated with the HERE Products are provided. Data from a Partner in the European Economic Area (“EEA”) or Switzerland may only be exported or accessed by HERE or its subprocessors outside the EEA or Switzerland, if: (i) the recipient, or the country or territory in which it processes or accesses Data, ensures an adequate level of protection as determined by the European Commission; or (ii) Standard Contractual Clauses (as defined below) for the transfer of personal data to processors established in third countries apply.
(3) To the extent Partner, in its use or receipt of the HERE Products, does not have the ability to correct, amend, block or delete Data as required by applicable Data Protection Laws, HERE shall comply with any commercially reasonable request by Partner to facilitate such actions to the extent HERE is legally permitted and technically able to do so. HERE shall, to the extent legally permitted, promptly notify Partner if it receives a request from a User and/or a Passenger, as applicable, for access to, correction, amendment or deletion of that person’s User Data. HERE shall not respond to any such request without Partner’s prior written consent except to confirm that the request relates to Partner. HERE shall provide Partner with commercially reasonable cooperation and assistance in relation to handling of a request for access to that person’s Data, to the extent legally permitted and to the extent Partner does not have access to such Data through its use or receipt of the HERE Products.
(4) Partner authorizes HERE to subcontract the processing of Data to subprocessors, as required for the functioning of the HERE Products under this Agreement. In case of any subprocessing, HERE shall enter into a written contract with its subprocessor which imposes at least equivalent obligations on the subprocessor as are imposed on HERE under this Agreement; such contract shall include a description of the technical and organizational measures, which the subprocessor has to implement in such a manner that the processing will meet the requirements of the applicable Data Protection Laws. If Partner requests, HERE will inform Partner of the name, address and role of each involved subprocessor. HERE’s use of subprocessors is at HERE’s sole discretion. HERE will notify Partner in advance (by email or by posting on a protected web portal) of any changes to the list of subprocessors in place on the Effective Date (except for emergency replacements or deletions of subprocessors without replacement). If Partner has a legitimate reason that relates to the subprocessor’s processing of personal data, Partner may object to HERE’s use of a subprocessor, by notifying HERE in writing within thirty days after receipt of HERE’s notice. If Partner objects to the use of the subprocessor, the parties will discuss a resolution in good faith. HERE may choose to: (i) refrain from using the subprocessor, or (ii) take the corrective steps requested by Partner as specified in its objection and use the subprocessor. If none of these options are reasonably possible and Partner continues to object for a legitimate reason, either party may terminate the Agreement on thirty days’ written notice. If Partner does not object within thirty days of receipt of the notice, Partner is deemed to have accepted the new subprocessor.
Where legally required, HERE has entered into the unchanged version of the Standard Contractual Clauses for the transfer of personal data to processors established in third countries pursuant to Commission Decision 2010/87/EU (“Standard Contractual Clauses”) prior to the subprocessor’s processing of Data. Partner hereby accedes to the Standard Contractual Clauses between HERE and the subprocessor.
(5) HERE shall ensure that its personnel and subprocessors engaged in the processing of Data are informed of the confidential nature of the Data and have received appropriate training on their responsibilities and are subject to obligations of confidentiality and such obligations survive the termination of that person’s or subcontractor’s engagement with HERE. HERE shall ensure that HERE and its Affiliates’ access to Data is limited to those personnel who require such access to perform the Agreement. HERE has appointed a data protection officer where such appointment is required by Data Protection Laws who may be reached by email at privacy@here.com.
(6) If HERE becomes aware of any unlawful access to any Data stored on HERE’s equipment or in HERE’s facilities, or unauthorized access to such equipment or facilities resulting in loss, disclosure, or alteration of Data for which notice is required under applicable Data Protection Laws (“Security Breach”), HERE will promptly: (a) notify Partner of the Security Breach; (b) investigate the Security Breach and provide Partner with information about the Security Breach; and (c) take reasonable steps designed to mitigate the effects and to minimize any damage resulting from the Security Breach. Partner agrees that an unsuccessful Security Breach attempt will not be subject to this Section. An unsuccessful Security Breach attempt is one that results in no unauthorized access to, or loss, disclosure or alteration of, Data or to any of HERE’s equipment or facilities storing Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents; and HERE’s obligation to report or respond to a Security Breach under this Paragraph 6 of this Section E is not and will not be construed as an acknowledgement by HERE of any fault or liability with respect to the Security Breach. Notification(s) of Security Breaches, if any, will be delivered to one or more of Partner’s business, technical or administrative contacts by any means HERE selects, including via email. It is Partner’s sole responsibility to ensure it maintains accurate contact information on HERE’s support systems at all times.
(7) HERE shall comply with the requirements relating to the security of processing personal data as required by applicable Data Protection Laws. In particular, HERE shall implement and maintain appropriate technical and organizational measures ensuring a level of protection that is reasonable and sufficient in terms of the risks related to the processing and the nature of the involved personal data. A description of the technical and organizational measures, implemented by HERE, is set forth in Schedule 1 (“HERE Technical and Organizational Measures”).
(8) Partner may audit HERE’s security practices relevant to personal data processed by HERE only if: (i) HERE has not provided sufficient evidence of its compliance with the technical and organizational measures through providing a certification as to compliance with ISO 27001 or other standards; (ii) a Security Breach has occurred; (iii) Partner has reasonable grounds to suspect that HERE is not in compliance with its obligations under this Section E; (iv) an audit is formally requested by Partner’s competent data protection authority; or (v) mandatory Data Protection Laws provide Partner with a direct audit right. Where Partner audits HERE’s environment upon reasonable advance notice of at least sixty days, HERE will reasonably support Partner in its auditing process. The Partner audit will be limited to once in a calendar year and limited to a maximum of one business day without disrupting HERE’s regular course of business. Partner and HERE will each bear their own audit costs.
(9) HERE shall return Data to Partner and/or delete Data in accordance with HERE’s procedures and applicable Data Protection Laws and/or consistent with the terms of the Agreement; provided that HERE shall have no obligation to delete Data that has been de-identified.
(10) For the duration of this Agreement, Partner shall maintain and publish an adequate privacy notice on its Qualified Website(s) that complies, in full, with the terms of Section 2.7 of the General Terms and Conditions (Demand Side).
Schedule 1
HERE Technical and Organizational Measures
In order to protect personal rights while processing personal data on behalf of Partner, HERE has implemented the following technical and organizational measures (as may be amended from time to time by HERE, at its sole discretion, by providing Partner with written notice thereof):
SECURITY POLICIES AND MANAGEMENT
HERE has ensured that its senior management assigns security responsibilities and reviews the implementation of security within the organization. Senior management has nominated an individual responsible for the overall security, risk management, information security, privacy and controls for handling personal data.
HERE has established and demonstrated commitment to security through an organization-wide security policy (“Security Policy”). This Security Policy and related guidelines are communicated to all employees working on Partner engagement.
HERE has its own, dedicated information classification schema based on information sensitivity (for example, internal, confidential, and secret) and established measures to ensure that information ownership is defined at all times. This schema includes appropriate security controls to protect Partner information, personal data and assets, where applicable.
HERE conducts security risk assessments either for Partner engagement or as part of its normal business operations at least at an annual frequency, incorporating emerging threats, possible business impacts and probabilities of occurrence. HERE modifies the security related processes, procedures and guidelines based on the findings in such security risk assessments.
INDEPENDENT CERTIFICATIONS AND AUDIT RIGHTS
For the production systems which run the HERE services provided under the Agreement and during the term of the Agreement, HERE maintains applicable certifications based on ISO 27001. Upon Partner’s request or at least annually, HERE shall inform Partner about the applicable certifications and/or reports and provide a copy of such certifications and/or reports, including scope of such certifications (including any identified deficiencies), for Partner to review. Information and copies of such certifications and reports shall be confidential information of HERE.
SECURITY INCIDENT MANAGEMENT
HERE has established adequate issue and/or incident response procedures (or plans) and nominated persons to react and minimize in a timely fashion further damage caused by security or privacy issues, vulnerabilities and incidents. HERE notifies and escalates events related to unauthorized disclosure, modification or misuse of Partner’s personal data under the Agreement. HERE shall use agreed incident communications channels in communicating the incident(s) in a timely fashion. HERE shall attempt to mitigate the incident, related to Partner’s personal data, already at the time of noticing and shall report to Partner only such incidents which cannot be excluded from being identified as false alerts. HERE shall have competent people to conduct investigations.
EMERGENCY RESPONSE AND BUSINESS CONTINUITY
HERE has a documented and implemented up-to-date emergency response plan for provided services, focusing on the availability and integrity of the services in scope as well as on the safety of people, premises and assets. Where applicable and necessary, HERE has communicated this plan to its employees.
HERE has appropriate workaround solutions in place for delivering as per agreed applicable Service Level Agreement (SLA), if any. These measures shall be documented in the form of a plan and tested as part of the Business Continuity testing cycle of HERE.
PERSONNEL AND SUBCONTRACTOR SECURITY
HERE personnel, their subcontractors and their external service providers shall have valid, signed, written confidentiality obligations prior to accessing environments, where Partner’s personal data is processed. HERE shall ensure that there is a verifiable and auditable trail of confidentiality obligations at all times between Partner, HERE and their subcontractors and/or external service providers.
HERE ensures that there is an appropriate entry and exit procedure for personnel changes that includes granting and disabling of user access and returning of assets when terminating the employment with HERE or upon personnel changes related to Services provisioning targeted to Partner.
AWARENESS
HERE conducts security and privacy awareness trainings (or refresher sessions) during induction and thereafter at least annually to all relevant existing employees and new hires. HERE ensures that due emphasis is given to the handling of client confidentiality and specifically unlaunched product information and social media guidelines (and restrictions).
IT SECURITY
HERE has implemented appropriate access control and access rights management designed to ensure that data is only processed by a minimum number of authorized persons who have access to requisite data needed to perform their work-related duties (i.e., role-based access control with least privileges).
HERE maintains the following: processes for authorizing and terminating user access and subcontractor access, including emergency access termination procedure; password management policy including password complexity requirements, no common or shared user accounts in use, password aging where systems do not support use of password managers, and secure delivery of credentials to users; audit records of all existing user privileges, which shall be retained and reviewed regularly to remove excess privileges; and processes which ensure segregation of duties.
HERE further ensures that a sufficient audit trail of the use of access privileges (changes, who, what, when) is in place when dealing with sensitive (confidential or secret) information.
HERE collects logs pertaining to user access to Partner Data and stores such logs for at least three (3) months unless otherwise restricted by local legislation.
HERE has implemented reasonable and appropriate information security measures (e.g., hardening, patching, antivirus, IDS, etc.) to protect Partner Data against unauthorized or accidental access, use, disclosure, deletion, destruction, loss, alteration or amendment.
HERE only stores and processes Partner Data in an environment where requisite security controls have been implemented. HERE ensures that IT infrastructure and networks are designed and managed to protect IT systems, information, users and electronic communications.
HERE uses industry standard techniques to secure the connectivity between Partner and HERE against eavesdropping and alteration (including wireless access or remote connection), in solutions and services.