Mobility SDK (Annex 4)
Mobility SDK - Additional Terms and Conditions (Annex 4)
These Mobility SDK Additional Terms and Conditions (“Additional SDK Terms”) are expressly incorporated into and made a part of the General Terms and Conditions (Demand Side) if Partner elected to provide Mobility Services to Users by utilizing the HERE Mobility Marketplace via the Mobility SDK.
A. Additional Definitions.
(1) “Mobility SDK” means the HERE Mobility Software Development Kit, documentation, and any software, materials or data that HERE makes available to Partner for the sole purpose of integrating with the HERE Mobility Marketplace and/or additional maps and location services that may be provided by HERE to Partner in connection thereto, in its sole discretion, including any access credentials and tools that may be provided by HERE to Partner from time to time.
B. Method of Delivery.
(1) HERE shall provide Partner access to HERE Products relating to the Mobility SDK via a HERE provided URL, or any other manner as shall be agreed by the parties (including by email or by posting on a protected web portal). The Mobility SDK may only be implemented on Partner’s approved applications (identified on the cover page of the Agreement, the “Qualified Application”). As between Partner and HERE, Partner is solely responsible for the implementation of the Mobility SDK.
(2) Partner may connect to the Mobility SDK via a standard internet connection with access credentials that shall be preapproved by HERE, in its sole discretion. HERE will provide Partner with access credentials to the Mobility SDK connections (“Access Credentials”), by email or by posting on a protected web portal.
C. Updates to the Mobility SDK
Partner acknowledges that HERE may update or modify the Mobility SDK from time to time, and at HERE’s sole discretion (in each instance, an “Update”). Partner is entitled to implement and use the most current version of the Mobility SDK and to make any changes to the Partner Materials that are required as a result of such Update, at its sole cost and expense. Partner acknowledges that Updates may adversely affect the manner in which Partner Materials operate, or access or communicate with the Mobility SDK. Partner’s continued access or use of the Mobility SDK following any Update will constitute a binding acceptance of such Update.
D. Additional License Terms and Conditions.
(1) The license granted in Section 3.1 of the General Terms and Conditions (Demand Side) grants Partner the right to download and use the Mobility SDK solely for the purpose of integrating the Mobility SDK into the Partner Materials and solely in the geographic locations in which the Partner makes available the Partner Materials as integrated with the HERE Products. Partner shall conspicuously display HERE's copyright notices as specified by HERE or as set out in the HERE brand guidelines (as may be provided by HERE from time to time) in connection with Partner’s integration of the Mobility SDK into and/or with the Partner Materials. The foregoing license is non-sublicensable, with the limited exception that Partner may allow access to the SDK to its Users, third party website designers, webmasters and other providers of similar services, for the sole purpose of enabling such providers to assist Partner in downloading and integrating the Mobility SDK for use with Partner Materials and provided that such Partner service providers will be subject to the same obligations as Partner under this Agreement. Partner remains liable for the actions or omissions of any such third-party providers in connection with the Mobility SDK. Partner will not use, cause, permit or authorize the use of the Mobility SDK in any manner not expressly set forth herein.
(2) All right, title, and interest in and to the Mobility SDK, including all Intellectual Property Rights therein, shall remain the exclusive property of HERE and/or its licensors. Partner acknowledges and agrees that the Mobility SDK is licensed, not sold.
E. Additional Use Restrictions.
In addition to, and without limitation of, any restrictions set forth in the Agreement, the following additional restrictions apply to your use of the Mobility SDK:
(1) Partner may not directly or indirectly change, edit, add to, separate into components, copy or extract content from or produce summaries, or create derivative works from the HERE Products including without limitation the Mobility SDK or any content on any HERE Website.
(2) Partner will not cause, permit or authorize any modification of the Mobility SDK or HERE Products, which in HERE's sole opinion, would constitute a Forbidden Usage.
(3) Partner shall not and shall not allow or authorize any third party to, use or display the Mobility SDK or HERE Products in a way that, or in connection with any content or use, which in HERE's sole opinion, would constitute a Forbidden Usage.
(4) The Mobility SDK is subject to certain limitations on access, data requests, and use as set forth on the Mobility SDK documentation available at developer.mobility.here.com. Partner hereby agrees to only use the HERE Products in accordance with their applicable documentation and any limitations set forth therein. If HERE believes that Partner has attempted to exceed or circumvent these limitations, Partner’s use to and/or access to the applicable HERE Products may be temporarily or permanently blocked. Partner may not, and may not encourage or allow any third party to interfere with, hinder, limit, or modify any notices or authorization or consent requests provided by HERE.
(5) Partner may not use the Mobility SDK in any manner that is competitive to HERE or the HERE Products, including, without limitation, in connection with any application, website or other product or service that also includes, features, endorses, or otherwise supports in any way a third party that provides services competitive to the HERE products and services (including without limitation, the HERE Products), as determined in HERE’s sole discretion.
(6) Partner may not charge Users in any manner for access to or use of the Mobility SDK or the HERE Products or functionality included in or related to the Mobility SDK or the HERE Products. Without limiting the foregoing, Partner may not sell, rent, lease, sublicense, redistribute or syndicate access to the Mobility SDK, and Partner may not charge any kind of service, booking or similar fee in connection with any services made available via the Mobility SDK.
(7) Partner must ensure that any Data or data otherwise related to your integration of the Mobility SDK is encrypted and transmitted over a secure, encrypted channel (e.g., HTTPS).
F. Data Privacy and Data Processing.
Without limiting the generality of Section 4 of the General Terms and Conditions (Demand Side), nor any other terms and conditions hereof, the following additional terms and conditions shall apply with respect to demand Partners who elect to provide the Mobility Services via Mobility SDK:
(1) In the course of providing the Mobility SDK to Partner pursuant to the Agreement, HERE Global B.V. processes User Data on behalf of Partner. The parties agree that with regard to the processing of User Data, Partner is the data controller and HERE Global B.V. is a data processor. To the extent User Data provided by Partner includes “personal data” or “personally identifiable information”, as defined under the applicable data protection laws, rules or regulations in the country in which Partner provides its offering as integrated with the HERE Mobility SDK (“Data Protection Laws”), HERE’s processing of such User Data shall be within a dedicated, logically segregated platform and limited to the following purposes: (i) the processing, use, storage, disclosure and disposal of such User Data in connection with the provision of the Mobility SDK and all features available therein or in connection thereto; and (ii) the processing of such User Data such that it no longer relates to an identified or identifiable natural person or is rendered anonymous in such a way that a data subject is no longer identifiable (“De-Identified Data”), for purposes of utilizing such De-Identified Data in HERE Mobility SDK to customize and improve the Mobility SDK or any other HERE Products. HERE may also use the information collected from the Mobility SDK to prevent potentially prohibited or illegal activities; to enforce its legal rights; and as otherwise contemplated under this Section F. Partner agrees and acknowledges that HERE may maintain, use and distribute such De-Identified Data derived from the User Data for its own purposes and Partner agrees to include the relevant language and terms in its privacy policy, and inform the Users, and to the extent legally required, obtain legal and valid consent or establish another legal basis regarding such usage by HERE in accordance with Data Protection Laws.
(2) Partner shall comply with and shall be responsible for each User’s compliance with all applicable Data Protection Laws with respect to the User Data and information that is provided to or by, or made available to or by, Partner and/or is under its control.
(3) Partner shall, in its use or receipt of the Mobility SDK, collect, use, transfer or otherwise process User Data in accordance with the requirements of applicable Data Protection Laws and Partner will ensure that its instructions for the processing of User Data shall comply with applicable Data Protection Laws. Partner warrants and represents that it complies and shall continue to comply at all times, with any Data Protection Laws with respect to any detection, collection, access and otherwise use of User Data. Partner acknowledges that the use of the Mobility SDK enables detection, collection, access and otherwise use of User Data which includes, inter-alia, name, phone number and geo-location data. HERE offers Partner the ability to configure and customize its use of the Mobility SDK such that Partner may choose whether or not to allow the collection and use of its Users’ name, phone number and geo-location data via the Mobility SDK as embedded within the Partner Materials when its Users use the Partner Materials. Partner is required and advised to exercise great care in configuring the types of data it chooses to have the Mobility SDK collect, making sure that such data is collected upon sufficient legal basis. Partner shall have sole responsibility for the accuracy, quality, and legality of the User Data and Partner’s collection and/or acquisition and use of the User Data (including provision of the User Data to HERE pursuant to the Agreement). Notwithstanding the foregoing, Partner acknowledges that User Data may be stored and/or processed in a different country than where Partner offerings as integrated with the Mobility SDK are provided. 
User Data from a Partner in the European Economic Area (“EEA”) or Switzerland may only be exported or accessed by HERE or its subprocessors outside the EEA or Switzerland, if: (i) the recipient, or the country or territory in which it processes or accesses User Data, ensures an adequate level of protection as determined by the European Commission; or (ii) Standard Contractual Clauses (as defined below) for the transfer of personal data to processors established in third countries apply.
(4) To the extent Partner, in its use or receipt of the HERE Products, does not have the ability to correct, amend, block or delete User Data as required by applicable Data Protection Laws, HERE shall comply with any commercially reasonable request by Partner to facilitate such actions to the extent HERE is legally permitted and technically able to do so. HERE shall, to the extent legally permitted, promptly notify Partner if it receives a request from a User, for access to, correction, amendment or deletion of that person’s User Data. HERE shall not respond to any such request without Partner’s prior written consent except to confirm that the request relates to Partner. HERE shall provide Partner with commercially reasonable cooperation and assistance in relation to handling of a request for access to that person’s User Data, to the extent legally permitted and to the extent Partner does not have access to such User Data through its use or receipt of the HERE Products.
(5) Partner authorizes HERE to subcontract the processing of User Data to subprocessors, as required for the functioning of the HERE Products under this Agreement. In case of any subprocessing, HERE shall enter into a written contract with its subprocessor which imposes at least equivalent obligations on the subprocessor as are imposed on HERE under this Agreement; such contract shall include a description of the technical and organizational measures, which the subprocessor has to implement in such a manner that the processing will meet the requirements of the applicable Data Protection Laws. If Partner requests, HERE will inform Partner of the name, address and role of each involved subprocessor. HERE’s use of subprocessors is at HERE’s sole discretion. HERE will notify Partner in advance (by email or by posting on a protected web portal) of any changes to the list of subprocessors in place on the Effective Date (except for emergency replacements or deletions of subprocessors without replacement). If Partner has a legitimate reason that relates to the subprocessor’s processing of personal data, Partner may object to HERE’s use of a subprocessor, by notifying HERE in writing within thirty days after receipt of HERE’s notice. If Partner objects to the use of the subprocessor, the parties will discuss a resolution in good faith. HERE may choose to: (i) refrain from using the subprocessor, or (ii) take the corrective steps requested by Partner as specified in its objection and use the subprocessor. If none of these options are reasonably possible and Partner continues to object for a legitimate reason, either party may terminate the Agreement on thirty days’ written notice. If Partner does not object within thirty days of receipt of the notice, Partner is deemed to have accepted the new subprocessor.
Where legally required (as determined by HERE), HERE has entered into the unchanged version of the Standard Contractual Clauses for the transfer of personal data to processors established in third countries pursuant to Commission Decision 2010/87/EU (“Standard Contractual Clauses”) prior to the subprocessor’s processing of User Data. Partner hereby accedes to the Standard Contractual Clauses between HERE and the subprocessors.
(6) HERE shall ensure that its personnel and subprocessors engaged in the processing of User Data are informed of the confidential nature of the User Data and have received appropriate training on their responsibilities and are subject to obligations of confidentiality and such obligations survive the termination of that persons’ or subcontractors’ engagement with HERE. HERE shall ensure that HERE and its Affiliates’ access to User Data is limited to those personnel who require such access to perform the Agreement. HERE has appointed a data protection officer where such appointment is required by Data Protection Laws who may be reached by email at privacy@here.com.
(7) If HERE becomes aware of any unlawful access to any User Data stored on HERE’s equipment or in HERE’s facilities, or unauthorized access to such equipment or facilities resulting in loss, disclosure, or alteration of User Data for which notice is required under applicable Data Protection Laws (“Security Breach”), HERE will promptly: (a) notify Partner of the Security Breach; (b) investigate the Security Breach and provide Partner with information about the Security Breach; and (c) take reasonable steps designed to mitigate the effects and to minimize any damage resulting from the Security Breach. Partner agrees that an unsuccessful Security Breach attempt will not be subject to this Section. An unsuccessful Security Breach attempt is one that results in no unauthorized access to, or loss, disclosure or alteration of, User Data or to any of HERE’s equipment or facilities storing User Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents; and HERE’s obligation to report or respond to a Security Breach under this Paragraph 6 of this Section F is not and will not be construed as an acknowledgement by HERE of any fault or liability with respect to the Security Breach. Notification(s) of Security Breaches, if any, will be delivered to one or more of Partner’s business, technical or administrative contacts by any means HERE selects, including via email. It is Partner’s sole responsibility to ensure it maintains accurate contact information on HERE’s support systems at all times.
(8) HERE shall comply with the requirements relating to the security of processing personal data as required by applicable Data Protection Laws. In particular, HERE shall implement and maintain appropriate technical and organizational measures ensuring a level of protection that is reasonable and sufficient in terms of the risks related to the processing and the nature of the involved personal data. A description of the technical and organizational measures, implemented by HERE, is set forth in Schedule 1 (“HERE Technical and Organizational Measures”).
(9) Partner may audit HERE’s security practices relevant to personal data processed by HERE only if: (i) HERE has not provided sufficient evidence of its compliance with the technical and organizational measures through providing a certification as to compliance with ISO 27001 or other standards; (ii) a Security Breach has occurred; (iii) Partner has reasonable grounds to suspect that HERE is not in compliance with its obligations under this Section F; (iv) an audit is formally requested by Partner’s competent data protection authority; or (v) mandatory Data Protection Laws provide Partner with a direct audit right. Each Partner audit shall be made subject to a sixty (60) days prior written notice and HERE will reasonably assist Partner in its auditing process. The Partner audit will be limited to once in a calendar year and limited to a maximum of one business day without disrupting HERE’s regular course of business. Partner and HERE will each bear their own audit costs.
(10) HERE shall return User Data to Partner and/or delete User Data in accordance with HERE’s procedures and applicable Data Protection Laws and/or consistent with the terms of the Agreement; provided that HERE shall have no obligation to delete User Data that has been de-identified.
(11) For the duration of this Agreement, Partner shall maintain and publish an adequate privacy notice as part of its applications that complies, in full, with all applicable laws including Data Protection Laws, any binding contractual obligations (including any platform or application store terms of use) and with the terms of Section 2.7 of the General Terms and Conditions (Demand Side).
G. Additional Effect of Termination
(1) Upon termination of this Agreement, Partner must remove the Mobility SDK from all applicable Partner Materials in the first update release of the Partner Materials by Partner, which must occur by no later than 30 days of said termination. It is hereby agreed and acknowledged that upon termination of this Agreement, HERE may, at its sole discretion, disable Partner’s continued access or use of the Mobility SDK as integrated into the Partner Materials.
Schedule 1
HERE Technical and Organizational Measures
In order to protect personal rights while processing personal data on behalf of Partner, HERE has implemented the following technical and organizational measures (as may be amended from time to time by HERE, at its sole discretion, by providing Partner with written notice thereof):
SECURITY POLICIES AND MANAGEMENT
HERE has ensured that its senior management assigns security responsibilities and reviews the implementation of security within the organization. Senior management has nominated an individual responsible for the overall security, risk management, information security, privacy and controls for handling personal data.
HERE has established and demonstrated commitment to security through an organization-wide security policy (“Security Policy”). This Security Policy and related guidelines are communicated to all employees working on Partner engagement.
HERE has its own, dedicated information classification schema based on information sensitivity (for example, internal, confidential, and secret) and established measures to ensure that information ownership is defined at all times. This schema includes appropriate security controls to protect Partner information, personal data and assets, where applicable.
HERE conducts security risk assessments either for Partner engagement or as part of its normal business operations at least at an annual frequency, incorporating emerging threats, possible business impacts and probabilities of occurrence. HERE modifies the security related processes, procedures and guidelines based on the findings in such security risk assessments.
INDEPENDENT CERTIFICATIONS AND AUDIT RIGHTS
For the production systems which run the HERE services provided under the Agreement and during the term of the Agreement, HERE maintains applicable certifications based on ISO 27001. Upon Partner’s request or at least annually, HERE shall inform Partner about the applicable certifications and/or reports and provide a copy of such certifications and/or reports, including scope of such certifications (including any identified deficiencies), for Partner to review. Information and copies of such certifications and reports shall be confidential information of HERE.
SECURITY INCIDENT MANAGEMENT
HERE has established adequate issue and/or incident response procedures (or plans) and nominated persons to react and minimize in a timely fashion further damage caused by security or privacy issues, vulnerabilities and incidents. HERE notifies and escalates events related to unauthorized disclosure, modification or misuse of Partner’s personal data under the Agreement. HERE shall use agreed incident communications channels in communicating the incident(s) in a timely fashion. HERE shall attempt to mitigate the incident, related to Partner’s personal data, already at the time of noticing and shall report to Partner only such incidents which cannot be excluded from being identified as false alerts. HERE shall have competent people to conduct investigations.
EMERGENCY RESPONSE AND BUSINESS CONTINUITY
HERE has a documented and implemented up-to-date emergency response plan for provided services, focusing on the availability and integrity of the services in scope as well as on the safety of people, premises and assets. Where applicable and necessary, HERE has communicated this plan to its employees.
HERE has appropriate workaround solutions in place for delivering as per agreed applicable Service Level Agreement (SLA), if any. These measures shall be documented in form of a plan and tested as part of Business Continuity testing cycle of HERE.
PERSONNEL AND SUBCONTRACTOR SECURITY
HERE personnel, their subcontractors and their external service providers shall have valid, signed, written confidentiality obligations prior to accessing environments, where Partner’s personal data is processed. HERE shall ensure that there is a verifiable and auditable trail of confidentiality obligations at all times between Partner, HERE and their subcontractors and/or external service providers.
HERE ensures that there is an appropriate entry and exit procedure for personnel changes that includes granting and disabling of user access and returning of assets when terminating the employment with HERE or upon personnel changes related to Services provisioning targeted to Partner.
AWARENESS
HERE conducts security and privacy awareness trainings (or refresher sessions) during induction and thereafter at least annually to all relevant existing employees and new hires. HERE ensures that due emphasis is given to the handling of client confidentiality and specifically unlaunched product information and social media guidelines (and restrictions).
IT SECURITY
HERE has implemented appropriate access control and access rights management designed to ensure that data is only processed by a minimum number of authorized persons who have access to requisite data needed to perform their work-related duties (i.e., role-based access control with least privileges).
HERE maintains the following: processes for authorizing and terminating user access and subcontractor access, including emergency access termination procedure; password management policy including password complexity requirements, no common or shared user accounts in use, password aging where systems do not support use of password managers, and secure delivery of credentials to users; audit records of all existing user privileges, which shall be retained and reviewed regularly to remove excess privileges; and processes which ensure segregation of duties.
HERE further maintains a sufficient audit trail and the use of access privileges (changes, who, what, when) is in place when dealing with sensitive (confidential or secret) information.
HERE collects logs pertaining to user access to Partner Data and stores such logs for at least three (3) months unless otherwise restricted by local legislation.
HERE has implemented reasonable and appropriate information security measures (e.g., hardening, patching, antivirus, IDS, etc.) to protect Partner Data against unauthorized or accidental access, use, disclosure, deletion, destruction, loss, alteration or amendment.
HERE only stores and processes Partner Data in an environment where requisite security controls have been implemented. HERE ensures that IT infrastructure and networks are designed and managed to protect IT systems, information, users and electronic communications.
HERE uses industry standard techniques to secure the connectivity between Partner and HERE against eavesdropping and alteration (including wireless access or remote connection), in solutions and services.