Regpack Service Agreement and Data Processing Agreement

Regpack Service Agreement

Regpack Inc. (hereafter referred to as the “Service Provider”) will enter into this agreement with XXXXX (hereafter referred to as the “client”) to provide services outlined below (hereafter the “product”). The effective date of this agreement is the date the setup fee is paid. Both “Service Provider” and “client” hereto agree as follows:

Billing Terms

Terms are based on the number of admin licenses and cost per license as outlined in your cart. Client can log in to their Regpack account and navigate to “Billing” to review their current billing and cart items. Reach out to Support at support@regpacks.com for further information.

General Billing Terms: 

  • Month to Month License
    • Includes unlimited applicants across all projects
    • Includes additional projects
    • Includes unlimited collaborators and view-only users
    • License(s) must be paid in full at the beginning of the contract term
    • Contracts will renew after the initial term is complete
  • Annual License(s)
    • Includes unlimited applicants across all projects
    • Includes additional projects
    • Includes unlimited collaborators and view-only users
    • License(s) must be paid in full at the beginning of the contract term
    • License(s) will renew after the initial term is complete

Admin License Levels:

  • Owner – includes access to all elements of the product and full permission to speak with Regpack representatives about all elements of the account. All owners MUST be Super Admins.
  • Super Admin – includes read and write access to all building, payment, and reporting elements of the product including permission to speak with Regpack representatives about all elements of building, payment, and reporting elements.
  • Financial Admin – includes read and write access to all payment elements of the product including permission to speak with Regpack representatives about all elements regarding payments.
  • API Admin – strictly for accessing our Open API and webhook tools. It can’t be accessed by any individual(s) outside of the API connection. API admin licenses are not eligible for discounts, special promotions, or group pricing.
  • Collaborator – includes only read and write access to user information.
  • Guest – includes only read-only access to user information.

Only Super Admin, Financial Admin, and Collaborator(s) are able to communicate with the Service Provider Support Team via email. Only Super Admin(s) are eligible for training session(s) and scheduled phone calls. Please see – www.regpacks.com/pricing – or speak with your sales rep for more details.

NOTE: Account sharing is prohibited. All admins who log in to manage your project must be registered as a Super Admin, Financial Admin, Collaborator, or Guest, and will be billed accordingly. Failure to abide by these guidelines is in direct opposition to our Data Processing Agreement, which protects the safety and security of all user and payment data, and will result in immediate suspension of your account.

Month to Month Billing Cycle Terms:

  • The first payment is not included in the setup fee payment.
  • The monthly cycle is billed for the upcoming 30 days.
  • Admin fees are billed regardless of project status. There are options to suspend your account so as not to incur a monthly charge. You must contact Support in writing for suspension approval and processing.
  • Suspended accounts cannot be altered, adjusted, or amended by any Service Provider representative or employee.
  • Account will be locked out if payment for admin fees is not received by the due date.
  • All accounts are automatically billed through a saved payment method (e-check or credit card). If no payment method is supplied in the system, payment for 12 months must be issued in advance.

Annual License Billing Terms:

  • Payment is due at the time the setup fee is paid.
  • Licenses are valid for the number of months paid for, either 12 or 24 months.
  • Licenses will automatically renew after the term has ended.
  • License holders are required to provide 30 days written notice of cancellation in order to prevent automatic renewal of license term. Cancellation requests are routed through our support team (support@regpacks.com).
  • The Service Provider may modify the license fees once per calendar year with 30 days’ notice, provided that the increase does not exceed 10% over current fees paid per admin license.

Payment Method

All Regpack accounts must maintain a valid credit or debit card or bank account for automated clearing house transaction (ACH) on file with us. You agree that we may charge your credit or debit card, withdraw amounts from your designated account at your depository institution, or charge any other payment method that you have on file with the fees due hereunder, any sales and use taxes, and any late fees or interest (as described below).

If you arrange to make payments by check and you do not pay your invoice within twenty-eight (28) days from the invoice date, we will charge your credit or debit card or withdraw from your designated account at your depository institution on file for the outstanding balance past due. You represent and warrant that the payment information you provide to us is correct and accurate and you are using a form of payment that you are legally authorized to use for this purpose.

You agree that you are solely liable for any payment or credit card fraud, abuse, or unauthorized use by you or others. Except for downgrades and cancellations by you in the manner permitted herein, payments are nonrefundable, and there are no refunds or credits for partially used periods.

Refund Policy

Any monthly or annual license payment, including initial setup fees, project manager fees, and all other incurred fees are non-refundable once paid. For cancellation of a monthly or annual plan, refer to the “Cancellation” section of this contract, outlined below.

Account Suspension

You can suspend your account once, for up to 60 days, within a 12 month time period. Suspended accounts will not be billed during suspension, and access to your account will be locked. Requests for access to information will reactivate your account and billing will resume immediately.

In order to suspend your account, you must request a suspension in writing by emailing support@regpacks.com. Account suspension will go into effect once your suspension request is received and processed. Unless otherwise notified, your account will automatically turn back on after 60 days and billing will resume.

Cancellation Policy

Canceling the renewal of a 12 month (or longer) license subscription requires at least 30 days notice via written correspondence to either support@regpacks.com or payments@regpacks.com. If you have not given notice prior to 30 days of the renewal date, the license will be renewed for an additional term of at least 12 months.

Canceling your Regpack account requires at least 90 days notice via written correspondence to either support@regpacks.com or payments@regpacks.com. If your preferred cancellation date is within 90 days or you have not given notice prior to 90 days of your preferred cancellation date, Regpack will provide two options for immediate cancellation:

  1. A one-time fee of at least half of all SA licenses under your organization OR a minimum of $2,000 USD to cancel all Super Admin licenses that are 12 months or longer and end the contract. Upon receipt of payment, Regpack will then close the account immediately.
  2. Upfront payment of license fees for all monthly Super Admin licenses listed in your account for the subsequent 90 days. Upon receipt of payment, Regpack will then close the account immediately.

Reactivating or Re-opening your account resets the canceling notice requirement.

Admin License Terms 

Regpack Inc. (hereafter referred to as the “service provider”) will enter into this agreement with undefined (hereafter referred to as the “client”) to provide services outlined below (hereafter the “product”). The effective date of this agreement is the date the setup fee is paid. Both “service provider” and “client” hereto agree as follows:

License Details

This license permits a single user to access the service provider’s administrative portal (www.regpacks.com/reg/admin/). This license cannot be accessed or used across several computers simultaneously but is not limited to a specific network or region. Attempting to access simultaneously will result in immediate expulsion, and multiple expulsions will lead to termination of a license.

PM Assistance Timeline: For your first project build, your onboarding includes PM Assistance for 2 months from the date you make your first payment. If you have not completed your Project Build within this timeframe and would like to continue to work with your Project Manager to complete the build, you will be charged an additional $350.

Security

All licenses require multi-factor authentication to access the administrative portal. This cannot be turned off, restricted, or circumvented by the service provider’s representatives, contractors, and/or partners. All licensees must be able to receive a secondary code directly to their documented email address. A licensee email address cannot be a shared inbox and must be limited to a single person.

Enforcement of Licensee Access

The client manages all access to the service provider’s administrative portal, including, but not limited to inviting, removing, adjusting license levels and their designated permission levels. The service provider’s representatives, contractors, and/or partners will not invite, exclude, remove, or intervene except when inviting the initial account owner. All licenses will have full access to the administrative portal via the permission levels designated below. The client will take full responsibility for any actions taken by individuals they’ve permitted to access the system. The service provider is not responsible for any malicious action performed by an authorized user nor is the service provider responsible for restitution or information loss in the case of negligence by an authorized user such as password sharing or lost device(s).

Admin License Transfer Policy:

PARTIES:

  1. Regpack, Inc. whose registered office is at 530 B Street, San Diego, CA (the “Licensor”)
  2. YOU, the end user of the software products licensed for use for an organization (the “Licensee”)

BACKGROUND

  1. The Licensor has supplied and licensed certain software products (“Software”) to the Licensee under the terms of the Terms of Service Agreement.
  2. In order to guard against unlicensed use of the Software, each License is assigned to an individual via their email address. Secure login is required to access and enable the Software.
  3. The Licensee wishes to move a license to another user on the terms set out in, but not limited to, this agreement.

TERMS AND CONDITIONS

The transfer of the license to a new user of the Software is subject to these terms and conditions.

  1. Licensor will limit the Licensee to a maximum of one (1) license transfer per calendar year from the date the product was purchased. This is free of charge.
  2. Additional license key transfers within this period will be charged a fee.
    1. 2nd transfer: $250
    2. 3rd transfer: $500
  3. The transfer of license is considered on a case-by-case basis and is at the sole discretion of the Licensor.
  4. The Licensor may from time to time and at its sole discretion vary the terms and conditions of this License Transfer Policy.

Project Manager Support

The Service Provider will provide Project Manager support for the client’s initial project. The cost of the Project Manager is included in the setup fee for the initial project. Project Manager support is provided for additional projects for an additional fee. Refer to pricing at the beginning of this document.

The role of the Project Manager is to assist the client in building the base structure of the project. This includes the initial form structure, setting up the initial product and discount structure, providing training session scheduling, and reviewing the email communication mechanisms within the project.

The Project Manager will be assigned to the client after the initial setup fee or the additional project fee with Project Manager support are paid in full and any supporting documents needed for project creation are supplied and approved. The Project Manager will hand off to the support team when the project is ready to go live.

The projected timeline for getting a project ready to take live registrations is 10 business days following a document review and initial conversation with the Project Manager. All documents (including pricing and discounts) must be submitted to the Project Manager for their approval prior to the start of the 10 business day build timeline. The build timeline is contingent upon client adherence to tasks and deadlines set by the Project Manager.

The Service Provider offers an expedited service of 5 business days for an additional fee. The Service Provider reserves the right to change the Project Manager or to stop project management services without cause or prior notice.

The Project Manager support DOES NOT include:

  • Text changes/adjustments on any elements after they are inserted into the project. The client and all Super Admins will be able to make adjustments once the structural build is complete.
  • Support after the project is ready to go live.
  • Creation and setup of user report(s).
  • Creation and setup of email message(s) for communication with users.
  • Manual typing of legal document(s) or agreement(s)
  • Design/image implementation and/or HTML Support

The Project Manager support DOES include:

  • Initial form creation and setup (up to 15 forms).
  • Initial product/services creation and setup, if necessary.
  • Review of email trigger mechanisms to confirm message(s) are sent as expected.
  • Initial instructions on how to access and edit elements not included in Project Manager support.

Integrated Payments

The Service Provider enables online payments with credit cards and ACH (electronic checks for US bank accounts only). The payments are performed through 3rd party partnerships including, but not limited to: BlueSnap, CardConnect and WePay.

These partners are solely responsible for money transfer, payment authentication, fraud detection, fund arrival, and chargeback arbitration. Additionally, these partners are responsible for risk assessments, which can affect the actual processing rates assessed on transactions. The Service Provider acts solely as the technological bridge and bears no responsibility for funds or money transfers. The client enters into a standard processing agreement with the processing partner connected for their project and/or organization. The integration of a processing partner is done solely at the discretion of the Service Provider.

Regpack offers payments through WePay, Inc. (“WePay”), BlueSnap, and CardConnect, all third-party payment processors. In order for you to use these payment processing services, you must register with them as a merchant. The WePay Terms of Service explain that process and are available here. The WePay Privacy Policy is available here. The BlueSnap Terms and Conditions are here and merchant agreement is here. By accepting this agreement with Regpack, you agree that you have reviewed the Terms of Service and Privacy Policy for the country in which you are located and agree to them. If you have questions regarding the Terms of Service or Privacy Policy, please contact payments@regpacks.com.

Transactions of illegal products and services are prohibited by both the Service Provider and payment processing partners.

Transactions are limited to countries and currencies that are not listed on the blocked and/or sanctioned list by the U.S. State Department. For questions regarding payments from specific countries, reach out to our Payments team at payments@regpacks.com.

Processing Fees

The credit card processing fees are determined according to the credit card issuer. Your contracted rates can be found under “Settings” and “Billing”.

American Express, Discover, and Diners cards will have an additional surcharge of 1.6% plus $.50 on Visa / Mastercard rates.

NOTE: The client has the ability to limit the type of integrated payments offered. Options include: credit card only, limiting the type of credit cards allowed, ACH only, or any combination of the latter. These choices can be implemented per project.

All processing fees are subject to change due to risk re-evaluation, law changes, credit card company policy, or third party price changes. The client’s funds can be subject to a hold by the processing partner due to their risk evaluation.

The client processing fees are determined during initial conversations with their sales rep and are based on estimates of quoted processing volume and/or payment method ratio. The client will be asked to supply documentation in order to secure processing fee rates at the initial quoted rate amount. In the event that actual processing volume differs from estimated volume, or cannot be verified, all processing fees will be subject to re-evaluation and change. Please reach out to the sales team if there are any additional questions.

All BlueSnap and WePay processing fees are automatically deducted from the transactions prior to their deposit into the client’s bank account. All CardConnect credit card processing fees are deducted from the client’s bank account daily. All CardConnect ACH processing fees will be manually billed to the client the month following. All processing fees are considered a resell and are not quoted in an invoice prior to being billed.

The client will be given access to a dashboard maintained by the processing partners to review and reconcile transactions paid through the Service Provider. The client can receive funds via ACH transfer. Daily transfers are free of charge. Weekly and monthly transfers incur a $2 transfer fee. The client will be given an option of daily, weekly, and monthly deposits for all processing partners. BlueSnap offers wire transfer for non-US or Canadian clients at an additional cost of $20 per transfer.

Integrated Payment Reports

The Service Provider provides tokens to allow the client to create and export transaction reports in .csv format.

Additionally, the client has the option to create and export transaction reports directly through dashboards maintained by the third party processing partners. The client can request access to these dashboards by contacting the Service Provider’s payments team at payments@regpacks.com.

These reports will list all of the following elements as options to include in a report: transactions, including sales, refunds, chargebacks, and all details of each transaction, including name, amount, date, last 4 digits of credit card number, breakdown of commissions that were deducted from payment, and rate of each payment method.

Payment Risk Compliance

In order to reduce the risk of chargebacks and mass refunds, the client understands that Regpack can, at any time, require specific information be added to the client’s offerings, housed across all projects, in order to remain in compliance with risk protocols and guidelines from government entities, card issuers, Regpack’s payment gateway agreements, and our internal risk standards. Data not in compliance runs the risk of increased processing rates to compensate for risk increases.

Specific data requirements include, but are not limited to, the date or date range of all in-person and virtual offerings, and the price and detailed description of all offerings. The service provider reserves the right to change the conditions of compliance as processing partners change or update their risk requirements at any time.

Refunds

The client can issue a refund via the embedded function in the Service Provider’s system. If the client wishes to issue a refund more than 60 days after the transaction date or for a recent ACH payment, the client will need to send an email from an authorized person that will state: full name, email, and refund amount to support@regpacks.com. The refund will be issued within 48-72 business hours. The user’s balance will be updated accordingly, and the client will be able to see the refunds as negative amounts on the payment page at any time.

Chargebacks and ECP Reversals

The client will be charged a $15 fee for each chargeback. A chargeback is the return of funds to a consumer, initiated by the issuing bank of the instrument used by a consumer to settle a debt. Specifically, it is the reversal of a prior outbound transfer of funds from a consumer’s bank account, line of credit, or credit card. These transactions are initiated by the consumer. If the client would like to challenge this transaction, the processing partner is solely responsible for the chargeback review process and the final determination on the status.

The client will be charged a $4 ECP (Electronic Check Processing) reversal fee on a declined ACH payment. This can be due to insufficient funds, incorrect account number entered, because the account could not be located, or other factors.

Purchase Protection 

Purchase Protection is an optional 3rd party service that the client can utilize in their projects at no additional cost. Purchase Protection covers the cost of eligible products across all of the client’s projects and reimburses some or all of the user’s payments if eligibility criteria (such as illness) are met. The software provides tools to allow the client and their users to opt in or opt out of the service on a per-project basis.

The full terms and conditions of Purchase Protection can be found here.

Account/Admin Support

The Service Provider will provide support primarily via email during 9:00am-5:00pm PST Monday through Friday. The Service Provider reserves the right to amend or adjust these hours without cause or prior notice.

The Project Manager will transition the client to account/admin support at their determination that the project is ready to go live. All inquiries, concerns, requests, and issues will need to be communicated from the client directly to support@regpacks.com.

Project Updates/Maintenance

The Service Provider is not responsible for the day to day maintenance of the client’s project including, but not limited to: updating text, updating fields, updating products, updating emails, updating triggers or any function the client themselves have access to. If a client would like access to day to day maintenance, a Managed Account option is available, and detailed below.

Managed Account

The Service Provider has an optional expanded service where the client will have direct access to a dedicated account manager for an additional fee. This service does not expand on the support hours listed above. This service is quoted according to the needs of the client. The base cost is $6,000 paid annually upfront and can be adjusted according to need.

Development Requests

The product is sold “as is” and the Service Provider has sole discretion on the features and functions contained within as well as the future development. Any client can submit feature requests, but there is no guarantee on development time or implementation. There is an option for clients to submit requests for custom development for their project. This requires an additional fee and requests are subject to approval by the head of development and priced according to the scope of work.

End User Contact

The Service Provider does not provide direct support to any end users of the client. If the Service Provider needs to contact an end user while troubleshooting an issue, it is the responsibility of the client to act as the intermediary. All contact between the Service Provider and their end users must be consented to by the client in a written notice.

The Service Provider DOES NOT directly market to the client’s end users nor will the Service Provider sell any end user information to any third parties without prior authorization from the client.

Account/Admin Support Eligibility

The Service Provider uses the admin level and/or permissions to confirm any individual’s access to the project. Account/Admin support is only provided to individuals with an active admin license, and support staff can only speak with an individual according to the projects they have access to. Any person(s) without an admin license is considered an unauthorized individual for security purposes.

Security

The product functions on encrypted servers with SSL 256 bit enabled. All information is processed through the SSL protocol in order to ensure the data transferred cannot be viewed by any unauthorized third parties. The product protects payment information by employing a split database mechanism where payment information is not saved with user information.

The Service Provider is PCI-2 compliant and undergoes daily scans to confirm integrity, daily backups to protect information, and an independent audit to confirm the PCI compliance level. The payment information is saved on a PCI-1 compliant server that is employed with several safeguards including, but not limited to: encrypted API, available to limited IP addresses, rotating passwords and usernames, and protection algorithms created on the fly to create secure “handshakes”. The payment data can only be accessed within the Service Provider’s network and the network of our processing partners.

Any action done by the client that violates PCI compliance regulations will result in immediate suspension of the client’s account. All account information will be purged immediately. This includes but is not limited to:

  • Gathering credit card or bank information directly on forms not designed for it
  • Capturing payment information from end users outside of the Service Provider’s approved integrated payments forms
  • Sharing login credentials including passwords with anyone other than themselves
  • Any other action violating PCI regulations

Compliance

Any client whose willful negligence is found to be the cause of any disaster or major outage will be held liable for any cost incurred by Service Provider or affected parties. Any third party partner company found in violation may have their access terminated.

Application Updates and Releases

The Service Provider will release development updates to the product as they are released. These updates and their frequency and content are done solely at the discretion of the Service Provider. The product is under constant development and the Service Provider will review all issues reported by the client. The release date for any issue fixes is determined solely by the Service Provider. The release date of any updates is primarily kept internally, but if shared, these dates are non-binding.

Development Timeline

For any custom quoted feature requests, a timeline will be provided to the project stakeholders. The timeline will be agreed upon prior to payment and will only be binding if payment is received by the date outlined in the provided quote.

For project related tasks, such as admin email and/or name adjustments, CSS styling adjustments, or vendor account implementation, completion time is up to 14 business days. Any reported issue escalated to developer review can take up to 10 business days to investigate and if it is confirmed as legitimate, the above release guidelines will apply.

Ownership of Code

All applications, modules, systems, functions, abilities, and structures built by the Service Provider are the Service Provider’s sole property. The price paid is for usage only and not for ownership. The client cannot claim rights to this property due to usage, payment, improvement, or participation in the development process.

Additional Disclaimers

Except as expressly provided in this agreement, the services are provided on an “as is” “as available” and “with all faults” basis. To the extent permitted by law, Service Provider disclaims all implied conditions, representations, and warranties of any kind, including any implied warranty or condition of merchantability, fitness for a particular purpose, title, or non-infringement. Service Provider makes no representations, warranties, conditions or guarantees as to the usefulness, quality, suitability, or completeness of the services or that they will be error-free, uninterrupted or free from defect. The Service Provider reserves the right to update this agreement with no cause and no prior notice. By signing these terms, you acknowledge they may be changed or updated at any time.

Arbitration

These terms of service include an arbitration provision, below, that governs any disputes between the Service Provider and the client. This provision will eliminate the client’s right to a trial by jury, and substantially affect the client’s rights, including preventing the client from bringing, joining, or participating in class or consolidated proceedings.

Any controversy or claim arising out of or relating to this contract, or the breach thereof, shall be settled by arbitration in accordance with its Commercial [or other] Arbitration Rules, and judgment on the award rendered by the arbitrator(s) may be entered in any court having jurisdiction thereof.

The location of the arbitration proceedings can be amended or adjusted according to local laws and statutes.

Data Storage Upon Suspension or Cancellation

As part of our compliance with GDPR, Service Provider will not store or provide access to unnecessary user data. To comply with this standard, we will purge user data based on the status of your account.

For suspended accounts, we can only store user information for up to 6 months. If you choose to suspend your account, it can only be suspended for a maximum of 6 months and will be automatically reactivated upon hitting this term limit.

If you choose to cancel your account, this will result in all of your user information being purged immediately.

All suspensions and cancellations must be requested and confirmed via written correspondence. All purged data cannot be recovered once removed. Billing on automatically reactivated accounts will resume according to terms outlined in this Agreement.

Limitation of Liability

(i) In no event will either party’s aggregate liability arising out of or related to this agreement, whether in contract, tort or under any other theory of liability, exceed fees actually paid to Service Provider by client under this agreement in the twelve months preceding the incident(s) giving rise to liability.

(ii) Service Provider does not assume any liability for client’s failure to perform in accordance with this agreement or any results caused by client’s acts, omissions or negligence, or a subcontractor or an agent of client or an employee of client or any of client’s agents or subcontractors, nor shall Service Provider have any liability for claims of third parties arising out of or resulting from, or in connection with, client’s products, client’s messages, client’s programs, client’s caller contracts, client’s promotions or advertising, infringement of any of client’s products, or any claim for libel or slander or for client’s violation of copyright, trademark, or other intellectual property rights with regard to any of client’s products.

Exclusion of damages. In no event will Service Provider nor client have any liability to the other party or any other party for any lost profits, loss of business, goodwill or revenue, or for any indirect, special, incidental, punitive, or consequential damages however caused and, whether in contract, tort or under any other theory of liability, whether or not the party has been advised of the possibility of such damages.

The client shall assume all responsibility and liability for processed payments, both automated and/or manually entered, delivering of purchased goods and/or services, use, production, and/or commercialization of the Licensed Technology, including, but not limited to, the safety, effectiveness, and reliability of the Licensed Products. Under no circumstances shall the service provider be liable for any indirect, special, consequential or punitive damages of any kind resulting from the client’s practice of the rights granted hereunder.

Remarks:

  1. Prices do not include VAT or any taxes that need to be added. If required, these will be added by the client in their system, according to the law.
  2. The Service Provider reserves the right to use the client logo and company name in marketing materials and promotions as one of the Service Provider’s clients.
  3. The processing fee and any custom pricing in this document are valid for 30 days until signing and will continuously renew each month. The client can request a copy of our most up to date terms at any time by contacting support@regpacks.com.

Assignment

Service Provider may only process personal data in accordance with your written instruction unless required to do so by law. By signing this document, you are giving Service Provider the permission to process personal data we collect on your behalf. Service Provider employs appropriate security measures to keep personal data processing secure. While Service Provider takes appropriate technical and organizational measures to ensure the security of data, by signing this document you agree that you will also take technical and organizational measures to ensure the security of personal data processing, including but not limited to: not sharing your admin credentials with anyone, not giving access to unauthorized individuals to your account, and ensuring other 3rd parties you use are in compliance with GDPR and all data protection laws when handling any of your data.

You are required to:

  • Ensure you are doing everything you can to keep personal data secure.
  • Notify any personal data breaches to Service Provider immediately.
  • Delete data of a user should they request it, within 1 month of the request and free of charge.

Please note:

  • If you suspend your account, your data will be held by Service Provider for up to 6 months. At this point, your account will be renewed or you can request cancellation.
  • If your account is canceled, ALL data will be purged from the system immediately.
  • Only data that is required by law to be retained will be exempt from the purge.

Regpack Data Processing Agreement

Regpack, Inc. (“Regpack”) provides the Regpack service (the “Service”) through the domain Regpacks.com (the “Website”) which allows a customer to collect, analyze, and export user personal data. The party who has signed this agreement (the “Customer” also known as the ‘data controller’ as defined in this document) has signed up for the Service and has agreed to Regpack’s terms and conditions (including Regpack’s Privacy Policy) (collectively the “Agreement”). This Regpack Data Processing Agreement (the “DPA”) is entered into between Regpack and Customer effective as of the last date of signature (“Effective Date”) and reflects the parties’ agreement with respect to the terms governing the processing and security of Personal Data under the Agreement. Terms not otherwise defined below will have the meaning set forth in the Agreement.

The parties agree as follows:

Purpose. Each party agrees to process Personal Data received under the Agreement only for the purposes set forth in the Agreement and in compliance with the Applicable Data Protection Laws.

Definitions. In addition to the terms otherwise defined in the Agreement, the following terms have the definitions below:

2.1. “Applicable Data Protection Laws” means all laws and regulations, including laws and regulations of the United States, European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.

2.2. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

2.3. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2.4. “Personal Data” means information about an individual that (a) can be used to identify, contact or locate a specific individual, including data that the Customer chooses to provide to Regpack from its use of the Regpack service; (b) can be combined with other information that can be used to identify, contact or locate a specific individual; or (c) is defined as “personal data” or “personal information” by the applicable laws or regulations relating to the collection, use, storage or disclosure of information about an identifiable individual.

2.5. “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.6. “Processor” means the entity which Processes Personal Data on behalf of the Controller.

2.7. “Sub-processor” means any Processor engaged by Regpack.

2.8. “User” means the identified or identifiable person to whom Personal Data relates.

Provision of Services. In the course of providing the Services to the Customer pursuant to the Agreement, Regpack may Process Personal Data on behalf of Customer and its Users. The parties agree and acknowledge that the Applicable Data Protection Laws may apply to the processing of Personal Data if, for example, the data processing is carried out on behalf of a Customer (or of an authorized Customer affiliate) with a presence in an EU Member State. Each party agrees to comply with the following provisions with respect to any Personal Data Processed during the provision of the Services. The parties acknowledge and agree that with regards to such Processing of Personal Data, Customer is the Controller and Regpack is the Processor.

Customer’s Processing. Customer, in its use of the Services, agrees to:

4.1. Process the Personal Data in accordance with the written instructions provided to Regpack as set forth in this DPA and the Agreement;

4.2. Comply with its protection, security, and other obligations with respect to Personal Data prescribed by the Applicable Data Protection Laws for data Controllers by: (a) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Personal Data is processed on behalf of Customer; (b) processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses, including, but not limited to, providing notice and obtaining all consents and rights necessary to process Customer data and provide the Services pursuant to this DPA and the Agreement; and (c) ensuring compliance with the provisions of the Agreement and this DPA by its personnel or by any third-party accessing or using Personal Data on behalf of Customer; and

4.3. Upon request of Regpack, delete Customer Data as requested by the User through the deletion capability in the Regpack Services, as required by Applicable Data Protection Laws. If requested by Regpack, a user or the customer, provide such information to Regpack reasonable and necessary, including, but not limited to, user IDs associated with such User, for Regpack to unambiguously identify the User requesting such deletion.

Regpack Processing. Regpack shall treat Personal Data as Confidential Information and will only Process Personal Data in accordance with Applicable Data Protection Laws directly applicable to the Services, including, effective as of May 25, 2018, compliance with the GDPR. Regpack will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation.

5.1. Regpack will Process Personal Data (i) only for the purpose of providing, supporting and improving Regpack’s services (including providing insights and other reporting), using appropriate technical and organizational security measures; and (ii) for the purposes set forth in the Agreement. The parties agree that this DPA and the Agreement set out the Customer’s complete and final instructions to Regpack in relation to the processing of Customer Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Regpack. Regpack will not use or process the Personal Data for any other purpose. Regpack will inform Customer in writing if it cannot comply with the requirements under this DPA, in which case Customer may terminate their account with Regpack or suspend data processing operations.

5.2. Regpack will inform Customer if, in Regpack’s opinion, an instruction from Customer violates Applicable Data Protection Laws.

5.3. Regpack will enter into contractual arrangements with Sub-processors binding them to provide the same level of data protection and information security as that which is required by law. Regpack will not be liable for the acts and omissions of its Sub-processors.

5.4. Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Regpack shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered Personal Data under Data Protection Laws, Regpack is the Data Controller of such data and accordingly shall process such data in accordance with the Regpack Privacy Policy and Applicable Data Protection Laws.

User Request. Regpack shall not respond to a User Request without Customer’s prior written consent except to confirm that such request relates to Customer, to which Customer hereby agrees. To the extent Customer, in its use of the Services, does not have the ability to address a User Request or if the Customer fails to address a User Request within ten (10) days, Regpack shall provide commercially reasonable assistance to facilitate such User Request to the extent Regpack is legally permitted and/or required to do so, technically can provide assistance and provided that such User Request is exercised in accordance with Applicable Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Regpack’s provision of such assistance.

Transfers of EU Data. For transfers of EU Personal Data to Regpack for processing by Regpack in a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing ‘adequate’ data protection, Regpack agrees it will (a) comply with and provide at least the same level of privacy protection for EU Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield frameworks; or (b) use the form of the Standard Contractual Clauses set forth in Exhibit 1 to enable the lawful transfer of EU Personal Data. Regpack shall promptly notify Customer of any inability by Regpack to comply with the provisions of this Section.

Regpack Personnel

8.1. Confidentiality. Regpack shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Regpack shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

8.2. Reliability. Regpack shall take commercially reasonable steps to ensure the reliability of any Regpack personnel engaged in the Processing of Personal Data.

8.3. Limitation of Access. Regpack shall ensure that Regpack’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.

8.4. Data Protection Officer. Regpack has appointed a data protection officer. The appointed person may be reached at support@regpacks.com.

Deletion. On the expiration or termination of the Agreement (or, if applicable on expiration of any post-termination period during which Regpack may agree to continue providing access to the Services), after a recovery period of up to 30 days following such expiration or termination, Regpack will delete any Personal Information then in its possession and/or control within a maximum period of 90 days, unless applicable legislation or legal process prevents it from doing so.

Access; Export of Data. During the term of the Agreement, Regpack will make available to Customer, the Personal Data in a manner consistent with the functionality of the Services and in accordance with the terms of the Agreement. To the extent Customer, in its use and administration of the Services during the term of the Agreement, does not have the ability to amend or delete Personal Data (as required by applicable law), or migrate Personal Data to another system or service provider, Regpack will, at Customer’s reasonable expense, comply with any reasonable requests from Customer to assist in facilitating such actions to the extent Regpack is legally permitted to do so and has reasonable access to the relevant Personal Data.

Security. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the rights and freedoms of natural persons, Processor and each Processor affiliate, shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk including, as appropriate, the measures referred to in the GDPR. Processor shall maintain appropriate technical and organizational measures for protection of Personal Data (including protection against unauthorized or unlawful Processing, against accidental or unlawful destruction, loss, alteration or damage, and unauthorized disclosure of, or access to, Personal Data). Processor will not materially decrease its overall security of the Personal Data during the term of the Agreement.

Data Storage Upon Suspension or Cancellation

As part of our compliance with GDPR, Regpack will not store or provide access to unnecessary user data. To comply with this standard, we will purge user data based on the status of your account.

For suspended accounts, we can only store user information for up to 6 months. If you choose to suspend your Regpack account, it can only be suspended for a maximum of 6 months and will be automatically reactivated upon hitting this term limit. If you choose to cancel your account, this will result in all of your user information being purged immediately. All suspensions and cancellations must be requested and confirmed via written correspondence. All purged data cannot be recovered once removed. Billing on automatically reactivated accounts will resume according to terms outlined in Regpack Service Agreement.

Limitation of Liability. Each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement. For the avoidance of doubt, Regpack’s and its affiliates’ total liability for all claims from the Customer arising out of the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement and will not exceed the overall admin fees paid by Customer.

Order of Precedence. This DPA is incorporated into and forms part of the Agreement. For matters not addressed under this DPA, the terms of the Agreement apply. With respect to the rights and obligations of the parties addressed under this DPA, in the event of a conflict between the terms of the Agreement and this DPA, the terms of this DPA will control. In the event of a conflict between the terms of the DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.

Exhibit 1 – Standard Contractual Clauses

Name of data importing organization:

Regpack, Inc.

Address:

530 B St, Suite 1500

San Diego, CA 92101

E-mail:

support@regpacks.com

(the “data importer”)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection the parties have agreed on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), Clause 6, Clause 7, and Clause 9.
  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e), Clause 6, Clause 7, Clause 8, and Clauses 9 to 11, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e), Clause 6, Clause 7, Clause 8, and Clauses 9 to 11, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with acceptable security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8 to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer (Regpack Inc)

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

(ii) any accidental or unauthorised access; and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred; such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

Clause 6

Liability

The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation only from the data exporter for the damage suffered.

Clause 7

Mediation and jurisdiction

The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

  1. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

Clause 9

Governing law

The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely United States.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Obligation after the termination of personal data-processing services

The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, after a period of 30 days, at the choice of the data exporter, destroy all the personal data transferred and the copies thereof to the data exporter and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

United States

The Data Exporter is a/an entity who will use the Services provided by the Data Importer pursuant to the Agreement.

Data importer

Data importer is the owner and operator of a SaaS application that allows the customer to collect, analyze, and export user personal data with data exporter’s services and website.

Data subjects

Data subjects include the individuals about whom data is provided to Data Importer via the Services by (or at the discretion of) the Data Exporter. This may include, but is not limited to, personal data relating to the Data Exporter customers and employees.

Categories of data

The personal data transferred concern the following categories of data:

Name, personal addresses, telephone numbers, email, birthdates, payment details, IP addresses.

Processing operations

The personal data transferred will be subject to the following basic processing activities: personal data may be received, processed and stored in order to provide the Services, to communicate with the data exporter and to otherwise fulfill its obligations under the Agreement; access for customer service; in accordance with your use of features; abuse detection, prevention, and remediation; maintaining, improving, and providing our Services.

Sub-processors

Data exporter consents to sub-processing by the following subcontractors: Bluesnap, WePay, CardConnect, Mailgun, FullStory, BounceX, Incapsula, Rackspace.

Data exporter agrees the data importer is not liable for any and all acts of the subcontractors.

Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Clauses.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

In processing personal data under the Agreement, the Data Importer represents and warrants that it has implemented and will maintain the administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of personal data uploaded to the Services, as described in and set out at https://www.regpacks.com/regpack-security/. Data importer will not materially decrease the overall security of the Services during the term of the Agreement.