Uber Direct Terms of Use

1. Definitions. The following terms shall have the meanings set forth below:

a. “Affiliate” means with respect to any entity, any other entity that, directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with, such entity, where “control” (including the terms “controlled by” and “under common control with”) means the possession, directly or indirectly, of at least fifty percent (50%) of the voting equity of another entity, or the power to vote such voting equity, by contract or otherwise.

b. “Agreement” means the Uber Direct API Agreement entered into by and between a Company and Uber for the provision of the Uber Direct Services.

c. “Community Guidelines” means the guidelines, as updated from time to time which set expectations of all users of the Uber App and related services such as Uber Direct Services, including customers, merchants, and Delivery Persons. https://www.uber.com/legal/en/document/?name=general-community-guidelines&country=canada&lang=en for a link to the current version.

d. “Delivery Integration API” means the specific Uber application programming interface service which allows for access to delivery services provided by Delivery Persons.

e. “Delivery Person” means an independent contractor that intends to seek, receive, and fulfill on-demand requests for delivery services using Uber’s proprietary technology under license from Uber or its Affiliates. For clarity, the term “Uber” as used in the Agreement does not include Delivery Persons.

f. “Delivery-Informed Parties” means parties designated by Company to receive information regarding any delivery solicited from Delivery Persons by Company under the Agreement, including the intended recipient or its designee.

g. “Territory” means the geographic area within Canada permitted for Company by Uber for the purposes of requesting delivery services.

h. “Uber App” means UTI and its Affiliates’ mobile applications or mobile websites that allow users to access and use Uber’s products and services, as may be updated by Uber from time to time.

i. “Uber Direct” means the Uber service that enables the Company Client to request delivery services from Delivery Persons by using the Uber Direct Services and the Delivery Integration API.

j. “Uber Direct Services” means the Uber Canada services, including lead generation marketplace connection services, being on-demand intermediary and related services through a digital technology network, that will allow Company to connect with Delivery Persons providing Delivery Services and to purchase such Delivery Services from Uber Canada, that, in connection with UTI and its Affiliate’s Delivery Integration API, enables Clients to place orders through the Company Service and request that such orders be delivered by Delivery Persons.

k. Uber Personal Data” means any information Uber provides to Company in connection with the Agreement relating to an identified individual or an identifiable individual or which can be reasonably used to identify an individual, or that may otherwise be considered “personal data” under applicable law.

2. Confidentiality.

(a) Definition of Confidentiality. The term “Confidential Information” shall mean any confidential or proprietary business, technical or financial information or materials of a party (“Disclosing Party”) provided to the other party (“Receiving Party”) in connection with the Agreement, whether orally or in physical form, and shall include the terms of the Agreement. However, Confidential Information shall not include information (i) previously known by Receiving Party without an obligation of confidentiality, (ii) acquired by Receiving Party from a third party which was not, to Receiving Party's knowledge, under an obligation of confidentiality, (iii) that is or becomes publicly available through no fault of Receiving Party, or (iv) that Disclosing Party provides written permission to Receiving Party to disclose, but only to the extent of such permitted disclosure.

(b) Restrictions. Receiving Party agrees that (i) it will use Confidential Information solely for the purposes permitted under the Agreement, and (ii) it will not disclose the Confidential Information to any third party other than Receiving Party’s employees, Affiliates or agents who are bound by obligations of nondisclosure and restricted use at least as strict as those contained herein. In the event Receiving Party receives a subpoena, administrative or judicial order, or any other request for disclosure of any Confidential Information of Disclosing Party, Receiving Party will give Disclosing Party prompt written notice of such subpoena, order or request and allow Disclosing Party to assert any available defenses to disclosure.

(c) Confidential Information Security. Receiving Party will protect the Disclosing Party’s Confidential Information in the same manner that it protects the confidentiality of its own proprietary and confidential information, but in no event using less than a reasonable standard of care.

3. Delivery Integration API.

(a) In order to utilize the Delivery Integration API throughout the Term, Company must establish a developer account by completing the online sign up process available at developer.uber.com, which, among other things, requires Company to agree to the UTI API Terms of Use (“API Terms of Use”) available at https://developer.uber.com/docs/businesses/terms-of-use, as may be updated or modified from time to time by UTI or its Affiliates. Company’s use of the Delivery Integration API shall be governed by the API Terms of Use and the terms of the Agreement. Company represents and warrants that throughout the Term it will use the Delivery Integration API solely in accordance with the API Terms of Use and the Agreement. In the event of a conflict between the API Terms of Use and the Agreement, the terms of the Agreement shall control solely with respect to that conflict. Capitalized terms used but not otherwise defined in the Agreement shall have the respective meanings ascribed to such terms in the API Terms of Use.

(b) Design Implementation. Company will implement the Delivery Integration API into the Company Service in a manner consistent with the implementation guidelines agreed to by the parties in writing before launch. Additionally, Company agrees that it will use Uber’s Marks (as defined below) in any demand channel, including for example Company’s website or app, where Uber Direct is being utilized or advertised. Uber will provide Company with requirements on design and placement of Uber’s Marks via email, and Company agrees to work in good faith with Uber in implementing said requirements. In the event that tipping and rating on Company’s products is substantially different from tipping and rating on the Uber App, the parties will mutually agree on a solution. Company shall be responsible for user support for the Company Service and any Company Client’s installation and operation of the Company Service. In addition, upon Uber’s request, Company shall use commercially reasonable efforts to provide fraud review and mitigation related to use of the Uber Direct Services in the Company Service.

4. Proprietary Rights.

(a) License to Marks; Restrictions. The term “Marks” shall mean the trademarks, service marks, trade names, logos, slogans and other identifying symbols and indicia of a party (“Licensor”). Each party hereby grants to the other party (“Licensee”), solely during the Term, a limited, royalty-free, non-exclusive, non-transferable, non-assignable license, without the right to sublicense, to use and display the Licensor’s Marks only as expressly permitted by the other party in writing in each instance. All use of a Licensor’s Marks by Licensee will be in the form and format approved by Licensor, and Licensee will not otherwise use or modify Licensor’s Marks without Licensor’s prior written consent. All goodwill related to Licensee’s use of Licensor’s Marks shall inure solely to the benefit of Licensor. Marks will at all times remain the exclusive property of the respective Licensor. Except as expressly set forth herein, Licensor does not, and shall not be deemed to, grant Licensee any license or rights under any intellectual property or other proprietary rights. All rights not granted herein are expressly reserved by Licensor.

(b) No Development. EACH PARTY ACKNOWLEDGES AND AGREES THAT NEITHER PARTY SHALL DEVELOP ANY TECHNOLOGY, CONTENT, MEDIA, OR OTHER INTELLECTUAL PROPERTY FOR THE OTHER PARTY PURSUANT TO THE AGREEMENT. The parties shall enter into a separate written agreement, as necessary, to govern any development activities relating to any technology, content, media, or other intellectual property prior to the commencement of any such activities.

(c) No Publicity. Other than as expressly set forth herein, neither party may use or reference the other party’s name, logo, trademarks or service marks in a press release or otherwise without the prior consent of such other party in each instance.

5. Insurance. During the Term and for one (1) year thereafter, each party shall maintain Commercial General Liability insurance and, if required by law, Worker’s Compensation insurance (or its equivalent) or comply with the legal obligations of contribution to the applicable workers compensation systems in relation to its employees. The Commercial General Liability insurance policy limits shall be One Million Canadian Dollars ($1,000,000) (or local currency equivalent thereof) combined single limit per occurrence for bodily injury, death and property damage liability, and Two Million Canadian Dollars ($2,000,000) (or local currency equivalent thereof) in aggregate. Company’s Commercial General Liability insurance policy shall include coverage for contractual liability, personal and advertising injury, products and completed operations. In addition, Uber agrees to maintain Commercial Automobile Liability insurance with limits not less than One Million Canadian Dollars ($1,000,000) per accident for bodily injury or property damage arising out of the ownership, maintenance or use of owned, hired, and non-owned vehicles. All policies shall be written by reputable insurance companies with an A.M. Best’s policyholder rating of not less than A-. Such insurance shall not be cancelled or materially reduced without thirty (30) days prior written notice to the other party. Upon a party’s request, the other party shall provide evidence of the insurance required herein. In no event shall the limits of any policy be considered as limiting the liability of a party under the Agreement.

6. Data Processing Restrictions. The parties agree that the terms and conditions included in Appendix A shall govern the data exchanged by the parties under the Agreement (the “Data Processing Terms”).

7. Uber Direct.

(a) Access to Services. After the parties finalize the Delivery Integration API in accordance with the Agreement, Uber will use commercially reasonable efforts to enable the Company to access Uber Direct within the Territory.

(b) Acknowledgments. Company expressly acknowledges and agrees that: (i) any and all delivery services provided to Company are provided by Delivery Persons, who provide independent third-party delivery services; (ii) all Marketplace Fees, Return Fees, cancellation fees or other fees charged to Company in accordance with the Agreement are nonrefundable except as may be expressly provided otherwise herein; (iv) Delivery Persons will not purchase items for delivery; (v) Delivery Persons reserve the right to refuse to accept any item in their sole discretion (vi) Delivery Persons shall not be responsible for packaging items; (vii) for the purposes of the Agreement, pickup and delivery locations for deliveries will be limited to within the Territory and the distance between each pickup and delivery location shall not exceed the delivery radius specified in the Agreement, unless otherwise agreed to by the parties in writing; and (viii) Uber has no control over the availability of products that are sold by Company Clients using Uber Direct.

(i) Company further acknowledges that Uber and its Affiliates will have no liability to Company or Company Clients for any loss, damage, non-delivery, or delay in the delivery of items requested by Company Clients for delivery, or any unexpected issues or changes made by Uber to Uber Direct in its discretion that could arise during Company’s use of Uber Direct. Uber and its Affiliates do not take title to any items that are requested for delivery through Uber Direct. Company agrees that no bailment is created by Company Client’s use of Uber Direct, and Uber and its Affiliates are not a bailee of goods.

(ii) Company Clients maintain title to all product inventory until such product is delivered to the delivery recipient and to the extent required by applicable law, products are sold or delivered to third parties under Company’s retail and food delivery license privileges. Company is responsible for the costs of all substandard (or undelivered) products and will cover the costs related to reimbursement to its customers in the event any such customer(s) request a refund for substandard (or undelivered) product(s) (including, without limitation, any costs associated with retrieving any such unsatisfactory product(s), if applicable). Uber does not maintain insurance for loss, damage, or theft in respect of any of Company Client’s products. Company Clients should contact an insurance agent or broker if insurance coverage is desired in connection with the delivery of its products using Uber Direct.

(iii) Company Clients will comply with all applicable safety, health and quality regulations for sale of the products that Company Clients requests be delivered through Uber Direct and in the event that Company fails to comply with such regulations, Uber is under no obligation to make such substandard products available via Uber Direct.

8. Requirements for Delivery.

(a) Company understands that it may provide instructions for the delivery of items at the delivery location.  If the items are undeliverable because the delivery recipient cannot be located or the delivery otherwise cannot be completed according to Company's delivery instructions, the items may be returned to Company at the original pickup location (each a “Return”).  Company shall accept any and all Returns and understands that in the event of a Return, Company will be charged fees associated with the Delivery Person’s return trip (“Return Fees”). In addition, Company shall be responsible for handling, including all charges related to, any pick-ups and returns from a delivery location where an item was delivered, but later found to be at the incorrect location.

(b) Company shall ensure that items provided to a Delivery Person through Uber Direct: (i) are collectively able to fit into, and are appropriate for transport in a standard midsize motor vehicle; and (ii) do not exceed 50 pounds per package, box, or parcel.

(c) Company will ensure that items are readily available for pickup upon arrival of a Delivery Person at the requested pick-up location. Company understands that if a Delivery Person refuses to accept an item due to size or weight, or such item is a Restricted Item, or because the Delivery Person is asked to purchase such item, Company will be responsible for: (1) a cancellation fee; and (2) any Return Fees.

(d) As between Uber and its Affiliates and Company, Company will be responsible for all support to intended recipients, including resolving any disputes or concerns from Delivery-Informed Parties related to deliveries requested via use of Uber Direct.

(e) If applicable, Company will ensure that Company and Company Clients have and will maintain all required license(s) and/or permit(s) to sell and deliver alcohol, and will comply with all applicable laws in respect thereof, including without limitation, time restrictions and legal age. When placing an order for Delivery Services, Company Client is obligated to: (i) inform Uber if a certain order contains alcoholic beverages, and (ii) include disclaimers of Company Client’s platform to provide customers with information about the restrictions for purchasing and delivering alcoholic beverages. If required under applicable law, Company Client will ensure that food or a meal is included with each delivery including alcoholic beverages, in a manner compliant with applicable laws. Company is solely responsible for ensuring that Company Client is aware of these requirements when preparing an order including alcoholic beverages.

9. Warranties and Disclaimers.

(a) Mutual Warranties. In addition to the representations and warranties in the API Terms of Use, each party hereby represents and warrants that (a) it has full power and authority to enter into the Agreement and perform its obligations under the Agreement, (b) such party’s acceptance of the Agreement, as well as such party’s performance of the obligations set forth in the Agreement, does not and will not violate any other agreement to which such party is a party, (c) it is in compliance and shall remain in compliance during the Term, with all applicable laws, rules and regulations, including those relating to data protection, privacy, identity theft, data breach, consumer protection, and data security, and any applicable industry standards relating to privacy and data security, (d) it is duly organized, validly existing and in good standing under the laws of the jurisdiction of its origin, and (e) such party’s Marks as provided by such party pursuant to the Agreement will not infringe or otherwise violate the intellectual property rights, rights of publicity or other proprietary rights of any third party.

(b) Company Warranties. In addition to the representations and warranties in the API Terms of Use, Company represents and warrants that (a) Company has all rights and legally adequate consents, where necessary, to provide Uber with Personal Data, as defined in Appendix A, and any other information provided to Uber hereunder; (b) Company will use Uber Personal Data solely for legitimate business purposes including business expense, processing, accounting, and budgeting purposes; (c) Company will only share and provide access to Uber Personal Data to Company personnel who have a business need to access such Uber Personal Data; (d) Company will not disclose Uber Personal Data to any third party, unless expressly authorized in writing by Uber, and who are in each case bound by privacy and security obligations regarding Uber Personal Data at least as restrictive as those contained herein; (e) Company will not rent or sell Uber Personal Data for any purpose not authorized by Uber; (f) Company will not disclose Uber Personal Data nor disclose Uber’s pricing or fares associated with Uber Personal Data to a competitor of Uber; (g) Company is not a government or quasi-government entity, or otherwise owned, controlled by, or created by a government entity; (h) the Company Service does not and will not infringe upon a third party’s intellectual property rights; and (i) Company will inform and obtain all necessary rights, permission and legally adequate consent from Delivery-Informed Parties: (1) to share personal data of such Delivery-Informed Parties with Uber; (2) to receive SMS messages from Uber or its Affiliates in connection with Uber Direct or to provide any communications, including via automated voice dialing, pursuant to the Agreement; and (3) for Uber to provide Company and/or the applicable Company Client with detailed trip information, including real-time delivery status, for the deliveries charged to Company.

(c) Disclaimer. UBER PROVIDES UBER DIRECT “AS IS” AND WITHOUT WARRANTY. UBER DOES NOT WARRANT THAT THE FUNCTIONS CONTAINED IN UBER DIRECT WILL MEET COMPANY’S REQUIREMENTS OR THAT THE OPERATION OF UBER DIRECT WILL BE UNINTERRUPTED OR ERROR FREE. UBER HEREBY DISCLAIMS ALL OTHER WARRANTIES WITH RESPECT TO THE AGREEMENT, WHETHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, (A) ANY IMPLIED OR STATUTORY WARRANTIES COVERING UBER DIRECT, AND (B) ANY IMPLIED WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT OR FITNESS FOR A PARTICULAR PURPOSE. COMPANY ACKNOWLEDGES AND AGREES THAT UBER DIRECT IS A TECHNOLOGY SERVICE THAT ENABLES ACCESS TO REQUEST ON-DEMAND LOGISTICS SERVICES PROVIDED BY INDEPENDENT THIRD-PARTY PROVIDERS. UBER IS NOT A LOGISTICS PROVIDER. UBER DOES NOT GUARANTEE AVAILABILITY OF LOGISTICS SERVICES, ON-TIME ARRIVALS OR DEPARTURES THEREOF, OR ANY OTHER SERVICES LEVELS RELATED TO INDEPENDENT LOGISTICS PROVIDERS THAT MAY BE OBTAINED VIA UBER DIRECT.

10. Delivery Informed Parties.

(a) To permit Uber to send information and updates regarding the delivery to parties designated by Company, Company shall, before requesting delivery services as described herein, obtain from such parties, and submit to Uber, the following information (collectively, “Delivery-Informed Data”) with respect to such Delivery-Informed Parties: (i) active telephone number; (ii) delivery drop-off location; and (iii) other optional trip related data (e.g., billing code, trip purpose, message to Delivery Persons).

(b) Company shall ensure that all data provided to Uber is accurate and complete, and Uber shall not be liable to Company, any Company Client, or any other party with respect to inaccurate or incomplete Delivery-Informed Data supplied to Uber by Company.

(c) Company shall be solely responsible for contacting, or facilitating contact with, any Delivery-Informed Parties. Uber shall have no responsibility for contacting or providing messaging of any sort pursuant to the Agreement to any individual for whom Company has not provided Uber any Delivery-Informed Data.

11. Delivery Person Verification and User Safety Policies. Uber is responsible for contracting terms with all independent contractors using the Uber technology systems under license from UTI or its Affiliate(s) to provide transportation, delivery or other services. The following shall apply:

(a) Screening Standards. Uber Canada (or an Uber Canada Affiliate) shall ensure that all prospective Delivery Persons are screened using a third-party service accredited by a nationally-recognized background screening organization, to the extent such organization exists. The screening standard applied shall conform to Uber’s then-current background check practices on the Uber systems and in the relevant jurisdiction.

(b) Screening Information. During the course of the screening process the following information shall be collected and maintained (unless such information should not be maintained due to privacy considerations or other applicable law) in accordance with Uber’s then-current practices: (a) full name; (b) date of birth; (c) driver’s license number; and (d) copy of driver’s license.

12. Indemnification.

(a) In addition to the indemnification obligations in the API Terms of Use, each party (the "Indemnifying Party") will indemnify, defend and hold harmless the other party (the “Indemnified Party”), its Affiliates and their respective directors, officers, employees, consultants, agents, successors and assigns from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable outside attorney fees) with respect to any third-party claim arising out of or related to: (i) a breach (or claim that, if true, would be a breach) of any of the Indemnifying Party’s representations or warranties in the Agreement, or (ii) the infringement of a third party’s intellectual property rights by the Indemnifying Party’s Marks, but only if such Marks have been used by the Indemnified Party in the manner approved by the Indemnifying Party.

(b) In addition to the indemnification obligations in the API Terms of Use, Company will also indemnify, defend and hold harmless Uber, its Affiliates, and its and their respective directors, officers, employees, consultants, agents, successors, and assigns from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable outside attorney fees) with respect to any third-party claim arising out of or related to: (a) the use of Uber Direct by any Company Client or Delivery-Informed Party; (b) any personal injury or damage to property arising from the items requested by Company or any Company Client for delivery; (c) Company’s or any Company Client’s inclusion of a Restricted Item; or (d) the use of Uber Direct by any Company Client that has not accepted the Company Client Terms, or if Company is unable to provide a record of such acceptance to Uber, as outlined in the Agreement.

(c) The Indemnified Party shall provide prompt notice to the Indemnifying Party of any potential claim subject to indemnification hereunder. The Indemnifying Party will assume the defense of the claim through counsel designated by it and reasonably acceptable to the Indemnified Party. The Indemnifying Party will not settle or compromise any claim, or consent to the entry of any judgment, without written consent of the Indemnified Party, which will not be unreasonably withheld. The Indemnified Party will reasonably cooperate with the Indemnifying Party in the defense of a claim, at the Indemnifying Party’s expense.

13. Limits of Liability. OTHER THAN WITH RESPECT TO A PARTY’S (X) BREACH OF THE REPRESENTATIONS OR WARRANTIES SET FORTH HEREIN, OR (Y) INDEMNIFICATION OBLIGATIONS, AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL UBER OR COMPANY BE LIABLE (A) FOR ANY INDIRECT, PUNITIVE, INCIDENTAL, EXEMPLARY, SPECIAL OR CONSEQUENTIAL DAMAGES, OR FOR LOSS OF BUSINESS OR PROFITS, SUFFERED BY ANY PARTY HERETO OR ANY THIRD PARTY ARISING OUT OF THE AGREEMENT, WHETHER BASED ON CONTRACT, TORT, OR ANY OTHER LEGAL THEORY, EVEN IF UBER OR COMPANY (OR THEIR AGENTS) HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND (B) UNDER THE AGREEMENT FOR ANY DIRECT DAMAGES IN AN AMOUNT EXCEEDING ONE HUNDRED THOUSAND DOLLARS ($100,000). EACH PARTY ACKNOWLEDGES THAT THE FOREGOING LIMITATIONS ARE AN ESSENTIAL ELEMENT OF THE AGREEMENT BETWEEN THE PARTIES, AND THAT IN THE ABSENCE OF SUCH LIMITATIONS, THE FEES AND OTHER TERMS SET FORTH IN THE AGREEMENT WOULD BE SUBSTANTIALLY DIFFERENT.

14. Affiliates. The parties hereby acknowledge and agree that Company and each of its Affiliates may utilize the Delivery Integration API and Uber Direct Services upon execution of the Agreement. Any such Affiliate shall be bound by all of the terms and conditions applicable to Company under the Agreement, and entitled to all rights and protections afforded Company under the Agreement, provided, however, Company shall continue to bear legal responsibility for all acts or omissions of such Affiliate. The parties acknowledge and agree that any services to be rendered or licenses provided under the Agreement may be performed by Uber Canada or granted by UTI, respectively, directly, or by any of Uber Canada or UTI’s Affiliates, as may be required from time to time for the performance of Uber Canada and UTI’s obligations under the Agreement.

15. Force Majeure. Nonperformance of either party under the Agreement shall be excused to the extent and during the period that performance is rendered impossible by strike, fire, flood, hurricane, earthquakes, other natural disaster, governmental acts or orders or restrictions, failure of suppliers, or contractors, or any other reason where failure to perform is beyond the reasonable control and not caused by the negligence of the non-performing party (“Force Majeure Event”). The affected party will promptly notify the other party upon becoming aware that any Force Majeure Event has occurred or is likely to occur and will use commercially reasonable efforts to minimize any resulting delay in or interference with the performance of its obligations under the Agreement.

16. Independent Contractor. Uber Canada, UTI and Company are and shall remain independent contractors. Neither party is the representative or agent of the other and neither party shall have any power to assume any obligations on behalf of the other.

17. Headings. Section headings are for convenience only and shall not be considered in the interpretation of the Agreement.

18. Waiver. The failure of either party to enforce, at any time or for any period of time, the provisions hereof, or the failure of either party to exercise any option herein, shall not be construed as a waiver of such provision or option and shall in no way affect that party’s right to enforce such provisions or exercise such option.

19. Non-Discrimination. Company shall not, in its use of the services under the Agreement, discriminate against any employee, volunteer, or participant, or individual based on race, colour, gender, pregnancy, marital status, familial status, sexual orientation, gender identity or expression, religion, ancestry, national origin, disability, or age except that programs may target beneficial services for specific participant groups, as agreed upon between Uber and Company. Company acknowledges and agrees that upon Uber’s receipt of evidence of Company’s discrimination under any of these categories, Uber shall have the right to immediately terminate the Agreement following notice to Company.

20. Severability. In the event any provision of the Agreement is determined to be invalid or unenforceable by ruling of a court of competent jurisdiction, the remainder of the Agreement (and each of the remaining terms and conditions contained herein) will remain in full force and effect.

21. Survival. The terms and conditions of the Agreement that by their nature and context are intended to survive termination hereof will so survive, including without limitation, all outstanding payment obligations under the Agreement. Upon termination of the Agreement by either Party, Company must cease any access to or use of the Delivery Integration API.

22. Assignment. The Agreement is not transferable and may not be assigned by either party, in whole or in part, without the prior written consent of the other party, provided that each Party may assign the Agreement without such consent, but with notice to the other, in connection with a merger or a sale of all of the equity or assets of either Party. Notwithstanding the foregoing, Uber may assign the Agreement to an Affiliate without notice or the prior written consent of Company. Subject to the foregoing, the Agreement shall be binding upon all successors and assigns of a party.

Appendix A

Data Processing Terms

DEFINITIONS

The following terms shall have the following meanings. Capitalized terms not defined herein shall have the same meaning set forth in the Agreement.

1. “Company Personal Data” means the Personal Data provided by Company to Uber in connection with the Agreement. For the avoidance of doubt, the term “Company Personal Data” does not include Personal Data collected from Data Subjects by Uber.
2. “Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including the California Consumer Privacy Act of 2018, the Act Respecting the Protection of Personal Information in the Private Sector (Quebec) and the Personal Information Protection and Electronic Documents Act (Canada).
3. “Data Subject” means an identified or identifiable natural person.
4. “Information Security Incident” means an unauthorized or unlawful processing or unauthorized loss, destruction, damage, alteration, or disclosure of Personal Data.
5. “Personal Data” means any information in connection with the Agreement that can reasonably be used to identify a Data Subject, or that may otherwise be considered personal data or personal information under applicable Data Protection Laws.
6. “Process,” “Processes,” “Processing,” or “Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collecting, recording, accessing, releasing, disclosing, making available, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise, aligning or combining, restricting, erasing or destroying.
7. “Services” means the services provided or received by the parties pursuant to the Agreement.
8. GENERAL TERMS
   1. Personal Data Processing
      1. Uber Obligations and Limitations.
         1. Uber shall Process Company Personal Data solely as necessary to facilitate the provision of the the Services (including any ancillary activities related to the Services such as product and service improvement, analytics, customer support, safety and fraud prevention purposes but excluding any direct marketing and advertising purposes) and to protect and enforce its rights and/or as may be required by applicable law or regulation. Uber may not use Company Personal Data for any other purpose unless otherwise agreed by the parties in writing.
         2. Uber shall (1) limit access to Company Personal Data to only those employees, agents or third-party vendors that require access to perform their roles and responsibilities in connection with the Services, and (2) under no circumstances rent, sell or disclose Company Personal Data, except as otherwise allowed or contemplated in these Data Processing Terms or the Agreement.
         3. Uber shall retain Company Personal Data for only so long as necessary to perform its obligations under the Agreement (including any ancillary activities), unless otherwise required under applicable laws.
      2. Company Obligations and Limitations.
         1. Company shall Process Uber Personal Data solely as necessary to facilitate the provision of the Services (including any ancillary activities but excluding any direct marketing and advertising purposes) and to protect and enforce its rights and/or as may be required by applicable law or regulation, and may not use Uber Personal Data for any other purpose unless otherwise agreed by the parties in writing.
         2. Company shall (1) limit access to Uber Personal Data to only those employees, agents or third-party vendors that require access to perform their roles and responsibilities in connection with the Services, and (2) under no circumstances rent, sell or disclose Uber Personal Data, except as allowed or otherwise contemplated in these Data Processing Terms or the Agreement.
         3. Company shall retain Uber Personal Data for only so long as necessary to perform its obligations under the Agreement (including any ancillary activities), unless otherwise required under applicable laws.
      3. Compliance with Data Protection Laws.
         1. The parties shall comply with the obligations applicable to them under the Data Protection Laws with respect to their Processing of Personal Data. Each Party shall notify the other Party if it reasonably determines that it cannot meet its obligations under the Data Protection Laws with respect to the Personal Data it has received from the other Party.
         2. A Party that has made Personal Data available to the other Party under the Agreement (“Disclosing Party”) will have the right to take reasonable and appropriate steps to help ensure that such other Party (“Receiving Party”) Processes such Personal Data in a manner consistent with its obligations under Data Protection Laws by requesting that the Receiving Party attest to its compliance with these Data Processing Terms. Following any such request, the Receiving Party will promptly provide that attestation or notice about why it cannot provide it. If the Disclosing Party reasonably believes that the Receiving Party Processes the Personal Data in breach of these Data Processing Terms, upon reasonable prior written notice, it will have the right to take reasonable and appropriate steps to stop and remediate unauthorized use of the disclosed Personal Data.
      4. Data Subject Requests. Each Party will be responsible for responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws (“Data Subject Requests”). If a Party receives a Data Subject Request or other inquiry regarding the other Party’s Processing of Personal Data under the Agreement, such Party will promptly inform the other Party and will advise the Data Subject to submit their request to this Party.
      5. Cooperation. Both parties agree to reasonably cooperate and assist each other in relation to any regulatory inquiry, complaint or investigation concerning the Personal Data shared between the parties.
      6. Third-parties. If and to the extent either Party transfers any Personal Data received from the other Party to any third party, such Party shall first enter into contractual arrangements with such third party containing privacy and security obligations that are at least as restrictive as those contained in these Data Processing Terms.
      7. Information Security Incidents.
         1. Uber shall promptly notify Company in the event that Uber learns that an Information Security Incident has occurred in relation to Company Personal Data. This notification includes at least: (1) the nature of the breach of security measures; (2) the potentially compromised Company Personal Data and Data Subjects; (3) the duration and expected consequences of the Information Security Incident; and (4) any mitigation or remediation measures taken or planned in response to the Information Security Incident. Upon any such discovery, Uber shall: (a) take all reasonable steps to investigate, remediate, and mitigate the effects of the Information Security Incident; and (b) provide Company with assurances reasonably satisfactory to Company that such Information Security Incident will not recur. Additionally, if and to the extent any Information Security Incident occurs in relation to Company Personal Data as a result of an act or omission of Uber, and if Company determines that notices (whether in Uber’s or Company’s name) are warranted, Uber shall, at Company’s request and at Uber’s cost and expense, undertake the aforementioned remedial actions.
         2. Company shall promptly notify Uber in the event that Company learns that an Information Security Incident has occurred in relation to Uber Personal Data. This notification includes at least: (1) the nature of the breach of security measures; (2) the potentially compromised Uber Personal Data and Data Subjects; (3) the duration and expected consequences of the Information Security Incident; and (4) any mitigation or remediation measures taken or planned in response to the Information Security Incident. Upon any such discovery, Company shall: (a) take all reasonable steps to investigate, remediate, and mitigate the effects of the Information Security Incident; and (b) provide Uber with assurances reasonably satisfactory to Uber that such Information Security Incident will not recur. Additionally, if and to the extent any Information Security Incident occurs in relation to Uber Personal Data as a result of an act or omission of Company, and if Uber determines that notices (whether in Uber’s or Company’s name) are warranted, Company shall, at Uber’s request and at Company’s cost and expense, undertake the aforementioned remedial actions.
9. SECURITY MEASURES
   1. Organizational Security Measures.
      1. Security Program. The parties have developed and implemented, and will consistently update and maintain as needed: (i) a written and comprehensive information security program in compliance with applicable Data Protection Laws; and (ii) reasonable policies and procedures designed to detect, prevent, and mitigate the risk of data security breaches or identify theft (“Security Program”). Specifically, the Security Program shall include, at a minimum:
         1. a data loss prevention program, with appropriate policies and/or technological controls designed to prevent loss of Personal Data; and
         2. a disaster recovery/business continuity plan that addresses ongoing access, maintenance and storage of Personal Data as well as security needs for back-up sites and alternate communication networks.
      2. Access.
         1. The parties shall reasonably update all access rights based on personnel or computer system changes, and shall periodically review all access rights at an appropriate frequency to ensure current access rights to Personal Data are appropriate and no greater than are required for an individual to perform his or her functions necessary to fulfill the purposes of the Agreement.
         2. The parties shall verify all access rights through effective authentication methods.
   2. Physical Security Measures. The parties shall maintain appropriate physical security measures for any facility used to Process Personal Information and continually monitor any changes to the physical infrastructure, business, and known threats.
   3. Technical Security Measures
      1. Vulnerability scanning and assessments. The parties shall perform vulnerability scanning and assessments on new and key applications and infrastructure.
      2. Access Control and Limiting Remote Access. The parties shall secure its computer networks using multiple layers of access controls to protect against unauthorized access.
         1. The parties shall restrict access through mechanisms such as, but not limited to, management approvals, robust controls, logging, and monitoring access events and subsequent audits.
         2. The parties shall identify computer systems and applications that warrant security event monitoring and logging, and reasonably maintain and analyze log files.
      3. Security Patches. The parties shall deploy all applicable and necessary system security patches to all software and systems that Process, store, or otherwise support the Agreement.
      4. Virus/Malware Scanning. The parties shall use up-to-date, industry standard, commercial virus/malware scanning software that identifies malicious code on all of its systems that collect, use, disclose, store, retain or otherwise Process Personal Data.