Mabel

Terms of Service

Last Updated: October 4th, 2024

These Terms of Use (the “Terms”) set forth the terms and conditions that govern (i) access to, and use of the software application provided by Siena Labs, Inc. (the “Platform”), (ii) the access to, and use of our website available at the URL www.siena.cx (“Site”) and (iii) the access to, and use of the content of the Platform and of the Site including of the services provided by Siena (the “Services”).

Please carefully read these Terms as they contain important information concerning your rights and obligations. These Terms include various limitations and exclusions, defining Siena's liability in certain cases, determining the jurisdiction and authorities on matters of conflict resolution, as well as the applicable legislation to Siena Services.

These Terms are a legal agreement between you (i) as a commercial user of the Platform (“Client”), or (ii) as an individual user only navigating through our Site (“you”, “your”, or “user”) and Siena Labs Inc., a company incorporated under the United States law, having its headquarters in 1209 Orange Street, Wilmington, New Castle, DE, 19801, ("Siena", “we”, "us"). Before you use the Platform, you will need to agree to these Terms. We are only willing to make the Platform available to you if you accept all of these Terms. Otherwise, you may not access or use the Platform. The use of our presentation Site represents your confirmation that you understand and agree to all of these Terms.

In case you use the Platform and/or Site on behalf of a company, you represent that you have the legal authority to accept these Terms on behalf of the respective company. In such a case, when using “you” in these Terms, we will refer to the respective company.

We reserve the right to change the Terms at any time and in our sole discretion. If we make changes to these Terms, they will become effective when we make the updated version of the Terms available on the Platform and on the Site and update the “Last Updated” date found at the top of these Terms and we will inform you accordingly. In such a case, in order to continue to use the Platform, you need to agree to the newly amended Terms.

1. THE PLATFORM

The Platform can be installed by Clients (for example, online shops) including at the URL address https://app.siena.cx. The Platform is designed to help the Clients to support and engage with their Users and to automate conversations.

2. USAGE OF THE PLATFORM

Subject to compliance with these Terms of Use, Siena may, on the terms and conditions set out in these Terms of Use, provide Client or You, as applicable, with access to Siena's proprietary conversational, artificial intelligence powered chatbot software services and any other products and services otherwise made available by Siena under these Terms of Use. In order to provide the Services, it will be necessary for Siena to communicate through various channels, including instant messaging, email and SMS. Accordingly, Client or You, as applicable, consent and grant us permission to communicate through such channels, and further agree to provide us with any further evidence required to document or affirm such consent and permission, in each case as required by applicable laws, in connection with these Terms of Use or our performance of the Services. Use of the Services also requires You to first obtain an account by completing a registration form. When registering, you must: (a) provide true, current and complete information about yourself on the registration form and (b) maintain such information so it continues to be true, current and complete.

When using the Platform, if required by applicable law, You must identify the Services as being provided by a virtual assistant and that the sessions are being recorded and obtain any required User consent.

3. FEES

In order to use our Platform, the Clients need to pay a monthly subscription fee (“Fee”), due every month on the date when the Trial Period expires.  Fees are not refundable.  

In order to pay the Fee, the Client has to add a bank card and to fill in the required details. On the due date of the Fee, the bank card registered by the Client will be automatically debited with the amount of the Fee. In case the bank card cannot be debited with the amount of the Fee, the access to our Platform will cease.  Client agrees to pay all costs of collection, including attorney’s fees and costs, on any outstanding balance.

The payment of the Fee shall be made by using the services of a third-party provider. Client understands and agrees that it must provide current, complete and accurate billing and payment information. We will not be responsible or liable for any claims, damages, payments, deficiencies, fines, judgments, settlements, liabilities, losses, costs and expenses arising out of or relating to the use of the respective payment services. In certain instances there may be banking or financial institution transaction fees or related charges, which Client understands and agrees it shall be responsible to pay.  

We have the right to change the Fees from time to time. When we do so, the updated Fees shall apply as of the date we make the updated version of the Terms available on the Platform and on the Site.

4. INTELLECTUAL PROPERTY RIGHTS

Unless otherwise indicated by us, all elements of the Platform and of the Site, all content and other materials therein are owned by us (or, as applicable, our licensors) and are protected by intellectual property rights. For the avoidance of doubt, the visual interfaces, design, text, graphics, pictures, systems, information, data, methods, software, computer code, organization, services, all other elements and any other documentation or other ancillary material provided to you (the “Content”) are owned by us or by our licensors and are protected by copyright, patents, trademarks, design, trade secrets, any other intellectual property rights and applicable law.

Client and You, as applicable, can use the Platform, the Site and the Content solely for the purposes provided by these Terms. However, you are not permitted to:

  • use the Platform, the Site or the Content other than for their intended purposes;
  • use any data mining, robots or similar data gathering or extraction methods;
  • sell, rent, lease, lend, redistribute, sublicense or make commercial use of the Platform, the Site or the Content;
  • copy, reverse engineer, decompile, disassemble or attempt to discover the source code of our Platform, the Site or Content;
  • modify, alter or otherwise make any derivative uses of the Platform, the Site or the Content, or any portion thereof, except as expressly permitted under these Terms;
  • remove, alter or obscure any copyright, trademark or other proprietary rights notice included in the Platform, the Site or Content;

Any use of the Platform, the Site or the Content other than as specifically authorized herein, without the prior written permission of Siena, is strictly prohibited. Such unauthorized use may also violate applicable laws, including without limitation, copyright and trademark laws. Unless explicitly stated by Siena, nothing in these Terms shall be construed as conferring any license to intellectual property rights, whether by implication or otherwise.

5. USER CONTENT

In case Client or You create any user content on our Platform, Client or you, as applicable, are solely responsible for all content created, transmitted and/or distributed through the Platform (“User Content”). It is a violation of this Agreement to create, transmit and/or distribute through the Platform any User Content that:

  • is illegal or unlawful, that would constitute, encourage or provide instructions for a criminal offense, violate the rights of any party, or otherwise create liability or violate any local, national or international law;
  • is defamatory, profane, obscene, pornographic, sexually explicit, indecent, lewd, vulgar, suggestive, violent, harassing, hateful, threatening, offensive, discriminatory, bigoted, abusive, inflammatory, invasive of privacy or publicity rights, fraudulent, deceptive or otherwise objectionable;
  • impersonates any person or entity or otherwise misrepresents your affiliation with a person or entity;
  • may infringe or violate any patent, trademark, trade secret, copyright, or other intellectual property right or other right of any party;
  • contains or depicts any statements, remarks or claims that do not reflect your honest views and experiences;
  • is designed to deceive or trick the users of the Platform;

6. USER CONDUCT

Client and You, as applicable, are solely responsible for your own conduct while accessing or using the Platform and the Site. Client and You, as applicable, agree to use the Platform and the Site only for purposes that are legal, proper and in accordance with these Terms and any applicable laws or regulations. Client and You, as applicable, agree that you will not and will not permit any third party to do, including but not limited to, any of the following:

  • use the Platform and the Site for any illegal or unauthorized purpose or engage in, encourage, or promote any illegal activity, or any activity that violates these Terms or any other rules or policies established from time to time by us;
  • use the Platform and the Site to violate the legal rights and the legitimate interests of others, including, but not limited to, transmitting or otherwise making available through the Platform of content that infringes the intellectual proprietary rights of any party;
  • remove any copyright, trademark or other proprietary rights notices contained in or on the Platform and the Site, or any part of it;
  • modify, adapt, hack, translate, or reverse engineer the Platform and the Site;
  • use any robot, spider, crawler, scraper or other automated means or interface not provided by us to access the Platform and the Site or to extract data;
  • attempt to indicate in any manner that you have a relationship with us or that we have endorsed you or any products or services for any purpose, unless we specifically consented to such conduct;
  • upload, send, distribute or disseminate any User Content that could be in any way interpreted as defamatory, unlawful, fraudulent, obscene, harassing or objectionable;
  • distribute any other harmful components such as, including but not limited to, worms, viruses, Trojan horses, corrupted files, defects, hoaxes;
  • impersonate another person by any means (e.g., by use of an email address, name, nickname or otherwise);
  • exploit the Platform and the Site for any unauthorized commercial purpose;
  • access or use the Platform and the Site for the purpose of creating a product or service competitive with any of our products or services;
  • register on the Platform and the Site on behalf of a company, without having the right to represent the respective company;

7. PUBLICITY AND BRANDING

The Client hereby grants to Siena a worldwide, free of charge, non-exclusive and non-transferable right during the term when the Client uses our Services to use the name of Client and its logo on our website or Platform in order to promote the fact that the Client uses our Services.

Client expressly agrees that we may, in our discretion, add our name (Siena) to the messages we send to the Users on behalf of the Client. For clarity, each message we send to the Users on behalf of our Clients shall contain a reference to our business name by inserting in the text the syntagm “Powered by Siena” (or similar designation).

8. INDEMNIFICATION

Each of Client and You agree, at your sole expense, to defend, indemnify and hold us, our officers, agents, employees, advertisers, licensors, suppliers or partners harmless from and against any claims, damages, payments, deficiencies, fines, judgments, settlements, liabilities, losses, costs and expenses of any kind or nature, including litigation costs, and legal fees arising out of or in any way related to (i) your use of the Platform and the Site; (ii) your violation of these Terms, applicable law or the rights of any third-party; or (iii) your breach of the provisions of this Agreement.

9. DISCLAIMER

Client and You, as applicable, expressly acknowledge and agree that your use of the Platform and the Site is at your sole risk and that the entire risk as to satisfactory quality, performance, safety, accuracy and effort is with you. The Platform and the Site are provided on an “as is” and “as available” basis. To the maximum extent permitted by applicable law, we disclaim any and all warranties and representations (express or implied, written or oral) in relation to, without limitation, the Platform, the Site or external websites or applications, including but not limited to any implied warranties of merchantability, implied warranties of fitness or suitability for any purpose and warranties of non-infringement, condition of title, accuracy, reliability. We do not warrant and/or represent that the Platform and the Site will meet accuracy and your requirements, that the use of the Platform and the Site will be uninterrupted, secure or error-free, or that the Platform and the Site is free of harmful components, such as viruses.

10. LIMITATION OF LIABILITY

Client and You, as applicable, acknowledge and agree that to the maximum extent permitted under applicable law, in no event will Siena be liable to you or to any other third party for any incidental, indirect, special, consequential, exemplary or punitive damages whatsoever including, but not limited to, damages for loss of profits (whether incurred directly or indirectly), loss of goodwill or business reputation, loss of data, cost of procurement of substitute goods or services, or any other intangible loss, arising out of or related to the Platform and the Site, regardless of the theory of liability (contract, warranty, tort, strict liability, product liability or other theory) and even if we have been advised of the possibility of such damages.

Client and You, as applicable, understand and agree that we will not be liable for any failure or delayed performance of our obligations that results from any condition beyond our reasonable control, including but not limited to, acts or omissions of third parties, earthquake, fire, flood, governmental action, acts of terrorism, labor conditions, power failures, Internet disturbances or server failures.

Client and You, as applicable, acknowledge that the Platform and the Site is Internet-based and you understand and accept the inherent security risks associated with such applications and websites, including but not limited to, the risk of losing the Internet connections, the risk of malicious software, the risk of hardware or software failure and the risk of unauthorized access by third parties to your account. Thus, you agree that our liability for any malfunctions, communication failures, delays, errors, or any breach of security you might incur shall be limited to the amounts we received from you for the access to the Platform during the twelve months prior to the event giving rise to the claim.

11. EXTERNAL SITES

The Platform and the Site may contain hyperlinks to third party websites or resources. These links to third party pages are provided for convenience only. In any event, especially because of the volatile nature of information on the Internet, Siena cannot control the nature or content of these external sources and therefore is not responsible and/or liable for the use or the unavailability of third party websites, nor for their content and advertising or other materials available on such third party websites that you might access via our Platform or the Site.

12. CHANGES OF THE PLATFORM AND OF THE SITE

We may, in our sole discretion and without cost to you, with notice at any time, modify or discontinue, temporarily or permanently, any portion or feature of our Platform and Site.

In no event will Siena be liable for the removal of or disabling of access to any portion or feature of the Platform or the Site.

13. SUSPENSION OR TERMINATION

In case Client or You, as applicable, breach these Terms, we may suspend or terminate in whole or in part, your access to the Platform at our sole discretion, immediately and without prior notice, and delete or deactivate your account. In such a case, we will notify you accordingly. The Clients have the possibility to uninstall the Platform and to delete their accounts (provided we may retain certain information about the commercial relationship with the respective user, in accordance with our Privacy Policy).

14. ASSIGNMENT

Siena may assign these Terms and/or any and all of its rights or delegate any and all of its obligations under these Terms without your consent. All provisions contained in these Terms shall extend to and be binding upon you and Siena's successors and assigns. You may not assign these Terms or any of your rights and/or obligations under these Terms to another person or entity.

15. PERSONAL DATA

Please refer to our Privacy Policy for information on how we collect, use, store and disclose your personal data.

16. SEVERABILITY

If any provision of these Terms shall be deemed unlawful, void or for any reason unenforceable, then that provision shall be deemed severable from these Terms and shall not affect the validity and enforceability of any remaining provisions.

17. ENFORCEMENT

Enforcement of these Terms is solely in our discretion and our failure to enforce any of the provisions in some instances does not constitute a waiver of our right to enforce such provisions in other instances.

18. GOVERNING LAW AND JURISDICTION

These Terms will be governed by and construed in accordance with the laws of the State of California. Any legal action or proceeding arising under these Terms will be brought exclusively in the courts located in San Francisco, California, and the parties irrevocably consent to the personal jurisdiction and venue there.

Arbitration. Read this section carefully because it requires the parties to arbitrate their disputes and limits the manner in which you can seek relief from Company. For any dispute with Company, Client and You, as applicable, agree to first contact us at legal@siena.cx and attempt to resolve the dispute with us informally. In the unlikely event that We have not been able to resolve a dispute after sixty (60) days, we each agree to resolve any claim, dispute, or controversy (excluding any claims for injunctive or other equitable relief as provided below) arising out of or in connection with or relating to this Agreement, or the breach or alleged breach thereof (collectively, “Claims”), by binding arbitration by JAMS, under the Optional Expedited Arbitration Procedures then in effect for JAMS, except as provided herein. JAMS may be contacted at www.jamsadr.com. The arbitration will be conducted in San Francisco, California, unless you and Company agree otherwise. If you are using the Service for commercial purposes, each party will be responsible for paying any JAMS filing, administrative and arbitrator fees in accordance with JAMS rules, and the award rendered by the arbitrator shall include costs of arbitration, reasonable attorneys’ fees and reasonable costs for expert and other witnesses. If you are an individual using the Service for non-commercial purposes: (i) JAMS may require you to pay a fee for the initiation of your case, unless you apply for and successfully obtain a fee waiver from JAMS; (ii) the award rendered by the arbitrator may include your costs of arbitration, your reasonable attorney’s fees, and your reasonable costs for expert and other witnesses; and (iii) you may sue in a small claims court of competent jurisdiction without first engaging in arbitration, but this does not absolve you of your commitment to engage in the informal dispute resolution process. 
Any judgment on the award rendered by the arbitrator may be entered in any court of competent jurisdiction. Nothing in this Section shall be deemed as preventing Company from seeking injunctive or other equitable relief from the courts as necessary to prevent the actual or threatened infringement, misappropriation, or violation of our data security, Intellectual Property Rights or other proprietary rights.

Class Action/Jury Trial Waiver. With respect to all persons and entities, regardless of whether they have obtained or used the Service for personal, commercial or other purposes, all Claims must be brought in the parties’ individual capacity, and not as a plaintiff or class member in any purported class action, collective action, private attorney general action or other representative proceeding. This waiver applies to class arbitration, and, unless we agree otherwise, the arbitrator may not consolidate more than one person’s Claims. You agree that, by entering into this Agreement, you and Company are each waiving the right to a trial by jury or to participate in a class action, collective action, private attorney general action, or other representative proceeding of any kind.

Appendix A - Data processing Agreement
For a signed copy of the DPA (including the full appendix content) click here.

Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into as of the Effective Date by and between Siena Labs Inc. (Siena) a company incorporated under the United States law, and the entity or person set forth on the last page hereto ("Customer"). Siena (Processor) and Customer (Controller) are sometimes referred to individually as "Party" or collectively as "Parties".

This DPA forms an integral part of and is concluded subject to the Terms of Service or Master Service Agreement, which Customer has concluded with Siena.

Whereas:

  1. the Customer is interested in using software application provided by Siena Labs, Inc. (the software and associated services are jointly referred to as "Services");
  2. Customer's use of the Services requires that Customer Users’ Data (as defined below) is processed by Siena;
  3. the Parties wish to set forth their mutual obligations regarding the processing of Customer Data (as defined below) by Siena;

The parties have agreed as follows:

  1. SUBJECT MATTER OF DPA

    1. Data Processing Agreement is entered into in connection with and for the purpose of performing the Siena Master Service Agreement (the "Master Agreement") or Siena Terms of Service (the “ToS”). The processing of personal data in connection with the performance of the Master Agreement or ToS is regulated by the US State Privacy Laws (as defined in Appendix 4 to this DPA) - the CPRA and the US State Privacy Laws, as well as Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("GDPR").
    2. Pursuant to the Data Processing Agreement, the Customer entrusts Siena with the personal data specified in Appendix 1 to the DPA ("Personal Data") for processing. A change in the scope of entrustment of processing does not require an annex, but only the consent of both Parties expressed in writing or electronically (including e-mail) by persons authorized to make statements under the Master Agreement or ToS. A change in the scope of entrustment as specified in the preceding sentence may not lead to an expansion of the Processor's obligations or limitation of its rights under the Master Agreement or ToS, including with regard to the remuneration due.
    3. We process Personal Data only for the fulfillment of the Master Agreement or ToS and to the extent necessary for its fulfillment and only during the term of the Master Agreement or ToS.
    4. We are obliged to process Personal Data in accordance with the "Applicable Data Protection Laws" which means the CPRA, GDPR or the US State Privacy Laws (as defined in Appendix 4 to this DPA).
  2. OBLIGATIONS OF THE PARTIES

    1. Customer, as the data controller, acknowledges and understands that in circumstances and to the extent described i to this DPA making use of the Services requires that Customer Users' Data are processed within the Services.
    2. Customer, as the data controller, confirms that this DPA along with Customer’s use and configuration of the Services and its individual features are the complete and final instructions to Siena for the processing of Customer Data. Siena will immediately inform the Customer if in its opinion the Customer’s instructions may infringe Applicable Data Protection Laws; Customer Data was and will be obtained in accordance with Applicable Data Protection Laws and that all required consents (if required) from people whose personal data is processed using the Services were collected and all information duties fulfilled.
    3. Siena, as a data processor, undertakes to only process Customer Data to make it possible for the Customer to make use of the Services and its individual features, solely on the basis and under the conditions specified in this DPA and Applicable Data Protection Laws.
    4. Siena is obliged to:
      1. apply all technical and organizational measures adequate to the level of risk to secure Personal Data under the principles set forth in Article 32 of the GDPR;
      2. assist the Customer in complying with the obligations set forth in Articles 32-36 of the GDPR, taking into account the nature of the processing and the information available to Siena;
      3. process Personal Data only at the Customer’s documented instruction, unless such an obligation is imposed on Siena by applicable national or EU law, in which case Siena will inform the Customer of this legal obligation prior to the start of processing, unless such law prohibits the provision of such information for reasons of important public interest; in particular, the Master Agreement or ToS is considered to be the documented instruction of the Controller;
      4. as far as possible, assist the Customer, through appropriate technical and organizational measures described i, in fulfilling its obligation to respond to the data subject's requests for the execution of their rights under Chapter III of the GDPR;
      5. ensure that persons authorized to process Personal Data undertake to maintain confidentiality, unless they are persons obliged to maintain confidentiality under the law;
      6. upon termination of the DPA, depending on the Customer’s request, to delete or return the Personal Data and delete copies thereof, unless otherwise provided by imperative law; within the limits set forth i to the DPA, Siena shall process the Personal Data on its own behalf, for the purpose of establishing, asserting or defending against claims that may arise in connection with the performance of the DPA or the Master Agreement or ToS.
    5. The provisions of Sections 2.1.1-2.1.6 do not expand Siena’s obligations with regard to the provision of services in accordance with the Master Agreement or ToS.
    6. Siena is authorized to further entrust the processing of Personal Data to sub-processors, the list of which is attached a to the DPA. Siena will inform the Customer of any significant intended change to the list of sub-processors in the way adopted for communication in accordance with the Master Agreement or ToS. The Customer can object to such change within the following 3 days. Siena ensures that it will only use the services of such sub-processors that provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the GDPR, as well as protects the rights of data subjects. Siena is obliged to ensure that at least the same obligations are imposed on sub-processors as those imposed on Siena in the DPA. Customer acknowledges that failure to agree to a change in the list of further processors may result in Siena’s inability to continue performing the Master Agreement or ToS, of which Siena will inform Customer immediately.
    7. Siena will share with Customer the information necessary to perform its duties related to the entrustment of the processing of Personal Data. Siena will allow Customer to carry out audits, including inspections, at a time agreed upon by the Parties, to the extent related to the entrustment of processing of Personal Data by Siena and will provide cooperation in this regard. The cost of the audit shall be incurred by each Party on its own, notwithstanding the outcome of the audit. Customer is obliged to maintain the confidentiality of all information obtained in connection with the audit, including the results of the audit, and to ensure that the persons it relies on to carry out the audit have also obliged themselves to confidentiality in this regard. The obligation of confidentiality applies for the term of the DPA and indefinitely thereafter. In the case when the preceding sentence becomes invalid or ineffective, the confidentiality obligation shall continue for the term of the DPA and for a period of 10 years thereafter.
    8. Siena is obliged to ensure that any person processing Personal Data on its behalf processes the data only at Customer instruction.
  3. DATA TRANSFER

    1. Siena may transfer Personal Data if:
      1. the destination country provides an adequate level of personal data protection to that of the European Union; or
      2. Customer and Siena or Siena’s sub-processor has entered into an agreement based on standard contractual clauses or have implemented another mechanism that legalizes the transfer of data to a third country in accordance with the law.
  4. LIABILITY

    1. Notwithstanding the provisions of the Master Agreement or ToS, the total contractual and tort liability of Siena in relation to the processing of Personal Data under the DPA is limited to an amount equivalent to the amount of Siena’s monthly remuneration under the Master Agreement or ToS, calculated according to the month in which the premise for the occurrence of the said liability occurred, unless otherwise provided by binding legal regulations.
  5. JURISDICTION SPECIFIC DATA PROTECTION CLAUSES

    1. If Customer is subject to any data protection laws of jurisdictions listed i, then the terms o supplement the clauses of sections 1 - 4 of this DPA.
  6. FINAL PROVISIONS

    1. The DPA is concluded for the term of the Master Agreement or ToS. The DPA may be terminated by Customer with immediate effect in the event of gross or repeated breaches of the DPA, GDPR or other applicable data protection laws by Siena - if Siena has been previously called upon to remedy the breaches, an additional period of not less than 30 days has been set for this purpose, and the period has expired without effect. Termination of the DPA shall be in writing under pain of ineffectiveness.
    2. Termination of the DPA is the basis for termination of the Master Agreement or ToS.
    3. Amendments to the DPA are possible only in writing under pain of ineffectiveness, unless the DPA expressly provides for another form for amendments.
    4. Any terms capitalized and not defined in the DPA have the meaning given to them in the Master Agreement or ToS.
    5. Any disputes having to do with the DPA will be adjudicated by the Court of competent jurisdiction in accordance with the Master Agreement or ToS.
    6. The Appendices to the DPA are an integral part of the DPA. The list of appendices is as follows:
      1. Appendix No. 1 - Scope of entrustment of personal data;
      2. Appendix No. 2 - Summary of security measures implemented by Siena;
      3. Appendix No. 3 - List of sub-processors;
      4. Appendix No. 3 - US Data Protection Laws Addendum

APPENDIX 1

Scope of entrustment of personal data

  1. The nature and purposes of processing: processing of personal data in connection with the provision of services in the form of Siena Enterprise Software Platform in order to fulfill the contract connecting the Controller and the Processor. Siena Enterprise Software Platform specifically supports the Controller in serving customers, prospects and others who interact with the Controller through automated interactions. 
  2. Data subject categories:
    • Controller’s employees and coworkers;
    • Controller’s clients;
    • Controller’s potential clients;
    • Controller’s contractors;
    • Controller’s potential contractors;
    • Any other person contacting the Controller on any matter.
  3. Type of personal data:
    • Contact information;
    • Content of the inquiry/notification/message;
    • Data on the established cooperation or concluded contract;
    • Data contained in the inquiry/notification/message.
  4. Location where personal data will be processed: European Economic Area, USA, Canada.
  5. Data processed by the Controller on its own behalf, in its role as Controller, for the purposes of establishing, asserting or defending against claims that may arise in relation to the performance of the DPA or Master Agreement: data related to the operation of the Siena Enterprise Software Platform.

APPENDIX 2

Summary of security measures implemented by Siena

This document describes security measures that Siena has implemented to ensure that Customer Data is processed in accordance with the Applicable Data Protection Laws and the DPA. This document is regularly updated to reflect changes made in Siena’s security and data privacy compliance program.

1. General organizational measures

  1. Data Protection Officer and Compliance Program. Siena has appointed a Data Protection Officer who is responsible for coordinating, monitoring and improving Siena’s security and data privacy compliance program ("Compliance Program"). The Compliance Program defines clear roles and responsibilities of Siena’s personnel. The Data Protection Officer is responsible for coordinating, monitoring and improving the Compliance Program.
  2. Confidentiality. Siena’s entire personnel is subject to confidentiality obligations and may only access personal data (personal information) subject to a prior, written authorization issued by Siena.

2. Training and awareness

  1. Personnel training. Siena conducts regular training sessions for its personnel on data protection rules and personnel roles within its Compliance Program. Siena also informs its personnel about possible consequences of non-compliance. These training sessions are conducted using anonymized data.

3. Physical and environmental security

  1. Physical access to data centers. Customer Data is processed within AWS data centers. Access to these data centers is restricted to identified Google staff members only. Siena personnel may not physically access these data centers.
  2. Protection from disruptions. Siena takes reasonable measures, in line with industry-accepted solutions, to protect against loss of data due to power supply failure, fire, natural disaster or line interference.
  3. Component disposal. Siena takes reasonable measures, in line with industry-accepted solutions, to delete Customer Data when it is no longer needed.

4. Access control

  1. Access authorization. Siena maintains a comprehensive register of personnel authorized to access its facilities and information systems. To ensure the security and integrity of its operations, Siena has implemented robust controls designed to prevent any individual who ceases employment or engagement with the organization from retaining access. This is achieved by deactivating their authentication credentials and revoking all access rights. Furthermore, Siena conducts regular audits, at intervals not exceeding 12 months, to verify that inactive authentication credentials are promptly deactivated. Deactivated or expired identifiers are not reassigned to other personnel or new members. Additionally, Siena adheres to industry-standard protocols for the timely deactivation of passwords that have been compromised or inadvertently disclosed.
  2. Limitation of privileges. A restricted and designated group of personnel is exclusively authorized to grant, modify, or revoke access privileges to Siena’s facilities and information systems. The access rights conferred upon personnel are strictly limited to those assets and resources necessary for the performance of their respective duties. This principle of least privilege ensures that access is confined to the minimum scope required for the execution of specific functions, thereby enhancing security and safeguarding sensitive information within the organization.
  3. Authentication of users. Siena employs industry-recognized solutions, including multifactor authentication, to identify and authenticate users accessing its information technology systems. Passwords are regularly updated and must conform to minimum standards established by Siena's security policies. Additionally, best practices are rigorously applied to ensure the confidentiality and integrity of passwords during assignment, distribution, and storage. These measures are designed to safeguard credentials and prevent unauthorized access to Siena's IT systems, in line with recognized security protocols.
  4. Monitoring. Siena continuously monitors its information systems to detect and prevent any attempts at unauthorized access, including the use of expired or invalid credentials. This monitoring is designed to promptly identify and mitigate security threats, ensuring that only authorized individuals with valid credentials can access Siena's systems, in accordance with its stringent security protocols.

5. Asset and operations management

  1. Endpoint protection. All computing endpoints are encrypted and protected against malware.
  2. Backup copies. Siena regularly creates backups of service settings, configuration details, and Customer Users' Data. These backups are maintained to ensure data integrity, continuity of operations, and the ability to restore critical information in the event of system disruptions or data loss, in accordance with Siena’s data protection and security protocols.
  3. Integrity and confidentiality. All personnel are required to terminate all active sessions upon leaving computers unattended to prevent unauthorized access. A limited and specifically designated group of personnel, whose duties necessitate remote access, is authorized to carry mobile devices and utilize them outside of Siena's premises. All such mobile devices are secured with password protection and equipped with encrypted storage, ensuring the confidentiality and integrity of data in accordance with Siena's security policies.

6. Incident management

  1. Malicious software. Siena has implemented comprehensive anti-malware controls to prevent malicious software from gaining unauthorized access to Customer Data and its information systems. These controls are designed to safeguard against threats originating from public networks, ensuring the protection of data and the integrity of Siena's systems in compliance with established security standards and best practices.
  2. Incident record. Siena maintains a detailed record of all security incidents, which includes the date and time of each incident, the consequences resulting from the breach, and the corrective measures implemented to prevent recurrence. This documentation ensures a systematic approach to incident management and enhances the organization's ability to mitigate future security risks in alignment with industry best practices and legal obligations.
  3. Service monitoring. Siena conducts regular verification and monitoring of system logs to detect any irregularities or suspicious activity. This continuous oversight is implemented to promptly identify potential security threats and ensure the integrity and security of Siena’s information systems, in accordance with its established security policies and procedures.

APPENDIX 4

US Data Protection Laws Addendum

1. The following terms and conditions apply additionally when we process Customer Data containing California consumers' personal information or otherwise subject to the California Consumer Privacy Act ("CCPA") (hereinafter jointly referred to as "CCPA Covered Data"):

  1. where we process CCPA Covered Data we are a "service provider" who processes CCPA Covered Data on your behalf and you are a "business", as defined in the CCPA;
  2. unless explicitly stated otherwise, in sections 1 – 4 of this DPA the term "you" shall be read to include "business", the term "us" or “Siena” shall be read to include "service provider", the term "data subject" shall be read to include "consumer" and the terms "Customer Data" shall be read to include "personal information", each as defined under the CCPA;
  3. as a service provider, we will process CCPA Covered Data only for the business purposes set forth in the Master Agreement or ToS and in this DPA;
  4. as a service provider, we undertake not to: (i) sell or share CCPA Covered Data; (ii) retain, use or disclose CCPA Covered Data for any purpose other than making your use of our Services possible or as otherwise may be permitted for service providers under the CCPA; (iii) retain, use or disclose CCPA Covered Data outside of the direct business relationship between us; (iv) combine CCPA Covered Data that we receive from you, or on your behalf, with personal information that we receive from, or on behalf of, another person or persons, or collect from our own interactions with consumers, unless such combination is required to perform any business purpose as permitted by the CCPA, including any regulations thereto, or by regulations adopted by the California Privacy Protection Agency;
  5. we will: (i) comply with obligations applicable to us as a service provider under the CCPA; (ii) provide CCPA Covered Data with the same level of privacy protection as is required by the CCPA, provided, however, that you are responsible for ensuring that you have complied, and will continue to comply, with the requirements of the CCPA in your use of the Services and your own processing of CCPA Covered Data; (iii) notify you without undue delay if we make a determination that we can no longer meet our obligations as a service provider under the CCPA; (iv) provide you with reasonable additional and timely assistance to assist you in complying with your obligations with respect to consumer requests under the CCPA in line with the procedure described in points 5.1. – 5.3. of this DPA; (v) observe the conditions for the engagement of sub-processors including by ensuring that we enter into a written agreement that complies with the CCPA, regarding, without limitation, the contractual requirements for service providers and contractors, with each such sub-processor that we engage to process CCPA Covered Data;
  6. you have the right to take reasonable and appropriate steps: (i) to help ensure that we use CCPA Covered Data in a manner consistent with your obligations under the CCPA; (ii) to stop and remediate unauthorized use of CCPA Covered Data; to exercise these rights, just contact us;
  7. you have the right to monitor our compliance with this DPA and the CCPA by using any of the means and methods described in section 9 of this DPA;
  8. we certify that we understand and will comply with our obligations as a service provider under the CCPA;
  9. we acknowledge and confirm that we do not receive Customer Data, Customer Email Data or Customer Emails as consideration for any Services provided to you.

2. The following terms and conditions apply additionally when we process Customer Data containing personal data subject to the US State Privacy Laws (as defined below) (all hereinafter jointly referred to as "US State Privacy Laws Covered Data"):

  1. for the purposes of this Addendum, the term "US State Privacy Laws" means: (i) the Virginia Consumer Data Protection Act; (ii) the Colorado Privacy Act; (iii) the Connecticut Data Privacy Act; (iv) the Utah Consumer Privacy Act; (v) any other applicable US state law relating to the protection of personal data, based on which you are a controller of personal data and we are a processor of personal data, provided that the terms and conditions of this Addendum meet the requirements set forth in such other state laws;
  2. unless explicitly stated otherwise, in sections 1 – 4 of this DPA the term "you" shall be read to include "controller", the term "we" or “Siena” shall be read to include "processor", the term "data subject" shall be read to include "consumer" and the terms "Customer Data", "Customer Email Data" and "Customer Emails" shall be read to include "personal data", each as defined under the US State Privacy Laws;
  3. we will: (i) adhere to your instructions regarding the processing of US State Privacy Laws Covered Data; (ii) provide you with necessary information to enable you to conduct and document data protection assessments as may be required pursuant to the US State Privacy Laws in line with the procedure described in point 5.4. of this DPA; (iii) make available to you, upon your reasonable request, all information in our possession necessary to demonstrate our compliance with our obligations as a processor under the US State Privacy Laws in line with the procedure described in section 2 of this DPA; (iv) undertake that each person processing US State Privacy Laws Covered Data is subject to a duty of confidentiality with respect to such data; (v) delete all US State Privacy Laws Covered Data in line with point 2 of this DPA, unless retention of US State Privacy Laws Covered Data is required by law; (vi) arrange for a qualified and independent assessor to conduct an assessment of our policies and technical and organizational measures implemented in support of our obligations under this Addendum, as well as provide a report of such assessment to you upon request in line with point 2 of this DPA; (vii) observe the conditions for the engagement of sub-processors including, without limitation, by ensuring that we enter into a written agreement that complies with the US State Privacy Laws with each such sub-processor that we engage to process US State Privacy Laws Covered Data and that we give you the opportunity to object against the involvement of a new sub-processor;
  4. taking into account the nature of processing and the information available to us, by appropriate technical and organizational measures, insofar as this is reasonably practicable, we will: (i) help you fulfill your obligation to respond to consumer rights requests made pursuant to the US State Privacy Laws in line with the procedure described in point 2 of this DPA; (ii) assist you in meeting your obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security regarding the Services, including in particular by providing relevant notices in line with section 2 of this DPA.