1.- Purpose and Scope 1.1.- This document regulates the terms of use of the Sealpath service (hereinafter, the Service), established between SEALPATH TECHNOLOGIES, S.L. (hereinafter, SEALPATH), with tax identification number B95620613 and registered office in Bilbao (Spain), calle Simón Bolívar 27, dpto. 29 and the Client. The Service consists of a system for the protection and management of access permissions to CAD files in electronic format, without, in principle, these documents being hosted or stored by SEALPATH. In this sense, the service allows the encrypting of an electronic file, determining permissions and authorised actions, and modifying and controlling these aspects even if the file has been shared to third parties. The Service incorporates a certificate hierarchy management functionality on which the encryption system is based, considered to be highly secure in accordance with current standards and the state of the art. 1.2.- The Service is offered in the following modalities: Sealpath SaaS, in which the information on the management and control of permissions will be hosted by SEALPATH. The Client will have access to a control panel and administration area to manage its users and permissions in the system hosted by SealPath. Integration with the Client’s systems will be possible through connectors, via Microsoft Windows Active Directory or other environments specifically foreseen in the offer/quote. The files will, in any case, be hosted on the Client’s systems. The integration/installation of the system or connectors in both modalities and technical support will be provided by a Sealpath Partner, whose services are independent and external to SEALPATH, and will be governed exclusively by the agreements that the Client concludes with the Partner. The terms and conditions of the Partner Programme are available at https://www.sealpath.com/partners-program/. In addition, the Service may incorporate different functionalities, such as centralised monitoring, management of corporate protections, data hosting, scalability and customisation depending on the environment and specific needs or specific availability conditions. Therefore, the scope, rights, obligations and responsibilities associated with the Service shall be determined according to the modality and advanced functionalities indicated in the corresponding offer, quotation or special conditions, which together with this document make up the Contract. 1.3.- For these purposes, the Client is understood to be the natural or legal person who contracts the Service for use as the end-user. The Client declares to be of legal age and to be legally capable of assuming the obligations and rights of the Contract. The person signing the Contract on behalf of the Client represents and warrants that he or she has sufficient authority to act on behalf of the entity in whose name or interest he or she is acting, and to bind the entity in accordance with the Contract. The Service is not available to consumers. 1.4. Access and use of the Service shall be limited to the Customer and staff or dependent associates of the same. Any use by unauthorized third parties shall be considered to contravene these terms and conditions, and may result in suspension or termination of the Service. The Client declares, under his/her responsibility, that all the information provided in the contracting process is true, complete and up to date. 1.5.- Access to and use of the Service shall be limited to the Client and to users specifically registered or registered by the Client. Any use by unauthorised third parties will be considered contrary to the Contract and may lead to the suspension or termination of the Service. The Client shall be responsible for the actions of the users, to whom the conditions of the Contract must be transmitted. 1.6.- Once the Service has been contracted, the termination or refund of the price by the Client will not be permitted until the contracted period has elapsed, unless the specific causes for termination provided for herein are met. 2.- Technical and access requirements to the Service 2.1.- In order to use the Service, the download and installation of the desktop application necessary to encrypt and share documents is required. The Client must establish an administrator profile, who will be responsible for activating the registration and deregistration of users linked to the Client, and for administering and managing the user’s access privileges and parameters. No registration is required to access files that have been shared by the Client with third parties. 2.2.- The Client undertakes to keep the user identifiers (email address) and passwords provided for personal and exclusive use by the Client confidential, and must contact SEALPATH (in the case of the SaaS option) or the Partner (in the case of the On Premise option) in the event of theft, loss or inappropriate use of the same by third parties. Otherwise, the Client shall be liable for all consequences or damages that a fraudulent or inappropriate use of the same may cause. 2.3.- [Applicable to SaaS only] There is no geographical or time limitation for access to the Service, which operates 24 hours a day, 365 days a year. However, please note that the quality and speed of use of its functionalities depends, to a large extent, on your computer equipment, your telecommunications provider or your network connection. Unless the offline access option has been specifically activated, in order to decrypt and access protected documents or files through the Service, an Internet connection will be required. 2.4.- In order to access and use all the functionalities of the Service, at least a personal computer, terminal or device with an Internet connection and a browser is required. The versions of operating systems supported, document editing and reading suites or the compatible document formats that can be protected are specified at https://sealpath.zendesk.com/hc/en-us/articles/229764727-Supported-formats-and-platforms . The Client is responsible for verifying the above before contracting the Service. 3.- Limitations on use 3.1.- SEALPATH hereby grants the Client, by means of this document, a licence to use the applications and tools that make up the Service, in accordance with the contracted modality, on a non-exclusive, non-transferable basis and without territorial limitation, for the duration of this Contract, limited to the purposes indicated. 3.2.- The Client undertakes to use the Service in accordance with the law, this Contract, as well as with generally accepted morals and good customs and public order, and to protect and safeguard the Service and all its elements, and may not assign or transfer to third parties in any way, the rights acquired through this Contract, nor allow, by any title or circumstance, its use by third parties, being definitively forbidden to use the Service for any other purpose other than the exclusive satisfaction of the agreed needs; In short, it may not, by way of example but not limitation, lease, lend, sell or sub-licence the software application or its complements, or carry out acts that imply a violation of the duty to protect the property of third parties. This shall apply both to the original source code and object as a computer application as well as to any modifications or adaptations made to it by SEALPATH, its functionalities, design, layout, structure, databases, images, sounds, animations and other incorporated elements. 3.3.- The Client undertakes to refrain from using the Service for illicit purposes or effects, contrary to that established in the Contract, that are harmful to the rights and interests of SEALPATH, or which in any way may damage, render useless, overload or deteriorate the Service or impede the normal use or enjoyment of the same by other clients or users. 3.4.- The Client is forbidden, including but not limited to reverse engineering, modifying, decompiling, disassembling, translating, versioning, commercialising, duplicating or transmitting to any person or entity, partially or in its entirety, in any form or by any means, whether mechanical, magnetic, by photocopy or any other means, or eliminating any notice of ownership or labels of the Service, the source code and object without prior and express written authorisation from SEALPATH, except within the limits expressly provided for by law. 3.5.- The Client shall be liable for any infringement committed by anyone who is dependent on him/her or through whose cause he/she has known or had direct or indirect access to the Service. 4.- Intellectual and industrial property 4.1.- The Service and the elements that comprise it are the exclusive property of SEALPATH and are protected by the laws and international treaties on intellectual property, including, but not limited to, any of its versions or modules, source or object code, graphic interfaces, databases, structure, design, images, sounds, texts, manuals, diagrams or other components. Failure to comply with the provisions of the applicable regulations and these conditions will give rise to the exercise of the corresponding civil or criminal actions for infringement of rights. In this case, apart from the compensation that may be due for the above acts, the Client undertakes to bear all the costs that the exercise of the corresponding actions may entail, including the fees and rights of the lawyer and court solicitor, even if their intervention is not compulsory. Excluded from the above are the elements of graphic personalisation and corporate image of the Client (only available in On Premise mode), data, content and information that form part of the documents or computer files created, disseminated or shared by the Client and its users, the ownership of which shall correspond exclusively to the latter, as well as the applications, resources and developments of third parties linked to the Service. On this point, SEALPATH uses technology from third party providers such as libraries, APIs/SDKs or service infrastructure as an authorised licensee. 4.2.- The name “Sealpath”, as well as the logos or anagrams included therein, constitute trademarks and are protected as industrial property. Their use is authorised provided that they make express and faithful reference to the products or services of the owner of the same, without this implying the granting of any property rights over the same. 4.3.- In the event that the Client should detect the infringement of the aforementioned rights by third parties, they shall notify SEALPATH as soon as possible, undertaking to collaborate with the latter in the exercise of investigations, civil or criminal actions which, where appropriate, they may decide to exercise. 5.- Protection of personal data 5.1.- The On Premise Service does not imply that SEALPATH has access to personal data relating to third parties linked to the Client, particularly in relation to access and permissions to encrypted and shared files or documents, their email address and other identifying data linked to the user profile. Access to and processing of said data shall correspond, where applicable, to Sealpath’s Partner, in accordance with the conditions agreed between the Client and Sealpath. However, in SaaS mode, SEALPATH will have access to personal data relating to third parties linked to the Client, which will be processed by SEALPATH in its own or third party systems. In accordance with the provisions of current legislation, for these purposes, the Client shall be considered the data controller and SEALPATH the data processor, in relation to the information strictly necessary to manage access and permissions to encrypted and shared files or documents, i.e. the name and group of those users to whom access privileges are granted, their email address and other identifying data linked to the user profile. For the purposes of the above, in the event of contracting in SaaS mode, and in accordance with article 28 of Regulation (EU) 2016/679, of the European Parliament and of the Council of 27 April 2016, General Data Protection Regulation (GDPR), and articles 33 and concordant articles of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights, or regulations replacing the above, the Client and SEALPATH agree to the following terms: a.- SEALPATH shall process the Client’s personal data solely for the purposes of providing the Service, in accordance with the instructions given in writing by the Client from time to time. In addition, the data may be used for the purpose of compiling statistics on access, use and performance by end users, with the aim of contributing to the improvement and optimisation of the Service, in an anonymised form as mere aggregate data that does not allow users to be identified. All this data will be kept confidential and secret even after the contractual relationship has ended. b.- SEALPATH guarantees the implementation of appropriate technical and organisational measures, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, as well as risks of varying likelihood and severity to the rights and freedoms of natural persons, in order to provide a level of security appropriate to the risk, which may include, among others: (i) pseudo-anonymisation and encryption of personal data; (ii) the continuing confidentiality, integrity, availability and resilience of the processing systems; (iii) the ability to restore availability and access to personal data promptly in the event of a physical or technical incident; and (iv) a process of regular verification, evaluation and assessment of the effectiveness of the technical and organisational measures to ensure the security of the processing. The specific measures shall be as determined by the Client, but generally provide for: (1) the determination and documentation of the functions and obligations of the personnel, including training in data protection; (2) the existence of a register and response plan for security incidents, procedures for risk analysis and impact assessment; (3) the implementation of a register and access control, which shall be kept for at least one year; (4) identification and authentication measures, which shall be kept for at least one year; (4) identification and authentication measures, including internal segregation of duties and a procedure for assigning secure passwords; (5) backup and recovery; and (6) control, maintenance and supervision of a Security Document containing the above measures. c.- SEALPATH undertakes to keep under its control and custody the personal data to which it has access as a result of the provision of the Service and not to disclose, transfer or otherwise communicate them, not even for storage to third parties. Excepted from the foregoing is the subcontracting of data hosting services on servers, which in any case shall be kept within the European Economic Area. Likewise, following the Client’s instructions and at the end of the Contract, SEALPATH undertakes to delete all personal data to which it has had access, unless it is necessary to keep them, duly blocked, for as long as legal liabilities may arise from its relationship with the Client. d.- SEALPATH undertakes to notify the Client, by e-mail to the address determined by the Client, as soon as it becomes aware of the existence of any incident or breach of data security, without undue delay. This notification shall include the information required under article 33 of the GDPR. e.- SEALPATH will keep a written record of all categories of processing activities carried out on behalf of the Client, in accordance with the content required by the GDPR, will cooperate with the Spanish Data Protection Agency or other supervisory authority, at the latter’s request, in the fulfilment of its powers, and will make available to the Client all information necessary to demonstrate compliance with the obligations set out in this Contract and to enable and contribute to the performance of audits or inspections by the Client 5.2.- Independently of the above, the data linked to the Contract shall be processed by SEALPATH as data controller, for the purpose of supervising, maintaining and executing the contractual relationship, as well as to comply with its legal, administrative, fiscal and accounting obligations, the foregoing being the legal bases that legitimise the processing. In addition, and in accordance with its own legitimate interest, SEALPATH may send the Client electronic commercial communications related to the same or similar services as those provided, without prejudice to the Client’s right to oppose the same at any time under the legally established conditions. The data will not be communicated to third parties except in the cases expressly permitted or required by law. The data will be processed mainly within the European Economic Area, although in the framework of the performance of certain ancillary services contracted to third parties, some data may be transferred outside the European Economic Area, subject to the adoption of the measures and guarantees provided for by law. The data will be kept for the duration of the contractual relationship or legal business between the parties and, in any case and duly blocked, until the prescription of any possible legal liabilities that may arise. SEALPATH will treat the data of the Client and third parties related to the latter confidentially, and appropriate and sufficient legal, technical and organisational measures will be applied to the same to guarantee privacy and the corresponding rights. Those affected may exercise their rights of access, rectification, opposition, deletion, limitation of processing and portability by sending their request to the address privacy@sealpath.com. They may also file a complaint with the Spanish Data Protection Agency in the event that they consider that their data has not been processed appropriately. 6.- Guarantees and liabilities 6.1.- SEALPATH guarantees access to and use of the Service under the conditions and for the uses specified in the Contract. The measures of the Service are suitable for improving data security and confidentiality, although SEALPATH does not guarantee exhaustive compliance with legal or contractual obligations or requirements for specific purposes or their completeness. Unless otherwise provided by law, SEALPATH shall not be liable in any case for any direct or indirect, economic, material or other damage that may be caused to the files beyond the economic amount of the Contract. 6.2.- SEALPATH cannot guarantee the availability and continuity of access to the Service, its inadequate functioning, loss or corruption of data, loss of profit or in general any damages, direct or indirect, including those caused by an error or malfunction of the computer systems of the Client, the Partner or third parties contracted by the latter, such as its network, equipment, operating systems, applications, configuration or communications system, as well as by periodic or extraordinary maintenance or repair procedures or for other reasons beyond the control of SEALPATH or that are not reasonably foreseeable. Likewise, SEALPATH does not guarantee correct operation of the Service beyond the environments, scopes, minimum and recommended requirements established in these conditions. 6.3.- The Client is solely responsible for the information and data entered by themselves or their employees or collaborators in the files or electronic documents, their custody, confidentiality, duty of secrecy and permissions granted or denied, responding to third parties and SEALPATH for the ownership and legality of the same, especially that they do not involve a violation of company rights, nor infringe the regulations on intellectual and industrial property, market and competition, honour, privacy or personal image or protection of personal data. It is the Client’s responsibility to have an adequate security policy for its systems, to determine the security measures in accordance with its risk analysis, and to keep its systems updated and correctly configured, free of computer viruses and any malicious applications and errors. 6.4.- SEALPATH may monitor, manage and control access to and use of the Service in order to guarantee its security, quality and conditions of provision, and may access the operations and actions carried out by the Client in relation to the same. In the event of detecting a breach of the provisions of these conditions, the infringement of the rights or interests of third parties or of current legislation, it must notify the competent administrative or judicial authorities so that they may adopt the appropriate measures, as well as suspend or terminate the Service. 7.- Price and Payment Method 7.1.- SEALPATH distributes its solutions through channel partners. Prices and other economic conditions are managed by these Partners with the Client. 7.2.- In the event of non-compliance with any of the payment obligations that may be reported by the Channel Partner, the non-compliant party shall automatically and without the need for prior notice by the creditor party, enter into default and shall be obliged to pay the amounts owed increased in accordance with the interest established in Law 3/2004, of 29 December, which establishes measures to combat late payment in commercial transactions, or regulations that replace the previous one, as well as the bank charges and penalties incurred. 7.3.- Non-payment shall also entail the immediate interruption of access to the Service, blocking it for all of the Client’s users. Said access will be restored when the amounts pending payment are paid, as well as the corresponding interest and expenses. 8.- Modifications 8.1.- SEALPATH reserves the right to carry out, at any time, modifications and updates to the provision of the Service, its functionalities, configuration, availability and presentation of the information, as well as to this Contract, without prejudice to the rights acquired. 8.2.- Any modification to the products or services offered, as well as to the Contract, will be duly communicated by e-mail. Continued use of the Service shall imply full and unreserved acceptance of the above modifications. 9.- Duration and Termination 9.1.- This Contract shall have the initial duration corresponding to the contracted period, and shall be automatically extended for equal periods of time, unless it is terminated for the legally established reasons and in the following cases: a) In the event of serious breach of the obligations of the parties, following a request by the party in breach, without prejudice to any claim for damages that may be applicable. In the event of serious breach of the obligations of the parties, following a request by the party in breach, without prejudice to any claim for damages that may be applicable. At the request of the Client, in which case the effects of the request for termination of the contract will occur at the end of the initially contracted period or any of its extensions. At the request of SEALPATH and prior notification to the Client, in the event of cessation or termination of the activity, change of business model, closure, merger or absorption of the company. 9.2.- Termination of the Contract will prevent the use of the Service and the revocation of any licences and permissions granted. Please note that this means that it will not be possible to encrypt electronic files, or to manage, control or administer the corresponding permissions, or to decrypt previously protected files after the termination of the Contract. 10. Applicable law and competent jurisdiction This Contract shall be governed by and interpreted in all its precepts in accordance with Spanish law. Any controversy that may exist between the parties in relation to the provisions herein shall be submitted to the Courts and Tribunals of Bilbao, expressly waiving any other jurisdiction that may correspond to them.