Momentumworks Inc / Utopia's Terms of Service, Privacy Policy, and GDPR policy

Hi and welcome! You're reading Utopia’s Terms of Service, which include an agreement between you and Momentumworks Inc in Section 15 to arbitrate in certain cases instead of going to court.

This is the legal contract between you and Momentumworks Inc when you use the Utopia site, and related services and products. You should read this carefully before you use our site, our services or products.

We’ve tried to be both fair and clear—if you have any suggestions for improvement, feel free to email us at support@utopia.app. We’ve also included annotations throughout this contract in quotes; these annotations aren’t a part of the contract itself, but are intended to help you follow the text and to emphasize key sections.

1. Accepting the Terms of Service

“We are Momentumworks Inc and you’re agreeing to these terms.”

These are some of the definitions we’ll use in this contract:

By creating an account to use the Services (“Account”) or using or accessing the Services, you agree to become bound by all the terms and conditions of this Agreement. Please note that your account to use the Services will be different from your account to use other Momentumworks Inc services. If you do not agree to all the terms and conditions of this Agreement, you shouldn’t and aren’t permitted to use the Services.

2. Modifications to this Agreement

“We can change this agreement if needed, and when we do, we’ll let you know.”

Momentumworks Inc may make modifications, deletions and/or additions to this Agreement (“Changes”) at any time. A Change will be effective: (i) thirty (30) days after Momentumworks Inc provides notice of such Change, whether such notice is provided through the Services user interface, is sent to the e-mail address associated with your Account or otherwise; or (ii) when you opt-in or otherwise expressly agree to such Change or a version of this Agreement incorporating such Change, whichever comes first.

3. Use of the Services

Eligibility: “You have to be thirteen or older.”

No individual under the age of thirteen (13) may use the Services or provide any information to Momentumworks Inc or otherwise through the Services (including, for example, a name, address, telephone number, or email address). If you are a parent and believe your child under the age of thirteen (13) has created an Account or otherwise provided personal information to Momentumworks Inc, please contact us at support@utopia.app. In addition, you may only use the Services to the extent not legally prohibited from doing so.

Service Changes and Limitations: “We are going to be changing and updating the service regularly.”

The Services may change frequently, and their form and functionality may change without prior notice to you. Momentumworks Inc retains the right to create limits on or in relation to use of the Services in its sole discretion at any time with or without notice. We will work to notify you of any such limits, or of changes to these limits, whenever possible.

Momentumworks Inc may also impose limits on certain Services or aspects of those Services or restrict your access to parts or all of the Services without notice or liability. Generally, this will only happen when needed to maintain the service or to make necessary updates to the service. Momentumworks Inc may change, suspend, or discontinue any or all of the Services at any time, including the availability of any product, feature, database, or Content (as defined below). Momentumworks Inc may also suspend Accounts at any time, in its sole discretion.

Limitations on Automated Use: “You shouldn’t use bots or access the system in malicious or un-permitted ways.”

You may not do any of the following while accessing or using the Services: (a) access, tamper with, or use non-public areas of the Services, or the computer or delivery systems of Momentumworks Inc and/or its service providers; (b) probe, test, or scan any system or network (especially for vulnerabilities), or otherwise attempt to breach or circumvent any security or authentication measures; (c) access or search or attempt to access or search the Services by any means (automated or otherwise) other than through our currently available, published interfaces that are provided by Momentumworks Inc (and only pursuant to those terms and conditions), unless you have been specifically allowed to do so in a separate agreement with Momentumworks Inc, or unless specifically permitted by Momentumworks Inc’s robots.txt file or other robot exclusion mechanisms; (d) scrape the Services, or scrape Content (as defined below) from the Services; (e) use the Services to send altered, deceptive, or false source-identifying information, including without limitation by forging TCP-IP packet headers or e-mail headers; or (f) interfere with, or disrupt or attempt to interfere with or disrupt, the access of any User, host or network, including, without limitation, by sending a virus to, spamming, or overloading the Services, or by scripted use of the Services in such a manner as to interfere with or create an undue burden on the Services.

If you discover a security breach related to the Services, you shall notify us promptly.

4. Privacy

“We’ll follow our privacy policy.”

Any information you provide to Momentumworks Inc is subject to Momentumworks Inc’s Privacy Policy, which governs our collection and use of your information. You understand that through your use of the Services you consent to the collection and use (as set forth in the Privacy Policy) of this information.

5. Content and Intellectual Property Rights

Definitions: “Content means text, pictures and other stuff; User Content is your stuff.”

For purposes of this Agreement: (1) the term “Content” means any work of authorship and includes, without limitation, video, audio, photographs, images, illustrations, animations, logos, tools, written posts, replies, and comments, information, data, text, software, scripts, executable files, graphics, and interactive features; (2) the term “User Content” is all Content that users of the Services (“Users”) create on, or upload to, their Accounts, such as code, text, images and other assets.

Ownership: “You own your stuff, and we own our stuff.”

As between you and Momentumworks Inc, you retain ownership of all intellectual property rights in your User Content, and Momentumworks Inc and/or its licensors retain ownership of all intellectual property rights in the Services and all Content made available through the Services other than your User Content. You agree not to sell, license, distribute, copy, modify, publicly perform or display, transmit, publish, edit, adapt, create derivative works from, or otherwise make unauthorized use of the Services, but you may peform these actions on your User Content in compliance with the terms of this Agreement.

Content License from You: “You allow us to use your content while using and running our services and operating our business.”

As a User of the Services, you hereby grant to Momentumworks Inc a worldwide, non-exclusive, royalty-free, full-paid, irrevocable, perpetual, transferable, sublicensable right and license to download, copy, store, view, display, perform, and analyze the User Content for (1) purposes of operating and providing the Services and (2) Momentumworks Inc’s internal business purposes, including without limitation for analyzing usage of and improving our Services.

User Content: “You have the right to let us use your content. We don’t warrant other user’s content.”

You represent and warrant that you either own your User Content or have all necessary rights, licenses and consents relating thereto in order to grant Momentumworks Inc the license rights granted herein without infringement or violation of the rights of any third party. You agree that your User Content will not: (i) include material that is not authorized by the copyright owner, protected by trade secret or otherwise subject to third party proprietary rights, including privacy and publicity rights, unless you are the owner of such rights or have permission from their rightful owner to post and sell the material and to grant Momentumworks Inc all of the license rights granted herein; (ii) include falsehoods or misrepresentations that could damage Momentumworks Inc or any third party; (iii) include material that is unlawful, defamatory, libelous, threatening, pornographic, harassing, hateful, racially or ethnically offensive or encourages conduct that would be considered a criminal offense, give rise to civil liability, violate any law or is otherwise inappropriate. Momentumworks Inc does not endorse any User Content or any opinion, recommendation, or advice expressed therein, and Momentumworks Inc expressly disclaims any and all liability in connection with User Content. If notified by a user or a content owner of any User Content that allegedly does not conform to this Agreement, Momentumworks Inc may investigate the allegation and determine in good faith and in its sole discretion whether to remove the User Content from the Services, which it reserves the right to do at any time. Additionally, Momentumworks Inc may, at any time, remove from the Services any User Content that in the sole judgment of Momentumworks Inc violates this Agreement.

Copyright Infringement; DMCA Policy: “We’ll remove copyrighted materials of yours; just let us know about it.”

If you believe that any materials available through our Services infringe your copyright, you may request that such materials be removed. This request must bear a signature (or electronic equivalent) of the copyright holder or an authorized representative and must include the following information: (1) identification of the copyrighted work that you believe to be infringed, including a description of the work and, where possible, a copy or the location of an authorized version of the work; (2) identification of the material that you believe to be infringing and its location, including a description of the material, its location on our Services or other pertinent information that will help us to locate the material; (3) your name, address, telephone number and email address; (4) a statement that you have a good faith belief that the complained of use of the materials is not authorized by the copyright owner, its agent or the law; (5) a statement that the information in your claim is accurate; and (6) a statement that “under penalty of perjury,” you declare that you are the lawful copyright owner or are authorized to act on the owner’s behalf. Our agent for copyright issues relating to our Services is: Copyright Agent, Momentumworks Inc, Los Angeles, California, United States of America or support@utopia.app. In an effort to protect the rights of copyright owners, we reserve the right to suspend your Account, delete or disable content alleged to be infringing and/or terminate the Account of a repeat infringer.

Suggestions: “We welcome your suggestions; if you give us any suggestion, we have the right to use it.”

We welcome your suggestions for improvements to our Services. If you send us any feedback, ideas or other suggestions (“Suggestions”), you agree that: (1) you hereby grant us a non-exclusive, perpetual, irrevocable, royalty free license to copy, distribute, adapt and use your Suggestion(s); (2) none of your Suggestion(s) contain confidential or proprietary information of any third party; (3) we may use or redistribute Suggestion(s) for any purpose and in any way; (4) there is no obligation for us to review your Suggestion(s); and (5) we have no obligation to keep any Suggestions confidential.

6. Use of Trademarks

“You must get our permission to use our Momentumworks Inc branding and trademarks.”

Any use of Momentumworks Inc’s trademarks, branding, logos or any other such assets requires the express written permission of Momentumworks Inc. If you need to use these assets, contact us at support@utopia.app. Any such use will be subject to compliance with our trademark guidelines.

7. Warranty Disclaimer; Services Available on an “AS-IS” Basis

“We want Utopia to be great for you, but it’s not warrantied.”

YOUR ACCESS TO AND USE OF THE SERVICES OR ANY CONTENT IS AT YOUR OWN RISK. THE SERVICES AND ANY ANALYTICS PROVIDED THROUGH THE SERVICES ARE PROVIDED FOR INFORMATION PURPOSES ONLY AND Momentumworks Inc IS NOT RESPONSIBLE OR LIABLE FOR ANY ACTIONS OR OMISSIONS BASED ON SUCH ANALYTICS. YOU UNDERSTAND AND AGREE THAT THE SERVICES ARE PROVIDED TO YOU ON AN “AS IS” AND “AS AVAILABLE” BASIS. WITHOUT LIMITING THE FOREGOING, TO THE FULL EXTENT PERMITTED BY LAW, Momentumworks Inc DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.

Momentumworks Inc makes no representations or warranties of any kind with respect to the Services, including any representation or warranty that the use of the Services will (a) be timely, uninterrupted or error-free or operate in combination with any other hardware, software, system, or data, (b) meet your requirements or expectations, (c) be free from errors or that defects will be corrected, or (d) be free of viruses or other harmful components. Momentumworks Inc also makes no representations or warranties of any kind with respect to Content; User Content is provided by and is solely the responsibility of the respective User providing that Content. No advice or information, whether oral or written, obtained from Momentumworks Inc or through the Services will create any warranty not expressly made herein.

8. Release From Liability

“We’re not liable for certain issues that could arise from using Utopia.”

You release, to the fullest extent permitted by law, Momentumworks Inc, its directors, officers, members, employees, representatives, consultants, agents, suppliers, and/or distributors from responsibility, liability, claims, demands, and/or damages (actual and consequential) of every kind and nature, known and unknown, arising out of or in any way connected with the following:

You hereby waive applicability of California Civil Code ¤1542, and any similar statute or principle of common law. California Civil Code ¤1542 says: “A general release does not extend to claims which the creditor does not know or suspect to exist in his or her favor at the time of executing the release, which if known by him or her must have materially affected his or her settlement with the debtor.”

9. Limitation of Liability

“As much as the law allows, Momentumworks Inc and its team isn’t liable for certain types of damages. Momentumworks Inc’s total liability to you is limited, too.”

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, Momentumworks Inc, ITS DIRECTORS, OFFICERS, MEMBERS, EMPLOYEES, REPRESENTATIVES, CONSULTANTS, AGENTS, SUPPLIERS, LICENSORS, AND/OR DISTRIBUTORS SHALL NOT BE LIABLE FOR: (A) ANY INCIDENTAL, EXEMPLARY, PUNITIVE, CONSEQUENTIAL OR OTHER INDIRECT DAMAGES OF ANY KIND WHATSOEVER; (B) LOSS OF PROFITS, REVENUE, DATA, USE, GOOD-WILL, OR OTHER INTANGIBLE LOSSES; (C) DAMAGES RELATING TO YOUR INABILITY TO ACCESS OR USE THE SERVICES; (D) DAMAGES RELATING TO ANY CONDUCT OR CONTENT OF ANY THIRD PARTY OR USER USING THE SERVICES, INCLUDING WITHOUT LIMITATION DEFAMATORY, OFFENSIVE OR ILLEGAL CONDUCT OR CONTENT; AND/OR (E) DAMAGES IN ANY MANNER RELATING TO ANY USER CONTENT. THIS LIMITATION APPLIES TO ALL CLAIMS, WHETHER BASED ON WARRANTY, CONTRACT, TORT, OR ANY OTHER LEGAL THEORY, WHETHER OR NOT Momentumworks Inc HAS BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGE, AND FURTHER WHERE A REMEDY SET FORTH HEREIN IS FOUND TO HAVE FAILED ITS ESSENTIAL PURPOSE.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE TOTAL LIABILITY OF Momentumworks Inc AND ITS DIRECTORS, OFFICERS, MEMBERS, EMPLOYEES, REPRESENTATIVES, CONSULTANTS, AGENTS, SUPPLIERS, LICENSORS AND/OR DISTRIBUTORS, FOR ANY CLAIM UNDER THIS AGREEMENT, INCLUDING FOR ANY IMPLIED WARRANTIES, IS LIMITED TO THE GREATER OF FIFTY DOLLARS (US$50.00) OR THE AMOUNT YOU PAID US TO USE THE APPLICABLE SERVICE(S) IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENTS GIVING RISE TO THE CLAIM.

10. Exclusions to Warranties and Limitation of Liability

“We follow the law of your region in regard to warranties and liabilities.”

Some jurisdictions may not allow the exclusion of certain warranties or the exclusion/limitation of liability as set forth in Section 9, so the limitations above may not apply to you.

11. Legal Compliance; Indemnification

“You won’t use Utopia to do illegal things.”

As a condition of your use of the Services, you represent and warrant that you will not use the Services for any purpose that is unlawful or prohibited by this Agreement. Access to the Services from territories where their contents are illegal is strictly prohibited. You agree to comply with all rules, laws, and regulations relating in any way to your use of the Services including without limitation rules about intellectual property rights, the Internet, technology, data, email, and privacy.

You agree to indemnify and hold Momentumworks Inc, and its directors, officers, members, employees, representatives, consultants, agents, suppliers, licensors and/or distributors, harmless from and against any demands, suits, actions, claims, losses, damages, liabilities, judgments, settlements, costs or expenses, including without limitation attorneys’ fees, arising out of or relating to your use or misuse of the Services, violation of this Agreement or violation of the rights of any other person or entity.

12. Termination

“If you want to cancel this agreement, just close your Account. We can cancel it too.”

Either party may terminate this Agreement at any time by notifying the other party. Momentumworks Inc may also terminate or suspend your access to or ability to use any and all Services immediately, without prior notice or liability, for any reason or no reason, including but not limited to if you breach any of the terms or conditions of this Agreement. Momentumworks Inc may immediately terminate or suspend Accounts that have been flagged for repeat copyright infringement.

Upon termination of your access to or ability to use a Service, including but not limited to suspension of your Account on a Service, your right to use or access that Service and any Content will immediately cease. The following Sections shall survive any termination of these Terms of Service: 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, and 17. Termination of your access to and use of the Services shall not relieve you of any obligations arising or accruing prior to such termination or limit any liability which you otherwise may have to Momentumworks Inc or any third party.

13. Arbitration; Waiver of Class Actions

“We’ll arbitrate instead of going to court for many disputes. We’ll only resolve disputes on an individual basis.”

Any claim where (a) the total amount of the award sought by either you or Momentumworks Inc is less than $10,000 and (b) that does not involve patents, copyrights, trademarks, trade secrets or moral rights, shall be resolved via binding non-appearance-based arbitration initiated through the American Arbitration Association (“AAA”). The AAA Rules are available online at www.adr.org or by calling the AAA at 1-800-778-7879. In any such arbitration, the parties and AAA must comply with the following rules: (w) the arbitration shall be conducted by telephone, online and/or be solely based on written submissions, and the specific manner shall be chosen by the party initiating the arbitration; (x) the arbitration shall not involve any personal appearance by the parties or witnesses unless otherwise mutually agreed by the parties; (y) the arbitrator may award injunctive or declaratory relief only in favor of the individual party seeking relief and only to the extent necessary to provide relief warranted by that party’s individual claim; and (z) any judgment on the award rendered by the arbitrator may be entered in any court of competent jurisdiction. Notwithstanding anything in this Agreement, (1) either party may seek remedies in small claims court of competent jurisdiction and (2) either party may seek injunctive or other equitable relief in any court of competent jurisdiction.

Any claims brought by you or us must be brought in that party’s individual capacity, and not as a plaintiff or class member in any purported class or representative proceeding. Neither you nor us will participate in a class action or class-wide arbitration for any claims covered by these Agreement. You hereby waive any and all rights to bring any claims related to these Agreement and/or our Privacy Policy as a plaintiff or class member in any purported class or representative proceeding. You may bring claims only on your own behalf.

You may opt out of the agreement to arbitrate in the first paragraph of this Section 13 (“Agreement to Arbitrate”). If you do so, neither you nor we can require the other to participate in an arbitration proceeding. To opt out, you must notify us in writing within thirty (30) days of the date that you first became subject to this arbitration provision. The opt-out notice must state that you do not agree to the Agreement to Arbitrate and must include your name, address, phone number, your Account to which the opt-out applies and a clear statement that you want to opt out of this Agreement to Arbitrate. You must sign the opt-out notice for it to be effective. This procedure is the only way you can opt out of the Agreement to Arbitrate. You must use this address to opt out:

Momentumworks Inc ATTN: Arbitration Opt-out Los Angeles, California, CA USA

Notwithstanding any provision in this Agreement to the contrary, you and we agree that if we make any change to the arbitration procedures (other than a change to any notice address or Site link provided herein) in the future, that change shall not apply to any claim that was filed in a legal proceeding against us prior to the effective date of the change. Moreover, if we seek to terminate the arbitration procedures from this Agreement, such termination shall not be effective until thirty (30) days after the version of this Agreement not containing the arbitration procedures is posted to our Services, and shall not be effective as to any claim that was filed in a legal proceeding against us prior to the effective date of removal.

In accordance with Section 12, this Section will survive the termination of your relationship with us.

14. Jurisdiction

“This agreement is covered by California law. If there is a dispute between us not subject to arbitration, we’ll handle it in California.”

Before resorting to litigation, we strongly encourage you to contact us at support@utopia.app to seek a resolution. This Agreement shall be governed in all respects by the laws of the State of Delaware as they apply to agreements entered into and to be performed entirely within Delaware between Delaware residents, without regard to conflict of law provisions. You agree that any claim or dispute you may have against Momentumworks Inc that isn’t subject to mandatory arbitration under Section 14 must be resolved exclusively by a state or federal court located in Delaware, except as otherwise agreed by the parties. Each party agrees to submit to the personal jurisdiction of the courts located within Delaware for the purpose of litigating all such claims or disputes.

15. Special Provisions for users Located Outside of the United States

“We’re in the United States, so we’ll follow U.S. law.”

Momentumworks Inc provides global products and services and enables a global community for individuals. Momentumworks Inc’s operations are, however, located in the United States, and Momentumworks Inc’s policies and procedures are based on United States law. As such, the following provisions apply specifically to users located outside of the United States: (1) you consent to the transfer, storage, and processing of your information, including but not limited to User Content and any personal information, to and in the United States and/or other countries; and (2) if you are using the Services from a country embargoed by the United States, or are on the United States Treasury Department’s list of “Specially Designated Nationals,” you agree that you will not use the Services.

16. Miscellaneous

“This is the whole agreement between us.”

This Agreement, including as it may be modified from time to time as set forth in Section 2 above, constitutes the entire agreement between you and Momentumworks Inc with respect to the subject matter hereof. This Agreement replaces all prior or contemporaneous understandings or agreements, written or oral, regarding the subject matter hereof and constitutes the entire and exclusive agreement between the parties. The failure of either party to exercise in any respect any right provided for herein shall not be deemed a waiver of any further rights hereunder. If any provision of this Agreement is found to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect and enforceable. This Agreement is not assignable, transferable, or sublicensable by you except with Momentumworks Inc’s prior written consent. Momentumworks Inc may assign this Agreement in whole or in part at any time without your consent. No agency, partnership, joint venture, or employment is created as a result of this Agreement and you do not have any authority of any kind to bind Momentumworks Inc in any respect whatsoever.

Any notice to Momentumworks Inc that is required or permitted by this Agreement shall be in writing and shall be deemed effective upon receipt, when delivered in person by nationally recognized overnight courier or mailed by first class, registered or certified mail, postage prepaid, to Momentumworks Inc 75 Broad Street Suite 1904 Delaware City, NY 10004, Attn: Legal Department. Momentumworks Inc may provide notices to you via e-mail to the e-mail address associated with your Account or by mail to your mailing address. The Services are provided by Momentumworks Inc, which may be contacted at the mailing address above, by e-mail at support@utopia.app.

17. Special Notice to California Residents

“The state of California makes us tell you this.”

If you are a California resident, we are required to inform you that you may reach the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs via mail at 1625 North Market Blvd., Suite N112, Sacramento, CA 95834 or telephone at (916) 445-1254 or (800) 952-5210. Hearing impaired users can reach the Complaint Assistance Unit at TDD (800) 326-2297 or TDD (916) 322-1700.

Privacy Policy

Last Modified: 2017-03-12

Momentumworks Inc takes the private nature of your personal information very seriously. We respect your privacy and strive to use your information in ways that you can understand, predict and control.

We’ve tried to make this privacy policy readable because we really do want you to read it.

We’ll use a few terms in this policy:

This Privacy Policy describes how we treat the information we collect when you visit and use any of the Services. When you use any of the Services, you are consenting to the collection, transfer, manipulation, storage, disclosure and other uses of your information as described in this Privacy Policy.

Because your privacy is important, we ask that you please read this Policy carefully. We’ve also included highlighted annotations throughout this policy in quotes; these annotations aren’t a part of the policy itself, but are intended to help you follow the text and to emphasize key sections.

1. Children

“We do not collect personally identifiable information from children.”

The Services are not directed towards, and Momentumworks Inc does not knowingly collect information from, children under the age of thirteen (13). If you are a parent and believe your child under the age of thirteen (13) has created a Services account or otherwise provided personal information to Momentumworks Inc, please contact us at support@utopia.app.

2. What This Privacy Policy Covers

“This Policy covers information you share with Momentumworks Inc, not third parties.”

This Privacy Policy covers our treatment of information gathered when you are using or accessing the Services. This Privacy Policy does not apply to the practices of third parties that we do not own or control, including but not limited to any third party websites, services and applications (“Third Party Services”) that you elect to access through the Service or to individuals that we don’t manage or employ. We encourage you to carefully review the privacy policies of all Third Party Services you access.

3. What Information We Collect and How We Use It

Information Obtained from Third Party Services: “Momentumworks Inc uses your data shared from third-party networks like Twitter and you should understand their policies.”

Information about Your Accounts on Third Party Services: Key parts of the Services require you to link your Account to certain Third Party Services, including without limitation social networking services such as GitHub. In order to do so, you will provide your user ID and authentication on each of those Third Party Services, where we receive a token that allows us to access those accounts. We use this authorization as permission to, for example, retrieve your content or activity on those services.

We do NOT ask for, receive or store your passwords for your Third Party Service accounts.

We really encourage you to familiarize yourself with the terms of service and privacy policy of any Third Party Services which you use in conjunction with Utopia.

In some cases, when you connect your Account with your accounts on Third Party Services, we may obtain information about you from those Third Party Services. To the extent we obtain such information, we may use the information about you that we receive from Third Party Services to improve and personalize our Services. As a general practice, we strongly urge you to make careful judgments about any personal information you disclose to Internet services, including without limitation Utopia and any Third Party Services, regardless of whether you choose to link your accounts.

User Content: “Your Utopia activity is public by default.”

By default, the information we get from your accounts with Third Party Services and the analysis generated by the Services regarding that information is public, and it is published so that anyone can view it. If you use our Services to edit your profile or content, that edit will become public and our Services will publicly show that you made the edit. You should assume that anything Utopia publishes for you is publicly accessible unless you have explicitly selected otherwise. Content published and shared publicly is accessible to everyone, including without limitation search engines. In addition, information shared publicly may be copied and shared throughout the Internet. While you are free to remove published content from or delete your Account, because of the nature of Internet sharing, copies of that content may exist elsewhere and be retained indefinitely, including without limitation in our systems.

Information About User Content: “Your content might have data embedded in it. We may use that data.”

In some cases, we may collect information about content you provide to the Services. For example, when it’s included with images, we may collect information describing your camera and camera settings. This information allows us to improve the Services and provide additional features and functionality.

Information Related to Use of the Services: “We use third party statistics and analytics services. Read their policies.”

We collect information about how people use the Services, including without limitation those with an Account. This information includes general usage information, and may include information such as the number and frequency of our visitors, which pages or features of the Services they have visited, which links on the Services they have clicked on, and the length of those visits. We may also use third party applications and services, such as Google Analytics, to collect and analyze this information. This information enables us and third parties authorized by us to figure out how often individuals use the Services so that we can analyze and improve them. Some of this information may be associated with the IP Address (as defined below) used to access the Services, and some may be associated with your Account, such as the topics you search for and the help pages that you visit. We may also use some of this information in aggregate form, that is, as a statistical measure related to all of our users that would not identify you personally. We use information about your use of the Services to improve and enhance your experience on the Services.

For your convenience, you may view the Google Analytics Terms of Service: http://www.google.com/analytics/terms/us.html

And you can view the Google Analytics Privacy Policy: http://www.google.com/analytics/learn/privacy.html

Information Related to Your Web Browser: “Web browsers typically send some data when you visit us; We use that to make Utopia better.”

We automatically receive and record information from your web browser when you interact with the Services, such as your browser type and version, what sort of device you are using, your operating system and version, your language preference, the website or service that referred you to the Services, the date and time of each web request you make, your screen display information, and information from any cookies we have placed on your web browser (as described below). We also sometimes detect whether you are using certain web browser extensions and store that information in a manner associated with your Account. Web browser-related information is used to enhance your experience with the Services (for example, by personalization) and to allow us to improve the Services; it is not, however, used in a manner that would identify you personally.

IP Address Information: “Normally, when you visit Utopia we receive your IP address, which we’ll use to improve Utopia.”

When you log into the Services or load a web page from the Services, we will collect and store your Internet Protocol Address (“IP Address”). We generally use IP Address information to fight spam, malware, and identity theft; we also may use it, in the future, to personalize the Services for you. IP Address information is also used by us to generate aggregate, non-identifying, information about use of the Services.

Location Information: “If we receive your location information, we’ll use it to provide better Utopia services to you.”

In some cases we collect and store information about where you are located, such as by converting your IP Address into a rough geolocation, or by using location data stored in photos or in social media messages. We may use location information to improve and personalize the Services for you.

Information Collected Using Cookies: “We use cookies to make Utopia work for you. If you turn them off, you won’t be able to use Utopia. Some statistics services we use set cookies, too.”

Cookies are pieces of information that may be sent to and saved by your web browser when you access a website; your web browser stores these cookies in a way associated with each website you visit, and you can see your cookies through your browser settings. We use cookies to enable our servers to recognize your web browser and tell us how and when you use the Services. Our cookies do not, by themselves, contain information that personally identifies you, and we don’t combine the general information collected through cookies with other information to tell us who you are. However, we do use cookies to identify that you have logged in and that your web browser has accessed aspects of the Services, and we may associate that information with your Account if you have one. This information, in turn, is sometimes used to personalize your experiences on the Services, such as by presenting you with a different feature when you are logged in to Utopia. Most web browsers have an option for turning off the cookie feature, which will prevent your browser from accepting new cookies, as well as (depending on your web browser software) allowing you to decide to accept each new cookie in a variety of ways. If you disable cookies, you won’t be able to log into your Account, and so will not be able to use the vast majority of our Services; as such, we don’t recommend disabling your cookies when using the Services. Some third-party services that we use, such as Google Analytics, may also place their own cookies on your browser. Note that this Privacy Policy covers our use of cookies only and does not cover the use of cookies by third parties.

We do not currently recognize or respond to browser-initiated Do Not Track signals as there is no industry standard for compliance. We do not track you across the internet, and we do not change or disable the DNT setting in your browser.

Information About Your Contacts: “Utopia may automatically retrieve your friend or follower list from connected services.”

Certain features of the Services allow you to provide us with your contact lists stored on other services. We only use and store that information to provide the Utopia service to you.

Derived Information: “We may deduce information about you from your activity. We only do that to provide Utopia services to you.”

We analyze your actions on the Services in order to derive or infer characteristics that may be descriptive of you. These characteristics are used to improve and personalize the Services.

Email Tracking: “We may sometimes put a tracking link in emails to know if you opened an email or clicked on a link in it.”

We may place information in our emails to you (such as a web beacon) that allows us to measure our email deliverability, and we may track which links in an email are followed. We may also use third-party email services to deliver messages and you should review the policies of these services which govern these messages as well.

4. Remarketing

“You may see more advertising for Utopia when you browse the web.”

In the future, we may use marketing services provided by Google and other third parties that allow us to deliver advertising to users after they leave our Services that they will see elsewhere on the web. This is a common practice called “remarketing.” Users will not see more ads than they otherwise would see as a result of remarketing; rather, the ads they see are more likely to be ads for Utopia products and services. Google (and any other third party marketing services providers we use to help us with remarketing) use cookies as part of the remarketing service. For more information regarding remarketing and the ability to opt-out, please visit:

5. With Whom Your Information Is Shared

“We don’t share your personal information without telling you.”

We never share personal information we receive from you unless: (a) we have your permission to share that information; (b) we have given you prior notice (such as within this privacy policy) that the information will be shared, and with whom; or (c) that information is aggregate information or other information that does not identify you.

Information Shared with the Public Through the Services: “Your Utopia contributions are public by default.”

As noted above, by default, content published through the Services is shared with the public, and this is an important feature of the Services. Such information includes, but isn’t limited to, anything you choose to post on or submit to a connected service and anything apparent in posted content. Because this kind of information can be seen by anyone and may be indexed by search engines (like Google), you should be careful in what you choose to disclose publicly and make sure it is information you want to share with everyone.

Information Shared Between the Services: “We might combine your use of different networks together to improve Utopia.”

We may, if possible, aggregate information about your use of multiple Services and use that consolidated information to improve how the Services operate, and to develop new Services.

Information Shared with Our Agents in Order to Operate and Improve the Services: “If we hire a contractor or consultant, they’ll follow the same policy here.”

In some cases, we share information that we store (such as IP Addresses) with third parties, such as our service providers, consultants and other agents (“Agents”), for the purposes of operating and improving the Services. For example, we may share information with service providers in order to fight spam, and third-party consultants may have access to information in the process of improving our processes and technology. Agents with whom we share such information for these reasons are generally bound by confidentiality obligations and, unless we tell you differently, our Agents do not have any right to use information we share with them beyond the scope and duration of what is necessary to assist us. You hereby consent to our sharing of your information with our Agents.

Information Shared with Third Parties: “If we share information with business partners, it would be aggregate information.”

We may share or disclose non-private information, information that is aggregated with information relating to other Service user that does not personally identify you, or other non-personally identifiable Information with people and entities that we do business with.

Information Disclosed Pursuant to Business Transfers: “If we sell Utopia or its assets, your information would come along in the sale.”

In some cases, we may choose to buy or sell business assets. In these transactions, user information is typically one of the transferred business assets. Moreover, if we, or substantially all of our assets, were acquired, or if we go out of business or enter bankruptcy, user information would be one of the assets that is transferred or acquired by a third party. You acknowledge that such transfers may occur, and that any acquirer of us or our assets may continue to use your personal information as set forth in this policy.

Information Disclosed for Our Protection and the Protection of Others: “We will disclose information if needed to obey the law or to protect people.”

We believe in freedom of expression, and we will work to protect our community from baseless legal demands. That said, we must reserve the right to access, preserve, and disclose any information we reasonably believe is necessary to (i) satisfy any law, regulation, legal process, governmental request, or governmental order, (ii) enforce this Privacy Policy and our Terms of Service, including without limitation investigation of potential violations hereof, (iii) detect, prevent, or otherwise address fraud, security, or technical issues (including exchanging information with other companies and organizations for fraud protection and spam/malware prevention), (iv) respond to user support requests, or (v) protect the rights, property, health, or safety of us, our users, any third parties, or the public in general, including but not limited to situations involving possible violence, suicide, or self-harm.

Information We Share with Your Consent or at Your Request: “If you want to share your data, we’ll accommodate you.”

If you ask us to release information that we have about your Account, we will do so if reasonable and not unduly burdensome.

6. The Security of Your Information

“We’re keeping your data reasonably safe.”

Your Account information is protected by a password or by connection to a Third-Party Service for your privacy and security. You need to prevent unauthorized access to your Account and personal information by selecting and protecting your password appropriately and limiting access to your computer and browser by signing off after you have finished accessing your Account on the Services.

We use reasonable measures to protect your information (including your Account information) to ensure that it is kept private; however, we can’t guarantee the security of any information. Unauthorized entry or use, hardware or software failure, and other factors, may compromise the security of user information at any time.

7. What Information You Can Access

“You can see your account information in your Settings page.”

If you are a registered user, you can access and delete most information associated with your Account by logging into the Services and deleting projects or content. Registered and unregistered users can access and delete cookies through their web browser settings.

Your California Privacy Rights: Under California Civil Code sections 1798.83-1798.84, California residents are entitled to ask us for a notice identifying the categories of personal customer information that we share with our affiliates and/or third parties for marketing purposes, and providing contact information for such affiliates and/or third parties. If you are a California resident and would like a copy of this notice, please submit a written request to the following address: 75 Broad Street Suite 1904 Delaware City, NY 10004.

8. How to Delete Your Account and What Happens When You Delete Your Account

“You can email us to close your account, and we’ll delete your account. Some information may persist for a while after your account is deleted.”

If you want to delete your Account, you can do so from your Membership page or by emailing us at support@utopia.app and providing proof of authority over the Account. What constitutes “proof of authority” will vary depending on the circumstances, but generally will require sufficient identifying information so that we can be confident you are the Account owner. Deleting your Account does not remove the content you have published from our systems and we may continue to use the content in accordance with our Terms of Service. In addition, given the nature of sharing on the Services, the public activity on your Account prior to deletion may remain stored on our servers and accessible to the public. Even after you delete your Account, there may be records of any contributions you have made to projects created by others.

Changes to This Privacy Policy

“We may change this privacy policy. If we do, we’ll tell you.”

We may amend this Privacy Policy from time to time, using the process for modifications set forth in our Terms of Service. Use of information we collect now is subject to the current version of our Privacy Policy regardless of when we collected the information.

Where to Direct Questions or Concerns

“Seriously: If you have any questions or concerns about this policy, email us.”

If you have any questions or concerns regarding privacy using the Services, please send us a detailed message to support@utopia.app.

GDPR

EFFECTIVE DATE OF AMENDMENT: Feb 28, 2019.

Momentumworks Inc, (Processor) provides products and/or services involving the processing (ex. accessing, storing, transmitting, etc.) of personal data subject to the GDPR (collectively, the “Agreements”). Accordingly, Momentumworks Inc, is acting as processor and/or subprocessor under GDPR.

This Amendment shall apply to all processing of personal data in order to provide the Services under all Agreements. This amends the Agreement(s) to reflect the arrangements between Processor and its Customers for General Data Privacy Regulation 2016/679 (“GDPR”) as follows:

1. Definitions.
All capitalized terms not specifically defined in this GDPR Letter Amendment shall have the same meaning as provided for in the Agreement(s). Terms used but not defined in this Section 1 (Definitions), such as “processing”, “controller”, “processor” and “data subject”, will have the same meaning as set forth in Article 4 of the GDPR.

The following definitions are used within this GDPR Letter Amendment:

1.1 Data Protection Laws means the GDPR and all Member State data protection laws and regulations.

1.2 Customer Personal Data means the Personal Data which Processor is processing as Processor on behalf of Customer in order to provide the services. Personal Data includes both, Personal Data controlled by Customer and Personal Data Customer is Processing on behalf of Other Controllers as Processor.

1.3 Other Controller means any entity other than Customer that is Controller of the Customer Personal Data, such as Customer's affiliated companies or Customer's client's, their customers or affiliated companies.

1.4 Personal Data Breach means a suspected or actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

2. Roles and Scope.
2.1 This GDPR Letter Amendment applies if and to the extent Processor is Processing Customer Personal Data. Customer appoints Processor as Processor to process such Customer Personal Data.

2.2 Processor will Process Customer Personal Data for the sole purpose of providing the Services according to Customer's written instructions. The initial scope of Customer's instructions for the Processing of Customer Personal Data is defined by the Agreements including, in particular, this GDPR Letter Amendment. Customer may provide further instructions that the Processor has to comply with. In case Processor does not accommodate an instruction, Customer may terminate the affected part of the Service by providing Processor with a written notice. If Processor believes an instruction violates the Data Protection Laws, Processor will inform Customer without undue delay.

2.3 Processor will comply with all Data Protection Laws in respect of the services applicable to Processors and is responsible for the lawfulness of Processor's Processing of Customer Personal Data.

3. Relevant GDPR Obligations: Articles 28, 32, and 33.
3.1 Processing by Processor shall be governed by this GDPR Letter Amendment under European Union or Member State law and are binding on Processor with regard to Customer. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of data subjects and the obligations and rights of Customer are set forth in the Agreements in place between the parties, including this GDPR Letter Amendment. In particular, Processor shall:

3.1.1 process the Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Processor is subject; in such a case, Processor shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

3.1.2 ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

3.1.3 take all measures required pursuant to Article 32 of the GDPR;

3.1.4 respect the conditions referred to in Section 3.1 and Section 4 for engaging another processor;

3.1.5 taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;

3.1.6 assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Processor;

3.1.7 at the choice of Customer, delete or return all the Personal Data to Customer after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;

3.1.8 make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and as described in this GDPR Letter Amendment and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.

Processor shall immediately inform Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.

4. Subprocessors.
4.1. The engagement of Subprocessors (including Processor Affiliates) by Processor requires Customer's explicit prior written approval. The fact that Customer has agreed to the involvement of a respective subcontractor regarding the provision of Services, cannot be considered as an approval for such subcontractor to Process Customer Personal Data as Subprocessor. Processor will provide a list of its then-current Subprocessors for Customer's review upon execution of this GDPR Letter Amendment, and Processor notify Customer in advance of any changes to Subprocessors and request Customer's explicit approval for such change.

4.2. Processor shall impose the same data protection obligations as set out in this DPA on any approved Subprocessor prior to the Subprocessor Processing any Customer Personal Data, and ensure that the relevant obligations (including but not limited to the information and audit rights) can be directly enforced by Customer or Other Controllers against the Processor's Subprocessors.

4.3. Processor remains responsible for its Subprocessors and liable for their acts and omissions as for its own acts and omissions and any references to Processor's obligations, acts and omissions in this DPA shall be construed as referring also to the Processor's Subprocessors.

5. Technical and Organizational Measures.
Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:
5.1. the pseudonymisation and encryption of Personal Data;

5.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

5.3. the ability to restore the availability and access to Personal Data immediately in the event of a physical or technical incident; and

5.4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

5.5. Additional technical and security measures are as set forth in Exhibit 1 of this GDPR Letter.

5.6. If changes to the technical and organizational measures are required by Customer, such changes shall be implemented by the Processor following Customer's instructions.

6. In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

7. Processor shall take steps to ensure that any natural person acting under the authority of Processor who has access to Personal Data does not process them except on instructions from Customer, unless he or she is required to do so by Union or Member State law.

8. Breach Notification.
Processor shall notify Customer without undue delay (and in no event less than 24 hours) after becoming aware of a Personal Data Breach. Such notice will, at a minimum:

8.1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;

8.2. communicate the name and contact details of the data protection officer or other contact where more information can be obtained;

8.3. describe the likely consequences of the personal data breach; and

8.4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

9. Assisting Customer Response to Requests from Data Subjects.
9.1. To the extent permitted by law, Processor will inform Customer without undue delay of requests from Data Subjects exercising their Data Subject rights (e.g. rectification, deletion and blocking of data) addressed directly to Processor regarding Customer Personal Data. If Customer is obliged to provide information regarding Customer Personal Data to Other Controllers or third parties (e.g. Data Subjects or the Supervisory Authority), Processor shall assist Customer in doing so by providing all required information. If Customer or Other Controllers are obliged to provide information about the processing of Customer Personal Data to a Data Subject, Processor shall assist Customer in making the required information available.

9.2. If a Data Subject brings a claim directly against Customer for damages suffered in relation to Processor's breach of this GDPR Letter Agreement or Data Protection Laws with regard to the processing of Customer Personal Data, Processor will indemnify Customer for any reasonable cost, charge, damages, expenses or loss arising from such a claim, provided that Customer has notified Processor about the claim and is giving the Processor the possibility to cooperate with Customer in the defense and settlement of the claim.

10. Transborder Data Processing.
10.1. In case Processor is established in a country that is neither a Member State nor considered by the European Commission to have adequate protection, by agreeing to this GDPR Letter Amendment, Processor is entering into EU Standard Contractual Clauses with Customer as set out here

10.2. At Customer's choice, Other Controller(s) may agree to the EU Standard Contractual Clauses as additional Data Exporter(s) and Processor declares in advance to accept such accession. Customer shall inform the Processor about the accession of such additional Data Exporters.

11. Records of Processing Activities.
Processor shall maintain all records required by Article 30(2) of the GDPR and, to the extent applicable to the processing of Personal Data on behalf of Customer, make them available to Customer upon request.

12. General.
Processor agrees that it shall be responsible for all costs associated with its compliance of such obligations. Processor is responsible and liable for its acts and omissions under this DPA. All damages arising under this GDPR Letter Amendment shall be deemed direct damages.

Except as amended herein, all other terms and conditions of the subject Agreement(s) shall remain in full force and effect.

Customer acknowledges that they have read this GDPR Letter Amendment, understand it, and agree to be bound by its terms and conditions. Further, they agree that this GDPR Letter Amendment and the subject Agreement are the complete and exclusive statement of the agreement between the parties, superseding all proposals or other prior agreements, oral or written, and all other communications between the parties relating to this subject.

Exhibit 1

Technical and Organizational Measures
Processor has implemented and will maintain the appropriate technical and organizational security measures in accordance with either option a) Independent Attestation of Security, or b) GDPR Data Security Principles, for the purpose of protecting Customer or Personal Data (collectively, “Customer Personal Data,”) against accidental loss, destruction, alteration, unauthorized disclosure or access, or unlawful destruction. Processor agrees that, based on Customer or Customer Client requirements or the nature of the engagement, Customer may require Processor to agree to additional technical and organizational measures. Those terms may require a separate executed agreement.

GDPR Data Security Principles

1. Data Protection
a. Security measures for each Processor deliverable or service are designed to protect Customer Personal Data and to maintain the availability of such Customer Personal Data pursuant to the Agreement, including applicable Attachments, Statements of Work or other transaction documents, (collectively “Agreement Documents”). Customer is the sole controller for any personal data, and appoints Processor as a processor to process such personal data (as those terms are defined in EU General Data Protection Regulation). Processor will treat all Customer Personal Data as confidential by not disclosing Customer Personal Data except to Processor employees, contractors, and subprocessors, and only to the extent necessary to deliver the Service, unless otherwise specified in Agreement Documents.

b. Processor will securely sanitize physical media intended for reuse prior to such reuse, and will destroy physical media not intended for reuse, consistent with National Institute of Standards and Technology, United States Department of Commerce (NIST), guidelines for media sanitization.

2. Security Policies
a. Processor will maintain and follow IT security policies and practices that are integral to Processor's business and mandatory for all Processor employees, including supplemental personnel.

b. Processor will review its IT security policies at least annually and amend such policies as Processor deems reasonable to maintain protection of Services and Customer Personal Data processed therein.

c. Processor will maintain and follow its standard mandatory employment verification requirements for all new hires, including supplemental employees, and extend such requirements to wholly owned Processor subsidiaries. In accordance with Processor internal process and procedures, these requirements will be periodically reviewed and include, but may not be limited to, criminal background checks, proof of identity validation, and additional checks as deemed necessary by Processor. Each Processor company is responsible for implementing these requirements in its hiring process as applicable and permitted under local law.

d. Processor employees will complete security and privacy education annually and certify each year that they will comply with Processor's ethical business conduct, confidentiality, and security policies, as set out in Processor's employee code of conduct. Additional policy and process training will be provided to persons granted administrative access to Service components that is specific to their role within Processor's operation and support of the Service, and as required to maintain compliance and certifications stated in the relevant Agreement Documents.

3. Security Incidents
a. Processor will maintain and follow documented incident response policies consistent with NIST guidelines for computer security incident handling, and will comply with data breach notification terms of the Agreement.

b. Processor will investigate unauthorized access and unauthorized use of Customer Personal Data of which Processor becomes aware (security incident), and, within the Service scope, Processor will define and execute an appropriate response plan. Customer may notify Processor of a suspected vulnerability or incident by submitting a technical support case for Processor evaluation.

c. Processor will promptly (and in no event later than 24 hours) notify Customer of a security incident or Personal Data Breach that is known or reasonably suspected by Processor to affect Customer. Processor will provide Customer with reasonably requested information about such security incident and status of any Processor remediation and restoration activities.

4. Physical Security and Entry Control
a. Processor will maintain appropriate physical entry controls, such as barriers, card controlled entry points, surveillance cameras, and manned reception desks, to protect against unauthorized entry into Processor facilities used to host the Service (data centers). Auxiliary entry points into data centers, such as delivery areas and loading docks, will be controlled and isolated from computing resources.

b. Access to data centers and controlled areas within data centers will be limited by job role and subject to authorized approval. Use of an access badge to enter a data center and controlled areas will be logged, and such logs will be retained for not less than one year. Processor will revoke access to controlled data center areas upon a) separation of an authorized employee or b) the authorized employee no longer has a valid business need for access. Processor will follow formal documented separation procedures that include, but are not limited to, prompt removal from access control lists and surrender of physical access badges.

c. Any person duly granted temporary permission to enter a data center facility or a controlled area within a data center will be registered upon entering the premises, must provide proof of identity upon registration, and will be escorted by authorized personnel. Any temporary authorization to enter, including deliveries, will be scheduled in advance and require approval by authorized personnel.

d. Processor will take precautions to protect the Service's physical infrastructure against environmental threats, both naturally occurring and man-made, such as excessive ambient temperature, fire, flood, humidity, theft, and vandalism.

5. Access, Intervention, Transfer and Separation Control
a. Processor will maintain documented security architecture of networks managed by Processor in its operation of the Service. Processor will separately review such network architecture, including measures designed to prevent unauthorized network connections to systems, applications and network devices, for compliance with its secure segmentation, isolation, and defense in depth standards prior to implementation. Processor may use wireless networking technology in its maintenance and support of the Service and associated components. Such wireless networks, if any, will be encrypted and require secure authentication and will not provide direct access to Service networks. Service networks do not use wireless networking technology.

b. Processor will maintain measures for a Service that are designed to logically separate and prevent Customer Personal Data from being exposed to or accessed by unauthorized persons.

c. To the extent described in the relevant Agreement Documents, Processor will encrypt Customer Personal Data not intended for public or unauthenticated viewing when transferring Customer Personal Data over public networks and enable use of a cryptographic protocol, such as HTTPS, SFTP, and FTPS, for secure transfer of Customer Personal Data to and from the Service over public networks.

d. Processor will encrypt Customer Personal Data at rest when specified in Agreement Documents. If the Service includes management of cryptographic keys, Processor will maintain documented procedures for secure key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use.

e. If Processor requires access to Customer Personal Data, Processor will restrict and limit such access to least level required to provide and support the Service. Such access, including administrative access to any underlying components (privileged access), will be individual, role based, and subject to approval and regular validation by authorized Processor personnel following the principles of segregation of duties. Processor will maintain measures to identify and remove redundant and dormant accounts with privileged access and will promptly revoke such access upon the account owner's separation or request of authorized Processor personnel, such as the account owner's manager.

f. Consistent with industry standard practices, and to the extent natively supported by each component managed by Processor within the Service, Processor will maintain technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, strong password or passphrase authentication, and measures requiring secure transfer and storage of such passwords and passphrases.

g. Processor will monitor use of privileged access and maintain security information and event management measures designed to a) identify unauthorized access and activity, b) facilitate a timely and appropriate response, and c) to enable internal and independent third party audits of compliance with documented Processor policy.

h. Logs in which privileged access and activity are recorded will be retained in compliance with Processor's records retention policy. Processor will maintain measures designed to protect against unauthorized access, modification and accidental or deliberate destruction of such logs.

i. To the extent supported by native device or operating system functionality, Processor will maintain computing protections for systems containing Customer Personal Data and all end-user systems that include, but may not be limited to, endpoint firewalls, full disk encryption, signature based antivirus and malware detection and removal that shall a) be regularly updated by central infrastructure and b) logged to a central location, time based screen locks, and endpoint management solutions that enforce security configuration and patching requirements.

6. Service Integrity and Availability Control
a. Processor a) performs penetration testing and vulnerability assessments, including automated system and application security scanning and manual ethical hacking, before production release and annually thereafter, b) enlists a qualified independent third-party to perform penetration testing at least annually, c) performs automated management and routine verification of underlying components' compliance with security configuration requirements, and d) remediates identified vulnerabilities or noncompliance with its security configuration requirements based on associated risk, exploitability, and impact. Processor will take reasonable steps to avoid Service disruption when performing its tests, assessments, scans, and execution of remediation activities.

b. Processor will maintain policies and procedures designed to manage risks associated with the application of changes to its Services. Prior to implementation, changes to a Service, including its systems, networks and underlying components, will be documented in a registered change request that includes a description and reason for the change, implementation details and schedule, a risk statement addressing impact to the Service and its clients, expected outcome, rollback plan, and documented approval by authorized personnel.

c. Processor will maintain an inventory of all information technology assets used in its operation of the Service. Processor will continuously monitor the health and availability of the Service and underlying components.

d. Each Service will be separately assessed for business continuity and disaster recovery requirements pursuant to documented risk management guidelines. Each Processor Service will have, to the extent warranted by such risk assessment, separately defined, documented, maintained and annually validated business continuity and disaster recovery plans consistent with industry standard practices. Recovery point and time objectives for the Service, if provided, will be established with consideration given to the Service's architecture and intended use, and will be described in the relevant Agreement Documents.

e. Processor will a) backup systems containing Customer Personal Data daily, b) ensure at least one backup destination is at a remote location, separate from production systems, c) encrypt backup data stored on portable backup media and d) validate backup process integrity by regularly performing data restoration testing.

f. Processor will maintain measures designed to assess, test, and apply security advisory patches to the Service and its associated systems, networks, applications, and underlying components within the Service scope. Upon determining that a security advisory patch is applicable and appropriate, Processor will implement the patch pursuant to documented severity and risk assessment guidelines. Implementation of security advisory patches will be subject to Processor change management policy.