/Docs/G/WorldCC/ContractPrinciples-CmA/Principle/0.md
WorldCC Clauses
- CUSTOMER AUDIT OF SUPPLIERS
- Introduction
The contracting principles in this document have been developed with and are endorsed by the International Association of Contract and Commercial Management (WorldCC) and are referred to as the “WorldCC Contracting Principles.” They are intended to serve as an industry-adopted set of guidelines to support either the drafting of applicable contract clauses or the negotiation of applicable terms and conditions between a supplier and a customer. These principles are intended to reduce or eliminate the need for negotiation on these issues and shorten cycle time to signature. Participants who accept these WorldCC Contracting Principles are free to use them on a case by case basis and as they deem appropriate; however, it is expected that the benefits of their use will be maximized when both parties to a transaction agree to rely on them and draft the relevant clauses accordingly. In addition, these principles are not intended to constitute formal legal advice.
- Definitions
The following definitions apply to these WorldCC Contracting Principles:
- "Financial Audit" means investigation and examination of financial records and other documents, for the purpose of verifying amounts charged (including any price changes as stipulated in the contract) and/or credited (e.g., SLA credits) by a Supplier.
- "Compliance Audit" means investigation and examination of Supplier records and premises for the purpose of verifying Supplier’s compliance with data security requirements, specific legal requirements, employee screening requirements, and/or other Supplier contractual obligations (other than SLAs, which are covered by the Service Quality Audit).
- "Service Quality Audit" means investigation and examination of Supplier records for the purpose of verifying that service levels are being met.
- General Concepts
The following concepts form the basis for the more detailed WorldCC Contracting Principles that follow:
- The extent to which audit rights will be provided to a Customer is a commercial issue that should be negotiated based on the size and scope of the deal, and the nature of the solution. The type and extent of audit rights granted should be memorialized in the contract based upon business-to-business discussions.
- Audits are a tool used by Customers to verify that contractual commitments are being met. However, Suppliers have a strong interest in ensuring that the scope of Customer’s audit rights is aligned with the Suppliers’ obligations so as to mitigate costs, confidentiality issues, disruption and other burdens to Suppliers associated with the audit.
- Audit rights should not be unlimited, but should be prescribed based on legitimate Customer needs that cannot be otherwise satisfied, and should not subject a Supplier to undue hardship.
- Audit rights cannot require the Supplier to violate its own legal or contractual obligations.
- WorldCC Contracting Principles
>- General Audit Principles
>- All audit rights, whether for Financial Audits, Compliance Audits or Service Quality Audits, should be subject to (1) reasonable parameters on what can be audited; (2) requirements to provide reasonable advance notice; and (3) restrictions on frequency. One reasonable audit parameter should be the exclusion of third party information, confidential information (unless proper protections are in place) and Supplier highly sensitive information.
- Audit rights should apply during the term and any other periods for which Supplier is contractually required to maintain the records subject to audit, but audits should not be permitted to go back further in time than the period for which a remedy is permitted under the contract.
- Costs of an audit should be borne by the Customer, unless the parties agree that Supplier should bear some pre-agreed portion of the reasonable audit costs if a Financial Audit discloses material over-billing on the part of Supplier or in the event of other material non-compliance.
- Where Customers need audit rights to comply with their own auditing and regulatory requirements, Supplier’s support obligations should be specified in the agreement and should be limited to its provision of services and/or products.
- If faults found during audit constitute a breach of the Supplier’s contract obligations, they should be treated the same as any other contract breach, e.g., the Supplier should be given an opportunity to cure and the Customer should be entitled to the same remedies otherwise available under the agreement.
- Customers and Suppliers should agree on audit methodology and on a process to review audit results, correct for disclosed deficiencies, and confirm corrections are completed.
- If Customers request to use third party auditors, Supplier and Customer should ensure appropriate confidentiality obligations and use restrictions are established with that third party auditor, as well as that the third party auditor is not a competitor of Supplier who could gain competitive advantage through the audit. Audit results should be shared with the Supplier. Where feasible, the entity performing the audit should be required to destroy all data gathered during the audit.
>Financial Audits
>- Financial Audit rights are appropriate for all types of Customer contracts, subject to the general audit principles described above.
- For Financial Audits, records should be limited to those available under Supplier’s record retention policies.
- Customer should not have Financial Audit rights to Supplier’s subcontractors.
>Operational Audits
>- Service Quality Audits intended to determine compliance with service levels generally should be limited to relevant customer-specific operational data, and should not include on-site audit rights.
- Compliance Audits related to data security should be satisfied by Supplier’s provision of responses to security questionnaires and non-sensitive data security information, which may include internal audit reports, SSAE 16, ISAE 3402 or similar audit reports (redacted or summarized as appropriate). Certifications demonstrating achievement of industry standards or the equivalent should serve as validations of compliance with those industry standards.
- Audits should not include penetration or other real-time security testing, which could adversely affect Suppliers’ operations and their customers.
>Recommended Clause:
Audit
>- Company's Right To Audit
>- Right to Audit
The Company may audit the accounts and books of the Contractor which reasonably relate directly to the performance of obligations or work contemplated by this agreement and compliance with Laws at reasonable times and from time to time, not only during the continuance of this agreement, but for [7] years after the date of its termination, or final payment, whichever occurs last.
- Payment Errors
If such audit or audits reveal any error or discrepancy of any nature whatever, such error or discrepancy will be promptly corrected and any amount owing or due to either the Company or the Contractor, will be promptly paid by the other party.
- Improper Payments
If such audit or audits reveal any improper or illegal payment of any nature whatever, the Company may terminate this agreement immediately and enforce any remedies available to the Company under this agreement or applicable law.
- Notice
The Company shall have this right to audit the Contractor's accounts and records only after delivery of written notice to the person whose accounts and records are to be audited in accordance with the provisions for notices set forth in this agreement.
>Company's Right To Retain Records
The Company has the right to make copies of documents audited and such copies are the property of the Company. All audit rights of the Company described herein are in addition to, and are not in any way in lieu of, all other rights of the Company in law or in equity.
>DATA SECURITY AND PRIVACY
- Introduction
The contracting principles in this document have been developed with and are endorsed by the International Association of Contract and Commercial Management (WorldCC) and are referred to as the “WorldCC Contracting Principles.” They are intended to serve as an industry-adopted set of guidelines to support either the drafting of applicable contract clauses or the negotiation of applicable terms and conditions between a supplier and a customer. These principles are intended to reduce or eliminate the need for negotiation on these issues and shorten cycle time to signature. Participants who accept these WorldCC Contracting Principles are free to use them on a case by case basis and as they deem appropriate; however, it is expected that the benefits of their use will be maximized when both parties to a transaction agree to rely on them and draft the relevant clauses accordingly. In addition, these principles are not intended to constitute formal legal advice.
- Definitions
The following definitions apply to these WorldCC Contracting Principles:
- “Personal Data” means personal data (such as personally identifiable information and credit card information) and other highly sensitive data (such as passwords) of a customer or its clients that are in the possession of or accessible by the supplier. Depending on the originator, nature, and location of the data being processed, the definition of Personal Data may be modified to take into account applicable law (for instance, data subject to HIPAA, the European Data Privacy Directive, GDPR, or PIPEDA).
- “Data Non-Compliance” means a failure by the supplier to comply with its obligations regarding the handling or safeguarding of Personal Data under the contract or under data protection/privacy laws or regulations applicable to the supplier.
- “Data Loss” means
- the improper use or disclosure of Personal Data by the supplier,
- unauthorized access by the supplier’s employees or by third parties to Personal Data held by or accessed through the supplier, or
- the loss by the supplier of media on which Sensitive Data is held.
(Not all Data Losses result from a Data Non-Compliance, such as where hacking takes place despite the supplier’s compliance with all applicable obligations.)
- General Concepts
The following concepts form the basis for the more detailed WorldCC Contracting Principles that follow:
- A security environment should be based on the assumption that failures may occur and should provide for multiple layers of protection to guard against high-impact Data Losses. Contract terms should, where possible, provide specificity with regards to the types of Personal Data being exchanged, the permitted uses of such Personal Data by the supplier, and any sharing or re-transmission of the Personal Data required by supplier.
- Contract terms should reflect a balance of cost and benefit in the security environment. Customers and suppliers can more effectively reduce operational risks of Data Losses by focusing on (and clearly delineating) their respective security obligations rather than by focusing solely on supplier liabilities in the event of a Data Non-Compliance.
- The extent to which a supplier will conform to particular industry security standards or will meet custom/more exacting requirements is a commercial issue that should be negotiated based on the size and scope of the deal (including particular security safeguards) and the nature of the solution (e.g., whether a standard multi-customer environment or a custom-built solution). The allocation of liability for Data Non-Compliance should be a function of the outcome of those business-to-business discussions.
- The same liability principles should apply to Data Non-Compliance as all other potential breaches under an agreement – liability should be based on sufficient proof of a breach, should be proportionate to fault, and should reflect a fair allocation of risk as agreed to by the parties.
- The obligation to mitigate damages – whether claimed by a party to the contract or by a third party - should apply, either pursuant to governing law of the agreement or as explicitly stated in the agreement.
- In respect of Personal Data, other types of confidential information may be subject to contractual confidentiality obligations but are not considered Personal Data within the scope of this Principles document.
WorldCC Contracting Principles
>- Scope of Personal Data Protection Obligations
>- The supplier’s ability to re-transmit Personal Data, if applicable, and the Supplier’s permitted use of Personal Data should each be clearly described in the agreement.
- The supplier’s data security obligations should be clearly and accurately described based on the role it will perform and should focus on functions and tasks, not outcomes.
- Customers should be expected to undertake reasonable steps to safeguard their own Personal Data (such as encryption or regular backups) to mitigate against potential losses and resulting damages.
- The supplier should specify the security standards to which its operations adhere by reference to specific industry standards (such as ISO 27001, PCI-DSS, etc.) or otherwise, and the supplier should provide applicable certifications upon request.
>Compliance with Laws and Regulations
>- Each party should comply with the data protection/privacy laws, regulations and mandatory industry standards (such as PCI-DSS) that apply to its own operations and activities. Except where Supplier is obligated to provide specific compliance activities, the supplier should not be expected to be responsible for compliance with data protection/privacy laws that apply to the customer’s operations and activities, but should take commercially reasonable actions to assist the customer in facilitating such compliance. Where required by law or regulation, the supplier and the customer will promptly enter into any additional agreements or file any additional materials required for compliance (for example, EU model clauses).
- When appropriate, the customer’s data protection/privacy compliance activities that are included in the scope of supplier’s services should be clearly stated within the contract to avoid misunderstandings or gaps in responsibilities.
- The contract should provide an equitable mechanism to modify the supplier’s contract obligations (and charges, where appropriate) based on changes to data protection/privacy laws applicable to the supplier and/or customer.
- Suppliers should not be expected to provide customers with independent compliance audit reports that contain highly sensitive information and are generally not created for dissemination. Rather, the parties should adopt an alternative process by which their respective experts can meet to share appropriate information to give the customer assurances relating to security controls. In cases where customers have obligations to provide regulators with suppliers’ compliance documentation or where laws or regulations permit regulators to audit suppliers’ compliance with security standards, the contract should address those situations and provide for appropriate safeguards for the supplier’s information and operations.
>Allocation of Liability for Data Losses
>- A supplier should be liable in the event of its Data Non-Compliance but should not be expected to act as an insurer or guarantor of the customer’s security environment. A supplier should be accountable only for Data Losses that result from its Data Non-Compliance. If a Data Loss results from multiple points of failure, the supplier should be held responsible only to the extent the loss is the result of its Data Non-Compliance(s) (shared fault = shared risk).
- For service offerings where the supplier has only incidental access to Personal Data (e.g., business contact information for customer employees) and the risk of damages is small, the supplier’s liability for a Data Non-Compliance should be subject to the standard contract limitation of liability (such as a cap at a fixed dollar amount or a multiple of average monthly charges).
- Where the supplier is operating within the customer’s security environment or has significant access to Personal Data, it would be appropriate for the supplier to be subject to higher liability caps for a Data Non-Compliance.
- The contract’s general exclusion of indirect, consequential or similar categories of damages should apply in the case of Data Loss. However, it may be appropriate to identify discrete categories of covered damages for which the supplier will be liable (subject to caps), such as cost of breach notifications, credit monitoring, data recovery (unless a customer’s failure to back up its data in a reasonable fashion gave rise to the loss), and regulatory fines. These exclusions and covered categories of liabilities should also apply to supplier’s indemnifications for third party claims attributable to a Data Non-Compliance.
>Recommended Clause:
Data Security
{_P1} shall maintain an information security system and protocol to protect {_P2}'s information from unauthorized access, disclosure or misuse. {_P1} shall:
- maintain adequate physical controls and password protections for any server or system on which any Data may reside,
- encrypt any Data that is in transmission, and
- encrypt any Data located on any storage media.
>INDEMNIFICATION OF THIRD PARTY CLAIMS (EXCLUDING INTELLECTUAL PROPERTY CLAIMS)
- Introduction
The contracting principles in this document have been developed with and are endorsed by the International Association of Contract and Commercial Management (WorldCC) and are referred to as the “WorldCC Contracting Principles.” They are intended to serve as an industry-adopted set of guidelines to support either the drafting of applicable contract clauses or the negotiation of applicable terms and conditions between a supplier and a customer. These principles are intended to reduce or eliminate the need for negotiation on these issues and shorten cycle time to signature. Participants who accept these WorldCC Contracting Principles are free to use them on a case by case basis and as they deem appropriate; however, it is expected that the benefits of their use will be maximized when both parties to a transaction agree to rely on them and draft the relevant clauses accordingly. In addition, these principles are not intended to constitute formal legal advice.
- Definitions
The following definition applies to these WorldCC Contracting Principles:
- “Indemnification” means that the indemnifying party (“Indemnitor”) will defend and be responsible for a claim made by a third party against the indemnified party (“Indemnitee”) to the extent that the Indemnitor expressly undertook the indemnification obligation with respect to the specific acts or omissions under the agreement that gave rise to the claim.
- General Concepts
>- The following concepts form the basis for the more detailed WorldCC Contracting Principles that follow:
- Although parties to a contract generally recognize that their acts or omissions under the agreement may have an effect on third parties – particularly where a supplier is enabling a customer to provide its products or services downstream – the supplier should not be expected to step into the shoes of the customer in taking on all risks that the customer faces in doing business in the marketplace.
- Third parties should not be viewed as beneficiaries of an agreement between customers and suppliers unless expressly made so in the agreement.
- Customers should be expected to undertake commercially reasonable efforts to shield themselves from liability (e.g., by including appropriate flow down terms in its own agreements with their end consumers or by means of appropriate insurance) and should not look to suppliers to act as insurers in the event those efforts are not successful in warding off claims.
- The agreement is not the sole vehicle by which a party can hold the other party accountable for third party claims; a party can also join the other party as a third party defendant in litigation initiated by a third party plaintiff.
>Given that a third party is not a party to the agreement, the third party is not bound by any limitations to or exclusions from liability in that agreement. However, where the third party is an end-customer of the customer, then it is reasonable to expect that the latter could limit its exposure to certain claims under its contractual relationships with its end-customers, thereby foreclosing the end-customers from bringing claims for indirect, consequential damages and the like.
WorldCC Contracting Principles
>- Scope of Indemnification Obligations
>- Each party should indemnify the other for third party claims relating to (i) personal injury, death, and property damage due to a party’s (or its subcontractors’ or agents’) negligence or willful misconduct; and (ii) where relevant to the services provided, employment matters brought by employees of the Indemnitor against the Indemnitee.
- Supplier indemnification for data losses should be limited to only those transactions where the supplier will need to be in control of or have ongoing access to personal data belonging to the customer’s clients in order to provide services.
- Supplier’s indemnification for governmental or regulatory fines or penalties incurred by the customer should be limited to those that are a direct result of the supplier’s breach of the agreement with respect to obligations to comply with applicable laws or regulations.
- Customers should indemnify suppliers for third party claims associated with the customers’ business operations, data, or business content that gave rise to the claim except to the degree the suppliers’ acts or omissions contributed to the damages.
- The parties to be indemnified should be specified in the agreement. Suppliers should be willing to indemnify the customer and its affiliates, agents, and assigns.
>Applicability of Limitations of and Exclusions from Liability for Indemnification Obligations
>- The same limitation of liability should apply to indemnification obligations as would apply if the claim were made by the Indemnitee itself against the Indemnitor.
- Third party claims should be treated as direct damages to the Indemnitee regardless of their nature if the Indemnitee could not have reasonably protected itself against those claims contractually (e.g., the Indemnitee was not able to exclude lost profits or goodwill from its customer agreements or the third party is seeking damages under tort).
>Conditions for Indemnification
>- The Indemnitee should have the same obligation to mitigate third party damages as it would to mitigate its own.
- Any obligation to indemnify for third party claims should be preconditioned upon the following:
- A party seeking indemnification pursuant to an agreement has the burden of proof for the amount of losses being claimed under the relevant indemnity unless the agreement specifies liquidated damages in the particular situation.
- The extent of liability for the claim should be proportional to the fault on the part of the Indemnitor vis-à-vis fault by the Indemnitee or any other party.
- The Indemnitee must give prompt notice of the claim to the Indemnitor or relieve the latter for any incremental liability caused by the delay.
- The Indemnitee must provide all reasonable support to the Indemnitor in defense of the claim (if the Indemnitor will be undertaking defense of the claim), with the latter responsible for payment of any reasonable out-of-pocket expenses incurred by the former for that support.
- The Indemnitee has the right to participate (at its own expense) in the defense of the claim; provided that the Indemnitor has priority rights to take the lead on the defense.
- The Indemnitee cannot settle any claim for which indemnification is sought without the express prior written consent of the Indemnitor.
- The Indemnitor cannot admit to guilt or fault on the Indemnitee’s part without the express prior written consent of the latter.
- The Indemnitor cannot take any action in the course of the defense that would impugn the reputation or goodwill of the Indemnitee.
>>Recommended Clause:
Indemnification
>- Indemnification by {_P2}
The {_P2} shall indemnify the {_P1} against all losses and expenses arising out of any proceeding:
- brought by either a third party or the {_P1}; and
- that arises out of any breach by the {_P2} of its obligations, representations, warranties, or covenants under this agreement.
>Mutual Indemnification
Each party (as an "Indemnifying Party") shall indemnify the other (as an "Indemnified Party") against all losses arising out of any proceeding:
- brought by either a third party or an Indemnified Party; and
- that arises out of the Indemnifying Party's willful misconduct or gross negligence.
>>INTELLECTUAL PROPERTY RIGHTS AND INDEMNIFICATION FOR THIRD PARTY IP CLAIMS
- Introduction
The contracting principles in this document have been developed with and are endorsed by the International Association of Contract and Commercial Management (WorldCC) and are referred to as the “WorldCC Contracting Principles.” They are intended to serve as an industry-adopted set of guidelines to support either the drafting of applicable contract clauses or the negotiation of applicable terms and conditions between a supplier and a customer. These principles are intended to reduce or eliminate the need for negotiation on these issues and shorten cycle time to signature. Participants who accept these WorldCC Contracting Principles are free to use them on a case by case basis and as they deem appropriate; however, it is expected that the benefits of their use will be maximized when both parties to a transaction agree to rely on them and draft the relevant clauses accordingly. In addition, these principles are not intended to constitute formal legal advice.
- Definitions
"Intellectual Property" means any and all of the following in any jurisdiction throughout the world:
- trademarks and service marks, including all applications and registrations, and the goodwill connected with the use of and symbolized by the foregoing;
- copyrights, including all applications and registrations related to the foregoing;
- trade secrets and confidential know-how;
- patents and patent applications;
- websites and internet domain name registrations; and
- other intellectual property and related proprietary rights, interests and protections (including all rights to sue and recover and retain damages, costs and attorneys' fees for past, present, and future infringement, and any other rights relating to any of the foregoing).
>General Concepts
The following concepts form the basis for the more detailed WorldCC Contracting Principles that follow:
- Intellectual property owned by a party remains that party’s property unless expressly transferred under the contract.
- A party’s use of and rights to another party’s intellectual property must be expressly specified in the contract.
- Where services are provided by a supplier, the focus of the contract with the customer should be on the service and not on the intellectual property of the underlying components that are used in the provision of the service.
- The supplier should stand behind all of the intellectual property that is incorporated into the service, and indemnify the customer against third party claims which relate to the service and any elements thereof, subject to appropriate limitations (see below).
WorldCC Contracting Principles
>- Intellectual Property Rights
>- Each party owns the intellectual property it creates before, during and after the contract term, except as may be specifically provided in a contract or an attachment thereto.
- As between the parties to a contract, the party furnishing information or materials to the other retains its intellectual property rights in such information or materials, subject to any license rights that are granted by the furnishing party (or by a third party licensor).
- The Customer has the right to use the deliverables and other Supplier intellectual property necessary to use the services only to the extent and for so long as necessary to use the service provided under the contract for the Customer’s specific business needs.
- The Supplier has the right to use Customer intellectual property only to the extent and for so long as necessary to provide the services under the contract for the Customer's specific needs including any transition.
- In circumstances where broader (or longer duration) license terms to deliverables are appropriate, those rights should be specifically provided in a contract or an attachment thereto. As to deliverables created in connection with the provision of services provided to multiple customers (i.e. shared services type offering), it may be appropriate for the Customer to be granted a license to that delivered content that is unique to that Customer and is first created by the Supplier in the performance of the services to that Customer; and the Supplier would be granted a license to use the Customer's IP to the extent necessary for the Supplier's provision of services.
- As to customized unique content (such as a custom software application) that is developed for a Customer's sole use, in accordance with the Customer's specifications without the benefit of the Supplier's right to re-use such content, a provision granting the Customer exclusive use of such content may be appropriate. Third-party software, services, and equipment are provided subject to the third party’s license terms.
- Generally, where services do not contemplate software development, “work-for-hire” and similar provisions allocating ownership rights are not applicable.
>Intellectual Property Infringement
>- The Supplier will be responsible to defend and pay/settle any third-party claim against the Customer alleging that the supplier’s service infringes the third party’s intellectual property rights in any country in which the service is provided or where the services/deliverables are intended to be used. The Supplier will not be responsible for infringement claims that arise from the following ("Excluded Claims"):
- combination of the Supplier’s service with items provided by the Customer or others;
- modification to the Supplier’s service by someone other than the Supplier;
- the Supplier’s adherence to the customer’s requirements;
- the Customer’s content; and
- use of the service by the Customer in breach of contract restrictions or in any manner other than as expressly contemplated by the contract.
>Customers should have an obligation to indemnify suppliers for Excluded Claims, but only when dealing with outsourcing or significant integration.
The obligation to indemnify for third party infringement claims should not be subject to any limitation of liability cap unless the indemnification provisions pose an extraordinary risk to one of the parties.
The Customer will promptly notify the supplier of any such claims, and the supplier will not be responsible for any losses attributable to a notification delay.
The indemnification of third-party claims is sufficient to protect the Customer. In light of the indemnity for third party claims, the Supplier should not be expected to warrant or represent that its services do not infringe third party intellectual property rights. If the Supplier’s service infringes a third party’s IP (or is subject to a claim of infringement), the Supplier may:
- obtain from the third party the right for the Customer to continue its use of the service;
- modify the service so it is not infringing without materially reducing the functionality and performance of the service; or
- substitute another service having substantially the same functionality and performance criteria.
>If the Supplier is unable to implement any of these measures through commercially reasonable efforts, the Supplier may cease providing the service that is subject to the third party claim and refund any prepaid charges.
>Recommended Clause:
Intellectual Property
>- Preexisting Intellectual Property
Each party will retain exclusive interest in and ownership of its Intellectual Property existing prior to this agreement or developed outside the scope of this agreement.
- Independently Developed Intellectual Property
Any Intellectual Property developed solely by a party under this agreement without the participation of the other party is and will remain the sole and exclusive property of the developing party.
- Jointly Developed Intellectual Property
In the event that the parties jointly develop Intellectual Property, the parties shall engage in good faith negotiations to establish their respective rights. In the event the parties cannot reach an agreement with regard to such jointly developed property, each party will have equal ownership and rights in such intellectual property, without further obligation and without a duty to account to the other party.
- Intellectual Property Definition
"Intellectual Property" means any and all of the following in any jurisdiction throughout the world:
- trademarks and service marks, including all applications and registrations, and the goodwill connected with the use of and symbolized by the foregoing;
- copyrights, including all applications and registrations related to the foregoing;
- trade secrets and confidential know-how;
- patents and patent applications;
- websites and internet domain name registrations; and
- other intellectual property and related proprietary rights, interests and protections (including all rights to sue and recover and retain damages, costs and attorneys' fees for past, present, and future infringement, and any other rights relating to any of the foregoing).