SCORM Tools provides its services through WelcomeNext S.L., whose details are listed below:

 

Name/Company name: WelcomeNext S.L.

Commercial name: SCORM TOOLS

VAT ID: ES-B86432325

Address: Avenida de Europa 26, ATICA 5, 2nd floor. Pozuelo de Alarcon. Madrid (28224) Spain

Email: [email protected]

 

These General Conditions of Use and Contracting (hereinafter the “Conditions”) regulate the acquisition and use of the products and services that WelcomeNext makes available to its users and/or clients through the Internet portal https://www.scormtools.net/ (hereinafter, the “Website” or the “Website” interchangeably).

 

SUBJECT

This Contract seeks to establish the grounds according to which WELCOMENEXT is to provide the following services to the CLIENT:

 

  • SCORM TOOLS hosting at WELCOMENEXT’s cloud-based servers, to be used by the CLIENT.
  • Technical support and maintenance service, in accordance with the terms and conditions set forth in this agreement.

 

DATA PROTECTION POLICY

The parties, following the current laws on Personal Data Protection and pursuant to article 28 of the GDPR agree as follows:

For the provision of the Services and for the execution thereof in accordance with the Contract, WELCOMENEXT shall have access to certain personal data of the CLIENT and, in particular, to the following: Identification data (name and surnames, address and VAT ID) and user name (email/Nick).

The provision of services delivered by WELCOMENEXT involves the processing of the following: collecting, record, structuring, preservation and interconnection.

WELCOMENEXT, acting as data processor, represents and warrants to the CLIENT the following:

  • It has enough technical capacity to meet the obligations of the Contract in full compliance with the laws regarding personal data protection, being able to commit itself, insofar as is required for the provision of the Services, to comply with the requirements of the GDPR.
  • It will maintain the secrecy and confidentiality of the personal data owned by the CLIENT to which access is provided.
  • It will process the personal data to which access is provided exclusively on behalf of the CLIENT and, in any case, in accordance with the instructions given by the CLIENT. Similarly, it must use such data only for the provision of the Services and, consequently, cannot use them or implement them in any way exceeding such purpose.
  • It shall not provide third parties, not even for safekeeping, data to which access is provided pursuant to the provision of the Services, or similar developments, assessments or processes carried out with such data, or duplicate or reproduce all or part of the information, results or relations on such data, except for such cases where it is legally enforceable.
  • All personal data processed by WELCOMENEXT is hosted on servers located within the European Union. Likewise, WELCOMENEXT represents and warrants that the backups of data are hosted on servers located within the European Union.
  • It shall provide the CLIENT with the necessary information to prove compliance of its obligations, and for audits or inspections carried out by the CLIENT, or an auditor on its behalf.
  • It shall appoint a data protection officer and communicate the identity and contact details to the CLIENT, when put under the obligation to designate one. If WELCOMENEXT does not have the obligation to designate a data protection officer, it must notify such fact to the CLIENT through a statement of responsibility.
  • It shall guarantee that the persons authorised to process personal data commit themselves, expressly and in writing, to respect confidentiality and comply with the corresponding security measures, of which they shall inform accordingly. To that end, WELCOMENEXT shall keep available to the CLIENT all documents evidencing compliance with the obligation set forth in this paragraph.
  • It shall guarantee the necessary training, in the field of personal data protection, of those persons authorised to process personal data for which it is responsible.
  • It shall give support to the CLIENT in the carrying-out of impact assessments with regard to personal data to which access is provided, as appropriate and requested by the CLIENT.
  • It shall give support to the CLIENT in the prior consultations held with the control authority, where applicable.
  • If WELCOMENEXT considers that the fulfilment of any particular instruction given by the CLIENT might entail a breach of the GDPR or any other applicable regulations modifying or supplementing it, WELCOMENEXT must immediately inform the CLIENT and ask it to withdraw, amend or confirm such instruction. WELCOMENEXT may suspend the implementation of the relevant instruction while awaiting the CLIENT’s decision with regard to the withdrawal, amendment or confirmation of the corresponding instruction.
  • On completion of the provision of Services and at the CLIENT’s request, WELCOMENEXT will immediately destroy the personal data to which it had access to, and the documents or storage mediums that included such data.
  • It shall implement mechanisms to: (i) ensure permanent confidentiality, integrity, availability and resilience of processing systems and services (ii) restore data availability and access in a quick way in case of physical or technical incidents; (iii) constantly verify, assess and value the effectiveness of technical and organisational measures implemented to ensure security of processing; and (iv) pseudonomise and encrypt data, where appropriate.
  • As data processor it shall notify the CLIENT, without undue delay, and in any case within a maximum of 24 hours, via emai, of any incident, suspected or confirmed, on data protection, of any unlawful or unauthorised data, of any loss, destruction or damage to personal data within the area of responsibility of WELCOMENEXT (caused by WELCOMENEXT, its staff, agents or subcontractors) and of any incident that may be considered to be a security breach of data, along with all relevant information for the documentation and communication of the incident to the authorities or affected parties. In this sense, if available, at least the following information is to be provided:
    • Description of the nature of the breach of data security, including, where possible, the categories and approximate number of affected parties, and the categories and approximate number of affected personal data registries;
    • Name and contact details of the data protection officer or of another point of contact from which detailed information can be obtained;
    • Description of the possible consequences of the breach of data security; and
    • Description of the adopted or proposed measures to remedy the breach of data security, including, where appropriate, the measures adopted to mitigate the potential negative effects.

Additionally, WELCOMENEXT shall immediately open a full investigation on the circumstances associated with such incident and shall submit its report or comments on it to the CLIENT, and it shall fully cooperate with the investigation that may be performed by the CLIENT, providing the CLIENT with the assistance required to investigate such incident.

Likewise, it shall assist the CLIENT, in the event of a breach of personal data security, so as to ensure compliance with the reporting obligations of a breach of personal data security in accordance with the GDPR (in particular, arts. 33 and 34 of the GDPR) and any other applicable regulations amending, complementing or that may be enacted in the future.

  • It shall assist the CLIENT, at its request, upon simple application, delivering any kind of information or documents needed to provide a proper response to the exercise of the rights of access, rectification, erasure, opposition, limits to processing or data portability that it may receive from the interested parties, it all within reasonable deadlines and, in any case, sufficiently in advance for the CLIENT to be able to comply with legally established deadlines for the provision of the aforementioned rights.
  • In those cases where it receives a direct request of access, rectification, erasure, opposition, limits to processing or portability from the affected party, holder of the processed data, it undertakes to immediately transfer such request to the CLIENT so that it can be addressed within the legally established deadlines.
  • It shall not subcontract the Services to third parties unless it has prior written authorisation from the CLIENT or it refers to ancillary services that WELCOMENEXT needs in order to provide its services properly.

If WELCOMENEXT needs to sub-process processing, it must inform the CLIENT about the services and processing that wants to be outsourced, the identity of the subcontractor and its contact details. Such notice must be made by WELCOMENEXT at least two weeks before the signing of the outsourcing, and throughout such period the CLIENT may oppose to such outsourcing.

The subprocessor will also be subject to the obligations imposed upon WELCOMENEXT under this Contract and to the instructions given by the CLIENT at any given time. In this sense, WELCOMENEXT must capture the subprocessing and the obligations of the subprocessor in a contract signed by WELCOMENEXT and the subprocessor, which fulfils the formal requirements contained in this clause. In the case of failure on the part of the subprocessor to fulfil its obligations on data protection, WELCOMENEXT will undertake responsibility to the CLIENT with respect to such failures, as if such failure had been committed by WELCOMENEXT.

  • It shall maintain a written record of all categories of processing activities carried out in accordance with this Contract, containing:
    • The name and contact details of WELCOMENEXT and, where appropriate, of the CLIENT’s representative or of WELCOMENEXT’s representative and of the data protection officer;
    • The categories of processing carried out in accordance with the Contract; and
    • In the event of international transfers (which must be, in any case, regularised or authorised by the CLIENT), the identification of the third country of destination of the data owned by the CLIENT and documentation on appropriate guarantees.
  • It shall not carry out international transfers of personal data to which access is provided, owned by the CLIENT, unless it has prior and written authorisation of the CLIENT or they have been dully regularised.
  • It shall have a general description of the technical and organisational security measures regarding: (i) pseudonomisation and encryption of personal data, where appropriate; (ii) the capacity to ensure permanent confidentiality, integrity, availability and resilience of processing systems and services (iii) the capacity to restore personal data availability and access in a quick way in case of physical or technical incidents; and (iv) the process of constant verification, assessment and valuation of technical and organisational measures implemented to ensure security of processing.

Additionally, WELCOMENEXT undertakes to implement all technical and organisational security measures that may be applicable in accordance with the GDPR (namely, those laid down in article 32) and any other applicable regulations that amend, complement or replace it. In the particular context of this relationship, following the relevant risk analysis, both parties have agreed that the specific security measures that WELCOMENEXT must implement in connection with the data processed under this Contract are those referred to in clause 4.6 below.

Such security measures, and any others that may be implemented can be amended at the request of the CLIENT so as to accommodate them to regulatory changes or variations in the type of personal data to which WELCOMENEXT is to have access to.

In accordance with the provision of the data protection law, WELCOMENEXT shall be considered as a data controller should it use the data for another purpose, disclose or use them in breach of the stipulations of this Contract, answering for the breaches it has personally caused.

Pursuant to that set forth in the applicable regulations on Personal Data Protection, the CLIENT and WELCOMENEXT inform the signatories acting in the name and on behalf of each of the parties in this Contract (“Representatives“) that the personal data laid down in this Contract and those arising out of the relationship, shall be processed by each of the parties, as data controllers, on the basis of the legal interest of each party in maintaining, complying with, developing, controlling and executing that provided for in this Contract.

Data shall be kept for at least the duration of the relationship, being able to preserve it subsequently blocked during the limitation to legal actions related to such processing.

To all appropriate effects, the parties inform the Representatives that their data will not be disclosed to third parties except in the cases provided by the law and access to such data will only be given to service providers of the parties in the systems, technology and administrative management sectors.

If the Representatives wish to exercise their rights to access, rectification, cancellation, limits to processing and, in those situations where it is possible, opposition, they may do so by way of a written request addressed to the addresses specified in the Contract’s appearance clause or to the following addresses, attaching a copy of a personal identification document:

They may also address the Spanish Data Protection Agency to claim their rights.

 

SECURITY MEASURES

This article lays down the security measures of information and personal data systems used during the provision of the SCORM TOOLS service to the CLIENT.

The CLIENT is the controller of the files used for the service provision of the SCORM TOOLS system while WELCOMENEXT is assigned the processing of the files.

While executing its maintenance duties, WELCOMENEXT shall limit its access to personal data to that necessary for the execution of the Contract and will strictly comply with the current personal data protection regulations.

WELCOMENEXT may subcontract the hardware servers that are to host the services rendered. In accordance with the personal data protection regulations, the CLIENT accepts and authorises the personal data saved in the SCORM TOOLS system to be stored on devices outside the premises of the CLIENT and WELCOMENEXT, so as to guarantee the level of security relevant to the type of file processed.

Functions and duties of the staff of WELCOMENEXT

Access to the SCORM TOOLS system and to the data therein contained shall be provided to both analysts/programmers of the WELCOMENEXT team, and system technician, who shall develop the following tasks:

  • Incident management.
  • Maintenance of hardware and software systems.
  • Fulfilment of security activities.
  • Making backup copies of the system and stored data.
  • Production readiness of the programming code.
  • System coding and testing.

Security copies

Backup copies of all the SCORM TOOLS system used by the CLIENT will be made on a daily basis, as well as of its specific configuration. This will also include copies of all information stored in the system (databases, documents, etc.).

Backup files shall be transported through a communications network with certain security measures and secure protocols.

Backup files shall be made every day from ZERO HOURS (00:00) and FIVE HOURS (05:00) (CET) in the morning, during which the service may run at below normal service level.

WELCOMENEXT shall store daily backups for a maximum of 7 days.

 

TECHNICAL SUPPORT AND MAINTENANCE

WELCOMENEXT offers technical support via e-mail [email protected]. This shall be available to the CLIENT over the life of the Contract.

Response times shall be proportional to the seriousness of the error, and in no case will they exceed that expressed in the table below:

TYPE DESCRIPTION RESPONSE TIME
SOFT Soft errors shall be those that do not affect the proper functioning of the system and users can use the system in a normal way. They relate to errors in the text, style, pictures, colours and other irrelevant mistakes, among others.

72 hours

MODERATE Moderate errors shall be those that do affect the normal use of the system by users, but enables them to access the service partially. These errors relate to functionality, access to a section or to certain information and display problems affecting the optimum navigation through the application.

48 hours

SERIOUS Serious errors are those that prevent the users from accessing the application. These errors relate to general system errors and server problems.

24 hours

 

Response time is defined as the time interval between the moment in which the incident is received and the time when WELCOMENEXT’s technicians begin working to solve it. This time is calculated in work hours, that is to say, during standard working hours. If necessary, contact will be maintained with the CLIENT to instruct, should it be necessary, him on how to perform a corrective action or the scope of the actions to be performed.

 

RATES AND FORM OF PAYMENT

 Official rates for the SCORM TOOLS service are those shown on website: www.scormtools.net.

The amount of such rates can be paid via credit or debit card.

 

GUARANTEE FOR THE SERVICE PROVIDED (SLA)

 WELCOMENEXT shall be responsible for the functioning of the hardware and software under its supervision according to the contracted service, bearing the costs of the incidents that take place in the service when they are WELCOMENEXT’s responsibility. The CLIENT must communicate the failure or incident via email to the support email: [email protected].

WELCOMENEXT guarantees 99% availability in the service. In case of serious incidents or suspension of service for more than 8 hours, WELCOMENEXT will discount from the next invoice issued to the CLIENT, the amount that is proportionate to the duration of the service disruption.

In the event of incidents that can derive from the misuse by the CLIENT it reserves the right to invoice the CLIENT for the replacement expenses.

WELCOMENEXT does not assume any responsibility for the adequacy of the services offered to the CLIENT’s needs. The inadequacy is not a reason for contract termination or non-payment of dues.

 

RESPONSIBILITIES

 WELCOMENEXT shall not be liable for the loss of profits and damage resulting from the use, functioning or performance of the software, and shall only be liable for the acts carried out that are necessary to comply with its obligations in accordance with this Contract.

WELCOMENEXT shall not be liable for breaches of its obligations defined under this Contract, when the performance of such obligations has been reasonably hindered, interfered or delayed due to circumstances beyond the control of WELCOMENEXT. These events will include, among others, force majeure acts, accidental acts, strikes, riots, lockouts, acts of war, epidemics, official acts or regulations, fires, communication failures, failures in the electricity supply, lightning, earthquakes, floods, disasters and other events.

WELCOMENEXT cannot be held responsible for the use of data stored in the system. The CLIENT shall be responsible for the correct management of access, modification or deletion of such data.

The Parties shall be subject to the obligation to compensate for damages caused to the other Party as a result of the breach of this Contract.

WELCOMENEXT’s responsibility for damages resulting from the breach of its contractual obligations shall be limited, in any case, to a maximum amount equal to the service that has been contracted under this Contract.

 

INTELLECTUAL AND INDUSTRIAL PROPERTY

The terms and conditions agreed in this Contract do not involve, implicitly or explicitly, the transfer of any of the intellectual or industrial rights of the Software, its manuals or data model. The knowledge and know-how inherent to the Software, along with the knowledge used for its configuration, are also WELCOMENEXT’s own and confidential information.

The CLIENT shall take responsibility for the actual damages to WELCOMENEXT arising directly from the fraudulent use or illegal copy of programs or this information by the CLIENT’s own employees, having to take all necessary measures to ensure that only authorised persons have access to such protected information.

The CLIENT must respect the copyright notices appearing in the programme or in the original documentation.

The CLIENT is responsible for ensuring that the content stored in the platform respects the applicable industrial and intellectual rights. WELCOMENEXT shall in no case be held liable for infringements of industrial or intellectual property concerning materials, elements, videos, photos, documents or any other element uploaded to the platform by users.

The content stored in the platform, along with any industrial and intellectual property, shall be held by its respective authors. As a result, WELCOMENEXT may not under any circumstances carry out a disposal, sale, lease, transfer or others of the data collected.

APPLICABLE LAW AND JURISDICTION

This contract shall be interpreted in accordance with the Spanish law. In the event of a dispute over the whole or part of this contract, the parties shall be subject to the jurisdiction of the Courts and Tribunals of the city of Madrid (Spain).