WORKPLACE ENTERPRISE AGREEMENT

FOR RESELLER CUSTOMERS

1. Use of Workplace.
   1. Your Usage Rights. Subject to the terms and conditions of this Agreement, during the Term, you have a non-exclusive, non-transferable, non-sublicensable right to access and use Workplace for your own internal business purposes in accordance with this Agreement. Use of Workplace is limited to the Users for whom you enable accounts, and you are responsible for all Users and their compliance with this Agreement and their access to, and use of, Workplace. For clarity, Workplace is provided as a service to you, not to Users individually.
   2. Accounts. Your registration and account information must be accurate, complete and kept up-to-date. Workplace accounts are for individual Users and cannot be shared or transferred. You must keep all login credentials confidential and agree to notify Facebook immediately if you discover any unauthorized use of your accounts or login credentials. Different Workplace account types have different permissions (e.g., admin accounts) and you may not grant Users greater permissions than allowed under their account types.
   3. Restrictions. You will not (and will not permit anyone else to): (a) use Workplace on behalf of any third party or rent, lease, provide access to or sublicense Workplace to any third party, except Users as expressly permitted herein; (b) reverse engineer, decompile, disassemble, or otherwise seek to obtain the source code to Workplace, except to the extent expressly permitted by applicable law (and then only upon advance notice to Facebook); (c) copy, modify or create derivative works of Workplace; (d) remove, modify or obscure any proprietary or other notices contained within Workplace; (e) publicly disseminate information regarding the performance of Workplace; or (f) share admin access tokens with or grant similar app access permissions to any third party not expressly approved by Facebook, and, if you decide to grant such admin access, either via token or app permission, with an approved third party, you may allow the third party access to your data or content only to the extent necessary for the purpose approved by Facebook and consistent with your instructions. We reserve the right to limit such third party access (e.g., by resetting the access token or removing the app permission) at any time if we believe admin access has been or will be misused.
   4. Setup. During the setup of your Workplace instance, you will appoint a User(s) as the system administrator(s) of your Workplace environment who is responsible for managing your Workplace instance. You must ensure you have an active admin for your Workplace instance at all times.
2. Your Data and Obligations.
   1. Your Data. As between the parties, you retain all right, title and interest (including intellectual property rights) in and to Your Data. During the Term, you grant Facebook a non-exclusive, worldwide, royalty-free, fully-paid right to use, copy, store, transmit, modify, display, perform and create derivative works of Your Data as necessary to provide Workplace to you, for related support purposes, and as otherwise expressly permitted in this Agreement. You acknowledge that Facebook is the data processor and that you are the data controller of Your Data, which Facebook may use on your behalf and in accordance with your instructions as set forth in this Agreement. You instruct Facebook to process Your Data for the purposes specified in this Agreement.
   2. Your Obligations. You agree to Workplace's Acceptable Use Policy and further agree (a) that you are solely responsible for the accuracy and content of Your Data; (b) to obtain all necessary rights and consents required by Laws from your Users and any applicable third party to allow the collection and use of data (including any personal data) with Workplace as contemplated in this Agreement; and (c) that your use of Workplace, including Your Data and its use hereunder, will not violate any Laws or third party rights, including intellectual property, privacy or publicity rights. You are responsible for the selection and content of any of Your Policies applicable to your use of Workplace and for communicating Your Policies to Users, provided that any such policies must be consistent with this Agreement. If any of Your Data is submitted or used in violation of this Section 2, you agree to promptly remove it from Workplace. You are solely responsible for any decision to share Your Data among Users or with third parties using Workplace, and Facebook is not responsible for use, access, alteration, distribution or deletion of Your Data by those to whom you or your Users make it available. Both parties agree to the obligations set out in the Privacy Shield Addendum.
   3. Prohibited Data. You agree not to submit to Workplace any information or data that requires safeguarding or dissemination controls pursuant to applicable laws and/or regulation ("Prohibited Information"). Examples of Prohibited Information include, but are not limited to, information categories identified as part of the Controlled Unclassified Information ("CUI") Registry maintained by the U.S. National Archives and Records Administration; patient, medical or other protected health information regulated by the Health Insurance Portability and Accountability Act ("HIPAA") or any similar federal or state laws, rules or regulations governing health information; "education records" as defined in the Family Education Rights and Privacy Act ("FERPA") and any other data subject to legal or regulatory safeguarding obligations and/or limitations on distribution. With regard to health information, you acknowledge that Facebook is not a Business Associate or subcontractor (as those terms are defined in HIPAA) and that Workplace is not HIPAA compliant. Facebook will have no liability under this Agreement for Prohibited Information, notwithstanding anything to the contrary herein.
   4. Indemnification. You will defend, indemnify and hold harmless Facebook (and its Affiliates and their respective directors, officers, employees, agents, and representatives) from and against all claims (from third parties and/or Users), costs, damages, liabilities and expenses (including reasonable attorneys' fees) arising out of or in connection with your breach or alleged breach of this Section 2 or otherwise related to Your Data, Your Policies or use of Workplace in violation of this Agreement. Facebook may participate in the defense and settlement of any such claim with its own counsel and at its own expense. You shall not settle any claim without Facebook's written consent if the settlement requires Facebook to take any action, refrain from taking any action, or admit any liability.
   5. Backups and Data Deletion. Facebook does not provide an archiving service, and you are solely responsible for creating backups of Your Data. You may delete Your Data consisting of User content at any time through the administrator functionality of Workplace, subject to Section 9.d (Deletion of Your Data).
   6. User Data. Notwithstanding anything to the contrary contained in this Agreement, you acknowledge and agree that Facebook may provide Reseller with statistical information about Users' engagement on Workplace (e.g., number of groups, number of posts, number of reactions, number of chats, etc.). In addition, to help further facilitate the relationship between you and Reseller, you instruct Facebook to provide Reseller with the names, email addresses, and other information (which may include other personal data) about all of your system administrators.
3. Facebook Security and Aggregate Data.
   1. Security of Your Data. We will use commercially reasonable technical, organizational and security measures designed to protect Your Data in our possession against unauthorized access, alteration, disclosure or destruction, as further described in the Data Security Addendum.
   2. Aggregate Data. We may gather statistical data, analytics, trends and other aggregated or otherwise de-identified data derived from you and your Users' use of Workplace ("Aggregate Data"). For the avoidance of doubt, Aggregate Data does not include Your Data or any personal data.
   3. Legal Disclosures and Third Party Requests. You understand that Facebook may disclose Your Data to comply with data-breach notification laws and other legal requirements. You are generally responsible for responding to third party requests regarding Your Data, such as a subpoena, warrant, discovery order or other request or order from a law enforcement agency ("Third Party Requests"). We will, to the extent allowed by law and by the terms of the Third Party Request, use reasonable efforts to (a) notify you of our receipt of a Third Party Request and ask the third party to contact you and (b) comply with your reasonable requests regarding your efforts to oppose a Third Party Request at your expense. You will first seek to obtain the information required to respond to the Third Party Request on your own, and will contact us only if you cannot reasonably obtain such information.
   4. Data Processing. Both parties shall comply with the Data Processing Addendum. The provisions of the Data Processing Addendum shall prevail should they conflict with any provisions found elsewhere in this Agreement.
4. Payment.
   1. Fees. You are not obligated to pay any fees to Facebook under this Agreement. You may be obligated to pay fees to Facebook's third party reseller that facilitates your access to Workplace ("Reseller") in connection with your access and use of Workplace pursuant to an agreement between you and such Reseller. Facebook reserves the right to charge you directly for your access and use of Workplace, at Facebook's then-current standard rates for Workplace and subject to Facebook's then-current standard terms and conditions for Workplace, if: (i) you and Reseller are unable to resolve a dispute with respect to Workplace after Facebook is aware or made aware of such dispute; or (ii) your agreement with such Reseller in relation to Workplace is terminated or expires for any reason and you continue to access and/or use Workplace after such termination or expiration.
5. Confidentiality.
   1. Obligations. Each party (as "Receiving Party") agrees that all business, technical and financial information it obtains from the disclosing party ("Disclosing Party") constitutes the confidential property of the Disclosing Party ("Confidential Information"), provided that it is identified as confidential at the time of disclosure or should be reasonably known by the Receiving Party to be confidential or proprietary due to the nature of the information disclosed and the circumstances surrounding the disclosure. The terms and conditions of this Agreement are deemed Facebook's Confidential Information. Except as expressly authorized herein, the Receiving Party will: (1) hold in confidence and not disclose any Confidential Information to third parties; and (2) not use Confidential Information for any purpose other than fulfilling its obligations and exercising its rights under this Agreement. The Receiving Party may disclose Confidential Information to its employees, agents, contractors and other representatives having a legitimate need to know (including, for Facebook, those of its Affiliates and the subcontractors referenced in Section 11.j), provided that such representatives are bound to confidentiality obligations no less protective of the Disclosing Party than this Section 5 and that the Receiving Party remains responsible for compliance by any such representative with the terms of this Section 5.
   2. Exceptions. The Receiving Party's confidentiality obligations will not apply to information that the Receiving Party can document: (a) was rightfully in its possession or known to it prior to receipt of the Confidential Information; (b) is or has become public knowledge through no fault of the Receiving Party; (c) is rightfully obtained by the Receiving Party from a third party without breach of any confidentiality obligation; or (d) is independently developed by employees of the Receiving Party who had no access to the Disclosing Party's Confidential Information. The Receiving Party may make disclosures to the extent required by Laws or court order, provided that (unless prohibited by Laws) the Receiving Party notifies the Disclosing Party in advance and cooperates in any effort by the Disclosing Party to obtain confidential treatment.
   3. Injunctive Relief. The Receiving Party acknowledges that use of or disclosure of Confidential Information in violation of this Section 5 could cause substantial harm for which damages alone would not be a sufficient remedy, and therefore that upon any such threatened or actual use or disclosure by the Receiving Party the Disclosing Party will be entitled to seek appropriate equitable relief in addition to whatever other remedies it might have at law.
6. Intellectual Property Rights.
   1. Facebook Ownership. This is an agreement for access to and use of Workplace, and no ownership rights are conveyed to Customer. Facebook and its licensors retain all right, title and interest (including all intellectual property rights) in and to Workplace, Aggregate Data, any and all related and underlying technology, and any derivative works, modifications or improvements to any of the foregoing created by or on behalf of Facebook, including those based on your Feedback (defined below). No rights are granted to you except as expressly set forth in this Agreement.
   2. Feedback. If you submit comments, questions, suggestions, use cases or other feedback relating to Workplace or its API(s) or our other products or services ("Feedback"), we may freely use or exploit such Feedback in connection with any of our products or services or those of our Affiliates, without obligation or compensation to you.
7. Disclaimer. FACEBOOK EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE OR NON-INFRINGEMENT. WE DO NOT GUARANTEE THAT WORKPLACE WILL BE UNINTERRUPTED OR ERROR-FREE. FACEBOOK IS NOT RESPONSIBLE FOR ANY THIRD PARTIES OR ANY THIRD PARTY PRODUCTS THAT YOU CHOOSE TO USE IN CONNECTION WITH WORKPLACE.
8. Limitations of Liability. EXCEPT FOR EXCLUDED CLAIMS (DEFINED BELOW): (A) NEITHER PARTY WILL BE LIABLE FOR ANY LOSS OF USE, LOST OR INACCURATE DATA, INTERRUPTION OF BUSINESS, COSTS OF DELAY OR ANY INDIRECT, SPECIAL, INCIDENTAL, RELIANCE OR CONSEQUENTIAL DAMAGES OF ANY KIND (INCLUDING LOST PROFITS), REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, EVEN IF INFORMED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE; AND (B) NEITHER PARTY'S ENTIRE LIABILITY TO THE OTHER UNDER THIS AGREEMENT WILL EXCEED TEN THOUSAND U.S. DOLLARS ($10,000 USD). "Excluded Claims" means (a) Customer liability arising under Section 2 (Your Data and Obligations); and (b) a party's breach of its obligations in Section 5 (Confidentiality) but excluding breaches relating to Your Data. The limitations in this Section 8 will survive and apply even if any limited remedy specified in this Agreement is found to have failed of its essential purpose. You acknowledge and agree that our provision of Workplace is based upon the assumption that our liability is limited as provided in this Agreement.
9. Term and Termination.
1. Term. This Agreement will commence on the Effective Date and continue until terminated as permitted herein (the "Term").
2. Termination for Convenience. Without prejudice to your termination rights under paragraph 2(iv) of the Data Processing Addendum, you may terminate this Agreement at any time, for no reason or any reason, upon thirty (30) days' advance notice to both Facebook, by contacting Facebook support through Workplace, and Reseller, in accordance with the notice terms under your agreement with Reseller. Facebook may also terminate this Agreement at any time, for no reason or any reason, upon thirty (30) days' advance notice to you. In addition, during any period of Free Access, Facebook may suspend or limit Free Access (including your number of Users) at any time and for any reason.
3. Facebook Termination and Suspension. Facebook reserves the right to terminate this Agreement with reasonable notice to you or immediately suspend your access to Workplace if you breach this Agreement or if we deem such action necessary to prevent harm to the security, stability, availability or integrity of Workplace.
4. Deletion of Your Data. Facebook will delete Your Data promptly after any termination or expiration of this Agreement, but you understand that deleted content may persist in backup copies for a reasonable period of time whilst deletion is carried out. As set forth in Section 2.e, you are solely responsible for creating any back-ups of Your Data for your own purposes.
5. Effect of Termination. Upon any termination or expiration of this Agreement: (a) you and your Users must immediately cease using Workplace; (b) at the Disclosing Party's request, the Receiving Party will promptly return or delete any of the Disclosing Party's Confidential Information in its possession; and (c) the following Sections will survive: 1.c (Restrictions), 2 (Your Data and Obligations) (other than Facebook's license to Your Data in Section 2.a), 3.b (Aggregate Data), 3.c (Legal Disclosures and Third Party Requests), 5 (Confidentiality) through 12 (Definitions). Except as may be specified in this Agreement, either party's exercise of any remedy, including termination, is without prejudice to any other remedies it may have under this Agreement, by law or otherwise. If you downgrade your Workplace Premium instance to Workplace Standard, then you will be required to terminate this Agreement and Your Data will become subject to the Workplace Standard terms, and the obligation on Facebook to delete Your Data under Section 9.d will not apply.
10. Other Facebook Accounts.
    1. Personal Accounts. For the avoidance of doubt, Workplace accounts are distinct from any personal Facebook account that Users may create on the consumer Facebook service ("Personal FB Accounts"). Personal FB Accounts are not subject to this Agreement, but rather are subject to Facebook's Statement of Rights and Responsibilities and Data Policy, each between Facebook and the relevant User. You agree that, unless allowed by Laws, you will not log into your Users' Personal FB Accounts or request access to their login credentials for such accounts.
    2. Workplace and Ads. We will not show third-party advertising to your Users on Workplace and we will not use Your Data to provide or target advertising to your Users or to personalize your Users' experience on their Personal FB Accounts. Facebook may, however, make in-product announcements about features or functionality related to Workplace.
11. General.
    1. Changes. Facebook may change terms of this Agreement and policies referenced in or incorporated by this Agreement at any time, including but not limited to the Data Processing Addendum, Data Security Addendum, Acceptable Use Policy and Privacy Shield Addendum. Facebook may change this Agreement (including the Data Processing Addendum, Data Security Addendum, Acceptable Use Policy, and Privacy Shield Addendum) at any time by providing you with notice by email, through the service or by other reasonable means ("Change"). By continuing to use Workplace fourteen (14) days after our notice, you consent to such Change.
    2. Governing Law. This Agreement and your and your Users' use of Workplace as well as any claim that might arise between you and us, are governed by, and must be construed in accordance with, the laws of the United States and the State of California, as applicable, without giving effect to their principles of conflicts of law. Any claim, cause of action arising out of or relating to this Agreement or Workplace must be commenced exclusively in the U.S. District Court for the Northern District of California or a state court located in San Mateo County, and each party hereby consents to the personal jurisdiction of such courts.
    3. Entire Agreement. This Agreement (which includes the Privacy Shield Addendum, the Data Processing Addendum, the Data Security Addendum, and Acceptable Use Policy) is the entire agreement between the parties regarding Workplace and supersedes any prior representations or agreements relating to Workplace. Headings are for convenience only, and terms such as "including" are to be construed without limitation. This Agreement is written in English (U.S.), which will control over conflicts in any translated version.
    4. Waiver and Severability. Failure to enforce a provision will not be deemed a waiver; waivers must be in writing signed by the party claimed to have waived. Any terms or conditions in any Customer purchase order or business form will not modify this Agreement and are hereby expressly rejected, and any such document will be for administrative purposes only. If any provision of this Agreement is adjudged by a court of competent jurisdiction to be unenforceable, invalid or otherwise contrary to law, such provision will be interpreted so as to best accomplish its intended objectives and the remaining provisions of this Agreement will remain in full force and effect. Except as otherwise provided in this Agreement, amendments must be in writing and signed by authorized representatives by both parties or as appropriate, agreed through electronic means.
    5. Publicity. Any press release, publicity or public announcement about the parties' relationship requires the prior written approval of both parties. Notwithstanding the foregoing: (a) within your own company, you may publicize or promote use of Workplace during the Term (e.g., to encourage User adoption), subject to Facebook's brand usage guidelines provided from time to time, and (b) Facebook may reference your status as a Workplace customer in conferences, presentations and other non-public settings.
    6. Assignment. Neither party may assign this Agreement or its rights or obligations under this Agreement without the prior written consent of the other party, except that Facebook may assign this Agreement without consent to any of its Affiliates or in connection with a merger, reorganization, acquisition, or other transfer of all or substantially all of its assets or voting securities. Subject to the foregoing, this Agreement will bind and inure to the benefit of each party's permitted successors and assigns. Non-permitted assignments are void and will create no obligations on Facebook.
    7. Independent Contractor. The parties are independent contractors. No agency, partnership, joint venture, or employment is created as a result of this Agreement and neither party has authority to bind the other.
    8. No Third Party Beneficiaries. Save as set out in the Privacy Shield Addendum, this Agreement benefits only Facebook and Customer and there are no intended third party beneficiaries, including any Users.
    9. Notices. Any notice under this Agreement must be in writing. Except as set forth in Section 9.b, Customer must send any notices to Facebook at the following address (as applicable): in the case of Facebook Ireland Limited, to 4 Grand Canal Square, Dublin 2, Ireland, Attn: Legal, Workplace and, in the case of Facebook Inc, to 1 Hacker Way, Menlo Park, CA 94025 USA, Attn: Legal, Workplace. Facebook may send notices to the email address on Customer's account. Facebook may also provide operational notices regarding Workplace or other business-related notices through messages to Users within Workplace or conspicuous posting within Workplace.
    10. Subcontractors. Facebook may use subcontractors and permit them to exercise Facebook's rights under this Agreement, but Facebook remains responsible for compliance of any such subcontractor with this Agreement.
    11. Force Majeure. Neither party will be liable to the other for any delay or failure to perform any obligation under this Agreement if the delay or failure is due to unforeseen events that occur after the signing of this Agreement and that are beyond the reasonable control of such party, such as a strike, blockade, war, act of terrorism, riot, natural disaster, failure or diminishment of power or telecommunications or data networks or services, or refusal of a license or authorization by a government agency or entity.
    12. Third Party Websites. Workplace may contain links to third-party websites. This does not imply our endorsement of any website and we are not responsible for the actions, content, information, or data of third-party websites or actions or any link contained in them, or any changes or updates to them. Third-party websites may provide their own terms and conditions of use and privacy policies that apply to you and your Users and your use of such third-party websites is not governed by this Agreement.
    13. Export Control. In use of Workplace, you agree to comply with all export and import laws and regulations of the United States and other applicable jurisdictions. Without limiting the foregoing: (a) you represent and warrant that you are not listed on any U.S. government list of prohibited or restricted parties; (b) you are not subject to any UN, U.S., EU, or any other applicable economic sanctions or trade restrictions; and (c) you do not have operations in a country subject to comprehensive U.S. trade sanctions.
    14. Conditions on Governmental Entity Use. If you are a Governmental Entity, you represent that: (i) you are not restricted by any applicable Laws, policy, or principle from agreeing and performing, or accepting performance, of any term or condition of this Agreement, including without limitation Facebook's Acceptable Use Policy or other applicable Facebook policy; (ii) no applicable Laws, policy, or principle renders any term or condition of this Agreement unenforceable against you or any applicable Governmental Entity; (iii) you are authorized to, and have the legal capacity under applicable Laws, policies and principles to represent and bind any applicable Governmental Entity to the terms and conditions of this Agreement; and (iv) you enter into this Agreement based upon an impartial decision concerning the value of Workplace to you and your Users and no improper conduct or conflict of interest has influenced your decision to enter into this Agreement. Do not accept this Agreement if you cannot make the representations in this Section 11.n (Conditions on Governmental Entity Use). If a Governmental Entity accepts this Agreement in violation of this Section 11.n (Conditions on Governmental Entity Use), Facebook may elect to terminate this Agreement immediately, or the parties may enter into a separate mutually agreeable and enforceable agreement or may mutually agree to modify this Agreement, and execute such a modification.
    15. No Agency. You acknowledge and agree that any third party reseller that facilitates access to Workplace is not an agent or authorized representative of Facebook, and that Facebook is not bound by any representations or statements made by a third party reseller
12. Definitions. In this Agreement, unless otherwise stated:
    "Acceptable Use Policy" means the rules for use of Workplace found at www.facebook.com/legal/FB_Work_AUP, as may be modified from time to time.
    "Affiliate" means an entity that directly or indirectly owns or controls, is owned or is controlled by or is under common ownership or control with a party, where "control" means the power to direct the management or affairs of an entity, and "ownership" means beneficial ownership of 50% (or, if the applicable jurisdiction does not allow majority ownership, the maximum amount permitted under such law) or more of the entity's voting equity securities or equivalent voting interests. For purposes of this definition, a Governmental Entity is not an affiliate of another Governmental Entity unless it wholly controls such other Governmental Entity.
    "Data Processing Addendum" means the data processing addendum attached to, and forming part of, this Agreement as may be amended from time to time.
    "Data Security Addendum" means the data security addendum attached to, and forming part of, this Agreement as may be amended from time to time.
    "Free Access" means any free trial or other no-charge access to Workplace provided by Reseller.
    "Governmental Entity" means any country or jurisdiction in the world, including without limitation any state, local, municipal, regional, or other unit or political subdivision of government, any governmental organization, instrumentality, enterprise, or other entity established, owned or controlled by such a government, and any representative or agent of any of the foregoing.
    "Laws" means all applicable local, state, provincial, territorial, federal and international laws, regulations and conventions, including, without limitation, those related to data privacy and data transfer, international communications, the exportation of technical or personal data, and public procurement, and those applicable to Facebook Ireland Limited and Facebook, Inc.
    "Privacy Shield Addendum" means the Privacy Shield Addendum attached to this Agreement, as may be modified from time to time to address changes to the Privacy Shield or to enable Facebook, Inc. to comply with the Privacy Shield.
    "Users" means any of your or your Affiliates' employees or contractors that you permit to access Workplace.
    "Workplace" means the Workplace Premium service that we make available to you under this Agreement and any subsequent version thereof, including any websites, apps, online services, tools, and content that we may provide to you under this Agreement, as may be modified from time to time. For the avoidance of doubt, the Workplace Premium service is distinct from the service known as Workplace Standard which is subject to its own terms of use.
    "Your Data" means: (a) any contact information or network or account registration data that you or your Users submit to Workplace; (b) any content or data that you or your Users publish, post, share, import or provide on Workplace; (c) information we collect when you or your Users contact or engage us for support regarding Workplace, including information about hardware, software, and other details gathered related to the support incident; and (d) any usage or functional information (e.g., IP addresses, browser and operating system types, and device identifiers) regarding how Users interact with Workplace.
    "Your Policies" means any of your applicable employee, systems, privacy, HR, complaint or other policies.

1. Facebook, Inc. is certified under the EU-US Privacy Shield and Swiss-US Privacy Shield in respect of Your Data on Workplace, as part of its ongoing commitment to protect the privacy of your EU and Swiss Users. You acknowledge that under the EU-US Privacy Shield and the Swiss-US Privacy Shield (each as amended from time to time) (collectively, "Privacy Shield") Facebook, Inc. has made commitments in respect of the data received from you and Users. More information on Facebook, Inc.'s participation in Privacy Shield is available here: https://www.facebook.com/about/privacyshield. If, and to the extent, the Privacy Shield applies to Facebook, Inc. in connection with your use of Workplace, the parties agree to the following obligations set out in this Privacy Shield Addendum.
2. Notice. You acknowledge that under the terms of Privacy Shield, Facebook, Inc. needs to provide certain notice to Users, and you will provide reasonable co-operation to enable us to provide this appropriate notice as necessary.
3. Choice. You acknowledge that under the terms of Privacy Shield, Facebook, Inc. may not either: (i) disclose Your Data to a non-service provider third party; or (ii) use Your Data for a purpose materially different from those connected with our agreement with you for Workplace, without offering Users choice (as required by Privacy Shield) regarding such disclosure or use ("Choice"). When applicable and as appropriate, you agree to offer Users such Choice.
4. Data Subject Access Requests. You acknowledge that under the terms of Privacy Shield, Facebook, Inc. may be required to provide Users with a means to access their personal information (and the ability to correct, amend or delete that information). You agree to us providing Users with this means of access, such as directly through the Workplace service. For any requests which cannot be resolved through this means of access (including those received by Facebook, Inc. and notified to you as well as those you may receive directly from Users (or former Users)), you agree to be responsible for resolving those requests promptly and in accordance with applicable laws. Facebook, Inc. will provide you with commercially reasonable cooperation to respond to any such requests.
5. Recourse and Dispute Resolution. You acknowledge that you are responsible for resolving any complaints made to you by Users (whether made to you directly or to any Facebook entity and notified to you) regarding your processing of Users' personal information in connection with Workplace. Notwithstanding this, you acknowledge that Facebook, Inc. may, in respect of its own processing activities, receive complaints from Users and makes available to Users an independent recourse and dispute resolution mechanism. You agree to provide all commercially reasonable assistance requested by us, in the timeframes reasonably specified, to resolve any such complaints received from Users.

1. Definitions. Within this Data Processing Addendum, "GDPR" means the General Data Protection Regulation (Regulation (EU) 2016/679), and "Controller", "Data Processor", "Data Subject", "Personal Data", "Personal Data Breach" and "Processing" shall have the same meanings as are defined in the GDPR. "Processed" and "Process" shall be construed in accordance with the definition of Processing. All other defined terms herein shall have the same meanings as are defined elsewhere in this Agreement.
2. Data Processing.
   1. In conducting its activities as Processor under this Agreement in relation to any Personal Data within Your Data ("Your Personal Data"), Facebook confirms that:
      1. the duration, subject matter, nature and purpose of the Processing shall be as specified in the Agreement;
      2. the types of Personal Data Processed shall include those specified in the definition of Your Data;
      3. the categories of Data Subjects include your representatives, Users and any other individuals identified or identifiable by Your Personal Data; and
      4. your obligations and rights as Data Controller in relation to Your Personal Data are as set out in this Agreement.
   2. To the extent that Facebook Processes Your Personal Data under or in connection with the Agreement, Facebook shall:
      1. only Process Your Personal Data in accordance with your instructions as set out under this Agreement, including in respect of the transfer of Your Personal Data, subject to any exceptions permitted by Article 28(3)(a) of the GDPR;
      2. ensure that those of its employees authorized to Process Your Personal Data under this Agreement have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in relation to Your Personal Data;
      3. implement the technical and organizational measures set out in the Data Security Addendum;
      4. respect the conditions referred to below in Sections 2(iii) and 2(iv) of this Data Processing Addendum when appointing sub-Processors;
      5. assist you by appropriate technical and organizational measures, insofar as this is possible through Workplace, to enable you to fulfil your obligations to respond to requests for the exercise of rights by a Data Subject under Chapter III of the GDPR;
      6. assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of the Processing and the information which is available to Facebook;
      7. on termination of the Agreement, delete the Personal Data pursuant to the Agreement, unless European Union or Member State law requires Personal Data to be retained;
      8. make available to you the information described in this Agreement and via Workplace in satisfaction of Facebook's obligation to make available all information that is necessary to demonstrate compliance with the obligations of Facebook under Article 28 GDPR; and
      9. on an annual basis, procure that a third party auditor of Facebook's choice conducts a SOC 2 Type II or other industry standard audit of Facebook's controls relating to Workplace, such third party auditor being hereby mandated by you. At your request, Facebook will provide you with a copy of its then-current audit report and such report will be deemed Facebook's Confidential Information.
   3. You authorize Facebook to subcontract its data Processing obligations under this Agreement to Facebook's Affiliates, and to other third parties, a list of which Facebook will provide to you upon your written request. Facebook shall do so only by way of a written agreement with such sub-Processor which imposes the same data protection obligations on the sub-Processor as are imposed on Facebook under this Agreement. Where that sub-Processor fails to fulfil such obligations, Facebook shall remain fully liable to you for the performance of that sub-Processor's data protection obligations.
   4. Where Facebook engages an additional or replacement sub-Processor(s), Facebook shall inform you of such additional or replacement sub-Processor(s) no later than fourteen (14) days in advance of the appointment of such additional or replacement sub-Processor(s). You may object to the engagement of such additional or replacement sub-Processor(s) within fourteen (14) days of being so informed by Facebook by terminating the Agreement immediately on written notice to Facebook.
   5. Facebook shall notify you without undue delay upon becoming aware of a Personal Data Breach relating to Your Personal Data. Such notice shall include, at the time of notification or as soon as possible after notification, relevant details of the Personal Data Breach where possible, including the number of your records affected, the category and approximate number of affected Users, anticipated consequences of the breach and any actual or proposed remedies, where appropriate, for mitigating the possible adverse effects of the breach.

1. Background and Purpose
   This document describes the minimum security requirements applicable to Facebook's provision of Workplace to you.
2. Information Security Management System
   Facebook has established and will maintain an Information Security Management System ("ISMS") designed to implement industry-standard information security practices applicable to its provision of Workplace. Facebook's ISMS is designed to protect against unauthorized access, disclosure, use, loss or alteration of Your Data.
3. Risk Management Process
   Security of information and information processing facilities, including IT infrastructure and physical facilities, shall be based upon risk assessment. Risk assessment of Workplace will be done on a regular basis.
4. Organization of Information Security
   Facebook has a designated Security officer with overall responsibility for security in the organization. Facebook has designated personnel responsible for oversight of security of your Workplace instance.
5. Physical and Environmental Security
   Facebook's security measures shall include controls designed to provide reasonable assurance that access to physical processing facilities is limited to authorized persons and that environmental controls are established to detect, prevent and control destruction due to environmental hazard.
   The controls include:
   • Logging and auditing of all physical access to the data processing facility by employees and contractors;
   • Camera surveillance systems at critical entry points to the data processing facility;
   • Systems that monitor and control the temperature and humidity for the computer equipment;
   • Power supply and backup generators; and
   • Implementing industry-standard procedures for secured deletion and disposal of data on electronic media, subject to the Agreement.
6. Segregation
   Facebook will establish technical mechanisms designed to ensure that Your Data is logically segregated from other customers' data and that Your Data is only available to authorized users.
7. Personnel
   1. Training
      Facebook shall ensure that all employees with access to Your Data undergo security training.
   2. Screening and Background Checks
      Facebook shall:
      • Have a process for verifying the identity of the personnel working with your instance of Workplace.
      • Have a process for performing background checks on personnel working with your instance of Workplace in accordance with Facebook standards.
      • Provide personal ID cards with picture and written name to all personnel working with your instance of Workplace. ID cards shall be required for entry to all Facebook facilities.
   3. Personnel Security Breach
      Facebook will establish sanctions for unauthorized or impermissible access to Your Data by Facebook personnel, including punishments up to and including termination.
8. Security Testing
   Facebook shall perform regular security and vulnerability testing to assess whether key controls are implemented properly and are effective.
9. Access Control
   1. User Password Management
      Facebook shall have an established process for User Password Management, designed to ensure passwords are personal and inaccessible for unauthorized persons, including at minimum:
      • Password provisioning, including verifying the identity of the user prior to a new, replacement or temporary password;
      • Encrypting all passwords when stored in computer systems or in transit over the network;
      • Altering all default passwords from vendors;
      • Strong passwords relative to their intended use; and
      • User awareness.
   2. User Access Management
      Facebook will implement a process for changing and / or revoking access rights and user IDs, without undue delay.
      Facebook shall have procedures for reporting and revoking compromised access credentials (passwords, tokens etc.) 24/7. Facebook shall implement appropriate security logs including userid and timestamp. Clock shall be synchronized with NTP.
      The following minimum events shall be logged:
      • Authorization Changes;
      • Failed and successful authentication and access attempts; and
      • Read and write operations.
10. Communications Security
    1. Network Security
       Facebook shall employ technology that is consistent with industry standards for network segregation.
    Remote network access shall require encrypted communication by use of secured protocols, and use of multi-factor authentication.
    2. Protection of Data in Transit
       Facebook will enforce use of appropriate protocols designed to protect the confidentiality of data in transit over public networks.
11. Operational Security
    Facebook will institute and maintain a vulnerability management program for Workplace that includes definition of roles and responsibilities, dedicated ownership of vulnerability monitoring, vulnerability risk assessment and patch deployment.
12. Security Incident Management
    Facebook shall establish and maintain a security incident response plan for monitoring, detecting and handling possible security incidents affecting your instance of Workplace. The security incident response plan at least shall include definition of roles and responsibility, communication and post mortem reviews, including root cause analysis and remediation plans.
    Facebook will monitor Workplace for any security breaches and malicious activity. The monitoring process and detection techniques shall be designed to enable detection of security incidents affecting your instance of Workplace according to relevant threats and ongoing threat intelligence.
13. Business Continuity
    Facebook shall maintain a business continuity plan for responding to emergency or other critical situations that could damage your instance of Workplace. Facebook shall formally review its business continuity plan at least once a year.