These general terms and conditions (hereafter the "Terms and Conditions") are issued by Sarus Technologies, a French société par actions simplifiée with share capital of 12,022.00 euros, listed on the Paris Trade and Companies Register under No. 879 906 055, the registered office of which is at 128, rue La Boétie – 75008 Paris (hereafter: "Sarus").
Sarus has developed and operates an innovative software solution, to be either installed by its client (hereafter the “Client”) on its own computer systems and servers (hereafter: “Self-Managed Mode”) or used from Sarus’s servers (hereafter: “SaaS Mode”), which allows users authorized by the Client to perform mathematical analyses of the Client’s data while complying with the privacy policies set out by the Client (hereafter the "Solution"). Its functionalities and specifications are described in Annex 1.
The Terms and Conditions define the terms under which Sarus allows the Client to use the Solution and supplies associated services. In the absence of a formal order by the Client, Sarus is not obliged to supply the Solution or to perform all or some of the associated services. It is expressly agreed that the sending by the Client of an order implies the Client’s full, complete and unreserved acceptance of these Terms and Conditions, which it acknowledges to have received and read.
The order, the Terms and Conditions and any appendices and amendments thereto constitute the "Agreement", which supersedes any previous document relating to the same subject matter as well as the Client’s general terms and conditions of purchase.
Sarus and the Client are hereinafter referred to collectively as the “Parties” and individually as a “Party”.
1.1. Pursuant to and for the term of the Agreement, Sarus undertakes to supply the Solution and the associated services to the Client, under the conditions and according to the specifications defined in Annex 1, from the date agreed and/or according to the deadlines set by the Parties.
As such, Sarus undertakes to cooperate with the Client’s personnel, to provide material, technical and human resources as well as to take all reasonable care when performing its services, in accordance with:
- legal and regulatory provisions relating to its activities,
- best industry practices, and
- generally accepted principles of how differential privacy protects personal information.
It is expressly understood that Sarus has only an obligation of means towards the Client.
1.2. In the event that the Client wishes to benefit from additional services to the services ordered, the financial and implementing conditions of those additional services will give rise to a specific order. Once it has been accepted and formalised by the Parties, those additional services shall be deemed to form an integral part of the Agreement.
2.1. The Client shall:
- put Sarus in contact with any persons useful for the proper configuration and use of the services;
- inform Sarus of any events concerning it which may affect the smooth running of the Agreement; and
- enforce Sarus’s intellectual property rights.
2.2. The Client is solely responsible for its use of the Solution, including of the information, data and contents the Client will request the Solution to mathematically process as well as of its use of the results of the mathematical analyses produced by the Solution.
As such, the Client will be responsible for taking any necessary precautions to ensure the correctness, confidentiality, security, back-up of such elements.
When using the Solution in SaaS Mode, the Client grants, for the terms and solely for the purposes of the Agreement, a worldwide licence to use the intellectual property rights attached to the information, data and contents provided to Sarus, in order that the Solution processes them.
The Client declares to Sarus that it holds all the rights to the aforementioned information, data, and contents as well as all the authorisations required for their use therein and holds Sarus harmless from any judgment, action, claim or complaint of any kind by third parties, the cause or object of which is the use by Sarus of the information, data, elements, contents and/or rights provided by the Client, who also undertakes to pay all expenses, costs and indemnities incurred by Sarus to defend itself, including, in particular, legal costs and the costs of any expert opinion.
3.1. In return for the performance of the services and the supply of the Solution by Sarus, the Client undertakes to pay the sums defined in Annex 2.
3.2. Unless otherwise stipulated, invoices shall be paid by the Client within thirty (30) days as of month-end from their issue date, on the dates and/or within the deadlines agreed between the Parties.
Any late payment will result in the automatic application, without the need for prior written notice, of late payment interest equivalent to three (3) times the statutory interest rate in force per month of delay, pro rata temporis as well as fixed compensation of forty (40) euros, for recovery costs. Late payment interest will be calculated monthly and must be paid at the same time as the principal amount payable.
4.1. The Agreement does not transfer any intellectual property rights from Sarus to the Client; the Client acknowledges and agrees that all rights relating to all or part of the Solution are exclusively held by Sarus, which remains the sole holder thereof.
Sarus grants the Client a license to access and use the Solution either in Self-Managed Mode or in SaaS Mode, under the conditions defined in Annex 1, under the limits, restrictions and for the term set out in the Agreement.
The license to use the Solution is personal, non-exclusive, non-assignable and non-transferable. It is granted to the Client on the following terms:
- on a worldwide basis;
- solely for the term of the Agreement;
- solely for the Client’s own business purposes;
- including all subsequent versions of the Solution released by Sarus during the term of the Agreement, it being specified that Sarus reserves the right to modify the source code of the Solution at any time to correct any errors or for development purposes.
4.2. The Client expressly acknowledges that the license to use the Solution means the right to implement the Solution in accordance with its intended purpose either in the Self-Managed Mode: on the Client’s servers, or in the SaaS Mode: on Sarus’s servers via an internet connection. Except as expressly permitted in this Agreement, the Client is formally prohibited from:
- using the Solution outside the conditions set out in the Agreement;
- permanently or temporarily reproducing the Solution in whole or in part, by any means and in any form, including when loading, displaying or running it;
- bypassing security measures and systems, adapting, altering, decompiling, arranging, disseminating, translating, correcting, modifying in any way, developing or interfacing the Solution or its components with any software, database or IT product, or from integrating all or part of it with or into existing or future works; and
- using, copying, translating, redistributing, retransmitting, publishing, selling, renting, leasing, marketing, sublicensing, pledging, assigning, encumbering, transferring and/or making the Solution available to a third party by any means.
4.3. In order to verify the Client’s compliance with Sarus’ intellectual property rights and with the limits of the license to use the Solution granted to the Client herein, the latter undertakes, upon Sarus’ request and not more than once per calendar year, to enable any independent auditor selected by Sarus to have access to the Client’s premises and to control the Client’s servers, computer systems and/or IT documentations.
Should any unauthorized use of the Solution be ascertained, the Client undertakes to address promptly and implement the measures Sarus deems appropriate to mitigate, compensate and resolve the unauthorized use. Should the measures implemented by the Client be insufficient to comply with Sarus’s intellectual property rights on the Solution, Sarus will be entitled to terminate the Agreement for cause, subject to the prior notice and conditions defined in Article 5.2.
5.1. The Agreement shall enter into force as from the order, for the period defined in the said order.
The Agreement is then automatically renewed by tacit agreement, under the same terms, for successive periods defined in the order, unless it is terminated by either Party by email with acknowledgement of receipt, giving fifteen (15) days’ notice before the end of the then-current contractual period.
5.2. Without prejudice to any additional damages for the Party initiating early termination, the Agreement may be terminated early at any time, in the event of breach by the other Party of any of its essential obligations which has not been remedied within thirty (30) days of formal notice sent by registered letter with acknowledgement of receipt.
In particular, it is expressly agreed between the Parties that Sarus may terminate the Agreement in the event of breach by the Client of its obligations relating to compliance with Sarus's intellectual property rights and confidentiality and/or in the event of repeated non-payment of sums payable under this Agreement.
5.3. At the end of the Agreement for whatever reason, the Client shall pay all outstanding sums to Sarus and shall immediately stop using the Solution, removing and deleting it from its servers and computer systems, with evidence of such deletion to be supplied to Sarus. Subject to the Client’s compliance with the aforementioned obligations, Sarus shall return all the Client's information, data, files and/or other elements used or implemented in the Solution. These shall be returned within the deadlines and on the media agreed between the Parties.
Sarus agrees to use all reasonable means to return those elements so that the Client can, following the end of the Agreement, continue to exploit them, directly or with the assistance of another service provider. The Client shall actively cooperate with Sarus to facilitate the return operations.
After the end of the Agreement, Sarus will not retain any copy of elements returned to the Client and will destroy them on request.
6.1. Sarus represents and warrants to the Client that it has no information or reason to believe that the supply and/or use of the Solution infringes any third-party intellectual property rights. However, if any of the elements licensed by Sarus to the Client under the Agreement constitutes an infringement of third-party intellectual property rights, Sarus may, at its sole discretion:
- obtain, at its own cost, the right for the Client to continue using the element at issue, subject to the agreement of the third party concerned, or
- replace that element with another element that meets the requirements of the Agreement and is not disputed by third parties, or
- terminate the Client's user right and refund the corresponding proportionate amount of the price paid by the Client.
6.2. Sarus cannot, in any event, be held liable:
- in the event of loss suffered by the Client as a result of:
* the use and/or modification of the Solution by the Client, or any other third party, in a manner that does not comply with the provisions of the documentation and/or the Agreement and/or with any instruction that Sarus has communicated to the Client;
* the use of the Solution with computer software and/or hardware that is not compatible or is non-compliant with Sarus’ technical requirements;
* the intervention of any third party on the Solution, with the exception of those Sarus itself has appointed, who have not been authorised to intervene by Sarus in writing in advance;
* the accidental destruction, by the Client or by any other third party irrespective of the circumstances, of the data processed via the Solution;
* the interruption or slow-down of the Solution caused by technical uncertainties of the internet and/or related to the Client's own computer systems or servers;
* any loss of data caused by the Client's failure to comply with Sarus’s recommended measures; and
- in the event of indirect loss suffered by the Client including, but not limited to: commercial loss, loss of orders, turnover, any commercial disruption, loss of profit or damage to brand image, loss resulting from the use of or inability to use the Solution or elements supplied, presented and/or made available by Sarus. The Client will be responsible for taking, in particular, all measures to ensure the backup, security and integrity of all data and information that it transmits to Sarus and/or enters and processes on the Solution.
In all cases where Sarus’s liability is established, irrespective of the nature, basis and terms of the action brought against it (including in the event of action by a third party), it is expressly understood that Sarus’s liability under the Agreement may not exceed the amount of remuneration paid by the Client to Sarus over the last six (6) months of performance of the Agreement.
6.3. Sarus undertakes that it has taken out, with a company known to be creditworthy, and that it shall maintain in full force and effect, at its own expense, an operating and professional liability insurance policy and, more generally, any insurance policies required to cover its liability under the Agreement. At the Client's request, Sarus will provide it with insurance certificate(s) confirming the existence and/or renewal of those insurance policies, mentioning in particular the different cover acquired and the amounts thereof.
7.1. The Parties each undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016 and Law No. 78-17 of 6 January 1978 on data processing, files and freedoms. To this end, when the Solution is used by Client in SaaS Mode, they shall comply with the conditions defined in Annex 3.
7.2. In general, any information relating to the Agreement, the Solution, the associated services and technical and commercial information, organisation, human resources or the methods of a Party constitutes confidential information. The same shall apply to all information disclosed to the other Party and/or of which it may become aware in connection with the Agreement.
Each Party undertakes during the term of the Agreement and for five (5) years from the date of termination of the Agreement, for whatever reason, to ensure that the said information:
- is protected, kept strictly confidential and processed with the same level of precaution and protection as it grants to its own confidential information of equal importance;
- is only transmitted to members of its staff, third-party service providers or subcontractors who need to know it and is only used by them to perform the Agreement;
- is not used, in whole or in part, for a purpose other than that defined in this clause without the prior written consent of the other Party and is not -in particular- sold, assigned, leased or commercially exploited; and
- is not copied, reproduced or duplicated, in whole or in part, except where necessary to perform the obligations under the Agreement and/or without the prior written consent of the other Party.
Each Party undertakes to ensure compliance by its employees, subcontractors and agents with the obligations set out in this clause and shall be liable for any disclosure by them in breach of this clause.
7.3. Without prejudice to the foregoing, either Party may mention the Agreement as a trade reference and, for this purpose, mention the trade name and/or company name of the other Party, in accordance with practice in this regard.
If, as a result of a force majeure event in accordance with article 1218 of the French Civil code, either Party is required to interrupt the performance of the Agreement, the obligations affected by that event shall be suspended for the time that the Parties are unable to perform them.
The Party invoking such force majeure shall notify the other as soon as possible, do its best to limit the consequences thereof and find an alternative solution and resume, if possible, the performance of its obligations immediately after the force majeure has ceased.
In the case where it is not able to resume performance of the Agreement within eighty (90) days of the force majeure event, the Parties will meet to discuss a possible modification of the Agreement. If such discussions fail and/or if force majeure renders the performance of the Agreement definitively impossible, the Agreement may be terminated by either Party, without any compensation being payable to either Party.
All the provisions of the Agreement are subject to French law. In the event of dispute relating to the validity, interpretation, performance or termination of the Agreement, the courts of Paris shall have exclusive jurisdiction.
Sarus Solution enables data practitioners to perform data analyses on data with protection against the exposure of significant personal information. The protection derives from the implementation of Differential Privacy when performing computation on the data, or any other methods available in the Solution and that the Client may choose to use.
Dataset
A Dataset is the fundamental data holding object that is set up by the data owner via Sarus. Access rights are defined per dataset; synthetic data is generated for each dataset. A Dataset can be composed of several files or tables.
Sarus Instance
The Sarus Instance is an instance of the Sarus software running on hardware resources. Among other services, it features a synthetic data generation engine, an API to receive data processing jobs, a gateway filtering processing jobs based on access rights, a privacy compiler that rewrites jobs to comply with access rights, the ability to connect to various data sources, and administration services to define users and access rights.
In the case of the Self-managed mode, the Sarus instance runs on the Client’s infrastructure. In the case of the SaaS mode, it runs on Sarus’s own infrastructure.
Access Rules and Privacy Policies
This is the set of parameters that decide which queries authorized users can perform on which dataset. In the case of differentially-private queries it includes the admissible differential privacy parameters of such queries.
Description
The Solution runs on an instance that has access to data controlled by the data owner or data depositor. Provided that the data type is supported, the software will automatically analyze the data and generate a synthetic representation of the dataset (synthetic data). The instance includes an API so that authorized data consumers can query the underlying data.
The data owner defines the privacy policies applicable to each dataset they make available for each authorized user. Sarus software will enforce the application of privacy policies throughout all interactions with the original data. Privacy policies may include special access rights or parameters such as differential privacy budget.
The data consumers submit queries via the API. The Sarus gateway verifies the queries against the privacy policies and, if authorized, launches the processing. When the privacy policies define constraints on the queries such as the application of differential privacy, the Sarus instance will rewrite the queries to comply with such constraints. Results are then sent back to the data practitioners via the gateway.
Limits
Sarus natively supports a limited list of data types, formats, or queries. This list evolves over time. It is made available on the Sarus documentation page.
Sarus instances may not support datasets of arbitrary size. Limits may appear depending on the underlying hardware, the number of rows, and the number and type of columns.
Sarus lets users define the privacy policies themselves. Sarus cannot guarantee that the access rights and parameters (including differential privacy parameters) granted by the data depositor are compliant with the Client’s objectives or comply with applicable regulations.
The implementation of differential privacy includes the addition of random noise to all outputs of computations. Differentially-private results are fundamentally non-deterministic and can never be considered exact. The amount of protection is related to the amount of noise that the user can set in the Solution. Using a very low level of noise may lead to small or even non-existent data protection.
Self-Managed Mode: Installation
In the Self-Managed Mode, the Client downloads the Solution and installs it on their own infrastructure. The Client will need to allocate enough resources (memory, computing power, network access), at its own expense, for the proper performance of the Solution. Sarus will communicate minimum requirements for the proper functioning of the Sarus Instance. The exact requirements will depend on the size of the data, its type, and the types of analysis carried out on it.
SaaS Mode: Access
In the case of the SaaS Mode, Sarus will host the instance of the Solution. The Client makes data available to the Sarus instance. Data may be copied to the Sarus instance or accessed at run time when queries are performed depending on what data source option the client has chosen. Sarus will manage the hardware infrastructure necessary for the performance of the services. Limits apply to the size of the datasets made available in the SaaS instance as documented by Sarus.
Set-up assistance for Self-Managed Mode
Sarus will assist the Client in the deployment of a Sarus instance on their system, whether on-premises or in a public cloud environment. It will provide assistance for the proper configuration of the instance, including the deployment of all services, the parametrization of data access rules, the network parameters, the creation of Sarus users on the instance, the technical parameters of the instance, and the proper uploading of the Client’s data sources into the Sarus Solution.
Enterprise support and maintenance for Self-Managed Mode
Sarus will provide assistance for the maintenance of the solution as installed in the Client’s infrastructure. It includes the installation of regular updates and possible migration of the solution, the adaptation of the instance’s parameters to new data sources or architecture requirements, and assistance with regard to the data storage and memory usage of the instance.
Support on compliance audit and guidelines implementations
Sarus will provide assistance in exchanges with internal or external compliance teams in order to help assess how the Sarus solution materially improves the data protection objectives of the client. It could include contribution to a data protection impact assessment. Sarus will help with the implementation of the privacy policy into the Sarus Instance.
Support on data science objectives
Sarus will provide assistance to help the data science or analytics team successfully build models or carry out analytics work using the Solution. It will include assistance using the Sarus SDKs and recommendations with regard to using differentially-private machine learning models.
Sarus is charged on a per dataset and per month basis. The price per dataset will vary depending on dataset size according to the following pricing structure:
SaaS Mode
Small Dataset (source data smaller than 500 megabytes): 600 EUR/month (1 month minimum)
Large Dataset (source data larger than 1 gigabyte): 1,000 EUR/month (1 month minimum)
30-day SaaS trial for up to 2 Small Datasets: Waived
Platform license fee: ask for a quote.
Self-Managed Mode
Platform license fee: ask for a quote.
Dataset: 600 EUR/month (1 month minimum)
Set-up assistance for Self-Managed Mode in a public cloud: ask for a quote.
Enterprise support and maintenance for Self-Managed Mode in a public cloud: ask for a quote.
Support on compliance audit and guidelines implementations: ask for a quote.
Support on data science objectives: ask for a quote.
Sarus makes the Solution available to the Client in SaaS Mode, so that users authorized by the Client can perform mathematical analyses of the data that has been uploaded on their account while complying with the privacy policies as defined by the Client in the Solution. If this data is personal data, Sarus is required to carry out personal data processing (hereafter the "Personal Data") on behalf of the Client.
The processing must be fully described in a schedule attached to the order. In the absence of such a schedule, no personal data may be loaded onto the Sarus SaaS instance.
The Client acts as data controller in accordance with Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereafter the "GDPR") and French law No. 78-17 of January 6th, 1978 on data processing, files and freedoms (collectively referred to hereafter as the "Data Regulations"). For its part, Sarus acts as the Client’s data processor, in its capacity as operator of the Solution.
Sarus undertakes to comply with all its obligations under the Data Regulations and, in particular, to:
- process Personal Data solely for the purpose described in the order;
- process Personal Data solely for the period necessary to achieve that purpose;
- process Personal Data in accordance with the Client’s documented instructions. If Sarus believes that an instruction is in breach of the Data Regulations, it shall inform the Client without undue delay;
- if Sarus is to transfer Personal Data outside the European Union territory, inform the Client in advance and comply with the requirements set out in articles 44 et seq. of the GDPR, including entering into, with the Client, the standard data protection clauses adopted by the Commission attached in Schedule 1;
- guarantee the confidentiality of any Personal Data processed;
- ensure that persons authorized to process Personal Data under the Agreement:
* undertake to observe confidentiality or are subject to an appropriate statutory confidentiality obligation,
* receive the necessary training on the protection of Personal Data;
- take into account, with regard to its tools, products, applications or services, the principles of Personal Data protection as from the design and protection of Personal Data by default;
- where Sarus uses another processor (hereafter the "Sub-Processor"), to carry out specific processing activities, inform the Client in advance and in writing of any planned changes concerning the addition or replacement of Sub-Processors. This information must clearly indicate the processing activities subcontracted, the identity and the contact details of the Sub-Processor. Sarus shall ensure that any Sub-Processor provides the same adequate guarantees in implementing appropriate technical and organizational measures such that the processing will meet the requirements of the Data Regulations. If the Sub-Processor fails to fulfill its Personal Data protection obligations, Sarus shall remain fully liable towards the Client for the performance by the Sub-Processor of its obligations;
- assist the Client, on request, with carrying out impact assessments relating to the protection of Personal Data as well as with the prior consultation of the supervisory authority;
- implement security measures and means:
* to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
* to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
* to test, assess and evaluate the effectiveness of technical and organizational measures for ensuring the security of the processing;
- at the end of the services relating to the processing of Personal Data, return the Personal Data to the Client. Such return shall be accompanied by the destruction of all existing copies in Sarus's information systems;
- communicate to the Client the name and contact details of its data protection officer, if Sarus has appointed one;
- keep a written record of all the categories of processing activities carried out on behalf of the Client;
- provide the Client with the documentation needed to demonstrate compliance with all its obligations; and
- subject to being notified in writing with fifteen (15) days’ notice, allow audits -which may not take place more than once (1) per calendar year- by the Client, at the latter’s own expense, or another auditor appointed by the Client, bound by strict confidentiality agreements.
Those audits will be strictly limited to verifying the compliance of processing carried out by Sarus for the Client with the Data Regulations. The audit report must be submitted by the Client to Sarus and will be examined jointly by the Parties.
For its part, the Client undertakes to comply with all its obligations under the Data Regulations and, in particular, to:
- only provide Sarus with Personal Data in accordance with the Data Regulations, in particular with regard to: the collection, information of data subjects, answers to data subjects’ requests in the event of the exercise of their rights, storage and processing thereof;
- only provide Sarus with Personal Data and for the processing described in the schedule attached to the order form;
- document in writing any instructions concerning the processing of Personal Data by Sarus;
- ensure, in advance and throughout the duration of the processing, that Sarus complies with the obligations provided for in the Data Regulations;
- supervise the processing, including to conduct audits and inspections of Sarus;
- guarantee the security of its own information systems as well as the security of its access and connection to the Sarus Solution;
- notify the supervisory authority, if the Client or Sarus detects a Personal Data breach, within the regulatory time frame of seventy-two (72) hours, and inform the data subjects if the breach requires those data subjects to be informed, potentially after notifying the supervisory authority of that breach.