Contracts
Built on Workday
Effective April 18th 2025
DownloadTable of Contents
Built on Workday
1. If Customer has purchased the Content Innovation Cloud integration with Workday (as identified on an Order Form), then Customer will be required to accept the Built on Workday Terms (currently, https://developer.workday.com/terms/builtonworkdaycustomer), which will be provided by Workday to the customer prior to downloading and using the Built on Workday App. The Customer agrees that it has the authority to agree to the Built on Workday terms from Workday notwithstanding anything in Customer’s agreement with Workday.
The most current version of this document shall be such in effect as of 12:00am EST (Eastern Standard Time) of the date stamped on such online version.
Content Federation Services
Effective April 18th 2025
DownloadTable of Contents
Content Federation Services
1. Content Federation Service connects structured, semi-structured, and unstructured, structured data, from multiple repositories, across multiple networks, to the Content Innovation Cloud.
2. Content Federation Services communicates with repositories through the Content Federation broker that establishes a connection between the repository and Content Federation gateway (hosted by Hyland in Content Innovation Cloud). If the repository is managed by Customer or Customer’s third-party vendor, then, upon termination of the Content Innovation Cloud Schedule, Customer will destroy the Content Federation broker installed on such repository and certify in writing to Hyland that Customer has completed such destruction.
The most current version of this document shall be such in effect as of 12:00am EST (Eastern Standard Time) of the date stamped on such online version.
Security
Effective April 18th 2025
DownloadTable of Contents
Security
For Content Innovation Cloud, Hyland maintains and manages a comprehensive written security program that is designed to protect: (a) the security and integrity of Customer Data; (b) against threats and hazards that may negatively impact Customer Data; and (c) against unauthorized access to Customer Data. Such program includes the following:
1. Risk Management.
1.1 Conducting an annual risk assessment designed to identify threats and vulnerabilities in the administrative, physical, legal, regulatory, and technical safeguards used to protect Content Innovation Cloud.
1.2 Maintaining a documented risk remediation process to assign ownership of identified risks, establish remediation plans and timeframes, and provide for periodic monitoring of progress.
2. Information Security Program.
2.1 Maintaining a documented comprehensive information security program that includes policies and procedures based on industry standard practices, which may include ISO 27001/27002, or other equivalent standards. Such information security program shall include, as applicable: (a) adequate physical and cyber security where Customer Data will be processed and/or stored; and (b) reasonable precautions taken with respect to Hyland personnel employment.
2.2 Reviewing and updating such policies annually.
3. Organization of Information Security. Assigning security responsibilities to appropriate individuals or groups to facilitate protection of Content Innovation Cloud and associated assets.
4. Human Resources Security.
4.1 Requiring all Hyland employees to undergo a comprehensive screening during the hiring process.
4.2 Performing background checks and reference validation to determine whether candidate qualifications are appropriate for the proposed position.
4.3 Subject to any restrictions imposed by applicable law and based on jurisdiction, conducting criminal background checks, employment validation, and education verification as applicable.
4.4 Ensuring all Hyland employees are subject to confidentiality and non-disclosure commitments before access is provisioned to Content Innovation Cloud or Customer Data.
4.5 Ensuring applicable Hyland employees receive security awareness training designed to provide such employees with information security knowledge to provide for the security, availability, and confidentiality of Customer Data.
4.6 Upon Hyland employee separation or change in roles, ensuring any Hyland employee’s access to Content Innovation Cloud is revoked in a timely manner and all applicable Hyland assets, both information and physical, are returned.
5. Asset Management.
5.1 Ensuring Customer Data is encrypted and stored in a secure location subject to strict physical access controls.
5.2 Maintaining asset and information management policies and procedures, including ownership of assets, an inventory of assets, classification guidelines, and handling standards pertaining to Hyland assets.
5.3 Note: Content Innovation Cloud is hosted in the Amazon Web Services (AWS) Cloud where security and compliance are shared responsibilities between AWS and Hyland. AWS is responsible for protecting the infrastructure that runs all the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates, including media handling and decommissioning. AWS Device Management Controls can be found here: https://aws.amazon.com/compliance/data-center/controls/#Device_Management
6. Access Controls.
6.1 Maintaining an access policy and corresponding procedures. The access procedures will define the request, approval, and access provisioning process for Hyland personnel. The access process will restrict Hyland user (local and remote) access based on Hyland user job function (role/profile based, appropriate access) for applications and databases.
6.2 Documenting procedures for: (a)onboarding and offboarding Hyland personnel users in a timely manner; and (b) Hyland personnel user inactivity threshold leading to account suspension and removal threshold.
6.3 Limiting Hyland’s access to Customer Data to its personnel who have a need to access Customer Data as a condition to Hyland’s performance of the services under this Agreement. For such Hyland employees, Hyland shall utilize the principle of “least privilege” and the concept of “minimum necessary.” Hyland shall require strong passwords subject to complexity requirements and periodic rotation and the use of multi-factor authentication.
6.4 Ensuring access controls are in place for Customer Data access by Hyland. Note: Customer controls its: user’s access, user’s permissions, and Customer Data retention to the extent such controls are available to Customer.
7. System Boundaries.
7.1 Note: Hyland is not responsible for any system components that are not within Content Innovation Cloud, including network devices, network connectivity, workstations, servers, and software owned and operated by the Customer or other third parties.
7.2 Note: The processes executed within Content Innovation Cloud are limited to those that are executed by a Hyland employee (or Hyland authorized third party) or processes that are executed within Hyland’s established system boundaries, in whole.
7.3 Note: Certain business processes may cross these boundaries, meaning one or more tasks are executed outside of Hyland’s established system boundaries for Content Innovation Cloud, one or more tasks are executed by individuals who are not Hyland personnel (or authorized third parties), or one or more tasks are executed based on written requests placed by Customer. In such event, Hyland will provide support for such processes to the extent they occur within Hyland’s established system boundaries, but Hyland is not responsible for providing support for such processes to the extent they occur outside of such established system boundaries. Examples of business processes that cross these boundaries include, but are not limited to, Content Innovation Cloud configuration changes, processing that occurs within Content Innovation Cloud, user authorization, and file transfers.
8. Encryption.
8.1 Ensuring Customer Data shall only be uploaded to Content Innovation Cloud in a supported encrypted format such as TLS or other equivalent method.
8.2 Encrypting Customer Data at rest and in transit over public networks.
8.3 Note: Where use of encryption functionality may be controlled or modified by Customer and Customer elects to modify its use of or turn off any encryption functionality, Customer does so at its own risk.
9. Operations Security.
9.1 Maintaining change management controls to ensure changes made by Hyland to production systems are properly authorized and reviewed prior to implementation. Note: Customer is responsible for testing all configuration changes, authentication changes and upgrades implemented by Customer or Hyland. If Customer requests Hyland to implement changes on its behalf, such request must be in writing and submitted by Customer’s designated Authorized Customer Administrators via a support case or set forth in a separate agreement.
9.2 Making scheduled configuration changes that are expected to impact Customer access to Content Innovation Cloud during a planned maintenance window. Note: Hyland may make configuration changes that are not expected to impact Customer during normal business hours.
9.3 Utilizing technologies that are configured to meet common industry standards designed to protect the Customer Data within Content Innovation Cloud from virus infections or similar malicious payloads.
9.4 Implementing disaster recovery and business continuity procedures in accordance with the applicable Service Level purchased by Customer.
9.5 Maintaining security logs for one year.
9.6 Maintaining system hardening requirements and configuration standards for components deployed within Content Innovation Cloud.
9.7 Conducting vulnerability scans on a regular basis and remediating in a timely manner. In the event any security patch would materially adversely affect Content Innovation Cloud, then Hyland will use reasonable efforts to implement compensating controls until a security patch is available that would not materially adversely affect Content Innovation Cloud. Upon written request, Hyland will provide an executive summary report of its most recent external vulnerability scan.
9.8 Conducting external penetration tests at least annually against an instance of Content Innovation Cloud that is representative of the configuration used by Customers generally and making an executive summary of the most recent penetration test to Customer upon request.
9.9 Permitting Customer to, on an annual basis (but no more than once during any 12-month period), conduct a penetration test against a Content Innovation Cloud website, setup by Hyland, that is authorized for penetration testing , provided: (1) Customer submits a Penetration Testing Authorization form in advance; (2) prior to conducting such testing, Hyland and Customer mutually agree upon the timing, scope, and price, (3) such testing is at Customer’s sole cost and expense; and (4) if Customer engages a third-party to assist with such testing, the third-party must first be cleared by Hyland and enter into a Non-Disclosure Agreement directly with Hyland. Note: Any testing performed without mutual agreement regarding timing, scope, and criteria may be considered a hostile attack, which may trigger automated and manual responses, including reporting the activity to local and federal law enforcement agencies as well as immediate suspension of Customer’s access to or use of Content Innovation Cloud; and Customer is prohibited from distributing or publishing the results of such penetration testing without Hyland’s prior written approval.
9.10 Maintaining a 24/7 security operations center.
10. Supplier Relationships. Maintaining a Vendor Management Program for its critical vendors and evaluating critical vendors on an annual basis.
11. Security Incident Response.
11.1 Employing incident response standards that are based upon applicable industry standards, such as ISO 27001 and National Institute for Standards and Technology (“NIST”), to maintain the information security components of Content Innovation Cloud environment.
11.2 Responses to these incidents follow the Hyland documented incident response sequence. This sequence includes the incident trigger phase, evaluation phase, escalation phase, response phase, recovery phase, de-escalation phase, and post-incident review phase.
11.3 If Hyland has determined Customer’s instance of Content Innovation Cloud has been negatively impacted by a security incident, delivering a root cause analysis summary. Such notice will not be unreasonably delayed but will occur after initial corrective actions have been taken to contain the security threat or stabilize Content Innovation Cloud.
11.4 The root cause analysis will include the duration of the event, resolution, technical summary, outstanding issues, and follow-up, including steps Customer needs to take to prevent further issues. Content Innovation Cloud information including data elements that require additional confidentiality and security measures (including that of other customers impacted in the event) will not be publicly disclosed. If Customer needs additional details of an incident, a request to the applicable Hyland Cloud support team must be submitted and handled on a case-by-case basis to protect the confidentiality and security of the requested information.
11.5 Notifying Customer of a Security Incident within 48 hours. A “Security Incident” means a determination by Hyland of an actual disclosure of unencrypted Customer Data to an unauthorized person or entity that compromises the security, confidentiality, or integrity of the Customer Data.
12. Information Security Aspects of Business Continuity Management.
12.1 Maintaining a business continuity and disaster recovery plan.
12.2 Reviewing and testing the business continuity and disaster recovery processes annually.
13. Audits and Assessments.
13.1 Monitoring its compliance with its information security program. This includes periodic internal reviews. Results are shared with Hyland leadership and deviations tracked through to remediation.
13.2 Maintaining a periodic external audit program. Completed attestations are provided to Customer upon written request.
13.3 Permitting Customer to, on an annual basis (but no more than once during any 12-month period), conduct audits (which includes assessments, questionnaires, guided reviews or other requests to validate Hyland’s security controls) of Hyland’s operations that participate in the ongoing delivery and support of Content Innovation Cloud (each, a “Security Inquiry”), provided, that:
(a) the proposed Security Inquiry does not overlap with, or otherwise cover the same or similar information as, or scope of: (1) any controls already provided for by an external audit or assessment already performed by Hyland, such as a SOC 2 report, ISO 27001 or other similar audit or assessment that is made available to Customer upon Customer’s request; or (2) any content already provided by Hyland through its completed SIG, CAIQ or similar questionnaire that is made available to Customer upon request.
(b) Hyland and Customer mutually agree upon the timing, scope, fees (if any), and criteria of such Security Inquiry;
(c) confidential and restricted documentation, such as Hyland internal policies, practices, and procedures, including any documentation requested by Customer that cannot be removed from Hyland’s premises as a result of physical limitations or policy restrictions will not be provided externally or removed from Hyland’s premises and such reviews must either (at Hyland’s election) be conducted onsite at Hyland’s corporate headquarters in Ohio or through a secure screenshare which may be arranged by Hyland to prohibit any type of copying or screen shots;
(d) Hyland will not permit access to internal systems or devices used to host or support Hyland’s offerings; and
(e) to the extent Customer desires to engage a third party to perform such Security Inquiry: (1) Hyland must approve of such third party in writing in advance, (2) Customer shall cause such third party to: (A) enter into a Non-Disclosure Agreement with Hyland and (B) agree to abide by Hyland’s security standards, and (3) Customer shall manage the engagement with the third party and ensure the third party understands the scope of the Security Inquiry as mutually agreed upon between Hyland and Customer and how Customer utilizes the Hyland Cloud Service.
Where necessary, Hyland will provide private and reasonable accommodation at Hyland’s corporate headquarters in Ohio for data analysis and meetings. Upon reasonable advance written request, Hyland and Customer may mutually agree to make necessary employees or contractors available for interviews in person or on the phone during such Security Inquiry at Customer’s cost and expense. Customer is prohibited, , and Customer shall prohibit each third-party engaged to perform a Security Inquiry from distributing or publishing the results of such Security Inquiry without Hyland’s prior written approval. Notwithstanding anything to the contrary within this Agreement, nothing in this Agreement (including this section) will require Hyland or any of its affiliates to disclose information that is subject to attorney-client privilege.
The most current version of this document shall be such in effect as of 12:00am EST (Eastern Standard Time) of the date stamped on such online version.
Service Levels
Effective May 30th 2025
DownloadTable of Contents
Service Levels
Service Level Agreements (“SLA”) described in this document pertain to the availability of Content Innovation Cloud. This document does not address technical support.
Service Level Definitions
“Downtime” is calculated as the aggregate time (in minutes) each calendar month, as confirmed by Hyland following written notice from the Customer, that Content Innovation Cloud is Unavailable (as defined below). The length of Downtime will be measured from the time an incident occurs, as confirmed by Hyland, until the time when Hyland confirms that the failure condition(s) reported are no longer present. Downtime does not include any failure conditions which occur due to an Exclusion Event (see below).
“Exclusion Event” means any of the following occurrences:
1. System maintenance, whether such maintenance is scheduled (e.g., for upgrading of the Service or its components or for any other scheduled purpose) or unscheduled (due to emergency) which results in the Service being unavailable or inaccessible to Customer.
2. Failure of a Customer’s or User’s equipment or facilities.
3. Acts or omissions of a Customer or its User, including but not limited to (a) performance or non-performance of any services by a third party (other than Hyland) contracted by the Customer to provide services to the Customer or its Users related to Content Innovation Cloud, (b) any failure that is not due to fault of Hyland or Hyland’s contracted third-party service provider, (c) failure of any code or configurations managed or written by the Customer or any third-party vendor to the Customer, or (d) any unauthorized use or access by the Customer or any of its Users;
4. The occurrence of a force majeure event.
5. Internet failure or congestion.
6. Failure of equipment or systems not within Content Innovation Cloud, or of equipment or systems not provided, or not under the control or direction of Hyland including equipment or systems Hyland may obtain or contract for at the request of the Customer; or
7. Failures or other failures caused directly or indirectly by known or unknown computer viruses, worms or other malicious programs (assuming Hyland has not breached any of its obligations here or in the applicable agreement relating to virus protection protocols).
“Failover Notice” is a notification made by Hyland to the Customer (which may be made by electronic communication via e-mail or the Community portal) indicating that Hyland is initiating an AWS (Amazon Web Services) Region failover.
“Monthly Fees” is the portion of the recurring fees for Content Innovation Cloud attributable to the month in which the applicable performance deficiency occurs, excluding any taxes, one-time fees, third party fees, travel or expense, professional services or similar additional fees. E.g., if fees are charged annually, the Monthly Fee equals the annual fees divided by 12, subject to the same exclusions above.
"Monthly Uptime Percentage" is calculated as the total number of minutes in a calendar month, minus the number of minutes of Downtime (as defined above) in such month, divided by the total number of minutes in such month.
“Recovery Point” means the minimum number of hours (prior to the time Hyland provides a Failover Notice) that the Customer’s data must have been stored within Content Innovation Cloud to qualify as eligible data. Customer Data is deemed “eligible” if Hyland confirms it has been stored within the Content Innovation Cloud for a number of hours (prior to the time Hyland provides a Failover Notice) that exceeds the applicable Recovery Point Objective defined in Table 2 below.
“Recovery Time” means the number of hours from the time the required Failover Notice is delivered to the time Content Innovation Cloud has been Restored (excluding any time during that period if/when an Exclusion Event affects both the current primary and secondary data centers).
“Restore" or "Restored" means that, except to the extent prevented by an Exclusion Event, access to Content Innovation Cloud has been restored such that:
(1) eligible Customer Data can be retrieved; and
(2) new Customer Data can be input.
“Unavailability” or “Unavailable” refers to a state when Content Innovation Cloud is either (1) unresponsive or (2) responds with an error, and thereby prevents all Users from accessing Content Innovation Cloud.
Service Level Commitments
Table 1: Monthly Uptime Percentages
STANDARD | |
Monthly Uptime Percentage | 99.5% |
Applicable Credit | 5% of the Monthly Fee |
Table 2: Business Continuity
STANDARD | |
Recovery Point Objective (RPO) | 24 Hours |
Applicable Credit | 15% of the Monthly Fee |
Recovery Time Objective (RTO) | 8 Hours |
Applicable Credit | 15% of the Monthly Fee |
Service Level Commitment Terms
Monthly Uptime Percentage. Hyland will meet the Monthly Uptime, as identified in Table 1 above, during each calendar month.
Business Continuity. Hyland shall provide business continuity redundancy via AWS Availability Zones. Content Innovation Cloud does not use multiple AWS Regions. If Hyland delivers a Failover Notice to Customer, Hyland shall restore Content Innovation Cloud within the applicable Recovery Time Objective set forth in Table 2 above (except to the extent caused or prevented by an Exclusion Event).
Downtime Report. Following the occurrence of a Downtime event, upon request by the Customer, Hyland shall provide a report which will include, as applicable, a detailed description of the incident, start and end times of the incident, duration of the incident, business/functional impact of the incident, description of remediation efforts taken, and a description of outstanding issues or tasks relating to the incident.
Credits
Monthly Uptime Percentage. In the event the Monthly Uptime Percentage during any calendar month is less than the applicable Monthly Uptime Percentage set forth in the Table 1 above, the Customer shall receive the applicable credit against the fees specified in Table 1 above, provided Customer submitted a technical support request within twenty-four hours of such Downtime.
Exclusions. The physical infrastructure of Content Innovation Cloud is provisioned to Customer based on Customer’s Content Innovation Cloud Product Subscription which may be on a tier or volume basis. If Customer’s use of Content Innovation Cloud exceeds the usage limits of Customer’s Content Innovation Cloud Product Subscription (“Excessive Use”), then the speed, availability, or number of API requests that Customer may make of Content Innovation Cloud may be impacted. Customer will not earn a service level credit for Missed Uptime Percentages due to Excessive Use.
RPO and RTO. In the event and RPO or RTO during any calendar month is less than the applicable RPO or RTO set forth in the Table 2 above, the Customer shall receive the applicable credit against the fees specified in Table 2 above.
Maximum Service Level Credit. Notwithstanding anything to the contrary, Customers are only entitled to a maximum of one service level credit for all events occurring in a particular calendar month. If available, Customer shall be entitled to only the largest service level credit which may be payable for one or more of the service level failures occurring in such calendar month.
Application of Service Level Credits. Service level credits will be applied first to any outstanding amounts which are due and owing from Customer, and then to future fees.
Termination Remedy. If Customer earns a service level credit either: (i) in three consecutive calendar months, or (ii) in four calendar months during any six consecutive month period; then Customer may, by written notice to Hyland delivered within thirty days after the last credit described in either clause or (i) or (ii) above is earned, terminate the Agreement.
Exclusivity. The remedies set forth above constitute the sole and exclusive remedies available to a Customer for any failure to meet the service level commitments set forth in this document.
System Maintenance
For the purposes of an Exclusion Event, system maintenance will not exceed 16 hours per month, subject to the following.
Maintenance Notifications. Hyland will notify Customer of system maintenance expected to impact system availability or functionality through the status page (currently, https://status.experience.hyland.com) or through direct communication to Customer’s designated CSA.
Scheduled Maintenance. Hyland will notify Customer of scheduled maintenance that is expected to impact or potentially impact system availability or functionality. Such notification will typically be sent at least one week in advance, but in no event will such notice be sent less than 24 hours prior to the specified start time. Modifications or repairs to shared infrastructure or platform patching and upgrades, that is expected to impact or potentially impact Content Innovation Cloud availability is currently restricted to within the hours of 12 AM to 2 AM, based on the time zone of the impacted AWS Region. Any changes to the scheduled hours of maintenance will be communicated to each Customer via e-mail to Customer’s designated CSA, posted in the Content Innovation Cloud, or the status page.
Unscheduled Maintenance. Hyland will use reasonable efforts to notify Customer of unscheduled maintenance that is expected to impact or potentially impact Content Innovation Cloud availability or functionality. Such notification will typically be sent at least 24 hours in advance, but to the extent Hyland determines that such maintenance is required sooner due to a security or availability concern (e.g. emergency maintenance is required by Hyland), Hyland will use reasonable efforts to send such notice no less than 2 hours prior to the specified start time.
The most current version of this document shall be such in effect as of 12:00am EST (Eastern Standard Time) of the date stamped on such online version.
Effective April 18th 2025 to May 30th 2025
DownloadTable of Contents
Service Levels
Service Level Agreements (“SLA”) described in this document pertain to the availability of Content Innovation Cloud. This document does not address technical support.
Service Level Definitions
“Downtime” is calculated as the aggregate time (in minutes) each calendar month, as confirmed by Hyland following written notice from the Customer, that Content Innovation Cloud is Unavailable (as defined below). The length of Downtime will be measured from the time an incident occurs, as confirmed by Hyland, until the time when Hyland confirms that the failure condition(s) reported are no longer present. Downtime does not include any failure conditions which occur due to an Exclusion Event (see below).
“Exclusion Event” means any of the following occurrences:
1. System maintenance, whether such maintenance is scheduled (e.g., for upgrading of the Service or its components or for any other scheduled purpose) or unscheduled (due to emergency) which results in the Service being unavailable or inaccessible to Customer.
2. Failure of a customer’s or user’s equipment or facilities.
3. Acts or omissions of a customer or its user, including but not limited to (a) performance or non-performance of any services by a third party (other than Hyland) contracted by the customer to provide services to the customer or its users related to Content Innovation Cloud, (b) any failure that is not due to fault of Hyland or Hyland’s contracted third-party service provider, (c) failure of any code or configurations managed or written by the customer or any third-party vendor to the customer, or (d) any unauthorized use or access by the customer or any of its users;
4. The occurrence of a force majeure event.
5. Internet failure or congestion.
6. Failure of equipment or systems not within Content Innovation Cloud, or of equipment or systems not provided, or not under the control or direction of Hyland including equipment or systems Hyland may obtain or contract for at the request of the customer; or
7. Failures or other failures caused directly or indirectly by known or unknown computer viruses, worms or other malicious programs (assuming Hyland has not breached any of its obligations here or in the applicable agreement relating to virus protection protocols).
“Failover Notice” is a notification made by Hyland to the Customer (which may be made by electronic communication via e-mail or the Community portal) indicating that Hyland is initiating an AWS (Amazon Web Services) Region failover.
“Monthly Fees” is the portion of the recurring fees for Content Innovation Cloud attributable to the month in which the applicable performance deficiency occurs, excluding any taxes, one-time fees, third party fees, travel or expense, professional services or similar additional fees. E.g., if fees are charged annually, the Monthly Fee equals the annual fees divided by 12, subject to the same exclusions above.
Monthly Uptime Percentage. is calculated as the total number of minutes in a calendar month, minus the number of minutes of Downtime (as defined above) in such month, divided by the total number of minutes in such month.
“Recovery Point” means the minimum number of hours (prior to the time Hyland provides a Failover Notice) that the customer’s data must have been stored within Content Innovation Cloud to qualify as eligible data. Customer Data is deemed “eligible” if Hyland confirms it has been stored within the Hyland Cloud Service for a number of hours (prior to the time Hyland provides a Failover Notice) that exceeds the applicable Recovery Point Objective defined in Table 2 below.
“Recovery Time” means the number of hours from the time the required Failover Notice is delivered to the time Content Innovation Cloud has been Restored (excluding any time during that period if/when an Exclusion Event affects both the current primary and secondary data centers).
“Restoration” occurs once access to Content Innovation Cloud has been restored such that:
(1) eligible Customer Data can be retrieved; and
(2) new Customer Data can be input.
“Unavailability” or “Unavailable” refers to a state when Content Innovation Cloud is either (1) unresponsive or (2) responds with an error, and thereby prevents all users from accessing Content Innovation Cloud.
Service Level Commitments
Table 1: Monthly Uptime Percentages
STANDARD | |
Monthly Uptime Percentage | 99.5% |
Applicable Credit | 5% of the Monthly Fee |
Table 2: Business Continuity
STANDARD | |
Recovery Point Objective (RPO) | 24 Hours |
Applicable Credit | 15% of the Monthly Fee |
Recovery Time Objective (RTO) | 8 Hours |
Applicable Credit | 15% of the Monthly Fee |
Service Level Commitment Terms
Monthly Uptime Percentage. Hyland will meet the Monthly Uptime, as identified in Table 1 above, during each calendar month.
Business Continuity. Hyland shall provide business continuity redundancy via AWS Availability Zones. Content Innovation Cloud does not use multiple AWS Regions. If Hyland delivers a Restoration Notice to Customer, Hyland shall restore Content Innovation Cloud within the applicable Recovery Time Objective set forth in Table 2 above (except to the extent caused or prevented by an Exclusion Event).
Downtime Report. Following the occurrence of a Downtime event, upon request by the customer, Hyland shall provide a report which will include, as applicable, a detailed description of the incident, start and end times of the incident, duration of the incident, business/functional impact of the incident, description of remediation efforts taken, and a description of outstanding issues or tasks relating to the incident.
Exclusive Remedies Terms
Monthly Uptime Percentage. In the event the Monthly Uptime Percentage during any calendar month is less than the applicable Monthly Uptime Percentage set forth in the Table 1 above, the customer shall receive the applicable credit against the fees specified in Table 1 above, provided Customer submitted a technical support request within twenty-four hours of such Downtime.
Maximum Service Level Credit. Notwithstanding anything to the contrary, customers are only entitled to a maximum of one service level credit for all events occurring in a particular calendar month. If available, Customer shall be entitled to only the largest service level credit which may be payable for one or more of the service level failures occurring in such calendar month.
Application of Service Level Credits. Service level credits will be applied first to any outstanding amounts which are due and owing from Customer, and then to future fees.
Termination Remedy. If Customer earns a service level credit either: (i) in three consecutive calendar months, or (ii) in four calendar months during any six consecutive month period; then Customer may, by written notice to Hyland delivered within thirty days after the last credit described in either clause or (i) or (ii) above is earned, terminate the Agreement.
Exclusivity. The remedies set forth above constitute the sole and exclusive remedies available to a customer for any failure to meet the service level commitments set forth in this document.
System Maintenance
For the purposes of an Exclusion Event, system maintenance will not exceed 16 hours per month, subject to the following.
Maintenance Notifications. Hyland will notify Customer of system maintenance expected to impact system availability or functionality through the status page (currently, https://status.experience.hyland.com) or through direct communication to Customer’s designated CSA.
Scheduled Maintenance. Hyland will notify Customer of scheduled maintenance that is expected to impact or potentially impact system availability or functionality. Such notification will typically be sent at least one week in advance, but in no event will such notice be sent less than 24 hours prior to the specified start time. Modifications or repairs to shared infrastructure or platform patching and upgrades, that is expected to impact or potentially impact Content Innovation Cloud availability is currently restricted to within the hours of 12 AM to 2 AM, based on the time zone of the impacted AWS Region. Any changes to the scheduled hours of maintenance will be communicated to each Customer via e-mail to Customer’s designated CSA, posted in the Content Innovation Cloud, or the status page.
Unscheduled Maintenance. Hyland will use reasonable efforts to notify Customer of unscheduled maintenance that is expected to impact or potentially impact Content Innovation Cloud availability or functionality. Such notification will typically be sent at least 24 hours in advance, but to the extent Hyland determines that such maintenance is required sooner due to a security or availability concern (e.g. emergency maintenance is required by Hyland), Hyland will use reasonable efforts to send such notice no less than 2 hours prior to the specified start time.
The most current version of this document shall be such in effect as of 12:00am EST (Eastern Standard Time) of the date stamped on such online version.
Additional AI Terms - Third-Party AI
Effective May 30th 2025
DownloadTable of Contents
Additional AI Terms - Third-Party AI
When the Third-Party AI listed below is used in the Content Innovation Cloud, Additional AI Terms apply. The applicable AI Service Card identifies the Third-Party AI included in each Content Innovation Cloud product.
Amazon Bedrock
Some AI Models are provided via Amazon Bedrock. All such AI Models are subject to the applicable sections of the AWS Service Terms (the “AWS Model Terms”), which include the following terms (among others):
(i) These models may be used in connection with supporting healthcare services, provided that they are not medical devices under applicable law and regulations and are not intended to be used by themselves for any clinical diagnosis, decision-making, treatment, or other clinical use. Customer is responsible for all harm or liability that may arise in connection with any such uses;
(ii) Customer will not, and will not allow any third party to, modify, tamper with, remove, obscure, or otherwise alter Provenance Data. “Provenance Data” means information included as part of Output, such as metadata, digital signatures, or watermarks to identify it is generated using a generative AI model;
(iii) Customer’s use of these models must comply with applicable laws and regulations and AWS’s Acceptable Use Policy, and AWS’s Responsible AI Policy.
(iv) Amazon Bedrock may use automated abuse detection mechanisms designed to detect harmful content. If these mechanisms detect apparent child sexual abuse material, Customer agrees and instructs Amazon report the incident to the National Center for Missing and Exploited Children or other authority.
(v) To improve performance, such services may use cross-region inference, using the optimal AWS Region to process your content when running model inference.
1. Amazon Titan Texan Embedding V2. Governed by the AWS Model Terms.
2. Amazon Rerank 1.0. Governed by the AWS Model Terms.
3. Amazon Nova Micro. Governed by the AWS Model Terms.
4. Llama 3 8B: Governed the AWS Model Terms, the Meta Llama 3 Community License Agreement and the Meta Llama 3 Acceptable Use Policy. The Llama 3 model terms include the following restrictions (among other terms):
(i) Customer will not, and will not allow any third party to, use a model from the available AI Models, or Output therefrom, to improve any large language model (excluding any Meta Llama model).
(ii) If Customer uses the Output of a Llama Applicable Model to improve any AI model (excluding a Meta Llama model) that is distributed or made available, then Customer must (1) prominently display “Built with Llama” on a related website, user interface, blogpost, about page, or product documentation, and (2) include “Llama” at the beginning of any such AI model name.
(iii) If Customer distributes, licenses or sells the Output of a Llama Applicable Model or any AI model trained on such Output, then Customer must provide applicable copies of the Llama licenses.
(iv) Customer must not institute litigation or other proceedings against Meta alleging that the Output of a Llama Applicable Model or any portion thereof constitutes infringement of intellectual property or other rights owned or licensable by Customer.
5. Llama 3.2 11B Instruct. Governed by the AWS Model Terms, the Llama 3.2 Community License Agreement and the Llama 3.2 Acceptable Use Policy. The Llama 3.2 model terms include the restrictions listed in section 4(i) - 4(iv) above (among other terms).
6. Llama 4.0 Models. Governed By the AWS Model Terms, the Llama 4 Community License Agreement and the Llama 4 Acceptable Use Policy. The Llama 4 model terms include the restrictions listed in section 4(i) - 4(iv) above (among other terms), as well as the following: With respect to any multimodal models included in Llama 4, the rights granted under Section 1(a) of the Llama 4 Community License Agreement are not being granted to you if you are an individual domiciled in, or a company with a principal place of business in, the European Union. This restriction does not apply to end users of a product or service that incorporates any such multimodal models.
7. Anthropic Models. Governed By the AWS Model Terms and the Anthropic on Bedrock Terms, which includes the following restriction (among others terms): Customer may not and must not attempt to (i) access the services to build a competing product or service, including to train competing AI models except as expressly approved by Anthropic; (ii) reverse engineer or duplicate the services; or (iii) support any third party’s attempt at any of the conduct restricted in this sentence. Customer and its Users may only use the services in the countries and regions Anthropic currently supports.
The most current version of this document shall be such in effect as of 12:00am EST (Eastern Standard Time) of the date stamped on such online version.
Effective April 18th 2025 to May 30th 2025
DownloadTable of Contents
Third-Party AI Model Providers
1. Amazon Bedrock.
1.1 As indicated in the AI Services Card made available on Hyland’s Trust Center (currently, https://security.hyland.com/?product=hyland-cloud), Content Innovation Cloud may utilize Amazon Bedrock to provide Artificial Intelligence Technology. Amazon Bedrock may use automated abuse detection mechanisms designed to detect harmful content. If these mechanisms detect apparent child sexual abuse material, Customer agrees and instructs Amazon report the incident to the National Center for Missing and Exploited Children or other authority.
1.2 Output generated by models accessed through Amazon Bedrock may include information such as metadata, digital signatures, or watermarks to identify it is generated using a generative artificial intelligence model ("Provenance Data"), as indicated in applicable documentation (for example, Amazon Titan Image Generator). Customer may not modify, tamper with, remove, obscure, or otherwise alter such Provenance Data.
2. BYOM. Customer may have the option to connect and use an LLM of its choosing (a “Customer LLM”) with Content Innovation Cloud, subject to Hyland’s then-current technical and security requirements. Customer is solely responsible for the selection, configuration, operation, and licensing of any Customer LLM, including compliance with all applicable laws and third-party terms governing its use. Company makes no representations or warranties regarding the compatibility, accuracy, or performance of any Customer LLM with Content Innovation Cloud. Customer acknowledges that integration with a Customer LLM may affect the performance or results of Content Innovation Cloud, and Hyland disclaims any liability arising therefrom. Customer is solely responsible for any data transmitted to or processed by the Customer LLM, and for maintaining appropriate security and access controls. Hyland reserves the right to suspend or restrict integration with a Customer LLM if it poses a security, performance, or legal risk to Content Innovation Cloud or other customers.
The most current version of this document shall be such in effect as of 12:00am EST (Eastern Standard Time) of the date stamped on such online version.
Hyland Experience Technical Support
Effective May 3rd 2024
DownloadTable of Contents
HYLAND EXPERIENCE TECHNICAL SUPPORT
1 DEFINED TERMS
“Business Day” means any day other than Saturday, Sunday, or a legal holiday.
“Business Daily” means at least once per Business Day.
“Business Hour” means 8:00 a.m. to 6:00 p.m., in the time zone of the Hyland entity that Customer has contracted with for Hyland Experience, of a Business Day.
“Upgrades and Enhancements” means any and all new versions, improvements, modifications, upgrades, updates, fixes and additions to Hyland Experience that Hyland makes available to its end users generally to correct errors or deficiencies or enhance the capabilities of Hyland Experience, together with updates of the documentation to reflect such new versions, improvements, modifications, upgrades, fixes or additions; provided, however, that the foregoing shall not include new, separate product offerings, new modules or re-platformed software.
2 TECHNICAL SUPPORT
2.1 In General. Hyland will provide technical support for the functionality described in the Documentation of Customer’s production instance of Hyland Experience based on the level purchased by Customer.
2.1.1 Limitations. Technical support: (a) is provided in English-only; (b) only applies to the production instance; and (c) will only be provided during Business Hours unless otherwise stated herein.
2.1.2 Remote Work. Technical support will be performed remotely. Resources assigned to perform technical support may be employees or third-party contractors of Hyland or its’ affiliates, in each case located outside the United States. Unless otherwise agreed to by the parties in writing, Customer consents to such resources’ access to Customer’s Hyland Experience instance and related data during the provision of technical support.
2.2 Targets. In response to support cases submitted by Customer, Hyland will use reasonable efforts to: (a) resolve the support case, which may be effected by a reasonable workaround, correction, or modification; and (b) meet the targets described in the table below based upon the level Customer has purchased:
Technical Support Levels | |||
Digital | Premier | Signature | |
Initial Response Target | N/A | P1 and P2: 60 minutes* P3 and P4: 1 Business Day P5 and P6: 2 Business Days | P1 and P2: 30 minutes* P3 and P4: 1 Business Hour P5 and P6: 4 Business Hours |
Issue Update Frequency Target | N/A | P1 and P2: Hourly P3 - P6: 2 Business Days | P1 and P2: Conference bridge** P3 - P6: Business Daily |
*Priority Level 1 and Level 2 must be reported to Hyland by phone for Hyland to meet the Initial Response Targets.
**Hyland will participate in a conference bridge to provide continual updates to Customer, provided Customer remains accessible for troubleshooting from the time Hyland initially responds to the support case.
2.3 Priority Levels. Hyland will respond to support cases based on the Priority Level Hyland determines is most applicable to each such support case. Hyland may modify its commitments for Priority Levels from time to time, provided, that, the level of technical support will not materially decrease during the term of a Product Subscription.
Priority Level | Description | Hyland Response |
Level 1 (P1) | Total or substantial failure of Hyland Experience. | Hyland will match Customer’s effort, up to and including 24-hour days, 7 days a week. |
Level 2 (P2) | All of Customer’s users are unable to access an entire portion of Hyland Experience. | Hyland will match Customer’s effort, up to and including 24-hour days, 7 days a week. |
Level 3 (P3) | Hyland Experience is usable except there is an ongoing, system-wide, severe performance degradation. | Hyland will match Customer’s efforts during Business Days, up to 16 hours/day. |
Level 4 (P4) | Hyland Experience is usable except a specific feature or functionality is not working. | Hyland will use reasonable efforts during Business Hours. |
Level 5 (P5) | Hyland Experience is usable except for a trivial inconvenience. | Hyland will use reasonable efforts during Business Hours. |
Level 6 (P6) | All other matters, including “how to” requests and questions about the Documentation. | Hyland will use reasonable efforts during Business Hours. |
2.4 Customer Resources. To facilitate Hyland’s resolution of support cases, Customer agrees to the following. Failure by Customer to meet these commitments may impact Hyland’s ability to provide technical support.
2.4.1 Sponsor. Customer will assign a sponsor, who is the final escalation point for engaging with technical support. The sponsor will: (a) ensure that the appropriate Customer personnel are assigned and made available when necessary; (b) manage all Customer obligations described herein; and (c) coordinate all key departmental decision makers, technical experts, subject matter experts, end user representatives and third-party software application resources.
2.4.2 Technical Contacts. Customer will designate specific Users as “Technical Contacts.” Technical Contacts must have a working knowledge of Hyland Experience and the overall environment; typically, Technical Contacts are Customer’s designated system administrators. Hyland may provide Technical Contacts with access to the online support portal via a unique login. Technical Contacts are exclusively responsible for submitting support cases and engaging in interactions with the Hyland technical support team. Customer permits Hyland to communicate with the Technical Contacts as necessary to provide technical support.
2.4.3 Additional Subject Matter Experts. Customer will engage the appropriate business process owners and subject matter experts, who are thoroughly knowledgeable about the current business practices in their respective areas, including vendor resources, interface specialists, technical experts, and/or subject matter experts for third-party system(s) with which Hyland Experience will integrate or from which content will be migrated.
2.4.4 Updates. Customer will notify Hyland of Customer personnel changes to the extent personnel changes impact the performance of Hyland’s obligations. Such designees may be changed at any time by notice from Customer to their applicable Customer Support Manager, Account Manager, or Technical Account Manager.
2.5 Reporting Policies and Procedures.
2.5.1 Reporting Requirements. When requesting technical support, Customer’s Technical Contacts must submit the support case via Hyland’s secure end user website (currently www.hyland.com/community). Once such support case is submitted through the end user website, if Customer is experiencing a Level 1 or Level 2 Priority Level, Customer is advised to call Hyland’s support team after submitting the support case (support numbers are available through Hyland’s secure end user website). Hyland shall have no obligation to provide technical support, by any means, to any entity or individual other than the designated Technical Contacts.
2.5.2 Assistance. To resolve an error, Hyland must be able to reproduce the error. Therefore, Customer will provide Hyland with as much information and access to systems as reasonably possible to enable Hyland to investigate and attempt to identify and verify the error. Customer will work with Hyland support personnel as reasonably needed. Customer will notify Hyland of any configuration changes it has made, such as workflow configuration changes, network installation/expansion, integrations, upgrades, relocations, etc.
2.5.3 Hyland Response Procedures. Hyland will use reasonable efforts to meet the Initial Response Targets set forth in the table above based upon the confirmed Priority Level. Initial Response Targets are measured from when the Customer’s Technical Contact submits the support case to when Hyland first attempts to contact the Customer’s Technical Contact regarding such case. Hyland’s initial response may include questions seeking to clarify the issue or gather information regarding the cause of the issue. Hyland may be unable to start resolving the issue before receiving such additional information. At Hyland’s reasonable discretion, the Priority Level of a case may be updated based on the information provided to align with the Priority Level definitions.
2.5.4 Update, Upgrade, Change or Replacement of Components. To resolve a support case, Hyland may: (1) update the build or version of Hyland Experience; or (2) change, replace, update or upgrade the Hyland-provided hardware or software components, in each case, at Hyland’s discretion and expense.
2.6 Excluded Errors. Hyland is not responsible for providing, or obligated to provide, technical support:
(1) in connection with any errors, defects, or issues that were caused, in whole or in part, from any: (a) alteration, revision, change, enhancement, or modification; or (b) configuration of a component that was done by a party other than Hyland or a party retained by Hyland to perform the configuration;
(2) if Hyland has previously made available a reasonable workaround, correction, or modification which Customer has failed to implement;
(3) in connection with any software, hardware, system, or computer networking that is not provided by Hyland;
(4) in connection with any Work Products (as defined in the Underlying Agreement or the applicable agreement such Work Products were provided under, as applicable);
(5) in connection with any questions related to the operation or use of application programming interfaces (APIs); or
(6) if any party other than Hyland, or an authorized subcontractor specifically selected by Hyland, has provided any services in the nature of technical support to Customer (items (1)-(6), “Excluded Errors”).
2.7 Voluntary Support. In its efforts to be a supportive vendor, Hyland may assist Customer in troubleshooting and resolving Excluded Errors, but such assistance is beyond Hyland’s obligations (contractual or otherwise). Hyland may cease providing ongoing assistance with Excluded Errors at any time.
2.8 Upgrades and Updates.
2.8.1 Upgrades and Enhancements. Hyland will provide, in accordance with Hyland’s then current policies, as set forth from time to time on Hyland’s secure end user web site, all Upgrades and Enhancements, if and when released during the term of the Agreement.
2.8.2 Regulated Products. Customer acknowledges and agrees that for regulatory compliance purposes, Customer may be required to engage Hyland under a Services Proposal to implement Upgrades and Enhancements to a regulated product. If Hyland offers a self-service option for implementing Upgrades and Enhancements to a regulated product, and the Customer chooses this option, Customer agrees to comply with the training, reporting, and documentation requirements established by Hyland to ensure that the implementation is performed and documented as required by applicable regulations.
2.8.3 Update, Upgrade, Change or Replacement of Components. Hyland may update or upgrade the build or version of the software used in Hyland Experience from time to time at Hyland’s expense. Hyland also may change, replace, update or upgrade the physical hardware and infrastructure or any composite software layers which Hyland uses to provide Hyland Experience, in each case, whether owned by Hyland or a third party. Customer agrees to collaborate with Hyland and assist Hyland in connection with the completion of installation and testing of any update or upgrade. Notwithstanding the foregoing, Customer acknowledges that it is Customer’s responsibility to ensure that Customer is running a Cloud Compatible Version of Hyland Experience in accordance with Hyland’s Cloud Software Version Policy available at Hyland’s end user website; Customer’s failure to comply with Hyland’s Cloud Software Version Policy shall be considered a material breach of the Agreement.
[The most current version of this page shall be such in effect as of 11:59 p.m. ET of the date stamped on such online version.]
Effective March 30th 2021 to May 3rd 2024
DownloadTable of Contents
Hyland Experience Service Support
1. If Support Services provided by Hyland are included as part of the applicable Hyland Experience Service purchased by Customer, Hyland will provide Support to the applicable Hyland Experience Service in accordance with these provisions and the Support Prioritization Attachment attached hereto. Capitalized terms not defined herein have the meanings set forth in the applicable underlying Hyland Experience Services Agreement between the customer and Hyland which incorporates these support terms by specific reference (the “Agreement”)
(a) Technical Support Services. Hyland will provide telephone or online technical support related to problems reported by Customer and associated with the operation of the Hyland Experience Service, including assistance and advice related to the operation of the Hyland Experience Service.
(b) Error Correction Services. With respect to any issues or errors in the Hyland Experience Service which are reported by Customer and which are confirmed by Hyland, Hyland will use its reasonable efforts to correct such issue or error, which may be effected by a commercially reasonable workaround. Hyland shall promptly commence to confirm any reported issues or errors after receipt of a proper report of such suspected issue or error from Customer in accordance with the Support Prioritization Attachment. Hyland may elect to correct the issue or error by updating or upgrading the applicable component of the Hyland Experience Service to a new build or version.
(c) Reporting Policies and Procedures Applicable to Technical Support Services and Error Correction Services.
(1) Customer Reporting Requirements. When requesting support services, Customer must report problems, issues, and errors via Hyland’s secure end user website (currently www.hyland.com/community), except that Customer may call 440-788-5600 for Level 1 and Level 2 Severity Levels. In the case of reporting a problem, issue, or error with the Hyland Experience Service, Customer will provide Hyland with as much information and access to systems as reasonably possible to enable Hyland to investigate and attempt to identify and verify the problem, issue or error. Customer will work with Hyland support personnel during the problem isolation process, as reasonably needed.
(2) Hyland Response Procedures. Hyland shall respond to all reports in accordance with the Support Prioritization Attachment below. Hyland: (a) will respond based on the confirmed severity level; (b) may reclassify severity levels as it learns information about such problems, issues or errors during the resolution process; and (c) obligations for a reported issue or error concludes upon delivery of a Resolution in accordance with the Support Prioritization Attachment.
(d) Update, Upgrade, Change or Replacement of Components of the Hyland Experience Services. Hyland may update or upgrade the build or version of the software used in the Hyland Experience Services from time to time at Hyland’s expense. Hyland also may change, replace, update or upgrade the hardware or other software components of the Hyland Experience Services from time to time.
2. EXCLUSIONS.
(a) Generally. Hyland is not responsible for providing, or obligated to provide, Hyland Experience Service Support: (1) in connection with any errors, defects or problems that result in whole or in part from any alteration, revision, change, enhancement or modification of any nature of the Hyland Experience Service or from any error or defect in any configuration of any component of the Hyland Experience Service, which activities in any such case were undertaken by any party other than Hyland or a party retained by Hyland; (2) in connection with any error or defect or problem in any other component of the Hyland Experience Service if Hyland has previously made available corrections for such error or defect which Customer fails to implement; (3) in connection with any errors, defects or problems which have been caused by errors, defects, problems, alterations, revisions, changes, enhancements or modifications in any software, hardware or system or networking which is not a part of the Hyland Experience Service; (4) if any party other than Hyland, or an authorized subcontractor specifically selected by Hyland, has provided any services in the nature of Hyland Experience Service Support to Customer with respect to the Hyland Experience Service; or (5) in connection with any questions related to the operation or use of the Hyland Experience Service or other Hyland software application programming interfaces (APIs); or in connection with any errors, defects or problems with Work Products (as defined in the Agreement). Support relating to Work Products and the operation or use of APIs may be provided, on a case-by-case basis, as mutually agreed to in an applicable Services Proposal which outlines Professional Services for such support activities.
3. DEFINITIONS.
“Resolution” means Hyland provides Customer with a commercially reasonable workaround, correction, or modification that solves or mitigates a reported Hyland Experience Service issue or error.
SUPPORT PRIORITIZATION
Severity Level | Description | Hyland Response |
Level 1 | “Level 1” means any error or issue in the Hyland Experience Service that causes total or substantial Hyland Experience Service failure, which means that the Hyland Experience Service is down and Customer is unable to access the Hyland Experience Service in any way. | Upon receiving notification from Customer, Hyland’s support Team Leader will immediately notify a support Manager. Within thirty (30) minutes, the Manager will notify a member of Senior Management or a Vice President. To provide a Resolution, Hyland will work up to and including 24 hour days, 7 days a week, through holidays and weekends until there is a Resolution, provided Customer remains accessible by phone for troubleshooting from the time Hyland receives the notification through Resolution. |
Level 2 | “Level 2” means an error or issue in the Hyland Experience Service that causes substantial Hyland Experience Service failure which prevents a portion of Customer’s users from accessing the Hyland Experience Service in any way. | Upon receiving notification from Customer, Hyland’s support Team Leader will notify a support Manager within sixty (60) minutes. Within two (2) hours, the Manager will notify a member of Senior Management or Vice President. To provide a Resolution, Hyland will work up to 24 hour days, 7 days a week, through holidays and weekends until there is a Resolution, provided Customer remains accessible by phone for troubleshooting from the time Hyland receives the notification through Resolution. |
Level 3 | “Level 3” means that the Hyland Experience Service is usable except that an error or issue in the Hyland Experience Service causes an ongoing, system-wide, severe performance degradation. | To provide a Resolution, Hyland will work up to 5 days/week, 16 hours/day, through holidays and weekends until there is a Resolution, provided Customer remains accessible by phone for troubleshooting from the time Hyland receives the notification through Resolution. |
Level 4 | “Level 4” means that the Hyland Experience Service is usable except that an error or issue in the Hyland Experience Service prevents a specific feature or functionality from working. | To provide a Resolution, Hyland will use commercially reasonable efforts during regular support hours. |
Level 5 | “Level 5” means that the Hyland Experience Service is usable except that an error or issue in the Hyland Experience Service causes a trivial inconvenience and the task can be completed in another way. | Standard Hyland Experience Service Support. |
Level 6 | “Level 6” means Technical Support Services. | Standard Hyland Experience Service Support. |
Hyland Experience Security
Effective May 3rd 2024
DownloadTable of Contents
HYLAND EXPERIENCE SECURITY
For Hyland Experience, Hyland maintains and manages a comprehensive written security program that is designed to protect: (a) the security and integrity of Customer Data; (b) against threats and hazards that may negatively impact Customer Data; and (c) against unauthorized access to Customer Data. Such program includes the following:
1 Risk Management
1.1 Conducting an annual risk assessment designed to identify threats and vulnerabilities in the administrative, physical, legal, regulatory, and technical safeguards used to protect Hyland Experience.
1.2 Maintaining a documented risk remediation process to assign ownership of identified risks, establish remediation plans and timeframes, and provide for periodic monitoring of progress.
2 Information Security Program
2.1 Maintaining a documented comprehensive information security program that includes policies and procedures based on industry standard practices, which may include ISO 27001/27002, or other equivalent standards. Such information security program shall include, as applicable: (a) adequate physical and cyber security where Customer Data will be processed and/or stored; and (b) reasonable precautions taken with respect to Hyland personnel employment.
2.2 Reviewing and updating such policies annually.
3 Organization of Information Security. Assigning security responsibilities to appropriate individuals or groups to facilitate protection of Hyland Experience and associated assets.
4 Human Resources Security
4.1 Requiring all Hyland employees to undergo a comprehensive screening during the hiring process.
4.2 Performing background checks and reference validation to determine whether candidate qualifications are appropriate for the proposed position.
4.3 Subject to any restrictions imposed by applicable law and based on jurisdiction, conducting criminal background checks, employment validation, and education verification as applicable.
4.4 Ensuring all Hyland employees are subject to confidentiality and non-disclosure commitments before access is provisioned to Hyland Experience or Customer Data.
4.5 Ensuring applicable Hyland employees receive security awareness training designed to provide such employees with information security knowledge to provide for the security, availability, and confidentiality of Customer Data.
4.6 Upon Hyland employee separation or change in roles, ensuring any Hyland employee’s access to Hyland Experience is revoked in a timely manner and all applicable Hyland assets, both information and physical, are returned.
5 Asset Management
5.1 Ensuring Customer Data is encrypted and stored in a secure location subject to strict physical access controls.
5.2 Maintaining asset and information management policies and procedures, including ownership of assets, an inventory of assets, classification guidelines, and handling standards pertaining to Hyland assets.
5.3 Note: Hyland Experience is hosted in the Amazon Web Services (AWS) Cloud where security and compliance are shared responsibilities between AWS and Hyland. AWS is responsible for protecting the infrastructure that runs all the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates, including media handling and decommissioning. AWS Device Management Controls can be found here: https://aws.amazon.com/compliance/data-center/controls/#Device_Management
6 Access Controls
6.1 Maintaining an access policy and corresponding procedures. The access procedures will define the request, approval, and access provisioning process for Hyland personnel. The access process will restrict Hyland user (local and remote) access based on Hyland user job function (role/profile based, appropriate access) for applications and databases.
6.2 Documenting procedures for: (a)onboarding and offboarding Hyland personnel users in a timely manner; and (b) Hyland personnel user inactivity threshold leading to account suspension and removal threshold.
6.3 Limiting Hyland’s access to Customer Data to its personnel who have a need to access Customer Data as a condition to Hyland’s performance of the services under this Agreement. For such Hyland employees, Hyland shall utilize the principle of “least privilege” and the concept of “minimum necessary.” Hyland shall require strong passwords subject to complexity requirements and periodic rotation and the use of multi-factor authentication.
6.4 Ensuring access controls are in place for Customer Data access by Hyland. Note: Customer controls its: user’s access, user’s permissions, and Customer Data retention to the extent such controls are available to Customer.
7 System Boundaries
7.1 Note: Hyland is not responsible for any system components that are not within Hyland Experience, including network devices, network connectivity, workstations, servers, and software owned and operated by the Customer or other third parties.
7.2 Note: The processes executed within Hyland Experience are limited to those that are executed by a Hyland employee (or Hyland authorized third party) or processes that are executed within Hyland’s established system boundaries, in whole.
7.3 Note: Certain business processes may cross these boundaries, meaning one or more tasks are executed outside of Hyland’s established system boundaries for Hyland Experience, one or more tasks are executed by individuals who are not Hyland personnel (or authorized third parties), or one or more tasks are executed based on written requests placed by Customer. In such event, Hyland will provide support for such processes to the extent they occur within Hyland’s established system boundaries, but Hyland is not responsible for providing support for such processes to the extent they occur outside of such established system boundaries. Examples of business processes that cross these boundaries include, but are not limited to, Hyland Experience configuration changes, processing that occurs within Hyland Experience, user authorization, and file transfers.
8 Encryption
8.1 Ensuring Customer Data shall only be uploaded to Hyland Experience in a supported encrypted format such as TLS or other equivalent method.
8.2 Encrypting Customer Data at rest and in transit over public networks.
8.3 Note: Where use of encryption functionality may be controlled or modified by Customer and Customer elects to modify its use of or turn off any encryption functionality, Customer does so at its own risk.
9 Operations Security
9.1 Maintaining change management controls to ensure changes made by Hyland to production systems are properly authorized and reviewed prior to implementation. Note: Customer is responsible for testing all configuration changes, authentication changes and upgrades implemented by Customer or Hyland. If Customer requests Hyland to implement changes on its behalf, such request must be in writing and submitted by Customer’s designated Authorized Customer Administrators via a support case or set forth in a separate agreement.
9.2 Making scheduled configuration changes that are expected to impact Customer access to Hyland Experience during a planned maintenance window. Note: Hyland may make configuration changes that are not expected to impact Customer during normal business hours.
9.3 Utilizing technologies that are configured to meet common industry standards designed to protect the Customer Data within Hyland Experience from virus infections or similar malicious payloads.
9.4 Implementing disaster recovery and business continuity procedures in accordance with the applicable Service Level purchased by Customer.
9.5 Maintaining security logs for one year.
9.6 Maintaining system hardening requirements and configuration standards for components deployed within Hyland Experience.
9.7 Conducting vulnerability scans on a regular basis and remediating in a timely manner. In the event any security patch would materially adversely affect Hyland Experience, then Hyland will use reasonable efforts to implement compensating controls until a security patch is available that would not materially adversely affect Hyland Experience. Upon written request, Hyland will provide an executive summary report of its most recent external vulnerability scan.
9.8 Conducting external penetration tests at least annually against an instance of Hyland Experience that is representative of the configuration used by Customers generally and making an executive summary of the most recent penetration test to Customer upon request.
9.9 Permitting Customer to, on an annual basis (but no more than once during any 12-month period), conduct a penetration test against a Hyland Experience website, setup by Hyland, that is authorized for penetration testing , provided: (1) Customer submits a Penetration Testing Authorization form in advance; (2) prior to conducting such testing, Hyland and Customer mutually agree upon the timing, scope, and price, (3) such testing is at Customer’s sole cost and expense; and (4) if Customer engages a third-party to assist with such testing, the third-party must first be cleared by Hyland and enter into a Non-Disclosure Agreement directly with Hyland. Note: Any testing performed without mutual agreement regarding timing, scope, and criteria may be considered a hostile attack, which may trigger automated and manual responses, including reporting the activity to local and federal law enforcement agencies as well as immediate suspension of Customer’s access to or use of Hyland Experience; and Customer is prohibited from distributing or publishing the results of such penetration testing without Hyland’s prior written approval.
9.10 Maintaining a 24/7 security operations center.
10 Supplier Relationships. Maintaining a Vendor Management Program for its critical vendors and evaluating critical vendors on an annual basis.
11 Security Incident Response
11.1 Employing incident response standards that are based upon applicable industry standards, such as ISO 27001 and National Institute for Standards and Technology (“NIST”), to maintain the information security components of Hyland Experience environment.
11.2 Responses to these incidents follow the Hyland documented incident response sequence. This sequence includes the incident trigger phase, evaluation phase, escalation phase, response phase, recovery phase, de-escalation phase, and post-incident review phase.
11.3 If Hyland has determined Customer’s instance of Hyland Experience has been negatively impacted by a security incident, delivering a root cause analysis summary. Such notice will not be unreasonably delayed but will occur after initial corrective actions have been taken to contain the security threat or stabilize Hyland Experience.
11.4 The root cause analysis will include the duration of the event, resolution, technical summary, outstanding issues, and follow-up, including steps Customer needs to take to prevent further issues. Hyland Experience information including data elements that require additional confidentiality and security measures (including that of other customers impacted in the event) will not be publicly disclosed. If Customer needs additional details of an incident, a request to the applicable Hyland Cloud support team must be submitted and handled on a case-by-case basis to protect the confidentiality and security of the requested information.
11.5 Notifying Customer of a Security Incident within 48 hours. A “Security Incident” means a determination by Hyland of an actual disclosure of unencrypted Customer Data to an unauthorized person or entity that compromises the security, confidentiality, or integrity of the Customer Data.
12 Information Security Aspects of Business Continuity Management
12.1 Maintaining a business continuity and disaster recovery plan.
12.2 Reviewing and testing the business continuity and disaster recovery processes annually.
13 Audits and Assessments
13.1 Monitoring its compliance with its information security program. This includes periodic internal reviews. Results are shared with Hyland leadership and deviations tracked through to remediation.
13.2 Maintaining a periodic external audit program. Completed attestations are provided to Customer upon written request.
13.3 Permitting Customer to, on an annual basis (but no more than once during any 12-month period), conduct audits (which includes assessments, questionnaires, guided reviews or other requests to validate Hyland’s security controls) of Hyland’s operations that participate in the ongoing delivery and support of Hyland Experience (each, a “Security Inquiry”), provided, that:
(a) the proposed Security Inquiry does not overlap with, or otherwise cover the same or similar information as, or scope of: (1) any controls already provided for by an external audit or assessment already performed by Hyland, such as a SOC 2 report, ISO 27001 or other similar audit or assessment that is made available to Customer upon Customer’s request; or (2) any content already provided by Hyland through its completed SIG, CAIQ or similar questionnaire that is made available to Customer upon request.
(b) Hyland and Customer mutually agree upon the timing, scope, fees (if any), and criteria of such Security Inquiry;
(c) confidential and restricted documentation, such as Hyland internal policies, practices, and procedures, including any documentation requested by Customer that cannot be removed from Hyland’s premises as a result of physical limitations or policy restrictions will not be provided externally or removed from Hyland’s premises and such reviews must either (at Hyland’s election) be conducted onsite at Hyland’s corporate headquarters in Ohio or through a secure screenshare which may be arranged by Hyland to prohibit any type of copying or screen shots;
(d) Hyland will not permit access to internal systems or devices used to host or support Hyland’s offerings; and
(e) to the extent Customer desires to engage a third party to perform such Security Inquiry: (1) Hyland must approve of such third party in writing in advance, (2) Customer shall cause such third party to: (A) enter into a Non-Disclosure Agreement with Hyland and (B) agree to abide by Hyland’s security standards, and (3) Customer shall manage the engagement with the third party and ensure the third party understands the scope of the Security Inquiry as mutually agreed upon between Hyland and Customer and how Customer utilizes the Hyland Cloud Service.
Where necessary, Hyland will provide private and reasonable accommodation at Hyland’s corporate headquarters in Ohio for data analysis and meetings. Upon reasonable advance written request, Hyland and Customer may mutually agree to make necessary employees or contractors available for interviews in person or on the phone during such Security Inquiry at Customer’s cost and expense. Customer is prohibited, , and Customer shall prohibit each third-party engaged to perform a Security Inquiry from distributing or publishing the results of such Security Inquiry without Hyland’s prior written approval. Notwithstanding anything to the contrary within this Agreement, nothing in this Agreement (including this section) will require Hyland or any of its affiliates to disclose information that is subject to attorney-client privilege.
[This version shall be in effect as of 11:59 p.m. ET of the date stamped on such online version.]
Effective March 30th 2021 to May 3rd 2024
DownloadTable of Contents
HYLAND EXPERIENCE SERVICES SECURITY ATTACHMENT
Introduction: Hyland maintains and manages a comprehensive written security program that covers the Hyland Experience Service designed to protect: (a) the security and integrity of Customer Data; (b) against threats and hazards that may negatively impact Customer Data; and (c) against unauthorized access to Customer Data, which such program includes the following:
- Risk Management.
- Conducting an annual risk assessment designed to identify threats and vulnerabilities in the administrative, physical, legal, regulatory, and technical safeguards used to protect the Hyland Experience Service.
- Maintaining a documented risk remediation process to assign ownership of identified risks, establish remediation plans and timeframes, and provide for periodic monitoring of progress.
- Information Security Program.
- Maintaining a documented comprehensive Hyland Experience Service information security program. This program will include policies and procedures based on industry standard practices, which may include ISO 27001/27002, or other equivalent standards.
- Such information security program shall include, as applicable: (i) adequate physical and cyber security where Customer Data will be processed and/or stored; and (ii) reasonable precautions taken with respect to Hyland personnel employment.
- These policies will be reviewed and updated by Hyland management annually.
- Organization of Information Security. Assigning security responsibilities to appropriate Hyland individuals or groups to facilitate protection of the Hyland Experience Service and associated assets.
- Human Resources Security.
- Hyland employees undergo comprehensive screening during the hiring process. Background checks and reference validation will be performed to determine whether candidate qualifications are appropriate for the proposed position. Subject to any restrictions imposed by applicable law and based on jurisdiction, these background checks include criminal background checks, employment validation, and education verification as applicable.
- Ensuring all Hyland employees are subject to confidentiality and non-disclosure commitments before access is provisioned to the Hyland Experience Service or Customer Data.
- Ensuring applicable Hyland employees receive security awareness training designed to provide such employees with information security knowledge to provide for the security, availability, and confidentiality of Customer Data.
- Upon Hyland employee separation or change in roles, Hyland shall ensure any Hyland employee access to the Hyland Experience Service is revoked in a timely manner and all applicable Hyland assets, both information and physical, are returned.
- Asset Management.
- Maintaining asset and information management policies and procedures. This includes ownership of assets, an inventory of assets, classification guidelines, and handling standards pertaining to Hyland assets.
- Maintaining media handling procedures to ensure media containing Customer Data as part of the Hyland Experience Service is encrypted and stored in a secure location subject to strict physical access controls.
- When a Hyland Experience Service storage device has reached the end of its useful life, procedures include a decommissioning process that is designed to prevent Customer Data from being exposed to unauthorized individuals using the techniques recommended by NIST to destroy data as part of the decommissioning process.
- If a Hyland storage device is unable to be decommissioned using these procedures, the device will be virtually shredded, degaussed, purged/wiped, or physically destroyed in accordance with industry-standard practices.
- Access Controls.
- Maintaining a logical access policy and corresponding procedures. The logical access procedures will define the request, approval and access provisioning process for Hyland personnel. The logical access process will restrict Hyland user (local and remote) access based on Hyland user job function (role/profile based, appropriate access) for applications and databases. Hyland user access recertification to determine access and privileges will be performed periodically. Procedures for onboarding and offboarding Hyland personnel users in a timely manner will be documented. Procedures for Hyland personnel user inactivity threshold leading to account suspension and removal threshold will be documented.
- Limiting Hyland’s access to Customer Data to its personnel who have a need to access Customer Data as a condition to Hyland’s performance of the services under this Agreement. Hyland shall utilize the principle of “least privilege” and the concept of “minimum necessary” when determining the level of access for all Hyland users to Customer Data. Hyland shall require strong passwords subject to complexity requirements and periodic rotation and the use of multi-factor authentication.
- Ensuring strict access controls are in place for Customer Data access by Hyland. Customer administrators control its user access, user permissions, and Customer Data retention to the extent such controls are available to Customer with respect to the Hyland Experience Service.
- System Boundaries.
- Hyland is not responsible for any system components that are not within the Hyland Cloud Platform, including network devices, network connectivity, workstations, servers, and software owned and operated by the Customer or other third parties. Hyland may provide support for these components at its reasonable discretion.
- The processes executed within the Hyland Cloud Platform are limited to those that are executed by a Hyland employee (or Hyland authorized third party) or processes that are executed within Hyland’s established system boundaries, in whole. This includes, but is not limited to, hardware installation, software installation, data replication, data security, and authentication processes.
- Certain business processes may cross these boundaries, meaning one or more tasks are executed outside of Hyland’s established system boundaries for the Hyland Cloud Platform, one or more tasks are executed by individuals who are not Hyland personnel (or authorized third-parties), or one or more tasks are executed based on written requests placed by Customer. In such event, Hyland will provide support for such processes to the extent they occur within Hyland’s established system boundaries, but Hyland is not responsible for providing support for such processes to the extent they occur outside of such established system boundaries. At its reasonable discretion, Hyland may provide limited support for processes that occur outside such established system boundaries for the Hyland Cloud Platform. Examples of business processes that cross these boundaries include, but are not limited to, Hyland Experience Service configuration changes, processing that occurs within the Hyland Experience Service, user authorization, and file transfers.
- Encryption.
- Customer Data shall only be uploaded to the Hyland Experience Services in an encrypted format such as via SFTP, TLS, or other equivalent method.
- Customer Data shall be encrypted at rest.
- Where use of encryption functionality may be controlled or modified by Customer, in the event Customer elects to modify the use of or turn off any encryption functionality, Customer does so at its own risk.
- Physical and Environment Security.
- The Hyland Cloud Platform uses data centers or third party service providers who have demonstrated compliance with one or more of the following standards (or a reasonable equivalent): International Organization for Standardization (“ISO”) 27001 and/or American Institute of Certified Public Accountants (“AICPA”) Service Organization Controls (“SOC”) Reports for Services Organizations. These providers provide Internet connectivity, physical security, power, and environmental systems and other services for the Hyland Cloud Platform.
- Hyland uses architecture and technologies designed to promote both security and high availability.
- Operations Security.
- Maintaining documented Hyland cloud operating procedures.
- Maintaining change management controls to ensure changes to Hyland Experience Service production systems made by Hyland are properly authorized and reviewed prior to implementation. Customer is responsible for testing all configuration changes, authentication changes and upgrades implemented by Customer or implemented by Hyland at the request of Customer prior to production use of the Hyland Experience Service. In cases where the Customer relies upon Hyland to implement changes on its behalf, a written request describing the change must be submitted (e.g. an e-mail, or another method provided by Hyland) by Customer’s designated Customer Security Administrators (“CSAs”) or set forth in a Services Proposal. Hyland will make scheduled configuration changes that are expected to impact Customer access to their Hyland Experience Service during a planned maintenance window. Hyland may make configuration changes that are not expected to impact Customer during normal business hours.
- Monitoring usage and capacity levels within the Hyland Cloud Platform to adequately and proactively plan for future growth.
- Utilizing virus and malware protection technologies, which are configured to meet common industry standards designed to protect the Customer Data and equipment located within the Hyland Cloud Platform from virus infections or similar malicious payloads.
- Implementing disaster recovery and business continuity procedures. These will include replication of Customer Data to a secondary location.
- Maintaining a system and security logging process to capture system logs deemed critical by Hyland. These logs shall be maintained for at least six months and reviewed on a periodic basis.
- Maintaining system hardening requirements and configuration standards for components deployed within the Hyland Cloud Platform. Ensuring servers, operating systems, and supporting software used in the Hyland Cloud Platform receive all Critical and High security patches within a timely manner, but in no event more than 90 days after release, subject to the next sentence. In the event any such security patch would materially adversely affect the Hyland Experience Service, then Hyland will use reasonable efforts to implement compensating controls until a security patch is available that would not materially adversely affect the Hyland Experience Service.
- Conducting Hyland Cloud Platform vulnerability scans or analysis on at least a quarterly basis and remediate all critical and high vulnerabilities identified in accordance with its patch management procedures.
- Conducting Hyland Cloud Platform penetration tests at least annually.
- Communications Security
- Implementing Hyland Cloud Platform security controls to protect information resources within the Hyland Cloud Platform.
- When supported, upon implementation and once annually thereafter, Customer may request Hyland limit access to Customer’s Hyland Experience Service to a list of pre-defined IP addresses at no additional cost.
- Supplier Relationships. Maintaining a Vendor Management Program for its critical vendors. This program will ensure critical vendors are evaluated on an annual basis.
- Security Incident.
- Employing incident response standards that are based upon applicable industry standards, such as ISO 27001 and National Institute for Standards and Technology (“NIST”), to maintain the information security components of the Hyland Experience Service environment.
- Responses to these incidents follow the Hyland documented incident response sequence. This sequence includes the incident trigger phase, evaluation phase, escalation phase, response phase, recovery phase, de-escalation phase, and post-incident review phase.
- If Hyland has determined Customer’s Hyland Experience Service has been negatively impacted by a security incident, Hyland will deliver a root cause analysis summary. Such notice will not be unreasonably delayed, but will occur after initial corrective actions have been taken to contain the security threat or stabilize the Hyland Experience Service.
- The root cause analysis will include the duration of the event, resolution, technical summary, outstanding issues, and follow-up, including steps Customer needs to take in order to prevent further issues. Hyland Experience Service information including data elements that require additional confidentiality and security measures (including that of other customers impacted in the event) will not be publicly disclosed. If Customer needs additional details of an incident, a request to the Hyland GCS Support team must be submitted and handled on a case by case basis. The release of information process may require an on-site review to protect the confidentiality and security of the requested information.
- Hyland will notify Customer of a Security Incident within 48 hours. A “Security Incident” means a determination by Hyland of an actual disclosure of unencrypted Customer Data to an unauthorized person or entity that compromises the security, confidentiality, or integrity of the Customer Data.
- Information Security Aspects of Business Continuity Management.
- Maintaining a business continuity and disaster recovery plan.
- Reviewing and testing this plan annually.
- Aggregated Data.
- Hyland owns all Customer and User registration and billing data collected and used by Hyland that is required for user set-up, use and billing for the Hyland Experience Service (“Account Information”) and all aggregated, anonymized and statistical data derived from the use and operation of the Hyland Experience Service, including without limitation, the number of records in the Hyland Experience Service, the number and types of transactions, configurations, and reports processed as part of the Hyland Experience Service and the performance results of the Hyland Experience Service (the “Aggregated Data”).
- Hyland may utilize the Account Information and Aggregated Data for purposes of operating Hyland’s business. For clarity, Account Information and Aggregated Data does not include Customer Data.
- Audit and Security Testing.
- Monitoring its compliance with its information security program. This includes periodic internal reviews. Results are shared with Hyland leadership and deviations tracked through to remediation.
- Maintaining a periodic external audit program. Completed attestations, such as available SOC 2 reports, are provided to Customer upon written request.
- Customer may conduct audits of Hyland’s operations that participate in the ongoing delivery and support of the Hyland Experience Service purchased by Customer on an annual basis; provided Customer provides Hyland written notice of its desire to conduct such audit and the following criteria are met: (a) Hyland and Customer mutually agree upon the timing, scope, and criteria of such audit, which may include the completion of questionnaires supplied by Customer and guided review of policies, practices, procedures, Hyland Experience Service configurations, invoices, or application logs, and (b) Customer agrees to pay Hyland fees (at Hyland’s standard rates) for the Professional Services that are required or requested of Hyland in connection with such audit. Prior to any such audit, any third party engaged by Customer to assist with such audit, must be cleared by Hyland and enter into a Non-Disclosure Agreement directly with Hyland. If any documentation requested by Customer cannot be removed from Hyland’s facilities as a result of physical limitations or policy restrictions, Hyland will allow Customer’s auditors access to such documentation at Hyland’s corporate headquarters in Ohio and may prohibit any type of copying or the taking of screen shots. Where necessary, Hyland will provide private and reasonable accommodation at Hyland’s corporate headquarters in Ohio for data analysis and meetings. Upon reasonable notice, Hyland and Customer mutually agree to make necessary employees or contractors available for interviews in person or on the phone during such audit at Customer’s cost and expense. Customer is prohibited from distributing or publishing the results of such audit to any third party without Hyland’s prior written approval.
- Customer may conduct penetration testing against the public URL used to access the Hyland Experience Service on an annual basis; provided Customer provides Hyland with written notice of its desire to conduct such testing and the following criteria are met: (a) Hyland and Customer mutually agree upon the timing, scope, and criteria of such testing, which may include common social engineering, application, and network testing techniques used to identify or exploit common vulnerabilities including buffer overflows, cross site scripting, SQL injection, and man in the middle attacks, and (b) such testing is at Customer’s cost and expense and Customer pays to Hyland fees (at Hyland’s standard rates) for the Professional Services that are required or requested of Hyland in connection with such testing. Prior to any such testing, any third party engaged by Customer to assist with such testing, must be cleared by Hyland and enter into a Non-Disclosure Agreement directly with Hyland. Customer acknowledges and agrees that any such testing performed without mutual agreement regarding timing, scope, and criteria may be considered a hostile attack, which may trigger automated and manual responses, including reporting the activity to local and federal law enforcement agencies as well as immediate suspension of Customer’s access to or use of the Hyland Experience Service. Customer is prohibited from distributing or publishing the results of such penetration testing to any third party without Hyland’s prior written approval.
Hyland Experience Service Levels
Effective April 19th 2024
DownloadTable of Contents
Hyland Experience Service Levels
Service Level Agreements (“SLA”) described in this document pertain to the availability of Hyland Experience. This document does not address Support Services.
Service Level Definitions
“Downtime” is calculated as the aggregate time (in minutes) each calendar month, as confirmed by Hyland following written notice from the Customer, that Hyland Experience is Unavailable (as defined below). The length of Downtime will be measured from the time an incident occurs, as confirmed by Hyland, until the time when Hyland confirms that the failure condition(s) reported are no longer present. Downtime does not include any failure conditions which occur due to an Exclusion Event (see below).
“Exclusion Event” means any of the following occurrences:
- System maintenance, whether such maintenance is scheduled (e.g., for upgrading of the Service or its components or for any other scheduled purpose) or unscheduled (due to emergency) which results in the Service being unavailable or inaccessible to Customer.
- Failure of a customer’s or user’s equipment or facilities.
- Acts or omissions of a customer or its user, including but not limited to (a) performance or non-performance of any services by a third party (other than Hyland) contracted by the customer to provide services to the customer or its users related to Hyland Experience, (b) any failure that is not due to fault of Hyland or Hyland’s contracted third-party service provider, (c) failure of any code or configurations managed or written by the customer or any third-party vendor to the customer, or (d) any unauthorized use or access by the customer or any of its users;
- The occurrence of a force majeure event.
- Internet failure or congestion.
- Failure of equipment or systems not within Hyland Experience, or of equipment or systems not provided, or not under the control or direction of Hyland including equipment or systems Hyland may obtain or contract for at the request of the customer; or
- Failures or other failures caused directly or indirectly by known or unknown computer viruses, worms or other malicious programs (assuming Hyland has not breached any of its obligations here or in the applicable agreement relating to virus protection protocols).
“Failover Notice” is a notification made by Hyland to the Customer (which may be made by electronic communication via e-mail or the Community portal) indicating that Hyland is initiating an AWS (Amazon Web Services) Region failover.
“Monthly Fees” is the portion of the recurring fees for Hyland Experience attributable to the month in which the applicable performance deficiency occurs, excluding any taxes, one-time fees, third party fees, travel or expense, professional services or similar additional fees. E.g., if fees are charged annually, the Monthly Fee equals the annual fees divided by 12, subject to the same exclusions above.
Monthly Uptime Percentage. is calculated as the total number of minutes in a calendar month, minus the number of minutes of Downtime (as defined above) in such month, divided by the total number of minutes in such month.
“Recovery Point” means the minimum number of hours (prior to the time Hyland provides a Failover Notice) that the customer’s data must have been stored within Hyland Experience to qualify as eligible data. Customer Data is deemed “eligible” if Hyland confirms it has been stored within the Hyland Cloud Service for a number of hours (prior to the time Hyland provides a Failover Notice) that exceeds the applicable Recovery Point Objective defined in Table 2 below.
“Recovery Time” means the number of hours from the time the required Failover Notice is delivered to the time Hyland Experience has been Restored (excluding any time during that period if/when an Exclusion Event affects both the current primary and secondary data centers).
“Restoration” occurs once access to Hyland Experience has been restored such that:
(1) eligible Customer Data can be retrieved; and
(2) new Customer Data can be input.
“Unavailability” or “Unavailable” refers to a state when Hyland Experience is either unresponsive or responds with an error, thereby preventing access. For clarification: if certain features or functions within Hyland Experience are unavailable while other features remain accessible, this will not be considered “Unavailability,” so long as the unavailable features or functions do not, when combined, significantly hinder the Customer’s use of Hyland Experience.
Service Level Commitments
Table 1: Monthly Uptime Percentages
STANDARD | |
Monthly Uptime Percentage | 99.5% |
Applicable Credit | 10% of the Monthly Fee |
Table 2: Business Continuity
STANDARD | |
Recovery Point Objective (RPO) | 24 Hours |
Applicable Credit | 25% of the Monthly Fee |
Recovery Time Objective (RTO) | 8 Hours |
Applicable Credit | 25% of the Monthly Fee |
Service Level Commitment Terms
Monthly Uptime Percentage. Hyland will meet the Monthly Uptime, as identified in Table 1 above, during each calendar month.
Business Continuity. Hyland shall provide business continuity redundancy via AWS Availability Zones. Hyland Experience does not use multiple AWS Regions. If Hyland delivers a Restoration Notice to Customer, Hyland shall restore Hyland Experience within the applicable Recovery Time Objective set forth in Table 2 above (except to the extent caused or prevented by an Exclusion Event).
Downtime Report. Following the occurrence of a Downtime event, upon request by the customer, Hyland shall provide a report which will include, as applicable, a detailed description of the incident, start and end times of the incident, duration of the incident, business/functional impact of the incident, description of remediation efforts taken, and a description of outstanding issues or tasks relating to the incident.
Exclusive Remedies Terms
Monthly Uptime Percentage. In the event the Monthly Uptime Percentage during any calendar month is less than the applicable Monthly Uptime Percentage set forth in the Table 1 above, the customer shall receive the applicable credit against the fees specified in Table 1 above, provided Customer submitted a technical support request within twenty-four hours of such Downtime.
Maximum Service Level Credit. Notwithstanding anything to the contrary, customers are only entitled to a maximum of one service level credit for all events occurring in a particular calendar month. If available, Customer shall be entitled to only the largest service level credit which may be payable for one or more of the service level failures occurring in such calendar month.
Application of Service Level Credits. Service level credits will be applied first to any outstanding amounts which are due and owing from Customer, and then to future fees.
Termination Remedy. If Customer earns a service level credit either: (a) in two consecutive calendar months, or (b) in three calendar months during any six consecutive month period; then the customer may, by written notice to Hyland delivered within thirty days after the last credit described in either clause or (a) or (b) above is earned, terminate the subscription to Hyland Experience.
Exclusivity. The remedies set forth above constitute the sole and exclusive remedies available to a customer for any failure to meet the service level commitments set forth in this document.
System Maintenance
For the purposes of the Service Level Commitment, Scheduled Maintenance is defined as:
Hyland Scheduled Maintenance Windows. Modifications or repairs to shared infrastructure or platform patching and upgrades that are expected to impact or potentially impact Hyland Experience availability is currently restricted to within the hours of 12 AM to 2 AM, based on the time zone of the impacted AWS Region. Hyland expects that scheduled system maintenance will not exceed 16 hours per month.
Hyland will notify Customer of scheduled system maintenance expected to impact system availability or functionality through the status page (currently, https://status.experience.hyland.com) or through direct communication. Customers must subscribe to the status page to receive notifications. Hyland will use reasonable efforts to notify Customer of unscheduled system maintenance that is expected to impact or potentially impact system availability or functionality. Such notifications will typically be sent at least 24 hours in advance, but to the extent Hyland determines that such maintenance is required sooner due to a security or availability concern (e.g., emergency maintenance is required by Hyland), Hyland will use reasonable efforts to send such notice no less than 2 hours prior to the specified start time.
[This document will be effective 11:59 p.m. (ET) on the day it is published.]
Effective March 30th 2021 to April 19th 2024
DownloadTable of Contents
This Service Class Manual provides Customers a detailed description of the Service Level Commitments provided to the customer as part of the relevant Hyland Experience Service purchased by Customer (the “Service”). Capitalized terms not defined in this Service Class Manual have the meanings set forth in the applicable underlying Hyland Experience Services Agreement between the customer and Hyland which incorporates this Service Class Manual by specifically referencing the Service Class Manual (the “Agreement”).
“Monthly SaaS Fee” means the SaaS Fees for the particular Hyland Experience Service allocable to the month in which the applicable service failure occurred.
“Downtime” means the aggregate time (in minutes) each calendar month, as confirmed by Hyland following written notice from Customer that the Service is Unavailable. The length of Downtime will be measured from the time an incident occurs as confirmed by Hyland until the time when Hyland’s testing confirms that the failure condition(s) reported are no longer present. Downtime does not include any failure condition(s) described above which occur due to an Exclusion Event.
“Exclusion Event” means any of the following occurrences:
- System Maintenance (see “System Maintenance” below);
- failure of Customer’s equipment or facilities;
- acts or omissions of Customer, including but not limited to (a) performance or non-performance of any services by a third party (other than Hyland) contracted by Customer to provide services to Customer related to the Service, (b) any failure that Customer mutually agrees is not due to fault of Hyland or Hyland’s contracted third party service provider, or (c) failure of any code or configurations managed or written by Customer or any third party vendor to Customer;
- the occurrence of a force majeure event (as described in the Agreement);
- Internet failure or congestion;
- Use of the Service by Customer in violation of the Acceptable Use Policy; or Use of the Service by Customer after Hyland has advised Customer to modify its use of the Service, if Customer did not modify its use as advised;
- provided that Hyland has fulfilled its obligations under the Agreement, Service Unavailability or other failures caused directly or indirectly by known or unknown computer viruses, worms or other malicious programs;
- During beta or trial periods as reasonably determined by Hyland.
"Monthly Uptime Percentage" means the total number of minutes in a calendar month, minus the number of minutes of Downtime in such month, divided by the total number of minutes in such month.
“Unavailability” or “Unavailable” means the Service is unresponsive or responds with an error preventing access. In addition, unavailability of some specific features or functions within the website while other features remain available will not constitute Unavailability of the website, so long as the unavailable features or functions are not, in the aggregate, material to the website.
“System Maintenance” means the maintenance of the Service, whether such maintenance is scheduled (e.g., for upgrading of the Service or its components or for any other scheduled purpose) or unscheduled (due to emergency), and which results in the Service being unavailable or inaccessible to Customer.
Service Classes | Silver |
Monthly Uptime Percentage | 99% |
Applicable Credit Determinations | Less than 99% 15% of the Monthly Fees for the Hyland Cloud Service for the calendar month in which the downtime began |
Monthly Uptime Percentage. Hyland will meet the Monthly Uptime Percentage corresponding to the applicable Service Class purchased by Customer, as identified in table 1 above, during each calendar month.
Monthly Uptime Percentage. In the event the Monthly Uptime Percentage during any calendar month is less than the applicable Monthly Uptime Percentage set forth in the Table 1, upon written notice from Customer, Customer shall be eligible to receive the applicable credit against SaaS Fees specified in Table 1 above, provided Customer submitted a technical support request for such credit to Hyland within twenty four (24) hours of such Downtime.
For example, purposes only:
if Monthly Uptime Percentage is less than 99%, Customer shall receive a one-time credit against SaaS Fees in an amount equal to fifteen percent (15%) of the Monthly SaaS Fee
Maximum Service Level Credit. Notwithstanding anything to the contrary herein, Customer acknowledges and agrees that Customer is only entitled to a maximum of one (1) service level credit for all events occurring in a particular calendar month. Customer shall be entitled to only the largest service level credit which may be payable for one or more of the service level failures occurring in such calendar month.
Application of Service Level Credits. Service level credits will be applied first to any outstanding amounts which are due and owing from Customer, and then to future SaaS Fees.
Termination Remedy. If Customer earns a service level credit either: (i) in two (2) consecutive calendar months, or (ii) in three (3) calendar months during any six (6) consecutive month period; then Customer may, by written notice to Hyland delivered within thirty (30) days after the last credit described in either clause or (i) or (ii) above is earned, terminate the Agreement.
Exclusivity. The remedies set forth above constitute the sole and exclusive remedies available to Customer for any failure to meet the service level commitments set forth in this Service Class Manual.
Hyland will notify Customer of scheduled System Maintenance that is expected to impact or potentially impact system availability or functionality. Hyland will use reasonable efforts to notify Customer of unscheduled System Maintenance that is expected to impact or potentially impact system availability or functionality. Such notification will typically be sent at least 24 hours in advance, but to the extent Hyland determines that such maintenance is required sooner due to a security or availability concern (e.g. emergency maintenance is required by Hyland), Hyland will use reasonable efforts to send such notice no less than 2 hours prior to the specified start time. These notifications will be posted in the Hyland Experience Service at (https://status.hxp.hyland.com) or delivered to Customer contacts who have subscribed to receive notifications from such page.
Scheduled System Maintenance that is expected to impact or potentially impact Hyland Experience Service availability is currently restricted to within the hours of 10 PM to 8 AM, based on the time zone of the impacted data center. Hyland expects that scheduled System Maintenance will not exceed 16 hours per month. These notifications will be posted in the Hyland Experience Service at (https://status.hxp.hyland.com) or delivered to Customer contacts who have subscribed to receive notifications from such page.
Hyland Insight Pilot Program
Effective November 22nd 2024
DownloadTable of Contents
ADDITIONAL TERMS AND CONDITIONS APPLICABLE TO HYLAND INSIGHT PILOT PROGRAM
1. INTEGRATION. As stated in the Hyland Experience Terms of Use presented to Customer prior to use of Hyland Experience, these terms (including the General Terms Schedule and Hyland Experience Schedule) govern any use of Hyland Experience as part of the Hyland Insight Pilot Program. Accordingly, any signed Master Agreement or document of similar import, in either case, which does not explicitly state that it governs the Customer’s use of Hyland Experience as part of the Hyland Insight Pilot Program shall have no force or effect with respect to Customer’s use of Hyland Experience as part of the Hyland Insight Pilot Program.
2. INCREASED LIABILITY FOR CUSTOMER DATA. IN THE CASE OF AN UNAUTHORIZED DISCLOSURE OF OR ACCESS TO CUSTOMER DATA AS A RESULT OF CUSTOMER'S PARTICIPATION IN THE HYLAND INSIGHT PILOT PROGRAM FOR WHICH A CLAIM AGAINST HYLAND (OR ANY OF ITS AFFILIATES OR SUPPLIERS) ARISES, THE MAXIMUM LIABILITY OF HYLAND (INCLUDING ITS AFFILIATES AND SUPPLIERS), WHETHER IN CONTRACT OR TORT (INCLUDING NEGLIGENCE), OR ANY OTHER LEGAL OR EQUITABLE THEORY, SHALL IN NO EVENT EXCEED $100,000.00 USD.
3. SECURITY AND SUPPORT. The Hyland Insight Pilot Program is an AI-powered pilot and beta-testing program where Customer will provide feedback on, and Hyland will add or modify the functionality of, Hyland Experience. Accordingly, notwithstanding anything to the contrary, the Hyland Experience Technical Support and Hyland Experience Security terms included in the Hyland Experience Guide do NOT apply to use of Hyland Experience as part of the Hyland Insight Pilot Program.
4. TERMINATION; RETURN OF DATA. The term of the Hyland Insight Pilot Program commences on the Effective Date and continues until the earlier of Hyland’s declaration, at its sole discretion, that the program has ended, or termination of Customer’s enrollment in the program by either party immediately upon written notice to the other party. Notwithstanding anything to the contrary, upon termination of the Hyland Insight Pilot Program, Hyland will delete all Customer Data uploaded to Hyland Experience as part of the Hyland Insight Pilot Program.
5. DATA PROCESSING. Notwithstanding anything to the contrary, where Customer Data includes Personal Data, Hyland will process such Personal Data in accordance with the following Data Processing Addendum.
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) applies when Customer provides Personal Data to Hyland as part of the Hyland Insight Pilot Program.
1. DEFINITIONS
"Data Protection Law(s)" means any applicable law, regulation, legislation, or directive applicable to the Processing of Personal Data.
“Data Subject” means a natural person as defined by applicable Data Protection Law.
“Customer Personal Data” means any Personal Data submitted by or on behalf of Customer to Hyland pursuant to the Hyland Insight Pilot Program Agreement.
“Personal Data” means any individually identifiable information relating to a natural person which is protected under applicable Data Protection Law.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, disclosure or access to Customer Personal Data.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collecting, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Sub-Processor,” means an entity that Processes Personal Data at the request of Hyland.
2. HYLAND’S PROCESSING OF PERSONAL DATA
2.1 Instructions for Processing Personal Data. Hyland shall only Process Customer Personal Data for the purposes set forth in the Agreement and in accordance with Appendix A, unless otherwise required by law. Hyland will not "sell" or "share" any Personal Data as defined in applicable Data Protection Laws.
2.2 Duration of Processing. Hyland shall Process Personal Data only for the duration set out in Appendix A.
3. HYLAND’S SAFEGUARDS FOR PERSONAL DATA
3.1 Physical, Technical and Organizational Safeguards. Hyland shall maintain appropriate technical and organizational security measures designed to protect Customer Personal Data from accidental or unlawful destruction, loss, alteration, disclosure, or access.
3.2 Processing by Sub-Processors. Hyland shall only engage the Sub-Processors listed in Appendix A, which may be updated without amendment to this Agreement upon notice to Customer. Hyland has entered into a written agreement with each Sub-Processor containing data protection obligations to protect Customer Personal Data no less protective than the protections set forth in this Data Processing Addendum.
3.3 Confidentiality of Personal Data. Hyland shall treat Customer Personal Data as confidential and ensure that Hyland's personnel (including independent contractors) who have access to the Customer Personal Data: (i) have entered into appropriate contractually binding confidentiality undertakings; (ii) are informed of the confidential nature of Customer Personal Data; and (iii) have received appropriate training related to Customer Personal Data.
3.4 Return or Deletion of Personal Data. Upon termination of the Agreement or upon request of Customer, whichever occurs first, Hyland shall delete all Customer Personal Data in Hyland’s possession or control. This provision shall apply to Customer Personal Data that is in the possession of Hyland, its subcontractors, and its agents. If Hyland determines that deleting the Customer Personal Data is infeasible, then Hyland shall: (a) notify Customer of the conditions that make deletion infeasible and (b) extend the protections of the Agreement to such Customer Personal Data and limit further uses and disclosures of such Customer Personal Data to those purposes that make the deletion infeasible for so long as Hyland maintains such Customer Personal Data.
3.5 Requests Directed to Hyland. To the extent legally permitted, Hyland will notify Customer without undue delay following its receipt of any actual or purported request from (or on behalf of) a Data Subject exercising his rights under Data Protection Laws ("Data Subject Request"). Hyland will cooperate with and provide any necessary assistance to Customer in responding to any such Data Subject Requests, insofar as possible and taking into account the nature of Hyland's Processing and the Personal Data available to Hyland.
3.6 Reporting a Personal Data Breach. Hyland will notify the Customer without undue delay upon becoming aware of a Personal Data Breach. Hyland will take reasonable efforts to identify the cause of such Personal Data Breach and take the steps that Hyland deems necessary and reasonable to remediate the cause of the Personal Data Breach. Any notification by Hyland under this subsection shall not be construed as an admission of fault by Hyland.
3.7 Notification of Processing. Hyland will notify Customer should Hyland determine that it can no longer meet its obligations under Data Protection Laws with respect to the Personal Data it receives or has access to in meeting its obligations under the agreement.
4. CUSTOMER OBLIGATIONS FOR PERSONAL DATA
4.1 Customer shall ensure it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring the Customer Personal Data to Hyland; (ii) prevent or restrict it from granting Hyland access to the Customer Personal Data; and/or (iii) prevent or restrict Hyland from Processing the Customer Personal Data, in each case as required for Hyland to perform the Hyland Insight Pilot Program or as otherwise permitted in the applicable Hyland agreement.
4.2 Customer shall ensure all required consents and approvals have been obtained and all fair processing or other required notices or disclosures have been given and are sufficient in scope to enable Hyland to Process the Customer Personal Data in accordance with applicable Data Protection Laws.
Appendix A
Subject Matter and Duration of the Processing | The subject matter of the Processing is Hyland’s fulfilment of its obligations under the Hyland Insight Pilot Program Agreement. The duration of the Processing is the term of the Hyland Insight Pilot Program Agreement, and any exit period, if applicable. |
Categories of Data Subjects whose Personal Data is Processed | Any Data Subject whose Personal Data is transferred to Hyland under the Hyland Insight Pilot Program Agreement, which could include the following categories:
|
Nature and Purpose of the Processing | The purpose of the Processing is to provide the Hyland Insight Pilot Program and otherwise for Hyland’s fulfilment of its obligations under the Hyland Insight Pilot Program Agreement. The nature of the Processing may include, but is not limited to, collection, recording, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
Categories of Personal Data Processed | Any Personal Data submitted by Customer to Hyland under the Hyland Master Agreement. |
Sub-Processors | Amazon Web Services, Inc. Snowflake Inc. DataDog, Inc. MongoDB, Inc. Pendo.io Inc. Hyland Software, Inc. Affiliated Companies |
[The most current version of this page shall be such in effect as of 11:59 p.m. ET of the date stamped on such online version.]
Effective November 7th 2024 to November 22nd 2024
DownloadTable of Contents
ADDITIONAL TERMS AND CONDITIONS APPLICABLE TO HYLAND INSIGHT PILOT PROGRAM
1. INTEGRATION. As stated in the Hyland Experience Terms of Use presented to Customer prior to use of Hyland Experience, these terms (including the General Terms Schedule and Hyland Experience Schedule) govern any use of Hyland Experience as part of the Hyland Insight Pilot Program. Accordingly, any signed Master Agreement or document of similar import, in either case, which does not explicitly state that it governs the Customer’s use of Hyland Experience as part of the Hyland Insight Pilot Program shall have no force or effect with respect to Customer’s use of Hyland Experience as part of the Hyland Insight Pilot Program.
2. INCREASED LIABILITY FOR CUSTOMER DATA. IN THE CASE OF AN UNAUTHORIZED DISCLOSURE OF OR ACCESS TO CUSTOMER DATA FOR WHICH A CLAIM AGAINST HYLAND (OR ANY OF ITS AFFILIATES OR SUPPLIERS) ARISES (A "CUSTOMER DATA INCIDENT"), THE MAXIMUM LIABILITY OF HYLAND (INCLUDING ITS AFFILIATES AND SUPPLIERS), WHETHER IN CONTRACT OR TORT (INCLUDING NEGLIGENCE), OR ANY OTHER LEGAL OR EQUITABLE THEORY, SHALL IN NO EVENT EXCEED $100,000.00 USD.
3. SECURITY AND SUPPORT. The Hyland Insight Pilot Program is an AI-powered pilot and beta-testing program where Customer will provide feedback on, and Hyland will add or modify the functionality of, Hyland Experience Insight. Accordingly, notwithstanding anything to the contrary, the Hyland Experience Technical Support and Hyland Experience Security terms included in the Hyland Experience Guide do NOT apply to the Hyland Insight Pilot Program.
4. TERMINATION; RETURN OF DATA. The term of the Hyland Insight Pilot Program commences on the Effective Date and continues until the earlier of Hyland’s declaration, at its sole discretion, that the program has ended, or termination of Customer’s enrollment in the program by either party immediately upon written notice to the other party. Notwithstanding anything to the contrary, upon termination of the Hyland Insight Pilot Program, Hyland will delete all Customer Data uploaded to Hyland Experience as part of the Hyland Insight Pilot Program.
5. DATA PROCESSING. Notwithstanding anything to the contrary, where Customer Data includes Personal Data, Hyland will process such Personal Data in accordance with the following Data Processing Addendum.
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) applies when Customer provides Personal Data to Hyland as part of the Hyland Insight Pilot Program.
1. DEFINITIONS
"Data Protection Law(s)" means any applicable law, regulation, legislation, or directive applicable to the Processing of Personal Data.
“Data Subject” means a natural person as defined by applicable Data Protection Law.
“Customer Personal Data” means any Personal Data submitted by or on behalf of Customer to Hyland pursuant to the Hyland Insight Pilot Program Agreement.
“Personal Data” means any individually identifiable information relating to a natural person which is protected under applicable Data Protection Law.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, disclosure or access to Customer Personal Data.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collecting, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Sub-Processor,” means an entity that Processes Personal Data at the request of Hyland.
2. HYLAND’S PROCESSING OF PERSONAL DATA
2.1 Instructions for Processing Personal Data. Hyland shall only Process Customer Personal Data for the purposes set forth in the Agreement and in accordance with Appendix A, unless otherwise required by law. Hyland will not "sell" or "share" any Personal Data as defined in applicable Data Protection Laws.
2.2 Duration of Processing. Hyland shall Process Personal Data only for the duration set out in Appendix A.
3. HYLAND’S SAFEGUARDS FOR PERSONAL DATA
3.1 Physical, Technical and Organizational Safeguards. Hyland shall maintain appropriate technical and organizational security measures designed to protect Customer Personal Data from accidental or unlawful destruction, loss, alteration, disclosure, or access.
3.2 Processing by Sub-Processors. Hyland shall only engage the Sub-Processors listed in Appendix A, which may be updated without amendment to this Agreement upon notice to Customer. Hyland has entered into a written agreement with each Sub-Processor containing data protection obligations to protect Customer Personal Data no less protective than the protections set forth in this Data Processing Addendum.
3.3 Confidentiality of Personal Data. Hyland shall treat Customer Personal Data as confidential and ensure that Hyland's personnel (including independent contractors) who have access to the Customer Personal Data: (i) have entered into appropriate contractually binding confidentiality undertakings; (ii) are informed of the confidential nature of Customer Personal Data; and (iii) have received appropriate training related to Customer Personal Data.
3.4 Return or Deletion of Personal Data. Upon termination of the Agreement or upon request of Customer, whichever occurs first, Hyland shall delete all Customer Personal Data in Hyland’s possession or control. This provision shall apply to Customer Personal Data that is in the possession of Hyland, its subcontractors, and its agents. If Hyland determines that deleting the Customer Personal Data is infeasible, then Hyland shall: (a) notify Customer of the conditions that make deletion infeasible and (b) extend the protections of the Agreement to such Customer Personal Data and limit further uses and disclosures of such Customer Personal Data to those purposes that make the deletion infeasible for so long as Hyland maintains such Customer Personal Data.
3.5 Requests Directed to Hyland. To the extent legally permitted, Hyland will notify Customer without undue delay following its receipt of any actual or purported request from (or on behalf of) a Data Subject exercising his rights under Data Protection Laws ("Data Subject Request"). Hyland will cooperate with and provide any necessary assistance to Customer in responding to any such Data Subject Requests, insofar as possible and taking into account the nature of Hyland's Processing and the Personal Data available to Hyland.
3.6 Reporting a Personal Data Breach. Hyland will notify the Customer without undue delay upon becoming aware of a Personal Data Breach. Hyland will take reasonable efforts to identify the cause of such Personal Data Breach and take the steps that Hyland deems necessary and reasonable to remediate the cause of the Personal Data Breach. Any notification by Hyland under this subsection shall not be construed as an admission of fault by Hyland.
3.7 Notification of Processing. Hyland will notify Customer should Hyland determine that it can no longer meet its obligations under Data Protection Laws with respect to the Personal Data it receives or has access to in meeting its obligations under the agreement.
4. CUSTOMER OBLIGATIONS FOR PERSONAL DATA
4.1 Customer shall ensure it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring the Customer Personal Data to Hyland; (ii) prevent or restrict it from granting Hyland access to the Customer Personal Data; and/or (iii) prevent or restrict Hyland from Processing the Customer Personal Data, in each case as required for Hyland to perform the Hyland Insight Pilot Program or as otherwise permitted in the applicable Hyland agreement.
4.2 Customer shall ensure all required consents and approvals have been obtained and all fair processing or other required notices or disclosures have been given and are sufficient in scope to enable Hyland to Process the Customer Personal Data in accordance with applicable Data Protection Laws.
Appendix A
Subject Matter and Duration of the Processing | The subject matter of the Processing is Hyland’s fulfilment of its obligations under the Hyland Insight Pilot Program Agreement. The duration of the Processing is the term of the Hyland Insight Pilot Program Agreement, and any exit period, if applicable. |
Categories of Data Subjects whose Personal Data is Processed | Any Data Subject whose Personal Data is transferred to Hyland under the Hyland Insight Pilot Program Agreement, which could include the following categories:
|
Nature and Purpose of the Processing | The purpose of the Processing is to provide the Hyland Insight Pilot Program and otherwise for Hyland’s fulfilment of its obligations under the Hyland Insight Pilot Program Agreement. The nature of the Processing may include, but is not limited to, collection, recording, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
Categories of Personal Data Processed | Any Personal Data submitted by Customer to Hyland under the Hyland Master Agreement. |
Sub-Processors | Amazon Web Services, Inc. Snowflake Inc. DataDog, Inc. MongoDB, Inc. Pendo.io Inc. Hyland Software, Inc. Affiliated Companies |
[The most current version of this page shall be such in effect as of 11:59 p.m. ET of the date stamped on such online version.]