Building an intellectual property clause

How to build an intellectual property clause

In this article, we have a look at some of the important aspects that must be kept in mind when drafting intellectual property clauses for services agreements.

Most disputed terms WCC ranking: 

19

Most important terms WCC ranking: 

16

Most negotiated terms WCC ranking: 

12

What is the purpose of an Intellectual Property clause in a services agreement?

The Intellectual Property clause determines which Party owns which intellectual property that will be used or created during the Agreement. The Intellectual Property clause may also provide for various obligations in respect the intellectual property, for example, an obligation to assist with the registration of intellectual property.

What is Background IPR

A provider may have to bring a couple of things to the table to perform the service. For example, the provider’s know-how, their systems and technology. The provider may have certain intellectual property rights in respect of the know-how, systems and technology. These rights are referred to as the Background Intellectual Property Rights (Background IPR).

What is Foreground IPR

Foreground Intellectual Property Rights (Foreground IPR), are intellectual property rights that arise due to the activity conducted under the Agreement.

Building blocks of an Intellectual Property Clause

building blocks of an intellectual property clause

What is Background IPR

The devil is in the details when it comes to definitions.

Usually, Intellectual Property Rights is defined separately from Background IPR, and you should therefore start with the definition of Intellectual Property Rights.

The Intellectual Property Rights definition may also contain various embedded defined terms. For example, Know-How, Patents etc. 

Here are examples of definitions that you may need when building your Intellectual Property clause:

Backround IPR means, by reference to a Party, all Intellectual Property Rights, excluding Foreground IPR, owned by such Party or any of its Affiliates, or licensed or made available by a third party to such Party and under which such Party is authorised to grant licenses.

Intellectual Property Rights means unpatented inventions, Patents, trademarks, service marks, trade names, domain names, copyrights (including rights in software), moral rights, rights in designs, Know-How, database rights, topography rights, mask work rights, utility models and all other intellectual property rights and forms of protection of a similar nature, licences to such rights, in each case whether registered or pending registration, and rights to apply for any such rights.

Know-How means all knowledge, drawings, specifications, samples, models, instructions, algorithms, working methods, ideas, concepts, technology, applied development engineering data, reports, notes and all other technical or commercial information, data and documents of any kind.

Patent means all patents and patent applications in any jurisdiction in the world, including any divisional, continuation, continuation-in-part, reissue, renewal, re-examination or extension thereof.

Retention of ownership

Ownership of the Background IPR will usually be retained by the respective Parties.

Some of the Background IPR (for example, Know-How), will be used to create Foreground IPR. For this reason, a licence is required in respect of the Background IPR. Who provides the licence will depend on the circumstances. Generally, both Parties will be making available Background IPR for the project, and therefore, both Parties licence their Background IPR. 

Licence in respect of Background IPR

Generally, a “project licence” is provided in terms of which each Party licences their Background IPR to the other for purposes of and to the extent required to perform their obligations under the Agreement. Without such a licence, an infringement question may arise.

It may happen that some of the Background IP will be used to create the Foreground IP. If this is the case, you want to be clear on the terms of the Background IPR licence. In other words, you want to expressly stipulate the scope of the Background IPR licence.

You will need to consider:

  • To whom is the Background IPR licenced (does it include Affiliates)?
  • What can the licensee do under the licence? Modify, distribute, sell create derivative works etc?
  • Are there any restrictions? For example, restrictions relating to territory, field of use, external use etc.
  • What about assignment and sub-licensing?

If you are acting for the customer, the typical licence you would require in this regard is a worldwide, no-charge, royalty-free, perpetual, irrevocable, exclusive, sublicensable licence.

What is Foreground IPR

Basically, anything that is created as a result of the activities conducted under the Agreement.

Here is an example definition:

Foreground IPR means all Intellectual Property Rights that arise as a result of or in the context of any activity pursuant to this Agreement.

Who owns the Foreground IPR

Most of the time the Foreground IPR will be owned by the Customer paying for the work. There are situations where the Provider would want to own the Foreground IPR. If this is the case, the Provider will need to provide a licence to the Customer to enable them to use the Foreground IPR.

 

Licence and obligations

When the Provider is providing a licence in respect of the Foreground IPR to the Customer, You will need to consider:

  • To whom is the Foreground IPR licenced (does it include Affiliates)?
  • What can the licensee do under the licence? Modify, distribute, sell create derivative works etc?
  • Are there any restrictions? For example, restrictions relating to territory, field of use, external use etc.
  • What about assignment and sub-licensing?

If you are acting for the Customer, the typical licence you would require in this regard is a worldwide, no-charge, royalty-free, perpetual, irrevocable, exclusive, sublicensable licence with scope that is as close as possible to “ownership”.

The general obligations relating to licencing must also be included, for example, that the Customer must assist with the registration of any Foreground IPR. And also, specifically, provide who needs to pay the fees and costs relating to the imposed obligations.

Non-asserts

If the Foreground IPR will be owned by the Provider, the Provider may want to make use of a non-assertation clause which will mean that the Customer cannot seek to enforce any Intellectual Property Rights it may have against the Provider in respect of the Foreground IPR.

Waiver of moral rights

Certain Intellectual Property Rights cannot be assigned and if you, as Provider, don’t want a situation where objections arise that relate to certain creative works, inserting a waiver of moral rights must be considered.

Example clauses

Customer friendly

1.           INTELLECTUAL PROPERTY

1.1         Background IPR:  Each Party retains ownership of their Background IPR and Intellectual Property developed outside the scope of this Agreement.

1.2         Background IPR Licence grant:  The Provider hereby grants to the Customer a irrevocable, non-exclusive, worldwide, no-charge, royalty-free, perpetual, sublicensable licence in respect of the Background IPR, under the following terms:

(a)         The Provider can create derivative works, display, or perform in any media and through any technology or other means of delivery, whether now known or developed in the future, distribute, sell, offer to sell, import, to make, or have made, to modify, to reproduce, to use externally, and to use internally the Background IPR for purposes of performing their obligations under this Agreement.

(b)         The Background IPR is also licenced to the Affiliates Customer.

(c)         The licence under Section 6.2 will survive termination of this Agreement.

1.3         Foreground IPR:  The Customer will exclusively own all Foreground IPR and the Provider hereby assigns all Foreground IPR to the Customer.

1.4         Obligations relating to Foreground IPR:  The Provider must:

(a)         assist in obtaining, registering, perfecting and enforcing all Foreground IPR; and

(b)         deliver all Foreground IPR.

1.5         Fees and costs:  The Customer must pay all fees and costs to register and protect the Foreground IPR.

Proivder friendly

1.           INTELLECTUAL PROPERTY

1.1         Background IPR:  Each Party retains ownership of their Background IPR and Intellectual Property developed outside the scope of this Agreement.

1.2         Background IPR Licence grant:  The Customer hereby grants to the Customer a irrevocable, non-exclusive, worldwide, no-charge, royalty-free, non-transferable, sublicensable licence in respect of their Background IPR, under the following terms:

(a)         The Provider can create derivative works, display, or perform in any media and through any technology or other means of delivery, whether now known or developed in the future, make, or have made, modify, reproduce, use externally, and use internally the Background IPR for purposes of performing their obligations under this Agreement.

(b)         The Background IPR is also licenced to the Affiliates Provider.

1.3         Ownership of Foreground IPR:  The Provider will exclusively own all Foreground IPR and the Customer hereby assigns all Foreground IPR to the Provider.

1.4         Licence:  Upon Customer’s payment of fees due under the Agreement the Provider grants the Customer an irrevocable, non-exclusive, worldwide, no-charge, royalty-free, perpetual, sublicensable licence in respect of the Foreground IPR, under the following terms:

(a)         The Customer can create derivative works, display, or perform in any media and through any technology or other means of delivery, whether now known or developed in the future, make, or have made, modify, reproduce, use externally, and use internally the Foreground IPR.

(b)         The licence in Section 1.4 will survive termination of this Agreement.

1.5         Obligations:  The Customer must:

(a)         assist in obtaining, registering, perfecting and enforcing all Foreground IPR; and

(b)         deliver all Foreground IPR.

1.6         Fees and costs:  The Provider must pay all fees and costs to register and protect the Foreground IPR.

1.7         Non-assertion and disclosure:  The Customer must not:

(a)         at any time allege the invalidity or otherwise take or permit to be taken any action affecting the validity or enforceability of any Intellectual Property Right obtained, applied for or to be applied for by the Provider; or

(b)         disclose or publish the subject matter of any inventions which may be patentable before the Provider has applied for any patent registration.

1.8         Moral rights:  To the extent permitted under the applicable laws, the Customer hereby waives all moral rights arising from or relating to Intellectual Property Rights created by or in collaboration with the Customer for the benefit of the Provider and all the Provider’s licensees and successors-in-title to the Intellectual Property Rights.

Table of Contents

The Author

Martin Kotze is a commercial lawyer with over 10 years of experience. He specialises in transactional work within the Tech, Financial Services and Property industries. 

He is also one of the co-founders at DocNinja and regularly advises listed companies to small and medium enterprises on how to contract better with their customers. 

Martin Kotze

This is a free 30min consultation to better understand your business and your needs.

Building data privacy and data security clauses

How to build a data protection clause

In this article, we have a look at some of the important aspects that must be kept in mind when drafting data privacy and data protection provisions.

Most disputed terms WCC ranking: 

Data privacy: 28

Data security: 26

Most important terms WCC ranking: 

Data privacy: 8

Data security: 7

Most negotiated terms WCC ranking: 

Data privacy: 17

Data security: 19

What is a Data Privacy clause?

Data Privacy clauses will generally deal with the way in which data (usually Personal Information) must be handled.

What is a Data Security clause?

Data Security clauses usually provide what the Provider must do to protect the Protected Data against unauthorised third-party access and malicious attacks.

What is a Data Protection clause then?

Data protection clauses are in a way a combination of data privacy and data protection clauses.

Building blocks of Data Privacy and Data Security clauses

building blocks of data privacy and data security provisions

What is Protected Data?

Defining Protected Data is important to ensuring balanced and fair data privacy and security provisions.

Generally, Protected Data will be personal information as defined by applicable data privacy and security laws. The aforementioned, however, does not mean that the definition of Protected Data should be limited to Personal Information. The Customer may want a much broader definition of Protected Data that includes all the data that the Customer provides to the Provider. For example:

Protected Data means all information processed or stored through the System by Customer or on Customer’s behalf, and includes, without limitation, information provided by Customer’s customers, employees, and other users and by other third parties, other information generated through use of the System by or on Customer’s behalf, and copies of all such information rendered onto paper or other non-electronic media.

If you are the Provider, you want to use a narrow definition and may even consider carving out certain types of data from the definition. For example:

Excluded Data means personal tax numbers, financial account data, and credit card and other payment card numbers;

Protected Data means personal information as contemplated under applicable data privacy and security laws, but specifically excludes Excluded Data;

If you are the Provider, you don’t want a situation where there is a Data Incident and, for example, credit card data is exposed and there was no need for you in the first place to process any such credit card data. 

If you follow the approach where certain data is excluded, make sure that a warranty is included in the Data Protection Schedule where the Customer warrants that they will not provide any Excluded Data to the Provider.

It may be that you want Protected Data to be regarded as Confidential Information. If you decide to go this route make sure that you address the situation where there is a conflict between the Data Protection Schedule and the confidentiality provisions.

Handling of Protected Data - Authorised Persons

A narrow definition of Authorised Persons may favour the Customer. On the other hand, the Provider would want to make sure the definition of Authorised Persons is wide enough to include sub-contractors so that there is no need to obtain written approvals for each sub-contractor.

Authorised Persons should, however, be limited to people who need to handle the data to fulfil the Provider’s obligations under the Agreement.

Handling of Protected Data - Aggregated and anonymised data

A Provider may want to use the Protected Data for its own purposes. Generally, if the Provider wants to use the Protected Data, it needs to be anonymised first. If you are the Customer, you would want to make sure that if the Protected Data is anonymised, such a process must and cannot be reversed.

Handling of Protected Data - Personal Information requests

Privacy legislation generally provides certain rights to data subjects when it comes to their Personal Information. For example, the “right to know,” delete, or the “right to be forgotten”. As a Customer, you may want to impose certain obligations on the Provider if a personal information request is directed at the Provider.

Access, location and deletion of Protected Data

If you are the Customer, you want to control the access, location and deletion of Protected Data.

Data privacy laws may determine certain requirements if Protected Data is moved cross-border. As a Customer, you do not want to be exposed to a situation where Protected Data is moved cross-border to a jurisdiction with less stringent data privacy and data security laws than those applicable within the current jurisdiction.

As a Customer, you can also consider specifying certain data centres within the current jurisdiction where data can be stored.

As Provider, the commercials of the transaction must be kept in mind when considering access, location and deletion of Protected Data. It may be useful to reserve a right to charge fees and costs for time spent assisting the Customer with providing access, deleting and moving Protected Data.  

Data security audits & certifications

Generally, the two standards that will be considered will be ISO 27001 and SOC 2.

A difference between ISO 27001 and SOC 2 is that SOC 2 is not a certification. If you pass the ISO 27001 requirements, then your business is ISO 27001 certified. However, in the case of SOC 2, the auditor issues a formal report, confirming whether or not you met the relevant criteria. 

ISO 27001 is a common European procurement requirement and is internationally recognized as the highest standard in information security. In the US market, many Customers will want the reassurance that the Provider is SOC 2 compliant.

Minimum safeguards

If you acting for the Customer, especially in the situation where the Provider is not required to produce an ISO 27001 certificate or an SOC2 report, you want to place certain contractual obligations on the Provider regarding data security.

Or, if there is a requirement that the Provider produces a ISO 27001 certificate or an SOC2 report, there are situations where the Customer may require further measures to be put in place that goes beyond what is required under ISO 27001/ SOC2.

Data incidents & deletion of data

Data Incidents

When considering provisions relating to Data Incidents, the definition of a Data Incident is a good point of departure.

Generally, Data Incidents include the unauthorised disclosure of, access to, or use of Protected Data

As Provider, you may want to consider narrowing the above broad and general definition to more specific scenarios where, for example, an unauthorised third-party obtains and threatens the distributions of Protected Data.

The obligations placed on the Provider relating to Data Incidents require detailed consideration. Examples of these obligations include:

  • Notifying the Customer
  • Cooperation with law enforcement
  • Assistance with notifying third parties whose data may have been exposed

 

Most of these obligations are generally aimed at damage control. However, a Customer may want to add obligations that require compensation, in some form, as a result of the Data Incident. 

As a Customer, you want to be in control of whatever happens after the occurrence of a Data Incident. As Provider, you do not want to be subjected to obligations that will be detrimental to your business financially.

 

Deletion of data

As a Customer, you want to have certain rights regarding the deletion of Protected Data.

Making sure that erasure leaves no data readable, decipherable, or recoverable may be expensive. Therefore, as Provider, you may want to consider adding provisions that the data deletion will be done using commercially feasible methods.

Data protection indemnity

The remedies and relief for breach of the Data Protection Schedule or the Data Protection Laws are usually addressed by an indemnity (see How to build an indemnity clause).

Breach & equitable relief

A Customer may also want to include a provision stipulating that a breach of the Data Protection Schedule will be deemed material with the hope that this will help them terminate the Agreement for cause if there is a breach.

Example schedule

Customer friendly

SCHEDULE – DATA PROTECTION

 

1.1.       Handling of Protected Data: 

(a)          Standard of care:  The Provider must keep and maintain all Protected Data in strict confidence, using such degree of care as is appropriate to avoid unauthorised access, use or disclosure.

(b)          Usage of Protected Data:  The Provider must use and disclose Protected Data solely and exclusively for the purposes for which the Protected Data, or access to it, is provided pursuant to the terms and conditions of the Agreement, and not use, sell, rent, transfer, distribute, or otherwise disclose or make available Protected Data for the Customer’s own purposes or for the benefit of anyone other than the Customer, in each case, without Customer’s prior written consent.

(c)          Disclosure:  The Provider must not, directly or indirectly, disclose Protected Data to any person other than Authorised Persons, without express written consent from the Customer, unless and to the extent required by government authorities or as otherwise, to the extent expressly required, by applicable law, in which case, the Provider must use reasonable efforts to notify the Customer before such disclosure or as soon thereafter as reasonably possible.

(d)          Responsibility for Authorised Persons:  The Provider is responsible for and remain liable to the Customer for the actions and omissions of such Authorised Persons concerning the treatment of such Protected Data as if they were the Provider’s own actions and omissions.

(e)          Written undertaking required from Authorised Persons:  The Provider must require the Authorised Persons that has access to Protected Data to execute a written undertaking to comply with this Schedule.

1.2.       Confidential information:  All Protected Data provided by the Customer to the Provider or to which the Provider may be exposed or acquire in terms of this Agreement, constitutes Confidential Information.

1.3.       Conflicts:  If there is a conflict or inconsistency between this Schedule and the confidentiality within the main body of the Agreement, the terms in this Schedule governs and controls.

1.4.       Cross border transfer:  The Provider must not transfer Protected Data (or allow Authorised Persons to transfer Protected Data) outside Republic of South Africa unless it receives the Customer’s prior written consent.

1.5.       Additional charges:  The Provider may charge additional fees at their standard rates for activities required by the Customer to assist them to comply with Data Protection Laws.

1.6.       Access rights:  The Customer may access and copy any Protected Data in the Provider’s possession or control at any time and the Provider:

(a)          must provide reasonable assistance to the Customer to access and copy the Protected Data.

(b)          may charge their reasonable then-standard fees for any assistance provided under 1.6.

1.7.       Protected data requests:  If the Provider receives a consumer “right to know,” deletion, “right to be forgotten,” or similar request related to Protected Data within Protected Data (the “Consumer Requests”), the Provider must not reply without the Customers written authorisation and shall, at the Customer’s expense, comply with the Customer’s reasonable written instructions for Consumer Requests (if any), subject to Data Protection Laws.

1.8.       Audits and certifications: 

(a)          The Provider must maintain annually updated reports and certifications (as may be applicable) of compliance with the following:

(i)           ISO 27001;

(ii)          SOC 2 Type II; and

(iii)         PCI Level 2.

(b)          The Provider must:

(i)           provide the Customer a copy of the most current certifications and reports (as may be applicable) within 30 days of request and thereafter annually within 30 days of completion of thereof; and

(ii)          if there are any deficiencies identified or changes suggested relating to the provisions of the Services under the Agreement, the Provider must exercise reasonable efforts to promptly address such deficiencies and changes.

(c)          Notwithstanding anything in this Schedule, the Provider is not required to permit any audit that may compromise the security of the Provider’ other customers’ data.

(d)          Any report provided under this Schedule must be regarded as confidential information.

1.9.       Inspections: 

(a)          If requested by the Customer, the Provider must permit inspection and security review by the Customer of systems processing Protected Data and on the Provider’s policies and procedures relating to data security.

(b)          The Customer may request an inspection contemplated in 1.9, every half-yearly starting from the date that this Agreement becomes effective.

(c)          Notwithstanding anything in this Schedule, the Provider is not required to permit any inspection that may compromise the security of the Provider’ other customers’ data.

1.10.    Data Incidents:  If there is a Data Incident, or if Provider suspects a Data Incident, the Provider must:

(a)          promptly, and in any case within 24 hours, give notification by telephone, in person, or by other real-time, in-person communication;

(b)          cooperate with law enforcement agencies, where applicable, to investigate and resolve the Data Incident;

(c)          provide reasonable assistance in notifying applicable third parties;

(d)          comply with applicable laws governing data breach notification and response;

(e)          if the Data Incident results from their breach of this Agreement or negligent or unauthorised act or omission of an Authorised Person, compensate the other Party for any reasonable expense related to notification of consumers;

(f)           give the other Party prompt access to such records related to a Data Incident as may reasonably be requested (such records will be regarded as confidential information and there will be no obligation to provide access to records that might compromise the security of the other customers); and

(g)          provide the name and contact information for an employee who shall serve as primary security contact and must be available to assist 24 hours per day,  7 days per week as a contact in resolving obligations associated with a Data Incident.

1.11.    Third-parties and Data Incidents: 

(a)          The Provider must not inform any third party of any Data Incident without first obtaining the Customer’s prior written consent, other than to inform a complainant that the matter has been forwarded to the Customer’s legal counsel. The Customer has the sole right to determine:

(i)           whether notice of the Data Incident is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies or others as required by law or regulation, or otherwise in the Customer’s discretion; and

(ii)          the contents of such notice, whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation.

(b)          The Provider must reasonably cooperate at its own expense with the Customer in any litigation or other formal action deemed reasonably necessary by the Customer to protect their rights relating to the use, disclosure, protection and maintenance of Protected Data.

(c)          If there is a Data Incident, the Provider must use their reasonable efforts to prevent a recurrence of any such Data Incident.

(d)          Nothing in this Schedule limits other rights or remedies of the Customer, if any, resulting from a Data Incident.

1.12.    Deletion of Protected Date:  Except as required by Data Protection Laws or authorised pursuant to a data deletion policy accepted in writing by each party, the Provider must not erase Protected Data or any copy thereof without the Customer’s prior written consent. The Provider must:

(a)          on request promptly erase all Protected Data from all systems under Provider’s control and direct and ensure erasure by any and all of its subcontractors that have access to Protected Data;

(b)          within 30 days of termination of this Agreement, erase all Protected Data in Provider’s possession or control, including without limitation in the possession or control of its subcontractors;

(c)          after erasure leave no data readable, decipherable, or recoverable on its computers or other media or those of its subcontractors, using the best erasure methods commercially feasible; and

(d)          promptly after any erasure of Protected Data or any part of it, certify such erasure.

1.13.    Minimum safeguards:  In addition to any other safeguards contemplated in this Schedule, the Provider must ensure at minimum that that:

(a)          their Personnel each have a unique user ID assigned to them, subject to strict confidentiality undertakings in terms of a password and confidentiality policy;

(b)          there are passwords required for any access to Data in line with its password policy;

(c)          its operating systems are secure and that the security settings in respect thereof are aligned with good industry practice;

(d)          its administrator accounts (and records of usage in relation thereto) are stored securely and can be accessed in the event of any service restoration or fault determination;

(e)          access to Data be limited to Personnel on a “need to know” basis, which Personal shall strictly utilise their unique user ID and applicable passwords to access same (the access to such Data shall be subject to a two-step authorisation/authentication process);

(f)           all Data is backed-up regularly, and to ensure that back up testing is conducted regularly in order to ensure that Data can be recovered in the event that such Data is lost, damaged or destroyed;

(g)          its environment has comprehensive malware protection software employed, which software is specifically designed to protect against the most recent malware infections;

(h)          frequent vulnerability scanning is conducted in order to assess whether any computers, networks or applications have any vulnerabilities to cyber-attacks; and

(i)           all designated networks, employ intrusion detection systems and intrusion prevention systems, and record any security incidents.

1.14.    IT network infrastructure diagram:  Upon the Customer’s written request, the Customer must provide the Customer with a network diagram that outlines the Provider’s information technology network infrastructure and all equipment used in relation to fulfilling of its obligations under the Agreement, including:

(a)          connectivity to the Customer’s and all third parties who may access the Provider’s network to the extent the network contains Protected Data;

(b)          all network connections including remote access services and wireless connectivity;

(c)          all access control devices (for example, firewall, packet filters, intrusion detection and access-list routers);

(d)          all back-up or redundant servers; and

(e)          permitted access through each network connection.

1.15.    Material breach:  Any breach of the obligations under this Schedule, is deemed a material breach of the Agreement.

1.16.    Equitable relief: 

(a)          The Provider acknowledges that:

(i)           no adequate remedy exists at law if it fails to perform or breaches any of its obligations under this Schedule;

(ii)          it would be difficult to determine the damages resulting from a breach of this Schedule, and such breach would cause irreparable harm to the Customer; and

(iii)         a grant of injunctive relief provides the best remedy for any such breach, without any requirement that the Customer prove actual damage or post a bond or other security.

(b)          To the extent permitted under Data Protection Laws, the Provider waives any opposition to such injunctive relief contemplated in Section 1.16 or any right to such proof, bond, or other security.

(c)          The Provider’s obligations in this Schedule apply likewise to the Provider’s successors, including without limitation to any trustee in bankruptcy.

 

Provider friendly

SCHEDULE – DATA PROTECTION

 

1.1.       Handling of Protected Data: 

(a)          Standard of care:  The Provider must keep and maintain all Protected Data in strict confidence, using such degree of care as is appropriate to avoid unauthorised access, use or disclosure.

(b)          Usage of Protected Data:  The Provider must use and disclose Protected Data solely and exclusively for the purposes for which the Protected Data, or access to it, is provided pursuant to the terms and conditions of the Agreement, and not use, sell, rent, transfer, distribute, or otherwise disclose or make available Protected Data for the Customer’s own purposes or for the benefit of anyone other than the Customer, in each case, without Customer’s prior written consent.

(c)          Disclosure:  The Provider must not, directly or indirectly, disclose Protected Data to any person other than Authorised Persons, without express written consent from the Customer, unless and to the extent required by government authorities or as otherwise, to the extent expressly required, by applicable law, in which case, the Provider must use reasonable efforts to notify the Customer before such disclosure or as soon thereafter as reasonably possible.

(d)          Responsibility for Authorised Persons:  The Provider is responsible for and remain liable to the Customer for the actions and omissions of such Authorised Persons concerning the treatment of such Protected Data as if they were the Provider’s own actions and omissions.

(e)          Written undertaking required from Authorised Persons:  The Provider must require the Authorised Persons that has access to Protected Data to execute a written undertaking to comply with this Schedule.

1.2.       Additional charges:  The Provider may charge additional fees at their standard rates for activities required by the Customer to assist them to comply with Data Protection Laws.

1.3.       Aggregated and anonymized data:  The Customer hereby authorises the Provider to:

(a)          Anonymize Customer Data and to combine it with data from other customers into a new aggregate dataset; and

(b)          use such Anonymized Customer Data as a component of such new aggregate dataset for any legal business purpose, including without limitation for distribution to third-parties.

1.4.       Minimum safeguards:  In addition to any other safeguards contemplated in this Schedule, the Provider must ensure at minimum that that:

(a)          their Personnel each have a unique user ID assigned to them, subject to strict confidentiality undertakings in terms of a password and confidentiality policy;

(b)          there are passwords required for any access to Data in line with its password policy;

(c)          its operating systems are secure and that the security settings in respect thereof are aligned with good industry practice;

(d)          its administrator accounts (and records of usage in relation thereto) are stored securely and can be accessed in the event of any service restoration or fault determination;

(e)          access to Data be limited to Personnel on a “need to know” basis, which Personal shall strictly utilise their unique user ID and applicable passwords to access same (the access to such Data shall be subject to a two-step authorisation/authentication process);

(f)           all Data is backed-up regularly, and to ensure that back up testing is conducted regularly in order to ensure that Data can be recovered in the event that such Data is lost, damaged or destroyed;

(g)          its environment has comprehensive malware protection software employed, which software is specifically designed to protect against the most recent malware infections;

(h)          frequent vulnerability scanning is conducted in order to assess whether any computers, networks or applications have any vulnerabilities to cyber-attacks; and

(i)           all designated networks, employ intrusion detection systems and intrusion prevention systems, and record any security incidents.

Table of Contents

The Author

Martin Kotze is a commercial lawyer with over 10 years of experience. He specialises in transactional work within the Tech, Financial Services and Property industries. 

He is also one of the co-founders at DocNinja and regularly advises listed companies to small and medium enterprises on how to contract better with their customers. 

Martin Kotze

This is a free 30min consultation to better understand your business and your needs.

Building a confidentiality clause

How to build a confidentiality clause

In this article, we have a look at some of the important aspects that must be kept in mind when drafting confidentiality clauses.

Most disputed terms WCC ranking: 

outside top 30

Most important terms WCC ranking: 

26

Most negotiated terms WCC ranking: 

13

What is the purpose of a confidentiality clause?

If certain information relating to your business ends up in the wrong hands, it can be devasting for your business. Therefore, to protect against situations where someone discloses confidential information, a non-disclosure agreement (NDA) will be entered into, or a confidentiality clause will be inserted in the Agreement governing the transaction concluded between the parties.

Confidentiality Agreement vs NDA vs Proprietary Information Agreement vs Secrecy Agreement

These agreements may have subtle differences, however, in practice, they all aim to achieve the same purpose – i.e. to prohibit the disclosure of information that can damage or negatively impact a business.

Building blocks of a Confidentiality Clause

building a confidentiality clause

What is Confidential Information?

There are a couple of approaches when it comes to defining Confidential Information.

Suppose you need to get out of the blocks quickly. In that case, you can consider stipulating that all information exchanged between the Parties relating to the Purpose must be regarded as Confidential Information.

Another approach may be a more detailed and specific approach where you stipulate the type of information that will be regarded as confidential information. For example:

  • any information of the Disclosing Party relating to financial structure, accounting methods, cash flows, revenue forecast methodology, and market forecast methodology;
  • any information of the Disclosing Party relating to plans, designs, drawings, functional and technical requirements and specifications;
  • etc.

Confidential Info of Affiliates & third-parties

To avoid certain disputes in the future, remember to stipulate whether information:

  • disclosed before the Signature Date will also be regarded as Confidential Information under the confidentiality clause;
  • of the Disclosing Party’s Affiliates must be treated as Confidential Information (also remember to make sure your definitions of “Affiliate” and “Control” aligns with the intention of the Parties); and
  • of any third parties disclosed by the Disclosing Party must be treated as Confidential Information.

The Purpose of the disclosure

The purpose of the disclosure plays an important role in confidentiality clauses.

Generally, the purpose of the disclosure is linked to the extent to which the Receiving Party can use the confidential information. So, for example, the Confidential Information can only be used to the extent that it is required by the Receiving Party to give effect to the concluded Agreement. If the Receiving Party uses the Confidential Information for any other purpose, the Receiving Party will be in breach of the confidentiality clause.

If you are acting for a Party that will disclose most of the Confidential Information, make sure to use narrow and specific wording for the purpose!

Labelling

If you are mainly receiving Confidential Information, it will help if you require “labelling” of information. This will assist you in knowing which information must be handled with care.

When you are the Party that will mainly be Disclosing Information, you would likely want to follow a different approach. For example, you can stipulate that any information that the Receiving Party should reasonably have understood (because of legends or other markings, the circumstances of disclosure, or the nature of the information) to be confidential will be regarded as Confidential Information.

Permitted receivers / authorised recipients

A permitted receiver is usually a person who works for or assists the Receiving Party somehow. For example, the Receiving Party’s lawyers or accountants.

If you are acting for the Disclosing Party, You want to impose various obligations on the Receiving Party regarding permitted receivers. For example, the Receiving Party must require the permitted assigns to sign confidentiality undertakings that are to the satisfaction of the Disclosing Party if the Receiving Party wants to make available the Confidential Information to a permitted receiver.

Excluded information

Information generally excluded from Confidential Information:

  • information known to the Receiving Party before disclosure by the Disclosing Party;
  • information that is or becomes publicly known, not as a result of a breach of this Agreement, by the Receiving Party;
  • information developed independently by the Receiving Party in circumstances that are not a breach of this Agreement; and
  • information which Receiving Party receives from a third party who can disclose the Confidential Information free of restriction and without obligation.

Handling of Confidential Information

If you are acting for the Party that will mainly be disclosing confidential information, you must be clear on how Confidential Information must be handled.

As a start, you want to impose certain obligations on the Receiving Party, for example:

  • The Receiving Party must protect the Confidential Information by using the same standard of care to safeguard their confidential information; and
  • A Receiving Party must take reasonable steps to prevent any unauthorised disclosure of the Confidential Information.

Also, consider what needs to happen if the Receiving Party becomes aware that there has been unauthorised access to the Confidential Information. Generally, you would want to impose an obligation on the Receiving Party to report the unauthorised access as soon as possible and to assist in mitigating any adverse effects of the unauthorised access.

On the flip side, if you act for the party that will mainly be Receiving Confidential Information, you want to limit express obligations that may open you up to liability claims.

Ownership of Confidential Information

There may be situations where Confidential Information that is disclosed may be used by the Receiving Party in one of their processes.

Make sure to expressly state that no ownership relating to the Confidential Information will transfer to the Receiving Party.

If you are acting for the Party that will mainly be disclosing Confidential Information, and if the Receiving Party requires any rights to use the Confidential Information, stipulate that any rights granted in respect of the Confidential Information are only granted to the extent required to fulfil the Purpose expressly stated in the confidentiality clause.

Warranties

A typical warranty you will see within a confidentiality clause is where the Disclosing Party warrants that they can disclose the Confidential Information. As a Receiving Party, you want this warranty. You do not want to get caught up in a situation where you receive confidential information from a Disclosing Party that they were not supposed to disclose.

As a Disclosing Party, you want to disclaim all representations and warranties relating to the Confidential Information. In other words, you do not want to make any warranties in respect of the accuracy, completeness and suitability of the Confidential Information as this may open you up to claims. 

Duration

Confidentiality clauses should survive termination of the Agreement. It will not hurt to stipulate this expressly.

Another aspect that needs to be addressed in your confidentiality is clause is how long will the confidentiality provisions be binding on the Receiving Party.

One approach is to provide that the confidentiality provisions will remain binding as long as the Confidential Information is retained. Another approach may be to provide a fixed period for which the confidentiality provisions will apply after termination of the Agreement.

A fixed period approach may favour the Receiving Party. However, if you will disclose any trade secrets, you should definitely look at providing that the confidentiality provisions will apply indefinitely, to the extent allowed by applicable law.

Remedies

Confidentiality clauses should survive termination of the Agreement. It will not hurt to stipulate this expressly.

Another aspect that needs to be addressed in your confidentiality is clause is how long will the confidentiality provisions be binding on the Receiving Party.

One approach is to provide that the confidentiality provisions will remain binding as long as the Confidential Information is retained. Another approach may be to provide a fixed period for which the confidentiality provisions will apply after termination of the Agreement.

A fixed period approach may favour the Receiving Party. However, if you will disclose any trade secrets, you should definitely look at providing that the confidentiality provisions will apply indefinitely, to the extent allowed by applicable law.

Example clauses

You will mainly be disclosing information

1.           CONFIDENTIAL INFORMATION

1.1         Confidential Information means:

(a)         all information disclosed between the Parties disclosed in connection with the Purpose.

disclosed in connection with the Purpose.

1.2         Disclosing party:  The Confidential Information of both Parties will be protected under this Agreement and both parties will therefore be regarded as a “Disclosing Party”.

1.3         Affiliate confidential information:  Confidential Information will include any Confidential Information of any Affiliate of the Receiving Party.

1.4         Third party confidential information:  Confidential Information will include any Confidential Information of any third party.

1.5         Labelling:  Labelling of Confidential Information is not required. Any information that the Receiving Party should reasonably have understood (because of legends or other markings, the circumstances of disclosure, or the nature of the information) to be confidential will be regarded as Confidential Information.

1.6         Time of disclosure:  The Confidential Information will include Confidential Information disclosed before and after the Signature Date.

1.7         Excluded information:  The following information is not Confidential Information:

(a)         information known to the Receiving Party before disclosure by the Disclosing Party;

(b)         information that is or becomes publicly known, not as a result of a breach of this Agreement by the Receiving Party;

(c)         information developed independently by the Receiving Party in circumstances that are not a breach of this Agreement; and

(d)         information which Receiving Party receives from a third party who can disclose the Confidential Information free of restriction and without obligation.

1.8         Notification and disclosures required in terms of law:  If the Receiving Party is required to disclose Confidential Information to satisfy a court order or to comply with any applicable law the Receiving Party will notify the Disclosing Party in writing before such disclosure to enable the Disclosing Party to protect their interest; and

1.9         Obligations and disclosures required in terms of law:  If the Receiving Party is required to disclose Confidential Information to satisfy a court order or to comply with any applicable law the Receiving Party will only disclose the legally required portion of the information and use reasonable endeavours to protect the confidentiality of such information (the onus is on the Receiving Party to demonstrate that they have complied with this provision).

1.10      Handling of Confidential Information:  A Receiving Party must not disclose the Confidential Information to any third party without first obtaining written consent from the Disclosing Party.

1.11      Standard of care:  A Receiving Party must protect the Confidential Information of a Disclosing Party by using the same standard of care to safeguard their confidential information.

1.12      Steps required to protect Confidential Information:  A Receiving Party must take reasonable steps to prevent any unauthorised disclosure of the Confidential Information.

1.13      Unauthorised access:  A Receiving Party will immediately notify the Disclosing Party if the Receiving Party becomes aware of any loss or any unauthorised access to, or use or disclosure of, any Confidential Information in the control of the Receiving Party or their authorised recipient.

1.14      Cooperation:  The Receiving Party must cooperate with the Disclosing Party to investigate and mitigate any adverse effects of unauthorised access to, or use or disclosure of, any Confidential Information.

1.15      Rights of the Disclosing Party:  A Disclosing Party can at any time require:

(a)         the Receiving Party to return any Confidential Information;

(b)         the Receiving Party to expunge any Confidential Information from any device;

(c)         the Receiving Party to destroy any material relating to the Confidential Information;

(d)         the Receiving Party to cause the return or destruction of any Confidential Information which the Receiving Party disclosed to any third party; and/or

(e)         a written statement under oath that the Receiving Party has not retained any such Confidential Information and that no third party has retained any such Confidential Information.

1.16      Authorised Recipients:  A Receiving Party can disclose the Confidential Information to their representatives, employees, consultants, or professional advisors, if necessary and to the extent required to fulfil the Purpose.

1.17      Confidentiality undertakings:  If a Receiving Party intends to disclose the Confidential Information to their representatives or employees, such representatives or employees must sign a confidentiality undertaking that is to the satisfaction of the Disclosing Party.

1.18      Acknowledgment:  A Receiving Party acknowledges that unauthorised or unlawful use or disclosure of the Confidential Information can cause irreparable damage to the Disclosing Party.

1.19      Indemnity:  The Receiving Party indemnifies the Disclosing Party against any, and all loss suffered where the Receiving Party, or their representative or employee, discloses or uses the Confidential Information unlawfully or without the Disclosing Party’s consent.

1.20      Injunctive relief:  The Receiving Party acknowledges that monetary damages may not be a sufficient remedy for unauthorised or unlawful use or disclosure of the Confidential Information and a Disclosing Party can ask a court for injunctive relief without waiving any other rights or remedies.

1.21      No limitation:  Notwithstanding anything agreed to between the Parties, a claim for breach of the confidentiality provisions, or a claim under 1.19, will not be limited or excluded under any limitation of liability or exclusion of liability provision.

1.22      Ownership and rights:  The Disclosing Party will remain the owner of all rights relating to the Confidential Information. Where rights must be granted in respect of the Confidential Information, such rights are only granted to the extent required to fulfil the purpose in Purpose.

1.23      Termination and survival:  The confidentiality provisions in this Agreement will survive the termination of this Agreement.

1.24      Period:  The confidentiality provisions in this Agreement will bind the Receiving Party for an indefinite period.

1.25      Disclaimer:  The Disclosing Party disclaims all representations, warranties, or assurances for the Confidential Information, including for accuracy, performance, completeness, suitability, or third-party rights.

 

You will mainly be receiving information

1.           CONFIDENTIAL INFORMATION

1.1         Confidential Information means:

(a)         any information of the Disclosing Party relating to strategic objectives and planning for the existing and future needs;

(b)         any information of the Disclosing Party relating to technical, scientific, commercial, financial or market information, know-how, and trade secrets;

(c)         any information of the Disclosing Party relating to data concerning business and donor relationships; and

(d)         any information of the Disclosing Party relating to plans, designs, drawings, functional and technical requirements and specifications.

disclosed in connection with the Purpose.

1.2         Disclosing party:  The Confidential Information of both Parties will be protected under this Agreement and both parties will therefore be regarded as a “Disclosing Party”.

1.3         Labelling:  For Confidential Information to be considered confidential, the information must be marked as confidential or if disclosed orally, identified as confidential in writing within 7.

1.4         Time of disclosure:  Only Confidential Information disclosed after the Signature Date will be regarded as Confidential Information under this Agreement.

1.5         Excluded information:  The following information is not Confidential Information:

(a)         information known to the Receiving Party before disclosure by the Disclosing Party;

(b)         information that is or becomes publicly known, not as a result of a breach of this Agreement by the Receiving Party;

(c)         information developed independently by the Receiving Party in circumstances that are not a breach of this Agreement; and

(d)         information which Receiving Party receives from a third party who can disclose the Confidential Information free of restriction and without obligation.

1.6         Handling of Confidential Information:  A Receiving Party must not disclose the Confidential Information to any third party without first obtaining written consent from the Disclosing Party.

1.7         Rights of the Disclosing Party:  A Disclosing Party can at any time require:

(a)         the Receiving Party to return any Confidential Information;

(b)         the Receiving Party to expunge any Confidential Information from any device;

(c)         the Receiving Party to destroy any material relating to the Confidential Information;

(d)         the Receiving Party to cause the return or destruction of any Confidential Information which the Receiving Party disclosed to any third party; and/or

(e)         a written statement under oath that the Receiving Party has not retained any such Confidential Information and that no third party has retained any such Confidential Information.

1.8         Authorised Recipients:  A Receiving Party can disclose the Confidential Information to their representatives, employees, consultants, or professional advisors, if necessary and to the extent required to fulfil the Purpose.

1.9         Period:  The confidentiality provisions in this Agreement will bind the Receiving Party for 1 years after the Agreement ends.

1.10      Warranties:  The Disclosing Party warrants that they have the right to disclose the Confidential Information to the Receiving Party.

1.11      No further warranties:  The Disclosing Party makes no other express, implied, or statutory warranties in respect of the Confidential Information.

Table of Contents

The Author

Martin Kotze is a commercial lawyer with over 10 years of experience. He specialises in transactional work within the Tech, Financial Services and Property industries. 

He is also one of the co-founders at DocNinja and regularly advises listed companies to small and medium enterprises on how to contract better with their customers. 

Martin Kotze

This is a free 30min consultation to better understand your business and your needs.

Building a limitation of liability clause

How to build a limitation of liability clause

Most disputed terms WCC ranking: 

16

Most important terms WCC ranking: 

6

Most negotiated terms WCC ranking: 

1

What is the purpose of a limitation of liability clause?

There are certain risks that a party will not be willing and able to take. For example, a claim for unlimited consequential losses can mean the end of the business.

Building blocks of a exclusion/limitation of liability clause

building blocks of a limitation of liability clause

Unrecoverable losses

Unrecoverable losses

Unrecoverable losses refer to losses which the Party cannot be held labile for if there is a breach of contract.

These unrecoverable losses are also sometimes referred the waiver of consequential damages (a concept that is often confused).

The waiver of claims relating to these types of losses is usually mutual. However, depending on bargaining power, it may happen that only one of the Parties waives claims relating to the unrecoverable losses.

Type of losses

Parties mistakenly think that waiving consequential damages will include a waiver of claims relating to, for example, loss of business income. However, consequential damages do not describe a particular kind of loss and do not always include a waiver of claims relating to the loss of business income. For example, a loss of business income can also be a direct loss where this loss was foreseeable when the Agreement was concluded, and such a loss would naturally arise from the breach of the Agreement. 

If you want to make sure that all claims relating to losses that the parties intend to waive are being waived, a laundry list of claims relating to losses that will be waived can be included – for example:

loss of profits, loss of business revenues, loss of anticipated savings, loss of goodwill, loss of data etc.

Some of these losses may be direct losses, and some may be consequential losses.

Be careful waiving claims for direct losses. Generally, you cannot waive all liability for breach of contractual obligations (the aggrieved Party must have some form of meaningful recourse in the event of a breach of contract).

Examples of other claims relating to losses that you will likely not be able to waive are losses that relate to:

  • your own fraud/dishonesty; and
  • negligence for death or personal injury.

 

Then there are certain jurisdictions where you cannot waive claims relating to losses sustained for the supply of defective goods (there’s usually consumer protection legislation that regulates this).

The claims relating to losses that can and can’t be waived may differ from one jurisdiction to another. Therefore, an approach adopted in practice is to insert the phrase “to the maximum extent permitted under law” before the rest of the sentence that waives the claims relating to the specific losses.

Carve outs

When you “carve-out” certain types of claims from the unrecoverable loss provisions, it means that if this “carved-out” type of claim is instituted, then the type of loss that was waived can still be persued. 

If you are acting for the Party that is waiving claims that relate to the specific loss that is specified as unrecoverable losses, you want to avoid situations where claims are are “carved out” from the unrecoverable loss provisions. If not possible, your second option will be to try and negotiate that these types of claims must be subject to the maximum liability cap.

Claims that are often “carved-out” from the unrecoverable loss provisions, include:

  • breach of confidentiality provisions under the Agreement
  • claims relating to any indemnity provided under the Agreement
  • breach of the data protection provisions under this Agreement
  • any act or omission that is grossly negligent
  • any act or omission that causes personal injury or death of a third party
  • any act or omission that causes damage to property
  • to wilful misconduct or fraud

Maximum liability

Maximum liability

Maximum liability provisions are also sometimes referred to as the liability cap. These provisions limit the maximum amount that can be claimed from the defaulting Party.

The maximum liability provisions are often a hot topic of negotiation. For example, suppose you are a Provider whose liability is limited to a specific amount. In that case, you want this amount to be as low as possible to ensure that the business will hopefully stay afloat if things go south. On the other hand, if you are the Customer, you want to recover an amount that will sufficiently compensate you for your losses.

Finding a balanced approach to the maximum liability provisions often involves stipulating different liability caps for different types of breaches. For example, if there is a breach of the data protection provisions, the cap will be calculated one way, and if there is a breach of the confidentiality provisions, the cap will be calculated another way. 

Type of claims

It often happens that Parties agree on a general maximum liability amount. However, when the transaction is “mission critical” with risks on both sides, the negotiations start focusing on different liability caps for different types of claims.

For Customer operating in a highly regulated environment, a breach of the data protection provisions may be catastrophic. Therefore, a higher cap for this type of breach may be appropriate.  

Liability cap

There are various ways that the liability cap can be structured.

Examples of different cap structures include:

  • Limited to a specific amount
  • Limited to all amounts paid under the Agreement
  • Limited to a % of the total contract value
  • Limited to the amounts paid under the Agreement for the last x months

 

Another important consideration is if the cap applies per incident or to claims over a period of time? Also, will legal fees, costs and interest also form part of the cap?

Carve-outs

When you “carve-out” certain types of claims from the maximum liability provisions, it means that if this “carved-out” type of claim is instituted, then the claim will not be limited. 

If you are acting for the Party in whose favour the maximum liability cap is agreed waiving claims, you want to avoid situations where claims are are “carved out” from the maximum liability provisions.

Claims that are often “carved-out” from the maximum liability provisions, include:

  • breach of confidentiality provisions under the Agreement
  • claims relating to any indemnity provided under the Agreement
  • breach of the data protection provisions under this Agreement
  • any act or omission that is grossly negligent
  • any act or omission that causes personal injury or death of a third party
  • any act or omission that causes damage to property
  • to wilful misconduct or fraud

Example clauses

Customer friendly

1.           TERMINATION

1.1         Material breach:  If a Party is in material breach of this Agreement and such breach is:

(a)         capable of being rectified, and the defaulting Party fails to rectify the breach within 7 days after the aggrieved Party provides a written notice requiring the defaulting Party to rectify the breach, then the aggrieved Party can terminate this Agreement with immediate effect and claim damages from the defaulting Party; or

(b)         not capable of being rectified, then the aggrieved Party can terminate this Agreement with immediate effect and claim damages from the defaulting Party.

Unless otherwise provided in the Agreement, the relief stipulated above will not limit the aggrieved Party’s rights. The aggrieved Party will have all available rights in terms of applicable law.

1.2         Termination for convenience:  A Party can terminate this Agreement for any reason and no reason before the end of the term of the Agreement by providing 30 days (the “Termination Notice Period”) written notice to the other Party. The Party terminating the Agreement under 1.3 must pay the other Party all amounts due up to the last day of the Termination Notice Period, with an amount equal to 10% of the value of the Agreement’s remainder.

1.3         Process after terminationUnless otherwise provided in the Agreement, when this Agreement terminates for any reason:

(a)         all due fees become payable;

(b)         all licenses granted under this Agreement will terminate;

(c)         all materials provided by either Party to the other under this Agreement will be returned within 30 days after the Agreement’s termination; and

(d)         all data within a Party's possession or control, including without limitation in the possession or control of its subcontractors, must be erased so that it cannot be recoverred.

1.4         Reasonable assistance:  The Provider will assist the Customer as requested to allow the services provided under this Agreement to continue and facilitate the orderly migration of these services (the Termination Assistance) for 60 days after the Agreement’s termination. During the Termination Assistance Period, the Provider must continue to comply with all requirements under this Agreement unless otherwise expressly agreed in the Exit Plan contemplated in 1.6.

1.5         Exit plan:  If and to the extent requested by the Customer, whether prior to or upon termination of this Agreement or during any Termination Assistance period, the Provider must assist the Customer in developing an Exit Plan (the “Exit Plan”) which must specify:

(a)         the tasks to be performed by the Parties in connection with the Termination Assistance;

(b)         the schedule for the performance of tasks under the Exit Plan;

(c)         specific license or ownership rights of the Parties with respect to software or other intellectual property;

(d)         a description and documentation of the services, service levels, fees, and access requirements that will be required to transition the service provided under the Agreement;

(e)         the right to pass confidential product or service information on to other providers; and

(f)           the specific wind-down terms applicable to each stage of the Termination Assistance, including how volume changes will affect the services provisioning.

1.6         Third-party agreements:  If there are third-party agreements that will need to be assigned to the Customer as part of Termination Assistance, and these third-party agreements are used by the Provider to support multiple customers, or these agreements contain provisions against assignment, then the Provider must provide reasonable assistance to the Customer in engaging those third-parties directly.

1.7         Terms of termination assistance:  With regards to the Termination Assistance:

(a)         it must be provided on terms similar to what the Provider offers for the same type of services to other customers of similar size, based on the volume and nature of the services as they are reduced over the life of the Exit Plan;

(b)         if the termination is due to a material breach of the Customer, including non-payment, then the Provider may require that the breach be remedied or the amounts due be paid before providing any Termination Assistance; and

(c)         if the Customer requests the Provider to provide the services under the Agreement directly to a replacement provider, then the Customer must ensure the replacement provider maintains the confidentiality of all information received and cannot use it to gain a competitive advantage over the Provider.

1.8         Survival:  The provisions under Article 1 will survive termination of the Agreement.

 

Provider friendly

1.           TERMINATION

1.1         Material breach:  If a Party is in material breach of this Agreement and such breach is:

(a)         capable of being rectified, and the defaulting Party fails to rectify the breach within 30 days after the aggrieved Party provides a written notice requiring the defaulting Party to rectify the breach, then the aggrieved Party can terminate this Agreement with immediate effect and claim damages from the defaulting Party; or

(b)         not capable of being rectified, then the aggrieved Party can terminate this Agreement with immediate effect and claim damages from the defaulting Party.

Unless otherwise provided in the Agreement, the relief stipulated above will not limit the aggrieved Party’s rights. The aggrieved Party will have all available rights in terms of applicable law.

1.2         Material adverse regulatory change:  The Provider may terminate this Agreement in whole, but not in part, in the event of a change in the regulatory environment applicable to the Provider that the change has a materially adverse effect on the Provider’s ability to fulfil their obligations under this Agreement. The termination right under 1.2 can be exercised by giving at least 2 months' prior written notice to the Customer.

1.3         Additional termination rights:  This Agreement may be terminated by:

(a)         a Party immediately, without advanced notice, if the other Party is deemed unable or admits their inability to pay their debts as they become due;

(b)         a Party immediately, without advanced notice, if the other Party suspends making payments on any of their debts;

(c)         a Party immediately, without advanced notice, if the other Party commences negotiations with their creditors to reschedule their indebtedness because of actual or anticipated financial difficulties; or

(d)         a Party immediately, without advanced notice, if the other Party is found guilty corrupt activities under applicable laws.

1.4         Survival:  The provisions under Article 1 will survive termination of the Agreement.

Can the governing law impact on limitation of liability clauses?

Certain liability cannot be limited under contract. For example, limiting liability relating to fraud or wilful misconduct will not be enforceable.

Public policy and legislation that protect consumer rights may also determine that certain liabilities cannot be limited.

Table of Contents

The Author

Martin Kotze is a commercial lawyer with over 10 years of experience. He specialises in transactional work within the Tech, Financial Services and Property industries. 

He is also one of the co-founders at DocNinja and regularly advises listed companies to small and medium enterprises on how to contract better with their customers. 

Martin Kotze

This is a free 30min consultation to better understand your business and your needs.

Building an indemnity clause

How to build an indemnity clause

In this article, we have a look at some of the important aspects that must be kept in mind when drafting indemnity clauses.

Most disputed terms WCC ranking: 

18

Most important terms WCC ranking: 

23

Most negotiated terms WCC ranking: 

3

What is the purpose of an indemnity clause?

An indemnity clause aims to protect the Indemnified Party against certain liability or losses that the Indemnified Party is not willing to take when entering into the transaction.

For example, suppose you are the Customer using the Provider’s Software. In that case, you do not want to be exposed to claims from third parties for the infringement of intellectual property rights related to the use of the Software. Therefore, the indemnity creates an obligation on the Provider to cover you for the indemnified losses arising from the intellectual property infringement claim.

What are the different types of indemnities?

There is no closed list of types of indemnities. Generally, indemnities can cover claims that third parties may institute (so-called third-party indemnities) and cover any losses that the Indemnified Party may suffer from a breach of the Agreement by the other Party (so-called inter-party indemnities).

The indemnities you would typically want to include in your contract will depend on the transaction you are concluding, the associated risks, and, in some way, your industry.

Common indemnities include:

Indemnities against third-party infringement claims
If you buy Software from someone or resell Software for someone, you don’t want to be exposed to any intellectual property infringement claims relating to the product. The Provider usually carries this risk, and the way you transfer this risk to the Provider is by inserting an indemnity against third party intellectual property claims in the Agreement.

Indemnities against third-party claims
You can consider including an indemnity in respect of any possible third party claim (it all depends on the risks the Indemnified Party faces). Typically, third party indemnities are provided to protect the Indemnified Party against claims relating to personal injury, damage to property, breach of laws and employee and contractor compensation.

Indemnities relating to breach of contract
There are arguments that including an indemnity for the breach of contract provides some substantive and procedural advantages for recovering losses.

There may be jurisdictions where this is the case (provided that the indemnity is correctly drafted).

At the end of the day, if the Parties intend losses can be recovered under the indemnity that is otherwise considered remote, clearly stipulate this in your indemnity!

Indemnities relating to breach of warranties
There may be advantages to “upgrading” the warranties to indemnities. If this will hold any benefit will again depend on the wording of the indemnity, what it says about the remoteness of losses and interpretation.

Do you have a stronger claim under an indemnity?

The general belief is that an indemnity provides an easier way to recover losses and isn’t easily resisted in legal proceedings (this belief is because an indemnity creates a primary obligation and functions as a debt and is not a claim for breach of contract).

If the Indemnified Party suffers the indemnified loss, a claim can be instituted under the indemnity. The usual hurdles relating to causation and mitigation are side-stepped (in a way), and an Indemnified Party may be able to recover more losses (compared to losses recoverable under a breach of contract).

The above, however, only holds if the indemnity is worded properly and used correctly.

TIP – If the intention is that an Indemnified Party can claim losses that were not foreseeable when the Agreement was concluded, expressly stipulate this!

Building blocks of an indemnity clause

building an indemnity clause

The Indemnified Party

The Indemnified Party is the Party that will be protected under the indemnity.

Will the indemnity also protect any third parties, for example, employees of the Indemnified Party?

Suppose you are acting for the Indemnified Party. In that case, you want to try and broaden the scope of the indemnity by adding, for example, Affiliates, agents, contractors, directors, employees and shareholders of the Indemnified Party.

The Indemnified Losses

Indemnified Losses refer to the losses that the Indemnified Party can claim under the indemnity.

For example, suppose it is a third-party IP infringement claim. In that case, the Indemnified Losses may be the amount of any judgment against the Indemnified Party and legal fees and costs reasonably incurred.

It is important to be as specific as possible here and make sure you are clear on the Indemnified Losses.

Also, under the Indemnified Losses, you want to be clear on specific indemnity obligations. For example, in certain jurisdictions, the obligation to indemnify, defend, and hold harmless may provide a more comprehensive indemnity obligation than only the obligation to indemnify.

The Indemnified Event

The Indemnified Event is the trigger required to claim under an indemnity.

For example, an Indemnified Event may be a situation where a third-party institutes (or even only threatens), for example, an IP infringement claim against the Indemnified Party due to the use of Software that the Indemnified Party supplied.

If you are the Indemnified Party, you want the Indemnified Event to be comprehensive and to occur as soon as the possibility of a claim arises.

Claims procedure

Claims procedure refers to the process the Indemnified Party needs to follow to claim under a third party indemnity.

If you are indemnifying someone else, you want then to jump through a couple of hoops before they can claim under the third party indemnity.

Typical claims procedures relate to when notification must be provided to the Indemnifying Party, the right to control the legal proceedings and the obligation to provide reasonable assistance.

Some indemnities provide that if the claims procedures are not adhered to, the Indemnifying Party will be absolved from their obligations under the indemnity. This type of provision benefits the Indemnifying Party and may be necessary for certain circumstances.

The Exclusions

The exclusions refer to the claims that will not be covered under the indemnity and are often the most negotiated part of indemnity provisions.

The effect of an exclusion is that if an Indemnified Event occurs, the Indemnified Party cannot claim under the indemnity.

Examples of typical exclusions are if the Customer modifies the supplied product somehow or the Client uses the product beyond specification/documentation.

These Exclusions must be worded carefully and must usually provide that the exclusion only applies to the extent that the exclusion relates to the claim.

Limitation of liability

A limitation of liability clause may limit the extent to which you can recover losses under an indemnity (i.e. there is a liability cap). If you are acting for the Indemnified Party, you would want to avoid a situation where there is a cap placed on an indemnity claim.

Some commentators argue an indemnity is a debt and not a liability and therefore does not fall under the limitation of liability. But rather be safe than sorry. If you do not want the indemnity to be limited by the limitation of liability, make sure to expressly stipulate this (i.e. carve it out from the scope of the limitation of liability provisions).

Minimum claim amount

Sometimes you want to include a minimum claim amount. In other words, the Indemnifying Party will not be liable for any claim where the claim is below a certain amount.

Defending claims under indemnities can cost a lot of money. You do not want to get involved in legal proceedings where the legal costs will exceed the actual claim amount.

Mitigation

It is possible to argue that there is no obligation to mitigate any losses related to an indemnity claim. However, do you want to leave this open for possible disputes?

It’s recommended that you expressly stipulate whether or not there is an obligation on the Indemnifying Party to take reasonable steps to mitigate their losses.

If you are acting for the Party providing the indemnity, you want the Indemnified Party to do everything possible to keep the Indemnified Loss to a minimum.

Reserved rights

If you are acting for the Indemnifying Party, it is usually a good idea to reserve some rights for the Indemnifying Party if the paw-paw hits the fan.

For example, the Indemnifying Party would typically want to have the right to replace any product subject to an IP infringement claim the moment such a claim is threatened.

Exclusive remedy

Must the indemnity be regarded as the exclusive remedy on the happening of an Indemnified Event? In other words, must the Indemnified Party only be able to claim under the indemnity and will not be allowed to claim damages under breach of contract?

Stipulating that the indemnity is the exclusive remedy can benefit the Indemnifying Party. Suppose the Indemnified Losses part of the indemnity provisions is drafted in your favour. In that case, the losses that can be claimed will be limited and very specific, enabling you to take out appropriate insurance.

However, if you are the Indemnified Party, you what to have all options open and pursue the remedy that will be most beneficial to you. Generally, you don’t want to agree that the indemnity will be the exclusive remedy.

Guarantees and undertakings

If you are acting for the Indemnified Party, it is important to know that entity behind the indemnity will be able to make good on the promise to indemnify. Contracting with an SPV that turns out to be a shell entity may leave you without much recourse if the indemnified event occurs.

A guarantee from the holding company may be an option. With the guarantee, the holding company guarantees the indemnifying party’s performance.

Example clauses

Customer friendly indemnity (third-party IP infringement claims)

1.           INDEMNITY: THIRD PARTY INTELLECTUAL PROPERTY INFRINGEMENT CLAIMS

1.1         Indemnity:  The Provider (the “Indemnifying Party”) must indemnify, defend and hold harmless the Customer, their Affiliates, agents, contractors, directors, employees and shareholders (the “Indemnified Party”) against the Indemnified Losses and Liabilities in Section 1.2 on the happening of an Indemnified Event in 1.3.

1.2         Indemnified Losses:  The losses and liability covered under Section 1.1 are expenses, fines, legal fees and cost, legal fees and cost (reasonably incurred), paying for judgment finally awarded, paying for settlements and penalties (the “Indemnified Losses”).

1.3         Indemnified Event:  The event or circumstances covered under Section 1.1 is where a third party institutes a claim, or threatens a claim, against the Indemnified Party relating to, or arising out of the infringement of intellectual property rights relating to any product or service provided under this Agreement (the “Indemnified Event”).

1.4         Mitigation:  There is no duty on the Indemnified Party to mitigate their losses or liability if there is a claim instituted under Section 1.1.

1.5         No limitation of liability:  Despite anything stipulated in this Agreement, the indemnity under Section 1.1 will not be limited by any limitation of liability provisions in this Agreement.

1.6         Liability cap:  No amounts awarded or agreed to be paid under this indemnity will not count toward any liability cap stipulated in this Agreement.

Provider friendly indemnity (third-party IP infringement claims)

1.           INDEMNITY: THIRD PARTY INTELLECTUAL PROPERTY INFRINGEMENT CLAIMS

1.1         Indemnity:  The Provider (the “Indemnifying Party”) must indemnify the Customer (the “Indemnified Party”) against the Indemnified Losses and Liabilities in Section 1.2 on the happening of an Indemnified Event in 1.3.

1.2         Indemnified Losses:  The losses and liability covered under Section 1.1 are paying for judgment finally awarded, whether or not foreseeable (the “Indemnified Losses”).

1.3         Indemnified Event:  The event or circumstances covered under Section 1.1 is where a third party institutes a claim against the Indemnified Party directly relating to the infringement of intellectual property rights relating to any product or service provided under this Agreement (the “Indemnified Event”).

1.4         Claims procedure:  The Indemnified Party must:

(a)         give the Indemnifying Party the sole right to control the legal proceedings;

(b)         promptly notify the Indemnifying Party of the claim; and

(c)         provide reasonable assistance and cooperation to the Indemnifying Party during the defence of the claim.

1.5         If the Indemnified Party does not notify the Indemnifying Party as per the obligation under Section 1.2, it will not affect the obligation to indemnify as per Section 1.1 unless it materially prejudices the ability to defend the third party infringement claim contemplated in Section 1.1.

1.6         Exclusions:  The Indemnifying Party is not liable to the Indemnified Party for any claim under Section 1.1 to the extent that the product or service provided under this Agreement is:

(a)         combined with any other product, service, or technology;

(b)         distributed outside the Territory;

(c)         modified in any way;

(d)         used beyond specification;

(e)         used in breach of this Agreement or applicable law; or

(f)           used without adherence to requirements.

1.7         Acts or omission by the Indemnified Party:  The Indemnifying Party is not liable to the Indemnified Party for any claim under Section 1.1 to the extent that the claim is a result of an act or omission of the Indemnified Party, their employees, contractors or agents.

1.8         Contributory acts:  Losses caused by a contributory act or omission of the Indemnified Party, their employees, contractors or agents must be apportioned to the Indemnified Party, and the Indemnifying Party is only liable for losses to the extent that it is their fault.

1.9         Miscellaneous:  If a claim under Section 1.1 is made against the Indemnified Party, or is likely to be made in the Indemnifying Party’s opinion, then the Indemnifying Party may modify or replace the product or service under this Agreement that is the subject of the claim, in defence or settlement of the claim.

1.10      Mitigation:  The Indemnified Party must use reasonable efforts to mitigate their liability if there is a claim instituted against them as contemplated under Section 1.1.

1.11      Sole remedy:  Despite anything else stipulated in this Agreement, the indemnity under Section 1.1 is the sole remedy available to the Indemnified Party if a claim, as contemplated under Section 1.1, is instituted against the Indemnified Party.

1.12      Liability cap:  Amounts awarded or agreed to be paid under this indemnity will count towards any liability cap stipulated in this Agreement.

 

Clauses you need to consider with your indemnity clause

Have a look at your limitation of liability clause. As the Indemnified Party, you also want the limitation of liability to cover claims under the indemnity. As the Indemnified Party, you would want unlimited claims when it comes to scenarios that fall under the indemnity.

Table of Contents

The Author

Martin Kotze is a commercial lawyer with over 10 years of experience. He specialises in transactional work within the Tech, Financial Services and Property industries. 

He is also one of the co-founders at DocNinja and regularly advises listed companies to small and medium enterprises on how to contract better with their customers. 

Martin Kotze

This is a free 30min consultation to better understand your business and your needs.