Fast Vendor Terms and Conditions

Last updated: September 29, 2021

This Fast Vendor Terms and Conditions (“Terms”) supplements, but does not replace, any Statement of Work (“SOW(s)”) entered into by and between Fast AF, Inc., a Delaware corporation (“Fast”), and the individual or entity set forth in the SOW(s) (“Vendor”). The SOW(s) and these Terms together form the “Agreement”. Any terms not defined in these Terms have the meaning set forth in the SOW(s). If any provision of any SOW(s) conflicts with these Terms, the provision of the SOW will prevail, but only as to the conflicting SOW. 

1. Services, Payments, Taxes, and Fees

1.1 Services. Vendor agrees to undertake and complete the “Services” defined in the SOW(s) in accordance with and on the schedule specified therein. Vendor shall deliver and perform all Services: (a) in accordance with the terms and subject to the conditions set forth in the applicable SOW and these Terms; (b) using personnel of required skill, experience, and qualifications; (c) in a timely, professional, and workmanlike manner in accordance with standards generally accepted in Vendor’s industry; and (d) to the reasonable satisfaction of Fast. 

1.2 Payments. As the only consideration due Vendor for the Services, Fast will pay Vendor as expressly stated in the SOW(s). Unless stated otherwise in any SOW, Fast pays invoices within thirty (30) calendar days of receiving such invoice. If any invoiced items are reasonably disputed by Fast, no late fees or interest will be charged on payments withheld by Fast; such withholding during resolution of the dispute(s) will not constitute a default by Fast, nor will it entitle Vendor to suspend or delay provision of the Services or to terminate the Agreement in whole or in part. Fast will not reimburse Vendor for any ancillary expenses incurred in the performance of the Services unless such expenses are reasonable, were actually incurred as supported by documentation, and were pre-approved in writing by an authorized Fast representative.

1.3 Taxes and Fees. Fast will pay applicable sales tax, value added tax, or goods and services tax that Vendor is legally obligated to charge (“Taxes”), provided that such Taxes are stated separately on the valid tax invoice that Vendor provides to Fast in accordance with the Agreement. Notwithstanding the foregoing, if Fast provides Vendor a tax exemption document acceptable to the relevant taxing authority, Vendor shall not collect the Taxes covered by such documentation. Fast shall have the right but not the obligation to deduct or withhold any taxes from any amounts payable to Vendor under the Agreement, in which case payment to Vendor as reduced by such itemized deductions or withholdings will constitute full payment and settlement to Vendor of such amounts. Vendor will provide Fast with any forms, documents, or certifications required for Fast to satisfy any information reporting or withholding tax obligations with respect to any amounts payable under the Agreement. Vendor is solely responsible for all other applicable taxes, withholdings, or fees (including interest, penalties, and/or additions thereto) related to this Agreement and agrees to defend, indemnify, and hold Fast harmless from any and all claims, liability, and expenses on account of an alleged failure by Vendor to satisfy any such obligation.

2. Confidentiality; No Publicity

2.1 Definitions. “Confidential Information” means information previously, presently, or subsequently disclosed, directly or indirectly, by or for the disclosing party (“Discloser”) to the receiving party (“Recipient”), or accessed by Recipient in connection with Recipient’s performance of its obligations under the Agreement, that Discloser reasonably considers confidential or proprietary. Confidential Information includes the Agreement, the terms and conditions of the Agreement, and information exchanged in the course of negotiating the Agreement. Confidential Information does not include information that: (a) was rightfully known by Recipient without restriction before receipt from Discloser; (b) is rightfully disclosed to Recipient without restriction by a third party; (c) is or becomes generally known to the public without violation of this Agreement by Recipient; or (d) is independently developed by Recipient or its employees without access to or reliance on such information. Discloser represents and warrants to Recipient that it is authorized to disclose any and all Confidential Information made available to Recipient under the Agreement. For clarity, as between Fast and Vendor, any Fast data collected, used, processed, or stored by Vendor is Fast Confidential Information.

2.2 Covenants. Recipient agrees: (a) to use Discloser’s Confidential Information only as necessary for Recipient to perform its obligations under the Agreement (or in the case of Fast, to receive the Services and/or to use any materials provided by a subcontractor); (b) to protect Discloser’s Confidential Information with no less than reasonable care; (c) not to disclose, sell, license, transfer, or otherwise make available Discloser’s Confidential Information to any third party unless required as a matter of law, in which case Recipient agrees to notify Discloser in advance of disclosure to the extent permitted by law and moreover limits such disclosure to the minimum necessary to comply with the legal requirement; (d) to share Discloser’s Confidential Information with employees and subcontractors only as necessary to perform the Agreement, under confidentiality obligations at least as restrictive as those in this Agreement; (e) to immediately notify Discloser upon discovery of any loss of or unauthorized access to Discloser’s Confidential Information; (f) upon written request by Discloser, to return or certify destruction of all documents and other tangible materials representing Discloser’s Confidential Information and all copies thereof, provided, however, that (1) Fast will not be required to remove copies of Vendor’s Confidential Information from any backup media or servers and (2) Vendor may keep its personal copies of its compensation records and of this Agreement; (g) not to copy, decompile, disassemble, or otherwise reverse engineer any of Discloser’s Confidential Information; (h) not to export any Confidential Information in violation of export control laws; (i) that all Confidential Information is and shall remain the exclusive property of Discloser; and (j) that due to the unique nature of Confidential Information, unauthorized disclosure or misuse of Confidential Information would cause not only financial harm to Discloser, but also irreparable harm for which money damages may not be an adequate remedy, and accordingly, breach or threatened breach of any provision of this Section 2 shall entitle Discloser, in addition to any other legal or equitable remedies, to immediate equitable relief, including an injunction, without the necessity of posting any bond.

2.3 Safe Harbor. Notwithstanding any other provision of this Agreement, the following Section 2.3 shall apply if Vendor is an individual. An individual will not be held criminally or civilly liable under any federal or state trade secret law for any disclosure of a trade secret that: (a) is made: (i) in confidence to a federal, state, or local government official, either directly or indirectly, or to an attorney; and (ii) solely for the purpose of reporting or investigating a suspected violation of law; or (b) is made in a complaint or other document that is filed under seal in a lawsuit or other proceeding. Moreover, an individual who files a lawsuit for retaliation by Fast for reporting a suspected violation of law may disclose Fast’s trade secret(s) to the individual’s attorney and use the trade secret information in the court proceeding, if he or she (a) files any document containing the trade secret under seal; and (b) does not disclose the trade secret, except pursuant to court order.

2.4 No Publicity. Neither party will issue or make, directly or indirectly, any press releases or other public announcements relating to the Agreement or the underlying transaction(s) between Fast and Vendor without the prior written approval of the other party. Each party reserves the right to withhold approval in its sole discretion.

3. Ownership 

3.1 Fast Property. “Fast Property” means: (a) any Fast Confidential Information; (b) any: (i) trade secrets; (ii) patents and patent applications; (iii) trademarks and trademark applications; (iv) service marks and service mark applications; (v) trade dress, logos, business names, and trade names; (vi) Internet domain names; (vii) copyrights and copyright applications (and neighboring rights); (viii) moral rights, paternity rights, and/or integrity rights; (ix) rights in databases and data collections; (x) design rights; (xi) rights in know-how; (xii) rights in utility models; (xiii) rights in inventions (whether patentable or not); (xiv) topography rights; (xv) rights in data; (xvi) rights in software; and (xvii) other proprietary rights (collectively, “Intellectual Property”) of Fast’s; (c) any data or information systems of Fast’s. 

3.2 Works for Hire. Subject to the exceptions set forth in Section 3.4, below, Vendor agrees that all results of the Services (whether completed or not completed) and all work performed by Vendor related to this Agreement, whether solely or together with Fast, whether or not created using or relying on Fast Property, and whether or not using or incorporating Fast Property, including without limitation all notes, reports, developments, documentation, drawings, software, inventions, creations, works, devices, models, trade secrets, work-in-progress, and deliverables, whether or not patentable or copyrightable (the “Work Product”), is all considered “work made for hire” and will be protected as such. Work Product is and will be the sole property of Fast.

3.3 Intellectual Property. All Intellectual Property related to the Work Product or otherwise conceived, reduced to practice, or filed by Vendor during any SOW Term or up to one (1) year after all SOW Terms, now known or hereafter recognized, whether registered or unregistered, in any jurisdiction worldwide, shall be presumptively owned by Fast. 

3.4 Exceptions. Notwithstanding the foregoing, pursuant to California Labor Code Section 2870 or equivalent applicable law, any work or intellectual property of the Vendor that: (a) was developed by Vendor entirely on their own time without use of Fast equipment, supplies, facilities, trade secret information, or Confidential Information, and (b) does not relate at the time of conception or reduction to practice of the invention to Fast’s business, or actual or demonstrably anticipated research or development of Fast (the “Independent IP”) is not considered Work Product. Also excluded from the definition of Work Product is any “Prior Related IP”, which for the purposes of this Agreement shall mean only work or Intellectual Property relevant to the subject matter of this Agreement or Vendor’s Services: (i) that was conceived in whole or part by Vendor prior to the Effective Date without use of or reference to Fast’s Intellectual Property; (ii) to which Vendor holds right, title, interest, or the ability to license; and (iii) related to Vendor’s business.

3.5 Assignment. Vendor hereby assigns and transfers to Fast, its successors, and affiliated companies: all right, title, and interest in all Work Product, as well as all Intellectual Property thereto, in all countries and territories worldwide and under any international conventions thereto. To the extent any such right may not be legally assigned, it is waived and all activities of or authorized by Fast and its successors and affiliates are hereby ratified and consented to. Vendor agrees, during and after the term of this Agreement, to assist Fast from time to time at Fast’s request and expense, to further evidence, record, and perfect such assignments, waivers, and ratifications. Vendor hereby irrevocably designates and appoints Fast as its agents and attorneys-in-fact, coupled with an interest, to act for and on Vendor’s behalf to execute and file any document and to do all other lawfully permitted acts to further the foregoing with the same legal force and effect as if executed by Vendor and all other creators or owners of the applicable Work Product and/or of any modifications, derivatives, or improvements of Work Product including without limitation future products, services, or businesses (collectively, the “Derivatives”). 

3.6 Underlying IP. If Independent IP or Prior Related IP is incorporated into any Work Product, or if the use of Work Product or Derivatives is dependent on use of Independent IP, Prior Related IP, or any other technology or intellectual property rights not effectively assigned to Fast hereunder (collectively, the “Underlying IP”), Vendor hereby grants Fast and its successors a perpetual, irrevocable, worldwide, royalty-free, non-exclusive, sublicensable, and transferable right and license to exploit and use in any manner the Underlying IP in connection with either Work Product or Derivatives. Fast agrees not to use or exploit Vendor’s Underlying IP when not related to Work Product or Derivatives. Vendor represents and warrants to Fast that everything submitted or purportedly assigned to Fast, including without limitation the Services, the Underlying IP, and the Work Product (collectively, the “Assigned Property”) shall be original work created by Vendor and will not infringe or misappropriate any Intellectual Property or other rights of any third party or any non-assigned rights of Vendor.
If the Assigned Property does not comply with the foregoing sentence, in addition to any other remedies Fast may have, Vendor will in the following order (at Vendor’s sole cost and expense): (a) procure for Fast the right to continue using the affected Assigned Property; (b) if applicable, replace the affected Assigned Property with conforming and/or non-infringing and non-misappropriating Assigned Property at no cost to Fast; (c) modify the affected Assigned Property to conform or become non-infringing and non-misappropriating without detracting from their functionality or performance; or (d) if the foregoing alternatives are not commercially available, then cease providing the non-conforming or infringing Assigned Property and refund to Fast all monetary sums paid to Vendor for such non-conforming or infringing Assigned Property within fifteen (15) calendar days of such cessation.

4. Vendor Responsibilities

4.1 Compliance. Vendor certifies to Fast that it has and shall obtain all necessary regulatory approvals, licenses, and permits applicable to its business, and shall perform the Services in a manner that complies with, and that allows Fast to be in compliance with, all laws, regulations, and other requirements applicable to the Agreement or the Services, along with applicable industry standards (collectively, “Applicable Laws”). If Vendor is located outside of the U.S., Vendor represents and warrants that all Services are performed outside of the U.S. Without limiting the foregoing, Vendor represents and warrants that it has complied with: (a) the U.S. Foreign Corrupt Practices Act and any other Applicable Laws regarding the offering of unlawful or improper inducements; and (b) all applicable U.S. export controls.

4.2 Employees. Services may only be performed by employees of Vendor, who shall: (a) comply with all Applicable Laws; (b) follow any Fast requirements provided to Vendor; and (c) not remove any property, notes, or other material or records from any Fast facility at which work is conducted. Vendor is responsible for, and assumes all liability with respect to: (x) any of its employees performing Services, including any failure of employees to comply with any duties or obligations imposed on Vendor under the Agreement; and (y) any claims made by its employees against Fast. Fast may request removal of any Vendor employee from the applicable project for any lawful reasons and Vendor shall immediately remove such employee, in which case Fast shall not be responsible for any costs associated with any training, orientation, or other steps necessary to bring replacement employee(s) (regardless of the reason for such replacement) to the same level of knowledge of the Services as the replaced person(s).

4.3 Data and Network Security. Vendor represents, warrants, and covenants that it will maintain no less than industry-standard network security policies and practices in connection with its performance of the Services, and creation, development, and delivery of the Work Product. Vendor represents, warrants, and covenants that it (a) will not, and will not allow others to, download, install, implement or use any malicious code in connection with: (i) any Vendor access to any Fast site; (ii) any access to Fast’s information systems; (iii) any access, communication, contact, or interconnection between the information systems of Fast and Vendor; (iv) any access/exposure to or communication of Fast Property; or (v) any Vendor-hosted interface, which Fast or its actual or prospective users, including without limitation advertisers and content providers, may access; (collectively, “Network Communication(s)”); (b) will not, and will not allow others to, upload any Fast Property, Confidential Information, or any other proprietary information from Network Communication(s) to any external site; (c) will not, and will not allow others to, use Network Communication(s) to send spam or otherwise abuse, disrupt, or misuse the Network Communication(s) in any way; and (d) shall comply with any additional network security terms or conditions provided by Fast in connection with Network Communication(s).

4.4 Additional Representations and Warranties. Vendor represents and warrants for itself and its employees that: (a) it is a validly existing business entity, duly licensed and qualified to carry on its business/operations and perform its obligations; (b) it has all rights, licenses, permits, qualifications, and consents necessary to perform their respective obligations; (c) its performance under the Agreement does not and will not violate or cause a breach of the terms of any other agreement to which it is a party; (d) Work Product furnished hereunder is and will be: (i) new and free from defects in design, materials, and workmanship; (ii) of merchantable quality and fit for the purposes for which they are intended; and (iii) free and clear of all liens, claims, and encumbrances; (e) it has all rights, licenses, permits, qualifications, and consents necessary to grant Fast ownership and use of the Work Product, and delivery to Fast of all rights and licenses in and to the Work Product does not violate any laws; (f) it will take all necessary precautions to prevent injury to any person or damage to any property while performing Services; (g) the Services, the media on which the Services are performed and/or delivered, and the Work Product will be free of viruses, backdoors, and/or other malware; and (h) any open source code used by Vendor has not and will not be used in any manner that could jeopardize Fast’s rights.

4.5 Insurance. Throughout the term of the Agreement, Vendor shall maintain, with financially sound and reputable insurers, minimum insurance coverage consistent with industry standards for the nature of the Services and Vendor’s business. Upon request by Fast, Vendor shall furnish a certificate of insurance evidencing compliance with the above provisions and naming “Fast AF, Inc.” and any other parties reasonably requested by Fast as additional insureds. 

4.6 Transferability. This Agreement and the Services are personal to Vendor, and Vendor shall not have the right or ability to assign, transfer, or subcontract this Agreement or any rights or obligations under this Agreement without the written consent of Fast. Any attempt to do so shall be void. Fast expressly reserves the right to assign this Agreement and to delegate any of its obligations hereunder. 

4.7 No Use of Marks. Vendor is not authorized to use and agrees it will not use any Fast trademarks, logos, service marks, trade names, and/or legal notices pertaining thereto (collectively, “Fast Marks”), without prior written consent from Fast. All rights, title, and interests in the Fast Marks and the goodwill inuring thereto are the exclusive property of Fast.

4.8 Force Majeure. Neither party shall be liable for any failure to perform its obligations hereunder where such failure results from any cause beyond such party’s reasonable control (“Force Majeure Event”), provided that: (a) such occurrence could not have been avoided by commercially reasonable precautions and cannot be circumvented through the use of commercially reasonable alternative sources; and (b) such party continues to use commercially reasonable efforts to recommence performance whenever and to whatever extent possible. If the Services cannot be completed or provided due to a Force Majeure Event, Fast shall be entitled to a prorated refund of any amounts already paid. 

4.9 Vaccine Policy for Non-Remote Activities. Vendor acknowledges that Fast has implemented a COVID-19 Vaccine Policy for the safety of its employees and other parties authorized to visit Fast facilities or attend Fast-hosted events. If Services are not performed entirely remotely, then Fast may require, in its sole discretion, that Vendor and any other individuals performing the Services take safety precautions, ranging from wearing face masks up to and including completing a full COVID-19 vaccination cycle (two (2) weeks after the final dose of a US-approved vaccine) before engaging in any in-person interactions with Fast employees. Prior to commencement of the Services, Fast will inform Vendor of the specific COVID-19-related vaccination or other safety requirements applicable to Vendor’s provision of any in-person Services. Inability to complete Services, if related to Vendor’s (or any of Vendor’s employees’) failure to comply with Fast’s communicated COVID-19 safety requirements, will be considered a material breach of the Agreement by Vendor entitling Fast to terminate immediately the Agreement and/or any SOWs for cause pursuant to Section 6.3(a) below.

5. Data Protection

5.1 Definitions. As used herein: 

  1. the terms “controller”, “data subject”, “personal data”, “personal data breach”, “process/processing”, “processor”, “special categories of data”, and “supervisory authority” mean the same as those defined terms in the GDPR, or where other Data Protection Laws are applicable, the same meaning as analogous terms in those Data Protection Laws. For example: (i) “controller” means the person or entity that determines the purposes and means of processing personal data, and includes, as applicable, any “business” as that term is defined by the CCPA; and (ii) “processor” means an entity that processes personal data on behalf of a controller, and includes, as applicable, any “service provider” as that term is defined by the CCPA. 
  2. “Data Protection Laws” means applicable laws, statutes, regulations, and binding obligations in relation to the processing of Personal Data, including, without limitation, the EU General Data Protection Regulation (the “GDPR”), the California Consumer Privacy Act (the “CCPA”), the UK Data Protection Act 2018, the Australian Privacy Act 1988 (Cth), and the New Zealand Privacy Act 2020, as those laws may be amended from time to time. 
  3. “Subprocessor” means a processor appointed by Vendor to assist Vendor in providing the Services. A subprocessor processes personal data on Fast’s behalf.

5.2 Covenants. The parties agree:

  1. Each party shall at all times during the term of the Agreement comply with its respective obligations under applicable Data Protection Laws in performing its obligations under the Agreement; 
  2. Where Vendor processes personal data on behalf of Fast, Fast (and/or its affiliates or Users) shall be controller and Vendor shall be the processor and/or subprocessor, as applicable, in relation to the processing of the personal data. Without limiting or affecting Section 5.2(a), the parties will comply with their respective obligations as set out in the Data Protection Schedule attached to these Terms as Exhibit A; and
  3. Vendor shall collect, retain, use, disclose, and otherwise process Personal Information solely to fulfill its obligations to Fast under the Agreement, and on Fast’s behalf, and for no other purposes. In no event shall Vendor attempt to link, identify, or otherwise create a relationship between personal data and non-personal data or any other data without the express authorization of Fast. Upon written request of Fast, Vendor shall assist Fast in complying with Fast’s obligations under Data Protection Laws to respond to requests to delete or access Personal Information. Vendor shall not sell personal data or otherwise disclose personal data for its own commercial purpose. Vendor certifies that it understands its restrictions and obligations set forth in Data Protection Laws and will comply with them.

6. Term and Termination

6.1 Term. This Agreement will commence on the Effective Date as defined in the SOW, and unless earlier terminated in accordance herewith, shall last until the expiration of all SOWs. 

6.2 Termination for Convenience. Fast may terminate any SOW, for convenience, upon thirty (30) calendar days’ written notice. In the event of termination for convenience, Vendor shall be paid all fees and expenses in accordance with the applicable SOW for Services provided through the effective date of termination. 

6.3 Termination for Cause. Fast may terminate the Agreement, in whole or in part: (a) immediately in the event of a breach by Vendor involving confidentiality, security, personal data, Data Privacy Laws (as defined below) or personal safety; or (b) upon written notice if Vendor otherwise materially breaches the Agreement and fails to cure such breach within thirty (30) days of receipt of notice of such breach. If Fast terminates the Agreement pursuant to this Section 6.3, Vendor shall not be entitled to any additional payments following termination. Additionally, Vendor may terminate this agreement upon written notice if Fast materially breaches the Agreement and fails to cure such breach within thirty (30) calendar days of receipt of notice of such breach. If the Agreement is terminated pursuant to this Section, the terminating party reserves cumulatively all other remedies and rights under the Agreement, at law and in equity. 

6.4 Effect of Termination. Upon termination or expiration of this Agreement or any SOW(s), all licenses granted by Fast to Vendor will be terminated immediately. Additionally, for a period of at least three (3) years after the date of the final payment under each SOW, Vendor shall maintain complete and accurate accounting records in connection with the Services sufficient to substantiate its charges, and provide Fast or its designees reasonable access to such records for audit purposes; if any audit reveals that Fast has overpaid any amounts, Vendor shall promptly remit to Fast such overpaid amounts. Sections 1.3, 2, 3, 4, 7, 8, and 9 of this Agreement shall survive any termination or expiration of this Agreement or any SOW(s). 

7. Indemnification

Vendor shall defend, indemnify, and hold harmless Fast and each of its partners, officers, directors, employees, agents, representatives, and personnel (“Fast Indemnitees”) from and against any and all claims, liability, proceedings (including arbitration), and expenses of any kind (including reasonable attorneys’ fees), commenced or threatened by any party, whether actual or alleged, arising out of: (a) the gross negligence or willful misconduct of Vendor or its employees in the performance of any Services; (b) any claim that the Services or any Work Product infringe upon or misappropriate the Intellectual Property rights of any third party; (c) any claim that Vendor has failed to comply with Applicable Laws; (d) any claim brought by, on behalf of, or against any of Vendor’s employees; or (e) any breach of any of Vendor’s representations or warranties, or confidentiality obligations, as set forth in these Terms (including any exhibits attached hereto) (collectively, “Indemnified Claim(s)”). Fast will (at Vendor’s sole expense) reasonably cooperate to facilitate the settlement or defense of such Indemnified Claim. Vendor is solely responsible for defending any Indemnified Claim against a Fast Indemnitee, subject to such Fast Indemnitee’s right to participate with counsel of its own choosing at its own expense, and for payment of all judgments, damages, costs, and expenses, including reasonable attorneys’ fees, resulting from all Indemnified Claims against a Fast Indemnitee; provided however, that Vendor will not agree to any settlement that imposes any obligation or liability on a Fast Indemnitee without such Fast Indemnitee’s prior express written consent.

8. Limitation of Liability 


9. General

This Agreement represents the complete agreement concerning the subject matter hereof between the parties and supersedes all prior agreements and representations between them with respect thereto. This Agreement may be amended or waived only by the written and signed agreement of both parties. Any breach of Sections 2, 3, 4, or 5 hereof will cause irreparable harm to Fast for which damages would not be an adequate remedy, and therefore, Fast will be entitled to injunctive relief with respect thereto in addition to any other remedies. In any action or proceeding to enforce rights under this Agreement, the prevailing party shall be entitled to recover costs and attorneys’ fees. Vendor is an independent contractor and not an employee, agent, partner, or joint venturer of Fast, and as such Vendor shall not be entitled to any benefits, coverages, or privileges, including without limitation social security, unemployment, vacation pay or sick pay, or medical or pension payments, that may be made available to employees of Fast. This Agreement shall be governed by the internal laws of the State of California, without regard to conflicts of laws provisions thereof. Exclusive jurisdiction and venue for any action arising under the Agreement shall be in the federal and state courts located in San Francisco, California, and both parties hereby consent to such jurisdiction and venue for this purpose. In the event that any provision of this Agreement shall be determined to be illegal or unenforceable, that provision will be limited or eliminated to the minimum extent necessary so that the Agreement shall otherwise remain in full force and effect and enforceable. The failure of either party to act with respect to a breach of this Agreement by the other party shall not constitute a waiver and shall not limit such party’s rights with respect to such breach or any subsequent breaches. 
This Agreement may be executed by written signature or electronically and delivered in multiple counterparts, including facsimile, PDF, or other electronic counterparts, all of which will constitute one and the same instrument and agreement. Each person executing this Agreement on behalf of a party hereto represents and warrants that such person is duly and validly authorized to do so on behalf of such party, with full right and authority to execute this Agreement and to bind such party with respect to all of its obligations hereunder. Any notices sent pursuant to the Agreement shall be in writing and shall be deemed to have been duly given on the day of service if served personally or upon receipt if mailed by certified mail, return receipt requested, or a nationally recognized overnight courier, and addressed to the parties at the addresses set forth in the applicable SOW (or at such other addresses as may be specified by either party in accordance with this Agreement), provided that any and all notices to Fast must also include a copy sent by email to [email protected].

Exhibit A - Data Protection Schedule

Any terms not defined in this Data Protection Schedule (this “Schedule”) shall have the meaning set forth in the Agreement. 

1. Vendor (as processor) agrees with Fast (as controller) that it shall:

  (a) process the personal data only in accordance with Fast’s documented instructions as set out in the Agreement, this Schedule and/or as otherwise required for Vendor to provide the Services in accordance with the terms of the Agreement and/or as otherwise instructed in writing by Fast from time to time, unless required to do so by mandatory EU or national law to which Vendor is subject; in such cases Vendor will, unless expressly prohibited by such law, inform Fast of such legal requirement prior to any such processing;
  (b) ensure that Vendor personnel who process the personal data are subject to appropriate contractual or statutory obligations of confidentiality;
  (c) implement appropriate technical and organizational security and confidentiality measures to provide a level of security for the personal data appropriate to the risk to the personal data, as described in paragraph 4 of this Schedule;
  (d) taking into account the nature of Vendor’s processing activities in respect of personal data and at Fast’s request, assist Fast by appropriate technical and organizational measures, insofar as this is possible, to fulfil Fast’s obligations to respond to requests made by data subjects in relation to their rights under Data Protection Laws;
  (e) taking into account the nature of Vendor’s processing of the personal data and the information available to Vendor: (i) notify Fast of a personal data breach in relation to the personal data without undue delay; and (ii) at Fast’s request provide reasonable assistance to Fast in relation to any mandatory obligations applicable to Fast in relation to such personal data breach, under Data Protection Laws, in each case (i) and (ii) at Vendor’s reasonable cost;
  (f) taking into account the nature of Vendor’s processing of the personal data and at Fast’s request, provide reasonable assistance to Fast in relation to any mandatory obligations applicable to Fast in relation to: (i) the performance of data protection impact assessments (where applicable) by Fast under Data Protection Laws; and, where applicable, (ii) carrying out consultations with a supervisory authority;
  (g) at the election of Fast, delete or return all the personal data to Fast at the end of the term of the Agreement and delete existing copies of such data unless Vendor is subject to a legal requirement to store such data beyond the term of the Agreement, in which case Vendor will return or delete such data as soon as possible;
  (h) not have the personal data processed by a subprocessor, except to the extent (i) authorized by Fast under paragraph 2(a) below; and (ii) any such subprocessor is bound by the same data protection obligations as contained in paragraph 1 of this Schedule in respect of the processing of the personal data;
  (i) at Fast’s request, make available to Fast all information necessary to demonstrate compliance with its data protection obligations under this Schedule and allow for and contribute to audits, including inspections, conducted by Fast or another auditor mandated by Fast; and
  (j) immediately inform Fast if, in Vendor’s opinion, a personal data processing instruction by Fast infringes Data Protection Laws.

2. Fast agrees and acknowledges that:

  (a) with respect to paragraph 1(h) above, Fast hereby gives Vendor a general authorization to have the personal data processed by a subprocessor to the extent that: (i) the engagement of the subprocessor is reasonably necessary for the provision of the Services in accordance with the terms of the Agreement; and (ii) any such subprocessor is bound by the same data protection obligations as contained herein. Vendor shall inform Fast of any intended changes concerning the addition or replacement of subprocessors reasonably in advance of any such changes, thereby giving Fast the opportunity to object to the use of any such new subprocessor.
  (b) Fast shall not, by act or omission, cause Vendor to violate any Data Protection Laws, notices provided by Fast to, or consents obtained by Fast from, data subjects as a result of Vendor’s or its processors’ processing of the personal data.

3. Personal Data Processing

The following table describes the subject, scope, nature, and purpose of the personal data processing governed by the provisions of the Agreement (including this Schedule), of which this table forms an integral part:

Subject Matter: Processing carried out in connection with the provision of the Services by Vendor
Term of the SOW, provided that Vendor may have ongoing obligations with respect to the privacy and security of any personal data processed during the SOW Term.
Nature & Purpose of the Processing: Vendor processes the personal data in order to provide the Services to Fast in accordance with the Agreement and/or as otherwise instructed in writing by Fast from time to time during the term of the Agreement
Categories of Data Subjects: Fast’s (or Fast affiliates’/partners’) users, prospective users, website users/visitors, employees, or Fast users’ website users/visitors
Types of personal data (i.e., any information relating to an identified or identifiable person) shall include, as applicable:
Contact Details: Name, personal/work phone number, home/work billing address, personal/work email address
Website Users/Visitors: Name, email address, phone number, billing address, mailing address
Fast Employees: Bank details, human resource records, remuneration details, gender identity, ethnicity and, where necessary, data relating to health
Financial Information: Limited credit card and payment information
Special Categories of Personal Data: Support messages, IP addresses, customer website content

4. Vendor Security Measures

Vendor agrees to implement the following technical and organizational security measures with respect to its processing of the personal data:

Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing, including: 

  • Information Security Policy: The Vendor has a written information security policy in place that specifies the security standards it applies to protect the personal data it processes in accordance with this section. The information security policy mandates the use of appropriate technical and organizational security measures throughout the Vendor's organization to protect personal data against unauthorized and unlawful processing and against accidental loss, damage or destruction. It further describes the measures to be taken, and individuals to be notified, in the event of an actual or suspected data or security breach.
  • Risk Management: The Vendor has risk management processes that are established and managed by organizational stakeholders. The risk management processes include periodic risk assessments that identify critical business processes, potential threats, and vulnerabilities; assess the risk of identified issues; document and communicate those risks; and provide recommendations to reduce the risks.
  • Information Security Officer: The Vendor has appointed a duly skilled, qualified and experienced employee with responsibility for ensuring the security of personal data processed by the Vendor throughout its organization and for reviewing, maintaining and updating the Vendor's information security policy in accordance with best industry practice.
  • Reporting: The Vendor has in place a policy requiring reporting of any suspected policy violations, system intrusions, or other security incidents that might jeopardize the information or information systems owned or controlled by the Vendor.
  • Organizational Security Policy: The Vendor has in place an organizational security policy that defines the roles and responsibilities of the information security team that operates at the strategic, tactical, and operational levels.
  • Personnel Compliance: The Vendor has in place policies that ensure the Vendor’s employees understand what uses of technology and data are permitted by the Vendor, including mandatory security and privacy awareness training for all employees and disciplinary processes to encourage compliance.

Measures to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services, including:

  • Physical Security: All computer and network equipment used in the open areas of the Vendor’s facilities are required to be physically secured with anti-theft devices. Access to data processing facilities is restricted to duly authorized employees and contractors who have been issued with security keys. All system resources and supporting assets located in a facility that handle sensitive data are located in physically secure areas and isolated as necessary. Cameras and other electronic surveillance equipment are placed throughout facilities storing or handling sensitive information assets.
  • Asset Management: The Vendor has in place a policy which establishes the rules and guidelines managing information, hardware, and software assets throughout the lifecycle phases of an information technology asset.
  • Change Control: The Vendor has in place a change control policy to ensure that significant changes to processes and procedures are documented, including production system software, hardware, devices, facilities, networks, and communications links.
  • Firewall and Antivirus Software: The Vendor has in place appropriate firewall, anti-virus, anti-spyware and other anti-malware software and technologies on all networks and systems it uses to process personal data. 
  • Portable Media: The Vendor has in place a policy that restricts the use of unauthorized removable media with assets owned or used by the Vendor. Any devices, discs, and other electronic storage media containing personal data are destroyed once no longer needed in a manner which makes access to the personal data stored on them impossible. They are not to be disclosed to any party not authorised to process personal data unless the data previously stored on those media has been irretrievably destroyed.
  • Access Controls: The Vendor implements technical access controls that restrict access to personal data it processes to duly authorized employees and contractors only. The Vendor further maintains a log of all access to personal data on its systems by any individual. Duly authorized employees and contractors are permitted to access personal data only to the extent necessary for the performance of their duties. The Vendor has appointed a system administrator with overall responsibility for granting, changing or voiding data access privileges to its data processing systems.
  • Usernames / Passwords: Access to personal data is controlled through access privileges, usernames, and confidential passwords. No two employees or contractors may share or use the same username and/or password. Employees and contractors are required to change their passwords on a regular basis and at least once every six months. All employee passwords are stored in encrypted format, and are at least eight characters long consisting of one uppercase letter, one lowercase letter, one numeral and one symbol.
  • Incident Response: The Vendor has in place an incident response policy for monitoring for threats, establishing incident-handling capabilities, creating and maintaining a security incident response team, and developing and maintaining an incident response plan. The incident response plan will establish procedures for identifying, responding to, assessing, and analyzing information security threats. Vendor also has in place disaster recovery and business continuity plans. 

Policies and procedures regarding the encryption of personal data:

  • Encryption: All personal data processed by the Vendor on behalf of the data exporter are stored and transmitted in encrypted format only, including personal data processed by the Vendor on portable media or portable devices.

Policies and procedures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, including:

  • Power Loss: The Vendor's data processing systems are protected against loss, destruction or damage of personal data due to failure or interference of any power supply.

5. International data transfers

  (a) Where Vendor processes the personal data in a jurisdiction other than the jurisdiction in which the personal data originated, Vendor agrees to process the personal data in compliance with all applicable Data Protection Laws of the originating jurisdiction.
  (b) To the extent that Vendor processes personal data originating from a member state of the European Economic Area, the United Kingdom, or Switzerland, and the Vendor is established in a jurisdiction that does not provide an adequate level of data protection within the meaning of the originating jurisdiction’s Data Protection Laws, the parties agree to comply with the terms of the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries approved by European Commission Decision of 5 February 2010 (2010/87/EU) (“SCCs”). The parties further agree, if required by law, to enter into any and all further agreements required to adhere to their respective obligations for international data transfers under Data Protection Laws, including but not limited to by inserting the actual text of the SCCs into these Terms, or by agreeing to a superseding set of SCCs that may be subsequently approved by the relevant authorities. For the purpose of the SCCs:
    (i) The data exporter is Fast (and/or its affiliates or Users, as applicable).
    (ii) The data importer is Vendor.
    (iii) Appendix 1 of the SCCs is completed with the details of processing contained in paragraph 3 of this Schedule.
    (iv) Appendix 2 of the SCCs is completed with the data security measures contained in paragraph 4 of this Schedule.
    (v) Signatures to the Agreement and/or applicable SOW constitute signatures to the SCCs.
  (c) When collecting, using, disclosing, or storing personal data that originates from Australia, Vendor agrees to comply with the Australian Privacy Principles as adopted under the Australian Privacy Act 1988 (Cth).
  (d) Vendor may transfer the personal data to a subprocessor outside of the jurisdiction from which the personal data originates, provided that the necessary legal conditions for such transfer and processing under Data Protection Laws apply to such transfer and processing. For example, to the extent the personal data originates from a member state of the European Economic Area, United Kingdom, or Switzerland, Vendor agrees that the transfer will comply with applicable data transfer requirements, such as by entering into the EU Standard Contractual Clauses with the subprocessor, or ensuring that the subprocessor is subject to an in force European Commission positive adequacy decision under Article 45 of the GDPR which covers such transfer.