Last Revised on September 15, 2023
Welcome to the Terms of Service (these “Terms”) for the website, Rayyan.ai (the “Website”), and the related mobile applications (the “App”) operated on behalf of Rayyan Systems, Inc. (“Company”, “we” or “us”), and the related API (the “API“), and together with any content, tools, features and functionality offered on or through our Website and the App (the “Services”).
These Terms govern your access to and use of the Services. Please read these Terms carefully, as they include important information about your legal rights. By accessing and/or using the Services, you are agreeing to these Terms. If you do not understand or agree to these Terms, please do not use the Services.
For purposes of these Terms, “you” and “your” means you as the user of the Services. If you use the Services on behalf of a company or other entity then “you” includes you and that entity, and you represent and warrant that (a) you are an authorized representative of the entity with the authority to bind the entity to these Terms, and (b) you agree to these Terms on the entity’s behalf.
Please note that Section 8 contains an arbitration clause and class action waiver. By agreeing to these Terms, you agree (a) to resolve all disputes with us through binding individual arbitration, which means that you waive any right to have those disputes decided by a judge or jury, and (b) that you waive your right to participate in class actions, class arbitrations, or representative actions. You have the right to opt-out of arbitration as explained in Section 8.
TABLE OF CONTENTS
- WHO MAY USE THE SERVICES
- USER ACCOUNTS AND MEMBERSHIPS
- RIGHTS WE GRANT YOU
- OWNERSHIP AND CONTENT
- THIRD PARTY SERVICES AND MATERIALS
- DISCLAIMERS, LIMITATIONS OF LIABILITY AND INDEMNIFICATION
- ARBITRATION AND CLASS ACTION WAIVER
- ADDITIONAL PROVISIONS
GDPR DATA PROCESSING ADDENDUM
- CONDITIONS OF PROCESSING
- RAYYAN’S OBLIGATIONS
- CUSTOMER’S OBLIGATIONS
- CHANGES IN APPLICABLE DATA PROTECTION LAWS
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
1. WHO MAY USE THE SERVICES
You must be 18 years of age or older to use the Services. By using the Services, you represent and warrant that you meet this requirement.
2. USER ACCOUNTS AND MEMBERSHIPS
2.1 Creating and Safeguarding your Account. To use the Services, you may need to create an account (“Account”). You agree to provide us with accurate, complete and updated information for your Account. You can access, edit and update your Account by clicking on your name after signing in and then selecting My Account. You are solely responsible for any activity on your Account and for maintaining the confidentiality and security of your password. You agree that you will not share your Account with any other person. We are not liable for any acts or omissions by you in connection with your Account. You must immediately notify us at firstname.lastname@example.org if you know or have any reason to suspect that your Account or password have been stolen, misappropriated or otherwise compromised, or in case of any actual or suspected unauthorized use of your Account.
2.2 Payment. If you purchase or subscribe to any of our paid Services, you agree to pay us the applicable fees and taxes in U.S. Dollars. Failure to pay these fees and taxes will result in the termination of your access to the paid Services. You agree that (a) we may store and continue billing your payment method (e.g. credit card) to avoid interruption of the Services, and (b) we may calculate taxes payable by you based on the billing information that you provide us at the time of purchase. We reserve the right to change our membership plans or adjust pricing for the Services in any manner and at any time as we may determine in our sole and absolute discretion. Except as otherwise provided in these Terms, any price changes or changes to your membership plan will take effect following reasonable notice to you. All memberships are payable in accordance with payment terms in effect at the time the membership becomes payable. Payment can be made by credit card, debit card, or other means that we may make available. Memberships will not be processed until payment has been received in full, and any holds on your account by any other payment processor are solely your responsibility.
2.3 Membership Renewals and Cancellations. You agree that if you purchase a membership, your membership will automatically renew at the membership period frequency referenced on your membership page (or if not designated, then monthly), and your payment method will automatically be charged at the start of each new membership period for the fees and taxes applicable to that period. To avoid future membership charges, you must cancel your membership 30 days before the membership period renewal date by doing the following: You may modify your membership by going to the “My Account” page and making the relevant changes there.
2.4 No Membership Refunds. Except as expressly set forth in these Terms, payments for any memberships to the Services are non-refundable and there are no credits for partially used periods. Following any cancellation by you, however, you will continue to have access to the paid Services through the end of the membership period for which payment has already been made.
3.3 For the purposes of this Clause 3 of these Terms, the terms “personal data” and “processing” have the same meanings as those given to them in the European Union (“EU”)’s General Data Protection Regulation 2016/679 (the “EU GDPR”) and the United Kingdom (“UK”)’s General Data Protection Regulation and UK Data Protection Act 2018 (together, the “UK GDPR”) (the EU GDPR and UK GDPR together, the “GDPR”).
4. Rights We Grant You
4.1 License Grant. Subject to your compliance with these Terms, the Company hereby grants to you the right to access and use the Services and a personal, worldwide, royalty-free, non-assignable, non-sublicensable, non-transferrable, and non-exclusive license to download the App onto your personal devices, in each case for your internal business purposes only. Your access and use of the Services may be interrupted from time to time for any of several reasons, including, without limitation, the malfunction of equipment, periodic updating, maintenance or repair of the Service or other actions that Company, in its sole discretion, may elect to take.
4.2 Restrictions On Your Use of the Services. You may not do any of the following, unless applicable laws or regulations prohibit these restrictions or you have our written permission to do so:
(a) download, modify, copy, distribute, transmit, display, perform, reproduce, duplicate, publish, license, create derivative works from, or offer for sale any information contained on, or obtained from or through, the Services, provided the foregoing restriction does not apply to Your Content (as defined below);
(b) duplicate, decompile, reverse engineer, disassemble or decode the Services (including any underlying idea or algorithm), or attempt to do any of the same;
(c) use, reproduce or remove any copyright, trademark, service mark, trade name, slogan, logo, image, or other proprietary notation displayed on or through the Services;
(d) use automation software (bots), hacks, unauthorized modifications (mods) or any other unauthorized third-party software designed to modify the Services;
(e) exploit the Services for any commercial purpose, including without limitation communicating or facilitating any commercial advertisement or solicitation; or otherwise allowing third parties who are not authorized to use the Services to exploit our Services;
(f) access or use the Services in any manner that could disable, overburden, damage, disrupt or impair the Services or interfere with any other party’s access to or use of the Services or use any device, software or routine that causes the same;
(g) attempt to gain unauthorized access to, interfere with, damage or disrupt the Services, accounts registered to other users, or the computer systems or networks connected to the Services;
(h) circumvent, remove, alter, deactivate, degrade or thwart any technological measure or content protections of the Services;
(i) allow the Services to be used on an external commercial rental, remote job entry, time-sharing, or service bureau arrangement;
(j) use any robot, spider, crawlers or other automatic device, process, software or queries that intercepts, “mines,” scrapes or otherwise accesses the Services to monitor, extract, copy or collect information or data from or through the Services, or engage in any manual process to do the same;
(k) introduce any viruses, trojan horses, worms, logic bombs or other materials that are malicious or technologically harmful into our systems;
(l) use the Services for illegal, harassing, unethical, or disruptive purposes;
(m) violate any applicable law or regulation in connection with your access to or use of the Services; or
(n) access or use the Services in any way not expressly permitted by these Terms.
4.3 Use of the Services. You are responsible for providing the mobile device, wireless service plan, software, Internet connections and/or other equipment or services that you need to download, install and use the Services. We do not guarantee that the Services can be accessed and used on any particular device or with any particular service plan. We do not guarantee that the Services will be available in, or that orders for products can be placed from, any particular geographic location. As part of the Services and to update you regarding the status of deliveries, you may receive push notifications, local client notifications, text messages, picture messages, alerts, emails or other types of messages directly sent to you in connection with the App (“Push Messages”). You acknowledge that, when you use the Services on a wireless device, your wireless service provider may charge you fees for data, text messaging and/or other wireless access, including in connection with Push Messages. You have control over the Push Messages settings, and can opt in or out of these Push Messages through the Services or through your mobile device’s operating system (with the possible exception of infrequent, important service announcements and administrative messages). Please check with your wireless service provider to determine what fees apply to your access to and use of the Services on your wireless device, including your receipt of Push Messages from the Company. You are solely responsible for any fee, cost or expense that you incur to download, install and/or use the Services on your mobile device, including for your receipt of push messages from the Company.
5. OWNERSHIP AND CONTENT
5.1 Ownership of the Services. The Services, including their “look and feel” (e.g., text, graphics, images, logos), proprietary content, information and other materials, are protected under copyright, trademark and other intellectual property laws. You agree that the Company and/or its licensors own all right, title and interest in and to the Services (including any and all intellectual property rights therein) and you agree not to take any action(s) inconsistent with such ownership interests. We and our licensors reserve all rights in connection with the Services and its content (other than Your Content), including, without limitation, the exclusive right to create derivative works.
5.2 Ownership of Trademarks. The Company’s name, the Company’s logo and all related names, logos, product and service names, designs and slogans, including “Rayyan” and “Intelligent Systematic Review” are trademarks of the Company or its affiliates or licensors. Other names, logos, product and service names, designs and slogans that appear on the Services are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by us.
5.3 Ownership of Feedback. We welcome feedback, comments and suggestions for improvements to the Services (“Feedback”). You acknowledge and expressly agree that any contribution of Feedback does not and will not give or grant you any right, title or interest in the Services or in any such Feedback. All Feedback becomes the sole and exclusive property of the Company, and the Company may use and disclose Feedback in any manner and for any purpose whatsoever without further notice or compensation to you and without retention by you of any proprietary or other right or claim. You hereby assign to the Company any and all right, title and interest (including, but not limited to, any patent, copyright, trade secret, trademark, show-how, know-how, moral rights and any and all other intellectual property right) that you may have in and to any and all Feedback.
5.4 Your Content License Grant. In connection with your use of the Services, you may be able to post, upload, or submit content to be made available through the Services (“Your Content”). In order to operate the Service, we must obtain from you certain license rights in Your Content so that actions we take in operating the Service are not considered legal violations. Accordingly, by using the Service and uploading Your Content, you grant us a worldwide, non-exclusive, royalty-free, sublicensable and transferable license to access, use, host, cache, store, reproduce, transmit, display, publish, distribute, and modify (for technical purposes, e.g., making sure content is viewable on smartphones as well as computers and other devices) Your Content but solely as required to be able to operate and provide the Services. You agree that these rights and licenses are royalty free, transferable, sub-licensable, worldwide and irrevocable (for so long as Your Content is stored with us), and include a right for us to make Your Content available to, and pass these rights along to, others with whom we have contractual relationships related to the provision of the Services, solely for the purpose of providing such Services, and to otherwise permit access to or disclose Your Content to third parties if we determine such access is necessary to comply with our legal obligations. As part of the foregoing license grant you agree that, to the extent that you make Your Content available to other users, those other users of the Services shall have the right to comment on and/or tag Your Content and/or use, publish, display, modify or include a copy of Your Content as part of their own use of the Services; except that the foregoing shall not apply to any of Your Content that you post privately for non-public display on the Services. By posting or submitting Your Content through the Services, you represent and warrant that you have, or have obtained, all rights, licenses, consents, permissions, power and/or authority necessary to grant the rights granted herein for Your Content. You agree that Your Content will not contain material subject to copyright or other proprietary rights, unless you have the necessary permission or are otherwise legally entitled to post the material and to grant us the license described above.
(a) As part of the Services, you may be asked to collaborate on another user’s project. You acknowledge and agree that any content, including comments and other inputs, that you provide as part of that collaboration (“Project Content”) is considered an integral part of the project. Accordingly, you hereby grant the project owner a royalty free, transferable, sub-licensable, worldwide and irrevocable license to access and use the Project Content in relation to such project, including to reproduce, distribute, prepare derivative works, display, and perform such Project Content. You also acknowledge that, in order to maintain the integrity of each project, only the project owner may authorize the deletion of any Project Content and such license shall continue until the project owner authorizes the deletion of the Project Content.
(b) We shall not be a contracting party to any agreements or arrangements entered into by you and any other user of the Services (including without limitation project collaborators or project owners) or other third party. You are solely responsible for the execution and/or fulfilment of agreements you enter into. We shall not be held responsible for breaches of duty in relation to such agreements. If there is a dispute between you and another user of the Services (including without limitation project collaborators or project owners) or other third party, you agree that we assume no responsibility and are under no obligation to become involved. You acknowledge and agree that you are solely responsible for any disputes between you and any other user of the Services or other third party that we shall not be involved or in any way responsible for such disputes.
5.6 Enterprise and Team Memberships.
(a) For individuals covered under an enterprise or teams membership, you acknowledge and agree that the administrator of such membership has the right to manage all users granted access to such membership. As such, your administrator may review your projects, allocate roles or project owners of projects and suspend or deactivate your account.
(b) Administrators of enterprise or teams memberships shall ensure that each user accessing the Services under such membership shall register for their own Account and agreed to these Terms.
5.7 Notice of Infringement – DMCA Policy
If you believe that any text, graphics, photos, audio, videos or other materials or works uploaded, downloaded or appearing on the Services have been copied in a way that constitutes copyright infringement, you may submit a notification to our copyright agent in accordance with 17 USC 512(c) of the Digital Millennium Copyright Act (the “DMCA”), by providing the following information in writing:
(a) identification of the copyrighted work that is claimed to be infringed;
(b) identification of the allegedly infringing material that is requested to be removed, including a description of where it is located on the Service;
(c) information for our copyright agent to contact you, such as an address, telephone number and e-mail address;
(d) a statement that you have a good faith belief that the identified, allegedly infringing use is not authorized by the copyright owners, its agent or the law;
(e) a statement that the information above is accurate, and under penalty of perjury, that you are the copyright owner or the authorized person to act on behalf of the copyright owner; and
(f) the physical or electronic signature of a person authorized to act on behalf of the owner of the copyright or of an exclusive right that is allegedly infringed.
Notices of copyright infringement claims should be sent by mail to: Rayyan Systems Inc, Attn: Copyright Agent, 1 Broadway, 14th Floor, Cambridge MA 02142, USA; or by e-mail to email@example.com. It is our policy, in appropriate circumstances and at our discretion, to disable or terminate the accounts of users who repeatedly infringe copyrights or intellectual property rights of others.
A user of the Services who has uploaded or posted materials identified as infringing as described above may supply a counter-notification pursuant to sections 512(g)(2) and (3) of the DMCA. When we receive a counter-notification, we may reinstate the posts or material in question, in our sole discretion. To file a counter-notification with us, you must provide a written communication (by fax or regular mail or by email) that sets forth all of the items required by sections 512(g)(2) and (3) of the DMCA. Please note that you will be liable for damages if you materially misrepresent that content or an activity is not infringing the copyrights of others.
6. THIRD PARTY SERVICES AND MATERIALS
6.1 Use of Third Party Materials in the Services. Certain Services may display, include or make available content, data, information, applications or materials from third parties (“Third Party Materials”) or provide links to certain third party websites. By using the Services, you acknowledge and agree that the Company is not responsible for examining or evaluating the content, accuracy, completeness, availability, timeliness, validity, copyright compliance, legality, decency, quality or any other aspect of such Third Party Materials or websites. We do not warrant or endorse and do not assume and will not have any liability or responsibility to you or any other person for any third-party services, Third Party Materials or third-party websites, or for any other materials, products, or services of third parties. Third Party Materials and links to other websites are provided solely as a convenience to you.
7. DISCLAIMERS, LIMITATIONS OF LIABILITY AND INDEMNIFICATION
7.1 Disclaimers. Your access to and use of the Services are at your own risk. You understand and agree that the Services are provided to you on an “AS IS” and “AS AVAILABLE” basis. Without limiting the foregoing, to the maximum extent permitted under applicable law, the Company, its parents, affiliates, related companies, officers, directors, employees, agents, representatives, partners and licensors (the “the Company Entities”) DISCLAIM ALL WARRANTIES AND CONDITIONS, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. The Company Entities make no warranty or representation and disclaim all responsibility and liability for: (a) the completeness, accuracy, availability, timeliness, security or reliability of the Services; (b) any harm to your computer system, loss of data, or other harm that results from your access to or use of the Services; (c) the operation or compatibility with any other application or any particular system or device; (d) whether the Services will meet your requirements or be available on an uninterrupted, secure or error-free basis; and (e) the deletion of, or the failure to store or transmit, Your Content and other communications maintained by the Services. As between us and you, you agree that it solely your responsibility to (a) inform any of your project collaborators of any relevant policies and practices and settings that may impact the use of the Services; (b) obtain any rights, permissions or consents from such project collaborators that are necessary for the lawful use and operation of the Services; and (c) respond to and resolve any dispute with you and any other user, project owner, project collaborator or other third party relating to or based on the use of the Services or your failure to fulfil these obligations. No advice or information, whether oral or written, obtained from the Company Entities or through the Services, will create any warranty or representation not expressly made herein.
7.2 Limitations of Liability. TO THE EXTENT NOT PROHIBITED BY LAW, YOU AGREE THAT IN NO EVENT WILL THE COMPANY ENTITIES BE LIABLE (A) FOR DAMAGES OF ANY KIND, INCLUDING DIRECT, INDIRECT, SPECIAL, EXEMPLARY, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF USE, DATA OR PROFITS, BUSINESS INTERRUPTION OR ANY OTHER DAMAGES OR LOSSES, ARISING OUT OF OR RELATED TO YOUR USE OR INABILITY TO USE THE SERVICES), HOWEVER CAUSED AND UNDER ANY THEORY OF LIABILITY, WHETHER UNDER THESE TERMS OR OTHERWISE ARISING IN ANY WAY IN CONNECTION WITH THE SERVICES OR THESE TERMS AND WHETHER IN CONTRACT, STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) EVEN IF THE COMPANY ENTITIES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE, OR (B) FOR ANY OTHER CLAIM, DEMAND OR DAMAGES WHATSOEVER RESULTING FROM OR ARISING OUT OF OR IN CONNECTION WITH THESE TERMS OR THE DELIVERY, USE OR PERFORMANCE OF THE SERVICES. SOME JURISDICTIONS (SUCH AS THE STATE OF NEW JERSEY) DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU. THE COMPANY WILL NOT BEAR ANY COST, EXPENSE OR RESPONSIBILITY FOR FACILITATING OR PARTICIPATING IN ANY DISPUTES BETWEEN USERS AND OTHER USERS OR PROJECT OWNER, OR ANY OTHER THIRD PARTIES THAT DO NOT INVOLVE THE COMPANY. THE COMPANY ENTITIES’ TOTAL LIABILITY TO YOU FOR ANY DAMAGES FINALLY AWARDED SHALL NOT EXCEED THE GREATER OF THE AMOUNT OF ONE HUNDRED DOLLARS ($100.00) OR THE AMOUNT YOU PAID THE COMPANY ENTITIES, IF ANY, IN THE PAST SIX (6) MONTHS FOR THE SERVICES (OR OFFERINGS PURCHASED ON THE SERVICES) GIVING RISE TO THE CLAIM. THE FOREGOING LIMITATIONS WILL APPLY EVEN IF THE ABOVE STATED REMEDY FAILS OF ITS ESSENTIAL PURPOSE.
7.3 Indemnification. By entering into these Terms and accessing or using the Services, you agree that you shall defend, indemnify and hold the Company Entities harmless from and against any and all claims, costs, damages, losses, liabilities and expenses (including attorneys’ fees and costs) incurred by the Company Entities arising out of or in connection with: (a) your violation or breach of any term of these Terms or any applicable law or regulation; (b) your violation of any rights of any third party; (c) your access to or use of the Services; (d) Your Content, or (e) your negligence or wilful misconduct.
8. ARBITRATION AND CLASS ACTION WAIVER
8.1 Informal Process First. You agree that in the event of any dispute between you and the Company Entities, you will first contact the Company and make a good faith sustained effort to resolve the dispute before resorting to more formal means of resolution, including without limitation, any court action.
8.2 Arbitration Agreement and Class Action Waiver. After the informal dispute resolution process, any remaining dispute, controversy, or claim (collectively, “Claim”) relating in any way to your use of the Company’s services and/or products, including the Services, will be resolved by arbitration, including threshold questions of arbitrability of the Claim. You and the Company agree that any Claim will be settled by final and binding arbitration, using the English language, administered by JAMS under its Comprehensive Arbitration Rules and Procedures (the “JAMS Rules”) then in effect (those rules are deemed to be incorporated by reference into this section, and as of the date of these Terms). Arbitration will be handled by a sole arbitrator in accordance with the JAMS Rules. Judgment on the arbitration award may be entered in any court that has jurisdiction. Any arbitration under these Terms will take place on an individual basis – class arbitrations and class actions are not permitted. You understand that by agreeing to these Terms, you and the Company are each waiving the right to trial by jury or to participate in a class action or class arbitration. Notwithstanding the foregoing, you and the Company will have the right to bring an action in a court of proper jurisdiction for injunctive or other equitable or conservatory relief, pending a final decision by the arbitrator. You may instead assert your claim in “small claims” court, but only if your claim qualifies, your claim remains in such court and your claim remains on an individual, non-representative and non-class basis.
8.3 Costs of Arbitration. Payment for any and all reasonable JAMS filing, administrative and arbitrator fees will be in accordance with the JAMS Rules. If the value of your claim does not exceed $10,000, the Company will pay for the reasonable filing, administrative and arbitrator fees associated with the arbitration, unless the arbitrator finds that either the substance of your claim or the relief sought was frivolous or brought for an improper purpose.
8.4 Opt-Out. You have the right to opt-out and not be bound by the arbitration provisions set forth in these Terms by sending written notice of your decision to opt-out to firstname.lastname@example.org or to the U.S. mailing address listed in the “How to Contact Us” section of these Terms. The notice must be sent to the Company within thirty (30) days of your registering to use the Services or agreeing to these Terms, otherwise you shall be bound to arbitrate disputes in accordance with these Terms. If you opt-out of these arbitration provisions, the Company also will not be bound by them.
9. ADDITIONAL PROVISIONS
9.2 Updating These Terms. We may modify these Terms from time to time in which case we will update the “Last Revised” date at the top of these Terms. If we make changes that are material, we will use reasonable efforts to attempt to notify you, such as by e-mail and/or by placing a prominent notice on the first page of the Website. However, it is your sole responsibility to review these Terms from time to time to view any such changes. The updated Terms will be effective as of the time of posting, or such later date as may be specified in the updated Terms. Your continued access or use of the Services after the modifications have become effective will be deemed your acceptance of the modified Terms.
9.3 Termination of License and Your Account. If you breach any of the provisions of these Terms, all licenses granted by the Company will terminate automatically. Additionally, the Company may suspend, disable, or delete your Account and/or the Services (or any part of the foregoing) with or without notice, for any or no reason. If the Company deletes your Account for any suspected breach of these Terms by you, you are prohibited from re-registering for the Services under a different name. In the event of Account deletion for any reason, the Company may, but is not obligated to, delete any of Your Content. The Company shall not be responsible for the failure to delete or deletion of Your Content. All sections which by their nature should survive the termination of these Terms shall continue in full force and effect subsequent to and notwithstanding any termination of this Agreement by the Company or you. Termination will not limit any of the Company’s other rights or remedies at law or in equity.
9.4 Injunctive Relief. You agree that a breach of these Terms will cause irreparable injury to the Company for which monetary damages would not be an adequate remedy and the Company shall be entitled to equitable relief in addition to any remedies it may have hereunder or at law without a bond, other security or proof of damages.
9.5 California Residents. If you are a California resident, in accordance with Cal. Civ. Code § 1789.3, you may report complaints to the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs by contacting them in writing at 1625 North Market Blvd., Suite N 112 Sacramento, CA 95834, or by telephone at (800) 952-5210.
9.6 Third Party Beneficiaries. You acknowledge that, with respect to that software licensed to Company by the Qatar Foundation for Education, Science and Community Development, a private institution for public benefit enacted under Qatar Law no. 21 of 2006, P.O. Box 5825, Education City, Doha, Qatar (“QF”), the provisions of its agreement with Company are intended to inure to the benefit of QF as a third-party beneficiary, and QF will be entitled to enforce any or all such provisions against you. You further acknowledge and agree that QF accepts its third-party beneficiary rights hereunder and that such rights will be deemed irrevocable.
9.7 Miscellaneous. If any provision of these Terms shall be unlawful, void or for any reason unenforceable, then that provision shall be deemed severable from these Terms and shall not affect the validity and enforceability of any remaining provisions. These Terms and the licenses granted hereunder may be assigned by the Company but may not be assigned by you without the prior express written consent of the Company. No waiver by either party of any breach or default hereunder shall be deemed to be a waiver of any preceding or subsequent breach or default. The section headings used herein are for reference only and shall not be read to have any legal effect. The Services are operated by us in the United States. Those who choose to access the Services from locations outside the United States do so at their own initiative and are responsible for compliance with applicable local laws. These Terms are governed by the laws of the Commonwealth of Massachusetts, without regard to conflict of laws rules, and the proper venue for any disputes arising out of or relating to any of the same will be the arbitration venue set forth in Section 9, or if arbitration does not apply, then the state and federal courts located in Boston, Massachusetts.
9.8 How to Contact Us. You may contact us regarding the Services or these Terms at: Rayyan Systems Inc., 1 Broadway, 14th Floor, Cambridge, MA 02142, UNITED STATES OF AMERICA, by phone at +16174532567 or by e-mail at email@example.com.
GDPR DATA PROCESSING ADDENDUM
This data processing addendum (including the schedules hereto) (the “DPA”) is entered into between Rayyan Systems Inc., with registered address at 1 Broadway Street, 14th Floor, Cambridge, MA, 02142 USA and company reporting file number 020-28123 (“Rayyan”) and you, the counterparty agreeing to these terms (“Customer”), and are hereby incorporated into and form part of the Terms.
Customer (acting as controller) has appointed Rayyan (acting as processor) to provide the Services to Customer. As a result of its providing such Services to Customer, Rayyan will store and process certain personal information on behalf of Customer, in each case as described further below in Schedule 1 (Processing Details). This DPA is being put in place to ensure Rayyan processes Customer’s personal data on the Customer’s instructions and in compliance with Applicable Data Protection Laws (as defined below).
1.1 For the purposes of this DPA, the following expressions bear the following meanings unless the context otherwise requires:
“Applicable Data Protection Laws” means (a) the EU GDPR; (b) the Privacy and Electronic Communications Directive 2002/58/EC; (c) the UK Data Protection Act 2018 (“DPA”), the UK GDPR as defined by the DPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, and the Privacy and Electronic Communications Regulations 2003; and (d) any relevant law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements any of the above or which otherwise relates to data protection, privacy or the use of personal data, in each case as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time;
“Data Subject” shall have the meaning given in the relevant Applicable Data Protection Laws;
“Personal Data” shall have the meaning given in the relevant Applicable Data Protection Laws;
“Process”, “Processed” or “Processing” shall have the meaning given in the relevant Applicable Data Protection Laws;
“Regulator” means a data protection supervisory authority which has jurisdiction over a Customer’s Processing of Personal Data;
“Standard Contractual Clauses” means: (i) in respect of transfers of Personal Data subject to the EU GDPR, the standard contractual clauses for the transfer of Personal Data to Third Countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the standard contractual clauses for the transfer of Personal Data to data processors established in Third Countries set out in the Commission Decision of 5 February 2010, or any equivalent clauses issued by the relevant competent authority of the UK, in each case as amended, updated or replaced from time to time; and
“Third Country” means (i) in relation to Personal Data transfers from the European Economic Area (“EEA”), any country outside of the scope of the data protection laws of the EEA, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time; and (ii) in relation to Personal Data transfers from the UK, any country outside of the scope of the data protection laws of the UK, excluding countries approved as providing adequate protection for Personal Data by the relevant competent authority of the UK from time to time.
2. CONDITIONS OF PROCESSING
2.1 This DPA governs the terms under which Rayyan is required to Process Personal Data on behalf of the Customer if and to the extent that the GDPR or UK GDPR applies to Rayyan’s Processing of Personal Data on Customer’s behalf
3. RAYYAN’S OBLIGATIONS
3.1 Rayyan shall only Process Personal Data on behalf of the Customer and in accordance with, and for the purposes set out in the documented instructions received from the Customer unless required to Process such Personal Data by applicable law to which Rayyan is subject; in such a case, Rayyan shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
3.2 Rayyan shall ensure that employees, agents, officers, consultants, sub-processors, and advisers authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Rayyan shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of the Processing as set out in Schedule 2.
3.4 Rayyan shall without undue delay notify the Customer about any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data belonging to the Customer or any accidental or unauthorised access or any other event affecting the integrity, availability or confidentiality of the Personal Data belonging to the Customer (with further information about the breach provided in phases as more details become available).
3.5 Rayyan shall upon written request from Customer from time to time provide Customer with such information as is reasonably necessary to demonstrate compliance with the obligations laid down in this DPA.
3.6 Rayyan shall permit the Customer, at the Customer’s cost and no more than once annually, upon thirty (30) days’ notice, to be given in writing, to have access to the appropriate part of Rayyan’s premises, systems, equipment, and other materials and data Processing facilities to enable the Customer to inspect or audit the same for the purposes of monitoring compliance with Rayyan’s obligations under this DPA. Such inspection shall:
(a) be carried out by the Customer or an inspection body composed of independent members and in possession of the required professional qualifications and bound by a duty of confidentiality, selected by the Customer, where applicable, in agreement with the Regulator; and
(b) not relieve Rayyan of any of its obligations under this DPA.
(a) a Data Subject exercises his or her rights under the Applicable Data Protection Law in respect of Personal Data Processed by Rayyan on behalf of the Customer; or
(b) the Customer is required to deal or comply with any assessment, enquiry, notice or investigation by the Regulator or to provide notice to the Regulator or a Data Subject in relation to a personal data breach; or
(c) the Customer is required under the Applicable Data Protection Laws to carry out a mandatory data protection impact assessment or consult with the Regulator prior to Processing Personal Data entrusted to the Data Processer under this DPA,
then Rayyan will provide reasonable assistance to the Customer to enable the Customer to comply with obligations which arise as a result thereof.
3.8 The Customer acknowledges and agrees that Rayyan will Process Personal Data in a Third Country and that it may appoint affiliates or third party sub-processor to Process the Personal Data in a Third Country in accordance with Applicable Data Protection Laws.
3.9 Upon termination, Rayyan shall, at the choice of the Customer:
(a) return to the Customer all of the Personal Data and any copies thereof which it is Processing or has Processed upon behalf of that Customer; or
(b) destroy all Personal Data it has Processed on behalf of the Customer after the end of the provision of Services relating to the Processing, and destroy all copies of the Personal Data unless applicable law requires storage of such Personal Data; and
(c) in each case cease Processing Personal Data on behalf of the Customer.
4. CUSTOMER’S OBLIGATIONS
4.1 The Customer warrants that: (i) the legislation applicable to it does not prevent Rayyan from fulfilling the instructions received from the Customer and performing Rayyan’s obligations under this DPA; and (ii) it has complied and continues to comply with the Applicable Data Protection Laws, in particular that it has obtained any necessary consents or given any necessary notices, and otherwise has a legitimate ground to disclose the data to Rayyan and enable the Processing of the Personal Data by Rayyan as set out in this DPA and as envisaged by the Terms.
4.2 The Customer agrees that it will indemnify and hold harmless Rayyan on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by Rayyan arising directly or indirectly from a breach of this Clause 4.
5. CHANGES IN APPLICABLE DATA PROTECTION LAWS
5.1 The parties agree to negotiate in good faith modifications to this DPA if changes are required for Rayyan to continue to process the Personal Data as contemplated by this DPA in compliance with the Applicable Data Protection Laws or to address the legal interpretation of the Applicable Data Protection Laws, including (i) to comply with the EU GDPR or any national legislation implementing it, or the UK GDPR or the DPA, and any guidance on the interpretation of any of their respective provisions; or (iii) if changes to the membership status of a country in the European Union or the European Economic Area require such modification.
6.1 The Customer hereby grants Rayyan general written authorisation to engage other processors to process Personal Data on behalf of the Customer (“sub-processors”) including those sub-processors set out on the following site: https://www.rayyan.ai/authorised-sub-subprocessors (the “Authorised Sub-processors List”) and subject to this Clause 6.
6.2 If Rayyan appoints a new sub-processor or intends to make any changes concerning the addition or replacement of the sub-processor set out in the Authorised sub-processors List, it shall update its Authorised Sub-processors List online and, after such update, the Customer has ten (10) business days to object to the proposed appointment or replacement. If the Customer does not object, Rayyan may proceed with the appointment or replacement.
6.3 Rayyan shall ensure that it has a written agreement in place with all sub-processors which contains obligations on the sub-processor which are no less onerous on the relevant sub-processor than the obligations on Rayyan under this DPA. Where the sub-processor fails to fulfil its data protection obligations, Rayyan shall remain fully liable to the Customer for the performance of that sub-processor’s data protection obligations.
7. INTERNATIONAL DATA TRANSFERS
7.1 To the extent that the Applicable Data Protection Laws require appropriate safeguards for international data transfers and Rayyan Processes Personal Data in a Third Country and it acts as data importer, Rayyan shall comply with the data importer’s obligations set out in the Standard Contractual Clauses, which are hereby incorporated into and form part of this DPA, and:
(a) for the purposes of Appendix 1 or Annex I (as relevant) of the Standard Contractual Clauses, the parties and Processing details set out in Schedule 1 (Processing Details) shall apply;
(b) for the purposes of Appendix 2 or Annex II (as relevant) of the Standard Contractual Clauses, the technical and organisational security measures set out in Schedule 2 (Technical and Organisation Security Measures) shall apply;
(c) if applicable, for the purposes of Annex III of the Standard Contractual Clauses, the list of authorised sub-processors set out on the Authorised Sub-processors List shall apply; and
(d) if applicable, for the purposes of: (i) Clause 9 of the Standard Contractual Clauses, Option 2 (“General written authorisation”) is deemed to be selected and a notice period of ten (10) business days shall apply; (ii) Clause 11(a) of the Standard Contractual Clauses, the optional wording in relation to independent dispute resolution is deemed to be excluded; (iii) Clause 13 and Annex I.C, the competent supervisory authority shall be the supervisory authority with responsibility for ensuring compliance by the data exporter with the GDPR as regards the data transfer; (iv) Clause 17, Option 2 is deemed to be selected and the governing law shall be Ireland; (v) Clause 18, the competent courts shall be the courts of Ireland.
1. List of Parties
Data Exporter: Customer
Address & Contact Details: As set out in the Terms or as otherwise notified to Rayyan from time to time
Activities relevant to the transfer: Use of the Services
Signature & Date: Executed with the Terms
Data Importer: Rayyan
Address & Contact Details: Rayyan Systems Inc., 1 Broadway, 14th Floor, Cambridge, MA 02142, USA; firstname.lastname@example.org or email@example.com
Activities relevant to the transfer: Provision of the Services
Signature & Date: Executed with the Terms
1. Description of Transfer
Purpose / Nature of Processing Operations
The Personal Data Processed by Rayyan will be Processed for the following purpose(s):
In order for Rayyan to provide the Services to Customer as specified in the Terms.
The Personal Data Processed by Rayyan will be Processed for the following duration:
For the duration of the Terms.
The Personal Data Processed by Rayyan concern the following categories of Data Subjects:
The participants in the Customer’s research or individuals whose personal data is otherwise incorporated into Customer’s data uploaded to the Services,
Categories of Personal Data
The Personal Data Processed by Rayyan includes the following categories of data:
Any personal data uploaded onto the Services by Customer.
Special Categories of Data (if appropriate)
The Personal Data Processed by Rayyan concern the following special categories of data:
Any sensitive personal data uploaded onto the Services by Customer.
Frequency of Transfer
As specified in the DPA and the Terms.
For transfers to (sub-)processors, also specify subject matter, nature and duration of the Processing
As specified in the DPA and the Terms.
1. Competent Supervisory Authority As specified in the DPA and the Terms.
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
1. Physical Access Management
The Data Processor shall take, among others, the following technical and organizational measures in order to establish the identity of the authorized persons and prevent unauthorized access to the Data Processor’s premises and facilities in which the Data are processed:
- User data resides in secure cloud based infrastructure within secure datacenters
- Employees and visitors have no physical access to datacenters which are managed by subprocessors
- All entrances are locked and can only be accessed with the appropriate key/chipcard
- Windows and doors are protected by an alarm system
- All visitors are required to present identification and are signed in by authorized staff
- Video monitoring of visitors
- Visitors are accompanied by Data Processor’s personnel at all times
- Full perimeter and interior surveillance cameras
- Trained security are stationed in and around the building 24×7
2. System Entry Management
The Data Processor shall take, among others, the following technical and organizational measures in order to prevent unauthorized access to the data processing systems:
- Unique user authentication via username and password for each network and system access required (default passwords changed at 1st login)
- Use of state-of-the-art anti-virus software that includes e-mail filtering and malware detection
- Use of fire walls
- During idle times, user and administrator PCs are automatically locked; PCs are equipped with biometric technology for additional authentication and login protection.
- Administrator passwords are changed at least every 90 days and only allow complex passwords
- Concept of least privilege, allowing only the necessary access for users to accomplish their job function. Access above these least privileges requires appropriate authorization
- Starter, mover & leaver housekeeping processes in place which covers role-based access rights
- IT access privileges are reviewed regularly (at least every quarter) by appropriate personnel
- RSA 2-factor authentication in place for remote connections
- Network monitoring services in place 24x7x365 to detect unauthorized activities
- Vulnerability scanning and remediation in place
- Data centre and website penetration testing programme in place
3. Data Access Management
The Data Processor shall take, among others, the following technical and organizational measures in order to prevent unauthorized activities in the data processing systems outside the scope of any granted authorizations:
- User and administrator access to the network is based on a role based access rights model. There is an authorization concept in place that grants access rights to data only on a “need to know” basis
- Administration of user rights through system administrators
- Number of administrators is reduced to the absolute minimum
- Internal control audits undertaken regularly
- Network monitoring services in place 24x7x365 to detect unauthorized activities
4. Onward Data Transfer
The Data Processor shall take, among others, the following technical and organizational measures in order to ensure that personal data cannot be read, copied, altered or removed by unauthorized persons under their electronic transmission or during their transport or recording on data carriers and to guarantee that it is possible to examine and establish where personal data are or have had to be transmitted by data transmission equipment:
- Remote access (including during remote maintenance or service procedures) to the IT systems only via VPN tunnels or other state-of-the-art secure, encrypted connections
- Data transferred by the Data Processor is transported and saved in encrypted form. The relevant areas of the data carriers are encrypted using data and hard drive encryption software
- The secure transfer modes and encryption methods are regularly updated and kept state-of-the-art
- Secure communication session established via HTTPS and SFTP protocols across all applications / services
- Encrypted certificates utilized for authentication between the web client and the web server across all websites
5. Input Management
The Data Processor shall take, among others, the following technical and organizational measures in order to ensure that it is subsequently possible to verify and establish whether and by whom personal data have been entered into data processing systems, altered or removed:
- Access to electronic documents/applications is documented via auditable log files
- Protocolling input, modification and deletion of data by use of individual usernames
The Data Processor shall take, among others, the following technical and organizational measures in order to ensure that personal data which are processed on behalf of Data Controller can only be processed in compliance with Data Controller’s instructions:
- Clear and binding internal policies contain formalized instructions for data processing procedures
- Unambiguous language in the underlying contracts
- Careful selection of contractors, especially with regard to data security aspects
- Internal monitoring of quality of service includes compliance with contractual arrangements
- Regular staff training to ensure compliance with contractual arrangements and maintain awareness regarding data protection requirements
- Secure destruction processes in place to industry standards utilising specialised 3rdparty with disposal certificates produced
- Periodic risk assessments focus on how insider access is controlled and monitored
- The Data Processor’s corporate network is separated from its customer services network by means of complex segregation devices
The Data Processor shall take, among others, the following technical and organizational measures in order to protect the data from accidental destruction or loss:
- Data recovery measures and emergency plan in place and regularly tested
- Implementation of state-of-the-art backup methods such as: tape backup, data mirroring, and so on.
- Physical separation of the back up data. Data stored in the archive is saved using redundant systems.
- Uses a combination of full, differential, and cumulative backups to ensure data integrity and timely restoration
- Backup tapes are securely stored both on-site and off-site to provide protection against disaster and efficient data recovery
- Data is stored redundantly on multiple devices
- Integrity of stored data periodically verified
8. Separation and Purpose
The Data Processor shall take, among others, the following technical and organizational measures in order to ensure that data collected for different purposes are processed separately:
- Implementation of an authorization concept
- Logical separation of electronically stored customer data (on the software side) to ensure that each client’s data is isolated from any other client’s data
- A container architecture is in use