Skip to main content

Subscription Agreement

This Quark Subscription Agreement (“Agreement”) is entered into by and between Quark Software, Inc., a Delaware corporation with its principal place of business at the address identified above (“Quark”), and
{Customer Name} (“Customer”), a {State of Incorporation} {Company Type}, with its principal place of business at the address identified below. This Agreement sets forth the terms and conditions under which Quark agrees to provide, and Customer agrees to obtain, access to the Quark online services described herein.

1. Software as a service.

1.1 Access. Commencing on the Effective Date of this Agreement, Quark shall make available to Customer the Quark software identified in one or more applicable orders referencing this Agreement (each an “Order”) as hosted by Quark for use by Customer within the use limitations set forth in the Order (the “Service”) under the terms of this Agreement.

1.2 Rights to the Service. Subject to the terms and conditions of this Agreement, Quark hereby grants Customer a non-exclusive, non-transferable, worldwide right during the Term to access the Service and permit the number of individual users specified in the Order to use the Service solely for Customer’s internal purposes up to the limits set forth in the applicable Order (“Authorized Users”).

1.3 Updates. At no charge to Customer, Quark shall install on its servers any software updates deemed reasonably necessary to address errors, bugs or other performance issues in the Service (collectively, “Updates”). Updates (if any) shall be subject to the same terms and conditions of this Agreement.

1.4 Restrictions and Conditions. Customer shall not, directly, indirectly or through its Authorized Users, employees and/or the services of independent contractors: (a) attempt to sell, transfer, assign, rent, lend, lease, sublicense or otherwise provide third parties rights to the Service; (b) “frame,” “mirror,” copy or otherwise enable third parties to use the Service (or any component thereof) as a service bureau or other outsourced service; (c) allow access to the Service by multiple individuals impersonating a single end user; (d) use the Service in a manner that interferes with, degrades, or disrupts the integrity or performance of any Quark technologies, services, systems or other offerings, including data transmission, storage and backup; (e) use the Service for the purpose of developing a product or service that competes with the Quark online products and services; (f) circumvent or disable any security features or functionality associated with Service; or (g) use the Service in any manner prohibited by law. All rights not expressly granted to Customer are reserved by Quark, its suppliers and licensor.

1.5 API Access. If Customer is granted API access with respect to the Service, Customer will not exceed normal usage patterns and volumes, as determined by Quark in its discretion, or use the APIs in a manner that degrades the applicable Quark or that is intended to circumvent security features or license restrictions. With respect to API or automated access to the Service, a non- human operated program or device shall be counted as an end user whenever such a device accesses the Service. If non-human program or device is interacting with the Service on behalf of or as a result of a human interaction with the non-human program or device, then that human must be licensed as an end user. If human-operated devices are connecting to the Service, then all humans operating these devices need to be licensed. If non-human operated devices and human-operated devices are connecting to the Service and are mutually exclusive, then all non-human devices and all humans operating devices need to be licensed. Quark reserves the right to suspend API access at any time in its sole discretion.

2. Confidentiality.

2.1 Confidentiality. Each party agrees that, without the express consent of the other party, none of its employees or agents will disclose to any third party any information or material that the other party designates as confidential (including without limitation the terms and conditions of this Agreement) unless such information or material (a) is or becomes publicly known through no wrongful act of the receiving party, (b) is received from a third party without restriction and without breach of any confidentiality obligation to the other party, (c) is independently developed by the receiving party, or (d) is required by law to be disclosed (provided that the other party is given advance notice of, and an opportunity to, contest any such requirement). All prices and other payment terms are confidential information of Quark.

2.2 Customer Content. As between the parties, Customer owns all rights, title and interest in and to all content and other data submitted by Customer or its Authorized Users to the Service (“Customer Content”). Customer shall have sole responsibility for the legality, reliability, accuracy and quality of Customer Content. Customer hereby grants to Quark a non-exclusive, royalty-free, worldwide license to use, copy, store, modify, distribute, transfer and display the Customer Content solely for the purpose of providing the Service to Customer, and for the limited purposes described in this Section. Notwithstanding the foregoing, Quark may use aggregated and anonymized Customer Content for any purpose. Resulting models will not include, or be reversable to expose, the identity of Customer, its Authorized Users or any other person. If requested by Customer within thirty (30) days of the expiration or termination of this Agreement, Quark shall make available to Customer all Customer Content stored within the Service at the time of expiration or termination. Thirty (30) days after termination, Quark shall have no further obligation to Customer and may, at its option, permanently delete or destroy the Service and all information and materials contained therein. 

3. Services. 

Additional support services, including custom configuration, consulting, training and system integration, may be separately purchased from Quark (“Professional Services”). For clarity, Quark has no obligation to support Customer’s own technology, internal infrastructure, provide free training, or provide consulting on customer created content or third-party technologies and services unless agreed to in writing via an approved sales agreement and or statement of work. Any Professional Services purchased by Customer shall be specified in a written mutually agreed Statement of Work or Service Order (each a “Service Order”) referenced on an Order. Quark grants Customer non-exclusive, non-transferable, non-assignable, non-sub-licensable right to use any deliverable provided as part of the Professional Services solely as necessary for and in conjunction with Customer’s use of the Service, and Quark shall retain all right, title and interest in and to any such deliverable and any derivative, enhancement or modification thereto.

 

4. Customer Obligations.

4.1 Fees and Payment Terms. In consideration of the rights granted herein, Customer shall pay Quark the amounts specified in the initial Order located in Exhibit A, separately attached and incorporated herein to the Agreement (“Fees”). 

  1. Fees are exclusive of any applicable sales, use, import or export taxes, duties, fees, value-added taxes, tariffs or other amounts attributable to Customer’s execution of this Agreement or use of the Service (collectively, “Sales Taxes”). Customer shall be solely responsible for the payment of any Sales Taxes. In the event Quark is required to pay Sales Taxes on Customer’s behalf, Customer shall promptly reimburse Quark for all amounts paid.
  2. All amounts shall be paid to Quark within thirty (30) days of receipt of an undisputed invoice. An invoice shall be deemed undisputed if, within such thirty (30) day period, Customer fails to notify Quark in writing of any disputed amounts. Fees under the Agreement and any Order will be paid by electronic funds transfer using the EFT information provided to Customer on the applicable invoice.
  3. Fees not paid when due shall be subject to a late fee equal to one and one half percent (1.5%) of the unpaid balance per month or the highest monthly rate permitted by applicable law. Quark further reserves (among other rights and remedies) the right to suspend access to the Service. In the event service is suspended due to non-payment or non-renewal, amounts payable to Quark shall continue to accrue during any period of suspension, and a reinstatement fee of 15% of the fees for the then-current term will apply as a condition of reinstatement.
  4. Except as otherwise specified in this Agreement, fees are based on services purchased and not actual usage, payment obligations are non-cancelable, fees paid are non-refundable, and the scope of the subscription cannot be decreased during the relevant subscription term.
  5. Unless otherwise agreed in writing, service fees are subject to annual increases to the level of then-current standard pricing, which will become effective beginning upon the first day of each renewal subscription term. Quark shall notify Customer of any increase at least 60 days prior to renewal. Such notice may be in the form of an invoice or any other form of notice used by Quark to communicate with Customer. Customer acknowledges that the following do not constitute fee increases: (i) additional fees for any upgrade or any additional services that Customer orders; (ii) overage fees for usage in excess of Customer’s usage tier; and (iii) expiration of any discount or incentive programs to which Customer was previously entitled.

4.2 Compliance with Laws. The Quark software and Service are of U.S. origin. Customer shall adhere to all applicable state, federal, local and international laws and treaties in all jurisdictions in which Customer uses the Service, including all end-user, end-use and destination restrictions issued by U.S. and other governments and the U.S. Export Administration Act and its associated regulations. Customer will not upload any data or information to the Service for which Customer does not have full and unrestricted rights. Notwithstanding anything to the contrary in this Agreement or any other agreement between the parties, Customer will not upload any data or information that is subject to the Health Insurance Portability and Accountability Act of 1996 or sensitive financial information regulated under the Gramm-Leach-Bliley Act of 1999. If Customer provides personal information that is subject
to European data protection regulations, Quark’s processing of such information will be governed by the Data Processing Addendum attached hereto as Exhibit D, which is incorporated by reference and subject to the terms of this Agreement.

5. Terms and Termination.

5.1 Term. Unless otherwise specified in the Order, the initial term of this Agreement will begin on the Effective Date and shall continue thereafter until the End Date specified in the Order (the “Initial Term”), and shall thereafter automatically renew for additional periods of one (1) year unless either party provides written notice of its intention not to renew to the other party at least thirty (30) days prior to expiration of the current term (each a “Renewal Term,” and collectively together with the Initial Term, the “Term”). If no End Date is specified in the Order, the End Date will be one year from the Effective Date of this Agreement.

5.2 Termination. Either party may terminate this Agreement if the other party materially breaches this Agreement and such breach has not been cured within thirty (30) days of providing notice thereof.

5.3 Effect of Termination. Upon expiration or termination for any reason, Customer shall discontinue all use of the Service, and return any and all software and documentation provided to Customer by Quark.

6. Indemnification.

6.1 Customer. Customer shall indemnify and hold Quark, its suppliers and licensors harmless from and against any and all claims, costs, damages, losses, liabilities and expenses (including reasonable attorneys’ fees and costs) arising out of or in connection with a claim which, if true, would constitute a breach of Customer’s obligations under Section 1 or 4 of this Agreement. In the event Quark is required to seek legal remedies to enforce collection of any amounts due under this Agreement, Customer agrees to reimburse for all additional costs associated with collection of that past due amount, including reimbursement of collection and attorney’s fees.

6.2 Quark. Quark shall indemnify and hold Customer harmless from and against any and all claims, costs, damages, losses, liabilities and expenses (including attorneys’ fees and costs) arising out a third-party claim that the Service infringes or misappropriates any U.S. patents issued as of the Effective Date or any copyright or trade secret of any third party during the term of this Agreement. Quark shall have no indemnification obligation, and Customer shall indemnify Quark pursuant to this Agreement, for claims of infringement arising from the combination of Service with any unique aspects of Customer’s business, for instance Customer’s content, products, services, hardware or business processes, or for any use of the Service or any Quark software not expressly authorized herein.

6.3 Process. A party seeking indemnification hereunder shall promptly notify in writing the other party of any claim for which defense and indemnification is sought. Each party agrees that it will not, without the other’s prior written consent, enter into any settlement or compromise of any claim that: (a) results, or creates a likelihood of a result, that in any way diminishes or impairs any right or defense that would otherwise exist absent such settlement or compromise; or (b) constitutes or includes an admission of liability, fault, negligence or wrongdoing on the part of the other party. Each indemnifying party has the sole right to control the defense of any claim for which it is providing indemnification hereunder with counsel mutually acceptable to the parties. The indemnified party may, at its own expense, participate in the defense of any such claim.

7. Warranty / Liability / Total Liability. 

Mutual Warranties. Each party represents and warrants to the other that it is duly authorized to execute this Agreement and perform the obligations set forth herein. 

7.1 Disclaimer. THE SERVICE AND ANY QUARK TRAINING, INSTRUCTION AND SUPPORT OR OTHER SERVICES PROVIDED IN CONNECTION WITH THIS AGREEMENT (COLLECTIVELY, “SERVICES”) ARE PROVIDED STRICTLY ON AN “AS IS” BASIS. ALL CONDITIONS, REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE, OR SATISFACTORY RESULTS ARE HEREBY DISCLAIMED TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW BY Quark, ITS SUPPLIERS AND ITS LICENSORS. 

7.2 Customer acknowledges and agrees that Service may be subject to interruption, limitations, delays, and other problems inherent in the use of Internet applications and electronic communications. Quark is not responsible for any such delays, delivery failures, or any other damage resulting from events beyond Quark’s reasonable control, without regard to whether such events are reasonably foreseeable by Quark.

7.3 Limitation. CUSTOMER’S EXCLUSIVE REMEDY AND QUARK’S, ITS SUPPLIERS’ AND LICENSORS’ TOTAL AGGREGATE LIABILITY RELATING TO, ARISING OUT OF, IN CONNECTION WITH, OR INCIDENTAL TO THIS AGREEMENT, WHETHER FOR BREACH OF CONTRACT, BREACH OF WARRANTY, INDEMNIFICATION OR ANY OTHER CLAIM SHALL BE LIMITED TO THE ACTUAL DIRECT DAMAGES INCURRED BY CUSTOMER, UP TO THE AGGREGATE AMOUNTS PAID BY CUSTOMER AND RECEIVED BY QUARK HEREUNDER DURING THE TWELVE MONTHS IMMEDIATELY PRECEEDING THE APPLICABLE CLAIM. THE EXISTENCE OF MULTIPLE CLAIMS OR SUITS UNDER OR RELATED TO THIS AGREEMENT WILL NOT ENLARGE OR EXTEND THIS LIMITATION OF DAMAGES. CUSTOMER HEREBY RELEASES QUARK, ITS SUPPLIERS AND LICENSORS FROM ALL OBLIGATIONS, LIABILITY, CLAIMS OR DEMANDS IN EXCESS OF THIS LIMITATION. NEITHER PARTY WILL BRING A CLAIM AGAINST THE OTHER WITH RESPECT TO THE SUBJECT MATTER OF THE AGREEMENT MORE THAN TWELVE MONTHS AFTER THE EXPIRATION OR TERMINATION OF THE AGREEMENT FOR ANY REASON, AND EACH PARTY HEREBY WAIVES ITS RIGHT TO DO SO.

7.4 Exclusion of Certain Damages and Limitations of Types of Liability. IN NO EVENT WILL QUARK BE LIABLE FOR ANY SPECIAL, CONSEQUENTIAL, INCIDENTAL, INDIRECT OR PUNITIVE DAMAGES, OR LOST PROFITS OR LOST REVENUE ARISING OUT OF OR RELATED TO THE SUBJECT MATTER OF THIS AGREEMENT OR THE USE OF OR INABILITY TO USE THE SERVICE. THE FOREGOING EXCLUSION AND LIABILITY LIMITATIONS APPLY EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND EVEN IN THE EVENT OF STRICT OR PRODUCT LIABILITY. 

7.5 Interpretation. The limitations in sections 7.3 and 7.4 are independent of each other. The limitation of damages set forth in section 7.3 shall survive any failure of essential purpose of the limited remedy in section 7.4.

8. Notices and Requests.

Either party may give notice to the other party by means of electronic mail to the primary contact designated on the Order or by written communication sent by first class mail or pre-paid post, either of which shall constitute written notice under this Agreement. All additional access licenses purchased by Customer during the Term shall be subject to the terms of this Agreement. For clarity, in no event shall any other term or provision of this Agreement be deemed modified, amended or altered as a result of such purchase and all other changes to this Agreement shall be governed by terms of Section 9, below.

9. Additional Terms.

Quark shall not be bound by any subsequent terms, conditions or other obligations included in any Customer purchase order, receipt, acceptance, confirmation or other correspondence from Customer unless expressly assented to in writing by Quark and counter-signed by its authorized agent. The parties may supplement the terms of this Agreement at any time by signing a written addendum, which shall be deemed incorporated by this reference upon execution. The terms of any addendum shall control any conflicting terms in this Agreement. Unless expressly stated otherwise in an applicable addendum, all addenda shall terminate upon the expiration or termination of this Agreement.

10. General.

This Agreement shall be governed by Michigan law and controlling United States federal law, without regard to the choice or conflicts of law provisions of any jurisdiction to the contrary, and any disputes, actions, claims or causes of action arising out of or in connection with this Agreement or the Service shall be subject to the exclusive jurisdiction of the state and federal courts located in Grand Rapids, Michigan. No joint venture, partnership, employment, agency or exclusive relationship exists between the parties as a result of this Agreement or use of the Service. The failure of Quark to enforce any right or provision in this Agreement shall not constitute a waiver of such right or provision. All disclaimers, limitations, payment obligations and restrictions of warranty shall survive termination of this Agreement, as well as the provisions of this “General” section shall survive termination of this Agreement. If any part of this Agreement is found to be illegal, unenforceable, or invalid, Customer’s right to use the Service will immediately terminate, except for those provisions noted above which will continue in full force and effect. This Agreement, together with it’s the following exhibits, comprises the entire agreement between Customer and Quark and supersedes all prior or contemporaneous negotiations, discussions or agreements, whether written or oral, between the parties regarding the subject matter contained herein:

For good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties hereby agree to enter into this Subscription Agreement as of the latter of the two signature dates, below (the “Effective Date”).

Acknowledge and Agreed:

{Customer Name}

Signature: _______________________________

Name: _______________________________

Title: _______________________________

Date: _______________________________

Quark Software Inc.

Signature: _______________________________

Name: _______________________________

Title: _______________________________

Date: _______________________________

Exhibit A: Order

Quark Order Form

Subscriber Name:

<Customer Name>

Effective Date:

<Date Executed Below>

Order Form #

001

This Order is for the purchase by the company specified above (the “Customer”) of subscriptions to Quark Software, Inc. (“Quark”) Service and is governed by and subject to the Quark Subscription Agreement executed by the parties, or if no such agreement has been executed by the parties, the Quark Subscription Agreement located at [http://www.quark.com/subscriptionagreement] (the “Subscription Agreement”). Order line items for Professional Services shall reference mutually agreed Service Orders, which shall also be executed by both parties and attached to the Order that references them.

Product Name

Unit

Term

Unit Price

Discount

Extended Fee

<<This description will describe the specific customer’s quote information>>

<< >>
Users

1st Installment to Begin on | <<DATE>> |

     

<<This description will describe the specific customer’s quote information>>

<< >>
Users

2nd Installment to Begin on | <<DATE>> |

     

<<This description will describe the specific customer’s quote information>>

<< >>
Users

3rd Installment to Begin on | <<DATE>> |

     

Net Total

         

Designated Support Contacts:

Designated Management Contact

1st Technical Support Contact

Name:

Title:

Email:

Cell #:

2nd Technical Support Contact

Name:

Title:

Email:

Cell #:

Designated Management Contact
(Needed for Support Escalation Process)

Name:

Title:

Email:

Cell #:

  1. Please enter PO# if required for invoicing or initial if purchase order is not required. ______________.
  2. Payment of Quark invoices net 30 from the date of the invoice for this order. Thereafter annual subscription fees will be paid in advance. The parties agree that all payments will be by ACH or electronic funds transfer in accordance with instructions included on Quark invoices.
  3. Any discount offers contained on this Order Form are specific to this order and are not applicable to any future orders. New pricing will be in effect at the end of the subscription term on this order
  4. Subscription fees for multi-year terms will be paid annually in advance including any payment processing fees. For the sake of clarity, while payments will be made in annual intervals, the Customer agrees to pay through the end of the agreed upon subscription Term. Fees are based on the rights purchased and owned regardless of whether Customer uses the rights that are granted during the applicable Term.
  5. Provided Pricing under this Order Form is only valid through date
  6. Professional Services Cost in Order form are paid upfront and will be detailed on a separate Statement of Work (SOW) signed at a later date. <<date>>

EXHIBIT B

Service Level Agreement

Definitions

Term Description

Availability Zone (AZ)

One or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.

Core Business Hours

8am-6pm for the geography that the application instance is located in.

Customer

Refers to potential, past, or current customers.

Development

The development environment is the location of the main development activities for customizations to the application. This is where developers spend time functionally testing and improving the code that has been written to work with the application.
Typically, a development environment meets the minimum system requirements for the application to function and are often housed on premise, for greater control and flexibility.

Demo/Sandbox

Environments which are used for demonstration and feature walkthrough purposes

Hosting

Hosting makes legacy applications and websites accessible over the internet, using cloud resources.

Minor Environments

Minor Environments are non-production environments. Environments with UAT/Staging, Quality Assurance (QA)/Test or Development classifications, that may have been sold at a reduced service/license rate

Production

Production is the fully supported, resilient application environment. It is ready to be used by end users, to carry out their activities.

QA/Test

An environment where tests can run uninterrupted. Tests can be for checking that new releases and or features have not broken any customizations or configurations made, or that new customizations developed work as expected with the final product.
Typically, a test environment meets the minimum system requirements for the application to function and are often housed on premise, for greater control and flexibility.

Region

Separate geographic areas that AWS uses to house its infrastructure. These are distributed around the world so that customers can choose a region closest to them in order to host their cloud infrastructure there.

RPO

Recovery Point Objective – the maximum amount of data, as measured by time, that can be lost after a recovery from a disaster, failure, or comparable event before data loss will exceed what is acceptable to an organization.

RTO

Recovery Time Objective – the maximum tolerable length of time that a computer, system, network or application can be down after a failure or disaster occurs.

SaaS

Software-as-a-Service (SaaS) is a software licensing model, which allows access to a software application on a subscription basis, using a web browser. SaaS allows each user to access programs via the Internet, instead of having to install the software on the user’s computer.

SLA

Service Level Agreement

UAT/Staging

A UAT environment is set up for “user acceptance” of new functionality, along with testing how new customizations may affect the production system.
A UAT environment should be used to test all configuration or migration scripts and procedures, before they are applied to the production environment. This should ensure that all upgrades to the production environment will be completed reliably without errors.

Service Level Agreement

This Quark Service Level Agreement (this “SLA”) is a policy governing the use of the Included Services (listed below) and applies separately to each account using the Included Services.

The following are the standard Service Level Agreements (SLA’s) in use for providing the Included Services (listed below) by Quark, when purchased with Production licenses. These will be in use, unless individual additional terms have been agreed to in a separate contractual document, approved and signed by the Quark Management Team.

Included Services

  • Section 1 – Cloud Hosting Service Levels for Quark Publishing Platform
  • Section 2 – SaaS Service Levels for Quark Publishing Platform NextGen and Quark Docurated for Enterprise
  • Section 3 – SaaS Service Levels for Quark Docurated

Section 1 – Cloud Hosting Service Levels for Quark Publishing Platform

1. Access. Quark shall make the Production hosting service available twenty-four (24) hours per day, seven (7) days a week with the minimum uptime level shown below, for production environments. These numbers are based on uptime levels Quark receives as part of its IaaS, from its Cloud Service Providers (dependent on the environment purchased and component types used).

Such service availability numbers do not, however, include regularly scheduled maintenance or any unscheduled downtime due to failures beyond Quark’s control (such as errors or malfunctions due to Customer’s computer systems, local networks, or Internet connectivity).

Quark makes two SLA commitments for the Included Production Hosting Services:

  • For all environments that are running a single Instance, in one Availability Zone, we will ensure availability 99.5% of the time, in any given month (This is the base level commitment provided with all included services).
  • For all environments that have two or more instances deployed across multiple Availability Zones, we will ensure at least one environment is available 99.8% of the time, in any given month (Available to purchase as an additional service called Active Redundancy).

Please consult with your Quark support or cloud team representative, if any information is needed as to which category your environment falls into.

1.1. Minor Hosting Environments are not subject to this SLA. Minor Environments are sold at a lower price point and as such are not generally deployed with the same infrastructure resources as a Production level environment. These environments are much more flexible in their usage, for testing and updating of applications and therefore cannot be guaranteed at the same availability level as the production level SLA. Specific SLA requirements for these environments can be provided if needed and will incur additional cost.

Minor environments are representative for validation and testing purposes, but not replicas of Production, meaning performance levels should not be expected to be the same as Production environments.

2. Scheduled Maintenance and Upgrades. A regular scheduled maintenance window will need to be agreed. Quark shall conduct scheduled service maintenance outside of Core Business Hours or on weekends, where this is possible. If this is not possible, Quark support staff will work with the customer admin to minimize disruption. Quark shall give the Customer at least seventy-two (72) hours prior notice of the exact date and time of such scheduled maintenance via e-mail or other timely means of communication.

2.1. Demo/Sandbox level environments are provided with no SLA and will be maintained and upgraded at Quark’s discretion.

2.2. Product version upgrades can be requested by a customer admin contact, only after 30 days have elapsed, following the release date for a new version of a Quark application. The Hosting contract entitles the customer to one major version upgrade per year within the hosting service price, with other upgrades being able to be purchased via professional services. Downtime will need to be scheduled with the customer admin contact for upgrade requests. Downtime will be minimized, as upgrade employees will be trained and practiced in the upgrade of the software and if scheduled can be outside of peak environment usage times.

2.3. Customers that choose to stay on older versions of the application cannot be guaranteed that all fixes built will be backwards compatible with their version. Supported versions for fixes are current and current-1.

3. Data Retention and Recovery. Quark shall backup the Production Hosting service and other environment levels as follows:

Environment Level Backup Cycle RPO RTO

Production

Daily

4 hours (point in time recovery)

8 hours for in region issue and recovery in separate AZ 24 hours if primary region is down – cross region recovery

UAT/Staging

Daily

24 hours

24 hours

QA/Test

N/A

N/A

N/A

Development

N/A

N/A

N/A

3.1. Backups are kept for 30 days, offering a maximum restore point of 30 days. Backups will be stored in encrypted form, either in a secure secondary data center location or using a Cloud Service Provider service, that offers redundancy as standard. Quark shall implement sufficient measures to ensure that the backup data is accessible and maintained in a manner to enable restoration of the backup version of the service in the event of a system malfunction or outage.

3.2. Recovered environments will ensure basic product functionality and will be at 25-50% capacity of primary environments. Other recovery timeframes or requirements can be discussed but will incur additional cost. A disaster recovery test will be performed annually, to ensure the processes used, resources needed, and data format are correct, to allow this timeframe to be achieved.

3.4. Quark will restore the service to a mutually agreed backup point, as part of normal service delivery, if an issue in data integrity is seen, as the result of issues with the service being delivered i.e. issues with maintenance activities, the infrastructure, services or the application itself.

Quark does not guarantee to restore the data to a backup point, due to a customer end user having corrupted data or having incorrectly removed data from the system, whilst using the application or its API’s. The customer should reach out to the Quark service desk and an assessment will be made on what can be done. This will usually incur additional cost.

3.5. All data will be kept in the system for the duration of the service subscription, unless removed by the customer beforehand. Up to 30 days after the end of a subscription the data will be securely stored and the customer can request for it to be temporarily restored and made available, to aid only in data export activities. After the 30-day retention, the data will be permanently removed from the system, but may remain in standard backup cycles for a total of 60 days post end of subscription.

3.6. If a customer reinstates their subscription outside of the 30-day retention period, there will be no guarantee that their previous customer data will be available and the customer may be treated as a net new customer from a data perspective.

4. Requests for Support. Quark service representatives will be available to respond to support requests via email, online ticketing portal and phone. Quark support representatives shall respond to all customer support requests in a timely and professional manner and in accordance with our Product Support SLAs.

5. Security Measures. Quark shall take, at a minimum, the following measures to protect the Service:

  • Single tenancy, with dedicated Virtual Private Cloud
  • Encryption in transit (TLS 1.2 and security certificates)
  • Encryption at rest – EBS Volume, RDS and S3 encryption as standard, via AWS KMS
  • Firewall and AWS security groups
  • Resource monitoring and resource threshold alerting
  • IP whitelisting available at customer request
  • Role-based access control
  • Intrusion monitoring by Amazon GuardDuty
  • Full segregation of hosting environments from any standard Quark internal network, ensuring segregation of duties and no service data transfer.
  • Penetration testing (performed annually as part of the service)

Section 2 – SaaS Service Levels for Quark Publishing Platform NextGen and Quark Docurated for Enterprise

1. Access. Quark shall make the Production application service available twenty-four (24) hours per day, seven (7) days a week with the minimum uptime level of ninety-nine and nine tenths of a percent (99.9%) measured on a monthly basis. This is based on uptime levels Quark receives as part of its IaaS, from its Cloud Service Provider and the inclusion of components in the system being deployed over multiple Availability Zones.

Such service availability does not, however, include regularly scheduled maintenance or any unscheduled downtime due to failures beyond Quark’s control (such as errors or malfunctions due to Customer’s computer systems, local networks or Internet connectivity).

1.1. Minor SaaS Environments are not subject to this SLA. Minor Environments are sold at a lower price point and as such are not generally deployed with the same infrastructure resources as a Production level environment. These environments are much more flexible in their usage, for testing and updating of applications and therefore cannot be guaranteed at the same availability level as the production level SLA. Specific SLA requirements for these environments can be provided if needed and will incur additional cost.

Minor environments are representative for validation and testing purposes, but not replicas of Production, meaning performance levels should not be expected to be the same as Production environments.

2. Scheduled Maintenance and Upgrades. Quark shall conduct scheduled service maintenance outside of Core Business Hours or on weekends, where possible. If this is not possible, Quark support staff will work with the customer admin to minimize disruption. Quark shall give the Customer at least seventy-two (72) hours prior notice of the exact date and time of such scheduled maintenance via e-mail or other timely means of communication.

2.1. Demo/Sandbox level environments are provided with no SLA and will be maintained and upgraded at Quark’s discretion.

2.2. Upgrades to Production and Minor levels of QPP NextGen application environments will be agreed with the customer admin, before any activity would occur. Upgrade of the application will incur downtime.

2.3. Planned upgrades to the Production Quark Docurated for Enterprise multi-tenant systems will be delivered as per the product release schedule and communicated to the customer admin contact well in advance. Customers must receive the product updates at the same time as the other multi-tenant customers, unless they have purchased a single-tenant environment.

Planned upgrades to the Quark Docurated for Enterprise UAT multi-tenant systems will be delivered as per the product release schedule and communicated to the customer admin contact well in advance. As they live on a different cluster to Production environments, upgrades will be scheduled ahead of any new versions being delivered to Production, to allow customer testing. Customers must receive the product updates at the same time as the other multi-tenant customers, unless they have purchased a single-tenant environment.

2.4. Customers that choose to stay on older versions of the applications cannot be guaranteed that all fixes built will be backwards compatible with their version. Supported versions for fixes are current and current-1.

3. Data Retention and Recovery. Quark shall backup the service as follows:

Environment Level Backup Cycle RPO RTO

Production

Continuous

4 hours (point in time recovery)

8 hours for in region issue and recovery 24 hours if primary region is down – cross region recovery

UAT/Staging

Daily

24 hours

24 hours

QA/Test

N/A

N/A

N/A

Development

N/A

N/A

N/A

3.1. Backups are kept for 30 days, offering a maximum restore point of 30 days. Backups will be stored in encrypted form, either in a secure secondary data center location or using a Cloud Service Provider service, that offers redundancy as standard. Quark shall implement sufficient measures to ensure that the backup data is accessible and maintained in a manner to enable restoration of the backup version of the service in the event of a system malfunction or outage.

3.3. Recovered environments will ensure basic product functionality and will be at 25-50% capacity of production environments. Other recovery timeframes can be discussed but will incur additional cost. A disaster recovery test will be performed annually, to ensure the processes used, resources needed, and data format are correct, to allow this timeframe to be achieved.

3.3. Quark will restore the service to a mutually agreed backup point, as part of normal service delivery, if an issue in data integrity is seen, as the result of issues with the service being delivered i.e. issues with maintenance activities, the infrastructure, services or the application itself.

Quark does not guarantee to restore the data to a backup point, due to a customer end user having corrupted data or having incorrectly removed data from the system, whilst using the application or its API’s. The customer should reach out to the Quark service desk and an assessment will be made on what can be done. This may incur additional cost.

3.4. All data will be kept in the system for the duration of the service subscription, unless removed by the customer beforehand. Up to 30 days after the end of a subscription the data will be securely stored and the customer can request for it to be temporarily restored and made available, to aid only in data export activities. After the 30-day retention, the data will be permanently removed from the system, but may remain in standard backup cycles for a total of 60 days post end of subscription.

3.5. If a customer reinstates their subscription outside of the 30-day retention period, there will be no guarantee that their previous customer data will be available and the customer may be treated as a net new customer from a data perspective.

4. Requests for Support. Quark service representatives will be available to respond to support requests via email, online ticketing portal and phone. Quark support representatives shall respond to all customer support requests in a timely and professional manner and in accordance with our Product Support SLAs.

5. Security Measures. Quark shall take, at a minimum, the following measures to protect the Service:

  • Multi tenancy offering with shared VPC and also Single tenancy offering, with dedicated VPC (Additional cost)
  • Encryption in transit (TLS 1.2 and security certificates)
  • Encryption at rest – EBS Volume, RDS and S3 encryption as standard, via AWS KMS
  • Firewall and AWS security groups
  • Resource and infrastructure monitoring and resource threshold alerting – via AWS Config, CloudWatch and CloudTrail
  • IP whitelisting available at customer request (Single tenant only)
  • Role-based access control
  • Intrusion monitoring by Amazon GuardDuty
  • Base container and OS scanning by Amazon Inspector
  • AWS security Hub for compliance with CIS Security Controls
  • Multi-factor authentication can be applied and controlled by integration with customer’s IDP
  • (SAML2)

  • Full segregation of SaaS environments from any standard Quark internal network, ensuring segregation of duties and no service data transfer.
  • Penetration testing (performed annually as part of the service)

Section 3 – SaaS Service Levels for Quark Docurated

1. Access. Quark shall make the Production Multi-Tenant application service available twenty-four (24) hours per day, seven (7) days a week with the minimum uptime level of ninety-nine and five tenths of a percent (99.5%) measured on a monthly basis. This is based on uptime levels Quark receives as part of its IaaS, from its Cloud Service Provider.

Such service availability does not, however, include regularly scheduled maintenance or any unscheduled downtime due to failures beyond Quark’s control (such as errors or malfunctions due to Customer’s computer systems, local networks or Internet connectivity).

2. Scheduled Maintenance and Upgrades. Quark shall conduct scheduled service maintenance outside of Core Business Hours or on weekends, where possible. If this is not possible, Quark support staff will work with the customer admin to minimize disruption. Quark shall give the Customer at least forty-eight (48) hours prior notice of the exact date and time of such scheduled maintenance via e-mail or other timely means of communication.

2.1. Planned upgrades to the Production Quark Docurated multi-tenant systems will be delivered as per the product release schedule and communicated to the customer admin contact well in advance. Customers must receive the product updates at the same time as the other multi-tenant customers, unless they have purchased a single-tenant environment.

3. Data Retention and Recovery. Quark shall backup the service as follows:

Environment Level Backup Cycle RPO RTO

Production

Daily

24 hours

24 hours

3.1. Backups are kept for 30 days, offering a maximum restore point of 30 days. Backups will be stored in encrypted form, either in a secure secondary data center location or using a Cloud Service Provider service, that offers redundancy as standard. Quark shall implement sufficient measures to ensure that the backup data is accessible and maintained in a manner to enable restoration of the backup version of the service in the event of a system malfunction or outage.

3.3. Recovered environments will ensure basic product functionality and will be at 25-50% capacity of production environments. Other recovery timeframes can be discussed but will incur additional cost. A disaster recovery test will be performed annually, to ensure the processes used, resources needed, and data format are correct, to allow this timeframe to be achieved.

3.6. Quark will restore the service to a mutually agreed backup point, as part of normal service delivery, if an issue in data integrity is seen, as the result of issues with the service being delivered i.e. issues with maintenance activities, the infrastructure, services or the application itself.

Quark does not guarantee to restore the data to a backup point, due to a customer end user having corrupted data or having incorrectly removed data from the system, whilst using the application or its API’s. The customer should reach out to the Quark service desk and an assessment will be made on what can be done. This may incur additional cost.

3.7. All data will be kept in the system for the duration of the service subscription, unless removed by the customer beforehand. Up to 30 days after the end of a subscription the data will be securely stored and the customer can request for it to be temporarily restored and made available, to aid only in data export activities. After the 30-day retention, the data will be permanently removed from the system, but may remain in standard backup cycles for a total of 60 days post end of subscription.

3.8. If a customer reinstates their subscription outside of the 30-day retention period, there will be no guarantee that their previous customer data will be available and the customer may be treated as a net new customer from a data perspective.

4. Requests for Support. Quark service representatives will be available to respond to support requests via email, online ticketing portal and phone. Quark support representatives shall respond to all customer support requests in a timely and professional manner and in accordance with our Product Support SLAs.

5. Security Measures. Quark shall take, at a minimum, the following measures to protect the Service:

  • Multi tenancy offering with shared VPC
  • Encryption in transit (TLS 1.2 and security certificates)
  • Encryption at rest – EBS Volume and S3 encryption as standard, via AWS KMS
  • Firewall and AWS security groups
  • Resource and infrastructure monitoring and resource threshold alerting – via AWS Config, CloudWatch and CloudTrail
  • Role-based access control
  • Intrusion monitoring by Amazon GuardDuty
  • Base container and OS scanning by Amazon Inspector
  • AWS security Hub for compliance with CIS Security Controls
  • Multi-factor authentication can be applied and controlled by integration with customer’s IDP (SAML2)
  • Full segregation of SaaS environments from any standard Quark internal network, ensuring segregation of duties and no service data transfer.

EXHIBIT C

Support Policy

Support Terms

Annual Security Questionnaire

Quark will use a questionnaire to support your internal security review once a year.

Access to a Customer Support Lead

Customers will have access to a Quark customer support lead (CSL). This CSL is not guaranteed to be the same person every time.

Dedicated Customer Support Lead

Customers will always interact with the same CSL.

End of Sale (EOS)

The date a software product release stops being sold. We support up to two major versions before they are declared EOS (the current major version and the one before it).

End of Life (EOL)

The date on which a software product reaches its end of life in terms of technical support and product updates. Our EOL cycle generally spans 24 to 30 months. We support up to two major versions before they are declared EOL (the current major version and the one before it). Once a software product reaches EOL, it is not available for download/install, and is not supported or updated.

Self-Service Support

Self-service support documentation is available on our support portal at support.quark.com.

Major Release

A new version of software product that includes changes to the architecture and/or delivers significant new features, enhancements to existing features, or performance improvements, as well as error corrections. Quark delivers at least one major release annually.

Feature Release

A superseding release of the current major release that adds to, improves or enhances substantial features, functionalities and capabilities of the current release. Quark delivers feature releases every six months, referred to as semi- annual releases.

Maintenance Release / Bug Fix

An update, upgrade, revision, patch, bug x, security/vulnerability x or an im- proved, upgraded or enhanced version of the software product to which a customer is rightfully entitled by way of a valid maintenance agreement, warranty or other Quark contract.

OS Upgrade Release

A release that addresses compatibility with the latest OS upgrades. Major and maintenance releases address OS upgrade issues.

Legacy Version

A software product that has reached its EOL. No support is available for a legacy version unless stipulated in the maintenance contract or agreed in writing with Quark.

Leadership Council Membership

This relates to membership of our Customer Leadership Council (CLC). The CLC gives our most important enterprise customers the chance to openly discuss the software with other users, gain new ideas for use cases and provide suggestions on future product innovation. Meetings are held throughout the year virtually.

Security Updates

Quark continuously reviews its software products for any security/vulnerability risks and releases updates to manage/mitigate those risks.

Remote Desktop Diagnostics

A customer may request support services via remote computer access. In doing so, they agree to grant Quark Support access to any and all customer systems dependent on Quark products via an external computer controlled by Quark. The sole purpose of this access is to provide support services to the customer.

Technical Support

Technical Support includes troubleshooting of technical issues and provide resolution/possible workaround to the end user with case type of an outage, defect, product issue, installation support, product information, how to or sales question.

User Group Membership

Access to our online user group where customers can interact with Quark on a daily basis, raise and vote on ideas, and provide product feedback.

3-Strike Policy

Our 3-strike policy applies on Pending or Resolved cases where our status is marked as With Customer, meaning we are still waiting on a response or a confirmation from the customer that the case has been resolved. The Quark support team shall make three attempts to contact the customer by phone or email within the designated Case Closure Policy timeframe before closing the case.

With Customer status

For Pending cases where we are still waiting to receive requested information from the customer, stopping us from taking the case to Resolved.

With Customer- on Hold Status

For Pending cases where the customer is unable to share the requested information within 3 business days.

Response Time

Time to acknowledge and confirm the severity, business impact and collect all required information to reproduce/confirm the case. Response Time clock will start once the case is reported in Support Portal and stop once awaiting information from client.

Target Resolution Time

Quark will use commercially reasonable efforts to provide Workaround or a Fix or inform the estimated time for resolution. Target Resolution SLA clock will start once issue is confirmed and stop once awaiting information from client.

RCA Time

Time to determine the root cause of the case and/ Or preventive steps. RCA SLA will start after resolution is accepted by the customer.

Support Entitlements

The following information details Quark’s provision of support to an eligible entity (“customer”) for the applicable products (each a “product” and collectively<“products”).

PROCESS FOR FEATURE REQUEST

If the support request (Case) does not qualify as a valid product failure when compared to its associated documentation, then it will be treated as a feature request and may be scheduled for an upcoming product release or as a paid customization delivered through Professional Services.

Quark Support Case Management

Quark manages cases through a Maintenance Release process governed in accordance with the below SLA:

Level 1 – Critical Business Impact
Renders the Quark product inoperable or causes the Quark products to fail catastrophically. All users are impacted.
Response Time – 3 business hours
Target Resolution – within 1 business day
RCA Analysis within 10 business days of resolution of case

Level 2 – Major Business Impact
Severely degraded performance or some important functionality is unavailable, but the product continues to operate although in a restricted fashion. No workaround is available, and some users are impacted.
Response Time – 2 business days
Target Resolution within 10 business days
*RCA Analysis within 20 business days of resolution of case / request of RCA whichever is later

Level 3 – Medium Impact
No major impact on the use of Quark products, and short-term workaround is available. Only a few users are affected.
Response Time – 5 business days
Target Resolution – within 30 business days

Level 4 – Low Impact
Standard functionality queries, like how-to questions or requests for product info, and documentation errors.
Response Time – 10 business days
Target Resolution – within 90 business days

Processing Support Request Within Defined Resolution Time

  • Quark will use commercially reasonable efforts to diagnose a technical issue and provide a remedy by eliminating the defect, providing software updates, demonstrating how to avoid the issue, or informing the end user that the issue requires more time to resolve. Despite Quark’s exercise of reasonable efforts, we may not be able to resolve some problems, so a resolution time is not guaranteed.
  • The processing time begins when the Quark’s Support Team acknowledges receipt of the support request. If the support request cannot be resolved within a commercially reasonable timeframe, the support request may be escalated within the Quark Support organization.
  • Customer’s designated technical contact must be available to work with Quark Support while Quark works to resolve the support request.
  • The SLA is applicable only to reported cases occurring within a production environment and with a case type of an outage, defect, product issue, installation support, product information, how-to or sales question.

Case Closure Policy

With Customer or Resolved status

The Quark support team shall apply the With Customer 3-Strike Policy for closing cases. They shall make three attempts to contact the customer by phone or email at one business day, two business days and three business days from when the last contact was made. After this, the case would be closed. The customer may request to place the case into the With Customer – On Hold status if their end user is unable to reply.

With Customer – On Hold status

The maximum duration of keeping the case under the status With Customer on Hold is shown below, after which the Quark support team would move the case to Closed.

  • Level 1- 1 business day
  • Level 2- 10 business days
  • Level 3- 30 business days
  • Level 4- 90 business days

Closed status

The case remains Closed , unless the customer wishes to re-open it. The Quark support team would create a new case if this need arose, taking reference from the previous case.

Technical Support Exclusions

  • Altered, damaged or Modified Quark Products
  • Errors caused by End User’s negligence, hardware malfunction or other causes beyond the reasonable control of Quark.
  • Quark Products installed in a hardware or operating environment not supported by Quark. or
  • Third-party software or components not licensed through or approved by Quark.
  • Custom Applications. Assistance in the development of custom applications for and/or from Quark Products is not included in the Maintenance Services.
  • Designated Employees. Only employees of End User designated as Support Representatives may contact Quark for the provision of the Maintenance Services. When setting up its account on the Support Portal and from time to time thereafter, Customer shall designate a limited number of qualified employees to serve as Support Representatives. Exceptions may be made in the case of an emergency.
  • End User Equipment. End User is responsible for the provision and maintenance of all equipment, hardware, telephone lines, communications or technology interfaces needed to operate the Quark Products and for Quark to provide the Maintenance Services.

Right to Modify Resolution Times

Quark reserves the right to alter resolution times, with reasonable discretion, and will notify customers in advance if any change to the resolution time occurs.

Customers who have a valid support plan or contract may contact Quark Support at https://www.quark.com/contact or call at the numbers below:

UNITED STATES
9 AM – 8 PM EST
800-676-4575

GERMANY
8.30 AM – 5.30 PM CEST
800-180-0101

UNITED KINGDOM
8:30 AM – 5:30 PM BST
0808-101-7082

FRANCE
8:30 AM – 5: 30 PM CEST
800-913-457

INDIA
10:00 AM – 7: 00 PM IST
000800-050-2361

QuarkXPress, QuarkXPress CopyDesk & Quark App Publishing Studio Support Plans

Commercial Plans & Support Entitlement

License Type: QuarkXPress Subscription

Product Upgrades

  • Major Releases – Yes
  • Maintenance Releases – Yes

Product Support

  • Technical Support – Yes
  • Support Hours – 18×5
  • Email/Web Portal Support – Yes
  • Phone – Yes
  • Chat – Yes
  • Access to Knowledge Base – Yes
  • Multi-Language Support – EN, FR, GE Remote Desktop Diagnostics – – Yes
  • Download and Installation – Yes
  • Serial Number and Activation – Yes

License Type – QuarkXPress Perpetual

Commercial Plan -Inactive Maintenance & Support Plan

Product Upgrades

  • Major Releases – No
  • Maintenance Releases – No

Product Support

  • Technical Support – No
  • Support Hours – NA
  • Email/Web Portal Support – No
  • Phone – No
  • Chat – Sales / Account Queries
  • Access to Knowledge Base – Yes
  • Multi-Language Support – EN, FR, GE
  • Remote Desktop Diagnostics – No
  • Download and Installation – Yes
  • Serial Number and Activation – Yes

Commercial Plan – Active Maintenance & Support Plan

Product Upgrades

  • Major Releases – Yes
  • Maintenance Releases – Yes

Product Support

  • Technical Support – Yes
  • Support Hours – 18×5
  • Email/Web Portal Support – Yes
  • Phone – Yes
  • Chat – Yes
  • Access to Knowledge Base – Yes
  • Multi-Language Support – EN, FR, GE
  • Remote Desktop Diagnostics – Yes
  • Download and Installation – Yes
  • Serial Number and Activation – Yes

Quark Publishing Platform (QPP), Quark Docurated for Enterprise & Quark Docurated Support Plans

Plan Name – Base Support Plan

Product Upgrades

  • Major Releases – Yes
  • Maintenance Releases – Yes
  • Security Updates & Review – Yes
  • Deployments – No

Product Support

  • Technical Support – Yes
  • Support Hours – 9×5
  • Phone/Chat/E-mail & Web Portal – Yes
  • Access to Knowledge Base – Yes
  • Multi-Language Support – EN, FR, GE
  • Consultancy for Enhancements & Escalations – No
  • Membership – User Group Membership
  • Access to CSL – Access
  • CSL Touchpoints – Quarterly
  • Roadmap Updates with PM – No
  • Annual Security Questionnaire Response – No
  • Pager During Weekends – No

Quark Publishing Platform (QPP), Quark Docurated for Enterprise & Quark Docurated Support Plans

Plan Name – Extended Support Plan

Product Upgrades

  • Major Releases – Yes
  • Maintenance Releases – Yes
  • Security Updates & Review – Yes
  • Deployments – No

Product Support

  • Technical Support – Yes
  • Support Hours – 24×5
  • Phone/Chat/E-mail & Web Portal – Yes
  • Access to Knowledge Base – Yes
  • Multi-Language Support – EN, FR, GE
  • Consultancy for Enhancements & Escalations – No
  • Membership – User Group Membership
  • Access to CSL – Dedicated
  • CSL Touchpoints – Monthly
  • Roadmap Updates with PM – No
  • Annual Security Questionnaire Response – No
  • Pager During Weekends – No

Plan Name – Premium Support Plan

Product Upgrades

  • Major Releases – Yes
  • Maintenance Releases – Yes
  • Security Updates & Review – Yes
  • Deployments – Yes

Product Support

  • Technical Support – Yes
  • Support Hours – 24×7
  • Phone/Chat/E-mail & Web Portal – Yes
  • Access to Knowledge Base – Yes
  • Multi-Language Support – EN, FR, GE
  • Consultancy for Enhancements & Escalations – Yes
  • Membership – Leadership Group Membership
  • Access to CSL – Dedicated
  • CSL Touchpoints – Bi- Weekly
  • Roadmap Updates with PM – Yes
  • Annual Security Questionnaire Response – Yes
  • Pager During Weekends – Yes

Supported Versions

Current Version

  • New/Improved Features – Yes
  • OS Upgrade Release – Yes
  • Bug Fixes – Yes
  • Technical Support – Yes
  • Self-Service Support – Yes

EOS

  • New/Improved Features – No
  • OS Upgrade Release – No
  • Bug Fixes – Yes
  • Technical Support – Yes
  • Self-Service Support – Yes

EOL

  • New/Improved Features – No
  • OS Upgrade Release – No
  • Bug Fixes – No
  • Technical Support – No
  • Self-Service Support – No

Supported Versions — QuarkXPress & QuarkXPress CopyDesk

2023 – Current Version

  • EOS – No
  • EOL – 30 Nov 2025

2022 – Current Version

  • EOS – No
  • EOL – 30 Nov 2024

2021 or prior – Legacy Version

  • EOS – Yes
  • EOL – Yes, Since (30 Nov 2022)

Supported Versions — Quark Publishing Platform (QPP)

QPP 16.x – Current Version

  • EOS – No
  • EOL – No

QPP 15.x – Current Version

  • EOS – Yes
  • EOL – 31 Dec 2024

QPP 14.x or Prior – Legacy Version

  • EOS – Yes
  • EOL – Yes

Supported Versions — QPP NextGen

NG 2.x – Current Version

  • EOS – No
  • EOL – No

NG 1.x – Previous Version

  • EOS – Yes
  • EOL – 31 Jan 2023

Supported Versions – Quark Docurated for Enterprise & Quark Docurated (Latest Version)

  • New/Improved Features – Yes
  • OS Upgrade Release – Yes
  • Bug Fixes – Yes
  • Self-Service Support – Yes

OS Support — QuarkXPress / QuarkXPress CopyDesk

2023

macOS Supported

  • macOS 12.4 (Monterey)
  • 11.x (Big Sur)
  • 10.15.x (Catalina)

Windows OS Supported

  • Windows 11 Version 21H2 (64 bit) or later,
  • Windows 10 Version 21H1 (64 bit) or later,
  • Microsoft Windows 8.1 with April 2014 update rollup update (KB2919355), and March 2014 servicing stack update (KB2919442) (64 bit)

2021

macOS Supported

  • macOS 12.0.1 (Monterey)
  • 11.6.1 (Big Sur)
  • 10.15.7 (Catalina)

Windows OS Supported

  • Windows 11 Version 21H2 (64 bit) or later,
  • Windows 10 Version 21H1 (64 bit) or later,
  • Microsoft Windows 8.1 with April 2014 update rollup update (KB2919355), and March 2014 servicing stack update (KB2919442) (64 bit)

OS Support — Quark App Publishing Studio

OS COMPATIBILITY

  • iOS: 13, 14, 15 and 16
  • Android: 8 and above

BROWSER SUPPORT

Latest versions of the following browsers:

  • Google Chrome
  • Microsoft Edge
  • Safari (Mac)
  • Firefox
  • Opera

OS Support — Quark Publishing Platform

QPP 16.x

Windows OS Supported

  • Windows Server 2012 R2, 64-bit
  • Windows Server 2016, 64-bit
  • Windows Server 2019, 64-bit

Linux OS Supported

  • Red Hat Enterprise Linux Server release 7.7 (Maipo)

QPP 15.x

Windows OS Supported

  • Windows Server 2012 R2, 64-bit
  • Windows Server 2016, 64-bit
  • Windows Server 2019, 64-bit

Linux OS Supported

  • Red Hat Enterprise Linux Server release 7.7 (Maipo)

Browser Support — QPP & QPP NextGen (Quark Author)

QPP NextGen

  • Google Chrome (latest released version)
  • Apple Safari (latest released version)

QPP 15.x and QPP 16.x

  • Google Chrome (latest)
  • Apple Safari (latest)
  • Internet Explorer – 10 & 11

OS Support — QuarkXPress Server

QuarkXPress Server 18.x (2022)

  • Windows Server 2012 R2, 64-bit
  • Windows Server 2016, 64-bit
  • Windows Server 2019, 64-bit

QuarkXPress Server 16.x (2020)

  • Windows Server 2012 R2, 64-bit
  • Windows Server 2016, 64-bit
  • Windows Server 2019, 64-bit

OS Support — Quark XML Author

Quark XML Author 7.x (for QPP)

  • Windows 7 — 32-bit, 64-bit (Enterprise, Professional or Ultimate)
  • Windows 8 — 32-bit, 64-bit
  • Windows 8.1 — 32-bit, 64-bit
  • Windows 10 — 32-bit, 64-bit

Quark XML Author 8.x (for QPP NextGen)

  • Windows 8 — 64-bit
  • Windows 8.1 — 64-bit
  • Windows 10 — 64-bit

MS Office Support – Quark XML Author

Quark XML Author 7.x (For QPP)

  • Microsoft Office 2010 32-bit, Professional Edition
  • Microsoft Office 2013 32-bit, Professional Edition (Build 4849.1000 or later)
  • Microsoft Office 2016 32-bit, Professional Edition (Semi-annual Channel: Version 1602, Build 6741.2071, released on September 13, 2016 or later.)
  • Microsoft Office 2016 64-bit, Microsoft Office 365 ProPlus (Semiannual Channel: Version 1701, Build 7766.2092, released on June13, 2017 or later.)

Quark XML Author 8.x (For QPP NextGen)

  • Microsoft Office 2016 64 bit, Professional Edition (Deferred Channel: Version 1602, Build 6741.2071. Released on September 13, 2016)”
  • Microsoft Office 365 (2016 and 2019) 64-bit

OS Support — Quark Docurated for Enterprise & Quark Docurated

OS / BROWSER SUPPORT

Quark Docurated web-based services are supported on the latest version of the following browsers:

  • Windows 10: Latest versions of Chrome, Edge, IE 11
  • Mac 10.14 and later: Latest versions of Safari, Chrome
  • iOS 12, 13 or 14: Latest versions of Safari, Chrome

Support for EOL Versions

Support Policy

Applicable if the customer commits to upgrade completion by December 31, 2022.

Quark shall use commercially reasonable efforts to diagnose a technical issue and provide a remedy with a possible workaround or resolution for avoiding the issue. It shall provide resolution for case types of outage, product issue, installation support, product information or how-to / sales questions.

Any issue defined as requiring a new product release such as a product defect, security issue or new feature request will not be supported.

Self-service support will continue to be available for all known product issues.

Support for Clients Using EOL* Versions

Plan Name & Support Eligibility

Product Upgrades

  • Major & maintenance releases / security updates & reviews / feature releases – No
  • Deployments / integrations – Yes

Product Support

  • Technical – Yes
  • Phone / chat / email / web portal – Yes
  • Access to knowledge base – Yes
  • Multi-language (EN, FR, GE) – Yes

EXHIBIT D

Data Processing Addendum

This Data Processing Addendum (“DPA”) is entered into by and between [CUSTOMER_NAME] (“Customer”) and Quark Software, Inc. (“Quark”). This DPA is incorporated into and supplemental to the Quark Master Subscription Agreement entered into between the parties which governs the provision of the Quark services by Quark to the subscriber of Quark’s services (“Agreement”). Except as modified below, the terms of the Agreement shall remain in full force and effect.

1. DEFINITIONS

1.1. Definitions: Capitalized terms not defined herein shall have the meaning given in the Agreement. In this DPA, the following terms (and derivations of such terms) shall have the following meanings:

1.1.1. “Applicable Data Protection Law” means all privacy and data protection laws that apply to Quark’s processing of Data under the Agreement (including, where applicable, the California Consumer Privacy Act of 2018 including its associated regulations and as amended (the “CCPA”), and European Data Protection Law).

1.1.2. Controller” means the entity that determines the purposes and means of the processing of Personal Data;

1.1.3. “Data” means Personal Data provided by Customer (directly or indirectly) to Quark for processing under the Agreement as more particularly identified in Appendix A (Processing Particulars);

1.1.4. “European Data Protection Law” means all EU and U.K. regulations or other legislation applicable (in whole or in part) to the processing of Personal Data under the Agreement (such as Regulation (EU) 2016/679 (the “GDPR”), the U.K. GDPR (defined below), and the Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance (“Swiss Addendum”); the national laws of each EEA member state and the U.K. implementing any EU directive applicable (in whole or in part) to the processing of Personal Data (such as Directive 2002/58/EC); and any other national laws of each EEA member state and the U.K. applicable (in whole or in part) to the Processing of Personal Data; in each case as amended or superseded from time to time.

1.1.5. “Model Clauses” means the standard contractual clauses attached to the European Commission’s Implementing Decision of 4 June 2021 under Article 28 (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29 (7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council, on standard contractual clauses, selecting Module Two between controllers and processors in any case where Customer is a Controller, and Module Three between processors in any case where Customer is a Processor, and excluding optional clauses unless otherwise specified), and any replacement, amendment or restatement of the foregoing, as issued by the European Commission, on or after the effective date of this DPA.

1.1.6. “Personal Data” means any information relating to an identified or identifiable natural person (a “Data Subject”), the processing of which is governed by Applicable Data Protection Law; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Where the CCPA applies, ‘Personal Data’ includes “personal information” as defined by the CCPA. Personal Data does not include anonymous or de-identified information or aggregated information derived from Personal Data.

1.1.7. “processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organizing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

1.1.8. “Processor” means an entity that processes Personal Data on behalf of the Controller. Where applicable, Processor includes “service provider” as defined by the CCPA.

1.1.9. “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Data.

1.1.10. “Sensitive Data” means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences.

1.1.11. “Sub-Processor” means an entity engaged by the Processor or any further sub-contractor to process Personal Data on behalf of and under the instructions of the Controller.

1.1.12. “U.K. GDPR” means the GDPR, as it forms part of the domestic law of the United Kingdom by virtue of Section 3 of the European Union (Withdrawal) Act 2018.

2. DATA PROTECTION

2.1. Relationship of the parties: As between the parties and for the purposes of this DPA, Customer appoints Quark as a Processor to process the Data on behalf of Customer. Where applicable, Quark is a “service provider” as defined in the CCPA. Customer shall comply with Applicable Data Protection law, including but not limited to providing notice to Data Subjects, and obtaining and periodically refreshing the consent of Data Subjects, where required, to Customer’s use of Quark’s Services and Customer’s own processing of Data. Customer represents and warrants it has and will continue to have the right to transfer Data to Quark for processing in accordance with the Agreement and this DPA. Quark shall comply with Applicable Data Protection Law and understands and shall comply with the prohibitions on Processors set forth in the CCPA with respect to such Data, including, without limitation and to the extent applicable in each case: (i) selling or sharing any Data (as the terms “sell” and “share” are each defined within the CCPA) where the sale or sharing of such Data is restricted by the CCPA, (ii) disclosing such Data to any party outside of the direct business relationship between Quark and Customer, or (iii) retaining, using or disclosing such Data for a commercial purpose other than performing the Services as set forth in the Agreement with Customer, or as otherwise expressly permitted under this DPA or the Agreement.

2.2. Purpose limitation: Each party acknowledges and agrees that all Data is disclosed by Customer hereunder only for those limited and specified purposes set forth in the Agreement and this DPA. Quark shall process the Data as a Processor only as necessary to perform the Services for Customer under the Agreement, and strictly in accordance with the documented instructions of Customer (including those in this DPA and the Agreement). In no event shall Quark process the Data for its own purposes or those of any third party. Quark may also anonymize or deidentify Data in accordance with Applicable Data Protection Law. Customer shall only give lawful instructions that comply with Applicable Data Protection Law and shall ensure that Quark’s processing of Data, when done in accordance with Customer’s instructions, will not cause Quark to violate Applicable Data Protection Law. Quark shall inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law. In any case where confirmation of a Controller’s instructions is required by Applicable Data Protection Law, the parties agree that the Agreement, together with this DPA, represents the complete and final documented instructions from the Controller of the Data to Quark as of the date of this DPA for the processing of Data. Nothing in this DPA shall be read to limit any obligations of Quark to assist Customer with Customer’s reasonable and appropriate efforts to ensure that Quark processes such Data in a manner consistent with each party’s obligations under the CCPA, including (i) the obligation to immediately notify Customer if Quark determines it can no longer meet its obligations under the CCPA with respect to such Data, and (ii) the obligation not to combine any such Data relating to a specific consumer with any other data about the same consumer in Quark’s possession and/or control, whether received from or on behalf of another person or persons or collected by Quark from its own interaction(s) with the consumer.

2.3. International transfers of Data: Quark is located in the United States and processes Data in the United States, for the activities including sales and marketing, operations, finance and customer technical support, amongst others. For Quark to perform Services for Customer pursuant to the Agreement, Customer consents to transfer (directly or indirectly) some Personal Data to Quark in the United States, as above. Quark SaaS products are offered in the geographical regions of EU, USA and Australia and the customer chooses the primary location for the environment at contract time. Customer Service Data is processed and resides within the geographical region that is chosen by the Data Controller (Customer). Within the SaaS and cloud hosting service environments, Quark will not transfer or process any Personal Information outside the region without the consent of the Data Controller (Customer). For Personal Data subject to European Data Protection Law, Quark agrees to abide by and process the Data in compliance with the Model Clauses, which are incorporated in full by reference and form an integral part of this DPA. For the purposes of the Model Clauses, the parties agree that:

2.3.1. Quark is the “data importer” and Customer is the “data exporter” (notwithstanding that Customer may itself be located outside the EEA/UK and/or a Processor acting on behalf of a third-party Controller);

2.3.2. Appendix A (Processing Particulars), Appendix B (Specific Security Measures), and Appendix C (Sub-processor List) of this DPA shall form Annex I, Annex II, and Annex III of the Model Clauses, respectively;

2.3.3. Option 2 under clause 9 of the Model Clauses will apply with respect to Sub-Processors. Annex III of the Model Clauses shall be subject to General Written Authorization, where “General Written Authorization” means that Quark has Customer’s general authorization (or the general authorization of the Controller of the Data) for the engagement of sub- processor(s) from the list set forth in Appendix C, which shall be amended from time to time in accordance with the terms of the Agreement, this DPA, and all Applicable Data Protection Law;

2.3.4. Audits described in clause 8.9 of the Model Clauses shall be carried out in accordance with the audit provisions detailed in Section 2.12 of this DPA;

2.3.5. The option under clause 11 of the Model Clauses shall not apply;

2.3.6. For purposes of clauses 17 and 18 of the Model Clauses, this DPA shall be governed by the laws of the Republic of Ireland. Any dispute arising from this DPA shall be resolved by the courts of the Republic of Ireland, and each party agrees to submit themselves to the jurisdiction of the same; and

2.3.7. It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Model Clauses. Accordingly, if and to the extent the Model Clauses conflict with any provision of this DPA, the Model Clauses shall prevail to the extent of such conflict with respect to Personal Data processed pursuant to the Model Clauses. Customer warrants it will not transfer any Sensitive Data to Quark.

2.4. Law enforcement requests.

2.4.1. If Quark becomes aware that any law enforcement, regulatory, judicial or governmental

authority (an “Authority”) wishes to obtain access to or a copy of some or all Data, whether on a voluntary or a mandatory basis, then unless legally prohibited as part of a mandatory legal compulsion that requires disclosure of Data to such Authority, Quark shall:

(a) promptly notify Customer of such Authority’s data access request;
(b) inform the Authority that any and all requests or demands for access to Data should be notified to or served upon Customer in writing; and
(c) not provide the Authority with access to Data unless and until authorized by Customer.

2.4.2. If Quark is under a legal prohibition that prevents it from complying with Section 2.4.1(a)-(c) in full, Quark shall use reasonable and lawful efforts to challenge such prohibition (and Customer acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended Authority access request). If Quark makes a disclosure of Data to an Authority (whether with Customer’s authorization or due to a mandatory legal compulsion), Quark shall only disclose such Data to the extent Quark is legally required to do so.

2.4.3. Section 2.4.1 shall not apply in the event that, taking into account the nature, scope, context and purposes of the intended Authority’s access to the Data, Quark has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual. In such event, Quark shall notify Customer as soon as possible following such Authority’s access and provide Customer with full details of the same, unless and to the extent that Quark is legally prohibited from doing so;

2.4.4. Solely with respect to Data that is subject to the GDPR, and/or where Data whose disclosure is otherwise restricted by Applicable Data Protection Law, Quark shall not knowingly disclose Data to an Authority in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society. Quark shall have in place, maintain and comply with a policy governing Personal Data access requests from Authorities which at minimum prohibits:

(a) massive, disproportionate or indiscriminate disclosure of Personal Data relating to Data Subjects in the EEA and the United Kingdom; and
(b) disclosure of Personal Data relating to data subjects in the EEA, and the United Kingdom to an Authority without a subpoena, warrant, writ, decree, summons or other legally binding order that compels disclosure of such Personal Data.

2.5. Confidentiality of processing: Quark shall ensure that any person that it authorizes to process the Data (including Quark’s staff, agents and subcontractors) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to process the Data who is not under such a duty of confidentiality.

2.6. Security: Quark shall implement appropriate technical and organizational measures to protect the Data from (i) accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data. At a minimum, such measures shall include the security measures identified in Appendix B. With respect to evaluation of the appropriate level of security for the processing of the Data, each party represents and warrants that:

2.6.1 It has taken due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the Data; and

2.6.2 It has evaluated the use of encryption and/or pseudonymization for the Data and has determined that the level provided by Quark is appropriate for the Data.

2.6.3 To the extent that the CCPA applies to the processing of the Data, the party has determined that the technical and organizational measures provided by Quark is no less than the level of security required by the CCPA.

2.7. Subcontracting: Quark shall not subcontract any processing of the Data to a third-party Sub- Processor unless: (i) Quark provides to Customer an up-to-date list of its then-current Sub- Processors upon request; and (ii) Quark provides at least thirty (30) days’ prior notice of the addition or removal of any Sub-Processor (including the details of the processing it performs or will perform, and the location of such processing). If Customer objects to Quark’s appointment of a third-party Sub-Processor on reasonable grounds relating to the protection of the Data, then either Quark will not appoint the Sub-Processor, or Customer may elect to suspend or discontinue the affected Services by providing written notice to Quark. Customer shall notify Quark of its objection within ten (10) business days after its receipt of Quark’s notice, and Customer’s objection shall be sent to and explain the reasonable grounds for Customer’s objection. If a timely objection is not made, Quark will be deemed to have been authorized by Customer (or, if Customer is a Processor of the Data, by the Controller of the Data) to appoint the new Sub-Processor. Quark shall impose the data protection terms consistent with the obligations set forth herein on any Sub- Processor it appoints as those provided for by this DPA, provided however the Customer’s acknowledges that Quark’s cloud service providers may not offer the audit rights and access described in this DPA, and that Quark’s obligations with respect to such audit and access rights are limited to those that the cloud service providers make available to Quark.

2.8. Cooperation and individuals’ rights: Customer is responsible for responding to Data Subject requests using Customer’s own access to the relevant Data. Quark shall provide all reasonable Quark Data Processing Addendum (Last Rev. Feb. 21, 2023) and timely assistance to enable Customer to respond to: (i) any request from an individual to exercise any of its rights under Applicable Data Protection Law, and (ii) any other correspondence received from a regulator or public authority in connection with the processing of the Data. In the event that any such communication is made directly to Quark, Quark shall promptly (and in any event, no later than within forty-eight (48) hours of receiving such communication) inform Customer providing full details of the same and shall not respond to the communication unless specifically required by law or authorized by Customer.

2.9. Data Protection Impact Assessment: Taking into account the nature of the processing and the information available to Quark, Quark shall provide Customer with reasonable and timely assistance with any data protection impact assessments as required by Applicable Data Protection Law and, where necessary, consultations with data protection authorities.

2.10. Security Incidents: Upon becoming aware of a Security Incident, Quark shall inform Customer without undue delay and shall provide all such timely information and cooperation to enable Customer to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Quark shall further take such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident. Quark shall not notify any third parties of a Security Incident affecting the Data unless and to the extent that: (a) Customer has agreed to such notification, and/or (b) notification is required to be made by Quark under Applicable Data Protection Law.

2.11. Deletion or return of Data: Upon termination or expiry of the Agreement, Quark shall (at Customer’s election) delete or return all Data, including copies in Quark’s possession or control no later than within sixty (60) days of Customer’s election. This requirement shall not apply to the extent that Quark is required by applicable laws to retain some or all of the Data, in which event Quark shall isolate and protect the Data from any further processing except to the extent required by such law, shall only retain such Data for as long as it is required under applicable laws, and shall continue to ensure compliance with all Applicable Data Protection Law during such retention.

2.12. Audit: Quark uses an external auditor to verify the adequacy of its security measures and controls for its Services. The audit is conducted annually by an independent third-party in accordance with ISO 27001 standards and results in the generation of an audit report (“Audit Report”) which is Quark’s confidential information. Upon written request, Quark shall provide Customer with a copy of the most recent Audit Report subject to confidentiality obligations of the Agreement or a non- disclosure agreement covering the Audit Report.

3. Miscellaneous

3.1. The obligations placed upon each party under this DPA shall survive so long as Quark and/or its Sub-Processors process Data on behalf of Customer.

3.2. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

3.3. It is not the intention of either party, nor shall it be the effect of this DPA, to contradict or restrict any provision of the Model Clauses and/or any Applicable Data Protection Law. To the extent that any provision of the Model Clauses conflicts with this DPA, the Model Clauses shall prevail to the extent of such conflict with respect to Personal Data which is subject to the Model Clauses. In no event shall this DPA restrict or limit the rights of any Data Subject or of any Authority. If there is a change in law requiring any change to this DPA to enable either party to continue to comply with Applicable Data Protection Law, the parties will negotiate in good faith to amend this DPA to the extent reasonably necessary to comply with Applicable Data Protection Law.

3.4. If any provision of this DPA is deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended to ensure its validity and enforceability while preserving the parties’ intentions as closely as possible; or (ii) if that is not possible, then construed in a manner as if the invalid or unenforceable part had never been included herein.

3.5. The term of this DPA will terminate automatically without requiring any further action by either party upon the later of (i) the termination of the Agreement, or (ii) when all Personal Data is removed from Quark’s systems and records, and/or is otherwise rendered unavailable to Quark for further Processing.

SIGNED by the parties or their duly authorized representatives:

QUARK SOFTWARE INC. [CUSTOMER_NAME]

Name

Name

Title

Title

Signature

Signature

Date

Date

APPENDIX A – PROCESSING PARTICULARS

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Name: Customer set forth in Agreement
Address: As set forth in the Agreement, or as set forth below.
Role: Controller or Processor

Data importer(s):

Name: Quark Software Inc.
Address: 1600 East Beltline Ave., N.E., Suite 210, Grand Rapids, MI 49525
Role: Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Customer may submit Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:

  • Employees, agents, advisors, freelancers of Customer (who are natural persons); and
  • Customer’s users, partners, and customers and the users and employees of those entities.

Categories of personal data transferred

Customer may submit Personal Data, the extent of which is determined and controlled by Customer (including Customer’s users, partners, and customers, in each case as applicable) in its sole discretion, and which may include, but is not limited to, the following types of Personal Data:

  • Identification and contact data (name, address, phone number, email address);
  • IT information (computer ID, user ID and password, domain name, IP address, log files, software usage pattern tracking information (i.e. cookies and information recorded for operation and training purposes); and
  • If the parties mutually agree on expanded use case, financial information (account details, payment information).

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

No sensitive data is transferred.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Data is transferred on a continuous basis during the term of the Quark Master Subscription Agreement and this DPA.

Nature of the processing

The nature of the processing of Customer Data is set out in the Quark Master Subscription Agreement and this DPA.

Purpose(s) of the data transfer and further processing

The purpose of the processing of Customer Data are set out in the Quark Master Subscription Agreement and this DPA.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal Data shall be retained by Quark for no longer than necessary to effect the services set out in the Quark Master Subscription Agreement and this DPA, subject to exemptions as set forth in Section 2.11 of this DPA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Quark transfers the Personal Data listed above to certain Sub-Processors (listed in Appendix C) for the sole purpose of facilitating Quark’s provision of services under the Quark Master Subscription Agreement. Sub- Processors have been instructed to retain any Personal Data processed by Quark for no longer than necessary to render sub-processing services for Quark.

APPENDIX B – SPECIFIC SECURITY MEASURES

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Security Controls

Quark’s information technology systems, which include those owned by them or those owned and operated by a third party for the benefit and use by Quark (“System”) includes a variety of security controls. These controls include:

  • Unique User identifiers (User IDs) to ensure that activities can be attributed to the responsible individual.
  • The ability to accept logins to the System from only authorized IP address ranges.
  • Controls to revoke access after several consecutive failed login attempts.
  • Controls on the number of invalid login requests before locking out a User.
  • Password controls, via SAML2 integration can be delegated and controlled by the customer IDP

Quark has achieved ISO27001 certification and the Information Security Management System (ISMS) that runs the SaaS service is now subject to an annual independent audit. If customer has purchased Platinum Support package, Quark will support an annual customer audit by security questionnaire, providing evidence of controls where possible, for customer to assess if controls comply with any needed industry or country specific information security requirements. More frequent review, or findings meaning that additional controls may be required to be implemented, may require additional commercial discussions between the parties, to come to a mutually agreed upon action plan.

Intrusion Detection

Quark, or an authorized third party, will monitor the System for unauthorized intrusions using network- based intrusion detection mechanisms.

User Authentication

Access to the Service requires a valid User ID and password combination, which are encrypted via SSL while in transmission. An encrypted session ID cookie is used to uniquely identify each User.

Security Logs

Quark shall ensure that log information for all Quark cloud systems, including applications, services, servers and other equipment is logged to their respective system log facility or a centralized logging account, in order to protect the logs from tampering and ensure investigations can be performed as needed. Logging will be kept for a minimum of 90 days and if there is suspicion of inappropriate access, Quark has the ability to review log entry records to assist in forensic analysis.

Incident Management

Quark maintains security incident management policies and procedures, including detailed security incident escalation procedures.

Quark will promptly notify Subscriber in the event Quark becomes aware of an actual or reasonably suspected unauthorized disclosure of Subscriber data.

Training and Awareness of Employees

All employees go through annual Information Security, Data Privacy and Compliance Training, delivered by a 3rd party training solution. Training is also completed during the onboarding process for new hires. Other role specific training is provided as needed.

All employees have to review and attest annually to a Code of Conduct and an Acceptable Use Policy.

Physical Security

Quark’s production data centers are provided by AWS and have an access system that controls access to the data center. This system permits only authorized personnel to have access to secure areas. The facility is designed to withstand adverse weather and other reasonably predictable natural conditions, is secured by around-the-clock guards, biometric access screening and escort-controlled access, and is also supported by on-site back-up generators in the event of a power failure.

Data Encryption

Quark uses industry accepted encryption products to protect Subscriber Data and communications during transmissions between Subscriber’s network and the Service, including 256-bit GoDaddy SSL Certification and 1024-bit RSA public keys.

Encryption at Rest (EBS Volumes, S3 and RDS, via AWS KMS)

System Changes and Enhancements

Quark plans to enhance and maintain the System during the term of the Agreement. Security controls, procedures, policies and features may change or be added.

Quark will provide security controls that deliver a level of security protection that is not materially lower than that provided as of the Effective Date and that meet the financial industry laws and regulations

Vendor Management

Quark performs due diligence on its critical vendors at purchase, at renewal, including getting an NDA, a contract and DPA’s in place, to ensure vendors only process data in order to provide Quark the purchased services and have the technical and organizational measures needed, to fully protect the data, based on its classification.

Vulnerability Management

Quark’s SaaS systems undergo an annual Independent PEN Test of a standard deployment Base container and OS scanning is performed by Amazon Inspector

AWS security Hub is used for tracking of compliance with CIS Security Controls

Open-Source Vulnerability scanning, SAST and DAST scanning are performed as part of the System Development Lifecycle

Monitoring

SaaS Infrastructure, assets and resources are monitored by AWS Config, CloudWatch and CloudTrail

Backups

Backups encrypted and copied to second region

APPENDIX C – LIST OF SUB-PROCESSORS

The controller has authorized the use of the following sub-processors:

Name Processing Territory(ies)

Amazon Web Services, Inc.

Cloud service provider and associated infrastructure services (analytics, compute, database, security, networking, and storage)

Headquartered in United States (not the location of processing activities)

Multi-tenant SaaS systems – QPP NextGen, Quark Docurated for Enterprise and Quark Docurated:

  • Deployed in AWS data centers in the United States, EU and Australia (Data Controller choice as to which will be used for primary data location)

Single-tenant SaaS systems – QPP NextGen and Quark Docurated for Enterprise:

  • Deployed in any of the AWS data center locations, selected by the Data Controller

Single-tenant cloud-hosting systems – QPP hosting:

  • Deployed in any of the AWS data center locations, selected by the Data Controller

Service Cloud (Salesforce)

Technical product support ticketing

United States

Nalpeiron

Quark Product Licensing

United States

APPENDIX D – COMPETENT SUPERVISORY AUTHORITY

For the purposes of any Personal Data subject to the GDPR and/or the GDPR as implemented in the domestic law of the United Kingdom by virtue of Section 3 of the European Union (Withdrawal) Act 2018, where such personal data processed in accordance with the Model Clauses, the competent supervisory authority shall be as follows:

(i) where Customer is established in an EU member state, the supervisory authority with responsibility for ensuring Customer’s compliance with the GDPR shall act as competent supervisory authority;

(j) where Customer is not established in an EU member state, but falls within the extra-territorial scope of the GDPR and has appointed a representative, the supervisory authority of the EU member state in which Customer’s representative is established shall act as competent supervisory authority; or

(k) where Customer is not established in an EU member state but falls within the extra-territorial scope of the GDPR without however having to appoint a representative, the supervisory authority of the EU member state in which the Data Subjects are predominantly located shall act as competent supervisory authority.

In relation to Personal Data that is subject to the U.K. GDPR, the competent supervisory authority is the United Kingdom Information Commissioner’s Office, subject to the additional terms set forth in the International Data Transfer Addendum to the EU Model Clauses attached hereto as “Appendix E”.

In relation to Personal Data that is subject to the data privacy laws of Switzerland, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

APPENDIX E – U.K. INTERNATIONAL DATA TRANSFER ADDENDUM

This U.K. INTERNATIONAL DATA TRANSFER ADDENDUM (“IDTA”) forms a part of the Data Processing Addendum (“DPA”) entered into by and between Quark, Inc. (“Quark”) and the party identified as the Customer in the DPA (“Customer”). Unless otherwise specified, all capitalized terms used in this IDTA have the meanings provided in the DPA.

1. Scope of IDTA. The obligations set forth in this IDTA apply solely to Personal Data subject to the U.K. GDPR that is processed under the DPA (“U.K. Personal Data”).

2. Incorporation of the U.K. Addendum. The parties agree that the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as issued by the U.K. Information Commissioner’s Office under s.119A (1) of the U.K. Data Protection Act 2018 (“U.K. Addendum”) is incorporated by reference into and forms a part of this IDTA as if fully set forth herein. Each party agrees that execution of the DPA (to which this IDTA is attached as an appendix and incorporated by reference) shall have the same effect as if the parties had simultaneously executed a copy of the U.K. Addendum.

3. Interpretation of the Model Clauses. For purposes of Processing U.K. Personal Data, any references in the DPA to the Model Clauses shall be read to incorporate the mandatory amendments to the Model Clauses set forth in the U.K. Addendum.

4. Addendum Terms. Tables 1 through 4 of the U.K. Addendum shall be completed as follows:

a. In Table 1 of the U.K. Addendum, the “Start Date” shall be the Effective Date of the DPA, and the details and contact information for the “data exporter” and the “data importer” shall be as specified in Appendix I of the DPA.
b. In Table 2 of the U.K. Addendum:
i. The version of the Model Clauses incorporated by reference into the DPA shall be the version applicable to this IDTA.
ii. Those provisions of the Model Clauses applicable under Module Two shall apply to this IDTA.
iii. The optional clauses and provisions of the Model Clauses applicable to this IDTA shall be those clauses and provisions specified in Section 2.3 of the DPA.

c. In Table 3 of the U.K. Addendum, the information required in Annexes I (both 1A and 1B), II, and III shall be as provided in Appendices A, B, and C of the DPA, respectively.

d. In Table 4 of the U.K. Addendum, if the ICO issues any revisions to the U.K. Addendum after the Effective Date (“ICO Revision”), Customer and Quark shall each have the right to terminate this IDTA in accordance with the U.K. Addendum, the DPA, and the Agreement.. Upon such termination of this IDTA:

i. Quark shall cease its Processing of the U.K. Personal Data; and
ii. Each party shall follow the processes described in Section 2.11 of the DPA with respect to the U.K. Personal Data.

Notwithstanding the foregoing, termination of this IDTA in the event of an ICO Revision shall not terminate the DPA, the Agreement, and/or the obligations of either party arising thereunder with respect to Personal Data other than U.K. Personal Data, except and unless expressly agreed by and between the parties.

5. No Amendments. The terms of the U.K. Addendum have not been amended in any way except as expressly stated herein.