@open-agreements/open-agreements 0.2.2 → 0.3.0

package/content/templates/common-paper-data-processing-agreement/README.md

@@ -40,6 +40,22 @@ A data processing agreement based on [Common Paper's](https://commonpaper.com) s
 | `cap_multiplier` | string | no | Liability cap multiplier |
 | `policy_url` | string | no | URL of where to find policies |
 
+
+### Signature Block
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `provider_signatory_type` | enum (`entity` / `individual`) | no | Whether the Provider signatory is an entity or individual (default: `entity`) |
+| `provider_signatory_name` | string | no | Full legal name of the Provider's signatory |
+| `provider_signatory_title` | string | no | Title/role of the Provider's signatory (entity only) |
+| `provider_signatory_company` | string | no | Company name for the Provider signatory (entity only) |
+| `customer_signatory_type` | enum (`entity` / `individual`) | no | Whether the Customer signatory is an entity or individual (default: `entity`) |
+| `customer_signatory_name` | string | no | Full legal name of the Customer's signatory |
+| `customer_signatory_title` | string | no | Title/role of the Customer's signatory (entity only) |
+| `customer_signatory_company` | string | no | Company name for the Customer signatory (entity only) |
+
+> **Note:** `*_title` and `*_company` are only rendered when the corresponding `*_type` is `entity` (default). When set to `individual`, those cells are left blank even if values are provided.
+
 ## Attribution
 
 Based on the Common Paper Data Processing Agreement, available at https://commonpaper.com.

package/content/templates/common-paper-data-processing-agreement/metadata.yaml

@@ -106,18 +106,412 @@ fields:
     type: string
     description: General text box entry
     section: Terms
-  - name: fill_in_value
+  - name: other_security_certification
     type: string
-    description: General fill-in value
-    section: Terms
+    description: Name of additional security certification (e.g. "ISO 27701 Privacy Information Management")
+    section: Security
+  - name: dpa_covered_claims_detail
+    type: string
+    description: Specific scope of DPA Covered Claims (e.g., breach of DPA, gross negligence resulting in Security Incident)
+    section: Legal
   - name: cap_multiplier
     type: string
     description: Liability cap multiplier
     section: Liability
+  - name: greater_of_dollar
+    type: string
+    description: Dollar amount for the greater-of liability cap
+    section: Liability
   - name: policy_url
     type: string
     description: URL of where to find policies
     section: Privacy
+  - name: has_subprocessor
+    type: boolean
+    description: >-
+      Set to true when a pre-approved subprocessor is specified.
+    section: Privacy
+  - name: dpa_security_reasonable_efforts
+    type: boolean
+    description: >-
+      Set to true when Provider will use commercially reasonable efforts
+      to secure the Service from unauthorized access.
+    section: Security
+  - name: has_dpa_security_policy
+    type: boolean
+    description: >-
+      Set to true when Provider has a Security Policy available at the
+      specified policy_url.
+    section: Security
+  - name: has_dpa_security_certifications
+    type: boolean
+    description: >-
+      Set to true when Provider maintains annually updated security
+      reports or certifications.
+    section: Security
+  - name: cert_iso_27001
+    type: boolean
+    description: Set to true when Provider holds ISO 27001 certification.
+    section: Security
+  - name: cert_penetration_testing
+    type: boolean
+    description: Set to true when Provider performs regular penetration testing.
+    section: Security
+  - name: cert_soc2_type1
+    type: boolean
+    description: Set to true when Provider holds SOC 2 Type I certification.
+    section: Security
+  - name: cert_pci_level1
+    type: boolean
+    description: Set to true when Provider holds PCI Level 1 certification.
+    section: Security
+  - name: cert_soc2_type2
+    type: boolean
+    description: Set to true when Provider holds SOC 2 Type II certification.
+    section: Security
+  - name: cert_pci_level2
+    type: boolean
+    description: Set to true when Provider holds PCI Level 2 certification.
+    section: Security
+  - name: cert_hipaa
+    type: boolean
+    description: Set to true when Provider holds HIPAA certification.
+    section: Security
+  - name: cert_fedramp
+    type: boolean
+    description: Set to true when Provider holds FedRAMP Authorization.
+    section: Security
+  - name: cert_other
+    type: boolean
+    description: >-
+      Set to true to include an additional security certification.
+      Specify the certification in other_security_certification.
+    section: Security
+  - name: indemnification_csa_reference
+    type: boolean
+    description: >-
+      Set to true when using Common Paper CSA-style indemnification
+      reference for DPA Covered Claims.
+    section: Liability
+  - name: indemnification_non_csa_reference
+    type: boolean
+    description: >-
+      Set to true when using non-CSA indemnification language for
+      DPA Covered Claims.
+    section: Liability
+  - name: cap_csa_reference
+    type: boolean
+    description: >-
+      Set to true when using CSA-style Increased Claim cap for
+      DPA Covered Claims.
+    section: Liability
+  - name: cap_non_csa_reference
+    type: boolean
+    description: >-
+      Set to true when using non-CSA liability cap language for
+      DPA Covered Claims.
+    section: Liability
+  - name: has_dpa_governing_law
+    type: boolean
+    description: >-
+      Set to true when DPA-specific governing law overrides the
+      Agreement's governing law clause.
+    section: Legal
+  - name: has_ccpa_terms
+    type: boolean
+    description: >-
+      Set to true when California Consumer Privacy Act (CCPA) terms
+      are included in the DPA.
+    section: Legal
+  - name: has_eea_transfers
+    type: boolean
+    description: >-
+      Set to true when EEA data transfer mechanisms are specified.
+    section: Privacy
+  - name: has_uk_transfers
+    type: boolean
+    description: >-
+      Set to true when UK data transfer mechanisms are specified.
+    section: Privacy
+  - name: data_subject_end_users
+    type: boolean
+    description: >-
+      Set to true when end users or customers are included as
+      data subjects.
+    section: Privacy
+  - name: data_subject_employees
+    type: boolean
+    description: >-
+      Set to true when employees are included as data subjects.
+    section: Privacy
+  - name: data_subject_custom
+    type: boolean
+    description: >-
+      Set to true to include a custom data subject category.
+      Specify in custom_option.
+    section: Privacy
+  - name: pd_name
+    type: boolean
+    description: Set to true when Name is a category of personal data processed.
+    section: Privacy
+  - name: pd_contact
+    type: boolean
+    description: >-
+      Set to true when contact information (email, phone, address)
+      is a category of personal data processed.
+    section: Privacy
+  - name: pd_employment
+    type: boolean
+    description: >-
+      Set to true when employment information (employee ID, compensation)
+      is a category of personal data processed.
+    section: Privacy
+  - name: pd_financial
+    type: boolean
+    description: >-
+      Set to true when financial information (bank account numbers)
+      is a category of personal data processed.
+    section: Privacy
+  - name: pd_professional
+    type: boolean
+    description: >-
+      Set to true when professional or biographic information (resume, CV)
+      is a category of personal data processed.
+    section: Privacy
+  - name: pd_transactional
+    type: boolean
+    description: >-
+      Set to true when transactional information (account info, purchases)
+      is a category of personal data processed.
+    section: Privacy
+  - name: pd_user_activity
+    type: boolean
+    description: >-
+      Set to true when user activity and analysis (device info, IP address)
+      is a category of personal data processed.
+    section: Privacy
+  - name: pd_location
+    type: boolean
+    description: >-
+      Set to true when location information is a category of personal
+      data processed.
+    section: Privacy
+  - name: pd_custom
+    type: boolean
+    description: >-
+      Set to true to include a custom personal data category.
+      Specify in custom_option.
+    section: Privacy
+  - name: security_measures_see_policy
+    type: boolean
+    description: >-
+      Set to true when security measures reference the Security Policy.
+    section: Security
+  - name: security_measures_custom
+    type: boolean
+    description: >-
+      Set to true to include custom security measures.
+      Specify in custom_option.
+    section: Security
+  - name: processing_continuous
+    type: boolean
+    description: >-
+      Set to true when data processing is continuous.
+    section: Privacy
+  - name: processing_frequency_custom
+    type: boolean
+    description: >-
+      Set to true to specify a custom processing frequency.
+      Specify in custom_options.
+    section: Privacy
+  - name: pa_receiving
+    type: boolean
+    description: >-
+      Set to true when receiving data (collection, accessing, retrieval)
+      is a processing activity.
+    section: Privacy
+  - name: pa_holding
+    type: boolean
+    description: >-
+      Set to true when holding data (storage, organization, structuring)
+      is a processing activity.
+    section: Privacy
+  - name: pa_using
+    type: boolean
+    description: >-
+      Set to true when using data (analysis, consultation, testing)
+      is a processing activity.
+    section: Privacy
+  - name: pa_updating
+    type: boolean
+    description: >-
+      Set to true when updating data (correcting, adaptation, alteration)
+      is a processing activity.
+    section: Privacy
+  - name: pa_protecting
+    type: boolean
+    description: >-
+      Set to true when protecting data (restricting, encrypting, testing)
+      is a processing activity.
+    section: Privacy
+  - name: pa_sharing
+    type: boolean
+    description: >-
+      Set to true when sharing data (disclosure, dissemination)
+      is a processing activity.
+    section: Privacy
+  - name: pa_returning
+    type: boolean
+    description: >-
+      Set to true when returning data to the data exporter or data
+      subject is a processing activity.
+    section: Privacy
+  - name: pa_erasing
+    type: boolean
+    description: >-
+      Set to true when erasing data (destruction, deletion)
+      is a processing activity.
+    section: Privacy
+  - name: pa_custom
+    type: boolean
+    description: >-
+      Set to true to include a custom processing activity.
+      Specify in custom_options.
+    section: Privacy
+  - name: sm_pseudonymization
+    type: boolean
+    description: >-
+      Set to true when pseudonymization and encryption of personal data
+      is a security measure.
+    section: Security
+  - name: sm_confidentiality
+    type: boolean
+    description: >-
+      Set to true when ensuring ongoing confidentiality, integrity,
+      availability, and resilience is a security measure.
+    section: Security
+  - name: sm_restore
+    type: boolean
+    description: >-
+      Set to true when ability to restore availability and access
+      after incidents is a security measure.
+    section: Security
+  - name: sm_testing
+    type: boolean
+    description: >-
+      Set to true when regular testing and evaluation of security
+      measures is a security measure.
+    section: Security
+  - name: sm_user_auth
+    type: boolean
+    description: >-
+      Set to true when user identification and authorization process
+      protection is a security measure.
+    section: Security
+  - name: sm_transit
+    type: boolean
+    description: >-
+      Set to true when protecting personal data during transmission
+      (in transit) is a security measure.
+    section: Security
+  - name: sm_storage
+    type: boolean
+    description: >-
+      Set to true when protecting personal data during storage
+      (at rest) is a security measure.
+    section: Security
+  - name: sm_physical
+    type: boolean
+    description: >-
+      Set to true when physical security of processing locations
+      is a security measure.
+    section: Security
+  - name: sm_logging
+    type: boolean
+    description: Set to true when events logging is a security measure.
+    section: Security
+  - name: sm_config
+    type: boolean
+    description: >-
+      Set to true when systems configuration and default configuration
+      is a security measure.
+    section: Security
+  - name: sm_governance
+    type: boolean
+    description: >-
+      Set to true when internal IT and IT security governance and
+      management is a security measure.
+    section: Security
+  - name: sm_certification
+    type: boolean
+    description: >-
+      Set to true when certification or assurance of processes and
+      products is a security measure.
+    section: Security
+  - name: sm_minimization
+    type: boolean
+    description: Set to true when data minimization is a security measure.
+    section: Security
+  - name: sm_quality
+    type: boolean
+    description: Set to true when ensuring data quality is a security measure.
+    section: Security
+  - name: sm_retention
+    type: boolean
+    description: >-
+      Set to true when ensuring limited data retention is a security measure.
+    section: Security
+  - name: sm_accountability
+    type: boolean
+    description: >-
+      Set to true when ensuring accountability is a security measure.
+    section: Security
+  - name: sm_portability
+    type: boolean
+    description: >-
+      Set to true when allowing data portability and ensuring erasure
+      is a security measure.
+    section: Security
+  - name: provider_signatory_type
+    type: enum
+    description: Whether the Provider signatory is an entity or individual
+    options:
+      - entity
+      - individual
+    default: entity
+    section: Signature Block
+  - name: provider_signatory_name
+    type: string
+    description: Full legal name of the Provider's signatory
+    section: Signature Block
+  - name: provider_signatory_title
+    type: string
+    description: Title/role of the Provider's signatory (entity only)
+    section: Signature Block
+  - name: provider_signatory_company
+    type: string
+    description: Company name for the Provider signatory (entity only)
+    section: Signature Block
+  - name: customer_signatory_type
+    type: enum
+    description: Whether the Customer signatory is an entity or individual
+    options:
+      - entity
+      - individual
+    default: entity
+    section: Signature Block
+  - name: customer_signatory_name
+    type: string
+    description: Full legal name of the Customer's signatory
+    section: Signature Block
+  - name: customer_signatory_title
+    type: string
+    description: Title/role of the Customer's signatory (entity only)
+    section: Signature Block
+  - name: customer_signatory_company
+    type: string
+    description: Company name for the Customer signatory (entity only)
+    section: Signature Block
 required_fields:
   - company_name
   - product_name

package/content/templates/common-paper-data-processing-agreement/replacements.json

@@ -1,3 +1,4 @@
 {
-  "[_________]": "{greater_of_dollar}"
+  "[_________]": "{greater_of_dollar}",
+  "[(1) Provider\u2019s breach or alleged breach of the DPA, or (2) Provider\u2019s gross negligence or willful misconduct, in each case, that results in a Security Incident.]": "{dpa_covered_claims_detail}"
 }

package/content/templates/common-paper-data-processing-agreement/selections.json

@@ -0,0 +1,211 @@
+{
+  "groups": [
+    {
+      "id": "has_subprocessor",
+      "type": "checkbox",
+      "standalone": true,
+      "options": [
+        { "marker": "{subprocessor_name}", "trigger": { "field": "has_subprocessor" } }
+      ]
+    },
+    {
+      "id": "security_commitments",
+      "type": "checkbox",
+      "options": [
+        { "marker": "Provider will use commercially reasonable efforts to secure the Service from unauthorized access", "trigger": { "field": "dpa_security_reasonable_efforts" } },
+        { "marker": "Security Policy available at {policy_url}", "trigger": { "field": "has_dpa_security_policy" } },
+        { "marker": "Provider will maintain annually updated reports or annual certifications", "trigger": { "field": "has_dpa_security_certifications" } }
+      ]
+    },
+    {
+      "id": "security_cert_iso27001",
+      "type": "checkbox",
+      "standalone": true,
+      "options": [
+        { "marker": "ISO 27001", "trigger": { "field": "cert_iso_27001" } }
+      ]
+    },
+    {
+      "id": "security_cert_pentest",
+      "type": "checkbox",
+      "standalone": true,
+      "options": [
+        { "marker": "Penetration testing", "trigger": { "field": "cert_penetration_testing" } }
+      ]
+    },
+    {
+      "id": "security_cert_soc2_type1",
+      "type": "checkbox",
+      "standalone": true,
+      "options": [
+        { "marker": "SOC 2 Type I", "trigger": { "field": "cert_soc2_type1" } }
+      ]
+    },
+    {
+      "id": "security_cert_pci_level1",
+      "type": "checkbox",
+      "standalone": true,
+      "options": [
+        { "marker": "PCI Level 1", "trigger": { "field": "cert_pci_level1" } }
+      ]
+    },
+    {
+      "id": "security_cert_soc2_type2",
+      "type": "checkbox",
+      "standalone": true,
+      "options": [
+        { "marker": "SOC 2 Type II", "trigger": { "field": "cert_soc2_type2" } }
+      ]
+    },
+    {
+      "id": "security_cert_pci_level2",
+      "type": "checkbox",
+      "standalone": true,
+      "options": [
+        { "marker": "PCI Level 2", "trigger": { "field": "cert_pci_level2" } }
+      ]
+    },
+    {
+      "id": "security_cert_hipaa",
+      "type": "checkbox",
+      "standalone": true,
+      "options": [
+        { "marker": "HIPAA", "trigger": { "field": "cert_hipaa" } }
+      ]
+    },
+    {
+      "id": "security_cert_fedramp",
+      "type": "checkbox",
+      "standalone": true,
+      "options": [
+        { "marker": "FedRAMP Authorized", "trigger": { "field": "cert_fedramp" } }
+      ]
+    },
+    {
+      "id": "security_cert_other",
+      "type": "checkbox",
+      "standalone": true,
+      "options": [
+        { "marker": "Other: {other_security_certification}", "trigger": { "field": "cert_other" } }
+      ]
+    },
+    {
+      "id": "indemnification_type",
+      "type": "checkbox",
+      "options": [
+        { "marker": "{csa_reference} The Agreement includes an additional Provider Covered Claim", "trigger": { "field": "indemnification_csa_reference" } },
+        { "marker": "{non_csa_reference} Without limiting the indemnity obligations", "trigger": { "field": "indemnification_non_csa_reference" } }
+      ]
+    },
+    {
+      "id": "cap_type",
+      "type": "checkbox",
+      "options": [
+        { "marker": "{csa_reference} The Agreement includes an additional Increased Claim", "trigger": { "field": "cap_csa_reference" } },
+        { "marker": "{non_csa_reference} The following is added to the end of Section 8.1", "trigger": { "field": "cap_non_csa_reference" } }
+      ]
+    },
+    {
+      "id": "dpa_governing_law",
+      "type": "checkbox",
+      "standalone": true,
+      "options": [
+        { "marker": "Notwithstanding the governing law or similar clauses of the Agreement, all interpretations and disputes about this DPA", "trigger": { "field": "has_dpa_governing_law" } }
+      ]
+    },
+    {
+      "id": "ccpa_terms",
+      "type": "checkbox",
+      "standalone": true,
+      "options": [
+        { "marker": "California Consumer Privacy Act", "trigger": { "field": "has_ccpa_terms" } }
+      ]
+    },
+    {
+      "id": "transfer_mechanisms",
+      "type": "checkbox",
+      "options": [
+        { "marker": "EEA Transfers:", "trigger": { "field": "has_eea_transfers" } },
+        { "marker": "UK Transfers:", "trigger": { "field": "has_uk_transfers" } }
+      ]
+    },
+    {
+      "id": "data_subjects",
+      "type": "checkbox",
+      "options": [
+        { "marker": "Customer\u2019s end users or customers", "trigger": { "field": "data_subject_end_users" } },
+        { "marker": "Customer\u2019s employees", "trigger": { "field": "data_subject_employees" } },
+        { "marker": "{custom_option}", "trigger": { "field": "data_subject_custom" } }
+      ]
+    },
+    {
+      "id": "personal_data_types",
+      "type": "checkbox",
+      "options": [
+        { "marker": "Name", "trigger": { "field": "pd_name" } },
+        { "marker": "Contact information such as email, phone number, or address", "trigger": { "field": "pd_contact" } },
+        { "marker": "Employment information such as employee ID or compensation", "trigger": { "field": "pd_employment" } },
+        { "marker": "Financial information such as bank account numbers", "trigger": { "field": "pd_financial" } },
+        { "marker": "Professional or biographic information such as resume or CV", "trigger": { "field": "pd_professional" } },
+        { "marker": "Transactional information such as account information or purchases", "trigger": { "field": "pd_transactional" } },
+        { "marker": "User activity and analysis such as device information or IP address", "trigger": { "field": "pd_user_activity" } },
+        { "marker": "Location information", "trigger": { "field": "pd_location" } },
+        { "marker": "{custom_option}", "trigger": { "field": "pd_custom" } }
+      ]
+    },
+    {
+      "id": "security_measures_reference",
+      "type": "checkbox",
+      "options": [
+        { "marker": "See Security Policy", "trigger": { "field": "security_measures_see_policy" } },
+        { "marker": "{custom_option}", "trigger": { "field": "security_measures_custom" } }
+      ]
+    },
+    {
+      "id": "processing_frequency",
+      "type": "checkbox",
+      "options": [
+        { "marker": "Continuous", "trigger": { "field": "processing_continuous" } },
+        { "marker": "{custom_options}", "trigger": { "field": "processing_frequency_custom" } }
+      ]
+    },
+    {
+      "id": "processing_activities",
+      "type": "checkbox",
+      "options": [
+        { "marker": "Receiving data, including collection, accessing, retrieval, recording, and data entry", "trigger": { "field": "pa_receiving" } },
+        { "marker": "Holding data, including storage, organization, and structuring", "trigger": { "field": "pa_holding" } },
+        { "marker": "Using data, including analysis, consultation, testing, automated decision making, and profiling", "trigger": { "field": "pa_using" } },
+        { "marker": "Updating data, including correcting, adaptation, alteration, alignment, and combination", "trigger": { "field": "pa_updating" } },
+        { "marker": "Protecting data, including restricting, encrypting, and security testing", "trigger": { "field": "pa_protecting" } },
+        { "marker": "Sharing data, including disclosure, dissemination, allowing access, or otherwise making available", "trigger": { "field": "pa_sharing" } },
+        { "marker": "Returning data to the data exporter or data subject", "trigger": { "field": "pa_returning" } },
+        { "marker": "Erasing data, including destruction and deletion", "trigger": { "field": "pa_erasing" } },
+        { "marker": "{custom_options}", "trigger": { "field": "pa_custom" } }
+      ]
+    },
+    {
+      "id": "security_measures_detail",
+      "type": "checkbox",
+      "options": [
+        { "marker": "Pseudonymization and encryption of personal data:", "trigger": { "field": "sm_pseudonymization" } },
+        { "marker": "Ensuring ongoing confidentiality, integrity, availability, and resilience", "trigger": { "field": "sm_confidentiality" } },
+        { "marker": "Ability to restore the availability of and access to Customer Personal Data", "trigger": { "field": "sm_restore" } },
+        { "marker": "Regular testing, assessment, and evaluation of the effectiveness", "trigger": { "field": "sm_testing" } },
+        { "marker": "User identification and authorization process and protection:", "trigger": { "field": "sm_user_auth" } },
+        { "marker": "Protecting Customer Personal Data during transmission", "trigger": { "field": "sm_transit" } },
+        { "marker": "Protecting Customer Personal Data during storage", "trigger": { "field": "sm_storage" } },
+        { "marker": "Physical security where Customer Personal Data is processed:", "trigger": { "field": "sm_physical" } },
+        { "marker": "Events logging:", "trigger": { "field": "sm_logging" } },
+        { "marker": "Systems configuration, including default configuration:", "trigger": { "field": "sm_config" } },
+        { "marker": "Internal IT and IT security governance and management:", "trigger": { "field": "sm_governance" } },
+        { "marker": "Certification or assurance of processes and products:", "trigger": { "field": "sm_certification" } },
+        { "marker": "Ensuring data minimization:", "trigger": { "field": "sm_minimization" } },
+        { "marker": "Ensuring data quality:", "trigger": { "field": "sm_quality" } },
+        { "marker": "Ensuring limited data retention:", "trigger": { "field": "sm_retention" } },
+        { "marker": "Ensuring accountability:", "trigger": { "field": "sm_accountability" } },
+        { "marker": "Allowing data portability and ensuring erasure:", "trigger": { "field": "sm_portability" } }
+      ]
+    }
+  ]
+}

package/content/templates/common-paper-design-partner-agreement/README.md

@@ -23,6 +23,24 @@ A design partner agreement based on [Common Paper's](https://commonpaper.com) st
 | `governing_law` | string | yes | State whose laws govern the agreement |
 | `jurisdiction` | string | yes | Courts with jurisdiction over disputes |
 
+
+### Signature Block
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `provider_signatory_type` | enum (`entity` / `individual`) | no | Whether the Provider signatory is an entity or individual (default: `entity`) |
+| `provider_signatory_name` | string | no | Full legal name of the Provider's signatory |
+| `provider_signatory_title` | string | no | Title/role of the Provider's signatory (entity only) |
+| `provider_signatory_company` | string | no | Company name for the Provider signatory (entity only) |
+| `provider_signatory_email` | string | no | Notice email address for the Provider |
+| `partner_signatory_type` | enum (`entity` / `individual`) | no | Whether the Partner signatory is an entity or individual (default: `entity`) |
+| `partner_signatory_name` | string | no | Full legal name of the Partner's signatory |
+| `partner_signatory_title` | string | no | Title/role of the Partner's signatory (entity only) |
+| `partner_signatory_company` | string | no | Company name for the Partner signatory (entity only) |
+| `partner_signatory_email` | string | no | Notice email address for the Partner |
+
+> **Note:** `*_title` and `*_company` are only rendered when the corresponding `*_type` is `entity` (default). When set to `individual`, those cells are left blank even if values are provided.
+
 ## Attribution
 
 Based on the Common Paper Design Partner Agreement, available at https://commonpaper.com.