INTERNATIONAL DECISION SYSTEMS
MASTER SOFTWARE AS A SERVICE AGREEMENT (USA)
BY SIGNING AN ORDER FORM REFERENCING THESE TERMS OR PAYING AN INVOICE REFERENCING THESE TERMS, THE CUSTOMER AGREES TO THE FOLLOWING TERMS AND CONDITIONS OF THIS MASTER SOFTWARE AS A SERVICE AGREEMENT, INCLUDING ALL ORDER FORMS, ATTACHMENTS, EXHIBITS AND SCHEDULES HERETO (COLLECTIVELY THE “AGREEMENT”) GOVERNING THE USE OF THE SERVICES (DEFINED BELOW) OFFERED BY INTERNATIONAL DECISION SYSTEMS, INC. (DBA SOLIFI), A COMPANY INCORPORATED IN DELAWARE, U.S.A., HAVING ITS PRINCIPAL OFFICE AT 220 S. 6TH STREET, SUITE 700, MINNEAPOLIS, MN 55402 U.S.A. (“SUPPLIER”).
1.1 “Affiliate” means any entity which directly or indirectly, through one or more intermediaries, controls, or is controlled by, or is under common control with a party to this Agreement, by way of majority voting stock ownership or the ability to otherwise direct or cause the direction of the management and policies of such party.
1.2 “Application Service(s)” means, collectively, any package as listed on the applicable Order Form and as further described in the applicable Documentation but excluding Third Party Components and Professional Services.
1.3 “Authorized Users” means individuals who are authorized by Customer to use the Services subject to restrictions set forth in Section 2.8 of this Agreement or as otherwise defined, restricted or limited in an Order Form, for whom subscriptions to Services have been procured during the Subscription Period, and who have been supplied user identifications and passwords by Customer (or by Supplier at Customer’s request). Authorized Users may include: (a) Customers’ employees; and (b) contractors and other third parties authorized by Customer to access the Services in compliance with Section 2.8 of this Agreement.
1.4 “Confidential Information” means the terms of this Agreement and any trade secrets or other nonpublic information of a party to this Agreement that is identified as or would be reasonably understood to be confidential and/or proprietary. Confidential Information of Supplier includes, without limitation, Services (and all algorithms, methods, techniques, and code and processes revealed or utilized therein and any related documentation), its user interfaces or other business plans, finances, marketing plans, customers, prospects, or other affairs that is disclosed to a Customer during the Subscription Term and that such Customer knows or has reason to know is confidential, proprietary, or trade secret information of the Supplier. Confidential Information of the Customer includes Customer Data. Notwithstanding the foregoing, with the exception of Personal Data, Confidential Information does not include any information that: (a) was known to the Receiving Party prior to receiving the same from the Disclosing Party in connection with this Agreement; (b) is independently developed by the Receiving Party without use of or reference to the Confidential Information of the Disclosing Party; (c) acquired by the Receiving Party from another source without restriction as to use or disclosure; or (d) is or becomes part of the public domain through no fault or action of the Receiving Party.
1.5 “Customer Data” means all electronic data (including Personal Data) submitted to the Services and the data (including Personal Data) available to Authorized Users from the Services.
1.6 “Disclosing Party” means the party to this Agreement disclosing Confidential Information to the Receiving Party.
1.7 “Documentation” means the then-current user manuals for the Application Services made accessible by Supplier to Customer, as updated from time to time.
1.8 “Effective Date” means the date the Order Form is last signed by the parties as noted in the signature blocks or specified in the Order Form.
1.9 “Error” means a reproducible defect or combination of defects that results in a failure of the Application Services to function substantially in accordance with the applicable Documentation. A reproducible defect shall mean a defect that Supplier can verify and reproduce using that version of the Application Services made available by Supplier to Customer under this Agreement. Errors shall exclude those discrepancies caused by: (a) the hardware, network or operating system on which Customer connects to the Application Services; (b) use of the Application Services not in accordance with Supplier’s then-current instructions; (c) third party infrastructure providers (e.g. Amazon Web Services); (d) data which does not conform to Supplier’s specified data format; (e) negligence of Customer, accident, misuse or operator error; (f) any other software (e.g., database software) that connects to the Application Services; or (g) any other cause which, in Supplier’s reasonable determination, is not inherent in the Application Services. In addition, an Error shall not include any Services downtime that is subject to the Service Level Commitments set forth in Exhibit C.
1.10 “Force Majeure Event” means any occurrence or omission as a result of which the party relying on it is prevented or delayed in performing any of its obligations under this Agreement and that is beyond the reasonable control of that party, including, without limitation, acts of God, acts of government (including compliance with any law or governmental order, rule, regulation or direction), floods, fires, earthquakes, civil unrest and/or commotion, sabotage and/or malicious damage, acts of terror, strikes or other labor problems (other than those involving Supplier’s employees), failure of a utility service or transport or telecommunications network including but not limited to cloud or Internet service provider failures, breakdown of plant or machinery, default of suppliers or sub-contractors, or delays, or denial of service attack.
1.11 “Intellectual Property Rights” means any and all rights in patents, patent applications, copyrights, copyright registrations, trade secrets, trademarks and service marks (including, where applicable, all derivative works of the foregoing).
1.12 “Managed Cloud Services” means support, infrastructure and application administration provided by Supplier to Customer as listed in Supplier’s then current “Managed Cloud Services Description” set forth under the Order Form and may be updated from time to time.
1.13 “Order Form” means the Supplier order form or other similar Supplier ordering document signed by the parties incorporating the terms of this Agreement, by which Customer purchases the Services or any Add-on Services, as described in Section 2.5, to be provided by Supplier subject to the terms of this Agreement. Each Order Form will describe the Services to be provided by Supplier, the Effective Date, charges, and payment terms and any other agreed terms and conditions applicable to such Services. Order Forms shall be deemed incorporated herein by reference.
1.14 “Personal Data” means data provided to Supplier by or at the direction of Customer, or to which access was provided to Supplier in the course of Supplier’s performance of Services that identifies or can be used to identify individual customer and consumer information or authenticate an individual. Personal Data includes any non-public personal information regarding any individual that is subject to applicable privacy laws and regulations governing the confidentiality and protection of non-public personal information.
1.15 “Professional Services” means the general consulting, project management, system design, conversion, programming, system training, implementation, and/or training services to be provided by Supplier or its contractors to Customer pursuant to a separate professional services agreement and statement of work entered into by the parties.
1.16 “Receiving Party” means the party to this Agreement receiving Confidential Information from the Disclosing Party.
1.17 “Services” means Application Services and Managed Cloud Services collectively.
1.18 “Subscription Fees” means the fees for the provision of Services as set forth on the applicable Order Form or invoice.
1.19 “Subscription Term” means the then current period during which Customer is licensed to use the Services under an Order Form. Unless otherwise set forth in an Order Form, the Subscription Term commences on the Effective Date of the applicable Order Form.
1.20 “Support” is defined in Section 2.1.
1.21 “Term” is defined in Section 4.
1.22 “Third Party Components” means all hardware and software, including free and open source software, integrations, applications, or implementation, customization and other consulting services related thereto, owned by a party other than Supplier and that interoperate with the Services.
1.23 “Use Description” means the description of restrictions on Customer’s use of and payment for the Services as set forth on the applicable Order Form (e.g., and without limitation, Authorized Users, Application Services, Add-on Services, Asset Value, Contract Count, Revenue as defined in the applicable Order Form).
2. USE OF THE SERVICES
2.1 Services and Support. Supplier will provide Customer with Services, and allow Authorized Users to access the Services in connection with Customer’s use of the Services, as set forth in one or more mutually agreed to and signed Order Forms during the applicable Subscription Term. Prior to obtaining access to the Services, Customer shall ensure that Authorized Users have executed a form of non-disclosure agreement with Customer or are otherwise bound by an obligation of confidentiality that protects Supplier’s Confidential Information to the same extent as this Agreement and in each case is registered in the Application Services with a unique UserID and a unique password. Customer shall ensure that no Authorized User is an equipment finance and/or leasing software or services provider or a representative of any such entity and that no Authorized User otherwise could reasonably be regarded as posing a threat to protection of Supplier’s Intellectual Property Rights. In consideration of the Subscription Fees, Supplier grants to Customer the right to use a limited, personal, non-exclusive, non-transferable, non-sublicensable license during the Subscription Term to access and use and permit Authorized Users to access and use the Services (as identified in the relevant Order Form) provided by Supplier to Customer in accordance with the Use Description, Documentation and this Agreement; in all cases, solely for the purposes of managing Customer’s own operations in accordance with the restrictions detailed in Section 2.8. Subject to Customer paying the applicable fee for the Services, Supplier shall, pursuant to the Supplier’s then current support guide and (a) provide Customer with access (via the internet, telephone or other means established by Supplier) to Supplier’s support helpline, (b) install, when and if generally available, updates, enhancements or modifications to the then-current, general release version of the Applications Services that are not separately priced or licensed as new products; and (c) shall use reasonable efforts to correct or provide work around solutions to Errors (the foregoing referred to collectively as “Support”). All fees for Support are included in the Subscription Fees.
2.2 Service Level. During the Subscription Term, Supplier will: (a) make the Application Services available in accordance with the then current “Service Level Commitment” listed on Exhibit C, as updated from time to time by Supplier; (b) upon receipt of notice that the availability of the Application Services has been interrupted in accordance with the Service Level Commitment, promptly use reasonable efforts to restore the Application Services. If the Application Services fail to achieve such “Service Level Commitment,” in addition to the non-monetary remedies that may be available to Customer under Section 7.1 of this Agreement, Customer will be entitled, as its sole and exclusive remedy for failure to meet the Service Level Commitment, to a credit for the Application Services in accordance with the terms set forth in the Service Level Commitment. Supplier will provide the Application Services only in accordance with laws applicable to Supplier’s provision of the Application Services.
2.3 Subscriptions. Unless otherwise specified in the applicable Order Form, (a) Services are purchased as subscriptions and may be accessed by Authorized Users consistent with the Use Descriptions, and (b) Authorized Users may reproduce, without modification, and internally use a reasonable number of copies of the Documentation solely in connection with the use of the Services in support of Authorized Users internal business operations. Except as otherwise provided in the Order Form or this Agreement, each Order Form and Subscription Term is non-cancellable and shall be subject to the terms and conditions of this Agreement.
2.4 Changes to Services. Supplier may update or modify the functionality, user interface, Documentation and other user information, or other components of the Services from time to time in its sole discretion, but will not materially diminish the functionality of a Service during the Subscription Term for that Service. Supplier will provide reasonable notice to Customer of any material modifications or updates prior to the change taking effect.
2.5 Add-On Services. Additional Application Services and/or Managed Cloud Services may be added during the applicable Subscription Term by executing one or more mutually agreed to Order Forms. Unless otherwise stated on an Order Form, the added Services shall terminate on the same date as the pre-existing subscriptions.
2.6 Professional Services. Customer may from time to time request that Supplier provide Professional Services. Any such Professional Services shall be provided by Supplier or its contractors pursuant to a separately executed professional services agreement between the parties and not under this Agreement.
2.7 Supplier Compliance with Laws. Supplier will comply with those laws applicable to Supplier for the provision of Services. Supplier does not guarantee the compliance of any Services or Customer’s use of any Services will enable Customer to comply, with the laws, regulations, or rules of any territory.
2.8 Use Restrictions. Customer is responsible for all activities conducted under its Authorized User logins and for its Authorized Users’ compliance with this Agreement. Authorized Users may only use the Services during the Subscription Term and subject to any Use Descriptions specified in the applicable Order Form. Except as otherwise explicitly provided in this Agreement or as may be expressly permitted by applicable law, Customer and Authorized Users will not, and will not permit third parties to: (a) use the Services except as expressly authorized in this Agreement; (b) access or use the Services to circumvent or exceed the Use Descriptions restrictions; (c) use any device, software, or routine that interferes or disrupts any application, function, or use of the Services; (d) copy, modify, translate, transmit, reproduce, distribute, republish, display, frame, or mirror the Services, except as permitted by this Agreement; (e) decompile, reverse-compile, disassemble, reverse-engineer or otherwise reduce to human-perceivable form all or any part of the Services or any part of the Services or otherwise attempt to discover any source code or create derivative works of the Services or any part of the Services; (f) rent, lease, resell, or sublicense; (g) use the Services to provide as a service bureau or to otherwise provide data processing services to third parties); (h) circumvent or disable any security or other technological features or measures of any Services or any part of the Services; (i) use the Services to build a similar or competitive product or service; (j) create user accounts under false or fraudulent pretenses; (k) except as provided in an Order Form, create shared or generic identifications and passwords to any Services; (l) use the Services in a manner that is contrary to applicable law or in violation of any third party rights of privacy or Intellectual Property Rights; (m) use the Services to send or store viruses, worms, time bombs, Trojan horses, or other harmful or malicious code, files, scripts, agents or programs; (n) access the Services for purposes of monitoring its availability, performance or functionality, or for any other benchmarking or competitive purposes; (o) remove, alter or obscure any of the Intellectual Property Rights notice(s) or restrictive legend(s) embedded in or that Supplier otherwise provides with the Services; (p) interfere with or disrupt the integrity or performance of the Services; or (q) obtain unauthorized access to the Services (including without limitation permitting access to or use of the Services via another system or tool, the primary effect of which is to enable input of requests or transactions by other than Authorized Users).
2.9 Customer Compliance with Laws. Customer will use the Services only in compliance with the terms of this Agreement (including any applicable Order Form and Documentation), and in accordance with all applicable laws, including those related to export, electronic communications, anti-spam legislations, data privacy and the transmission of personal data in any applicable jurisdiction when using the Services and obtain any permits, licenses and authorizations required for such compliance. Customer will immediately report to Supplier and use reasonable efforts to stop any access or use of the Services not in compliance with such terms or in accordance with such laws.
2.10 Protection against Unauthorized Use. Customer shall: (a) ensure that all access and use of the Services by its Authorized Users is in accordance with the terms and conditions of this Agreement, and (b) enforce a policy that protects log-in credentials for the Services and prevents Authorized Users from sharing any log-in credentials. Customer will, and ensure Authorized Users will, safeguard and prevent any unauthorized use of the Services and immediately notify Supplier in writing of any unauthorized use that comes to Customer’s attention. If there is unauthorized use by anyone who obtained access to the Services directly or indirectly through Customer, Customer will take, at Customer’s sole cost, all steps reasonably necessary to terminate the unauthorized use.
2.11 Ownership Rights.
- (a) Ownership of Customer Data and Customer Confidential Information. As between Supplier and Customer, Customer shall retain all title and Intellectual Property Rights in and to the Customer Data and Customer Confidential Information; however, Customer grants to Supplier an irrevocable, non-exclusive, royalty-free license: (i) for the Subscription Term, to use the Customer Data to provide Services to the Customer; and (ii) on an irrevocable, perpetual, non-exclusive, royalty-free, sub-licensable, transferable basis to aggregate de-identified statistical data regarding the use and functioning of its system by its various licensees, and all such data (none of which shall be considered Customer Data), will be the sole property of and vest in Supplier and to the extent that such Intellectual Property Rights in any such statistical data are for whatever reason vested in Customer then Customer hereby irrevocably assigns all such Intellectual Property Rights (by way of present and future assignment) to Supplier.
- (b) Ownership of Services and Derivatives. As between Supplier and Customer, Supplier shall retain all title and Intellectual Property Rights in and to the Services including any modifications and derivatives thereof. Customer does not acquire any rights, express or implied, in the Services, other than those specified in this Agreement. Customer hereby irrevocably assigns to Supplier any and all rights it may be deemed to have in the Services or any modifications or derivative thereof and (other than the rights expressly granted under this Agreement). Customer grants the Supplier a royalty-free, worldwide, perpetual license, subject to the confidentiality restrictions set forth in Section 11, to commercially exploit, use and incorporate into the Services any suggestions, enhancement requests, recommendations or other feedback provided by Customer, including Authorized Users, relating to the operation of the Services.
- (c) Further Acts. Customer shall execute, at Supplier’s reasonable expense, all documents necessary to implement and effect the assignments referred to in this section 2.11.
2.12 Customer Systems. Customer is responsible for obtaining, maintaining and supporting all internet access, computer hardware and other equipment and Services needed for it to access the Services and Supplier shall have no liability for failure to provide Services or inability to meet Service Level Commitments to the extent caused by any failure of the Customer to meet such responsibilities.
3. THIRD PARTY PRODUCT PROVIDERS
3.1 Acquisition of Third Party Components. Supplier or third parties may from time to time make available to Customer Third Party Components, including but not limited to third party applications and implementation, customization and other consulting services. Any acquisition by Customer of such Third Party Components, and any exchange of data between Customer and any Third Party Component provider, is solely between Customer and the Third Party Component provider. Supplier does not warrant or support Third Party Components, whether or not they are designated by Supplier as “certified” or otherwise, except as specified in an Order Form.
3.2 Third Party Components and Customer Data. If Customer installs or enables Third Party Components for use with the Services, Customer acknowledges that Supplier may allow Third Party Components to access Customer Data as required for the interoperation of such Third Party Components with the Services. Supplier shall not be responsible for any disclosure, modification or deletion of Customer Data resulting from any such access by Third Party Component providers. The Services shall allow Customer to restrict such access by restricting Authorized Users from installing or enabling such Third Party Components for use with the Services and it is the Customer’s responsibility to implement any access restriction settings within the Services that it requires to protect its Customer Data.
3.3 Integration with Third Party Components. The Services may contain features designed to interoperate with Third Party Components. To use such features, Customer may be required to obtain access to such Third Party Components from the provider. If the provider of any such Third Party Components ceases to make Third Party Components available for interoperation with the corresponding Services feature(s) on reasonable terms, Supplier may cease providing such Services feature(s) without entitling Customer to any refund, credit, or other compensation.
4. TERM4.1 The term of this Agreement shall commence on the Effective Date and shall continue until the date that the Service(s) set forth in all Order Forms are expired or terminated in accordance with the terms therein or this Agreement (the “Term”). Customer understands that it is responsible for all subscription fees under a Subscription Term regardless of actual use. During a Subscription Term, this Agreement may only be terminated pursuant to clause 7.1 or 7.2 of this Agreement. Unless otherwise specified therein, after the expiration of a multi-year Subscription Term listed in the Order Form, the Subscription Term will automatically renew for additional renewal Subscription Terms of twelve (12) months (“Renewal Subscription Term”). Supplier reserves the right to change then current fees for any Renewal Subscription Term. Customer or Supplier may elect to not renew the Subscription Term by providing written notice to the other party at least ninety (90) days before the commencement of the next Renewal Subscription Term.
5. FORCE MAJEURE
5.1 No party will be in default if its delay or failure to perform any obligation under this Agreement is caused solely by a Force Majeure Event. This Section 5 does not excuse either party’s obligation to take reasonable steps to follow its normal disaster recovery procedures or Customer’s obligations to pay amounts due under this Agreement.
6. FEES AND PAYMENT
6.1 Subscription Fees. Customer will pay Supplier the Service Fees and any other amounts owing under this Agreement within thirty (30) days of the invoice date unless otherwise specified on the Order Form, plus any applicable sales, use, excise, or other taxes. The fees for Add-on Services and other items procured during an existing Subscription Term will be prorated through the end date of the Subscription Term for the applicable Services. Except as otherwise specified in an Order Form (a) payment obligations are non-cancellable and fees paid are nonrefundable; and (b) subscriptions for modules, bundles, package, and add-on services set forth on an Order Form may only be reduced with at least ninety (90) days’ written notice prior to the commencement of a Renewal Subscription Term. If any fee payable is not paid within thirty (30) days from the date of the date of the invoice, Customer shall pay Supplier interest on the amount outstanding from the date due until payment is made at the rate of 1.5% of the outstanding balance per month, or the maximum permitted by law, whichever is lower, from the date such payment was due until the date paid.
6.2 Suspension of Services and Acceleration. If Supplier does not receive any undisputed amount due from Customer under this Agreement within thirty (30) days of when the amount became overdue, Supplier may in its discretion either, (i) accelerate Customer’s unpaid fee obligations under this Agreement so that all such obligations become immediately due and payable, or (ii) suspend Services to Customer until such amounts are paid in full. Supplier will give Customer at least fourteen (14) days’ prior notice that Supplier intends to accelerate the unpaid fees or suspend Services, in accordance with Section 11.4 (Notice), before accelerating fees or suspending Services to Customer. If Customer requires Supplier to use a system of payment that causes Supplier to incur any fees or Supplier incurs fees in connection with the Services, Supplier may invoice, and Customer will pay, all of those amounts. Other than Supplier’s right to terminate this Agreement for material breach, Customer’s payment of accelerated fees will be Supplier’s sole and exclusive remedy and Customer’s sole obligation for breach due to nonpayment.
6.3 Taxes. Other than net income taxes imposed on Supplier, Customer will bear all taxes, duties, and other governmental charges (collectively, “taxes”) resulting from this Agreement. Supplier shall invoice Customer the amount of the applicable taxes and Customer shall make payment under the invoice to Supplier within thirty (30) days of the invoice date. Customer will provide Supplier with official receipts issued by the appropriate taxing authority or such other evidence as is reasonably requested by Supplier to establish that such taxes have been paid.
6.4 Disputed Expenses, Fees or Charges. Customer shall have thirty (30) days after the date of an invoice to dispute in good faith an expense, fee or charge, by providing sufficient communication in electronic form, or otherwise, to allow Supplier to respond, or Customer shall be deemed to have otherwise waived its right to object. Customer shall not withhold payment of any undisputed amounts included in an invoice and shall pay those undisputed amounts within the original payment terms of the invoice. Payment of expenses, fees or charges for which a dispute has arisen shall be paid no later than sixty (60) days after the date of the invoice.
6.5 No set-off. Customer shall pay all amounts due to Supplier in full, without any set-off, counter-claim or deductions.
7. TERMINATION OF APPLICATION SERVICES
7.1 Termination for Material Breach. Either party may immediately terminate this Agreement and all Order Forms issued hereunder, in whole or in part, in the event the other party commits a material breach of any provision of this Agreement (other than the failure to pay any fees due under this Agreement, which is addressed below) which is not cured within thirty (30) days of written notice from the non-breaching party. A notice of breach of this Agreement shall not constitute a notice of termination under this Agreement. Any notice of termination shall be provided separately. If Supplier does not receive any amount due from Customer within thirty (30) days of when the amount became overdue, Supplier may terminate this Agreement, the Services, or any Order Form.
7.2 Additional Termination Rights. Supplier may immediately terminate this Agreement and all Order Forms issued hereunder, in whole or in part, in the event: (a) Customer assigns or transfers any rights under this Agreement in violation of Section 13.8; (b) Customer threatens, or resolves to become, subject to any form of insolvency administration; or (c) Customer ceases or threatens to cease carrying on its business, ceases to conduct its business in the ordinary course, enters into a scheme or arrangement or compromise with or for any of its creditors, or makes a general assignment for the benefit of its creditors.
7.3 Post-Termination Obligations. Upon expiration or termination of this Agreement: (a) Supplier may upon notice to Customer deactivate the Customer’s account and discontinue the provision of Services, (b) except in the event of Supplier’s material breach, the total amount of all unpaid fees for the entire Subscription Term will become immediately due upon the deactivation or suspension; (c) Supplier will archive the Customer Data for ninety (90) days after Supplier deactivates the Services; (d) upon Customer’s written request up to thirty (30) days after the date that Supplier may deactivate the Services, Supplier will make the Customer Data available to Customer in a mutually agreed to format at Supplier’s then current Professional Services rates; and (e) subject to 7.3(d), Supplier will be entitled to delete all Customer Data ninety (90) days following the deactivation date of the Services.
7.4 Survivorship. The following Sections will survive expiration or termination of this Agreement: 1, 2.11, 5, 6.1, 6.3, 6.4, 7.3, 7.4, 8.3, 9.2, 9.3, 10, 11, and 13.
8. WARRANTIES, REMEDIES, AND DISCLAIMER
8.1 Mutual Warranties. Each party represents and warrants to the other that this Agreement has been duly executed and delivered and constitutes a valid and binding agreement enforceable against such party in accordance with its terms.
8.2 Supplier Warranties. During the Subscription Term, Supplier warrants that: (a) the Application Services will operate without Errors; and (b) the Managed Cloud Services will be performed in a professional and workmanlike manner. As Customer’s sole and exclusive remedy for Supplier’s breach of these warranties, Supplier shall use commercially reasonable efforts to modify the Application Services to correct the Error or provide the Managed Cloud Services in a professional and workmanlike manner, as applicable. If Supplier is unable to do so in a commercially reasonable period of time given the severity of the Error or failure to perform Managed Cloud Services as warranted (not less than 30 days for either material Errors or failures to perform Managed Cloud Services as warranted, or such longer period as may be required for nonmaterial Errors or nonmaterial failures of the Managed Cloud Services to perform as warranted), Customer shall be entitled to terminate the Agreement pursuant to Section 7.1 (Termination for Material Breach) hereof and receive a pro rata refund of the subscription fees paid for its use of the Services for the terminated portion of the Subscription Term. The remedies in this Section 8.2 (Supplier Warranties) represent Supplier’s sole obligations and liability for a breach of the foregoing warranties. Customer must provide written notice to Supplier of any warranty claim. Such warranty shall apply only if the applicable Services have been utilized in accordance with the applicable Documentation, this Agreement and applicable law.
8.3 Disclaimer. THE LIMITED WARRANTIES IN SECTIONS 8.1 AND2 ARE MADE BY SUPPLIER TO CUSTOMER EXCLUSIVELY AND ARE IN LIEU OF ALL OTHER SUPPLIER WARRANTIES. ANY AND ALL OTHER WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES COMPLIANCE WITH APPLICABLE TAX LAWS OR TAX RULINGS, AS WELL AS ANY WARRANTIES IMPLIED BY LAW, SUCH AS THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT OR THOSE ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE, ARE HEREBY EXPRESSLY DISCLAIMED BY SUPPLIER AND ARE EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW. THE ABOVE WARRANTIES DO NOT GUARANTEE THAT THE APPLICATION SERVICES WILL BE SECURE, PERFORM UNINTERUPTED, OR ERROR-FREE, OR THAT SUPPLIER WILL BE ABLE TO CORRECT ALL ERRORS OR THAT THE SERVICES MEET CUSTOMER’S REQUIREMENTS. SUPPLIER DOES NOT WARRANT THAT ANY INFORMATION PROVIDED THROUGH THE SERVICES IS ACCURATE OR COMPLETE OR THAT ANY INFORMATION PROVIDED THROUGH THE SERVICES WILL ALWAYS BE AVAILABLE. SUPPLIER EXERCISES NO CONTROL OVER AND EXPRESSLY DISCLAIMS ANY LIABILITY ARISING OUT OF OR BASED UPON THE RESULTS OF CUSTOMER’S USE OF THE SERVICES.
9. INDEMNITY OBLIGATIONS
9.1 Supplier’s Indemnity Obligations. Subject to the terms of this Section 9 (Indemnity Obligations), Supplier shall defend, indemnify and hold harmless Customer and its Affiliates from and against any loss, cost and expense (including reasonable attorneys’ fees) that Customer incurs because of a third-party claim that the use of the Application Services as used in accordance with this Agreement infringe a third party’s Intellectual Property Rights. Supplier will have no obligation to indemnify Customer or liability for any such third party infringement claim to the extent caused by (a) the use of the Application Services in violation of this Agreement or applicable law, (b) the use of the Application Services after Supplier notifies Customer to discontinue use because of an infringement claim, (c) modifications to the Application Services not made by Supplier or made by Supplier based on Customer specifications or requirements, and (d) the use of the Application Services in combination with any non-Supplier software, application, or service, or (e) any product or service offered by Customer.
9.2 Customer’s Indemnity Obligations. Customer shall defend, indemnify and hold harmless Supplier, its Affiliates and third parties from and against any loss, cost and expense (including reasonable attorneys’ fees) that Supplier incurs because of a third party claim alleging that (a) Customer’s use of the Application Services miscalculated or otherwise mistakenly charged such third party for taxes, payments, or other amounts that were not otherwise properly owed as a result of Customer’s input, failure to use the Application Services in accordance with Documentation or failure to verify each asset location and applicable tax rate, (b) the Customer Data or use of any trademarks or service marks, infringe the copyright or trademark or misappropriates the trade secrets of a third party, or has caused harm to a third party, or (c) arising out of Customer’s breach of Section 2 (Use of the Services).
9.3 Notice and Obligations to Receive Indemnity. A party seeking indemnity agrees to no later than thirty (30) days after it receives notice of the claim (or sooner if required by applicable laws) to (a) promptly notify the indemnifying party in writing as to any such third-party claim or action, (b) give the indemnifying party sole control of the defense and any settlement negotiations, provided, that the indemnifying party will not agree to any settlement without the indemnified party’s prior written consent, unless such settlement includes a release of all claims by the claiming party against the indemnified party, does not require payment of any money by the indemnified party, and does not require the indemnified party to admit any wrongdoing, and (c) provide the indemnifying party with the information, authority, and assistance reasonably necessary to defend against or settle any such claim or proceeding. If the indemnified party chooses to represent its own interests in any such action, it may do so at its own expense, but such representation must not prejudice the indemnifying party’s right to control the defense of the claim and negotiate its settlement or compromise.
9.4 Mitigation/Limited Remedy. In the event of an infringement claim against Customer, or if Supplier reasonably believes the Application Services may infringe or misappropriate the Intellectual Property Rights of another, Supplier may in its sole discretion and at no cost to Customer (a) modify the Application Services so that they no longer infringe or misappropriate, without breaching Supplier’s warranty set forth in Section 8.2(a) (Supplier Warranties), (b) obtain a license for Customer’s continued use of the Application Services in accordance with this Agreement, or (c) terminate Customer’s subscriptions for such Application Services upon thirty (30) days’ written notice and refund to Customer any prepaid fees covering the remainder of the Subscription Term after the effective date of termination. SECTIONS 9.1 and 9.4 (Supplier’s Indemnity Obligations and Mitigation/Limited Remedy) SETS FORTH SUPPLIER’S EXCLUSIVE OBLIGATION AND LIABILITY WITH RESPECT TO INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS.
10. LIMITATIONS OF LIABILITY
10.1 Exclusion of Consequential and Related Damages. NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED IN THIS AGREEMENT AND ONLY TO THE EXTENT PERMITTED BY ANY APPLICABLE LAW, SUPPLIER, ITS AFFILIATES AND THIRD PARTIES WILL NOT BE LIABLE TO ANYONE FOR LOST PROFITS OR REVENUE OR FOR INCIDENTAL, CONSEQUENTIAL, PUNITIVE, COVER, SPECIAL, RELIANCE OR EXEMPLARY DAMAGES, OR INDIRECT DAMAGES OF ANY TYPE OR KIND HOWEVER CAUSED, WHETHER FROM BREACH OF WARRANTY, BREACH OR REPUDIATION OF CONTRACT, NEGLIGENCE, OR ANY OTHER LEGAL CAUSE OF ACTION FROM OR IN CONNECTION WITH THIS AGREEMENT (AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES). CERTAIN STATES AND/OR JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, IN WHICH CASE SUCH DAMAGES SHALL BE SUBJECT TO THE LIMITATIONS SET FORTH IN SECTION 10.2 (CAP ON LIABILITY) BELOW.
10.2 Cap on Liability. THE TOTAL AGGREGATE MAXIMUM LIABILITY OF SUPPLIER, ITS AFFILIATES AND THIRD PARTIES ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, THE SERVICES, OR ANY LICENSE, USE OR OTHER EMPLOYMENT OF THE APPLICATION SERVICES, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED ON BREACH OF CONTRACT, BREACH OF WARRANTY, NEGLIGENCE, TORT, STATUTORY DUTY, OR OTHERWISE, SHALL BE AN AMOUNT EQUAL TO THE EQUIVALENT OF THE MOST RECENT TWELVE (12) MONTHS OF SUBSCRIPTION FEES ACTUALLY PAID TO SUPPLIER BEFORE THE TIME OF THE EVENT, AND IN THE EVENT OF A BREACH OF SECTIONS 11 (CONFIDENTIAL INFORMATION) OR 12 (SAFEGUARDING CUSTOMER DATA) OF THIS AGREEMENT, SUCH MAXIMUM LIABILITY OF SUPPLIER SHALL BE AN AMOUNT EQUAL TO TWO (2) TIMES THE EQUIVALENT OF THE MOST RECENT 12 MONTHS OF SUBSCRIPTION FEES ACTUALLY PAID TO SUPPLIER THE TIME OF THE EVENT.
10.3 Exceptions. THE LIMITATIONS OF LIABILITY SET FORTH IN SECTION 10.2 (CAP ON LIABILITY) SHALL NOT APPLY TO: (A) FEES PAID OR PAYABLE UNDER THIS AGREEMENT; (B) A BREACH OF SECTIONS 2.8 – 2.11 (USE RESTRICTIONS, COMPLIANCE WITH LAWS, PROTECTION AGAINST UNAUTHORIZED USE, AND OWNERSHIP RIGHTS); (C) EITHER PARTY’S INDEMNITY OBLIGATIONS EXCEPT AS SET FORTH IN SECTION 9.4 (MITIGATION/LIMITED REMEDY); OR (D) DAMAGES CAUSED BY A PARTY’S WILLFUL MISCONDUCT.
10.4 Independent Allocations of Risk. EACH PROVISION OF THIS AGREEMENT THAT PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF WARRANTIES, OR EXCLUSION OF DAMAGES IS TO ALLOCATE THE RISKS OF THIS AGREEMENT BETWEEN THE PARTIES. THIS ALLOCATION IS REFLECTED IN THE PRICING OFFERED BY SUPPLIER TO CUSTOMER AND IS AN ESSENTIAL ELEMENT OF THE BASIS OF THE BARGAIN BETWEEN THE PARTIES. EACH OF THESE PROVISIONS IS SEVERABLE AND INDEPENDENT OF ALL OTHER PROVISIONS OF THIS AGREEMENT. THE LIMITATIONS IN SECTION 8 AND THIS SECTION 10 WILL SURVIVE AND APPLY NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY IN THIS AGREEMENT.
11 CONFIDENTIAL INFORMATION
11.1 Confidentiality. The Confidential Information disclosed under this Agreement may be used, disclosed or reproduced only to the extent necessary to further and fulfill the purposes of this Agreement. Except as otherwise permitted under this Agreement, the Receiving Party will not knowingly disclose to any third party, or make any use of the Disclosing Party’s Confidential Information. The Receiving Party will use at least the same standard of care to maintain the confidentiality of the Disclosing Party’s Confidential Information that it uses to maintain the confidentiality of its own Confidential Information, but in no event less than reasonable care. The non-disclosure and non-use obligations of this Agreement will remain in full force with respect to each item of Confidential Information for a period of five (5) years after Receiving Party’s receipt of that item; provided, however, that Customer’s obligations to maintain the Services and Documentation as confidential will survive in perpetuity. In addition, each party shall only hold all Personal Data as Confidential Information for as long as required by the applicable statutory, legal and regulatory requirements. Each of Supplier and Customer shall be responsible for the breach of the confidentiality terms contained in this Section 11 (Confidential Information) by any of its directors, officers, employees, Authorized Users, agents, accountants and advisors. Notwithstanding the foregoing, Supplier has the right to use the information as described in section 2.11(a) and this Section 11 is not intended to prevent (a) Supplier from using suggestions for product improvements provided by Customers, subject to any Intellectual Property Rights of the Disclosing Party, or (b) Supplier from using aggregated data regarding the use of the Managed Cloud Services to provide reports or analytics to Customer or to improve the performance of the Services, provided such data does not contain any Personal Data regarding Customer, its employees, customers or Authorized Users.
11.2 Exceptions. Notwithstanding the above, nothing herein shall prevent Receiving Party from disclosing Confidential Information Receiving Party is required to disclose by court order pursuant to the rules and regulations of a governmental agency or body having jurisdiction over Receiving Party, to the extent so required; provided, however, that prior to any such disclosure, Receiving Party shall, when legally permissible (a) notify Disclosing Party promptly in writing of any order or request to disclose and of the facts and circumstances surrounding such order or request so that the Disclosing Party may seek an appropriate protective order and (b) cooperate with Disclosing Party, at Disclosing Party’s sole cost and expense, in any proceeding to obtain an appropriate protective order.
11.3 Notification Obligations. Receiving Party will promptly provide Disclosing Party with written notice of any actual or threatened breach of which it is aware. Receiving Party agrees to take all reasonable measures, including, but not limited to, court proceedings at each Receiving Party’s own expense, to restrain current or future officers, employees, agents, consultants, contractors or advisors from unauthorized use or disclosure of Confidential Information.
11.4 Termination. Receiving Party shall: (a) when contractually permissible or otherwise legally required and reasonably requested by Disclosing Party, or (b) upon the expiration of this Agreement, whichever occurs first, promptly destroy Confidential Information of Disclosing Party, any copies thereof, and all notes, correspondence, documents or other records relating to Confidential Information then in Receiving Party’s possession; provided, however, Receiving Party may keep an archival set of its working papers together with such copies of Disclosing Party’s Confidential Information necessary to comply with applicable laws, regulations and professional standards with respect to the documentation of work performed.
12. SAFEGUARDING CUSTOMER DATA
12.1 Safeguarding Customer Data. Supplier shall maintain appropriate administrative, physical, and technical safeguards designed to protect the security, confidentiality and integrity of Customer Data in the possession or under the control of Supplier or to which Supplier has access, which are: (a) no less rigorous than those maintained by Supplier for its own information of a similar nature; (b) no less rigorous than generally accepted industry standards; and (c) required by applicable laws. Other than with respect to Supplier’s rights to de-identified data described in Section 2.11(a), Supplier shall not (i) modify Customer Data, (ii) disclose Customer Data except as compelled by law in accordance with Section 11.2 (Exceptions) or as expressly permitted in writing by Customer, or (iii) access Customer Data, except to provide the Services and prevent or address service or technical problems, monitor, make improvements, or adjustments to the Managed Cloud Services or at Customer’s request in connection with Customer support matters. Customer acknowledges that certain user-defined fields may be enabled by Customer, its affiliates or its third party agents to include Customer Data and other potentially sensitive information and that Supplier will have no obligation to de-identify or otherwise protect such fields unless the use of those fields enabled as apart of Supplier’s Professional Services or Managed Cloud Services.
12.2 Security. Without limiting the generality of Subsection 12.1, Supplier shall implement, maintain, and adhere to security policies and standards designed to protect Customer Data. Supplier’s public-facing Security Standards are attached hereto as Exhibit A, which may be updated from time to time.
12.3 Cloud Provider. Supplier currently leverages Amazon Web Services (“AWS”) for its infrastructure and service components. For these components, Supplier works in a shared responsibility model with AWS. AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate, including network and internet connectivity, while the Supplier assumes responsibilities and management of the guest operating system and configuration of the AWS provided security group firewall. Supplier may change its cloud provider in its sole discretion upon advance written notice to Customer, which may be in the form of an email or other electronic transmission.
13.1 Notice. The following notice types must be in writing and given within the time periods set forth below, and will be deemed given when delivered personally; sent by registered or certified mail, return receipt requested; confirmed by first class mail; or sent by overnight courier. Notices must be sent to a party at its address shown on the signature page of this Agreement, or to such other place as the party may subsequently designate for its receipt of notices in accordance with this Section.
|NOTICE TYPE:||TIME PERIOD:|
|Infringement claim||Within thirty (30) days of notification of claim (or sooner if required by law)|
|Breach of Section 8.2 or other breach by Supplier||Within ninety (90) days of breach|
|Fee dispute||Within thirty (30) days from date of invoice|
|Non-renewal of Subscription Term||Within (90) days before the commencement of the next Renewal Subscription Term|
All other notices and correspondence, including invoices, payments, and other documents and communications may be sent electronically or via regular mail.
13.2 Independent Contractors. The parties to this Agreement are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties. No party will have the power to bind the other, nor will any party misstate or misrepresent its relationship under this Agreement.
13.3 Anti-Corruption. Customer has not received or been offered any illegal or improper bribe, kickback, payment, gift, or thing of value from any Supplier employees or agents in connection with this Agreement. Reasonable gifts and entertainment provided in the ordinary course of business do not violate the above restriction. If Customer learns of any violation of the above restriction, Customer will promptly notify Supplier’s Legal Department ([email protected]).
13.4 No Third-Party Beneficiaries. Supplier and Customer intend that this Agreement will not benefit or create any right or cause of action in, or on behalf of, any person or entity other than the parties.
13.5 Waiver. No failure or delay, even if recurring, by either party in exercising any right under this Agreement shall constitute a waiver of that right.
13.6 Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of this Agreement shall remain in effect.
13.7 Attorney Fees. Customer shall pay on demand all of Supplier’s reasonable attorney fees and other costs incurred by Supplier to collect any fees or charges due Supplier under this Agreement following Customer breach of Section 6.1 (Subscription Fees).
13.8 Assignability. Customer may assign or transfer this Agreement, by operation of law or otherwise, in its entirety without consent assign, to: (i) a parent, sister company, Affiliate, related party or wholly-owned subsidiary (each, a “Related Party”); or (ii) any person that becomes the successor entity of either party in connection with a change of control (which shall include a direct or indirect transfer of all or substantially all of such Customer’s stock or assets to a third party, a merger, reorganization or any other such transaction), or any such transaction by a parent corporation of Customer, provided, however, that in no event may Customer assign, delegate or otherwise transfer this Agreement to an equipment finance and/or leasing software or services provider (except for Related Parties) without prior express written permission of Supplier. Any attempt at an assignment where consent is required will be void without the prior written consent of Supplier.
13.9 Export. The Services, other technology Supplier make available, and derivatives thereof may be subject to export laws and regulations of the United States and other jurisdictions. Each party represents that it is not named on any U.S. government denied-party list. Customer shall not permit any access or use of any Services in a U.S.-embargoed country or in violation of any U.S. export law or regulation.
13.10 Contractors. Supplier may perform any of its obligations under this Agreement though any of Supplier’s Affiliates or subcontractors (“Contractors”), but, in all such cases, Supplier will remain subject to the obligations contained in this Agreement. Supplier will keep and have available all necessary records and make all payments, reports, collections, and deductions, and otherwise do any and all things necessary so as to fully comply with all federal, state and local laws, ordinances and regulations regarding its Contractors.
13.11 Non-Solicitation. During the term of the Services and for a period of twelve (12) calendar months after the Supplier has ceased supplying Services to the Customer for any reason, the Customer must not, and will procure that any affiliate of Customer does not, directly or indirectly Solicit for employment or retention as an independent contractor, or in any way employ or allow any Resource of Supplier to perform services that are the same or similar to Services or support performed by Supplier in connection with Supplier’s products without the prior written consent of Supplier. For purposes of this Section: “Resource” means: (a) employees or independent contractors of Supplier who performed services, support or demonstrations of the Supplier’s products for Customer, and (b) former employees of Supplier who have performed services in connection with the Services and whose employment with Supplier ended less than twelve (12) months prior to the date of such offer to hire, hire, Solicitation, or employment; and “Solicit” does not include: (1) general solicitations, such as advertisements in newspapers, trade publications or directed at a broad audience, or (2) referrals to Customer by a search firm, employment agency or similar firm, provided, however, that such firm was not specifically directed by Customer. Notwithstanding the foregoing, Customer is not permitted to hire or offer for hire any Supplier Resource to perform services that are the same or similar to Services performed by Supplier in connection with Supplier’s products if such Resource responds to a general solicitation or referral as described in (1) and (2) above. In the event a court or competent jurisdiction deems any term, obligation, or condition of this section unenforceable, the provisions of Section 13.6 shall apply.
13.12 Publicity. Supplier may disclose Customer name when included in lists of Supplier customers including but not limited to general marketing materials, website, press releases, user-conferences and customer lists.
13.13 Governing Law. This Agreement will be interpreted, construed, and enforced in all respects in accordance with the local laws of the State of New York, U.S.A., without reference to its choice of law rules and not including the provisions of the 1980 U.N. Convention on Contracts for the International Sale of Goods or the Uniform Computer Information Act. Any dispute arising under these terms and conditions will be settled amicably and, if not successful, the dispute must be referred to a competent court in Minnesota. Supplier and Customer each waive their right to a trial by jury for any disputes between the parties.
13.14 Counterparts. This Agreement and any amendments to this Agreement or other signed agreement or instrument entered into in connection with this Agreement, may be executed in counterpart. Any such counterpart, to the extent delivered by means of digital imaging, facsimile machine, or electronic mail will be treated in all manner and respects as an original executed counterpart and will be considered to have the same binding legal effect as if it were the original signed version thereof delivered in person.
13.15 Conflicts. In the case of conflict or ambiguity between: (a) any provision contained in the body of this Agreement and any provision contained in the Exhibits, the provision in the body of this Agreement shall take precedence; and (b) the provisions of any Order Form and the provisions contained in the body of this Agreement (including Exhibits), the provisions contained in the Order Form shall take precedence.
13.16 Entire Agreement and Modifications. This Agreement, including the Order Forms, and all exhibits referenced therein, are the complete and exclusive statement of the Agreement and supersede all prior understandings and other prior or contemporaneous oral or written communications or obligations between the parties relating hereto, all of which are terminated. Each party acknowledges that in entering into this Agreement and any Order Forms, it does not rely on any statement, representation, assurance, or warranty (whether made innocently or negligently) that is not set out in the Agreement or any Order Form. Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in the Agreement or any Order Form. No usage of trade or other regular practice or method of dealing between the parties will be used to modify, interpret, supplement, or alter the terms of this Agreement. No modification of this Agreement will be effective unless it is in writing, is signed by each party, and expressly provides that it amends this Agreement. Supplier will not be bound by, and specifically objects to, any term, condition, or other provision that is different from or in addition to this Agreement that is proffered by Customer in any purchase order, receipt, acceptance, confirmation, correspondence, or otherwise, unless Supplier specifically agrees to such provision in a writing signed by an authorized agent of Supplier.
Information Security Program. Supplier will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) identify reasonably foreseeable and internal risks to security and unauthorized access to the Supplier network, (b) minimize security risks, including through risk assessment and regular testing; and (c) address information security, physical security, and business continuity management.
1. NETWORK SECURITY
- (a) Vulnerability Identification. Supplier will use commercially reasonable efforts to monitor, on a regular basis, reputable sources of computer security vulnerability information such as FIRST, CERT/CC, and Supplier mailing lists, and take appropriate measures to obtain, test, and apply relevant service packs, patches, upgrades, and workarounds.
- (b) Access Controls. The Supplier network on which Customer Data is stored will be electronically accessible to employees, contractors and any other person only as necessary to provide the Services. Supplier will maintain access controls and policies to manage what access is allowed to the Supplier network from each network connection and user.
- (c) Secure Transmission. Supplier shall ensure that all remote administrative access to production systems of the Supplier network is performed over encrypted connections (e.g., SSH, SCP, SSL-enabled web-management interfaces, and VPN solutions).
- (d)Penetration Testing. Supplier (or its service provider) will conduct external and internal penetration tests on an annual basis and provide to Customer a summary of the report detailing any critical and high-level issues based on the CVSS rating assigned to the issue as it applies to Customer Data, if requested by Customer. If such penetration tests expose vulnerabilities that Supplier believes could result in a breach of security, Supplier shall use commercially reasonable efforts to implement an appropriate remedy in a timely manner.
- (e) Log Maintenance. Supplier will maintain material event log files concerning activity on the Customer network related to: (a) user sessions established; (b) failed user authentication attempts and unauthorized attempts to access resources; and (c) events generated (e.g., commands issued) to make changes in security profiles, permission levels, application security configurations, and/or system resources.
- (f) The Supplier shall ensure that all Customer Data is protected by encryption while in use, at rest and during transmission. Supplier shall not unlock, reverse engineer, or otherwise link to a known person, hashed, encrypted, or otherwise anonymized Customer Data.
- (g) Intrusion Protection and Detection. Supplier shall deploy multiple layers of defense on Supplier network, including, but not limited to firewalls, network intrusion detection, and host-based intrusion detection systems. All security monitoring systems including, but not limited to, firewalls and intrusion detection systems will be monitored 24 hours per day, 365 days per year. Supplier shall configure firewalls, network routers, switches, load balancers, name servers, mail servers, and other network components in accordance with commercially reasonable industry standards. Supplier shall maintain corrective action and incident response plans to respond to potential security threats. Supplier shall configure infrastructure platforms and services (operating systems, web servers, database servers, firewalls, routers, etc.) used to provide Services under this Agreement and authentication mechanisms according to reasonable industry standards.
- (a) Coordination and Training. Supplier shall ensure that one or more employees coordinate the information security program, and that applicable employees are regularly trained on how to comply with the information security program. All personnel having access to Customer Data shall be informed of its restricted nature and their obligations with respect to protection and restricted use of Customer Data.
- (b) Pre-Employment Screening. Supplier shall conduct criminal background checks, as permitted by applicable law, as part of pre-employment screening practices for employees and contractors commensurate with the employee’s or contractor’s position and level of access to the Facilities. Supplier will not permit an employee or contractor to have access to the non-public Customer Data if such employee or contractor has failed to pass such background check.
3. PHYSICAL SECURITY
- (a) Physical Access Controls. Physical components of the Supplier network are housed in nondescript facilities (the “Facilities”). Physical barriers are used to prevent unauthorized entrance to the Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors are required to sign-in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorized employees or contractors while visiting the Facilities.
- (b) Limited Employee and Contractor Access. Supplier provides access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of Supplier or its affiliates.
- (c) Physical Security Protections. All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. Supplier also maintains electronic intrusion detection systems designed to detect unauthorized access to the Facilities, including monitoring points of vulnerability (e.g., primary entry doors, emergency egress doors, roof hatches, dock bay doors, etc.) with door contacts, glass breakage devices, interior motion-detection, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.
4. CONTINUED EVALUATION
Supplier will conduct periodic reviews of the security of its Supplier network and adequacy of its information security program as measured against industry security standards and its policies and procedures. Supplier will continually evaluate the security of its Supplier network and associated Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.
5. BREACH NOTIFICATION
Without limiting Supplier’s obligation under law, In the event Supplier becomes aware that the security of any Customer Data, including Personal Data, has been compromised, or that Customer Data has been or is reasonably expected to be subject to a use or disclosure not authorized by this Agreement (a “Data Security Incident”), Supplier shall: (a) promptly (and in any event within 48 hours of becoming aware of such Data Security Incident), notify Customer, in writing, of the occurrence of such Data Security Incident; (b) investigate such Data Security Incident and conduct a reasonable analysis of the cause(s) of such Data Security Incident; (c) provide periodic updates of any ongoing investigation to Customer; (d) develop and implement an appropriate plan to remediate the cause of such Data Security Incident to the extent such cause is within Supplier’s control; and (e) cooperate with Customer’s reasonable investigation or Customer’s efforts to comply with any notification or other regulatory requirements applicable to such Data Security Incident.
Support Service Levels And Continuous Improvement
As part of the Annual Subscription Fees, Supplier will make best efforts to meet the Response Targets set forth each Severity Level described in this Exhibit during the Subscription Term.
Case Severity Level
A Solifi support representative will work with the customer to assign the appropriate severity level to the Case based on the following descriptions:
|Severity 1||System Down. Users cannot conduct any business on the system|
|Severity 2||System severely impacted. A critical business process is not functioning.|
|Severity 3||System moderately impacted. The problem affects a small area of business. A workaround may be suggested or in place.|
|Severity 4||System minimally impacted. A minor error or issue is occurring that does not affect the business.|
Each Response Target below is calculated base on the difference between the time an incident is logged into Supplier’s tracking system and the time of the first communication sent to the Customer regarding the incident.
Supplier’s current Response Targets are defined in the following table:
|Severity Level:||Response Targets:|
|Severity 1 – Production Down||Within 1 hour|
|Severity 2 – High||Within 4 hours|
|Severity 3 – Medium||Within 24 hours|
|Severity 4 – Low||Within 48 hours|
The above Response Targets may be modified by Supplier from time to time to reflect current business practices, however such targets will not fall below the times set forth herein.
Service Level Commitment
1.) Uptime. Supplier will use commercially reasonable efforts to make the Services available with a quarterly uptime percentage of at least 99.5% during each calendar quarter of the Term, excluding regularly scheduled maintenance times or Force Majeure Events (“Quarterly Uptime Percentage”). If in any calendar quarter this uptime commitment is not met by Supplier and Customer was negatively impacted (i.e., attempted to log into or access the Service and failed due to the unscheduled downtime of the Services), Supplier shall provide, as the sole and exclusive remedy in connection with any interruption of Services a service credit equal to 25% of one month’s fee for the use of the Services during that calendar quarter. Only one service credit shall be available to Customer during any calendar quarter.
2.) Scheduled and Unscheduled Maintenance. Regularly scheduled maintenance time does not count as downtime. Regularly scheduled maintenance time typically is communicated at least a week in advance, scheduled to occur at night. Scheduled maintenance time may be amended by Supplier for operational purposes at its discretion from time to time with notice to Customer. Supplier in its sole discretion may take the Service down for unscheduled maintenance and in that event, will attempt to notify Customer in advance in accordance with the notice section set forth below in Section 4 of this Exhibit C. Such unscheduled maintenance will be counted against the uptime guarantee.
3.) Credit Request. In order to receive a credit under this Service Level Commitment, Customer must request it by emailing Supplier at [email protected] within fifteen (15) days of the end of the calendar quarter with details of the incident. Customers who are past due or in default with respect to any payment or any material contractual obligations to Supplier are not eligible for any credit under this Services Level Commitment. The service credit may be applied on the Customer’s next invoice or an extension of the Subscription Term. Service level downtime will be calculated using Supplier’s system logs and other records.
4.) Updates/Notice. Notices will be sufficient if provided to a user designated as an administrator of your Supplier cloud account either: (a) as a note on the screen presented immediately after completion of the log in authentication credentials at the log in screen, or (b) by email to the registered email address provided for the administrator(s) for Customer’s account.
5.) Exclusions. Supplier sandbox and test accounts and other nonproduction or test environments are expressly excluded from this or any other service level commitment.
6.) Backup and Disaster Recovery. The Supplier cloud solution is hosted in a primary data center, which is backed up by a second data center to provide disaster recovery protection. There are nightly backups of the databases and transaction logs saved at regular intervals.