MASTER SAAS AND SERVICES AGREEMENT
This Master SaaS and Services Agreement (this “Agreement”) is entered into by and between Skypoint Cloud Inc., a Delaware corporation (“Skypoint”) with a place of business at 14631 SW Milikan Way, Beaverton, OR 97003, and you (“Customer”). Skypoint and Customer are sometimes referred to jointly as the “parties” or singularly as a “party.”
RECITALS
WHEREAS, Customer desires to obtain access to the Services with respect to certain of its information technology needs; and Skypoint wishes to provide the Services to Customer, each on the terms and conditions set forth in this Agreement.
NOW, THEREFORE, in consideration of the mutual covenants and promises set forth herein, and other valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:
1. SERVICES
1.1 Purpose. This Agreement sets forth the terms and conditions under which Skypoint agrees to provide (i) certain hosted “software as a service” (“Subscription Services”) for certain software applications (each such application together with any applicable documentation thereto, and programming and user interfaces therefor, a “Platform”) to Authorized Users, as further set forth on each order form (“Order Form”) and (ii) if applicable, all other implementation services, customization, integration, data import and export, monitoring, technical support, maintenance, training, backup and recovery, and change management (“Professional Services” together with Subscription Services, the “Services”) related to Customer’s access to, and use of, such Subscription Services and each Platform, as further set forth on each statement of services (“Statement of Work”) issued hereunder (Order Forms and Statements of Work are sometimes referred to jointly as a “Statement of Services”).
1.2 The Services; Access and Use License. Subject to the terms and conditions of this Agreement, during the Term, Skypoint shall use commercially reasonable efforts to provide Customer the Professional Services. Subject to the terms and conditions of this Agreement, during the Term, Skypoint hereby grants Customer and Authorized Users a non-exclusive, non-sublicensable, nontransferable, worldwide license to access and use the Platform, solely for internal business purposes as set forth herein.
1.3 Subscription Services. Each applicable Order Form shall specify and further describe the Subscription Services to be provided in accordance with the representations and warranties set forth herein, and shall identify each applicable Platform, user limitations, fees, subscription term and other applicable terms and conditions. For the avoidance of doubt, if there is a conflict between the terms of this Agreement and the terms of any Order Form, the terms of this Agreement will control the conflict.
1.4 Professional Services. Each applicable Statement of Work shall specify and further describe the Professional Services to be provided in accordance with the representations and warranties set forth herein, and may, but need not, include the Professional Services offered, limitations, milestones, fees, term and other applicable terms and conditions. For the avoidance of doubt, if there is a conflict between the terms of this Agreement and the terms of any Statement of Work, the terms of this Agreement will control the conflict.
1.5 Changes to Platform. Skypoint may, in its sole discretion, make any changes to any Platform that it deems necessary or useful to (i) maintain or enhance (a) the quality or delivery of Skypoint’s products or services to its customers, (b) the competitive strength of, or market for, Skypoint’s products or services, (c) such Platform’s cost efficiency or performance, or (ii) to comply with applicable law. All such changes and modifications are subject to the license grants to Customer in this Section 1. Skypoint will use commercially reasonable efforts to notify Customer in advance of any material changes that may disrupt the Platform.
2. PLATFORM ACCESS AND AUTHORIZED USER
2.1 Administrative Users. During the configuration and set-up process for each Platform, Customer will identify a tenant administrative owner.
2.2 Authorized Users. Customer may allow such number of Customer’s employees and/or independent contractors as is indicated on an Order Form to use the applicable Platform on behalf of Customer as “Customer Users.” Additionally, if applicable to a Platform, Customer may allow such number of designees (“Vendor Users” and together with Customer Users, “Authorized Users”) to access each Platform in connection with such Authorized Users’ activity with Customer through such Platform subject to the terms of this Agreement. Authorized User subscriptions are for designated Authorized Users and cannot be shared or used by more than one Authorized User, but may be reassigned to new Authorized Users replacing former Authorized Users who no longer require ongoing use of the applicable Platform.
2.3 Authorized User Conditions to Use. As a condition to access and use of a Platform, each Authorized User shall agree to abide by the terms of this Agreement, and, in each case, Customer shall ensure such compliance. Customer shall immediately notify Skypoint of any violation of the terms of any of the foregoing by any Authorized User upon becoming aware of such violation and shall be liable for any breach of this Agreement by any Authorized User.
2.4 Account Responsibility. Customer will be responsible for (i) its and its Authorized Users’ access and use of the Platform and Subscription Services, and (ii) securing its Skypoint account, passwords (including but not limited to administrative and user passwords) and files. However, Skypoint will ensure that prior to access and use of a Platform by an Authorized User, each Authorized User is required to set up Single Sign On and Multi-Factor User Authentication security measures.
3. ADDITIONAL RESTRICTIONS AND RESPONSIBILITIES
3.1 Software Restrictions. Customer will not, nor permit or encourage any third party to, directly or indirectly (i) reverse engineer, decompile, disassemble or otherwise attempt to discover or derive the source code, object code or underlying structure, ideas, know-how or algorithms relevant to a Platform or any software, documentation or data related to a Platform (“Software”); (ii) modify, translate, or create derivative works based on a Platform or any Software; (iii) use a Platform or any Software for timesharing or service bureau purposes; (iv) modify, remove or obstruct any proprietary notices or labels; or (v) use any Software or a Platform in any manner to assist or take part in the development, marketing or sale of a product potentially competitive with such Software or Platform. For the avoidance of doubt, Software and the Services are the Confidential Information of Skypoint, and Customer will comply with Section 5 with respect thereto.
3.2 Customer Compliance. Customer shall use, and will ensure that all Authorized Users use, each Platform, Software, and the Services in full compliance with this Agreement and all applicable laws and regulations, including but not limited to laws governing the privacy and security of protected or confidential information. Skypoint may suspend Customer’s account and access to each Platform and performance of the Services at any time if Skypoint reasonably believes that Customer is in violation of this Agreement; provided that Skypoint shall undertake commercially reasonable efforts to provide Customer with notice and an opportunity to cure prior to any such suspension. Although Skypoint has no obligation to monitor Customer’s use of a Platform, Skypoint may do so.
3.3 Cooperation. Customer shall provide all cooperation and assistance as Skypoint may reasonably request that is necessary to enable Skypoint to exercise its rights and perform its obligations under, and in connection with, this Agreement, including providing Skypoint with such access to Customer’s premises and its information technology infrastructure as is necessary for Skypoint to perform the Services in accordance with this Agreement.
3.4 Training and Education. Customer shall use commercially reasonable efforts to cause Customer Users to be, at all times, educated and trained in the proper use and operation of each Platform such Customer Users utilize, and to ensure that each Platform is used in accordance with this Agreement.
3.5 Customer Systems. Customer shall be responsible for maintaining—both the functionality and security of—any equipment and ancillary services owned or licensed by Customer and needed to connect to, access or otherwise use each Platform, including modems, hardware, servers, software, operating systems, networking, web servers and the like.
3.6 Restrictions on Export. Customer may not remove or export from the United States or allow the export or reexport of the Software or anything related to a Platform, Software or Services, or any direct product thereof in violation of any restrictions, laws or regulations of any United States or foreign agency or authority.
3.7 DFARS. Software, each Platform and the Services and any documentation provided by Skypoint are deemed to be “commercial computer software” and “commercial computer software documentation” pursuant to Defense Federal Acquisition Regulation Supplement, codified under Chapter 2 of Title 48, United States Code of Federal Regulations, Section 227.7202, and Federal Acquisition Regulation, codified in Title 48 of the United States Code of Federal Regulations, Section 12.12. Any use, modification, reproduction, release, performance, display, or disclosure of the Software or documentation by the United States Government is governed solely by this Agreement and is prohibited except to the extent expressly permitted by this Agreement.
4. SUPPORT SERVICES. Skypoint will provide Customer with support services in connection with the Platform in accordance with the Service Level Agreement, entered into by and between Skypoint and Customer (such Service Level Agreement is incorporated herein by reference).
5. CONFIDENTIALITY
5.1 Confidential Information. Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has been, and may be, exposed to or acquired business, technical or financial information relating to the Disclosing Party’s business (hereinafter referred to as “Confidential Information”). Confidential Information of Skypoint includes non-public information regarding features, functionality and performance of each Platform and Software. Confidential Information of Customer includes non-public data provided by Customer to Skypoint to enable the provision of access to, and use of, the Services as well as all content, data and information recorded and stored by each Platform for Customer (“Customer Data”). The terms and conditions of this Agreement, including all pricing and related metrics, are Skypoint’s Confidential Information.
5.2 Exceptions. Notwithstanding anything to the contrary contained herein, Confidential Information shall not include any information (other than Customer Data) that the Receiving Party can document (i) is or becomes generally available to the public, (ii) was in its possession or known by it prior to receipt from the Disclosing Party, (iii) was rightfully disclosed to it without restriction by a third party, or (iv) was independently developed without use of any Confidential Information of the Disclosing Party.
5.3 Non-use and Non-disclosure. With respect to Confidential Information of the Disclosing Party, the Receiving Party agrees to: (i) use the same degree of care to protect the confidentiality, and prevent the unauthorized use or disclosure, of such Confidential Information as it uses to protect its own proprietary and confidential information of like nature, which shall not be less than a reasonable degree of care; (ii) hold all such Confidential Information in strict confidence and not use, sell, copy, transfer, reproduce, or divulge such Confidential Information to any third party, except the Receiving Party’s employees, legal and financial advisors and those third parties with a “need-to-know” that have signed, prior to any disclosure to such third parties, a non-disclosure agreement with terms at least as restrictive as the provisions of this Agreement or are otherwise legally obligated not to disclose such Confidential Information; and (iii) not use such Confidential Information for any purposes whatsoever other than the performance of, or as otherwise authorized by, this Agreement.
5.4 Compelled Disclosure. Notwithstanding Section 5.3, the Receiving Party may disclose Confidential Information of the Disclosing Party to the extent necessary to comply with a court order or applicable law; provided, however, that the Receiving Party delivers reasonable advance notice of such disclosure to the Disclosing Party and uses reasonable efforts to secure confidential treatment of such Confidential Information, in whole or in part.
5.5 Protection of Customer Data. The parties will comply with the Data Processing Addendum attached hereto as Exhibit A (“DPA”), which is hereby incorporated by reference into this Agreement.
5.6 Remedies for Breach of Obligation of Confidentiality. The Receiving Party acknowledges that breach of its obligation of confidentiality may cause irreparable harm to the Disclosing Party for which the Disclosing Party may not be fully or adequately compensated by recovery of monetary damages. Accordingly, in the event of any violation, or threatened violation, by the Receiving Party of its obligations under this Section, the Disclosing Party shall be entitled to seek injunctive relief from a court of competent jurisdiction in addition to any other remedy that may be available at law or in equity, without the necessity of posting bond or proving actual damages.
6. PROPRIETARY RIGHTS
6.1 Ownership. Customer shall own all right, title and interest in and to the Customer Data. Skypoint shall own and retain all right, title and interest in and to (i) each Platform, Software and the Services and all improvements, enhancements or modifications thereto, (ii) any software, applications, inventions or other technology developed in connection with the Services, and (iii) all intellectual property and proprietary rights in and related to any of the foregoing (collectively, “Services IP”). To the extent Customer acquires any right, title or interest in the Platform, the Software or the Services or any intellectual property rights or other proprietary rights associated therewith or embodied therein, Customer hereby assigns all of its right, title and interest in such Services IP to Skypoint.
6.2 Customer Data License. Customer hereby grants to Skypoint a non-exclusive, non-transferable, non-sublicensable, worldwide and royalty-free license to use Customer Data solely to provide the Services to Customer hereunder. For the avoidance of doubt, Skypoint may use, reproduce and disclose, for any lawful purpose and without notifying Customer and without obtaining Customer’s prior permission or consent, Platform-, Software- and Services-related information, data and material that is anonymized, deidentified, or that could otherwise be used to identify Customer or any other identifiable individual person or entity, including without limitation, information, data and material that is based on or derived from Customer Data (“Aggregated Data”). Such lawful purposes may include, without limitation, use of Aggregated Data to promote the Platform, Software, and the Services (and/or Skypoint’s other products or services), for evaluating the efficiency, utility and functionality of the Platform, Software, and the Services (and/or Skypoint’s other products or services), and for enhancing and improving the Platform, Software, and the Services (and/or Skypoint’s other products or services). All Aggregated Data is and shall at all times remain the sole and exclusive property of Skypoint. Skypoint will back up the Customer Data: (i) to the extent the Platform backs up and maintains the Customer Data as part of its normal operation and functionality; and (ii) in accordance with the provisions of the DPA. However, Customer acknowledges and agrees that Skypoint is not a data hosting company and that the Platform is not primarily a data hosting service. Accordingly, Customer shall maintain its own data back-ups and redundant data archives, and the Platform shall not be the sole repository of the content, data and information making up the Customer Data.
Customer acknowledges that it will not have access to Customer Data through Skypoint or any Platform following the expiration or termination of this Agreement.
6.3 No Other Rights. No rights or licenses are granted except as expressly set forth herein.
7. FEES & PAYMENT
7.1 Fees. Customer will pay Skypoint the then-applicable fees described in an Order Form or Statement of Work, as applicable, in accordance with the terms set forth therein (“Fees”), including, for the avoidance of doubt, any fees incurred through Customer’s use of a Platform exceeding a services capacity parameter specified on an Order Form.
7.2 Renewal Fees. Sixty (60) days in advance of the renewal date, Skypoint will provide Customer with a notice for renewal that will include the renewal fee and renewal term length, including specific dates. Upon confirmation from Customer, Skypoint will provide an Order Form for the authorized Customer executive to sign. Upon signature of the Order Form, Skypoint will charge the first renewal fee, with Customer having net thirty (30) days to provide payment. Each “Renewal Fee” shall equal the Service Fee or Renewal Fee, as applicable, due to Skypoint during the previous term, as may be increased through mutual acceptance of the parties and specified on the applicable Order Form; provided, if the Initial Term was greater than one (1) year, for purposes of calculating the initial Renewal Fee the Service Fee shall be prorated to one (1) year. Notwithstanding the foregoing, if Customer is not liable to Skypoint for a Service Fee under an Order Form, no Renewal Fees shall be charged to Customer with respect to such Order Form.
7.3 Reimbursable Expenses. In addition to the Fees, if applicable, Customer shall reimburse Skypoint for reasonable out-of-pocket expenses incurred by Skypoint in connection with performing the Professional Services and in each case approved in writing by Customer prior to such expenses being incurred.
7.4 Payment. Skypoint will issue invoices for Fees to Customer. Full payment for the undisputed portions of any invoices issued in any given month must be received by Skypoint thirty (30) days after the receipt of the applicable invoice (unless otherwise specified on the applicable Order Form). Unpaid amounts of undisputed invoices are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all expenses of collection. In addition to any other remedies available, Skypoint may suspend Services in the event of payment delinquency of an undisputed invoice that has not been cured within ten (10) days of notice to Customer of such delinquency.
7.5 Payment Disputes. If Customer believes that Skypoint has billed Customer incorrectly, Customer must contact Skypoint no later than thirty (30) days after the closing date on the first billing statement in which the believed error or problem appeared in order to receive an adjustment or credit. Inquiries should be directed to Skypoint’s customer support department or the applicable Account Manager.
7.6 Taxes. Customer shall pay, and shall be liable for, all taxes relating to Skypoint’s provision of the Services hereunder. Skypoint shall pay, and shall be liable for, taxes based on its net income or capital.
7.7 No Deductions or Setoffs. All amounts payable to Skypoint hereunder shall be paid by Customer to Skypoint in full without any setoff, recoupment, counterclaim, deduction, debit or withholding for any reason except as may be required by applicable law.
8. TERM AND TERMINATION
8.1 Term. This Agreement shall remain in effect so long as there is an active Statement of Services, unless the Agreement is terminated as provided below (the “Term”). The term of each Statement of Services shall begin on the applicable “Services Effective Date” and continue for the “Service Term,” in each case as specified in such Statement of Services. Each Order Form shall renew upon advance mutual agreement (no later than thirty (30) days prior to the expiration of the then current Service Term) of the parties for additional (i) one (1) year periods if the Service Term is equal to or greater than one (1) year, or (ii) periods equal to the Service Term if the Service Term is less than one (1) year (each, a “Renewal Term”).
8.2 Termination. Skypoint may terminate this Agreement upon written notice to Customer if no Statement of Services is in effect. In addition to any other remedies it may have, either party may also terminate this Agreement upon written notice if the other party fails to pay any undisputed amount when due and fails to cure within ten (10) days of being notified of the delinquency, or otherwise materially breaches this Agreement and fails to cure such breach within thirty (30) days (or such longer period as agreed upon by both parties in writing) after receipt of written notice of such breach from the non-breaching party. Customer may terminate this Agreement at any time for convenience upon sixty (60) days’ written notice to Skypoint; provided, it is expressly agreed that Customer shall not activate this termination provision to circumvent the requirements of this Agreement in any way.
8.3 Effect of Termination. Upon termination of the Agreement, each outstanding Statement of Services, if any, shall terminate and Customer shall immediately cease all use of, and all access to, the Subscription Services and Skypoint shall immediately cease providing the Professional Services. If Skypoint terminates this Agreement for non-payment or material breach (as set forth in this Section), all Fees for Services rendered to date will become immediately due and payable.
8.4 Survival. Sections 3.1, 5, 6, 7 (solely with respect to any fees owed for services already rendered at the time of termination or expiration), 8.4, and 10–18 shall survive any termination or expiration of this Agreement. All other rights and obligations shall be of no further force or effect.
9. WARRANTY AND DISCLAIMER
9.1 Warranties. Skypoint represents and warrants that it will perform the Professional Services in a professional and workmanlike manner. Each party represents and warrants that it has the legal power to enter into this Agreement. Additionally, Customer warrants that (i) Customer owns or has a license to use and has obtained all consents and approvals necessary for the provision and use of all of the Customer Data that is placed on, transmitted via or recorded by a Platform and the Services.
9.2 Specially Protected Data. Unless specifically agreed to in writing by Skypoint, no Customer Data will include social security numbers or other government-issued identification numbers, financial account numbers, credit card or debit card numbers, credit report information or other personal financial information, health or medical information or other information that is subject to international, federal, state, or local laws or ordinances now or hereafter enacted regarding data protection or privacy (“Specially Protected Data”), including, but not limited to, the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act, the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act and the Gramm-Leach-Bliley Act (collectively “Data Privacy and Security Laws”).
9.3 Compliance with Data Privacy and Security Laws. If and to the extent that Customer Data, or Company’s access and use of the Platform and Subscription Services, are subject to one or more Data Privacy and Security Laws regarding Specially Protected Data, Customer and Skypoint will execute a Data Privacy and Security Addendum. The terms and conditions of this Agreement, including the confidentiality obligations and rights to disclosure under Section 5, will be subject to the terms of such Data Privacy and Security Addendum. For the avoidance of doubt, Skypoint makes no representations or warranties regarding compliance with Data Privacy and Security Laws regarding Specially Protected Data unless addressed in a Data Privacy and Security Addendum.
9.4 Disclaimer. EXCEPT AS EXPRESSLY PROVIDED HEREIN OR IN A STATEMENT OF SERVICE, SKYPOINT DOES NOT WARRANT THAT ACCESS TO THE PLATFORMS, SOFTWARE OR SERVICES WILL BE UNINTERRUPTED OR ERROR FREE, NOR DOES SKYPOINT MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM USE OF THE SERVICES. FURTHER, SKYPOINT MAKES NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO SERVICES PROVIDED BY THIRD PARTY TECHNOLOGY SERVICE PROVIDERS RELATING TO OR SUPPORTING A PLATFORM, INCLUDING HOSTING AND MAINTENANCE SERVICES, AND ANY CLAIM OF CUSTOMER ARISING FROM OR RELATING TO SUCH SERVICES SHALL, AS BETWEEN SKYPOINT AND SUCH SERVICE PROVIDER, BE SOLELY AGAINST SUCH SERVICE PROVIDER. EXCEPT AS SET FORTH HEREIN, THE CUSTOMER DATA, PLATFORMS, SOFTWARE AND SERVICES ARE PROVIDED “AS IS,” AND EACH PARTY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE THERETO, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.
10. INDEMNITY
10.1 Indemnification by Skypoint. Skypoint will defend Customer and its affiliates, and their respective directors, officers, agents, and employees from and against any claim, suit, demand, or action made or brought against Customer by a third party arising out of or related to (a) the Services, or Customer’s use or access thereof in accordance with this Agreement, infringing any intellectual property rights of such third party, or (b) Skypoint’s breach of its obligations under this Agreement, and will indemnify and hold harmless Customer from any damages, losses, liabilities, costs and fees (including reasonable attorney’s fees) in connection with or in settlement of any such claim, suit, demand, or action. The foregoing obligations in sub-section (a) do not apply with respect to portions or components of any Platform or Service (i) not supplied by Skypoint, (ii) made in whole or in part in accordance with Customer specifications, (iii) that are modified by Customer after delivery, or granting of access, by Skypoint, (iv) combined with other products, processes or materials by Customer where the alleged infringement relates to such combination, (v) where Customer continues allegedly infringing activity after being notified thereof or after being informed of modifications that would have avoided the alleged infringement, or (vi) where Customer’s use of the Services is not strictly in accordance with this Agreement.
If, due to a claim of infringement, a Platform is held by a court of competent jurisdiction to be, or is believed by Skypoint to be, infringing, Skypoint may, at its option and expense (a) replace or modify such Platform to be non-infringing, provided that such modification or replacement contains substantially similar features and functionality, (b) obtain for Customer a license to continue using such Platform, or (c) if neither of the foregoing is commercially practicable, terminate this Agreement and Customer’s rights hereunder and provide Customer a refund of any prepaid, unused fees for such Platform. This Section states Customer’s sole and exclusive remedies for claims of infringement.
11. LIMITATION OF LIABILITY. EXCEPT IN CONNECTION WITH A PARTY’S INDEMNIFICATION OBLIGATIONS OR BREACH OF SECTION 4 (“CONFIDENTIALITY”), IN NO EVENT SHALL (I) EITHER PARTY’S LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY EXCEED IN THE AGGREGATE THE TOTAL FEES PAID OR OWED BY CUSTOMER HEREUNDER DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE DATE OF THE EVENT GIVING RISE TO THE CLAIM (SUCH AMOUNT BEING INTENDED AS A CUMULATIVE CAP AND NOT PER INCIDENT), AND (II) EITHER PARTY HAVE ANY LIABILITY TO THE OTHER FOR ANY LOST PROFITS OR REVENUES OR FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, COVER, SPECIAL, EXEMPLARY OR PUNITIVE DAMAGES, HOWEVER CAUSED, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING LIMITATIONS AND DISCLAIMERS SHALL NOT APPLY TO THE EXTENT PROHIBITED BY APPLICABLE LAW. NOTWITHSTANDING THE PRECEDING SENTENCE, IN NO EVENT SHALL SKYPOINT’S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THE EXCLUDED CLAIMS EXCEED IN THE AGGREGATE THE TOTAL FEES PAID OR OWED BY CUSTOMER HEREUNDER DURING THE THIRTY-SIX (36) MONTHS IMMEDIATELY PRECEDING THE DATE OF THE EVENT GIVING RISE TO THE CLAIM (SUCH AMOUNT BEING INTENDED AS A CUMULATIVE CAP AND NOT PER INCIDENT). THE FOREGOING LIMITATIONS AND DISCLAIMERS SHALL NOT APPLY TO THE EXTENT PROHIBITED BY APPLICABLE LAW.
12. GOVERNING LAW AND DISPUTE RESOLUTION. This Agreement is governed in all respects by the laws of the State of New York, without giving effect to its rules relating to conflict of laws. Neither any adoption of the Uniform Computer Information Transactions Act nor the U.N. Convention on the International Sale of Goods applies to this Agreement or to the rights or duties of the parties under this Agreement. Any dispute arising out of or relating to this Agreement, or its subject matter, shall be resolved exclusively by binding arbitration under the Commercial Arbitration Rules of the American Arbitration Association (“AAA”). Either party may send a notice to the other party of its intention to file a case with the AAA under this Section (“Arbitration Notice”). The arbitration will be conducted in New York, New York by a single arbitrator knowledgeable in government contracting matters and the commercial aspects of “software as a service” arrangements and intellectual property. The parties will mutually appoint an arbitrator within thirty (30) days of the Arbitration Notice. If the parties are unable to agree on an arbitrator, then the AAA will appoint an arbitrator who meets the foregoing knowledge requirements. The arbitration hearing will commence within sixty (60) days after the appointment of the arbitrator, and the hearing will be completed and an award rendered in writing within sixty (60) days after the commencement of the hearing. Prior to the hearing, each party will have the right to take up to four (4) evidentiary depositions, and to exchange two (2) sets of document production requests and two (2) sets, each, of not more than ten (10) interrogatories. The arbitrator will provide detailed written explanations to the parties to support its award and, regardless of outcome, each party shall pay its own costs and expenses (including attorneys’ fees) associated with the arbitration proceeding and fifty percent (50%) of the fees of the arbitrator and the AAA.
The arbitration award will be final and binding and may be enforced in any court of competent jurisdiction.
13. SECURITY. Skypoint may, from time to time, host and/or maintain a Platform using Microsoft Azure cloud services, and Customer acknowledges that Skypoint cannot offer any additional or modified procedures other than those put in place by such technology provider with respect to such technology service.
14. PUBLICITY. Customer agrees that Skypoint may identify Customer as a customer and use Customer’s logo and trademark in Skypoint’s promotional materials only with Customer’s prior written approval of each such use of the Customer’s name, logos or trademarks. Notwithstanding anything herein to the contrary, each party acknowledges that the other party may disclose the existence and terms and conditions of this Agreement to its advisors, actual and potential sources of financing and to third parties for purposes of due diligence in connection with any merger, reorganization, consolidation, sale of assets or similar transaction.
15. NOTICES
All notices, consents, and other communications between the parties under or regarding this Agreement must be in writing (which includes email and facsimile) and be addressed according to the information provided on an Order Form. All notices, consents and other communications between the parties under a Statement of Services will be sent to the recipient’s address specified thereon. All communications will be deemed to have been received on the date actually received. Either party may change its address for notices by giving written notice of the new address to the other party in accordance with this Section.
16. FORCE MAJEURE
Neither party shall be responsible nor liable for any delays or failures in performance from any cause beyond its control, including, but not limited to, acts of God, changes to law or regulations, embargoes, war, terrorist acts, riots, fires, earthquakes, floods, power blackouts, strikes, or weather conditions. Where there is an event of force majeure, the party prevented from or delayed in performing its obligations under this Agreement must promptly notify the other party, giving full particulars of the event of force majeure and the reasons for such event preventing that party from, or delaying that party in, performing its obligations under this Agreement, and that party must use commercially reasonable efforts to mitigate the effect of the event of force majeure upon its performance of the Agreement and to fulfill its obligations under the Agreement.
17. ASSIGNMENT
Neither party may assign this Agreement to any third party without the prior written consent of the other; provided that no consent is required in connection with an assignment to an affiliate or in connection with any merger, reorganization, consolidation, sale of assets or similar transaction. Skypoint may sublicense any or all of its obligations hereunder upon prior written consent of Customer. For the avoidance of doubt, a third-party technology provider that provides features or functionality in connection with a Platform shall not be deemed a sublicensee under this Agreement.
18. GENERAL PROVISIONS
If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable. This Agreement, together with each Statement of Services entered into hereunder and all exhibits, annexes and addenda hereto and thereto, is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement. All waivers and modifications must be in a writing signed by both parties, except as otherwise provided herein. No agency, partnership, joint venture, or employment is created as a result of this Agreement, and neither party has authority of any kind to bind the other party in any respect whatsoever. In the event of a conflict between this Agreement and any Statement of Services, such Statement of Services shall prevail unless otherwise expressly indicated in this Agreement or such Statement of Services. The heading references herein are for convenience purposes only and shall not be deemed to limit or affect any of the provisions hereof. Unless otherwise indicated to the contrary herein by the context or use thereof: (i) the words “hereof,” “hereby,” “herein,” “hereto,” and “hereunder” and words of similar import shall refer to this Agreement as a whole and not to any particular Section or paragraph of this Agreement; (ii) the words “include,” “includes” or “including” are deemed to be followed by the words “without limitation;” (iii) references to a “Section” or “Exhibit” are references to a section of, or exhibit to, this Agreement; and (iv) derivative forms of defined terms will have correlative meanings.
By accepting this Agreement during the platform sign-up, each party acknowledges that it has carefully read and fully understood this Agreement, and each agrees to be bound by the terms of this Agreement.
EXHIBIT A
DATA PROCESSING ADDENDUM
This Data Processing Addendum (the “DPA”) is entered into between you (“Customer”) and the vendor identified in the signature block below (“Vendor”). This DPA amends and forms part of that certain Master SaaS and Services Agreement (“Master Agreement”).
1. DEFINITIONS
In addition to capitalized terms defined in context or under the Master Agreement, the following terms will have the meaning ascribed below:
(a) “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., including applicable regulations.
(b) “Data Protection Law” means any and all privacy, security and data protection laws and regulations that apply to the Personal Data processed by Vendor under the Master Agreement, including, as applicable, the GDPR, Member State laws implementing the GDPR and the CCPA.
(c) “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(d) “Personal Data” means any data that Vendor processes in connection with the Services that is deemed “personal data” or “personal information” (or other similar variations of such terms) under Data Protection Law.
(e) “Security Breach” means any accidental or unlawful destruction, loss, or alteration of Personal Data, or any unauthorized use or disclosure of, or access to, Personal Data.
(f) “Services” means the services provided by Vendor pursuant to the Master Agreement.
(g) In addition, the following lowercase terms as used in this DPA will be defined as follows: (i) “sell” and “service provider” will have the meaning given to them under the CCPA; and (ii) “process” and “processor” will have the meaning given to them under the GDPR.
2. DATA PROCESSING AND PROTECTION
2.1 Vendor Responsibilities. Vendor will (a) process the Personal Data solely in a manner consistent with documented instructions from Customer, including with regard to transfers of Personal Data to a third country, which will include processing (i) authorized under the Master Agreement, including as specified in Attachment 1 to this DPA and (ii) consistent with other reasonable instructions of Customer; (b) subject to the specific limitations regarding Specially Protected Data in Sections 9.2 and 9.3 of the Master Agreement, process the Personal Data in accordance with all applicable Data Protection Laws; and (c) not: (i) collect, retain, use, disclose or otherwise process the Personal Data for any purpose other than as necessary for the specific purpose of performing Services on behalf of Customer; (ii) collect, retain, use, disclose or otherwise process the Personal Data for a commercial purpose other than to provide the Services to Customer; (iii) sell the Personal Data; (iv) combine the Personal Data with data received from other entities; or (v) process the Personal Data outside the direct business relationship between Vendor and Customer. Notwithstanding the foregoing, Vendor may process Personal Data to build or improve the quality of Vendor’s services, provided such use does not include building or modifying individual profiles that will be used to provide services to another business or to correct or augment data acquired from another source.
2.2 Confidentiality. Vendor will treat all Personal Data as the confidential information of Customer and ensure that persons authorized by Vendor to process any Personal Data are subject to appropriate confidentiality obligations.
2.3 Security. Vendor will protect Personal Data in accordance with the requirements of Data Protection Law. Without limiting the foregoing, Vendor will use measures to protect Personal Data that meet or exceed the requirements specified in Attachment 2 to this DPA.
2.4 Return or Disposal. At the choice of Customer, Vendor will (or will enable Customer via the Services to) delete or return (and will delete existing copies of) all Personal Data after the end of the provision of Services unless Data Protection Law requires the storage of such Personal Data by Vendor.
3. ASSISTANCE
3.1 Data Subject’s Rights Assistance. Vendor will promptly notify Customer of any request by an individual to exercise a right under Data Protection Law. At Customer’s request, Vendor will assist Customer in responding to such requests, including by appropriate technical and organizational measures, for the fulfilment of Customer’s obligations to respond to requests for exercising any individual’s rights provided under Data Protection Law, including the rights stated in Chapter III of the GDPR.
3.2 Security Assistance. Vendor will cooperate in good faith with Customer in Customer’s efforts to ensure Vendor’s compliance with any security requirements under Data Protection Law, including by facilitating Customer’s exercise of audits pursuant to Section 4 of this DPA and complying with any commitments under Attachment 2.
3.3 Data Protection Impact Assessment Assistance. Vendor will provide reasonable assistance to Customer as required for Customer to comply with its obligations under Articles 35 and 36 of the GDPR in connection with Vendor’s processing of Personal Data under the Master Agreement.
3.4 Security Breach Notice and Assistance. In addition to any commitments under Attachment 2, Vendor will (a) define and document an incident management procedure that facilitates the triage of a security-related event, including a Security Breach, and ensures timely and thorough incident management; (b) notify Customer promptly and without undue delay after becoming aware of a Security Breach; (c) ensure contractors, employees and third-party users are made aware of their responsibility to report all Security Breaches in a timely manner; (d) report all Security Breaches through predefined communications channels in a prompt and expedient manner in compliance with statutory, regulatory and contractual requirements; (e) upon request of Customer, provide reasonable assistance to Customer to facilitate Customer’s notice of such Security Breach to regulators or affected individuals, including assistance to facilitate Customer’s compliance with Articles 33 and 34 of the GDPR or notification obligations under other Data Protection Law; (f) in the event a Security Breach results in or requires legal action, implement proper forensic procedures, including chain of custody for collection, retention and presentation of evidence, to support such legal action; and (g) put in place mechanisms to monitor and quantify the types, volumes, and costs of Security Breaches.
4. AUDITS
Vendor will obtain and share the results of an independent review of information systems security at least annually to determine both the adequacy of and compliance with information security controls, including but not limited to a SOC 2 Type II report or ISO 27001 certification. Additionally, Vendor will make available to Customer all information necessary to demonstrate compliance with the obligations in this DPA and allow for and contribute to audits conducted by Customer (or another auditor mandated by Customer that is reasonably acceptable to Vendor) in accordance with the terms of this Section 4. Any such audit must be tailored to what is reasonably necessary to verify Vendor’s compliance with this DPA, and must occur during Vendor’s normal business hours. In connection with any such audit, the auditor will: (a) observe reasonable on-site access and other restrictions reasonably imposed by Vendor; (b) comply with reasonable and applicable on-site policies and procedures provided by Vendor; and (c) not unreasonably interfere with Vendor’s business activities. Customer will provide written communication of any audit findings to Vendor, and the results of the audit will be the confidential information of Vendor. Customer will provide no less than thirty (30) days’ advance notice of its request for any such audit and will cooperate in good faith with Vendor to schedule any such audit on a mutually agreed upon date and time (such agreement not to be unreasonably withheld by either party).
5. SUBPROCESSORS
Customer authorizes Vendor to use subcontractors to process Personal Data in connection with the provision of Services to Customer (“Subprocessor”). Vendor will provide Customer with notice of any intended changes concerning the addition or replacement of its Subprocessors and provide Customer with the opportunity to object to such changes. Vendor will impose data protection obligations upon any Subprocessor that are no less protective than those included in this DPA. Vendor will remain fully responsible and liable for any acts or omissions of its Subprocessors.
6. DATA TRANSFERS
If Personal Data that originates in the EEA, UK or Switzerland is transferred by Customer to Vendor for processing in a country not subject to an adequacy decision in accordance with the GDPR (“Data Transfer”), the parties will conduct such Data Transfer in accordance with this Section 6. Any Data Transfer will be conducted pursuant to the Standard Contractual Clauses (which will be deemed executed by the parties as of the effective date of this DPA), and the following terms will apply: (a) Customer will be referred to as the “Data Exporter” and Vendor will be referred to as the “Data Importer” in such clauses with relevant company name and address details from this DPA and the Master Agreement being used accordingly; (b) details in Attachment 1 of this DPA will be used to complete Appendix 1 of those clauses; (c) details of Attachment 2 of this DPA will be used to complete Appendix 2 of those clauses; and (d) if there is any conflict between this DPA or the Master Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail. “Standard Contractual Clauses” means Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593) (the text of which is available at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087).
7. VENDOR INDEMNIFICATION
Vendor will defend, indemnify and hold harmless Customer, its affiliates and its and their respective directors, officers, employees, agents, successors and assigns from and against any third-party claims, allegations or investigations and associated liabilities, losses, damages and expenses to the extent arising from or related to (a) Vendor’s breach of this DPA; or (b) Vendor’s negligent acts or omissions or willful misconduct.
8. MISCELLANEOUS
The terms of this DPA will control to the extent there is any conflict between terms of this DPA and the terms of the Master Agreement. Except as specifically amended and modified by this DPA, the terms and provisions of the Master Agreement remain unchanged and in full force and effect.
By accepting this agreement during the platform sign-up, each party acknowledges that it has carefully read and fully understood this DPA, and each agrees to be bound by the terms of this DPA.
Attachment 1 – Scope of Processing
Subject-Matter and Duration of Processing
Vendor processes Personal Data for the subject matter specified under the Master Agreement and until the Master Agreement terminates or expires, unless otherwise agreed upon by the parties in writing.
Nature and Purpose of Processing (i.e., Processing operations)
Extract, load, transform and store data in Customer-managed Azure subscription storage resources.
Types of Personal Data
Personally Identifiable Information, Transactional and Behavioral Data
Categories of Data Subjects
Not Applicable
Special Categories of Data (as applicable)
None
Attachment 2 – Data Security Attachment
1. Program. Vendor will implement and maintain a comprehensive written information security program, which contains appropriate administrative, technical and organizational safeguards that comply with this Attachment 2.
2. Access Controls. Vendor will: (a) abide by the “principle of least privilege,” pursuant to which Vendor will permit access to Personal Data by its personnel solely on a need-to-know basis; (b) promptly terminate its personnel’s access to Personal Data when such access is no longer required for performance under the Agreement, including by de-provisioning access by personnel or other parties upon the termination of their employment, contract or agreement with Vendor; (c) log the details of any access to Personal Data, and retain such records for no less than 90 days; and (d) be responsible for any processing of Personal Data by its personnel. Vendor will put in place procedures for granting and revoking normal and privileged access to applications, databases, and server and network infrastructure in accordance with business, security, compliance and service level agreement (SLA) requirements. Vendor will ensure all levels of user access are reviewed by Vendor’s management at least bi-annually and documented. Vendor will ensure access to Personal Data is role-based and meets segregation of duties requirements. Vendor will require any passwords to be complex and will implement lockout on inactivity after 15 minutes and lockout of user accounts after 5 invalid attempts.
3. Account Management. Vendor will use reasonable measures to manage the creation, use, and deletion of all account credentials used to access the facilities, systems, equipment, hardware, and software used in connection with any processing of Personal Data (“Vendor Systems”), including by implementing: (a) a segregated account with unique credentials for each user; (b) strict management of administrative accounts; (c) password best practices, including the use of strong passwords and secure password storage; and (d) periodic audits of accounts and credentials.
4. Information Security Management System. Vendor will develop, document, approve and implement an Information Security Management System (ISMS) that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program should address, but is not limited to, the following issues: risk management, security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management, and business continuity. Vendor’s management should review the ISMS at planned intervals or as a result of changes to the organization to ensure its continuing effectiveness and accuracy. Roles and responsibilities of contractors, employees and third-party users must be documented as they relate to information assets and security. Vendor’s managers should be responsible for maintaining awareness of and complying with security policies, procedures and standards that are relevant to their area of responsibility.
5. Security Architecture. Vendor will put in place processes to implement and enforce (through automation) user credential and password controls for applications, databases and server and network infrastructure requiring the following minimum standards: (a) user identity verification prior to password resets; (b) timely access revocation for terminated users; (c) removal or disabling of inactive user accounts at least every 90 days; (d) unique user IDs, with group, shared, or generic accounts and passwords disallowed; (e) password expiration at least every 90 days; (f) strong passwords containing both numeric and alphabetic characters; (g) user ID lockout after not more than six (5) attempts; (h) re-entry of the password to reactivate a terminal after a session has been idle for more than 15 minutes; and (i) maintenance of user activity logs for privileged access or access to sensitive data. Vendor will establish policies and procedures and implement mechanisms to ensure the security (e.g., encryption, access controls, and leakage prevention) and integrity of data exchanged between one or more system interfaces, jurisdictions, or with a third-party shared services provider, to prevent improper disclosure, alteration or destruction and to comply with legislative, regulatory, and contractual requirements. Vendor will authenticate remote users with administrative privileges with strong two-factor authentication mechanisms before allowing access to any information processing facilities. Vendor will design and configure network environments to restrict connections between trusted and untrusted networks and review them at planned intervals, documenting the business justification for use of all services, protocols, and ports allowed, including the rationale or compensating controls implemented for those protocols considered to be insecure. Vendor will ensure network architecture diagrams clearly identify high-risk environments and data flows that may have regulatory compliance impacts. Vendor will separate system and network environments by firewalls to ensure the following requirements are adhered to: (i) business and customer requirements; (ii) security requirements; (iii) compliance with legislative, regulatory, and contractual requirements; (iv) separation of production and non-production environments; and (v) preservation of the protection and isolation of sensitive data. Vendor will establish policies and procedures and implement mechanisms to protect wireless network environments, including the following: (w) perimeter firewalls implemented and configured to restrict unauthorized traffic; (x) security settings enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings, etc.); (y) logical and physical user access to wireless network devices restricted to authorized personnel; and (z) the capability to detect the presence of unauthorized (rogue) wireless network devices for a timely disconnect from the network. Vendor will use an accurate, externally agreed upon time source to synchronize the system clocks of all relevant information processing systems within the organization or an explicitly defined security domain to facilitate tracing and reconstitution of activity timelines. Vendor will authorize mobile code before its installation and use and shall ensure that the authorized mobile code is configured to operate according to a clearly defined security policy. Vendor will ensure all unauthorized mobile code is prevented from executing.
6. Information Security Policy. Vendor will maintain a formal information security policy that establishes the direction of the organization and aligns with best practices and with regulatory, federal/provincial and international laws where applicable, which policy is supported by a strategic plan and a security program with well-defined roles and responsibilities for leadership. Vendor will ensure that all information system documentation (e.g., administrator and user guides, architecture diagrams, etc.) is maintained and made available to authorized personnel. Vendor will communicate such policies and documents to its employees, contractors and other relevant external parties. Vendor will establish baseline security requirements which will be applied to the design and implementation of (developed or purchased) applications, databases, systems, and network infrastructure and ensure that compliance with security baseline requirements is reassessed at least annually or upon significant changes.
7. Operations Management. Vendor will clearly document network and infrastructure service level agreements, security controls, capacity and service levels and business or customer requirements, and appropriately monitor the same. Vendor will plan, prepare, and measure the availability, quality and capacity of resources to deliver the required system performance in accordance with regulatory, contractual and business requirements. Vendor will make projections of future capacity to mitigate the risk of system overload.
8. Risk Management. Vendor will perform formal risk assessments at least annually, or at planned intervals, determining the likelihood and impact of all identified risks. Vendor will independently determine the likelihood and impact associated with inherent and residual risk, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance). Vendor will mitigate risks to an acceptable level, based on risk criteria that are established and documented in accordance with reasonable resolution time frames and executive approval. Vendor will update risk assessment results into security policies, procedures, standards and controls to ensure they remain relevant and effective.
9. Vulnerability Management. Vendor will: (a) use automated vulnerability scanning tools to perform appropriate scans of the Vendor Systems; (b) log vulnerability scan reports; (c) conduct periodic reviews of vulnerability scan reports over time; (d) use appropriate patch management and software update tools for the Vendor Systems; (e) prioritize and remediate vulnerabilities by severity; and (f) use compensating controls if no patch or remediation is immediately available.
10. Security Segmentation. Vendor will monitor, detect and restrict the flow of information on a multilayered basis within the Vendor Systems using appropriate tools such as firewalls, proxies, and network-based intrusion detection systems.
11. Human Resources Security. Vendor will ensure that, subject to local laws, regulations, and contractual constraints, all employment candidates, contractors and third parties are subject to background checks. Vendor will ensure that prior to granting individuals physical or logical access to facilities, systems or data, employees, contractors, third party users and customers agree, in writing, to terms which explicitly include the parties’ responsibility for information security. Vendor will establish a security awareness training program for all contractors, third party users and employees of the organization who will handle Personal Data and mandate the same when appropriate. Vendor will provide all individuals with access to organizational data appropriate awareness training and regular updates in organizational procedures, process and policies, relating to their function, and ensure such individuals are aware of their responsibilities towards (a) complying with published security policies, procedures, standards and applicable regulatory requirements; (b) maintaining a safe and secure working environment; (c) leaving unattended equipment in a secure manner; and (d) complying with procedures that govern employee termination and discipline to ensure privileges are revoked in a timely and comprehensive manner.
12. Data Governance. Vendor will conduct, at least annually, data governance risk assessments that consider the following: (a) awareness of where sensitive data is stored and transmitted across applications, databases, servers and network infrastructure; (b) compliance with defined retention periods and end-of-life disposal requirements; and (c) data classification and protection from unauthorized use, access, loss, destruction, and falsification. Vendor will establish data retention and storage procedures and implement backup or redundancy mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements. Vendor will test the recovery of backups at planned intervals. Vendor will document procedures for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means. Vendor will put in place mechanisms to ensure data is not replicated or used in non-production environments.
13. Data Loss Prevention. Vendor will use reasonable data loss prevention measures to identify, monitor and protect Personal Data in use, in transit and at rest. Such data loss prevention processes and tools will include, at a minimum: (a) appropriate automated tools to identify attempts of data exfiltration; (b) the prohibition of, or secure and managed use of, portable devices; (c) use of appropriate certificate-based security; and (d) secure key management policies and procedures.
14. Technical Security. Vendor will encrypt, using industry-standard encryption tools, all Personal Data that Vendor: (a) transmits or sends wirelessly or across public networks or within the Vendor Systems; (b) stores on laptops or storage media; and (c) stores on portable devices or within the Vendor Systems. Vendor will safeguard the security and confidentiality of all encryption keys associated with encrypted Personal Data. Vendor will (a) restrict access to diagnostic and configuration ports to authorized individuals and applications; (b) define procedures for vulnerability and patch management that ensure application, system, and network device vulnerabilities are evaluated and vendor-supplied security patches are applied in a timely manner; (c) restrict utility programs and privileged management accounts capable of potentially overriding system, object, network, virtual machine and application controls and disallow utilities that can shut down virtualized partitions; (d) put in place antivirus mechanisms capable of detecting, removing, and protecting against all known types of malicious or unauthorized software, with antivirus signatures updated at least every 24 hours; (e) where applicable, implement effective key management procedures to support encryption of data in storage and in transmission; (f) control and restrict access to sensitive data from portable and mobile devices, such as laptops, tablets and cell phones; and (g) prohibit the installation of unauthorized software and establish, for all production systems, methods to prevent and detect violations.
15. Pseudonymization. Vendor will, where possible and consistent with the Services, use commercially reasonable pseudonymization techniques to protect Personal Data.
16. Secure Software Development and Maintenance. Vendor represents and warrants that any software used in connection with the processing of Personal Data is or has been developed using secure software development practices, including by: (a) segregating development and production environments; (b) filtering out potentially malicious character sequences in user inputs; (c) using secure communication techniques, including encryption; (d) using sound memory management practices; (e) using web application firewalls to address common web application attacks such as cross-site scripting, SQL injection and command injection; (f) implementing the OWASP Top Ten recommendations, as applicable; (g) patching of software; (h) testing object code and source code for common coding errors and vulnerabilities using code analysis tools; (i) testing of web applications for vulnerabilities using web application scanners; and (j) testing software for performance under denial of service and other resource exhaustion attacks. Vendor will ensure that any SaaS/Could applications integrate support SAML 2 to integrate with SSO and that any applications that store Personal Data have the ability to search and report on information on individual subjects and delete or mask data. Vendor will design applications in accordance with industry accepted security standards (e.g.: OWASP for web applications) and comply with applicable regulatory and business requirements. Vendor will separate development, test, and operational facilities to reduce the risks of unauthorized access or changes to the operational system. Vendor will document, test, and approve changes to the production environment prior to implementation. Production software and hardware changes may include applications, systems, databases and network devices requiring patches, service packs, and other updates and modifications. 
Vendor will implement a program for the systematic monitoring and evaluation of all software developed by the organization to ensure that standards of quality are established and met. Vendor will establish and document quality evaluation and acceptance criteria for new information systems and upgrades, and will test such system(s) both during development and prior to acceptance to maintain security. Vendor will establish a program for the systematic monitoring and evaluation of all outsourced software development to ensure that standards of quality are being met. Vendor will supervise and monitor the development of all outsourced software, and such supervision will include security requirements, independent security review of the outsourced environment by a certified individual, certified security training for outsourced software developers, and code reviews.
17. Business Continuity Management. Vendor will implement a defined and documented method for determining the impact of any disruption to the organization, which method must: (a) identify critical products and services; (b) identify all dependencies, including processes, applications, business partners and third party service providers; (c) include an understanding of threats to critical products and services; (d) determine impacts resulting from planned or unplanned disruptions and how these vary over time; (e) establish the maximum tolerable period of disruption; (f) establish priorities for recovery; and (g) establish recovery time and recovery point objectives for resumption of critical products and services within their maximum tolerable period of disruption. Vendor must establish, document and adopt a consistent, unified framework for business continuity planning and plan development to ensure that all business continuity plans are consistent in addressing priorities for testing and maintenance and information security requirements. Requirements for business continuity plans must include the following: (i) a defined purpose and scope, aligned with relevant dependencies; (ii) accessibility to and understandability by those who will use them; (iii) ownership by a named person(s) who is responsible for their review, update and approval; (iv) defined lines of communication, roles and responsibilities; (v) detailed recovery procedures, manual work-arounds and reference information; and (vi) a method for plan invocation. Vendor will test business continuity plans at planned intervals or upon significant organizational or environmental changes to ensure their continuing effectiveness.
Vendor will anticipate, design and apply countermeasures for physical protection against damage from natural causes and disasters as well as deliberate attacks, including fire, flood, atmospheric electrical discharge, solar-induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear mishap, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster.
18. PCI Compliance. To the extent any Personal Data includes “cardholder data,” as such term is defined by the Payment Card Industry Data Security Standard (“PCI DSS”), Vendor will: (a) comply with the PCI DSS and other applicable payment card issuer, brand or association rules and requirements; (b) fully cooperate with any security review or investigation as may be required by any payment card issuer, brand or association or law enforcement entity regarding compliance with the PCI DSS, including by providing data security reports; (c) pay any fines and penalties in the event Vendor or any of its subcontractors fails to comply with such rules or requirements; and (d) on no less than an annual basis, at its own expense, undergo a PCI DSS compliance audit or self-assessment, as applicable, and provide the results of such audit or self-assessment, along with evidence of compliance (in the form of an Attestation of Compliance or Report on Compliance (ROC)), to Customer.
19. Physical Safeguards. Vendor will maintain physical access controls that secure relevant Vendor Systems used to process any Personal Data, including an access control system that enables Vendor to monitor and control physical access to each Vendor facility and that includes 24×7 physical security monitoring systems and the use of trained and experienced security guards. Vendor will also (a) maintain procedures governing asset management for the secure repurposing of equipment and resources prior to tenant re-assignment, (b) restrict physical access to information assets and functions to authorized users and support personnel only, (c) implement physical security perimeters (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) to safeguard sensitive data and information systems, (d) obtain authorization from Customer prior to relocation or transfer of hardware, software or data containing Customer information to any physical location not directly operated and owned or leased by Vendor, and (e) maintain a complete inventory of critical assets.
20. Administrative Safeguards. Prior to providing access to Personal Data to any of its personnel, Vendor will: (a) conduct appropriate reliability evaluations of such personnel, including by performing appropriate background screening; and (b) provide appropriate security training to such personnel. Vendor will periodically provide additional training to its personnel as may be appropriate to help ensure that Vendor’s information security program meets or exceeds prevailing industry standards.
21. Monitoring. Vendor will maintain audit logs that record privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events, and will retain such logs in compliance with applicable policies and regulations. Vendor will ensure that audit logs are reviewed and that host-based file integrity monitoring and network intrusion detection (IDS) tools are implemented to help facilitate timely detection of, investigation through root cause analysis of, and response to incidents. Vendor will restrict physical and logical user access to audit logs to authorized personnel. Vendor will appropriately segment and restrict access to, and use of, audit tools that interact with the organization's information systems to prevent compromise and misuse of log data.