Terms of Service
Software as a Service Master Agreement
This Software as a Service Master Services Agreement ("MSA") is effective as of the Effective Date and is entered into by Client and Provider.
These terms and conditions create a contract between You and Us (the “Agreement”). Please read the Agreement carefully as this Agreement governs your acquisition and use of our social media monitoring services. If you register for a free or paid trial for our social media monitoring services, this Agreement will also govern that free or paid trial. To confirm your understanding and acceptance of the Agreement, click “Agree” at the end of this Agreement.
If you are entering into this Agreement on behalf of a company or other legal entity, you represent that you have the authority to bind such entity and its affiliates to these terms and conditions, in which case the terms “You” or “Your” shall refer to such entity and its affiliates. If you do not have such authority, or if you do not agree with these terms and conditions, You must not click “Agree” at the end of this Agreement and You may not use Liferaft.
You also may not access or use Liferaft for purposes of monitoring the availability, performance or functionality of Liferaft, or for any other benchmarking or competitive purposes. All proprietary rights and intellectual property remain the sole property of SNI.
It is effective between You and Us as of the date You accept this Agreement.
1. DEFINITIONS
1.1. "Affiliate" means any entity which Client Controls or is Controlled by (either indirectly or directly), or is under common Control with Client; provided that such Affiliate has established privity of contract with Provider under terms identical to this Agreement in accordance with Section 2.1(B) hereof.
1.2. "Agreement" means, collectively, this MSA, all schedules appended hereto, and all Service Orders.
1.3. "Background IP" means all Intellectual Property owned by a party
- (A) before Client begins using the Services, or
- (B) is developed by a party independent of the Agreement.
1.4. "Client Data" means all data collected, compiled, received, stored, derived or maintained by Provider in connection with Client's use of the Services or Provider's performance of its obligations under this Agreement, but does not include Indexed Content.
1.5. "Control" means direct or indirect ownership or control of more than 50% of the voting interests of a body corporate, partnership or other such legal entity or organization.
1.6. "Indexed Content" means information and data that are searched and made available to Client through the Services, which include, without limitation, links, posts, and content from publicly available sources such as social media platforms and the deep and dark web.
1.7. "Intellectual Property" or "IP" means anything protectable by an Intellectual Property Right.
1.8. "Intellectual Property Right(s)" means all registered or unregistered intellectual property rights throughout the world, including: rights in patents, copyrights, trademarks, trade secrets, designs, databases, and domain names, and moral rights.
1.9. "Personnel" means Provider (if an individual) and all employees and agents of Provider and its subcontractors and their agents.
1.10. "Provider Materials" means any content, information, reports, documents, or other materials provided or made accessible by Provider to Client for download or export from the Services, excluding any Client Data.
1.11. "Service Order" means a fully-signed order or purchase order issued under this MSA for Services, in a format similar to Schedule A (Service Order Template).
1.12. "Services" means the software as a service branded as Liferaft (or such other name or brand as is used or implemented from time to time by Provider) provided by Provider to Client under this Agreement as more particularly set out in a Service Order and includes, as applicable, Provider's software, APIs, documentation, and other systems necessary for Client's access and use of the services.
1.13. "Tax(es)" means all government-imposed taxes, except for taxes based on Provider's or Personnel's net income, net worth, asset value, property value, or employment.
1.14. "Updates" means any modifications, upgrades, updates or enhancements made to the Services from time to time.
1.15. "Users" means individuals who are authorized by Client to use the Services, for whom a subscription to the Services has been ordered, and who have been supplied user identifications and passwords by Provider at Client's request. Users shall at all times be employees, consultants, contractors and agents of Client.
1.16. In this Agreement, (A) "include" or "including" means "including but not limited to," and (B) examples are illustrative and not the sole examples of a particular concept.
2. SERVICES
2.1. Services; Requirements.
- (A) Ordering Services. The Services are purchased as subscriptions and Provider will provide the Services to Client as specified in this Agreement and all applicable Service Orders. Provider will provide support and maintenance in accordance with Schedule B (Maintenance and Support) and meet the performance standards in Schedule C (Performance Standards) and the applicable Service Order.
- (B) Ordering by Affiliates. Affiliates can execute Service Orders referencing this MSA with Provider, but the Service Order will form a separate contract between the parties and incorporate all of the terms of this MSA by reference. For the purpose of that Service Order, the term Client in this MSA will refer to the Affiliate executing the Service Order. The Services may be subject to the User data allotments which shall be specified in a Service Order. For the purposes of determining whether Client has exceeded any applicable data allotments as set out in a Service Order, all User data allotments under a Service Order shall be aggregated and divided by the total number of Users. For clarity, when determining if Client has exceeded any applicable data allotments, Users of Affiliates shall not be included in the denominator of the foregoing equation.
2.2. Notice of Delays. Provider will promptly notify Client in writing of anything that is likely to cause a delay in the delivery of the Services.
3. PAYMENT
3.1. Invoices.
- (A) Submitting Invoices. Provider will invoice Client in accordance with the fee(s) specified in each applicable Service Order. Provider will invoice Client annually in advance for the Services.
- (B) Paying Invoices. Client will pay Provider within 30 days after Client receives an invoice.
3.2. Expenses. If applicable, Client will reimburse Provider for expenses up to the amounts specified in the applicable Service Order, and only if they are:
- (A) actual, reasonable, and necessary (without mark-ups or commissions);
- (B) approved in advance and in writing by Client; and
- (C) accompanied by receipts and other documentation that Client may request establishing the type, date, amount, payment, and purpose for such expenses.
3.3. No Right to Offset Payment. Client shall not be permitted to offset any payment obligations to Provider that Client may incur under this Agreement against any fees owed to Client and not yet paid by Provider under this Agreement or any other agreement between Provider and Client.
3.4. Taxes.
- (A) Invoicing and Payment. Taxes are not included in the fees set out in any Service Order. Client will pay itemized, correctly-stated Taxes for the purchased Services unless not required to do so in accordance with all applicable laws.
- (B) Withholding Taxes. If legally required, Client will withhold Taxes from its payments to Provider and provide a withholding Tax certificate.
4. INTELLECTUAL PROPERTY; USAGE RIGHTS; LICENSES.
4.1. Provider Materials Usage Rights. Provider hereby grants to Client a non-exclusive, worldwide, royalty-free, fully paid-up, enterprise-wide license to use the Provider Materials during the Term.
4.2. Reservation of Rights.
- (A) Background IP. Except for the rights expressly granted pursuant to this Section 4, neither party will own or acquire any right, title, or interest to the other party's Background IP under this Agreement.
- (B) Client Data and IP. Client owns and reserves all right, title and interest (including Intellectual Property Rights) to the Client Data. Except as may expressly be specified in this Agreement, no right, title, or interest to any of the Client IP is transferred to Provider.
- (C) Services. As between Client and Provider, except as may be expressly specified in this Agreement, Provider owns and reserves all right, title and interest (including Intellectual Property Rights) in and to the Services, including all Updates made thereto from time to time, including, without limitation, if Updates were, in whole or in part, designed and / or implemented by Provider based upon suggestions, enhancement requests, recommendations, or other feedback relating to the Services provided by Client (including any of its Users, agents, or employees).
- (D) Indexed Content. Client does not own or control Indexed Content. Indexed Content shall not be considered Client Data pursuant to this Agreement or any other agreement between Client and Provider. Indexed Content is provided "as is", exclusive from any warranty whatsoever.
- (E) Restrictions. Client shall not, at any time, decompile, disassemble, reverse engineer, or otherwise attempt to extract the source code of the Services.
5. CONFIDENTIALITY; CLIENT DATA; PUBLICITY; SECURITY; COVENANTS
5.1. Definition. “Confidential Information” means information that one party discloses to the other party under this Agreement, and that is marked as confidential or would normally be considered confidential information under the circumstances. It does not include information that is independently developed by the recipient, is rightfully given to the recipient by a third party without confidentiality obligations, or becomes public through no fault of the recipient. Each party’s Background IP is its Confidential Information. The Client Data is Client’s Confidential Information.
5.2. Confidentiality Obligations.
- (A) Non-Disclosure. The recipient will not disclose the discloser’s Confidential Information, except to employees, affiliates, agents, professional advisors, or third-party contractors (“Delegates”) who need to know it and who have a legal obligation to keep it confidential. The recipient will use the Confidential Information only to exercise rights and fulfill obligations under this Agreement. The recipient may disclose Confidential Information when legally compelled by a court or other government authority. To the extent permitted by law, recipient will promptly provide the discloser with sufficient notice of all available details of the legal requirement and reasonably cooperate with the discloser’s efforts to challenge the disclosure, seek an appropriate protective order, or pursue such other legal action, as the discloser may deem appropriate. The recipient will ensure that its Delegates are also subject to the same non-disclosure and use obligations.
- (B) Client Data. Provider may collect, use, store and retain only Client Data as necessary for Provider to perform the Services in accordance with this Agreement.
5.3. No Rights. Except for the limited rights under this Agreement, neither party acquires any right, title, or interest in the other party’s Confidential Information.
5.4. Security. Provider will comply with Schedule D (Information Security) in addition to this Section 5.
5.5. Automation Restriction. Client hereby agrees that at no time shall it permit any program, application or system (each an “Automated Program”) to interact or integrate with the Services (including, for greater certainty, through any application programming interface) for the purpose of gathering, generating or compiling data therefrom by means of automation, computerization or mechanization where such data is then sold or transferred for consideration by Client to any third party through such Automated Program. If Provider reasonably suspects that Client is in violation of this Section 5.5 at any time during the Term, Provider may, in its sole and unfettered discretion, immediately suspend Client’s access to the Services (including all Users) or terminate the Service Order and this Agreement.
6. REPRESENTATIONS AND WARRANTIES.
6.1. Mutual. Each party represents and warrants that it has full power and authority to enter into and fulfill its obligations under this Agreement.
6.2. FCRA. Each party represents and warrants to the other that it is not a consumer-reporting agency as defined by the Fair Credit Reporting Act, 15 U.S.C. §1681 et seq. (“FCRA”), and that the Services provided to Client hereunder do not constitute “Consumer Reports”, as defined in the FCRA. Client covenants with Provider that it will not use the Service to determine any consumer’s eligibility for any product or service to be used by a consumer for personal, family or household purposes. Client will not use the Service in whole or in part: (i) as a factor in establishing a consumer’s eligibility for credit; (ii) as a factor in establishing a consumer’s eligibility for insurance; (iii) for employment purposes; (iv) in connection with a determination of an individual’s eligibility for a license or other benefit granted by a governmental authority; or (v) in connection with any permissible purpose as defined by the FCRA.
6.3. Provider. Provider represents and warrants that:
- (A) Services and Software. The Services (i) do not violate or infringe any third party’s Intellectual Property Rights, (ii) will be free from any viruses or other malicious code, and (iii) do not contain any copy protection, automatic shut-down, lockout, “time bomb” or similar mechanisms that could interfere with Client’s exercise of its business or its rights under this Agreement.
- (B) Quality. Provider’s performance under this Agreement will be of professional quality and performed with reasonable skill and care consistent with generally-accepted industry standards.
- (C) Specifications and Requirements. The Services will meet this Agreement’s specifications and requirements.
- (D) Legal Proceedings. No legal proceedings have been threatened or brought against Provider that could threaten the provision of the Services, and Provider will promptly notify Client in writing if such legal proceedings are brought against Provider during the Term.
- (E) Provider Intellectual Property Rights. Provider has and will retain all necessary Intellectual Property Rights to grant the rights hereby granted in this Agreement and provide the Services to Client, at no greater cost to Client than specified in the applicable Service Order.
- (F) No Breach of Third-Party Obligations. Provider’s and Personnel’s fulfillment of their obligations under this Agreement will not breach any obligations they have to any third party.
- (G) Compliance with Laws. In connection with this Agreement, Provider and Personnel will comply with all applicable laws and regulations, including those identified below. Provider will use commercially reasonable and good faith efforts to comply with Client’s due diligence process, including providing requested information.
- (H) Import and Export. Provider will comply with all applicable import and export laws and trade sanction regulations.
- (I) Tax. Provider will comply with all applicable tax laws as to the Services.
7. DEFENCE AND INDEMNITY
7.1. Obligations. Provider will defend and indemnify Client and its directors, officers, and employees against all settlement amounts approved by Provider and any liabilities, damages, losses, costs, fees (including legal fees), and expenses in connection with any third-party claim or legal proceeding (including action by a government authority) to the extent arising from:
- (A) Provider’s breach of warranty, negligence, willful misconduct, fraud, misrepresentation, or violation of applicable laws;
- (B) any breach of Section 5 (Confidentiality; Client Data; Publicity; Security) or applicable data protection laws by Provider; and
- (C) an allegation that use of the Services infringes or misappropriates any third party’s rights, including Intellectual Property Rights.
7.2. Exclusions. This Section 7 (Defence and Indemnity) will not apply to the extent the underlying allegation arises from:
- (A) modifications to the Services not authorized or made by Provider; or
- (B) compliance with designs or instructions provided by Client in writing.
7.3. Control of Defence. Provider shall have the full responsibility for and control of the defence (including any settlement) of any such suit or proceeding; provided, however, that (a) such defence shall be conducted at Provider’s sole cost and expense, (b) Provider shall keep Client informed of, and consult with Client in connection with, the progress of such litigation and settlement, (c) Client may appoint its own non-controlling counsel at its own cost and expense, and (d) Provider shall not have the right to settle any such claim without the prior written approval of Client if such settlement requires Client to admit liability, pay money, or take (or refrain from taking) any action.
7.4. Other Remedies. In addition to the indemnity obligations in this Section 7 (Defence and Indemnity), in the event of an allegation that the use of the Services infringes or misappropriates any third-party rights, including Intellectual Property Rights, Provider will do the following at its sole expense:
- (A) procure the right for Client and its Users to continue using the Services in compliance with this Agreement; or
- (B) modify the Services to make them non-infringing without materially reducing functionality; or
- (C) if a reasonable alternative is available, replace the Services with a non-infringing, functionally-equivalent alternative.
8. LIMITATIONS OF LIABILITY
8.1. Liability. IN SECTION 8 (LIMITATIONS OF LIABILITY), “LIABILITY” MEANS ANY LIABILITY, WHETHER UNDER CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE (WHETHER OR NOT FORESEEABLE OR CONTEMPLATED BY THE PARTIES).
8.2. Limitations.
SUBJECT TO SECTION 8.3 (EXCEPTIONS TO LIMITATIONS):
- (A) NEITHER PARTY WILL HAVE ANY LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT FOR: (1) THE OTHER PARTY’S LOST REVENUES OR PROFITS; (2) INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL LOSSES; OR (3) EXEMPLARY OR PUNITIVE DAMAGES; AND
- (B) EACH PARTY’S AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT WILL NOT EXCEED THE AMOUNTS PAID AND PAYABLE BY CLIENT TO PROVIDER UNDER THIS AGREEMENT FOR THE 12 MONTHS PRECEDING THE SUBJECT CLAIM.
8.3. Exceptions to Limitations. THIS AGREEMENT DOES NOT EXCLUDE OR LIMIT EITHER PARTY’S LIABILITY FOR: (A) FRAUD OR FRAUDULENT MISREPRESENTATION; (B) BREACH OF SECTION 5 (CONFIDENTIALITY; CLIENT DATA; PUBLICITY; SECURITY); (C) ITS OBLIGATIONS UNDER SECTION 3 (PAYMENT) AND SECTION 7 (DEFENCE AND INDEMNITY); OR (E) MATTERS FOR WHICH LIABILITY CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.
9. TERMINATION.
9.1. Termination for Breach. Either party may immediately terminate this MSA, any Service Order on written notice if:
- (A) the other party breaches Section 5 (Confidentiality; Client Data; Publicity; Security) or Section 6 (Representations and Warranties); or
- (B) the other party is in material breach of this Agreement and fails to cure that breach within 30 days after receiving written notice from the first party identifying the breach.
9.2. Termination for Convenience. Subject to any Service Order to the contrary, on or after the date that is one year from the Effective Date, Client may terminate this MSA and any Service Order for convenience on 30 days written notice to Provider, subject to Section 9.4(B) (Effects on Invoices).
9.3. Effects of Termination.
- (A) Effects on Service Orders. Unless otherwise specified in the termination notice, termination is effective immediately and Provider will stop work on all applicable Service Orders immediately on receipt of the termination notice. Termination of this MSA terminates all outstanding Service Orders.
- (B) Effects on Invoices. Client will pay for the Services up to and including the date of termination.
- (C) Survival. Sections 1 (Definitions), 3 (Payment), 4.2 (Provider Materials Usage Rights), 4.3 (Reservation of Rights), 5 (Confidentiality; Client Data; Publicity; Security), 7 (Defence and Indemnity), 9 (Limitations of Liability), 9.3 (Effects of Termination), 9.4 (Return of Data), and 10 (General) will survive any termination of this Agreement.
9.4. Return of Data. Upon termination or expiration of any Service Order, Provider will either (i) provide Client with all Client Data contained in the Services or otherwise in the possession or control of Provider in a format and media reasonably acceptable to Client, or (ii) will destroy all such Client Data in accordance with Schedule D (Information Security).
10. GENERAL
10.1. Insurance. Provider will maintain insurance policies in accordance with Schedule E (Insurance).
10.2. Records and Government Audit.
- (A) Maintaining Records. Provider will maintain complete and accurate records relating to this Agreement.
- (B) Notice of Government Audits. If a government authority audits any portion of Provider’s business related to the Services or Deliverables, Provider will promptly notify Client and provide Client with reasonably-requested information about the audit.
10.3. Notices. All notices of termination or breach will be in English, in writing and addressed to the other party’s legal department. All other notices will be in English, in writing and addressed to the other party’s primary contact. Notice can be by email and will be treated as given on receipt, as verified by written or automated receipt or by electronic log (as applicable).
10.4. Assignment. Provider may not assign or transfer its rights or obligations under this Agreement, and any attempt to do so is void. Notwithstanding the foregoing, Provider may assign this Agreement in its entirety (including all current Service Orders), without consent of Client, in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. In addition, and for greater certainty only, Provider may at any time complete a change of control transaction (for example, through a stock purchase or sale, merger, or other form of corporate transaction).
10.5. Subcontracting. Provider may delegate, at its discretion, or subcontract any of its obligations under this Agreement without Client’s written consent; provided, however, that Provider will at all times remain liable for all subcontracted obligations and all acts or omissions of its subcontractors.
10.6. Force Majeure. Neither party will be liable for failure or delay in performance to the extent caused by circumstances beyond its reasonable control.
10.7. No Waiver. Neither party will be treated as having waived any rights by not exercising (or delaying the exercise of) any rights under this Agreement.
10.8. No Agency. This Agreement does not create any agency, partnership or joint venture between the parties.
10.9. No Third-Party Beneficiaries. This Agreement does not confer any benefits on any third party unless it expressly states that it does.
10.10. Execution. The parties may execute this Agreement using electronic signatures, electronic copies, and counterparts.
10.11. Entire Agreement. This Agreement states all the terms agreed between the parties and supersedes all other agreements between the parties as of the Effective Date relating to its subject matter. In entering into this Agreement neither party has relied on, and neither party will have any right or remedy based on, any statement, representation, or warranty (whether made negligently or innocently), except those expressly stated in this Agreement. Any terms or conditions on a quote, invoice, or other similar document from Provider related to this Agreement or the Services are void. Any “click-through”, “click-wrap”, or other online terms or conditions that Client or its Users are required to accept will not be binding and will have no legal effect or validity as to the Services, this MSA, or the applicable Service Order.
10.12. Amendments. Any amendment must be in writing, signed by both parties, and expressly state that it is amending this Agreement.
10.13. Severability. If any part of this Agreement is invalid, illegal, or unenforceable, the rest of this Agreement will remain in effect.
10.14. Order of Precedence. If there is any conflict or inconsistency between any of the provisions of the MSA, a Service Order and any other terms, conditions or other agreements between Client and Provider with respect to the Services, the following order of precedence shall apply: (i) a Service Order, (ii) the MSA, and (iii) any other terms, conditions or other agreements between Client and Provider.
10.15. Governing Law. ALL CLAIMS ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL BE GOVERNED BY NEW YORK LAW, EXCLUDING NEW YORK’S CONFLICT OF LAWS RULES, AND WILL BE LITIGATED EXCLUSIVELY IN THE FEDERAL OR STATE COURTS OF NEW YORK COUNTY, NEW YORK, USA; THE PARTIES CONSENT TO PERSONAL JURISDICTION IN THOSE COURTS.
SCHEDULE B
MAINTENANCE AND SUPPORT
Provider will maintain and support the Services to ensure connectivity and access by Client, its affiliates and its Users. Provider will promptly repair or replace, without any additional charge, the Services, to fix any bugs, defects, errors, or vulnerabilities (collectively, “Errors”). Provider will provide the support services on a 24×7 basis, 365 days per year.
Provider will provide the maintenance and support services described below:
1. UPDATES AND UPGRADES
Provider will update the Services and make available to Client all non-premium patches, enhancements, updates, upgrades and new versions of the Services that Provider makes generally commercially available (“Updates”) and any such Updates will be deemed part of the Services. All premium Updates will be made available to Client only if expressly provided on a Service Order.
Provider represents and warrants that no Update (A) will impair the operation or disable or inhibit any functions or features of the Services or cause performance of the Services to be degraded; or (B) adversely affect form, fit, function, reliability, safety or serviceability of the Services.
2. AVAILABILITY AND CONTACTS.
Provider will make technical support available to Client by toll-free telephone number and e-mail, 24 hours per day, 7 days per week. Provider’s support Personnel will provide Client with remote assistance for help in using and operating the Services and to accept reports of Errors in the Services. Provider will ensure that Personnel performing any maintenance and support services are experienced, knowledgeable and qualified in the use, maintenance and support of the Services.
Contact information for technical support is as follows:
Toll-Free Telephone Number: 1.888.250.2586
E-mail: support@liferaftlabs.com
3. ERROR CORRECTION
If Client reports to Provider any Error in the Services (the Severity Level to be reasonably determined by Provider), Provider will respond to such reports as described in Section 4 (Response Times) below:
“Severity Level 1” is an emergency condition which makes the use or continued use of any one or more functions of the Services impossible or significantly impaired.
“Severity Level 2” is, other than any Severity Level 1 Error, any condition which makes the use or continued use of any one or more functions of the Services difficult and which Client cannot reasonably circumvent or avoid on a temporary basis without the expenditure of significant time or effort.
“Severity Level 3” is, other than any Severity Level 1 or Severity Level 2 Error, any limited problem condition which is not critical in that no loss of Client Data occurs and which Client can reasonably circumvent or avoid on a temporary basis without the expenditure of significant time or effort.
“Severity Level 4” is, other than any Severity Level 1, Severity Level 2 or Severity Level 3 Error, a minor problem condition or documentation error which Client can easily circumvent or avoid.
“Severity Level 5” is a vulnerability in the Services that:
- (a) poses a serious imminent or active threat to Client’s uptime, Users, data, reputation, services or networks. This rare type of vulnerability encompasses active attacks or situations where there is a reasonable belief that exploitation will occur such as: the existence of an exploit or reports of similar attacks against other companies. This may also encompass less severe vulnerabilities that have gained notice in the press or prominent blogs; or
- (b) is serious and potentially dangerous to Client’s uptime, Users, data, reputation, services or networks, but there is no indication of imminent threat or active attack. These types of issues may also be reasonably difficult to exploit or may only be exposed to internal users but involve very sensitive data. Provider may have been notified about this vulnerability by an external party, but they have not made it publicly known.
4. RESPONSE TIMES
Provider will respond to an Error, depending on the Severity Level, within the timeframes indicated in the chart below, starting from the time Client notifies Provider of the Error:
| Severity Level | Response Time | Workaround Time | Resolution Time |
| --- | --- | --- | --- |
| Severity Level 1 | Within 30 minutes | 1 hour | 4 hours |
| Severity Level 2 | Within 4 hours | 4 hours | 1 day |
| Severity Level 3 | Within 1 day | 1 day | 7 days |
| Severity Level 4 | Within 1 day | 1 day | Earlier of 30 days or next Update |
| Severity Level 5 | Within 1 day | N/A | 30 days |
5. NO ADDITIONAL CHARGES
Except as otherwise stated in a Service Order, Provider will provide maintenance and support services at no additional charge.
SCHEDULE C
PERFORMANCE STANDARDS
1. Definitions. The following definitions will apply with respect to this Schedule:
1.1 “Downtime” means the time that users of the Services are not able to (a) access the Services, (b) perform ordinary functions to use or receive Services in accordance with specifications, or (c) utilize the Services for normal business operations due to failure, malfunction or delay. Downtime does not include any unavailability of the Services due to System Maintenance or a failure or defect arising out of a Force Majeure Event.
1.2 “Force Majeure Event” means any failure or delay caused by or the result of causes beyond the reasonable control of a party and could not have been avoided or corrected through the exercise of reasonable diligence, including, but not limited to, acts of God, fire, flood, hurricane or other natural catastrophe, terrorist actions, laws, orders, regulations, directions or actions of governmental authorities.
1.3 “System Availability” will be calculated on a calendar month basis using the following formula: Total System Availability multiplied by 99.5%.
1.4 “System Maintenance” means time that the Services are not accessible to Client due to maintenance, including for maintenance and upgrading of the software and hardware used by Provider to provide the Services. System Maintenance includes scheduled, unscheduled and emergency maintenance.
1.5 “Total Scheduled Availability” means (i) 1,440 minutes per day, 7 days a week multiplied by the number of days in a calendar month, minus (ii) System Maintenance.
2. Service Level Standards. Provider will at all times during the Term maintain the following service levels for the Services (collectively, the “Service Levels”):
2.1. System Availability Service Level. Provider will provide 99.5% System Availability for each calendar month of the Term, excluding any System Maintenance or Force Majeure Events (as defined below) that result in the Services not being available to any User.
3. Backups. Provider will back up all Client Data entered into the Services since the last backup daily to Provider’s backup location. Provider will create a full backup (complete data copy) at least once per week at such backup location. Provider will ensure that backups do not cause Downtime. Provider will ensure that daily incremental backups in combination with weekly full backups are complete so that no more than 24 hours’ worth of data will be lost in the event of a disaster.
4. Reporting. During the term of this Agreement, Provider will, upon Client’s reasonable request (which may be made by telephone or email), provide monthly reports to Client that include Provider’s performance with respect to the Service Levels and such other metrics as reasonably requested by Client from time-to-time.
5. SLA Credits. If Provider fails to meet any of the Service Levels, Provider will, upon Client’s written request, issue credits to Client, calculated as follows (the “SLA Credits”):
5.1 SLA Credits for Service Availability Service Level Failure. If the System Availability during any given calendar month falls below 99.5% as calculated herein, Provider will provide Client with a SLA Credit equal to the percentage of the total monthly fee (calculated on a pro rata basis if fees are invoiced other than monthly) applicable to the month in which the Service Level failure occurred corresponding to the System Availability Level in the chart below:
| System Availability Level | SLA Credit |
| --- | --- |
| 99.1-99.5% | 1% of total monthly fee applicable to month in which failure occurred |
| 96.6-99% | 10% of total monthly fee applicable to month in which failure occurred |
| 95-96.5% | 25% of total monthly fee applicable to month in which failure occurred |
| 90.1%-95% | 50% of total monthly fee applicable to month in which failure occurred |
| <90% | 100% of total monthly fee applicable to month in which failure occurred |
5.2 SLA Credit Procedures. Provider will credit all SLA Credits accrued to Client in the calendar month in which the SLA Credits accrue, provided that if no further invoices will be submitted to Client hereunder, Provider will pay such SLA Credits to Client within 30 days of the end of the calendar month in which such SLA Credits accrue.
5.3 System Maintenance. Provider may conduct System Maintenance from time to time in accordance with this Agreement, provided however, that the total time of such System Maintenance shall be no more than 360 minutes (6 hours) per calendar month. For all planned System Maintenance, Provider shall provide Client with not less than 2 days prior written notice. For all emergency or unplanned System Maintenance, Provider shall provide Client with as much prior written notice as is possible given the reason and subject of the System Maintenance. Provider may from time to time change its planned System Maintenance window upon written notice to Client.
SCHEDULE D
INFORMATION SECURITY
Data Protection Addendum
Part A: General Information Security Terms
1. INTRODUCTION
1.1 Status of the Addendum. This Data Protection Addendum (“DPA”) forms part of the Agreement and incorporates (a) the mandatory terms set out in this Part A (General Information Security Terms), and (b) the Supplemental Terms, to the extent applicable.
1.2 Order of Precedence. Unless otherwise stated in the Agreement, if there is any conflict or inconsistency between this DPA and the Agreement, this DPA will prevail.
1.3 Supplemental Terms. In addition to this Part A (General Information Security Terms), the following supplemental terms are part of the DPA to the extent applicable: Part B (EU Data Protection Requirements) of this DPA will apply to the extent the Services include access to Personal Information subject to EU Data Protection Laws.
2. DEFINITIONS; INTERPRETATION
2.1 Definitions. In this DPA:
- (a) “Access” or “Accessing” means to create, collect, acquire, receive, record, consult, use, process, alter, store, maintain, retrieve, disclose, or dispose of. Access also includes “processing” within the meaning of the EU Data Protection Laws.
- (b) “Applicable Laws” means all privacy, data security, and data protection laws, directives, regulations, and rules in any jurisdiction applicable to Provider Accessing Personal Information for the Services.
- (c) “Applicable Standards” means government standards, industry standards, and best practices applicable to Provider Accessing Personal Information for the Services.
- (e) “Data Controller” has the same meaning as “controller” in EU Data Protection Laws.
- (f) “Data Processor” has the same meaning as “processor” in EU Data Protection Laws.
- (g) “Data Subject” has the same meaning as “data subject” in EU Data Protection Laws.
- (h) “GDPR” means the General Data Protection Regulation (EU) 2016/679 on data protection and privacy for all individuals within the European Union (“EU”) and the European Economic Area (“EEA”), as amended or modified from time to time.
- (i) “EU Data Protection Laws” means, as applicable: (i) the GDPR; and (ii) any other applicable data protection laws or regulations modeled on the GDPR or enacted in replacement of the GDPR.
- (j) “EU Personal Information” means Personal Information subject to EU Data Protection Laws.
- (k) “includes” or “including” means “including but not limited to”.
- (l) “Personal Information” means (i) any information about an identified or identifiable individual; or (ii) information that is not specifically about an identifiable individual but, when combined with other information, may identify an individual. Personal Information includes names, email addresses, postal addresses, telephone numbers, government identification numbers, financial account numbers, payment card information, credit report information, biometric information, online identifiers (including IP addresses and cookie identifiers), network and hardware identifiers, and geolocation information, and any information that constitutes “personal data” within the meaning of EU Data Protection Laws.
- (m) “Protected Information” means Personal Information and Client Confidential Information that Provider or a Subcontractor may Access in performing Services. Protected Information does not include the parties’ business contact information (specifically, business addresses, phone numbers, and email addresses, including a party’s contact persons’ names used solely to facilitate the parties’ communications for administration of the Agreement).
- (n) “Provider” means the Provider under the MSA, which is the party (including any personnel, contractor, or agent acting on behalf of such party) that performs Services for Client or its affiliates under the Agreement.
- (o) “reasonable” means reasonable and appropriate to (i) the size, scope, and complexity of Provider’s business; (ii) the nature of Protected Information being Accessed; and (iii) the need for privacy, confidentiality, and security of Protected Information.
- (p) “Regulator” or “Regulatory” means an entity with supervisory or regulatory authority over Client or its affiliate under Applicable Laws.
- (q) “Safeguards” means the practices, procedures, and systems, including administrative, technical, and physical safeguards to (A) protect the security, confidentiality, and integrity of Protected Information, (B) ensure against anticipated threats or hazards to the security or integrity of Protected Information, and (C) protect against unauthorized access to or use of Protected Information.
- (r) “Secondary Use” means Access to Protected Information for purposes other than as necessary to fulfill the Agreement and comply with the specific instructions stated in the Agreement.
- (s) “Security Incident” means actual or reasonable degree of certainty of unauthorized use, destruction, loss, control, alteration, acquisition, exfiltration, theft, retention, disclosure of, or access to, Protected Information for which Provider is responsible. Security Incidents do not include unsuccessful access attempts or attacks that do not compromise the confidentiality, integrity, or availability of Protected Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- (t) “Services” means any goods or services that Provider or a Subcontractor provide(s) to or for Client either (a) under one or more Service Orders entered under the Agreement; or (b) if no Service Order has been entered under the Agreement, under the Agreement itself.
- (u) “Subcontractor” means any parent company, subsidiary, agent, contractor, sub-contractor, sub-processor, or other third party Provider authorizes to act on its behalf in connection with processing Personal Information exclusively intended for the Services.
2.2 Interpretation. All capitalized terms that are not expressly defined in the DPA will have the meanings given to them in the Agreement. Any examples in this DPA are illustrative and not the sole examples of a particular concept.
3. COMPLIANCE WITH LAWS; USE LIMITATION.
3.1 Compliance with Applicable Laws and Applicable Standards. When Provider Accesses Protected Information under the Agreement, Provider will at all times comply with all Applicable Laws and Applicable Standards, including any requirements applicable to the cross-border transfer of Personal Information. Provider will promptly notify Client if Provider reasonably believes compliance with this DPA will interfere with its obligations under Applicable Laws.
3.2 Use Limitation. Provider will Access Protected Information only for the limited and specified purposes stated in the Agreement and to exercise its rights and fulfill its obligations under the Agreement and not for any Secondary Use.
4. SUBCONTRACTORS
Provider may not subcontract the performance of any part of the Services to any Subcontractor without Client’s prior written consent or general written authorization. If and to the extent Client gives prior consent or authorization, Provider will:
- (a) carry out adequate due diligence of any Subcontractor to ensure its capability of providing the level of security and privacy required by the Agreement;
- (b) contractually require any Subcontractor to prevent Secondary Use and protect Protected Information using at least the same level of protection required of Provider under this DPA; and
- (c) retain oversight of and be responsible for Subcontractors’ acts and omissions in connection with this Agreement.
5. SAFEGUARDS
At all times that Provider Accesses Protected Information, Provider will maintain reasonable technical, organizational, administrative, and physical controls and comply with this DPA, Applicable Standards, and Applicable Laws, including the following:
- (a) Physical Controls. Provider will maintain physical controls designed to secure relevant facilities, including layered controls covering perimeter and interior barriers, individual physical access controls, strongly-constructed facilities, suitable locks with key management procedures, access logging, and intruder alarms/alerts and response procedures.
- (b) Technical Controls. To the extent Provider Accesses Protected Information, Provider agrees to:
- (i) establish and enforce access control policies and measures to ensure that only individuals who have a legitimate need to Access Protected Information will have such access, including multi-factor authentication;
- (ii) promptly terminate an individual’s access to Protected Information when such access is no longer required for performance under the Agreement;
- (iii) maintain reasonable and up-to-date anti-malware, anti-spam, and similar controls on Provider’s networks, systems, and devices;
- (iv) log the appropriate details of access to Protected Information on Provider systems and equipment, plus alarms for attempted access violations, and retain such records for no less than 90 days;
- (v) maintain controls and processes designed to ensure that all operating system and application security patches are installed within the timeframe recommended or required by the issuer of the patch; and
- (vi) implement reasonable user account management procedures to securely create, amend, and delete user accounts on networks, systems, and devices through which Provider Accesses Protected Information, including monitoring redundant accounts and ensuring that information owners properly authorize all user account requests.
- (c) Personnel Security. Provider will maintain policies and practices in accordance with Applicable Laws in respect of all personnel who Access Protected Information or who implement, maintain, or administer Provider Safeguards.
- (d) Training and Supervision. Provider will provide reasonable ongoing privacy and information security training and supervision for all Provider’s personnel who Access Protected Information.
6. ASSESSMENTS; AUDITS; CORRECTIONS
6.1 Provider’s Continuous Self-Assessment.
Provider will continuously monitor risk to Protected Information and ensure that the Safeguards are properly designed and maintained to protect the confidentiality, integrity, and availability of Protected Information. As part of Provider’s continuous self-assessment program Provider will at a minimum do the following: (1) periodically (but no less than once per year) ensure third party penetration tests and other appropriate vulnerability tests are conducted, and (2) promptly fix high and critical severity findings (if any).
6.2 Certifications; Regulatory Audits.
- (a) Certifications. Provider will implement and maintain ISO 27001 security certifications for the Services at all times during the term of this Agreement and will provide a copy of such certification to Client upon request and annually thereafter (upon request) upon such certification being renewed.
- (b) Regulatory Audit. If a Regulator requires an audit of the data processing facilities from which Provider processes Personal Information in order to ascertain or monitor Client’s compliance with Applicable Law, Provider agrees that it will cooperate with such audit.
6.3 Correcting Vulnerabilities. If either party discovers that Provider’s Safeguards contain a vulnerability, Provider will promptly correct or mitigate any vulnerability within a reasonable period at Provider’s own cost and expense.
7. SECURITY INCIDENT RESPONSE
7.1 Security Incident Response Program. Provider will maintain a reasonable Security Incident response program.
7.2 Security Incident Notification.
- (a) If Provider becomes aware of a Security Incident, Provider will promptly:
- (i) stop the unauthorized access;
- (ii) secure Protected Information;
- (iii) notify Client (in no event more than 24 hours after discovery of the Security Incident) by sending an email to [l] with the information described in Subsection (b) below. This notification is required even if Provider has not conclusively established the nature or extent of the Security Incident; and
- (iv) assist Client in complying with its Security Incident notification or cure obligations under Applicable Laws and as otherwise reasonably requested.
- (b) Provider will provide reasonable information about the Security Incident, including:
- (i) a description of Protected Information subject to the Security Incident (including the categories and number of data records and Data Subjects concerned) and the likely consequences of the Security Incident;
- (ii) the date and time of the Security Incident;
- (iii) a description of the circumstances that led to the Security Incident (e.g., loss, theft, copying);
- (iv) a description of the measures Provider has taken and proposes to take to address the Security Incident; and
- (v) relevant contact people who will be reasonably available until the parties mutually agree that the Security Incident has been resolved.
7.3 Remediation; Investigation. Provider, at its own cost and expense, will take appropriate steps to promptly remediate the root cause(s) of any Security Incident, and will reasonably cooperate with Client with respect to the investigation and remediation of such incident, including providing such assistance as required to enable Client to satisfy its obligation to notify individuals and cure an alleged violation related to a Security Incident. Provider will promptly provide Client the results of the investigation and any remediation already undertaken.
7.4 No Unauthorized Statements. Except as required by Applicable Laws, Provider will not make (or permit any third party to make) any statement concerning the Security Incident that directly or indirectly references Client, unless Client provides its explicit written authorization.
8. LEGAL PROCESS
If Provider or anyone to whom Provider provides access to Protected Information becomes legally compelled by a court or other government authority to disclose Protected Information, then to the extent permitted by law, Provider will promptly inform Client of any request and reasonably cooperate with Client’s efforts to challenge the disclosure, seek an appropriate protective order, or pursue such other legal action as Client may deem appropriate. Unless required by Applicable Laws, Provider will not respond to such request, unless Client has authorized Provider to do so.
9. RECORDS; DESTRUCTION; RESPONDING TO ACCESS REQUESTS; SANITIZATION
9.1 Return or Deletion of Information. Upon the termination or expiration of the Agreement or the relevant Service Order for the Services, Provider will delete and render Protected Information, securely dispose of all hard copies (if any), and where requested certify in .
10. SURVIVAL
Provider acknowledges that its obligations under this DPA may survive expiration or termination of the Agreement for the time it continues to have access to Protected Information if so provided by Applicable Laws.
Part B: EU Data Protection Requirements
1. INTRODUCTION
This Part B will only apply to the extent the Services require that Provider Access Personal Information subject to EU Data Protection Laws.
2. TYPES AND CATEGORIES OF PERSONAL INFORMATION
The purchase order(s) or statement(s) of work associated with the Services will specify the subject matter and duration of the processing, the categories of Data Subjects, and the types and categories of Personal Information Accessed.
3. ROLES AND RESPONSIBILITIES
3.1 If EU Data Protection Laws apply to the Services, the parties acknowledge and agree that:
the subject matter and details of the processing are as described in the Agreement;
Client or its affiliate is a controller of the Personal Information;
Provider is a processor of the Personal Information; and
Provider will comply with Client’s written instructions and the terms of this Agreement with respect to the Personal Information.
3.2 Provider Obligations as a Data Processor
Provider will:
- (a) Access Personal Information only on behalf of Client and in accordance with Client’s documented instructions and the terms of this Agreement unless Provider is otherwise required by EU Data Protection Law, in which case Provider will inform Client of that legal requirement before Accessing the Personal Information, unless informing Client is prohibited by law on important grounds of public interest. Provider will immediately inform Client if, in Provider’s opinion, Client’s instructions infringe EU Data Protection Law.
- (b) implement and maintain appropriate technical and organizational measures to meet Provider’s obligations under Applicable Laws and this DPA;
- (c) promptly delete the Personal Information in Provider’s control at Client’s direction;
- (d) provide Client with reasonable information about any Subcontractor, but only if required by Applicable Laws.
- (e) promptly notify Client of any Data Subjects’ request to exercise their legal rights or to access, correct, amend, delete, or restrict that person’s Personal Information, to object to the Accessing of Personal Information or exercise the right to data portability in respect of Personal Information. Provider agrees to not respond to such requests without first giving Client prior written notice of such request;
- (f) cooperate with and assist Client in investigating Data Subjects’ exercise of their legal rights;
- (g) appoint a Data Protection Officer if required pursuant to Applicable Laws, and notify Client of the Data Protection Officer’s contact information on Client’s request; and
- (h) maintain adequate records of processing activities as set out more fully in Article 30 of the GDPR.
4. DATA TRANSFERS.
4.1 Transfers of Data Out of the European Economic Area and Switzerland. Provider may transfer EU Personal Information outside the European Economic Area or Switzerland, if Provider complies with the provisions on the transfer of personal data to third countries in EU Data Protection Laws.
SCHEDULE E
INSURANCE
During the Term and at its own expense, Provider will maintain the following insurance coverage in connection with the Services:
1. STANDARD COVERAGES
Provider may use any combination of the following insurance to meet the total limit requirements of this Section.
1.1. Commercial General Liability insurance, including contractual liability coverage, on an occurrence basis for bodily injury, death, “broad form” property damage, products and completed operations, and personal and advertising injury, with coverage limits of not less than CAD $2,000,000 per occurrence.
2. SPECIFIC COVERAGES
2.1. Professional Liability. If Provider’s provision of the Services includes consultative, design, or development services, then Provider will additionally maintain professional liability insurance, with coverage limits of not less than CAD $2,000,000 per claim.
2.2. Network Security and Privacy Liability. Provider will additionally maintain network security and privacy liability insurance with coverage limits of not less than CAD $2,000,000 per claim.
3. COVERAGE REQUIREMENTS
3.1. Primary Coverage. Provider’s policies will be considered primary without right of contribution from Client’s insurance policies.
3.2. Policy Limits. Provider’s policies will apply to the full extent provided by the policies. The coverage requirements in Sections 1 (Standard Coverages) and 2 (Specific Coverages) above will not lower the coverage limits of Provider’s policies, and will not limit Provider’s obligations or liability under this Agreement (including indemnities).
4. PROVIDER RESPONSIBLE FOR OWN INSURANCE COVERAGE
4.1. Provider’s Activities at Own Risk. All of Provider’s activities under this Agreement will be at Provider’s own risk.
4.2. Provider Responsible for Subcontractor’s Insurance Coverage. Provider is solely responsible for ensuring that its subcontractors maintain insurance coverage that is usual, reasonable and customary for the services provided by such subcontractors to ensure that Provider can meet its requirements and obligations under this Agreement.
5. CERTIFICATES OF INSURANCE
5.1. Evidence of Insurance Coverage. Upon Client’s request, Provider will provide evidence of required insurance coverage to Client or Client’s third-party vendor.
5.2. Client Not Obligated to Review Insurance Coverage. Client’s failure to request, review, or object to the terms of Provider’s certificates of insurance will not waive any of Provider’s obligations under this Agreement.