MASTER SOFTWARE SERVICES AGREEMENT
BACKGROUND
Provider has developed the Disclo software application and suite of online services (collectively the “Disclo Services”) to assist employers and their employees with certain compliance obligations under the Americans With Disabilities Act (“ADA”) and related communications matters, which Provider makes available through its Provider Platform. Client desires to subscribe to the Disclo Services in accordance with the terms and conditions of this Agreement.
NOW, THEREFORE, in consideration of the mutual promises and covenants herein contained and other valuable consideration, the parties agree as follows:
AGREEMENT
- DEFINITIONS.
- “Client Data” means the information provided by Client that is used with the Disclo Services, including Personal Data.
- “Documentation” means any proprietary Disclo end user documentation made available to Client by Provider for use with the Disclo Services and Provider Platform, including any such documentation available online or otherwise, as amended or updated by Provider from time to time in its discretion.
- “Intellectual Property Rights” shall mean all intellectual property rights or similar proprietary rights, including (a) patent rights and utility models, (b) copyrights and database rights, (c) trademarks, trade names, domain names and trade dress and the goodwill associated therewith, (d) trade secrets, (e) mask works, and (f) industrial design rights; in each case, including any registrations of, applications to register, and renewals and extensions of, any of the foregoing in any jurisdiction in the world.
- “Personal Data” means (i) any non-public information (a) which alone or in combination with other information can be used to identify a living natural person, or (b) that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or a group of individuals who cohabitate with one another at the same residential address, and (ii) any information that is considered to be protected health information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the regulations thereunder.
- “Professional Services” means any consulting, custom development or other professional services provided by Provider to Client hereunder in connection with the Provider Platform.
- “Provider Platform” means the Provider data collection, analytics and action platform that comprises certain software applications that are owned, licensed, or otherwise controlled by Provider, operated and hosted by Provider on Provider’s servers, and made available via the Internet on a software-as-a-service (“SaaS”) basis. As used herein, the term “Provider Platform” shall also include Documentation, and all updates, bug fixes, error corrections or other minor enhancements, modifications and improvements to the Provider Platform or any portion or component thereof, made available to Client by Provider.
- “Subscription Term” means the subscription period for the Disclo Services commencing with the Initial Subscription Term noted on the attached Order Form and continuing thereafter for consecutive Renewal Periods as set forth on the attached Order Form; provided that either party may terminate the Subscription Term by providing written notice to the other party at least 60 days prior to the end of the then applicable annual subscription period, of such notifying party’s desire not to renew this Agreement at the end of such applicable subscription period.
- “Users” means employees of Client who are authorized by Client to use the Provider Platform and the Disclo Services and who have been supplied user identifications and passwords by Client pursuant to Section 3.1.
- PROVIDER PLATFORM ACCESS.
- Access and Use. Subject to the terms and conditions of this Agreement, Provider grants to Client during the relevant Subscription Term a limited, non-exclusive, non-transferable right and license, without the right to sublicense, for its Users to access and use the Disclo Services via the Provider Platform for Client’s internal business purposes and not for the benefit of any other person or entity.
- Use Restrictions. Client shall not, directly or indirectly, and Client shall not permit any User or third party to, (i) reverse engineer, decompile, disassemble or otherwise attempt to discover the object code, source code or underlying ideas or algorithms of the Provider Platform; (ii) modify, translate, or create derivative works based on any element of the Provider Platform or any related documentation; (iii) rent, lease, distribute, sell, resell, assign, or otherwise transfer its rights to use the Disclo Services or Provider Platform; (iv) use the Disclo Services or Provider Platform for timesharing purposes or otherwise for the benefit of any person or entity other than for the benefit of Client and Users; (v) remove any proprietary notices from the Documentation; (vi) publish or disclose to third parties any evaluation of the Disclo Services or Provider Platform without Provider’s prior written consent; (vii) use the Disclo Services or Provider Platform for any purpose other than its intended purpose; (viii) interfere with or disrupt the integrity or performance of the Disclo Services or Provider Platform; or (ix) attempt to gain unauthorized access to the Disclo Services or Provider Platform.
- SECURITY MATTERS.
- Passwords. Provider will issue to Client and/or authorize a Client account manager to create and issue to each User, a user login and password for access and use of the Disclo Services and the Provider Platform. Client and its Users are responsible for maintaining the confidentiality of all user logins and passwords and for ensuring that each user login and password is used only by the User to which it was issued. Client is responsible for any and all access and use of the Disclo Services or Provider Platform that occurs under Client’s account. Client shall restrict its Users from sharing passwords. Client agrees to immediately notify Provider of any unauthorized use of Client’s or any User’s account and/or login and password, or any other breach of security known to Client. Provider shall have no liability for any loss or damage arising from Client’s failure to comply with the terms set forth in this Section.
- No Circumvention of Security. Neither Client nor any User may circumvent or otherwise interfere with any user authentication or security of the Provider Platform. Client will immediately notify Provider of any breach, or attempted breach, of security known to Client.
- Provider Security Measures. Provider will maintain commercially reasonable administrative and technical security measures intended to protect against unauthorized access to, disclosure or use of any Personal Data stored by Provider on the Provider Platform in connection with Client or its Users’ use of the Disclo Services or Provider Platform. Among the measures that Provider will implement are the following:
(i) Maintaining a certification that the Disclo Services are compliant with the security requirements of HIPAA;
(ii) Completing a SOC2 compliance audit concerning the Disclo Services on an annual basis;
(iii) Assisting Client in requiring that all Users whose Personal Data is stored or otherwise processed through the Disclo Services provide a waiver and consent to allow such Personal Data to be so stored or processed;
(iv) Maintaining Errors & Omissions insurance; and
(v) Undertaking those obligations set forth in the Disclo Data Processing and Security Addendum attached hereto as Exhibit C.
- CLIENT OBLIGATIONS FOR HARDWARE AND SOFTWARE. Client is responsible for (i) obtaining, deploying and maintaining the Client’s computer hardware, software, modems, routers and other communications equipment and systems necessary for Client and its Users to access and use the Disclo Services and Provider Platform via the Internet; (ii) contracting with an Internet service provider or other service providers to access and use the Disclo Services and Provider Platform via the Internet; and (iii) paying all third party fees and access charges incurred in connection with the foregoing. Except as specifically set forth in this Agreement or a Statement of Work, Provider shall not be responsible for supplying any hardware, software or other equipment to Client under this Agreement.
- SUPPORT SERVICES.
- Performance. Subject to the terms and conditions of this Agreement, Provider will provide the Support Services for the Disclo Services during the applicable Subscription Term. Certain enhancements to the Provider Platform made generally available at no cost to all subscribing customers for Disclo Services during the applicable Subscription Term will be made available to Client at no additional charge. However, the availability of some new enhancements to the Provider Platform may require the payment of additional fees, and Provider will determine at its sole discretion whether access to any other such new enhancements will require an additional fee. This Agreement will apply to, and the Provider Platform includes, any enhancements, updates, upgrades and new modules or offerings subsequently provided by Provider to Client hereunder.
- Designated Provider Account Executive. Provider shall designate one of its employees (the “Designated Account Executive”) who will serve as Provider’s principal contact to address Client support matters, including any problems or issues with the Disclo Services and Provider Platform on behalf of Client and its Users.
- Designated Client Employee. Following the Effective Date, Client shall designate one of its employees (the “Designated Employee”) who will serve as Client’s principal contact for Provider’s support team and will be responsible for reporting problems or issues with the Disclo Services and Provider Platform on behalf of Client and its Users.
- PROFESSIONAL SERVICES. The parties shall complete a statement of work (“Statement of Work” or “SOW”) referencing this Agreement for all Professional Services to be provided by Provider to Client pursuant to a Client request from time to time. Each Statement of Work shall (a) be signed by authorized representatives of both parties, (b) identify the Professional Services to be performed and any deliverables to be provided by Provider for Client, (c) set forth the terms and conditions for the performance of such Professional Services and (d) be incorporated in this Agreement by reference and made a part hereof. Provider and Client shall cooperate to enable Provider to perform the Professional Services according to the dates of performance and delivery terms set forth in each Statement of Work.
- FEES AND PAYMENT.
- Subscription Fees. Client shall pay to Provider the subscription fees and charges (the “Subscription Fees”) for the Disclo Services for the applicable Subscription Term in the amounts and in the manner provided for on the Order Form. Subscription Fees are non-cancelable during the Subscription Term.
- Other Fees. Client shall pay to Provider the fees, if any, set forth in an applicable Statement of Work for Professional Services, together with any reasonable out-of-pocket expenses that may be incurred by Provider or its personnel in connection with the Support Services or Professional Services, including any travel and living expenses.
- REPRESENTATIONS AND WARRANTIES.
- Provider Warranty.
- Provider Platform Warranty. Provider warrants to Client that the Disclo Services shall, under normal use and service, substantially conform to, and perform in all material respects, the functions described in the applicable Documentation. If any such Disclo Services fail to comply with the foregoing warranty, Client shall provide written notice to Provider and describe in reasonable detail the nature of the non-conformity. In such event, Provider shall use reasonable efforts to repair or rectify such non-conformity. If Provider is unable to repair or rectify such non-conformity, then Provider may terminate this Agreement (including without limitation the licenses granted in this Agreement) with respect to the non-conforming Disclo Services and in such event, Provider will refund to Client on a pro-rata basis as applicable the portion of Subscription Fees paid to Provider prior to termination applicable to the access and use of such non-conforming Disclo Services after the termination date. THE REMEDY SET FORTH IN THIS SECTION SHALL BE PROVIDER’S SOLE OBLIGATION FOR ANY BREACH OF THE WARRANTY SET FORTH IN THIS SECTION.
- Exclusions. The warranty in this Section 8.1 does not cover defects or non-conformities arising from (i) misuse of the Provider Platform or the Documentation, (ii) any modifications to the Provider Platform made by any person or entity other than Provider that is not previously approved by Provider, (iii) any use of the Disclo Services or Provider Platform by Client or its Users beyond the scope of the express rights and licenses granted in this Agreement, (iv) any use of the Provider Platform in combination with other software, hardware or data not specified by Provider or otherwise necessary to utilize the Provider Platform as intended, or (v) Provider’s compliance with Client’s request for changes to the Provider Platform or with Client’s designs, specifications or instructions.
- Client Warranties.
- Client Warranty. Client represents and warrants that Client has the right, including in respect of all relevant data privacy and other laws, to provide Provider access to and use of the Client Data and Personal Data, including without limitation, for use in connection with the Disclo Services, Provider Platform, Professional Services, and Support Services.
- Disclaimer. THE WARRANTIES SET FORTH IN THIS SECTION 8 AND IN ANY STATEMENT OF WORK ARE IN LIEU OF ALL OTHER WARRANTIES OR CONDITIONS, AND, EXCEPT FOR THE EXPRESS WARRANTIES SET FORTH IN THIS SECTION 8 OR ANY STATEMENT OF WORK, THE DISCLO SERVICES, PROVIDER PLATFORM, SUPPORT SERVICES, AND PROFESSIONAL SERVICES ARE PROVIDED ON AN AS-IS BASIS AND CLIENT’S USE OF THE PROVIDER PLATFORM, DISCLO SERVICES, SUPPORT SERVICES, AND PROFESSIONAL SERVICES IS OTHERWISE AT ITS OWN RISK. PROVIDER DOES NOT MAKE, AND HEREBY DISCLAIMS, ANY AND ALL OTHER EXPRESS AND/OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT AND TITLE, AND ANY WARRANTIES ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
NO AGENT OF EITHER PARTY IS AUTHORIZED TO ALTER OR EXPAND THE WARRANTIES OF SUCH PARTY SET FORTH HEREIN. PROVIDER DOES NOT WARRANT THAT THE DISCLO SERVICES OR PROVIDER PLATFORM IS OR WILL BE UNINTERRUPTED OR ERROR FREE. CLIENT ACKNOWLEDGES AND AGREES THAT THE PROVIDER PLATFORM (AS WITH TECHNOLOGY GENERALLY), MAY HAVE ERRORS OR “BUGS” AND MAY ENCOUNTER UNEXPECTED TECHNICAL PROBLEMS. ACCORDINGLY, FROM TIME TO TIME, CLIENT MAY EXPERIENCE DOWNTIME AND ERRORS IN THE OPERATION, FUNCTIONALITY OR PERFORMANCE OF THE PROVIDER PLATFORM OR DISCLO SERVICES. ACCORDINGLY, CLIENT SHALL PUT IN PLACE REASONABLE INTERNAL PROCEDURES AND PROCESSES TO ENABLE IT TO MINIMIZE ANY INCONVENIENCE AND ANY ADVERSE IMPACT OF ANY SUCH DOWNTIME OR ERROR.
- INDEMNIFICATION.
- Provider Indemnity.
(a) Indemnity. Provider shall, subject to the terms and conditions set forth in this Agreement, indemnify, hold harmless, and defend Client, its successors and assigns (and its and their officers, directors, employees, contractors, customers, and agents) from and against any and all third party claims, losses, liabilities, damages, settlements, expenses and costs (including, without limitation, attorneys’ fees and court costs) awarded to a third party by a court of competent jurisdiction or in a settlement approved by Provider which arise out of or relate to (i) any and all third party claim or threat thereof against Client (a “Provider Indemnity Claim”) alleging that Client’s use of the Provider Platform and Disclo Services in accordance with the terms of this Agreement infringes any United States copyright or United States patent, or (ii) any breach or alleged breach by Provider of any of its covenants, representations or warranties set forth in this Agreement. Provider’s obligations under this Section are conditioned upon (X) Provider being promptly notified in writing of such Provider Indemnity Claim, provided, however, that the failure to give such notice shall not relieve Provider of its obligations hereunder except to the extent that Provider was actually and materially prejudiced by such failure, (Y) Provider having the exclusive right to control the defense and/or settlement of the Provider Indemnity Claim, and (Z) Client providing reasonable assistance (at Provider’s request and expense) in the defense of the Provider Indemnity Claim. In no event shall Client settle any Provider Indemnity Claim without Provider’s prior written approval, which approval shall not be unreasonably withheld or delayed. Client may, at its own expense, engage separate counsel to advise Client regarding a Claim and to participate in the defense of the Provider Indemnity Claim, subject to Provider’s right to control the defense and settlement.
(b) Mitigation. In the event of any such third party Provider Indemnity Claim or threat thereof, Provider, at its sole option and expense, may (i) procure for Client the right to continue to use the allegedly infringing Disclo Services or Provider Platform, or (ii) replace or modify the Provider Platform with functionally equivalent software and/or Services. If neither subpart (i) nor (ii) of this paragraph is commercially reasonable or practical in the reasonable opinion of Provider, Provider may terminate this Agreement with respect to the allegedly infringing Disclo Services or Provider Platform, and the license thereto granted hereunder, upon fifteen (15) days written notice to Client. In the event of such termination, Provider shall refund to Client any portion of Subscription Fees paid to Provider by Client for use of the allegedly infringing Disclo Services or Provider Platform following the date of such termination.
(c) Exclusions. Notwithstanding anything to the contrary in this Agreement, Provider shall have no obligations to Client pursuant to this Section 9.1 with respect to any infringement or alleged infringement resulting or arising from (1) any modifications to the Provider Platform made by any person or entity other than Provider that is not previously approved by Provider, (2) any use of the Provider Platform or Disclo Services by Client or its Users beyond the scope of the express rights and licenses granted in this Agreement, (3) any use of the Disclo Services or Provider Platform in combination with other service, software, hardware or data, or (4) Provider’s compliance with Client’s request for changes to the Provider Platform or with Client’s designs, specifications or instructions.
- Client Indemnity. Client shall indemnify, hold harmless, and defend, Provider and its licensors, successors and assigns (and its and their officers, directors, employees, contractors, customers, and agents) from and against any and all third party claims, losses, liabilities, damages, settlements, expenses and costs (including, without limitation, attorneys’ fees and court costs) awarded to a third party by a court of competent jurisdiction or in a settlement approved by Client which arise out of or relate to (i) any and all third party claim or threat thereof against Provider (a “Client Indemnity Claim”) that the Client Data infringes any United States copyright or United States patent; or (ii) any breach or alleged breach by Client of any of its covenants, representations or warranties set forth in this Agreement. Client’s obligations under this Section are conditioned upon (X) Client being promptly notified in writing of such Client Indemnity Claim; provided, however, that the failure to give such notice shall not relieve Client of its obligations hereunder except to the extent that Client was actually and materially prejudiced by such failure, (Y) Client having the exclusive right to control the defense and/or settlement of the Client Indemnity Claim, and (Z) Provider providing reasonable assistance (at Client’s request and expense) in the defense of the Client Indemnity Claim. In no event shall Provider settle any Client Indemnity Claim without Client’s prior written approval, not to be unreasonably withheld or delayed. Client may not settle any claim for which indemnification is sought under this Section without the prior written approval of Provider, which approval shall not be unreasonably withheld or delayed.
- CONFIDENTIALITY.
- Confidential Information. “Confidential Information” means any and all non-public technical and non-technical information disclosed by one party (the “Disclosing Party”) to the other party (the “Receiving Party”) in any form or medium, whether oral, written, graphical or electronic, pursuant to this Agreement, that is marked confidential and proprietary, or that the Disclosing Party identifies as confidential and proprietary, or that by the nature of the circumstances surrounding the disclosure or receipt ought to be treated as confidential and proprietary information, including but not limited to: (i) techniques, sketches, drawings, models, inventions (whether or not patented or patentable), know-how, processes, apparatus, formulae, equipment, algorithms, software programs, software source documents, APIs, and other creative works (whether or not copyrighted or copyrightable); (ii) information concerning research, experimental work, development, design details and specifications, engineering, financial information, procurement requirements, purchasing, manufacturing, customer lists, business forecasts, sales and merchandising and marketing plans and information; (iii) proprietary or confidential information of any third party who may disclose such information to Disclosing Party or Receiving Party in the course of Disclosing Party’s business; and (iv) the terms of this Agreement and any Statement of Work. Confidential Information of Provider shall include the Provider Platform and the Disclo Services. Confidential Information of Client shall include the Client Data and Personal Data of Users. Confidential Information also includes all summaries and abstracts of Confidential Information.
- Non-Disclosure. Each party acknowledges that in the course of the performance of this Agreement, it may obtain the Confidential Information of the other party. The Receiving Party shall, at all times, both during the Term and thereafter, keep in confidence and trust all of the Disclosing Party’s Confidential Information received by it. The Receiving Party shall not use the Confidential Information of the Disclosing Party other than as necessary to fulfill the Receiving Party’s obligations or to exercise the Receiving Party’s rights under the terms of this Agreement. Each party agrees to secure and protect the other party’s Confidential Information with the same degree of care and in a manner consistent with the maintenance of such party’s own Confidential Information (but in no event less than reasonable care), and to take appropriate action by instruction or agreement with its employees, affiliates or other agents who are permitted access to the other party’s Confidential Information to satisfy its obligations under this Section. The Receiving Party shall not disclose Confidential Information of the Disclosing Party to any person or entity other than its officers, employees, affiliates and agents who need access to such Confidential Information in order to effect the intent of this Agreement and who are subject to confidentiality obligations at least as stringent as the obligations set forth in this Agreement.
- Exceptions to Confidential Information. The definition of “Confidential Information” shall exclude, and the obligations set forth in Section 10.2 shall not apply to, information which: (i) was known by the Receiving Party prior to receipt from the Disclosing Party either itself or through receipt directly or indirectly from a source other than one having an obligation of confidentiality to the Disclosing Party; (ii) was developed by the Receiving Party without use of the Disclosing Party’s Confidential Information; or (iii) becomes publicly known or otherwise ceases to be secret or confidential, except as a result of a breach of this Agreement or any obligation of confidentiality by the Receiving Party. Nothing in this Agreement shall prevent the Receiving Party from disclosing Confidential Information to the extent the Receiving Party is legally compelled to do so by any governmental investigative or judicial agency pursuant to proceedings over which such agency has jurisdiction; provided, however, that prior to any such disclosure, the Receiving Party shall (i) assert the confidential nature of the Confidential Information to the agency; (ii) immediately notify the Disclosing Party in writing of the agency’s order or request to disclose; and (iii) cooperate fully with the Disclosing Party in protecting against any such disclosure and/or obtaining a protective order narrowing the scope of the compelled disclosure and protecting its confidentiality.
- DATA.
- Client Data. Client shall be solely responsible for the accuracy, quality, legality, reliability, appropriateness of and the parties’ respective rights to use all Client Data under this Agreement. In particular, Client has control over whether any Personal Data is collected and processed by the Provider Platform. Client represents and warrants that (i) it will provide all required notice(s) to and obtain all required consent(s) from each User regarding the Client’s collection, disclosure, analysis and use of Client Data, including any Personal Data, and (ii) that the collection, disclosure, analysis and use of Client Data, as contemplated under this Agreement, complies with all applicable laws, rules and regulations.
- Usage Data. Notwithstanding anything else in the Agreement or otherwise, Provider may monitor Client’s and Users’ use of the Disclo Services and Provider Platform and use data and information related to Client Data and Client’s and Users’ use of the Disclo Services in an aggregate or de-identified manner, including to compile statistical and performance information related to the provision and operation of the Provider Platform and Disclo Services. Client agrees that Provider may use such information to the extent allowed by applicable law or regulation and/or for purposes of data gathering, analysis, service enhancement and marketing, provided that such data and information does not identify (or cannot reasonably be associated with) Client or its Confidential Information. Provider retains all Intellectual Property Rights in such aggregated and de-identified data and information.
- PROPRIETARY RIGHTS.
- Ownership. Client acknowledges that the Provider Platform and the Disclo Services, and all Intellectual Property Rights therein, are the sole and exclusive property of Provider and its licensors. Provider acknowledges that the Client Data and Personal Data of Users, and all Intellectual Property Rights therein, are the sole and exclusive property of Client and its licensors (or individual Users, as applicable). Each party retains all other rights not expressly granted in this Agreement.
- Provider Developments. All inventions, works of authorship and developments conceived, created, written, or generated by or on behalf of Provider, whether solely or jointly, including without limitation, in connection with Provider’s performance of the Professional Services hereunder, including Deliverables (“Provider Developments”), including all Intellectual Property Rights therein, shall be the sole and exclusive property of Provider.
- License to Client Data. Client grants to Provider a royalty-free, nonexclusive, limited right and license to access and use the Client Data (a) during the Subscription Term, to provide the Disclo Services and to analyze and improve Provider and the Disclo Services; and (b) at any time, to compile and use data, statistics, measurements or other metrics derived from Client Data (including in combination with the aggregate or de-identified customer data of other Provider customers), in each case solely in aggregate or de-identified form, for Provider’s own purposes. Aggregate or de-identified data means data that does not identify (or cannot reasonably be associated with) Client or any User. The right in clause (b) of this Section 12.3 shall be irrevocable and perpetual.
- Disclosure of Client Data. Provider shall not disclose Client Data or Personal Data of Users to third parties, except: (i) as necessary to provide the Disclo Services to Client and Users; (ii) to Provider’s service providers who are not permitted to use such data except on behalf of Provider in connection with the Disclo Services provided to Client; (iii) as required by law or to comply with legal process; (iv) to troubleshoot problems with the Disclo Services as used by Client; (v) to any successor in interest, including as part of a merger, acquisition or transfer of assets, or as part of a bankruptcy proceeding; or (vi) in aggregate or de-identified form (and in a manner that cannot reasonably be associated with Client or any User).
- Limited Feedback License. Client hereby grants to Provider, at no charge, a non-exclusive, royalty-free, worldwide, transferable, sublicensable (through one or more tiers), perpetual, irrevocable license under Client’s Intellectual Property Rights in and to suggestions, comments and other forms of feedback (“Feedback”) provided by or on behalf of Client to Provider regarding the Disclo Services and Provider Platform, including Feedback regarding features, usability and use, and bug reports, to reproduce, perform, display, create derivative works of the Feedback and distribute such Feedback and/or derivative works in the Provider Platform or any other products or services. Feedback is provided “as is” without warranty of any kind and shall not include any Confidential Information of Client.
- LIMITATION OF LIABILITY.
- No Consequential Damages. EXCEPT FOR (I) THE INDEMNIFICATION OBLIGATIONS FOR THIRD PARTY INDEMNITY CLAIMS FOR INTELLECTUAL PROPERTY RIGHTS INFRINGEMENT UNDER EITHER SECTION 9.1 OR 9.2, (II) DAMAGES ARISING FROM A PARTY’S INFRINGEMENT OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS, (III) DAMAGES ARISING FROM A PARTY’S BREACH OF ITS CONFIDENTIALITY OBLIGATIONS HEREUNDER, OR (IV) DAMAGES ARISING FROM A PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, NEITHER PARTY OR ITS LICENSORS SHALL BE LIABLE TO THE OTHER HEREUNDER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, OR ANY DAMAGES FOR LOST DATA, BUSINESS INTERRUPTION, LOST PROFITS, LOST REVENUE OR LOST BUSINESS, ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, EVEN IF A PARTY OR ITS LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INCLUDING WITHOUT LIMITATION, ANY SUCH DAMAGES ARISING OUT OF THE LICENSING, PROVISION OR USE OF THE PROVIDER PLATFORM, DISCLO SERVICES, PROFESSIONAL SERVICES, OR SUPPORT SERVICES OR RESULTS THEREOF. PROVIDER WILL NOT BE LIABLE FOR THE COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES.
- Limits on Liability. EXCEPT FOR (I) THE INDEMNIFICATION OBLIGATIONS FOR THIRD PARTY INDEMNITY CLAIMS FOR INTELLECTUAL PROPERTY RIGHTS INFRINGEMENT UNDER EITHER SECTION 9.1 OR 9.2, (II) DAMAGES ARISING FROM A PARTY’S INFRINGEMENT OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS, (III) DAMAGES ARISING FROM A PARTY’S BREACH OF ITS CONFIDENTIALITY OBLIGATIONS HEREUNDER, OR (IV) DAMAGES ARISING FROM A PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, NEITHER PARTY OR ITS LICENSORS SHALL BE LIABLE FOR CUMULATIVE, AGGREGATE DAMAGES GREATER THAN THE SUM OF THE AMOUNTS HAVING THEN ACTUALLY BEEN PAID OR PAYABLE BY CLIENT TO PROVIDER UNDER THIS AGREEMENT DURING THE TWELVE (12) MONTH PERIOD PRECEDING THE DATE THE CLAIM AROSE.
- TERM AND TERMINATION.
- Term. The term of this Agreement shall commence on the Effective Date and continue until the expiration or termination of the Subscription Term for Disclo Services, unless earlier terminated as provided in this Agreement.
- Termination for Cause. Either party may terminate this Agreement (and all Subscription Term(s)) upon written notice to the other party in the event the other party (a) becomes insolvent or bankrupt or admits its inability to pay its debts as they mature, makes an assignment for the benefit of its creditors or ceases to function as a going concern or to conduct its operations in the normal course of business and such proceeding has not been dismissed or stayed within 60 days of commencement; or (b) commits a material breach of any provision of this Agreement and does not remedy such breach within thirty (30) days after receipt of written notice from the non-defaulting party or such other period as the parties may agree.
- Effects of Termination. Upon expiration or termination of this Agreement, (i) Client’s use of and access to the Disclo Services and Provider Platform and the performance of all Support Services and Professional Services shall cease; (ii) all Statement(s) of Work shall terminate; and (iii) all fees and other amounts owed under this Agreement through the date of termination shall be immediately due and payable by Client, including without limitation, all fees incurred under any outstanding Statement of Work up through the date of termination for any Professional Services completed and a pro-rated portion of the fees incurred for any partially completed Professional Services. In addition, within ten (10) days of the effective date of termination each Receiving Party shall (a) return to the Disclosing Party, or at the Disclosing Party’s option, the Receiving Party shall destroy, all items of Confidential Information then in the Receiving Party’s possession or control, including any copies, extracts or portions thereof, and (b) upon request shall certify in writing to Disclosing Party that it has complied with the foregoing. Following such 10-day period, Provider shall have no obligation to maintain or provide any Client Data and may thereafter, unless legally prohibited, delete all Client Data in its systems or otherwise in its possession or under its control.
- Survival. This Section and Sections 1 (Definitions), 2.2 (Use Restrictions), 7 (Fees and Payments), 8 (Representations and Warranties), 9 (Indemnification), 10 (Confidentiality), 11 (Data), 12 (Proprietary Rights), 13 (Limitation of Liability), 14.3 (Effects of Termination), and 15 (Miscellaneous) shall survive any termination or expiration of this Agreement.
- MISCELLANEOUS.
- Notices. Whenever, under the terms of or in connection with this Agreement, any notice, consent, approval, authorization or other information is proper or required to be given by either party, such notice, consent, approval, authorization or other information shall be in writing and shall be given or made by reputable overnight courier with documentation of receipt to the intended recipient thereof or by registered or certified mail, return receipt requested, and with all postage prepaid, to the address set forth in the preamble of this Agreement, or to such other address for either party as may be supplied by notice given in accordance herewith.
- Amendment; Waiver. This Agreement may only be amended or supplemented by a writing that is signed by duly authorized representatives of both parties. No consent by either party to, or waiver of, a breach by either party, whether express or implied, shall constitute consent to, waiver of, or excuse of any other, different, or subsequent breach by either party.
- Severability. If any provision of this Agreement is held invalid or unenforceable for any reason, the remainder of the provision shall be amended to achieve, as closely as possible, the economic effect of the original term and all other provisions shall continue in full force and effect.
- Governing Law. This Agreement and the rights and obligations of the parties to and under this Agreement shall be governed by and construed under the laws of the United States and the State of New York as applied to agreements entered into and to be performed in such state without giving effect to conflicts of laws rules or principles. For any disputes arising out of this Agreement, the parties consent to exclusive jurisdiction and venue in the state and federal courts located in the State of New York.
- Force Majeure. Neither party shall be liable for any failure or delay in performance under this Agreement due to fire, explosion, earthquake, storm, flood or other weather; unavailability of necessary utilities or raw materials; Internet service provider failures or delays, or denial of service attacks; war, civil unrest, acts of terror, insurrection, riot, acts of God or the public enemy; strikes or other labor problems; any law, act, order, proclamation, decree, regulation, ordinance, or instructions of government or other public authorities, or judgment or decree of a court of competent jurisdiction (not arising out of breach by such party of this Agreement); any public health emergency, epidemic or pandemic; or any other event beyond the reasonable control of the party whose performance is to be excused. In the event that Provider is prevented by a force majeure condition from performing its obligations hereunder for a period of at least 30 consecutive days, the Client may terminate this Agreement upon written notice and thereafter Client shall have no further obligation for any payments under this Agreement for use of the Provider Platform other than any then past due payments.
- Assignment. Neither party may assign its rights or obligations under this Agreement, whether voluntarily or by operation of law or otherwise, without the other party’s prior written consent; provided that either party may assign this Agreement in connection with an acquisition, sale or transfer of all or substantially all of its assets, stock or business by sale, merger, consolidation, or similar transaction.
- Relationship of the Parties. Provider is an independent contractor to Client. There is no relationship of agency, partnership, joint venture, employment, or franchise between the parties. Neither party has the authority to bind the other or to incur any obligation on its behalf.
- Counterparts; Electronic Signatures. This Agreement may be executed in two counterparts, each of which shall be deemed an original, but both of which together shall constitute one and the same instrument. If this Agreement is executed in counterparts, no signatory hereto shall be bound until both the parties named below have duly executed or caused to be duly executed a counterpart of this Agreement. Signatures of the parties made or exchanged by electronic means shall be binding.
- Entire Agreement. This Agreement, including all Statement(s) of Work and Exhibits to this Agreement, constitutes the entire agreement between the parties relating to this subject matter and supersedes all prior or simultaneous understandings, representations, discussions, negotiations, and agreements, whether written or oral, concerning such subject matter.
Disclo Data Processing and Security Addendum
This Addendum supplements the Master Software Services Agreement (the “Agreement”) between Chronically Capable Inc. dba Disclo (“Provider”) and the Client thereunder and governs the manner in which Client’s Personal Data shall be handled or Processed by Provider. Capitalized terms used herein and not defined herein shall have the meanings ascribed thereto in the Agreement.
- Definitions
In this Addendum, save where the context requires otherwise, the following words and expressions have the following meaning:
“Data Protection Laws” means all federal, state, regional, territorial, national and local laws, regulations, and rules by any government, agency or authority that relate to the Processing or the security of Personal Data and which are applicable to Client or the Processing of Personal Data by Provider. For the avoidance of doubt the foregoing includes, where applicable, (i) the EU Data Protection Directive 95/46/EC and its national implementations in each case as amended, replaced or superseded from time to time, including without limitation the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (collectively the “GDPR”), and (ii) the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and their related regulations (collectively the “CPRA”).
“Personal Data” shall mean any (i) non-public information which alone or in combination with other information can be used to identify a living natural person, or that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or a group of individuals who cohabitate with one another at the same residential address, and (ii) any information that is considered to be protected health information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the regulations thereunder.
“Personnel” shall mean any employee, staff member, agency worker or other full time or temporary, paid, or unpaid person working for the Provider.
“Process” (or “Processed” or “Processing”) shall mean any operation or set of operations which is performed upon data or information, whether or not by automatic means, such as access, collection, compilation, use, disclosure, duplication, organization, storage, alteration, transmission, combination, redaction, erasure or destruction.
“Services” means those products, services, and other deliverables provided by Provider under the Agreement.
“Standard Contractual Clauses” means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Commission Decision (2021/914), as set out as an exhibit in such Commission Decision, as such clauses may be amended from time to time.
“Subcontractor” shall mean any third party, including any affiliate companies of Provider, with whom Provider enters into a contract, agreement or arrangement whereby such third party shall Process Client’s Personal Data.
“Supervisory Authority” shall mean any competent regulatory authority including data protection authorities and law enforcement agencies.
“Valid Transfer Mechanism” means a data transfer mechanism permitted by Data Protection Laws of the European Union as a lawful basis for transferring Personal Data to a recipient outside the European Economic Area (“EEA”), which may include the Standard Contractual Clauses or certification under an applicable official program between the U.S. and the European Union that is in the nature of a “safe harbor” or accepted set of practices for data privacy safeguards (or any updates to or replacements thereof).
- General Obligations Concerning Personal Data
- Provider shall comply with the terms of this Addendum, and all applicable Data Protection Laws relating to the Processing of Personal Data.
- Provider will Process Personal Data only as necessary to perform the Services or otherwise as expressly authorized in writing by Client unless Processing is required by applicable Data Protection Laws to which the Provider is subject, in which case the Provider should, to the extent permitted by applicable Data Protection Laws, inform Client of that legal requirement before Processing that Personal Data.
- Provider agrees that Client is the controller of Personal Data and has the sole right to determine the purposes for which Provider may Process Personal Data. Provider will only Process Personal Data as a processor acting in accordance with the instructions of Client.
- Provider shall not publish, disclose, divulge or otherwise permit third parties to access Personal Data except in accordance with this Addendum or with Client’s prior written consent.
- Where relevant by virtue of applicable Data Protection Laws, Provider shall provide reasonable assistance to Client with any data protection impact assessments which are referred to in such Data Protection Laws and with any prior consultations to any Supervisory Authority, in each case solely in relation to Processing of Personal Data and taking into account the nature of the Processing and the information available to the Provider.
- Location of Provider Hosted Facilities and Client’s Personal Data
- Unless authorized otherwise in writing by Client, Client’s Personal Data will be hosted or stored only in the United States. Provider shall not initiate transfers of Client’s Personal Data outside the country in which Client’s Personal Data was received by the Provider unless Provider: (i) has obtained the prior written consent of Client for such transfer or access to such other country; and (ii) has taken appropriate and reasonable measures to comply with applicable Data Protection Laws prior to such transfer or access, including implementing a Valid Transfer Mechanism.
- At Client’s reasonable request Provider will enter into (and cause its Subcontractors, Provider’s affiliate companies and other third parties, as applicable, to enter into) such agreements (including Standard Contractual Clauses) as Client requests to address applicable Data Protection Laws pertaining to the transfer or Processing of Personal Data.
- Notification of Access Requests and Complaints
- Unless prohibited by law, Provider shall promptly (but in any event within 72 hours of the receipt of such request) notify Client of any of the following requests made by or received from individuals identified by Personal Data, a Supervisory Authority, or other third party (each a "Data Protection Communication"): (i) any request to Provider to access or have copies of Client’s Personal Data; or (ii) any complaint or allegation made to Provider relating to Client’s Personal Data.
- Provider shall not respond to a Data Protection Communication unless Provider is explicitly authorized to do so by Client or Provider is legally compelled to respond: (i) under a subpoena, court order or similar legal document issued by a court or Supervisory Authority, or (ii) by other applicable law.
- Provider shall provide reasonable assistance and cooperation to Client in the preparation of any response by Client to a Data Protection Communication and agrees to assist within such timeframe as reasonably specified by Client. In particular, the Provider shall, at Client’s reasonable request:
- provide Client with the ability to correct, delete, block, access or copy the Personal Data that is Processed by Provider; and
- promptly correct, delete, block, access or copy Personal Data that is Processed by Provider.
- Data Security Requirements
- Provider shall implement appropriate and reasonable technical and organizational measures to: (i) protect Client’s Personal Data against accidental loss or damage and unauthorized access, use, disclosure, alteration, or destruction; (ii) ensure the confidentiality, security, integrity, and availability of Client’s Personal Data; and (iii) securely dispose of Client’s Personal Data and tangible property containing Client’s Personal Data (as and when required), taking into account available technology so that such information cannot be practicably read or reconstructed.
- Provider shall document, in a written security policy, Client’s Personal Data handling procedures designed to implement technical and organizational measures to protect Client’s Personal Data as required by the applicable Data Protection Laws and this Addendum.
- Provider shall document, in a written business continuity plan, its policies and procedures to recover Client’s Personal Data and the Services following an unplanned event or circumstance resulting in an interruption of or inaccessibility to Client’s Personal Data and the Services.
- Access to Client’s Personal Data must only be granted to Personnel that:
- the Provider has taken reasonable steps to ensure the reliability of;
- are granted the minimum access level(s) necessary to perform their job function;
- have been trained in the proper handling of Client’s Personal Data (in accordance with the requirements of applicable Data Protection Laws and this Addendum); and
- are subject to written obligations of confidentiality in respect of Client’s Personal Data.
- Where Personnel access Client’s Personal Data through the Provider’s IT systems or other electronic devices, such access shall be granted by Provider only to Personnel who:
- have been authorized by Provider to access Client’s Personal Data for the purpose of providing the Services;
- can be uniquely identified when accessing Client’s Personal Data (e.g., by a unique User ID); and
- have entered a correct password or other authorizing token to indicate that they are authorized to access the Client’s Personal Data.
- Provider shall record the date, time, requestor and nature of the Personnel’s access to (i.e., read-only or modify) and other Processing of Client’s Personal Data in a log file.
- Provider shall retain a complete audit trail of all physical and electronic access to and other Processing of Client’s Personal Data for a minimum of one year.
- Provider shall implement procedures to modify or revoke access permissions to Client’s Personal Data when Personnel leave Provider or when their job responsibilities change.
- Provider shall encrypt all Personal Data at rest or in transit that Provider Processes on behalf of Client where such Processing takes place using laptops or other portable electronic devices.
- Good Industry Practice will be employed to ensure the secure destruction of Client’s Personal Data when such destruction is necessary. Whenever possible, secure disposal alternatives such as on-site shredding prior to recycling or placement in secure on-site Provider trash bins with subsequent off-site shredding by a licensed contractor shall be implemented.
- Storage of Client’s Personal Data on the Provider IT systems and backups of said data should be encrypted when at rest consistent with Good Industry Practice.
- Passwords of Provider Personnel used to access Client’s Personal Data shall utilize a minimum of 8 characters with a combination of alpha-numeric and special characters. Passwords must be changed every 30 days. Lockout for accounts should occur after ten (10) invalid authentication attempts within a 10-minute period and for a period of no less than twenty (20) minutes.
- Access on computing devices to Client’s Personal Data shall terminate after a maximum one (1) hour of inactivity.
- To protect the accuracy and integrity of Client’s Personal Data, all such information must be backed up regularly (no less often than weekly unless otherwise agreed by Client in writing) and the backups stored in secure, environmentally-controlled, limited-access facilities.
- Transmission of Client Confidential Information
- All Client’s Personal Data shall be encrypted during transmission by Provider Personnel.
- Unless required to be transmitted in another manner by a lawful order from a Supervisory Authority or applicable court, Provider shall not electronically transmit Client’s Personal Data over publicly-accessible networks unless Client has requested such manner of transmission or unless the Personal Data is encrypted in transit.
- Regularly Monitor and Test Networks
- Provider shall regularly test its IT systems, processes and software to ensure reasonable security measures (including, without limitation, those required under this Addendum) are maintained over time and following any changes. Such testing should address all security controls and access mechanisms, through the use of network and application layer vulnerability assessments.
- Provider shall run internal and external network vulnerability scans at least monthly and after any change in the network configuration (e.g., new system component installations, changes in network topology, firewall rule modifications, or product upgrades).
- Provider shall implement network intrusion detection, host-based intrusion detection, and/or intrusion prevention systems to monitor all network traffic and alert Provider’s information security department or function of any Security Incident (as defined below) relating to Client’s Personal Data.
- Provider shall promptly install any security-related fixes identified by its hardware or software providers if the security threat being addressed by the fix is one that threatens the privacy, security or integrity of any Client’s Personal Data. Such upgrades must be made as soon as they can safely be installed and integrated into Provider’s existing IT systems.
- Breach Notification and Incident Responses
- In the event Provider knows or suspects that there has been any accidental or unlawful destruction, loss or alteration of, or unauthorised access to, Client’s Personal Data (each a “Security Incident”), Provider shall promptly (and in any case not more than 72 hours after becoming aware of a Security Incident) notify Client of any Security Incident affecting the Personal Data that Provider maintains on Client’s behalf.
- The notice under Section 8.1 will include (to the extent that such information is known at the time): (i) the date or date range of the Security Incident; (ii) the date the Provider discovered the Security Incident; (iii) a description of the Security Incident; (iv) the number of Users and other individuals affected by the Security Incident; (v) types of Personal Data involved in the Security Incident; (vi) the likely consequences of the Security Incident; and (vii) the steps that Provider has taken to investigate the Security Incident, and mitigate potential harm and possible adverse effects. Provider will promptly supplement the notice as necessary with information about the Security Incident as Provider obtains the information, including Provider’s assessment as to whether the Security Incident is reportable under Data Protection Laws. Provider will provide sufficient information to allow Client to meet its obligations under Data Protection Laws and under contract, if applicable. To the extent any applicable law requires that the affected Users and other individuals or governmental authority be notified of a Security Incident with respect to IT systems under the control of Provider or any of its Subcontractors, Provider will be responsible, at its own cost and expense, for the following:
- At Client’s request, and where possible under law, providing such notices to Users and other individuals or governmental authorities containing the information required by applicable law (Provider will obtain Client’s prior approval of any content, form and timing of such notice);
- Conducting any forensic and security review, investigation and audit in connection with such Security Incident;
- Providing any legally mandated remediation services to such Users and other individuals as required under applicable Data Protection Laws; and
- Providing reasonable cooperation to Client in responding to such Security Incident.
- To the extent that Client is subject to or involved in an investigation by a governmental authority, litigation, or any inquiry, formal or informal, arising out of or related to a Security Incident, Provider will provide reasonable cooperation to Client in responding to such event.
- Right to Audit
- Provider shall maintain, and make available to Client upon Client’s reasonable request, records and information necessary to demonstrate its compliance with the terms of this Addendum and shall permit Client, or a third party chosen by Client and reasonably acceptable to Provider, to audit Provider’s records, facilities, IT systems and practices relating to its obligations under this Addendum upon reasonable notice and during regular business hours and at Client’s expense, at the locations where such records, facilities, IT systems and practices are maintained or implemented, for purposes of verifying Provider’s compliance with this Addendum.
- At Provider’s request, Client will require any third party it employs to conduct any part of the review under Section 9.1 immediately above to sign a reasonable form of non-disclosure agreement and agree not to disclose any of Provider’s confidential information. Client will make the results of any such review available to Provider.
- Termination Obligations
- Upon termination of the Services, Provider shall, at Client’s option, delete or return all Personal Data to Client or delete existing copies, unless applicable law requires storage of the Personal Data. In such case, Provider shall continue to ensure the confidentiality of all such Personal Data in accordance with the terms of this Addendum.
- Data Processing by Subcontractors
- Provider may engage Subcontractors to Process Personal Data. Provider shall ensure that any such Subcontractor has entered into a written agreement requiring the Subcontractor to abide by terms no less protective as to Personal Data than those provided in this Addendum. Provider shall be liable for the acts and omissions of any Subcontractors to the same extent as if the acts and omissions were performed by Provider.
- Where Processing for Client is undertaken for Personal Data subject to the GDPR, Provider shall give Client prior written notice of the appointment of any Subcontractor, including a summary of the Processing to be undertaken by the Subcontractor.
- If, within thirty (30) calendar days of receipt of notification of a proposed new Subcontractor, Client notifies Provider in writing of any reasonable objections to the proposed Subcontractor, Provider shall not appoint and shall not disclose Personal Data provided by Client to the proposed Subcontractor until reasonable steps have been taken to address the objections raised.
- No Third Party Rights
- Other than Provider and Client, (i) nothing in this Addendum shall be construed in any way to give any person or entity any legal or equitable right, benefit, remedy, or claim under or with respect to this Addendum or any provision of this Addendum, and (ii) no person or entity is or is intended to be a third party beneficiary of this Addendum or any provision of this Addendum. This Addendum and all of its terms, provisions, and conditions are for the sole and exclusive benefit of Provider and Client and their permitted successors and assigns.
- General Provisions
- Termination. The term of this Addendum will end simultaneously and automatically with the termination of the Agreement.
- Section Headings. The section headings contained in this Addendum are for reference purposes only and shall not in any way affect the meaning or interpretation of this Addendum.
- Precedence. If there is any ambiguity or inconsistency in or between the other documents comprising the Agreement and this Addendum, the terms and conditions of this Addendum shall take priority.
- Governing Law. This Addendum shall be governed by the same governing law as that of the Agreement.