RiskSense Master Services and Subscription Agreement
Last Updated: September 05, 2018
This MASTER SERVICES AND SUBSCRIPTION Agreement (“Agreement”) contains the terms for use of the RISKSENSE SERVICE and is between RISKSENSE, Inc., a Delaware corporation having a place of business AT 1230 Midas Way, Suite 220 Sunnyvale, CA 94085 (“RISKSENSE”) and the party agreeing to the terms of this Agreement (“CUSTOMER”). By EXECUTING AN ORDER FORM THAT REFERENCES THIS AGREEMENT, clicking an “Accept” or similar button, or otherwise using the RISKSENSE SERVICE, CUSTOMER agrees to be bound by the terms of this Agreement. CUSTOMER may not ACCESS OR use the RISKSENSE SERVICE without agreeing to this Agreement first. If a written agreement regarding CUSTOMER’S use of the RISKSENSE SERVICE exists between and has been executed by both RISKSENSE and CUSTOMER, the terms of that written agreement shall take precedence over this Agreement.
“Asset” Every physical and virtual object being registered, managed, and discovered by the RiskSense Service as measured by overall instances used by Customer, as well as Customer’s subsidiaries and affiliates. Assets include objects on premise (including network devices, applications, databases), in the cloud, IoT, or mobile devices and is typically identified by a unique IP or MAC address, but also includes web application software and databases.
“Affiliate” means, with respect to a party, any entity which directly or indirectly Controls, is Controlled by, or is under common Control with such party.
“Confidential Information” has the meaning set forth in Section 11.
“Control” means ownership or control, directly or indirectly, of at least 50% of the voting interests of the subject entity.
“Customer Data” means all electronic data or information submitted by Customer or any of its Affiliates in the RiskSense Service.
“Customer Equipment” means Customer’s and its Affiliates’ computer hardware, software and network infrastructure used to access the RiskSense Service.
“Data Protection Laws and Regulations” means all EU/Swiss applicable legislation with respect to the processing of personal data.
“Documentation” means the published specifications of the RiskSense Service, as may be updated or amended from time to time, as determined by RiskSense.
“Extension Term” means each renewal subscription period for which the subscription term applicable to an Order Form is extended pursuant to Section 13.
“Force Majeure Event” means a natural disaster, actions or decrees of governmental bodies or communications line failure which (i) hinders, delays or prevents a party from performing its obligations, and (ii) is beyond the reasonable control of, and without the fault or negligence of, such party, and (iii) by the exercise of reasonable diligence such party is unable to prevent or provide against.
“Initial Term” means the first subscription term period for the RiskSense Service defined on an Order Form, or if no such term period is defined, twelve (12) months, commencing on the date Customer executes such Order Form.
“Order Form” means RiskSense’s paper-based or online ordering document for the RiskSense Service signed by RiskSense and Customer.
“Professional Services” means the installation, implementation, training, or other professional services listed in Section 4 and further identified in an Order Form.
“RiskSense Service” means the RiskSense online cyber risk management platform.
“Subscription Fees” mean the fees paid by Customer for the right to access and use the RiskSense Service during the Term.
“Taxes” means any direct or indirect local, state, federal or foreign value-added, sales, use or withholding taxes.
“Term” as it relates to an Order Form means the Initial Term and any Extension Term applicable to each Order Form, and as it relates to this Agreement, is as defined in Section 13.1 below.
“Users” means Customer’s and its Affiliates and their respective employees, agents, contractors, service providers or consultants who are authorized by Customer to use the RiskSense Service and who have been supplied user identifications and passwords by Customer or by RiskSense at Customer’s or its Affiliates’ request.
- TERMS OF RISKSENSE SERVICE.
RiskSense shall make the RiskSense Service available to Customer and its Affiliates in accordance with this Agreement, and each Order Form mutually entered into and, to the extent not in conflict with this Agreement or an Order Form or the Documentation. Subject to the terms of this Agreement, RiskSense grants Customer and its Affiliates a world-wide, fully-paid, royalty-free, limited term, non-sublicensable, non-transferable (except as otherwise provided herein), and non-exclusive license to access, and use the RiskSense Service solely for its internal business purposes. The license granted hereunder is limited to the maximum number of Assets specified in each Order Form and is subject to any additional terms and conditions specified on an Order Form. Any third-party component embedded, included or provided by RiskSense for use with the RiskSense Service may only be used in conjunction with the RiskSense Service, and such use is subject to this Agreement.
- CUSTOMER RESPONSIBILITIES RELATING TO USE OF THE RISKSENSE SERVICE.
3.1 Customer is responsible for the use of the RiskSense Service by its Users and obtaining and maintaining any Customer Equipment and any ancillary services needed to connect to, access or otherwise use the RiskSense Service and to comply with any corresponding requirements as set forth in the Documentation.
3.2 Customer agrees to use the RiskSense Service in compliance with applicable law (including but not limited to anti-spam laws), and not: (a) resell, sublicense, lease, time-share or otherwise make the RiskSense Service available to any third party other than as contemplated or allowed by this Agreement; or (b) use the RiskSense Service to intentionally send or store infringing or unlawful material or material containing software viruses, worms, Trojan horses or other harmful computer code, files, scripts, agents or programs.
3.3 Customer agrees to not (a) modify, copy or create derivative works of the RiskSense Service; (b) reverse engineer the RiskSense Service; (c) access the RiskSense Service or the purpose of building a competitive product or service; (d) do any “mirroring” or “framing” of any part of the Service, or create Internet links to the RiskSense Service which include log-in information, user names, passwords, and/or secure cookies; (e) use the RiskSense Service, for purposes of product evaluation, benchmarking or other comparative analysis intended for publication without RiskSense’s prior written consent; or (f) provide access to the RiskSense Service by a known direct competitor of RiskSense.
3.4 IF CUSTOMER FAILS TO COMPLY WITH THE OBLIGATIONS SET FORTH IN THIS SECTION 3 RISKSENSE SHALL INFORM CUSTOMER THEREOF IN WRITING AND RESERVES THE RIGHT TO SUSPEND THE RISKSENSE SERVICE IF THE FAILURE IS NOT REMEDIED WITHIN FIVE (5) BUSINESS DAYS.
- PROFESSIONAL SERVICES.
RiskSense will provide Professional Services identified and described under and at the rates set forth in an Order Form. Professional Services may also be as stated in a mutually agreed upon statement of work that specifically incorporates this Agreement by reference (“SOW”).
5.1 As between the parties and except as otherwise defined as “Owned by Customer” in a SOW, RiskSense shall retain all ownership rights in the RiskSense Service, the technology, software, hardware, products, processes, algorithms, user interfaces and know-how related to the RiskSense Service and all work developed or created by RiskSense during the course of providing the RiskSense Service, Support, and Professional Services to Customer in each to the extent not constituting Customer Information (as defined below). Customer shall have or retain all ownership rights in the Customer Data and all data, text, files, data, output, programs, files, information, or other information material that Customer or its Affiliates provides in conjunction with the RiskSense Service (collectively, “Customer Information’). As applicable, RiskSense hereby assigns and will assign all Customer Information to Customer. Customer and its Affiliates may export its Customer Data from the RiskSense Service at any time during its subscription Term. No license, right or interest in any RiskSense or Customer trademark, copyright, trade name or service mark is granted hereunder.
5.2 RiskSense shall own any suggestions, enhancement requests, recommendations or other feedback provided by Customer or its Users relating to the operation of the RiskSense Service.
6.1 Unless otherwise specified on an Order Form, the Fees shall be as stated in each Order and shall be payable in advance. In the event Customer issues purchase orders in its normal course of business, Customer shall provide RiskSense with a purchase order within five (5) days of the Effective Date, or if Customer does not provide RiskSense with such purchase order, Customer authorizes RiskSense to accept this Agreement in lieu of a purchase order.
6.2 Unless otherwise provided, RiskSense’s fees do not include any Taxes, and Customer is responsible for paying all Taxes arising from its purchases hereunder, excluding Taxes based on RiskSense’s net income, employees, or property. If RiskSense has the legal obligation to pay or collect Taxes for which Customer is responsible, the appropriate amount of such Taxes shall be invoiced to and paid by Customer, unless Customer provides a valid tax exemption certificate authorized by the appropriate taxing authority.
6.3 Customer shall reimburse RiskSense for all reasonable, pre-approved and appropriately documented, out-of-pocket travel and related expenses incurred by RiskSense in performing any Professional Services at Customer’s location.
6.4 If Customer’s use of the RiskSense Service is greater than that contracted for then RiskSense will provide written notice (which may be via email) to Customer. Following confirmation of Customer’s receipt of such notice, and provided that Customer does not contest RiskSense’s assertion, then Customer will be invoiced for the additional Asset license Subscription Fees (at the rates specified in the applicable Order Form) for the period commencing on the date of use of such additional Subscription Fees through the remainder of the then current subscription term, and the unpaid Subscription Fees shall be payable in accordance with this Agreement.
RiskSense shall provide its standard support as set forth in the RiskSense Support Policy found at https://www.risksense.com/service-level-agreement/ (“Support”).
- REPRESENTATIONS AND WARRANTIES.
8.1 Each party represents and warrants that (i) it has all necessary right, title and authority to enter into and perform under this Agreement; and (ii) it shall comply with all other applicable laws in its performance hereunder. Customer warrants that it has the rights to provide and use any and all Customer Data in accordance with the terms of the Agreement and the foregoing doesn’t violate the rights of any third-parties.
8.2 RiskSense warrants that the RiskSense Service will substantially conform in all material respects to the Documentation. Customer will provide prompt written notice of any non-conformity. As Customer’s sole and exclusive remedy and RiskSense’s entire liability for any breach of the foregoing warranty, RiskSense will fix, provide a work around, or otherwise repair or replace the nonconforming portion of the RiskSense Service, or, if RiskSense is unable to do so, terminate the license for the Cloud Service and return the RiskSense Service Fees paid to RiskSense for the period beginning with Customer’s notice of RiskSense through the remainder of the Initial Term or then-current Extension Term, as applicable.
8.3 RiskSense shall provide its service level agreement as set forth in the RiskSense SLA found at https://www.risksense.com/service-level agreement.
8.4 EXCEPT AS EXPRESSLY PROVIDED HEREIN, NEITHER PARTY NOR ITS LICENSORS OR SUPPLIERS MAKES ANY WARRANTIES OF ANY KIND, WHETHER IMPLIED, STATUTORY OR OTHERWISE, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. RiskSense DOES NOT WARRANT THE OPERATION OF THE RiskSense SERVICE WILL BE UNINTERRUPTED OR ERROR-FREE.
- INTELLECTUAL PROPERTY INFRINGEMENT INDEMNITY.
9.1 RiskSense shall defend, indemnify and hold Customer and its Affiliates (collectively, “Customer Group”) harmless against any loss, damage or costs (including reasonable attorneys’ fees) incurred in connection with claims, demands, suits, or proceedings (“Claims”) made or brought against any member of Customer Group by a third party (a) alleging that use of the RiskSense Service and the results of the Professional Services as contemplated hereunder infringes the U.S. patent, copyright or other intellectual property right of a third party. Customer agrees to (a) promptly give written notice of the Claim to RiskSense (provided that the obligations under this Section 9.1 shall not be reduced by the failure to give such notice except to the extent RiskSense is materially prejudiced by such failure); (b) give RiskSense sole control of the defense and settlement of the Claim (provided that RiskSense may not settle any Claim unless it unconditionally releases Customer of all liability and obligation); and (c) provide to RiskSense, at RiskSense’ cost, all reasonable assistance.
9.2 RiskSense will, at its sole option and expense: (i) procure for Customer the right to continue using the RiskSense Service and the results of the Professional Services under the terms of this Agreement; (ii) replace or modify the RiskSense Service and the results of the Professional Services to be non-infringing without material decrease in functionality; or (iii) if the foregoing options are not reasonably practicable, terminate the license for the infringing RiskSense Service and the results of the Professional Services and provide a pro-rata refund of the RiskSense Service and the results of the Professional Services fees paid by Customer in the then-current Term.
9.3 RiskSense shall have no liability for any Claim to the extent the Claim is based upon (i) the use of the RiskSense Service or the results of the Professional Services in combination with any other product, service or device not furnished, recommended or approved by RiskSense in writing, if such Claim would have been avoided by the use of the RiskSense Service or the results of the Professional Services, without such product, service or device; or (ii) Customer’s use of the RiskSense Service and the results of the Professional Services other than in accordance with this Agreement.
9.4 THE PROVISIONS OF THIS SECTION 9 SET FORTH RISKSENSE’S SOLE AND EXCLUSIVE OBLIGATIONS, AND CUSTOMER’S SOLE AND EXCLUSIVE REMEDIES, WITH RESPECT TO INFRINGEMENT OR MISAPPROPRIATION OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS OF ANY KIND.
- INDEMNIFICATION BY CUSTOMER.
Customer shall defend, indemnify and hold RiskSense and its Affiliates (collectively, “RiskSense Group”) harmless against any loss, damage or costs (including reasonable attorneys’ fees) incurred in connection with Claims made or brought against RiskSense any member of RiskSense Group, by a third party alleging that the Customer Data created and stored by Customer in the RiskSense Service or otherwise provided to RiskSense in connection with the Agreement (i) violates any applicable law or regulation; or (ii) infringes any U.S. patent, copyright or other intellectual property right of a third party. RiskSense agrees to (a) promptly give written notice of the Claim to Customer (provided that the obligations under this Section 10 shall not be reduced by the failure to give such notice except to the extent Customer is materially prejudiced by such failure); (b) give Customer sole control of the defense and settlement of the Claim (provided that Customer may not settle any Claim unless it unconditionally releases RiskSense of all liability and obligation); and (c) provide to Customer, at Customer’s cost, all reasonable assistance.
11.1 As used herein, “Confidential Information” means all confidential and proprietary information of a party (“Disclosing Party”) disclosed to the other party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure, including the terms and conditions of this Agreement, Customer Data, business and marketing plans, technology and technical information, product designs, and business processes. Confidential Information shall not include any information that: (i) is or becomes generally known to the public without breach of any obligation owed to Disclosing Party; (ii) was known to Receiving Party prior to its disclosure by Disclosing Party without breach of any confidentiality obligation owed to Disclosing Party; (iii) was independently developed by Receiving Party without breach of any confidentiality obligation owed to Disclosing Party or access to or reliance on Disclosing Party’s Confidential Information; or (iv) is received from a third party without breach of any confidentiality obligation owed to Disclosing Party.
11.2 Receiving Party shall not disclose any Confidential Information of Disclosing Party for any purpose outside the scope of this Agreement, except as allowed by the terms of this Agreement or with Disclosing Party’s prior written consent. Receiving Party shall protect the confidentiality of Disclosing Party’s Confidential Information in the same manner that it protects the confidentiality of its own Confidential Information of like kind (but in no event using less than reasonable care). RiskSense represents and warrants that it will maintain the confidentiality of Customer Data in accordance with all applicable laws and, except as required by applicable law, will not disclose Customer Data to any third party for any purpose other than to provide the RiskSense Service Customer and to otherwise improve the RiskSense Service, provided, however, that RiskSense may compile aggregate data related to Customer’ s usage of the RiskSense Service and may use and/or disclose such aggregate data to third parties, to the extent that Customer is not identified as the source of such data and as long as the data does not reveal the identity, whether directly or indirectly, of any individual, or specific data entered by or relating to any individual. Such uses include notifying Customer and other customers about cyber risk and other network and system threats and vulnerabilities. Receiving Party shall promptly notify Disclosing Party if it becomes aware of any actual or reasonably suspected breach of confidentiality of Disclosing Party’s Confidential Information.
11.3 If Receiving Party is compelled by law to disclose Confidential Information of Disclosing Party, it shall provide Disclosing Party with (a) prior written notice of such compelled disclosure (to the extent legally permitted) and (b) reasonable assistance in contesting the disclosure, at Disclosing Party’s option and cost. Any actual disclosure shall be limited to the minimum amount of information necessary to comply with the disclosure demand as advised by legal counsel.
11.4 If Receiving Party discloses (or threatens to disclose) any Confidential Information of Disclosing Party in breach of confidentiality protections hereunder, Disclosing Party shall have the right, in addition to any other remedies available to it, to seek injunctive relief to enjoin such acts, it being acknowledged by the parties that any other available remedies are inadequate.
11.5 Upon any termination of this Agreement, the Receiving Party shall continue to maintain the confidentiality of the Disclosing Party’s Confidential Information and, upon request and to the extent practicable, return to the Disclosing Party or destroy (at the Disclosing Party’s election) all materials containing such Confidential Information.
11.6 RiskSense shall comply with all Data Protection Laws and Regulations in the provision of the RiskSense Service.
- LIMITATION OF LIABILITY.
12.1 EXCEPT (i) FOR THE PARTIES’ INDEMNIFICATION OBLIGATIONS; AND (ii) EITHER PARTY’S MATERIAL BREACH OF SECTION 11, IN NO EVENT SHALL EITHER PARTY’S AGGREGATE LIABILITY ARISING OUT OF THIS AGREEMENT, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, EXCEED THE FEES PAID OR PAYABLE TO RISKSENSE DURING THE (12) TWELVE MONTHS PRIOR TO WHEN THE CLAIM ACCRUED.
12.2 TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT SHALL EITHER PARTY OR ITS LICENSORS OR SUPPLIERS HAVE ANY LIABILITY TO THE OTHER PARTY FOR ANY LOST PROFITS OR FOR ANY SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
- TERM AND TERMINATION.
13.1 This Agreement commences on the date the first Order Form is executed (“Effective Date”) and continues until all Order Forms entered into under this Agreement have expired or been terminated unless terminated as otherwise provided herein. The Initial Term applicable to each Order Form commences upon Customer’s execution of such Order Form and upon expiration of the Initial Term, the RiskSense Service subscription term applicable to such Order Form shall continue to renew for Extension Terms equal to twelve (12) months, unless either party gives notice to the other party of its desire to not renew at least thirty (30) days prior to the end of the then-current Term.
13.2 A party may terminate this Agreement for cause: (i) upon 30 days written notice to the other party of a material breach of this Agreement if such breach remains uncured at the expiration of such period; (ii) immediately upon written notice if the other party becomes the subject of a bankruptcy, insolvency, receivership, liquidation, assignment for the benefit of creditors or similar proceeding; or (iii) as otherwise provided herein.
13.3 The parties’ rights and obligations under Sections 5, 6, 8.3, 9-12, 13.3, and 14 shall survive termination of this Agreement.
13.4 Upon the Effective Date of termination of this Agreement Customer’s license to use the RiskSense Service will cease. Upon request by Customer, provided that such request is made within 30 days of the Effective Date of termination, RiskSense will make available to Customer for download a file of Customer Data in comma separated value (.csv) format. After such 30 day period RiskSense will have no obligation to maintain any Customer Data and will not retain copies or records of Customer Data in its system or otherwise.
14.1 The parties are independent contractors, and no partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties is created hereby. There are no third-party beneficiaries to this Agreement.
- Notices shall be in writing and delivered by nationally recognized overnight delivery service or certified or registered U.S. Mail to RiskSense at the address first listed above and to Customer, at the address on file with RiskSense, and are effective upon receipt.
- No amendment or waiver of any provision of this Agreement shall be effective unless in writing and signed by Customer and RiskSense. To the extent of any conflict between this Agreement, the Order Form, and any other document referenced herein, this Agreement shall prevail unless expressly stated otherwise. Notwithstanding any language to the contrary therein, no terms stated in a purchase order or similar ordering document (other than a Statement of Work or other mutually executed order document expressly incorporated herein) shall be incorporated into this Agreement, and all such terms shall be void. This Agreement represents the entire agreement of the parties, and supersedes all prior or contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter.
- Either party may include the other’s name or logo in customer or vendor lists in accordance with the other’s standard guidelines. In addition, RiskSense may refer to Customer’s intended use of the RiskSense Service in discussions with RiskSense customers, prospective customers, and other third-parties.
- No failure or delay in exercising any right hereunder shall constitute a waiver of such right. Except as otherwise provided, remedies provided herein are in addition to, and not exclusive of, any other remedies of a party at law or in equity. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, such provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions shall remain in effect.
- Neither party shall be liable to the other for any delay or failure to perform hereunder (excluding payment obligations) due to a natural disaster, actions or decrees of governmental bodies or communications failure which (i) hinders, delays or prevents a party in performing any of its obligations, (ii) is beyond the control of, and without the fault or negligence of, such party, or (iii) by the exercise of reasonable diligence such party is unable to prevent or provide against (“Force Majeure Event).
- Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other (not to be unreasonably withheld). Notwithstanding the foregoing, (i) either party may assign this Agreement in its entirety (including all Order Forms hereunder), upon written notice to the other party, to an Affiliate or, to its successor in interest resulting from a merger, reorganization, or sale of all or substantially all assets or equity, and (ii) RiskSense may use subcontractors in the ordinary course of business. Any attempted assignment in breach of this section shall be void. This Agreement shall bind and inure to the benefit of the parties, their respective successors and permitted assigns.
- Each party agrees to comply with all applicable regulations of the United States Department of Commerce and with the United States Export Administration Act, as amended from time to time, and with all applicable laws and regulations of other jurisdictions with respect to the provision and use of the RiskSense Service.
This Agreement shall be governed exclusively by the internal laws of the state of California, without regard to its conflicts of laws rules. Any dispute arising hereunder shall be brought exclusively in the courts located in Santa Clara County. The United Nations Convention on Contracts for the International Sale of Goods shall not apply.