SaaS Subscription Agreement

Montague Law | Free Legal Form Template

10. DATA PROTECTION IMPACT ASSESSMENTS

10.1 Processor Assistance. The Processor shall provide reasonable assistance to the Controller with any Data Protection Impact Assessments and prior consultations with Supervisory Authorities or other competent data privacy authorities which the Controller reasonably considers to be required by Article 35 or Article 36 of the GDPR (or equivalent provisions under applicable Data Protection Laws), in each case solely in relation to Processing of Personal Data by the Processor on behalf of the Controller and taking into account the nature of the Processing and the information available to the Processor.

10.2 Information to be Provided. The Processor’s assistance pursuant to Section 10.1 shall include, without limitation, providing to the Controller: (a) a description of the Processing operations to be carried out by the Processor; (b) information regarding the Technical and Organizational Measures implemented by the Processor; (c) an assessment of the risks to the rights and freedoms of Data Subjects arising from the Processing, as reasonably known to the Processor; (d) any measures envisaged by the Processor to address identified risks; and (e) such other information as may be reasonably requested by the Controller to enable the Controller to complete a Data Protection Impact Assessment.

10.3 Prior Consultation. Where the Controller determines, following the completion of a Data Protection Impact Assessment, that prior consultation with a Supervisory Authority is required pursuant to Article 36 of the GDPR (or equivalent provisions under applicable Data Protection Laws), the Processor shall cooperate with the Controller and the relevant Supervisory Authority in connection with such prior consultation and shall provide such additional information regarding the Processing as may be requested by the Supervisory Authority.

10.4 Costs. The Controller shall reimburse the Processor for the reasonable costs and expenses incurred by the Processor in providing assistance under this Section 10, to the extent that such assistance requires material effort beyond the Processor’s standard service offering, provided that the Processor has obtained the Controller’s prior written approval of such costs.

11. TERM AND TERMINATION

11.1 Term. This DPA shall become effective on the Effective Date and shall remain in force until the earlier of: (a) the termination or expiration of the Main Agreement; or (b) the date on which the Processor ceases all Processing of Personal Data on behalf of the Controller. The provisions of this DPA that by their nature are intended to survive termination or expiration, including, without limitation, Sections 4.7 (Deletion and Return of Personal Data), 4.8 (Audit Rights), 8 (Data Breach Notification), 12 (Liability and Indemnification), and 13 (Miscellaneous), shall survive termination or expiration of this DPA.

11.2 Effect of Termination on Personal Data. Upon termination or expiration of this DPA, the Processor shall, at the Controller’s written election and instruction, either: (a) return all Personal Data to the Controller in a structured, commonly used, and machine-readable format, together with any copies thereof, within thirty (30) days following the effective date of termination; or (b) securely delete or destroy all Personal Data in the Processor’s possession or control, including all copies, backups, and archives, within sixty (60) days following the effective date of termination, using methods that render the Personal Data unrecoverable. If the Controller does not provide instructions within thirty (30) days following termination, the Processor shall securely delete or destroy all Personal Data in accordance with clause (b) of the preceding sentence.

11.3 Certification of Deletion. Following the completion of the return, deletion, or destruction of Personal Data pursuant to Section 11.2, the Processor shall provide written certification to the Controller, signed by an authorized officer of the Processor, confirming that all Personal Data has been returned, deleted, or destroyed in accordance with this DPA.

11.4 Retention Exception. Notwithstanding Sections 11.2 and 11.3, the Processor may retain Personal Data to the extent required by applicable law, provided that: (a) the Processor shall inform the Controller of such retention requirement, including the legal basis for and the period of such retention; (b) the Processor shall continue to comply with its obligations under this DPA with respect to any retained Personal Data; (c) the Processor shall limit Processing of such retained Personal Data to the purposes required by applicable law; and (d) the Processor shall securely delete or destroy such retained Personal Data promptly upon the expiration of the applicable retention period.

RECITALS

WHEREAS, [COMPANY NAME], a [STATE] corporation with its principal place of business at [ADDRESS] ("Provider"), is engaged in the business of providing cloud-based software-as-a-service solutions and related services;

WHEREAS, [CUSTOMER NAME], a [STATE] [entity type] with its principal place of business at [ADDRESS] ("Customer"), desires to obtain access to and use of the Service (as defined below) for its internal business operations;

WHEREAS, Provider desires to grant Customer a limited, non-exclusive right to access and use the Service, and Customer desires to obtain such access and use, in each case subject to the terms and conditions set forth in this SaaS Subscription Agreement (this "Agreement");

WHEREAS, the parties intend this Agreement to govern all aspects of Customer’s subscription to and use of the Service, including without limitation the rights and obligations of each party with respect to access, data, payment, confidentiality, intellectual property, and liability; and

WHEREAS, Provider and Customer each acknowledge that they have had the opportunity to review this Agreement and to negotiate the terms contained herein;

NOW, THEREFORE, in consideration of the mutual covenants, representations, warranties, and agreements set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:

12. LIABILITY AND INDEMNIFICATION

12.1 Allocation of Liability. Each Party shall be liable for its own acts and omissions in connection with its respective obligations under this DPA and applicable Data Protection Laws. The Processor shall be liable for damage caused by Processing only where it has not complied with obligations of applicable Data Protection Laws specifically directed to processors, or where it has acted outside of or contrary to the Controller’s lawful instructions.

12.2 Indemnification by the Processor. The Processor shall defend, indemnify, and hold harmless the Controller and its officers, directors, employees, agents, successors, and assigns from and against any and all claims, actions, demands, losses, damages, liabilities, costs, and expenses (including reasonable attorneys’ fees and court costs) arising out of or relating to: (a) the Processor’s breach of this DPA or applicable Data Protection Laws; (b) any act or omission of a Sub-processor engaged by the Processor; (c) any Personal Data Breach caused by the Processor’s failure to comply with its obligations under this DPA; or (d) any fines, penalties, or sanctions imposed by a Supervisory Authority directly attributable to the Processor’s breach of this DPA or applicable Data Protection Laws.

12.3 Indemnification by the Controller. The Controller shall defend, indemnify, and hold harmless the Processor and its officers, directors, employees, agents, successors, and assigns from and against any and all claims, actions, demands, losses, damages, liabilities, costs, and expenses (including reasonable attorneys’ fees and court costs) arising out of or relating to: (a) the Controller’s breach of this DPA or applicable Data Protection Laws; (b) the Controller’s unlawful or unauthorized instructions to the Processor; or (c) any claim that the Personal Data provided by the Controller to the Processor was collected or Processed by the Controller in violation of applicable Data Protection Laws.

12.4 Limitations on Liability. The aggregate liability of each Party under this DPA shall be subject to any limitations of liability set forth in the Main Agreement, provided that: (a) no limitation of liability shall apply to the extent prohibited by applicable Data Protection Laws; (b) the limitations of liability set forth in the Main Agreement shall not limit either Party’s liability for breaches of its obligations under applicable Data Protection Laws to the extent that such limitations would be inconsistent with applicable Data Protection Laws; and (c) nothing in this DPA shall be construed to limit a Data Subject’s rights against either Party under applicable Data Protection Laws.

12.5 Mitigation. Each Party shall take commercially reasonable steps to mitigate any damages for which the other Party may be liable under this DPA. Neither Party shall be liable for any indirect, incidental, consequential, special, punitive, or exemplary damages arising under or in connection with this DPA, except to the extent that such limitation is prohibited by applicable Data Protection Laws or to the extent that such damages are owed to a Data Subject.

13. MISCELLANEOUS

13.1 Governing Law. This DPA shall be governed by and construed in accordance with the laws of the State of [STATE], without regard to its conflicts of law principles, except to the extent that applicable Data Protection Laws require the application of the laws of another jurisdiction. Notwithstanding the foregoing, to the extent that the GDPR applies to the Processing of Personal Data under this DPA, issues of interpretation arising from the GDPR shall be resolved in accordance with the law of the European Union and the applicable Member State.

13.2 Dispute Resolution. Any dispute arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution provisions of the Main Agreement, provided that Data Subjects who are beneficiaries of the Standard Contractual Clauses shall have the rights specified therein, including the right to lodge a complaint with a Supervisory Authority and to seek judicial remedies.

13.3 Amendments. This DPA may not be modified, amended, or supplemented except by a written instrument duly executed by authorized representatives of both Parties. Notwithstanding the foregoing, the Processor may update Annex 2 (Technical and Organizational Security Measures) from time to time in accordance with Section 7.7 of this DPA, provided that such updates do not materially decrease the overall level of security.

13.4 Severability. If any provision of this DPA is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, such invalidity, illegality, or unenforceability shall not affect any other provision of this DPA, and this DPA shall be construed as if such invalid, illegal, or unenforceable provision had never been contained herein. The Parties shall negotiate in good faith to replace any invalid, illegal, or unenforceable provision with a valid, legal, and enforceable provision that achieves, to the greatest extent possible, the economic, business, and other purposes of the invalid, illegal, or unenforceable provision.

13.5 Order of Precedence. In the event of any conflict or inconsistency between the terms of this DPA and the terms of the Main Agreement, the terms of this DPA shall prevail to the extent of such conflict or inconsistency with respect to the Processing of Personal Data. In the event of any conflict between this DPA and any Standard Contractual Clauses entered into between the Parties, the Standard Contractual Clauses shall prevail to the extent of such conflict.

13.6 Entire Agreement. This DPA, together with the Main Agreement, the Standard Contractual Clauses (where applicable), and the Annexes hereto, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, proposals, representations, warranties, and understandings of the Parties, whether written or oral, relating to such subject matter.

13.7 Notices. All notices required or permitted to be given under this DPA shall be in writing and shall be deemed given: (a) when delivered personally; (b) when sent by confirmed electronic mail; (c) one (1) business day after being sent by nationally recognized overnight courier; or (d) three (3) business days after being mailed by registered or certified mail, return receipt requested, postage prepaid, to the addresses specified in the Main Agreement or such other address as may be designated by a Party in writing.

13.8 Assignment. Neither Party may assign or transfer this DPA, in whole or in part, without the prior written consent of the other Party, except that either Party may assign this DPA without consent in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets, provided that the assignee agrees in writing to be bound by the terms of this DPA.

13.9 Waiver. No waiver of any provision of this DPA shall be effective unless made in writing and signed by the waiving Party. The failure of either Party to enforce any provision of this DPA shall not constitute a waiver of such provision or of the right to enforce it at a later time.

13.10 Counterparts. This DPA may be executed in one or more counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Electronic signatures shall be deemed to be original signatures for all purposes.

1. DEFINITIONS

"Affiliate" means, with respect to a party, any entity that directly or indirectly controls, is controlled by, or is under common control with such party, where "control" means ownership of more than fifty percent (50%) of the voting securities or equivalent ownership interest of such entity.

"Authorized Users" means the individuals who are authorized by Customer to access and use the Service under the rights granted to Customer pursuant to this Agreement, subject to any limitations on the number of such users as set forth in the applicable Order Form.

"Confidential Information" means all non-public information disclosed by one party (the "Disclosing Party") to the other party (the "Receiving Party"), whether orally, in writing, or by any other means, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure, including without limitation technical data, trade secrets, business plans, financial information, customer lists, pricing information, product roadmaps, source code, algorithms, and the terms and conditions of this Agreement. Confidential Information shall not include information that: (a) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party; (b) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party; (c) is received from a third party without breach of any obligation owed to the Disclosing Party; or (d) was independently developed by the Receiving Party without reference to or use of the Disclosing Party’s Confidential Information.

"Customer Data" means all electronic data, information, content, records, and files that are uploaded, submitted, stored, transmitted, or otherwise provided by or on behalf of Customer or its Authorized Users to the Service or collected and processed by the Service on Customer’s behalf, excluding any Provider Technology.

"Documentation" means the user manuals, technical specifications, help files, API documentation, and other written or electronic materials made available by Provider to Customer that describe the features, functions, and operation of the Service, as updated by Provider from time to time.

"Effective Date" means [DATE], the date on which this Agreement is executed by both parties.

"Feedback" means any suggestions, enhancement requests, recommendations, corrections, or other feedback provided by Customer or its Authorized Users to Provider regarding the Service or any Provider Technology.

"Initial Term" has the meaning set forth in Section 4.1.

"Intellectual Property Rights" means all patent rights, copyrights, trademark rights, rights in trade secrets, database rights, moral rights, rights of publicity, and any other intellectual property rights (whether registered or unregistered) throughout the world, including all applications and registrations relating to any of the foregoing.

"Laws" means all applicable federal, state, provincial, municipal, local, and foreign laws, statutes, regulations, rules, codes, ordinances, orders, decrees, directives, and governmental requirements, including without limitation all applicable data protection and privacy laws and regulations.

"Losses" means any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, the costs of enforcing any right to indemnification hereunder, and the cost of pursuing any insurance providers.

"Order Form" means any ordering document, statement of work, or online registration form executed or completed by the parties that references this Agreement and specifies, among other things, the Service plan selected, the number of Authorized Users, the Subscription Fees, the Subscription Term, and any other terms applicable to Customer’s subscription.

"Permitted Use" means use of the Service by Authorized Users solely for Customer’s internal business operations in accordance with this Agreement, the Documentation, and any applicable Order Form, and not for the benefit of any third party other than Customer’s Affiliates as expressly authorized herein.

"Provider Technology" means the Service, the Documentation, and all technology, software, algorithms, user interfaces, trade secrets, techniques, designs, inventions, works of authorship, and other tangible and intangible materials and intellectual property made available or used by Provider in connection with the Service, together with all improvements, modifications, enhancements, derivative works, and updates thereto, regardless of whether such improvements, modifications, enhancements, derivative works, or updates are made by Provider, Customer, or any third party.

"Renewal Term" has the meaning set forth in Section 4.2.

"Service" means Provider’s proprietary cloud-based software-as-a-service platform and any related applications, tools, and functionality as described in the applicable Order Form and Documentation, including all updates, upgrades, new versions, and enhancements thereto made generally available by Provider during the Subscription Term.

"Service Level" means the performance standards and uptime commitments for the Service as set forth in Section 7 of this Agreement.

"Subscription Fees" means the fees payable by Customer for access to and use of the Service during the Subscription Term, as set forth in the applicable Order Form.

"Subscription Term" means, collectively, the Initial Term and any Renewal Term(s), as set forth in Section 4.

"Users" or "User" means the individual persons (whether employees, contractors, or agents of Customer or its Affiliates) who are registered to access and use the Service under Customer’s account, each of whom must qualify as an Authorized User.

13A. ANNUAL REVIEW

13A.1 Annual Review. The parties shall conduct a review of this Agreement at least once per calendar year (or more frequently if required by changes in applicable Data Protection Laws) to assess whether the terms remain adequate in light of: (a) changes to applicable Data Protection Laws; (b) guidance or decisions issued by Supervisory Authorities; (c) changes to the nature, scope, or purpose of processing activities; (d) changes to the types of Personal Data processed or categories of Data Subjects; and (e) developments in data protection best practices and standards.

13A.2 Updates. If either party determines that amendments to this Agreement are necessary as a result of the annual review, the parties shall negotiate in good faith to agree upon appropriate amendments within sixty (60) days. If the parties cannot agree on necessary amendments, either party may terminate this Agreement upon ninety (90) days’ written notice.

13A.3 Records of Review. The parties shall maintain records of each annual review, including the date of review, participants, findings, and any agreed actions or amendments.

ANNEX 1: DETAILS OF PROCESSING

This Annex 1 forms part of the DPA and describes the details of the Processing of Personal Data by the Processor on behalf of the Controller.

Subject Matter of Processing: The Processing of Personal Data by the Processor is necessary for the Processor to provide the Services to the Controller pursuant to the Main Agreement. The subject matter of the Processing is the provision of [description of services] as further described in the Main Agreement.

Duration of Processing: The Processor will Process Personal Data for the duration of the Main Agreement, unless otherwise agreed in writing or required by applicable law. Personal Data shall be deleted or returned in accordance with Section 11 (Term and Termination) of the DPA upon termination or expiration of the Main Agreement.

Nature and Purpose of Processing: The Processor will Process Personal Data for the purpose of providing the Services under the Main Agreement, which may include, without limitation: (a) receiving, storing, and organizing Personal Data provided by or on behalf of the Controller; (b) processing, transforming, and analyzing Personal Data as necessary to deliver the Services; (c) transmitting, displaying, or making Personal Data available to the Controller and its authorized users; (d) creating backups and copies of Personal Data for disaster recovery and business continuity purposes; and (e) such other Processing activities as are reasonably necessary to perform the Services.

Types of Personal Data Processed: The following types of Personal Data may be Processed by the Processor in connection with the Services: (a) contact information, including names, email addresses, telephone numbers, mailing addresses, and job titles; (b) account and profile information, including usernames, user IDs, and account preferences; (c) transactional data, including records of transactions, orders, and interactions; (d) usage data, including log data, device information, IP addresses, browser type, and clickstream data; (e) communications data, including the content of messages, emails, and other communications; (f) financial data, including billing information and payment records (excluding full payment card numbers); and (g) such other categories of Personal Data as may be provided by the Controller to the Processor in connection with the Services from time to time.

Categories of Data Subjects: The Personal Data Processed under this DPA may relate to the following categories of Data Subjects: (a) the Controller’s employees, contractors, and other personnel; (b) the Controller’s customers and prospective customers; (c) the Controller’s vendors, suppliers, and business partners; (d) end users of the Controller’s products or services; and (e) such other categories of Data Subjects as may be identified by the Controller from time to time in connection with the Services.

Special Categories of Data: The Parties do not anticipate the Processing of special categories of Personal Data (as defined in Article 9 of the GDPR) or Personal Data relating to criminal convictions and offences (as defined in Article 10 of the GDPR) under this DPA. If the Controller intends to instruct the Processor to Process any such data, the Controller shall notify the Processor in advance and the Parties shall agree on any additional safeguards or measures required by applicable Data Protection Laws prior to the commencement of such Processing.

2. ACCESS AND USE RIGHTS

2.1 Grant of Access. Subject to and conditioned upon Customer’s compliance with the terms and conditions of this Agreement, including the timely payment of all Subscription Fees, Provider hereby grants to Customer a limited, non-exclusive, non-transferable (except as set forth in Section 16.4), non-sublicensable right to access and use the Service during the Subscription Term, solely for the Permitted Use, and solely in accordance with the terms and conditions set forth in this Agreement, the applicable Order Form, and the Documentation.

2.2 Authorized Users. Customer may permit its Authorized Users to access and use the Service, provided that the number of Authorized Users does not exceed the maximum number specified in the applicable Order Form. Customer shall ensure that each Authorized User is assigned a unique user identification and password, and Customer shall be responsible for maintaining the confidentiality of all user identification credentials. Customer shall not permit any Authorized User to share login credentials with any other individual, and Customer shall promptly notify Provider if Customer becomes aware of any unauthorized access to or use of the Service or any Authorized User’s account.

2.3 Customer Responsibilities. Customer is responsible for all activities that occur under its account and the accounts of its Authorized Users, regardless of whether such activities are authorized by Customer. Customer shall: (a) ensure that all Authorized Users comply with the terms and conditions of this Agreement; (b) use commercially reasonable efforts to prevent unauthorized access to or use of the Service; (c) promptly notify Provider of any unauthorized access or use of which Customer becomes aware; and (d) use the Service only in compliance with all applicable Laws. Any act or omission of an Authorized User that would constitute a breach of this Agreement if committed by Customer shall be deemed a breach by Customer.

2.4 Usage Limitations. Customer’s use of the Service shall be subject to any usage limitations specified in the applicable Order Form, including without limitation limitations on the number of Authorized Users, storage capacity, bandwidth, API call volumes, transaction volumes, and any other quantitative or qualitative restrictions. If Customer exceeds any usage limitation, Provider may: (a) notify Customer and require Customer to purchase additional capacity or subscriptions at Provider’s then-current rates; (b) throttle or restrict Customer’s access to the affected features or functionality until such time as Customer’s usage falls within the applicable limitations; or (c) invoice Customer for the excess usage at Provider’s then-current overage rates as published on its website or as otherwise communicated to Customer.

2.5 Restrictions on Use. Customer shall not, and shall not permit any Authorized User or third party to: (a) copy, modify, adapt, translate, or create derivative works of the Service or any component thereof; (b) reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code, object code, underlying structure, algorithms, or ideas of the Service, except to the extent that such restriction is expressly prohibited by applicable Law; (c) sublicense, sell, rent, lease, lend, distribute, transfer, or otherwise make available the Service to any third party, except as expressly permitted under this Agreement; (d) use the Service for the benefit of any third party, including without limitation by operating a service bureau, timesharing, outsourcing, or application service provider arrangement; (e) remove, alter, or obscure any proprietary notices, labels, or marks on or in the Service or Documentation; (f) use the Service in any manner that violates any applicable Law or regulation or the rights of any third party; (g) use the Service to transmit any viruses, malware, worms, Trojan horses, or other harmful or malicious code; (h) interfere with or disrupt the integrity or performance of the Service or any third-party data contained therein; (i) gain or attempt to gain unauthorized access to the Service, its related systems or networks, or any accounts of other customers of Provider; (j) use the Service to perform competitive analysis, benchmarking, or for the purpose of building a competitive product or service; (k) use any automated means, including robots, crawlers, or data mining tools, to access or collect data from the Service, except through Provider’s published API in compliance with this Agreement; or (l) use the Service in any manner that could damage, disable, overburden, or impair the Service or interfere with any other party’s use of the Service.

2.6 API Access. To the extent that Provider makes available application programming interfaces ("APIs") for the Service, Customer may access and use such APIs solely for the Permitted Use and in compliance with the Documentation and any published API usage policies. Provider reserves the right to limit, throttle, or revoke API access at any time in its sole discretion if Provider reasonably determines that Customer’s use of the API adversely affects the performance, stability, or security of the Service. Customer shall not use the API to develop, offer, or operate a competing service or product.

Provider shall publish and maintain documentation specifying the applicable rate limits, quotas, and usage restrictions for API access (collectively, "API Limits"). API Limits shall be set at levels sufficient to support Customer’s Permitted Use as reasonably anticipated based on the applicable Order Form. Provider shall provide Customer with at least sixty (60) days’ prior written notice of any material reduction in API Limits. If Customer requires API capacity in excess of the published API Limits, Customer may request increased capacity, and Provider shall offer such increased capacity at commercially reasonable rates. Provider shall implement reasonable mechanisms to alert Customer when Customer’s API usage approaches the applicable API Limits, including usage dashboards and threshold notifications at seventy-five percent (75%) and ninety percent (90%) of applicable limits.

2.7 Third-Party Products. The Service may integrate with or provide access to certain third-party applications, products, services, or content (collectively, "Third-Party Products"). Customer’s use of any Third-Party Products is subject to the applicable third-party terms of service and privacy policies, and Provider makes no representations or warranties regarding any Third-Party Products. Provider shall have no liability for any Third-Party Products or for any loss or damage arising from Customer’s use thereof.

ANNEX 2: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

This Annex 2 forms part of the DPA and describes the Technical and Organizational Measures implemented by the Processor to protect Personal Data in accordance with Section 7 (Security Measures) of the DPA. The Processor may update these measures from time to time in accordance with Section 7.7, provided that such updates do not materially decrease the overall level of security.

1. Encryption. (a) Encryption in transit: All Personal Data transmitted over public networks shall be encrypted using TLS 1.2 or higher. (b) Encryption at rest: All Personal Data stored at rest shall be encrypted using AES-256 encryption or equivalent. (c) Key management: Encryption keys shall be generated, stored, rotated, and destroyed in accordance with industry-standard key management practices. Encryption keys shall be stored separately from the encrypted data and access to encryption keys shall be restricted to authorized personnel on a need-to-know basis.

2. Access Controls. (a) Authentication: Multi-factor authentication (MFA) shall be required for all access to systems and applications that Process Personal Data. (b) Authorization: Access to Personal Data shall be granted on a least-privilege and need-to-know basis, with role-based access controls (RBAC) implemented across all systems. (c) Password management: Passwords shall meet minimum complexity requirements, shall be changed at regular intervals, and shall be stored using strong, salted, one-way hashing algorithms. (d) Access reviews: Access rights shall be reviewed at least quarterly and promptly revoked upon termination of employment or change of role. (e) Privileged access: Administrative and privileged access shall be subject to enhanced monitoring, logging, and approval workflows.

3. Network Security. (a) Firewalls: Network firewalls shall be configured to restrict inbound and outbound traffic to authorized services and protocols. (b) Intrusion detection and prevention: Intrusion detection systems (IDS) and intrusion prevention systems (IPS) shall be deployed to monitor network traffic for suspicious activity. (c) Network segmentation: Networks shall be segmented to isolate systems that Process Personal Data from other systems and to limit lateral movement in the event of a compromise. (d) VPN: Remote access to the Processor’s network shall require the use of a virtual private network (VPN) or equivalent secure connection.

4. Physical Security. (a) Data center security: The Processor’s data centers (including third-party hosting providers) shall maintain physical security controls, including, without limitation, perimeter security, 24/7 monitoring (including CCTV), access controls (badge readers, biometric authentication), visitor management, and environmental controls (fire suppression, climate control, power redundancy). (b) Workstation security: Workstations used to access Personal Data shall be protected by full-disk encryption, automatic screen locks, and endpoint protection software. (c) Media disposal: Physical media containing Personal Data shall be securely destroyed or degaussed when no longer needed.

5. Data Minimization and Retention. (a) The Processor shall Process only the minimum amount of Personal Data necessary to provide the Services. (b) Personal Data shall be retained only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required by applicable law. (c) Upon expiration of the applicable retention period, Personal Data shall be securely deleted or destroyed in accordance with the DPA.

2A. ACCEPTABLE USE POLICY

2A.1 General Restrictions. In addition to the restrictions set forth in Section 2.5, Customer and its Authorized Users shall comply with this Acceptable Use Policy (this "AUP") at all times when accessing or using the Service.

2A.2 Prohibited Activities. Customer and its Authorized Users shall not use the Service to: (a) store, transmit, or distribute content that is illegal, defamatory, obscene, threatening, invasive of privacy, or otherwise objectionable; (b) transmit unsolicited bulk communications (spam) or engage in phishing; (c) impersonate any person or entity or falsely claim an affiliation with any person or entity; (d) engage in any activity that constitutes a violation of the privacy rights or other rights of third parties; (e) introduce viruses, malware, worms, or other malicious code; (f) attempt to gain unauthorized access to systems, accounts, or data not belonging to Customer; (g) use the Service for cryptocurrency mining or similar resource-intensive computation not authorized by Provider; (h) circumvent or disable security features of the Service; or (i) use the Service in a manner that could harm minors.

2A.3 Resource Usage. Customer shall not consume computational, storage, or network resources in a manner that disrupts or degrades the Service for other customers. Provider may implement fair use policies and notify Customer of excessive usage patterns.

2A.4 Enforcement. Provider may, upon reasonable notice (or immediately in the case of urgent security threats), suspend Customer’s access to the Service for violations of this AUP. Provider shall notify Customer promptly of any suspension and cooperate with Customer to resolve the issue.

2A.5 Updates. Provider may update this AUP from time to time upon thirty (30) days’ prior written notice to Customer. Material changes to the AUP that restrict Customer’s previously permitted uses shall not take effect during the then-current Subscription Term without Customer’s consent.

ANNEX 2: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES (continued)

6. Availability and Resilience. (a) Business continuity: The Processor shall maintain a business continuity plan that includes procedures for ensuring the continued availability and security of Personal Data in the event of a disruption. (b) Disaster recovery: The Processor shall maintain a disaster recovery plan that includes procedures for the timely restoration of availability and access to Personal Data in the event of a physical or technical incident. (c) Backups: Personal Data shall be backed up at regular intervals using encrypted backup media, and backups shall be tested at least annually to verify their integrity and recoverability. (d) Redundancy: Critical systems and infrastructure shall be designed with appropriate redundancy to minimize the risk of single points of failure.

7. Vulnerability Management and Patch Management. (a) Vulnerability scanning: Systems that Process Personal Data shall be subject to regular vulnerability scanning (at least monthly) and remediation. (b) Penetration testing: Independent third-party penetration testing shall be conducted at least annually. (c) Patch management: Security patches and updates shall be applied in a timely manner, with critical patches applied within the timeframe recommended by the vendor or within seventy-two (72) hours of release, whichever is shorter. (d) Secure development: The Processor shall follow secure software development practices, including code reviews, static analysis, and security testing.

8. Incident Response. (a) The Processor shall maintain a documented incident response plan that includes procedures for detecting, reporting, investigating, containing, and remediating security incidents. (b) The incident response plan shall designate an incident response team with clearly defined roles and responsibilities. (c) The incident response plan shall be tested at least annually through tabletop exercises or simulations, and the results of such tests shall be documented and used to improve the plan.

9. Logging and Monitoring. (a) Audit logs: Access to systems containing Personal Data shall be logged, including the identity of the user, the date and time of access, and the action performed. (b) Log retention: Audit logs shall be retained for a minimum of twelve (12) months, or such longer period as required by applicable law. (c) Log protection: Audit logs shall be protected against unauthorized access, modification, and deletion. (d) Monitoring: The Processor shall implement continuous monitoring of systems that Process Personal Data to detect security events and anomalous activity.

10. Employee and Contractor Security. (a) Background checks: The Processor shall conduct background checks on personnel with access to Personal Data, to the extent permitted by applicable law. (b) Security training: All personnel with access to Personal Data shall receive data protection and information security training upon hiring and at least annually thereafter. (c) Acceptable use policies: The Processor shall maintain and enforce acceptable use policies governing the use of systems, networks, and data by personnel. (d) Separation of duties: Critical functions shall be separated among different individuals to reduce the risk of fraud, error, or misuse.


This template is provided by Montague Law for informational purposes only and does not constitute legal advice. Consult a qualified attorney before using this document.

3. SUBSCRIPTION TERM AND RENEWAL

3.1 Initial Term. The initial subscription term shall commence on the Effective Date and shall continue for the period specified in the applicable Order Form, unless earlier terminated in accordance with this Agreement (the "Initial Term"). If no initial subscription term is specified in the applicable Order Form, the Initial Term shall be twelve (12) months from the Effective Date.

3.2 Automatic Renewal. Unless either party provides written notice of non-renewal to the other party at least thirty (30) days prior to the expiration of the then-current Subscription Term, this Agreement shall automatically renew for successive periods equal in duration to the Initial Term (each, a "Renewal Term"). Each Renewal Term shall be subject to the same terms and conditions as set forth in this Agreement, except that Provider may increase the Subscription Fees for any Renewal Term upon not less than sixty (60) days’ prior written notice to Customer before the commencement of such Renewal Term.

Notwithstanding Section 4.4, any increase in Subscription Fees upon automatic renewal shall not exceed the greater of (a) three percent (3%) of the Subscription Fees in effect during the immediately preceding Subscription Term and (b) the percentage increase in the Consumer Price Index for All Urban Consumers (CPI-U) published by the U.S. Bureau of Labor Statistics for the twelve (12) month period ending sixty (60) days prior to the commencement of the applicable Renewal Term ("CPI Increase"), in each case calculated on an annualized basis. Any proposed increase in excess of such cap shall require Customer’s express written consent and shall constitute a material change subject to Customer’s non-renewal right under Section 3.3.

3.3 Cancellation and Non-Renewal. Either party may elect not to renew this Agreement by providing written notice of non-renewal to the other party in accordance with Section 3.2. Notices of non-renewal must be delivered in writing and in the manner specified in Section 16.6 of this Agreement. Notwithstanding any notice of non-renewal, Customer shall remain obligated to pay all Subscription Fees and other charges accrued or payable through the end of the then-current Subscription Term.

3.4 Changes Upon Renewal. Provider reserves the right to modify the terms and conditions of this Agreement, including without limitation the Service features, functionality, Service Levels, and support terms, effective upon the commencement of any Renewal Term, provided that Provider gives Customer written notice of any material changes at least sixty (60) days prior to the commencement of such Renewal Term. If Customer objects to any such material changes, Customer may decline to renew this Agreement by providing written notice of non-renewal in accordance with Section 3.2 prior to the commencement of such Renewal Term.

4. FEES AND PAYMENT

4.1 Subscription Fees. Customer shall pay the Subscription Fees specified in the applicable Order Form in accordance with the billing cycle and payment terms set forth therein. Unless otherwise specified in the applicable Order Form, Subscription Fees shall be invoiced in advance on a monthly or annual basis, as selected by Customer at the time of subscription.

4.2 Billing Cycle. If Customer selects a monthly billing cycle, Provider shall invoice Customer on or about the first day of each calendar month during the Subscription Term, and each such invoice shall be due and payable within thirty (30) days of the invoice date. If Customer selects an annual billing cycle, Provider shall invoice Customer on or about the commencement date of the Initial Term and each anniversary thereof during the Subscription Term, and each such invoice shall be due and payable within thirty (30) days of the invoice date. Unless otherwise agreed in writing, all Subscription Fees for the Initial Term are non-refundable and non-cancellable.

4.3 Payment Methods. Customer shall pay all invoices by wire transfer, ACH transfer, credit card, or such other payment method as Provider may accept from time to time. Customer authorizes Provider to charge the payment method on file for all Subscription Fees and other amounts due under this Agreement. If Customer pays by credit card, Customer authorizes Provider to charge Customer’s credit card automatically on a recurring basis in accordance with the applicable billing cycle.

4.4 Price Changes. Provider may change the Subscription Fees for any Renewal Term upon not less than sixty (60) days’ prior written notice to Customer before the commencement of such Renewal Term. Any such price change shall not affect the Subscription Fees payable during the then-current Subscription Term. If Customer does not agree to any price change, Customer’s sole and exclusive remedy shall be to provide notice of non-renewal in accordance with Section 3.2.

4.5 Late Payments. Any amounts not paid when due shall bear interest at the rate of one and one-half percent (1.5%) per month (or, if lower, the maximum rate permitted by applicable Law), calculated from the date such payment was due until the date of actual payment. Customer shall reimburse Provider for all reasonable costs and expenses incurred in collecting any late payments, including without limitation reasonable attorneys’ fees and collection agency costs.

4.6 Suspension for Non-Payment. If any undisputed amount remains overdue for more than fifteen (15) days after Provider has provided written notice of such overdue amount to Customer, Provider may, without limiting its other rights and remedies, suspend Customer’s and all Authorized Users’ access to the Service until such time as all overdue amounts, including accrued interest, are paid in full. Provider shall provide Customer with at least five (5) business days’ prior written notice before suspending access for non-payment. Any such suspension shall not relieve Customer of its obligation to pay all Subscription Fees and other amounts due under this Agreement.

4.7 Taxes. All Subscription Fees and other amounts payable under this Agreement are exclusive of, and Customer shall be solely responsible for, all sales, use, excise, value-added, withholding, and other taxes, levies, duties, and governmental charges of any kind (collectively, "Taxes") imposed on or in connection with this Agreement or Customer’s receipt or use of the Service, excluding only taxes based solely on Provider’s net income. If Provider is required by Law to collect or remit any Taxes on behalf of Customer, Provider shall invoice Customer for such Taxes, and Customer shall pay such Taxes in addition to the Subscription Fees. If Customer is required by Law to withhold any Taxes from payments to Provider, Customer shall gross up its payment to Provider so that the net amount received by Provider after withholding equals the full amount that would have been received absent such withholding.

4.8 Disputed Charges. If Customer disputes any charge on an invoice in good faith, Customer shall provide written notice of such dispute to Provider within fifteen (15) days of the invoice date, specifying in reasonable detail the nature and basis of the dispute. Customer shall pay any undisputed amounts in accordance with this Section 4 while the parties work in good faith to resolve the disputed charges. If the parties are unable to resolve the dispute within thirty (30) days of Provider’s receipt of Customer’s written notice, either party may pursue resolution in accordance with Section 16.2.

5. CUSTOMER DATA

5.1 Ownership. As between Provider and Customer, Customer retains all right, title, and interest in and to all Customer Data, including all Intellectual Property Rights therein. Nothing in this Agreement shall be construed to transfer or assign to Provider any ownership rights in any Customer Data.

5.2 License to Provider. Customer hereby grants to Provider a limited, non-exclusive, non-transferable (except as set forth in Section 16.4), royalty-free license to access, use, copy, store, transmit, display, modify, and process the Customer Data solely to the extent necessary to: (a) provide, maintain, and improve the Service in accordance with this Agreement; (b) comply with applicable Laws; (c) enforce this Agreement; and (d) as otherwise expressly permitted in writing by Customer. For the avoidance of doubt, Provider shall not use Customer Data for any purpose other than the purposes set forth in this Section 5.2, and Provider shall not sell, rent, lease, or otherwise disclose Customer Data to any third party except as expressly authorized by Customer or as required by applicable Law.

5.3 Aggregated and De-Identified Data. Notwithstanding anything to the contrary in this Agreement, Provider may collect, use, and disclose aggregated and de-identified data derived from Customer Data ("Aggregated Data"), provided that such Aggregated Data: (a) does not identify Customer, any Authorized User, or any natural person; (b) cannot reasonably be used to re-identify Customer, any Authorized User, or any natural person; and (c) is used only for Provider’s legitimate business purposes, including product improvement, analytics, and benchmarking. Provider shall own all right, title, and interest in such Aggregated Data.

5.4 Data Portability. Upon Customer’s written request, submitted at any time during the Subscription Term or within thirty (30) days following the expiration or termination of this Agreement, Provider shall make Customer Data available to Customer for export or download in a commonly used, machine-readable format. Provider shall use commercially reasonable efforts to make Customer Data available for export within ten (10) business days of receiving Customer’s written request.

5.5 Data Deletion. Subject to Section 5.4 and Section 14.5, upon the expiration or termination of this Agreement, Provider shall delete or destroy all Customer Data in its possession or control within sixty (60) days following the expiration of the thirty (30) day data retrieval period set forth in Section 14.5, unless Provider is required by applicable Law to retain such Customer Data for a longer period, in which case Provider shall isolate and protect the Customer Data from further processing and delete such Customer Data upon expiration of the applicable retention period. Provider shall, upon Customer’s request, certify in writing the deletion or destruction of Customer Data in accordance with this Section 5.5.

5.6 Backup. Provider shall maintain commercially reasonable backup and disaster recovery procedures for Customer Data stored in the Service. Notwithstanding the foregoing, Customer acknowledges and agrees that it is solely responsible for maintaining its own backup copies of Customer Data and that Provider shall not be liable for any loss, corruption, or destruction of Customer Data except to the extent caused by Provider’s gross negligence or willful misconduct.

5.7 Data Accuracy. Customer is solely responsible for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Customer Data. Provider shall have no obligation to review, validate, or verify any Customer Data for accuracy or completeness.

6. SERVICE LEVEL AGREEMENT

6.1 Uptime Commitment. During the Subscription Term, Provider shall use commercially reasonable efforts to make the Service available to Customer with a monthly uptime percentage of at least ninety-nine and nine-tenths percent (99.9%) (the "Uptime Commitment"), measured on a calendar month basis. "Uptime" is calculated as the total number of minutes in a calendar month minus the number of minutes of Downtime, divided by the total number of minutes in such calendar month, expressed as a percentage. "Downtime" means any period during which the Service is materially unavailable or materially inoperable for Customer, as verified by Provider’s monitoring systems, excluding Excluded Downtime (as defined in Section 6.5).

6.2 Scheduled Maintenance. Provider shall use commercially reasonable efforts to perform routine scheduled maintenance during off-peak hours (between 12:00 a.m. and 6:00 a.m. Eastern Time on Saturdays and Sundays) and shall provide Customer with at least forty-eight (48) hours’ prior notice of any scheduled maintenance that is reasonably expected to result in Downtime. Time during scheduled maintenance windows for which Provider has provided the required notice shall not constitute Downtime for purposes of calculating the Uptime Commitment. Provider shall use commercially reasonable efforts to minimize the duration and frequency of scheduled maintenance.

6.3 Service Credits. If the Service fails to meet the Uptime Commitment in any calendar month, Customer shall be eligible to receive a service credit ("Service Credit") as follows: (a) if the monthly uptime percentage is less than 99.9% but equal to or greater than 99.0%, Customer shall receive a Service Credit equal to five percent (5%) of the monthly Subscription Fees for the affected month; (b) if the monthly uptime percentage is less than 99.0% but equal to or greater than 95.0%, Customer shall receive a Service Credit equal to ten percent (10%) of the monthly Subscription Fees for the affected month; and (c) if the monthly uptime percentage is less than 95.0%, Customer shall receive a Service Credit equal to twenty-five percent (25%) of the monthly Subscription Fees for the affected month. In no event shall the aggregate Service Credits issued to Customer in any single calendar month exceed twenty-five percent (25%) of the monthly Subscription Fees for such month.

6.4 Credit Request Procedure. To receive a Service Credit, Customer must submit a written request to Provider within thirty (30) days following the end of the calendar month in which the Downtime occurred. Each such request must include: (a) the dates and times of each incident of Downtime; (b) a description of the impact on Customer’s use of the Service; and (c) any supporting documentation reasonably available to Customer. Provider shall evaluate each request and, if it determines that a Service Credit is warranted, shall apply such Service Credit to Customer’s next invoice. If Customer is on an annual billing cycle, the Service Credit shall be applied to the next renewal invoice or, if the Agreement will not be renewed, refunded to Customer within thirty (30) days.

6.5 Exclusions. The Uptime Commitment shall not apply to any Downtime or performance issues resulting from: (a) scheduled maintenance performed in accordance with Section 6.2; (b) emergency maintenance required to address critical security vulnerabilities or system integrity issues, provided that Provider uses commercially reasonable efforts to provide advance notice; (c) factors outside of Provider’s reasonable control, including without limitation force majeure events as described in Section 16.3; (d) Customer’s or any Authorized User’s equipment, software, network connections, or other infrastructure; (e) Customer’s or any Authorized User’s use of the Service in a manner not in accordance with the Documentation or this Agreement; (f) any third-party services, hardware, or software not provided by Provider; (g) denial-of-service attacks or other cyber attacks directed at Provider’s infrastructure, provided that Provider uses commercially reasonable efforts to mitigate such attacks; or (h) Customer’s breach of this Agreement.

6.6 Sole and Exclusive Remedy. The Service Credits described in this Section 6 shall be Customer’s sole and exclusive remedy, and Provider’s sole and exclusive liability, for any failure to meet the Uptime Commitment or any other failure of the Service to meet the Service Levels, except where such failure constitutes a material breach of this Agreement giving rise to Customer’s termination rights under Section 14.1.

6A. DISASTER RECOVERY AND BUSINESS CONTINUITY

6A.1 Business Continuity Plan. Provider shall maintain a comprehensive business continuity and disaster recovery plan (the "BC/DR Plan") that addresses, at a minimum: (a) identification of critical systems and services; (b) risk assessment and mitigation strategies; (c) recovery procedures for each critical system; (d) communication protocols during an incident; and (e) personnel roles and responsibilities.

6A.2 Recovery Objectives. Provider commits to the following recovery objectives: (a) Recovery Time Objective (RTO): the Service shall be restored to operational status within [NUMBER] hours following a disaster event; and (b) Recovery Point Objective (RPO): in the event of a disaster, Customer Data shall be recoverable to a point in time no more than [NUMBER] hours prior to the disaster event.

6A.3 Testing. Provider shall test its BC/DR Plan at least once per calendar year and shall provide Customer with a summary of test results upon reasonable written request. Provider shall promptly remediate any material deficiencies identified during testing.

6A.4 Geographic Redundancy. Provider shall maintain geographically redundant infrastructure such that a failure at any single data center location shall not result in a loss of Customer Data or an interruption of Service exceeding the RTO set forth in Section 6A.2.

7. SUPPORT

7.1 Standard Support. During the Subscription Term, Provider shall provide Customer with standard technical support for the Service at no additional charge ("Standard Support"). Standard Support shall include: (a) access to Provider’s online help center, knowledge base, and Documentation; (b) email-based technical support during Provider’s standard business hours (Monday through Friday, 9:00 a.m. to 6:00 p.m. Eastern Time, excluding Provider-observed holidays); and (c) access to Provider’s community forums and self-service troubleshooting tools.

7.2 Premium Support. Provider may offer enhanced support plans ("Premium Support") for an additional fee as set forth in the applicable Order Form. Premium Support may include, without limitation: (a) twenty-four hours per day, seven days per week (24/7) support availability; (b) telephone-based technical support; (c) dedicated account management; (d) priority response and resolution times; (e) on-site or remote training sessions; and (f) proactive system monitoring and performance reporting. The specific features and terms of any Premium Support plan shall be as described in the applicable Order Form or support plan documentation.

7.3 Response Times. Provider shall use commercially reasonable efforts to respond to Customer support requests within the following timeframes, based on the severity of the issue: (a) Severity 1 (Critical) – a complete outage of the Service or a condition that renders the Service entirely unusable for all Authorized Users: response within one (1) hour for Standard Support, thirty (30) minutes for Premium Support; (b) Severity 2 (High) – a major feature or functionality is materially impaired but the Service remains partially usable: response within four (4) hours for Standard Support, two (2) hours for Premium Support; (c) Severity 3 (Medium) – a non-critical feature or functionality is impaired, with a workaround available: response within one (1) business day for Standard Support, four (4) hours for Premium Support; (d) Severity 4 (Low) – a general question, cosmetic issue, or minor inconvenience with minimal impact on functionality: response within two (2) business days for Standard Support, one (1) business day for Premium Support.

7.4 Escalation Procedures. If Customer believes that a support request is not being addressed in a timely or satisfactory manner, Customer may escalate the request by notifying Provider’s designated escalation contact in writing. Provider shall investigate and respond to all escalation requests within one (1) business day. If the issue remains unresolved after initial escalation, Customer may escalate the matter to Provider’s management team. Provider shall maintain and make available to Customer a current escalation contact list with names, titles, and contact information for each level of escalation.

7.5 Documentation and Training. Provider shall maintain and make available to Customer current Documentation for the Service, including user guides, API documentation, release notes, and system requirements. Provider shall make commercially reasonable efforts to update the Documentation to reflect material changes to the Service within a reasonable period following the release of such changes. Provider may, from time to time, offer training resources such as webinars, tutorials, and online courses to assist Customer and its Authorized Users in the effective use of the Service.

7.6 Customer Cooperation. Customer acknowledges that Provider’s ability to provide effective support depends upon Customer’s cooperation. Customer shall: (a) provide Provider with sufficient detail regarding any issue or inquiry to enable Provider to diagnose and address the matter; (b) implement any reasonable recommendations or fixes provided by Provider in a timely manner; (c) designate a reasonable number of trained technical contacts who shall serve as the primary points of contact for support-related communications; and (d) provide Provider with reasonable remote access to Customer’s systems and environments to the extent necessary for troubleshooting purposes, subject to Customer’s reasonable security requirements.

8. INTELLECTUAL PROPERTY

8.1 Provider Intellectual Property. As between the parties, Provider retains all right, title, and interest in and to the Provider Technology, including all Intellectual Property Rights therein. No rights or licenses are granted to Customer with respect to the Provider Technology except as expressly set forth in this Agreement. Without limiting the generality of the foregoing, Customer acknowledges that the Service is provided on a subscription basis and that Customer acquires no ownership rights in the Service or any component thereof under this Agreement.

8.2 Customer Intellectual Property. As between the parties, Customer retains all right, title, and interest in and to the Customer Data, including all Intellectual Property Rights therein. No rights or licenses are granted to Provider with respect to Customer Data except as expressly set forth in this Agreement.

8.3 Feedback. If Customer or any Authorized User provides any Feedback to Provider, Customer hereby grants to Provider a worldwide, non-exclusive, irrevocable, perpetual, royalty-free, fully paid-up, transferable, sublicensable (through multiple tiers) license to use, reproduce, modify, create derivative works based upon, distribute, publicly perform, publicly display, and otherwise exploit such Feedback for any purpose, without restriction, obligation, or compensation to Customer or any Authorized User. Customer acknowledges and agrees that Provider may incorporate Feedback into the Service or any other Provider product or service without any obligation of attribution or compensation.

8.4 No Implied Licenses. Except for the limited rights and licenses expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to either party any Intellectual Property Rights or other right, title, or interest in or to the other party’s technology, information, or intellectual property.

8.5 Trademark Usage. Neither party may use the other party’s name, logo, trademarks, or service marks without the prior written consent of the other party, except that: (a) Provider may include Customer’s name and logo in its list of customers on Provider’s website and in marketing materials, subject to Customer’s prior written approval of the specific use, which approval shall not be unreasonably withheld; and (b) Customer may use Provider’s name and trademarks solely to the extent necessary to identify Provider as the provider of the Service in the ordinary course of Customer’s internal business operations. Each party shall comply with the other party’s published trademark usage guidelines, if any.

8.6 Reservation of Rights. All rights not expressly granted herein are reserved. Provider reserves all rights in the Provider Technology and Customer reserves all rights in the Customer Data.

9. CONFIDENTIALITY

9.1 Obligations. The Receiving Party shall: (a) not disclose or otherwise make available any Confidential Information of the Disclosing Party to any third party without the prior written consent of the Disclosing Party, except as expressly permitted in this Agreement; (b) use the Confidential Information of the Disclosing Party only for the purposes of exercising its rights and performing its obligations under this Agreement; and (c) protect the Confidential Information of the Disclosing Party using the same degree of care that the Receiving Party uses to protect its own Confidential Information of a similar nature, but in no event less than a reasonable degree of care. The Receiving Party may disclose Confidential Information of the Disclosing Party only to those of its employees, officers, directors, contractors, advisors, and agents who have a bona fide need to know such Confidential Information for the purposes of this Agreement and who are bound by obligations of confidentiality at least as protective as those set forth in this Section 9.

9.2 Exclusions. The obligations of confidentiality set forth in this Section 9 shall not apply to information that the Receiving Party can demonstrate by clear and convincing evidence: (a) is or becomes generally known to the public through no act or omission of the Receiving Party or any person to whom the Receiving Party has disclosed such information; (b) was in the Receiving Party’s lawful possession prior to the Disclosing Party’s disclosure thereof, as evidenced by the Receiving Party’s written records; (c) is lawfully received by the Receiving Party from a third party who is not under any obligation of confidentiality with respect to such information and who has the right to disclose such information without restriction; or (d) is independently developed by the Receiving Party without reference to or use of the Disclosing Party’s Confidential Information, as evidenced by the Receiving Party’s written records.

9.3 Compelled Disclosure. If the Receiving Party is compelled by applicable Law, regulation, legal process, or order of a court of competent jurisdiction or governmental authority (including a subpoena, civil investigative demand, or similar legal process) to disclose any Confidential Information of the Disclosing Party, the Receiving Party shall: (a) provide the Disclosing Party with prompt written notice of such requirement prior to disclosure (to the extent legally permitted) so that the Disclosing Party may seek a protective order or other appropriate remedy or waive compliance with this Section 9; (b) cooperate with the Disclosing Party, at the Disclosing Party’s expense, in any effort by the Disclosing Party to obtain a protective order or other appropriate remedy; and (c) disclose only that portion of the Confidential Information that is legally required to be disclosed. Any Confidential Information disclosed pursuant to this Section 9.3 shall retain its confidential status for all other purposes under this Agreement.

9.4 Injunctive Relief. Each party acknowledges that any breach or threatened breach of this Section 9 may cause irreparable harm to the Disclosing Party for which monetary damages would be an inadequate remedy. Accordingly, in addition to any other remedies available at law or in equity, the Disclosing Party shall be entitled to seek injunctive or other equitable relief to prevent or restrain any such breach or threatened breach, without the necessity of posting a bond or proving actual damages.

9.5 Return or Destruction. Upon the expiration or termination of this Agreement, or upon the Disclosing Party’s earlier written request, the Receiving Party shall promptly return to the Disclosing Party or destroy all copies of the Disclosing Party’s Confidential Information in the Receiving Party’s possession or control, and shall certify such return or destruction in writing within ten (10) business days. Notwithstanding the foregoing, the Receiving Party may retain copies of Confidential Information: (a) to the extent required by applicable Law or regulation; (b) in standard electronic backup and archival systems, provided that such copies remain subject to the confidentiality obligations of this Section 9; or (c) as necessary to exercise or enforce its rights under this Agreement.

9.6 Survival. The obligations of confidentiality set forth in this Section 9 shall survive the expiration or termination of this Agreement for a period of three (3) years following the date of expiration or termination; provided, however, that with respect to any Confidential Information that constitutes a trade secret under applicable Law, the obligations of confidentiality shall survive for so long as such information remains a trade secret.

10. REPRESENTATIONS AND WARRANTIES

10.1 Provider Representations and Warranties. Provider represents and warrants to Customer that: (a) the Service will materially conform to the functionality described in the Documentation during the Subscription Term; (b) Provider will provide the Service in a professional and workmanlike manner consistent with generally accepted industry standards; (c) to Provider’s knowledge, the Service, as provided by Provider to Customer and used in accordance with this Agreement and the Documentation, does not infringe, misappropriate, or otherwise violate the Intellectual Property Rights of any third party; (d) Provider will comply with all Laws applicable to Provider in its provision of the Service, including without limitation applicable data protection and privacy laws; (e) Provider has the full corporate right, power, and authority to enter into this Agreement and to perform the acts required of it hereunder; and (f) the execution of this Agreement by Provider and the performance by Provider of its obligations hereunder do not and will not violate any other agreement to which Provider is a party.

10.2 Customer Representations and Warranties. Customer represents and warrants to Provider that: (a) Customer has the full corporate right, power, and authority to enter into this Agreement and to perform the acts required of it hereunder; (b) the execution of this Agreement by Customer and the performance by Customer of its obligations hereunder do not and will not violate any other agreement to which Customer is a party; (c) Customer will use the Service solely for lawful purposes and in compliance with all applicable Laws; (d) Customer has all rights, licenses, consents, and permissions necessary to submit, upload, and transmit Customer Data to the Service and to grant the licenses set forth in this Agreement; and (e) the Customer Data, and Customer’s and its Authorized Users’ use of the Service, will not infringe, misappropriate, or otherwise violate the rights of any third party.

10.3 Warranty Remedies. If the Service fails to conform to the warranty set forth in Section 10.1(a), Customer shall provide Provider with written notice describing the non-conformity in reasonable detail, and Provider shall use commercially reasonable efforts to correct the reported non-conformity within thirty (30) days of receipt of such notice. If Provider is unable to correct the non-conformity within such thirty (30) day period, Customer may, as its sole and exclusive remedy for such warranty breach, terminate this Agreement upon written notice to Provider and receive a pro rata refund of any prepaid Subscription Fees for the unused portion of the then-current Subscription Term.

10.4 DISCLAIMER OF WARRANTIES. EXCEPT FOR THE EXPRESS WARRANTIES SET FORTH IN THIS SECTION 10, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE." TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, PROVIDER HEREBY DISCLAIMS ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WITHOUT LIMITATION ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, QUALITY, ACCURACY, AND QUIET ENJOYMENT. PROVIDER DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, COMPLETELY SECURE, OR FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS, OR THAT THE SERVICE WILL MEET CUSTOMER’S REQUIREMENTS OR EXPECTATIONS. PROVIDER DOES NOT WARRANT THAT ANY DEFECTS OR ERRORS IN THE SERVICE WILL BE CORRECTED. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY CUSTOMER FROM PROVIDER OR THROUGH THE SERVICE SHALL CREATE ANY WARRANTY NOT EXPRESSLY STATED HEREIN.

11. INDEMNIFICATION

11.1 Provider Indemnification. Provider shall defend, indemnify, and hold harmless Customer, its Affiliates, and their respective officers, directors, employees, agents, successors, and assigns (collectively, the "Customer Indemnitees") from and against any and all Losses arising out of or relating to any third-party claim, suit, action, or proceeding (each, a "Claim") alleging that Customer’s use of the Service in accordance with this Agreement infringes, misappropriates, or otherwise violates the Intellectual Property Rights of any third party (an "Infringement Claim"); provided, however, that Provider shall have no obligation under this Section 11.1 to the extent that any such Infringement Claim arises from: (a) Customer’s use of the Service in combination with any third-party product, service, software, or technology not provided, recommended, or approved by Provider; (b) Customer’s modification of the Service or any component thereof; (c) Customer’s use of the Service in a manner not in accordance with this Agreement or the Documentation; (d) Customer’s use of a version of the Service other than the most current version made available by Provider, if the alleged infringement would have been avoided by the use of such most current version; or (e) Customer Data.

11.2 Customer Indemnification. Customer shall defend, indemnify, and hold harmless Provider, its Affiliates, and their respective officers, directors, employees, agents, successors, and assigns (collectively, the "Provider Indemnitees") from and against any and all Losses arising out of or relating to any Claim: (a) alleging that the Customer Data, or Provider’s use of the Customer Data in accordance with this Agreement, infringes, misappropriates, or otherwise violates the Intellectual Property Rights or other rights of any third party; (b) arising from Customer’s or any Authorized User’s use of the Service in violation of this Agreement, the Documentation, or applicable Laws; (c) arising from Customer’s breach of any representation or warranty set forth in Section 10.2; or (d) arising from Customer’s or any Authorized User’s negligence or willful misconduct.

11.3 Indemnification Procedures. The indemnification obligations set forth in Sections 11.1 and 11.2 are subject to the following conditions: (a) the indemnified party shall provide the indemnifying party with prompt written notice of any Claim for which indemnification is sought, provided that the failure to provide prompt notice shall not relieve the indemnifying party of its indemnification obligations except to the extent that the indemnifying party is materially prejudiced by such failure; (b) the indemnifying party shall have sole control of the defense and settlement of any such Claim, provided that the indemnifying party shall not settle any Claim in a manner that imposes any obligation, restriction, or liability on the indemnified party without the indemnified party’s prior written consent, which consent shall not be unreasonably withheld, conditioned, or delayed; (c) the indemnified party shall reasonably cooperate with the indemnifying party in the defense of any such Claim, at the indemnifying party’s expense; and (d) the indemnified party shall have the right to participate in the defense of any such Claim at its own expense and with counsel of its own choosing.

11.4 Provider Mitigation. In the event that the Service becomes, or in Provider’s reasonable judgment is likely to become, the subject of an Infringement Claim, Provider may, at its sole option and expense: (a) modify the Service so that it becomes non-infringing without materially diminishing its functionality; (b) obtain a license for Customer to continue using the Service in accordance with this Agreement; (c) replace the Service with a functionally equivalent non-infringing alternative; or (d) if none of the foregoing options is commercially practicable, terminate this Agreement (or the portion thereof relating to the infringing component) upon written notice to Customer and refund to Customer any prepaid Subscription Fees for the unused portion of the then-current Subscription Term. This Section 11.4, together with Section 11.1, states Provider’s sole and exclusive liability, and Customer’s sole and exclusive remedy, with respect to any actual or alleged infringement, misappropriation, or other violation of any third party’s Intellectual Property Rights.

12. LIMITATION OF LIABILITY

12.1 Aggregate Cap. EXCEPT AS SET FORTH IN SECTION 12.3, IN NO EVENT SHALL EITHER PARTY’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR ANY OTHER LEGAL OR EQUITABLE THEORY, EXCEED THE TOTAL AMOUNT OF SUBSCRIPTION FEES ACTUALLY PAID BY CUSTOMER TO PROVIDER DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM (THE "LIABILITY CAP"). IF THIS AGREEMENT HAS BEEN IN EFFECT FOR LESS THAN TWELVE (12) MONTHS, THE LIABILITY CAP SHALL BE CALCULATED BY ANNUALIZING THE SUBSCRIPTION FEES PAID OR PAYABLE DURING THE PERIOD THE AGREEMENT HAS BEEN IN EFFECT.

12.2 Exclusion of Consequential Damages. EXCEPT AS SET FORTH IN SECTION 12.3, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY OR TO ANY THIRD PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING WITHOUT LIMITATION DAMAGES FOR LOSS OF PROFITS, LOSS OF REVENUE, LOSS OF BUSINESS OPPORTUNITIES, LOSS OF GOODWILL, LOSS OF USE, LOSS OF DATA, COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR INTERRUPTION OF BUSINESS, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHERWISE, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND EVEN IF A REMEDY SET FORTH HEREIN IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE.

12.3 Exceptions to Limitation. The limitations set forth in Sections 12.1 and 12.2 shall not apply to, and neither party’s liability shall be limited with respect to: (a) a party’s indemnification obligations under Section 11; (b) a party’s breach of its confidentiality obligations under Section 9; (c) a party’s willful misconduct, fraud, or gross negligence; (d) Provider’s infringement, misappropriation, or other violation of Customer’s Intellectual Property Rights in the Customer Data; (e) Customer’s infringement, misappropriation, or other violation of Provider’s Intellectual Property Rights in the Provider Technology; or (f) Customer’s payment obligations under Section 4. For the exceptions set forth in clauses (a) through (e) of this Section 12.3, each party’s aggregate liability shall not exceed two (2) times the Liability Cap.

12.4 Failure of Essential Purpose. THE PARTIES ACKNOWLEDGE THAT THE LIMITATIONS OF LIABILITY SET FORTH IN THIS SECTION 12 ARE AN ESSENTIAL ELEMENT OF THE BARGAIN BETWEEN THE PARTIES, AND THAT IN THE ABSENCE OF SUCH LIMITATIONS, THE ECONOMIC TERMS OF THIS AGREEMENT WOULD BE MATERIALLY DIFFERENT. THE LIMITATIONS OF LIABILITY SET FORTH IN THIS SECTION 12 SHALL APPLY NOTWITHSTANDING THE FAILURE OF THE ESSENTIAL PURPOSE OF ANY LIMITED REMEDY SET FORTH IN THIS AGREEMENT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.

12.5 Basis of the Bargain. EACH PARTY ACKNOWLEDGES THAT THE OTHER PARTY HAS SET ITS PRICES AND ENTERED INTO THIS AGREEMENT IN RELIANCE UPON THE LIMITATIONS OF LIABILITY AND THE DISCLAIMERS OF WARRANTIES AND DAMAGES SET FORTH HEREIN, AND THAT THE SAME FORM AN ESSENTIAL BASIS OF THE BARGAIN BETWEEN THE PARTIES.

13. TERM AND TERMINATION

13.1 Termination for Material Breach. Either party may terminate this Agreement upon written notice to the other party if the other party commits a material breach of this Agreement and fails to cure such breach within thirty (30) days after receipt of written notice specifying the nature of the breach in reasonable detail. For purposes of this Section 13.1, material breach shall include, without limitation: (a) Customer’s failure to pay any undisputed amounts when due under Section 4; (b) Customer’s use of the Service in material violation of the restrictions set forth in Section 2.5; (c) Provider’s failure to provide the Service in material conformance with the Documentation for a period exceeding thirty (30) consecutive days; and (d) either party’s breach of its confidentiality obligations under Section 9.

13.2 Termination for Convenience. Either party may terminate this Agreement for convenience by providing the other party with at least thirty (30) days’ prior written notice. In the event that Customer terminates this Agreement for convenience, Customer shall not be entitled to any refund of prepaid Subscription Fees, and all Subscription Fees remaining unpaid for the balance of the then-current Subscription Term shall become immediately due and payable. In the event that Provider terminates this Agreement for convenience, Provider shall refund to Customer a pro rata portion of any prepaid Subscription Fees for the unused portion of the then-current Subscription Term.

13.3 Termination for Insolvency. Either party may terminate this Agreement immediately upon written notice to the other party if the other party: (a) becomes insolvent or is generally unable to pay its debts as they become due; (b) files or has filed against it a petition in bankruptcy, receivership, or similar proceeding that is not dismissed within sixty (60) days; (c) makes a general assignment for the benefit of its creditors; (d) has a receiver, trustee, custodian, or similar agent appointed by order of any court of competent jurisdiction to take charge of or sell any material portion of its property or business; or (e) dissolves, liquidates, winds up, or ceases to conduct business in the ordinary course.

13.4 Effect of Termination. Upon the expiration or termination of this Agreement for any reason: (a) all rights and licenses granted to Customer under this Agreement shall immediately cease, and Customer and all Authorized Users shall immediately discontinue all access to and use of the Service; (b) Customer shall pay to Provider all Subscription Fees and other amounts accrued or payable through the effective date of expiration or termination; (c) each party shall comply with its obligations under Section 9.5 regarding the return or destruction of Confidential Information; (d) Provider shall make Customer Data available for retrieval in accordance with Section 14.5; and (e) each party shall promptly return or destroy all property of the other party in its possession or control.

13.5 Data Retrieval Period. Following the expiration or termination of this Agreement, Provider shall maintain Customer Data in the Service for a period of thirty (30) days (the "Data Retrieval Period") to allow Customer to retrieve or export its Customer Data in accordance with Section 5.4. During the Data Retrieval Period, Customer shall have limited, read-only access to the Service solely for the purpose of retrieving Customer Data. After the expiration of the Data Retrieval Period, Provider shall delete or destroy all Customer Data in accordance with Section 5.5.

13.6 Survival. The following provisions of this Agreement shall survive the expiration or termination of this Agreement for any reason: Section 1 (Definitions), Section 4 (Fees and Payment, with respect to amounts accrued prior to termination), Section 5 (Customer Data, as applicable to post-termination obligations), Section 8 (Intellectual Property), Section 9 (Confidentiality), Section 10.4 (Disclaimer of Warranties), Section 11 (Indemnification), Section 12 (Limitation of Liability), this Section 13.6 (Survival), and Section 16 (Miscellaneous). In addition, any provision of this Agreement that by its nature or context is intended to survive expiration or termination shall so survive.

14. DATA PRIVACY AND SECURITY

14.1 Compliance with Data Protection Laws. Each party shall comply with all applicable data protection and privacy laws, regulations, and rules (collectively, "Data Protection Laws") in connection with its performance under this Agreement, including without limitation the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CCPA"), and any other applicable federal, state, provincial, or national data protection or privacy law. To the extent that Provider processes any personal data (as defined under applicable Data Protection Laws) on behalf of Customer in connection with the provision of the Service, the parties shall enter into a Data Processing Addendum ("DPA") substantially in the form provided by Provider, which DPA shall be incorporated into and form an integral part of this Agreement.

14.2 Security Measures. Provider shall implement and maintain administrative, technical, and physical security measures designed to protect Customer Data against unauthorized access, acquisition, use, disclosure, destruction, alteration, or loss, in accordance with industry standards and best practices (including, without limitation, SOC 2 Type II, ISO 27001, or equivalent standards). Such measures shall include, at a minimum: (a) encryption of Customer Data in transit and at rest using commercially reasonable encryption standards; (b) access controls, including multi-factor authentication, role-based access controls, and principle of least privilege; (c) regular vulnerability assessments, penetration testing, and security audits; (d) intrusion detection and prevention systems; (e) employee security awareness training; and (f) incident response and disaster recovery plans. Provider shall, upon Customer’s reasonable written request no more than once per twelve-month period, provide Customer with a summary of Provider’s then-current security measures and certifications.

Provider shall maintain a current SOC 2 Type II audit report (or equivalent) covering the trust services criteria of security, availability, and confidentiality. Provider shall, upon Customer’s written request (no more than once per twelve (12) month period), provide Customer with a copy of Provider’s most recent SOC 2 Type II report (or a summary thereof) within thirty (30) days of such request. If Provider’s SOC 2 report identifies any material exceptions or findings, Provider shall disclose such exceptions to Customer and provide a remediation plan with target completion dates.

14.3 Security Breach Notification. In the event that Provider becomes aware of any unauthorized access to, acquisition of, use of, disclosure of, or loss of Customer Data (a "Security Breach"), Provider shall: (a) notify Customer in writing without undue delay and in any event within seventy-two (72) hours of becoming aware of the Security Breach; (b) promptly investigate the Security Breach and take all commercially reasonable steps to mitigate the effects of the Security Breach and to prevent further unauthorized access, acquisition, use, disclosure, or loss; (c) cooperate with Customer and provide Customer with all information reasonably necessary for Customer to comply with its notification obligations under applicable Data Protection Laws; (d) provide Customer with a detailed written report of the Security Breach, including the nature and scope of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its adverse effects; and (e) at Provider’s sole cost and expense, provide reasonable assistance to Customer in connection with any notifications that Customer is required to make to affected data subjects, regulatory authorities, or other third parties.

14.4 Data Processing Limitations. Provider shall process Customer Data solely for the purpose of providing, maintaining, and improving the Service in accordance with this Agreement and Customer’s documented instructions. Provider shall not: (a) sell Customer Data to any third party; (b) retain, use, or disclose Customer Data for any commercial purpose other than the provision of the Service; (c) process Customer Data outside the scope of Customer’s documented instructions, unless required to do so by applicable Law, in which case Provider shall inform Customer of that legal requirement before processing (unless such Law prohibits such notification on important grounds of public interest); or (d) transfer Customer Data to any jurisdiction outside the country in which Customer’s data is stored without Customer’s prior written consent, and then only in compliance with applicable Data Protection Laws, including the implementation of appropriate safeguards such as standard contractual clauses, binding corporate rules, or other legally recognized transfer mechanisms.

14.5 Subprocessors. Provider shall not engage any subprocessor to process Customer Data without Customer’s prior written consent, which may be provided on a general or specific basis. Provider shall maintain a list of its subprocessors and shall provide Customer with reasonable advance notice of any intended changes to such list, including the addition or replacement of subprocessors, so that Customer may have the opportunity to object to such changes. Provider shall impose data protection obligations on each subprocessor that are no less protective than those imposed on Provider under this Agreement.

14.6 Security Testing Rights. (a) Provider Testing. Provider shall conduct penetration testing of the Service and its supporting infrastructure at least annually using a qualified independent third-party security firm. Provider shall promptly remediate critical and high-severity vulnerabilities identified during such testing. Upon Customer’s written request, Provider shall provide a summary of testing methodology and findings (with sensitive details redacted as appropriate). (b) Customer Testing. Customer may, upon at least thirty (30) days’ prior written notice, conduct its own penetration testing or security assessment of the Service, provided that (i) such testing is conducted by a qualified third-party firm reasonably acceptable to Provider, (ii) the scope and methodology are agreed in advance with Provider, (iii) testing does not disrupt the Service for other customers, and (iv) Customer shares all findings with Provider. Customer shall bear the costs of its own testing. Provider shall remediate critical and high-severity vulnerabilities identified by Customer’s testing within timeframes mutually agreed by the parties.

15. MISCELLANEOUS

15.1 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of [STATE], without giving effect to any choice of law or conflict of law provisions that would cause the application of the laws of any other jurisdiction. The parties hereby irrevocably submit to the exclusive jurisdiction of the federal and state courts located in [STATE] for the adjudication of any dispute arising out of or relating to this Agreement, and each party hereby irrevocably waives, and agrees not to assert in any suit, action, or proceeding, any claim that it is not personally subject to the jurisdiction of any such court, that such suit, action, or proceeding is brought in an inconvenient forum, or that the venue of such suit, action, or proceeding is improper.

15.2 Dispute Resolution. The parties shall attempt to resolve any dispute, controversy, or claim arising out of or relating to this Agreement (a "Dispute") through good faith negotiation between senior executives of each party who have authority to settle the Dispute. Either party may initiate such negotiations by providing written notice to the other party, and the senior executives shall meet (in person or by teleconference) within fifteen (15) business days of receipt of such notice. If the Dispute is not resolved through negotiation within thirty (30) days of the initial notice, either party may pursue resolution through binding arbitration administered by the American Arbitration Association ("AAA") in accordance with its Commercial Arbitration Rules then in effect, or either party may pursue resolution through litigation in a court of competent jurisdiction as set forth in Section 15.1, at the election of the party initiating the proceeding. Any arbitration shall be conducted by a single arbitrator mutually agreed upon by the parties, or if the parties cannot agree, appointed by the AAA. The arbitration shall be conducted in [STATE], and the arbitrator’s decision shall be final and binding. Judgment on the award rendered by the arbitrator may be entered in any court having jurisdiction thereof. Notwithstanding the foregoing, either party may seek injunctive or other equitable relief from any court of competent jurisdiction at any time, without first resorting to the dispute resolution procedures set forth in this Section 15.2.

15.3 Force Majeure. Neither party shall be liable for any delay in or failure of performance of its obligations under this Agreement (other than payment obligations) to the extent that such delay or failure results from any cause beyond such party’s reasonable control, including without limitation acts of God, fire, flood, earthquake, hurricane, tornado, epidemic, pandemic, explosion, war, invasion, hostilities (whether or not war is declared), terrorist threats or acts, riot, civil commotion, blockade, embargo, sanctions, strikes, lockouts, or other labor disputes, failure or disruption of utility services, telecommunications, internet services, or cloud infrastructure, governmental action, or any other event or circumstance of a similar nature beyond the affected party’s reasonable control (each, a "Force Majeure Event"). The affected party shall: (a) give prompt written notice to the other party of the Force Majeure Event and the expected duration thereof; (b) use commercially reasonable efforts to mitigate the effects of the Force Majeure Event and resume performance as soon as practicable; and (c) provide periodic updates to the other party regarding the status of the Force Majeure Event and efforts to resume performance. If a Force Majeure Event continues for more than ninety (90) consecutive days, either party may terminate this Agreement upon written notice to the other party, and Provider shall refund to Customer a pro rata portion of any prepaid Subscription Fees for the unused portion of the then-current Subscription Term.

15.4 Assignment. Neither party may assign, transfer, delegate, or otherwise dispose of this Agreement or any of its rights or obligations hereunder, in whole or in part, without the prior written consent of the other party, which consent shall not be unreasonably withheld, conditioned, or delayed; provided, however, that either party may assign this Agreement in its entirety without the other party’s consent to: (a) an Affiliate; or (b) a successor in interest in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of the assigning party’s assets or equity, provided that the assignee agrees in writing to be bound by all terms and conditions of this Agreement. Any attempted assignment in violation of this Section 15.4 shall be null and void. Subject to the foregoing, this Agreement shall be binding upon and inure to the benefit of the parties and their respective successors and permitted assigns.

15.5 Notices. All notices, requests, demands, consents, and other communications required or permitted under this Agreement shall be in writing and shall be deemed to have been duly given: (a) upon delivery, if delivered personally; (b) upon confirmed receipt, if sent by registered or certified mail, return receipt requested, postage prepaid; (c) one (1) business day after deposit with a nationally recognized overnight courier service, with delivery confirmation; or (d) upon confirmed delivery, if sent by email with read receipt confirmation, provided that email notice shall be followed by a copy sent by one of the other methods described in this Section 15.5 within two (2) business days. Notices shall be sent to the addresses or email addresses specified in the applicable Order Form or to such other address as a party may designate by written notice to the other party in accordance with this Section 15.5.

15.6 Entire Agreement. This Agreement, together with all Order Forms, the DPA (if applicable), and any other exhibits, schedules, or attachments hereto, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, understandings, negotiations, and discussions, whether oral or written, between the parties with respect to such subject matter. In the event of any conflict between the terms and conditions of this Agreement and the terms and conditions of any Order Form, the terms and conditions of the Order Form shall control to the extent of such conflict, unless the Order Form expressly states otherwise.

15.7 Amendments. No amendment, modification, supplement, or waiver of any provision of this Agreement shall be effective unless made in writing and duly executed by an authorized representative of each party. No terms or conditions set forth in any purchase order, invoice, acknowledgment, or other business form used by Customer shall modify, supplement, or supersede the terms and conditions of this Agreement, regardless of any failure by Provider to object to such terms or conditions.

15.8 Export Compliance. Customer shall comply with all applicable export control and sanctions laws and regulations of the United States and all other relevant jurisdictions (collectively, "Export Laws"), including without limitation the Export Administration Regulations administered by the U.S. Department of Commerce, the International Traffic in Arms Regulations administered by the U.S. Department of State, and the sanctions programs administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control. Customer shall not, directly or indirectly, export, re-export, or otherwise make available the Service or any related technology, information, or data to any country, territory, entity, or individual prohibited or restricted under applicable Export Laws without first obtaining all required governmental authorizations.

15.9 Anti-Corruption and Anti-Bribery. Each party represents and warrants that it has not and will not, in connection with this Agreement, directly or indirectly: (a) offer, pay, promise, authorize, or give any money, gift, or anything of value to any government official, political party, political candidate, or any person acting in an official capacity, for the purpose of influencing any act or decision of such person, or securing any improper advantage, in violation of any applicable anti-corruption or anti-bribery law; or (b) violate or cause the other party to violate any applicable anti-corruption or anti-bribery law, including without limitation the U.S. Foreign Corrupt Practices Act of 1977, the U.K. Bribery Act 2010, or any similar law of any other jurisdiction.

15.10 Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be invalid, illegal, or unenforceable in any respect, such provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable while preserving the parties’ original intent, or if such modification is not possible, such provision shall be severed from this Agreement, and the remaining provisions of this Agreement shall continue in full force and effect. The parties shall negotiate in good faith a valid, legal, and enforceable substitute provision that most nearly effects the parties’ intent in entering into this Agreement.

15.11 Waiver. No failure or delay by either party in exercising any right, power, or remedy under this Agreement shall operate as a waiver thereof, nor shall any single or partial exercise of any such right, power, or remedy preclude any other or further exercise thereof or the exercise of any other right, power, or remedy. No waiver of any provision of this Agreement shall be effective unless made in writing and signed by the party granting such waiver. A waiver of any breach of this Agreement shall not constitute a waiver of any subsequent or other breach.

15.12 Counterparts. This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument. Execution and delivery of this Agreement by exchange of facsimile or electronic copies bearing the facsimile or electronic signature of a party shall constitute a valid and binding execution and delivery of this Agreement by such party. Such facsimile or electronic copies shall constitute enforceable original documents.

15.13 Relationship of the Parties. The relationship between the parties is that of independent contractors. Nothing in this Agreement shall be construed to create a partnership, joint venture, franchise, fiduciary, employment, or agency relationship between the parties. Neither party has the authority to bind the other party or to incur any obligation on behalf of the other party. Each party shall be solely responsible for the supervision, daily direction, control, payment of salary and benefits, and withholding and payment of applicable taxes for its own personnel.

15.14 Third-Party Beneficiaries. This Agreement is for the sole benefit of the parties hereto and their respective successors and permitted assigns, and nothing herein, express or implied, is intended to or shall confer upon any other person or entity any legal or equitable right, benefit, or remedy of any nature whatsoever under or by reason of this Agreement.

15.15 Construction. The headings in this Agreement are for convenience of reference only and shall not affect the interpretation of this Agreement. The words "include," "includes," and "including" shall be deemed to be followed by "without limitation." The word "or" is not exclusive. References to "Sections" refer to sections of this Agreement unless otherwise specified. All references to currency shall be to United States Dollars unless otherwise specified.

SIGNATURE

IN WITNESS WHEREOF, the parties hereto have executed this SaaS Subscription Agreement as of the Effective Date.

[COMPANY NAME]

By: ___________________________

Name: ___________________________

Title: ___________________________

Date: [DATE]

[CUSTOMER NAME]

By: ___________________________

Name: ___________________________

Title: ___________________________

Date: [DATE]


This template is provided by Montague Law for informational purposes only and does not constitute legal advice. Consult a qualified attorney before using this document.