GENERAL TERMS AND CONDITIONS
These General Terms and Conditions and the Order (together, the “Agreement”) are by and between OSPInsight International, Inc., a Utah corporation (“OSPI”) and the entity or person identified on the Order referencing this Agreement (“Customer”) and is effective upon Customer’s access to the Services or indication of consent electronically (the “Effective Date”).
Customer desires to license certain software from OSPI, and OSPI will provide such software as provided in this Agreement. In consideration of the foregoing, the mutual covenants and agreements made in this Agreement and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, and intending to be legally bound, the parties agree as follows:
1. Definitions. Except to the extent they are given a different definition in another exhibit or attachment, the following terms shall have the definitions given to them below when they appear in this Agreement:
1.1 "Affiliate" means any entity or person controlling, controlled by, or under common control with OSPI, whether present or future. OSPI may be acting for itself or as agent for one or more Affiliates, as specified in a duly executed authorization.
1.2 “Customer Data” means the data, information, images, and other content that is uploaded to, imported into or created in the Subscription Service by the Users. Customer Data does not include Statistical Data.
1.3 “Documentation” means OSPI’s end user documentation for the Subscription Service available in-product and through the online help feature of the Subscription Service at https://help.ospinsight.com as may be updated by OSPI from time to time.
1.4 “Hosted Deployment” means OSPI’s Subscription Service delivered via the internet in a cloud-hosted environment.
1.5 “Information Security Program” means OSPI’s then-current data security and data management policies and procedures that apply to the operation and use of the Services.
1.6 “Non-OSPI Application” means a web-based, offline, mobile, or other software application or functionality that is provided by a third-party, is not owned by OSPI or under OSPI’s control and interoperates with a Service, including the third-party printers described below.
1.7 “Order” means an order form, invoice, statement of work or other document (including any online submission form or electronic order) that forms part of this Agreement detailing, amongst other things, the Services to be provided, the Subscription Term of the Services, and the fees payable by Customer.
1.8 “OSPI Assets” means (a) the Subscription Service (but not any Customer Data or Customer Confidential Information contained therein); (b) all OSPI technology, software, data, methodologies, changes, improvements, components and documentation used to provide the Services or made available in connection herewith, and all intellectual property, proprietary rights and underlying source code and object code in and to the foregoing; and (c) all other intellectual property owned by OSPI and all copyrights, patents, trademarks and trade names, trade secrets, specifications, methodologies, documentation, algorithms, criteria, designs, report formats and know-how.
1.9 “Personal Data” means information that relates or could reasonably be linked to, or is capable of being associated with, directly or indirectly, an identified or identifiable person, including names, email addresses, postal addresses, identification numbers, location data, online identifiers or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person.
1.10 “Protected Information” means information that is subject to specific regulations or laws that impose increased protections and/or obligations with respect to handling that type of information or that is not appropriate for use in the Subscription Service, as intended. Protected Information includes, without limitation, data that is subject to the Payment Card Industry Data Security Standards (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA) or any similar legislation in an applicable jurisdiction, or any credit or debit card and magnetic stripe information, social security numbers, driver’s license numbers, passport numbers, government issued identification numbers, health-related information, biometric data, financial account information, personally identifiable information collected from children under the age of 16 or from online services directed toward children, or information deemed “sensitive” under applicable law (such as racial or ethnic origin, political opinions, or religious or philosophical beliefs).
1.11 “Security Breach” means a breach of security leading to any accidental, unlawful, or unauthorized access, use, disclosure, alteration, destruction, or loss of Customer Data.
1.12 “Services” means the Subscription Service, Support, and any other services provided by OSPI to Customer, but excludes any Non-OSPI Application.
1.13 “Statistical Data” means statistical data generated or related to the provision, operation or use of the Subscription Service, including measurement and usage statistics, configurations, survey responses, and performance results.
1.14 “Subscription Service” means OSPI’s internet-delivered, cloud-hosted, software as a service offering(s) described in an Order, which may include one or more of OSPI’s core products and/or premium add-ons.
1.15 “Subscription Term” means the subscription term listed in an Order.
1.16 “Support” means the support services described in Section 4.1.
1.17 “Users” means any individual authorized or invited by Customer or one of Customer’s Users to access and use the Subscription Service (each with a unique login and password) pursuant to the terms of this Agreement.
2.1 Subscription Service. Subject to payment of the applicable fees and the terms of this Agreement and the applicable Order, the Users may access and use the Subscription Service during the Subscription Term solely for Customer’s internal business operations. Customer may purchase additional Subscription Services, or add licensed Users during the applicable Subscription Term at Customer’s then-current price per licensed User and the related fees will be prorated for the remainder of the applicable Subscription Term.
2.2 Subscription Renewal. After the initial Subscription Term, Customer’s Subscription Service will automatically renew for successive periods of 12 months, unless either party notifies the other party of termination, in writing, at least 30 days before the end of the current Subscription Term. At least 30 days before the end of the current Subscription Term, OSPI will notify Customer if there will be an increase in the fees; otherwise Customer will receive a renewal Order on or about the date of renewal.
3. Use of the Services
3.1 Access and Users. Customer will obtain, maintain, and support all internet access, equipment, and ancillary services needed to access the Services. User subscriptions are for named individuals and cannot be shared or used by more than one individual at a time. Each User must keep a secure password for accessing the Subscription Service, and each User shall keep such password confidential. Customer will (a) obtain from Users any consents necessary for OSPI to provide the Services; (b) maintain commercially reasonable security standards with respect to use of the OSPI Assets; and (c) in the event of any unauthorized access or use of the Services, promptly notify OSPI at email@example.com.
3.2 Customer Responsibilities. Customer is responsible for (a) access to and use of the Subscription Service by the Users and the Users’ compliance with this Agreement; (b) the secure transmission of Customer Data to the Subscription Service; (c) the legality, reliability, integrity, accuracy and quality of the Customer Data and the means by which Customer or the Users acquired the Customer Data; (d) if desired, backing-up the Customer Data outside of the Subscription Service; and (e) if required, providing qualified personnel to timely perform Customer’s duties and tasks specified in an Order. Customer acknowledges that the Subscription Service was not designed or intended to process or manage any Protected Information. OSPI is not responsible for damages associated with Protected Information created, stored, shared or processed through the Subscription Service.
3.3 Use Restrictions. Customer will not and will ensure that the Users do not: (a) license, sublicense, sell, resell, rent, lease, transfer, distribute, provide access, or otherwise commercially exploit, or make the Services available to any third-party except as expressly authorized herein; (b) copy, modify, translate, adapt, merge, or create derivative works of the Services or disassemble, decompile, reverse engineer or otherwise extract the source code of, or reduce to human-perceivable form, any part of them unless the foregoing restrictions are expressly prohibited by applicable law; (c) use or access the Services (i) for competitive purposes or (ii) other than in compliance with all applicable laws and regulations (including export control laws and restrictions) and Customer represents and warrants that Customer and all Users are not located within or a citizen of an embargoed or otherwise restricted nation (including without limitation Iran, Syria, Sudan, Cuba and North Korea) and that you are not otherwise prohibited under any export laws from receiving the Services or Deliverables; (d) remove or modify any proprietary markings or restrictive legends in the Subscription Service; (e) infringe or misappropriate any OSPI Assets; (f) attempt to gain unauthorized access to the Services or any portion thereof; (g) introduce into the Subscription Service viruses, malware, Trojan horses, worms, spyware or other destructive code, or otherwise engage in any malicious act or disrupt the security, integrity or operation of the Subscription Service; (h) access or attempt to access the Subscription Service by any means other than OSPI’s publicly supported interfaces, including through any automated means (i.e. use of scripts or web crawlers); (i) probe, scan, or test the vulnerability of any OSPI system or network; or (j) access, store, create, share, display, publish or transmit any material that is unlawful or related to illegal activity, threatening, deceptive, defamatory, discriminatory, obscene, libellous, invasive of another’s privacy, or infringes the intellectual property rights of a third-party through the Subscription Service.
4. Provision of the Services
4.1 Support. OSPI provides technical support for the Subscription Service through its online Help Center available at https://help.ospinsight.com, as applicable. Support requests may be submitted to firstname.lastname@example.org. Technical product support is available during OSPI’s normal business hours of 9:00AM to 5:00PM Mountain Time, Monday through Friday, excluding federal and state holidays. Customer will receive the technical support and service level commitments set forth on Schedule A, Enterprise Support and Service Commitment.
4.2 Updates. OSPI makes updates (e.g. bug fixes, enhancements) to the Subscription Service on an ongoing basis. Customer consents to OSPI’s delivery of updates automatically through the Subscription Service. Except for urgent updates, OSPI schedules maintenance during non-peak usage hours (that minimizes the impact on all Users, worldwide) and will provide 12 hours’ advance notice of any planned unavailability.
4.3 Data Security. OSPI will maintain appropriate administrative, physical, technical and organizational measures to protect the security, confidentiality, and integrity of Customer Data in accordance with its Information Security Program set forth on Schedule B, Information Security Program. During the Subscription Term, OSPI will engage, at its expense, an independent third-party to conduct an audit of OSPI’s operations with respect to the Subscription Service in accordance with the Statement on Standards for Attestation Engagements No. 18 (the “SSAE 18”), and have such firm issue a SOC 2 report (or a substantially similar report of a successor auditing standard). Any revisions to the Information Security Program will not diminish OSPI’s current data security obligations. OSPI will notify Customer promptly of any Security Breach and will cooperate with Customer in the investigation and mitigation of any such incident.
4.4 Data Processing. Customer hereby grants OSPI a worldwide, non-exclusive, non-transferable, right to access, use and process Customer Data: (a) as requested by Customer or a User; (b) as necessary to provide and improve the Services, including to identify, investigate, or resolve technical problems with the Services and to detect and protect against fraud; and (c) as required by applicable law, regulation, legal process or enforceable governmental request and to detect and prevent violations of this Agreement. OSPI will process Personal Data contained in the Customer Data solely for the purpose of performing the Services and will not collect, use, disclose, release, disseminate, transfer, or otherwise communicate or make available to a third-party such Personal Data except to provide the Services or as expressly permitted by this Agreement.
4.5 Service Providers. OSPI may utilize subcontractors or SaaS tools in connection with OSPI’s provision of the Services, including processing Customer Data, provided that such third-parties (a) are subject to confidentiality obligations substantially as protective of Customer Data as those set forth herein; and (b) maintain appropriate data security obligations taking into account the state of the art, costs of implementation and the type of data. OSPI is responsible for such third-parties’ acts and omissions in relation to OSPI’s obligations hereunder.
4.6 Account Information. OSPI will use data provided in connection with the creation or administration of Customer and User accounts to set up and maintain such accounts, to inform Customer and Users about features of the Services, to provide and maintain the Services, and as necessary to comply with applicable law, regulation, legal process or enforceable governmental requests and to detect and prevent fraud and/or violations of this Agreement.
5.1 Definition. “Confidential Information” means non-public, proprietary, business, technical, security, legal, or financial information that is either marked or identified as Confidential Information or would reasonably be understood to be confidential, including information about products, processes, services, trade secrets, marketing and business plans, client lists, financial information, system architecture, security programs, and intellectual property. Notwithstanding the foregoing, Confidential Information does not include information that: (a) the receiving party possesses without a duty to keep confidential prior to acquiring it from the disclosing party; (b) is or becomes publicly available through no violation of this Agreement by the receiving party; (c) is given to the receiving party by a third-party not under a confidentiality obligation to the disclosing party; or (d) is developed by the receiving party independently of, and without reliance on, confidential or proprietary information provided by the disclosing party.
5.2 Use and Disclosure of Confidential Information. Each party may be given access to Confidential Information of the other party in connection with this Agreement. The receiving party may only use this Confidential Information as provided for in this Agreement or to exercise its rights hereunder and may only share this Confidential Information with its employees, agents, advisors and service providers who need to know it, provided they are subject to similar confidentiality obligations. The receiving party will use the same degree of care, but no less than a reasonable degree of care, as such party uses with respect to its own Confidential Information to protect the disclosing party’s Confidential Information and to prevent any unauthorized use or disclosure thereof. Neither party shall be responsible for any loss, destruction, alteration or disclosure of Confidential Information caused by any third-party not under the receiving party’s control. If the receiving party is compelled by law to disclose the other party’s Confidential Information, it shall provide the disclosing party with prior written notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the disclosing party’s cost, if the disclosing party wishes to contest the disclosure.
6. Intellectual Property and Proprietary Rights
6.1 Customer Data. As between the parties, Customer owns all right, title, and interest in and to Customer Data, including all intellectual property and proprietary rights therein. Except as expressly set forth herein, OSPI acquires no right, title, or interest from Customer hereunder in or to Customer Data.
6.2 OSPI Assets, Feedback and Statistical Data. As between the parties, OSPI owns all right, title, and interest in and to the OSPI Assets and OSPI Confidential Information, including all intellectual property and proprietary rights therein. Except as expressly set forth herein, OSPI does not convey any rights to Customer or any User. Customer or Users may provide feedback or suggestions about the features, functions, or operation of the Services (“Customer Feedback”). If Customer or the Users provide any Customer Feedback, OSPI may, without any cost to OSPI, freely use and exploit the Customer Feedback (without any obligations or restrictions). Customer is not required to provide Customer Feedback and OSPI is not required to use or incorporate Customer Feedback into any of its products or Services. In addition, OSPI owns all rights to the Statistical Data. OSPI may use the Statistical Data for its own business purposes (such as improving, testing, and maintaining the Subscription Service and developing additional products and services), and from time to time, provided that it does not reveal the identity, directly or indirectly, of any User or Customer, may publish any Customer Feedback and aggregated Statistical Data.
6.3 Database Structure. The database structure of the OSPI software consists of intellectual property, trade secrets, confidential, and proprietary information of OSPI, and is made available to the Customer to be used strictly in accordance with this Agreement and solely for purposes of allowing Customer to link to data external to the application and to allow the Customer the ability to create reports and perform other analysis on the data contained in the OSPI software database. Customer agrees that the database structure and any knowledge thereof will not be used for purposes of moving the data to any software or other application, including without limitation one that replaces or competes with the OSPI software or contains similar functionality. Also, in no event shall Customer give or allow access to either the database structure or any knowledge thereof to another entity or party for any purpose, including without limitation moving the data to any software or other application that replaces or competes with the OSPI software or contains similar functionality. In the event that such a service is required, Customer shall contract with OSPI at its then applicable rates to migrate the data to a format conducive to such a transfer.
6.4 Reproduction. Customer shall not reproduce or modify, in whole or in part, the OSPI Assets or OSPI Confidential Information, nor shall Customer merge any of the foregoing into other program materials to form a modified or updated work provided that any copyright or proprietary labels, legends, or notices are included in or placed upon any such modified or updated work.
6.5 Restrictions. Customer agrees not to: (i) reverse engineer, decompile, disassemble, or otherwise attempt to determine source code or protocols from the OSPI Assets and/or the OSPI Confidential Information; (ii) lease, rent, or sublicense the OSPI Assets and/or the OSPI Confidential Information to any third-party; or (iii) create or attempt to create any derivative works from the OSPI Assets and/or the OSPI Confidential Information.
7. Other products and Services
7.1 Free Services. If Customer receives any Services free of charge, such Services are made available to Customer “AS-IS” without any representations, warranties, support, maintenance or other obligation of any kind. OSPI may terminate Customer’s access to, or use of, a free Service at any time.
7.2 Beta Features. OSPI may make new features of the Subscription Service available to Customer or certain Users. Notwithstanding any other provision herein, Services released as beta, pilot, limited release, non-production or evaluation (“Beta Features”) are made available to Customer “AS-IS” without any warranty, support, maintenance or other obligation of any kind. OSPI may terminate access to, or use of, a Beta Feature at any time. Beta Features will not diminish the functionality of the Subscription Services.
7.3 Third-Party Software. OSPI may utilize third-party software components (“Third Party Applications”) as part of the Subscription Service. OSPI makes no warranties or guarantees of continued service with the third-party components other than to make a best effort to replace the functionality of the feature if such feature becomes unavailable or is no longer supported. OSPI may change or discontinue use of any Third Party Application at any time, provided that the functionality of the Subscription Service is not materially affected. Upon request, OSPI shall provide Customer with copies of all licenses for any Third Party Applications incorporated into the Subscription Service.
7.4 Non-OSPI Application. If Customer wants to utilize interoperability with a Non-OSPI Application, Customer may need to purchase a subscription for such product. OSPI is not responsible for the Non-OSPI Applications and any use thereof is subject to the end user license or other use agreement that Customer or a User accepts from, or establishes with, the third-party. OSPI has no liability with respect to procurement or use of Non-OSPI Applications.
8. Representations and Warranties
8.1 OSPI. OSPI warrants that the Services will conform in all material respects to the Documentation and service levels set forth in Schedule A, Enterprise Support and Service Commitment when accessed and used in accordance with the Documentation. OSPI does not make any representations or guarantees regarding uptime or availability of the Services unless specifically identified in Schedule A. The remedies set forth in Schedule A are Customer’s sole remedies and OSPI’s sole liability under the limited warranty set forth in this Section. THE FOREGOING WARRANTY DOES NOT APPLY, AND PROVIDER STRICTLY DISCLAIMS ALL WARRANTIES, WITH RESPECT TO ANY NON-OSPI APPLICATION OR ANY THIRD-PARTY PRODUCT. These warranties will not apply to any failure caused by a defect in, or modification to, the applicable Service caused or made by Customer, any User, or a person acting at Customer’s direction.
8.2 Customer. If Customer chooses to enable administrative controls over access to the Subscription Service by Customer e-mail domains (i.e. OSPI’s lock-down and consolidation features), Customer represents and warrants that it owns such e-mail domain(s) and that it owns the content that has been created by individuals with such e-mail domains. Customer will appoint an administrator to manage its account and will be solely responsible for the administrator’s acts and omissions with respect to the Services. The undersigned representative of Customer represents that such individual has the authority to bind Customer to this Agreement. A User that has been granted access to use the Subscription Service by an account administrator is also required to abide by the terms of this Agreement.
8.3 Disclaimer. EXCEPT AS EXPRESSLY PROVIDED HEREIN, THE SERVICES ARE PROVIDED “AS IS” AND OSPI MAKES NO REPRESENTATION OR WARRANTY OF ANY KIND, WHETHER WRITTEN, ORAL, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. OSPI MAKES NO WARRANTY OF ANY KIND THAT THE SERVICES, OR ANY PRODUCTS OR RESULTS OF THE USE THEREOF, WILL MEET CUSTOMER’S OR ANY OTHER PERSON’S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM, OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR FREE.
9.1 Fees. Customer will pay all fees specified in each Order. Except as expressly set forth herein (a) all fees are non-cancellable and once paid are non-refundable; and (b) quantities purchased cannot be decreased during a Subscription Term.
9.2 Payment Terms. OSPI will invoice Customer and, unless otherwise agreed to in the Order, invoiced fees will be due within 30 days from the invoice date. Billing disputes must be notified to OSPI in writing within 30 days from the invoice date. Customer agrees to promptly notify OSPI in writing of any changes to its billing information. Except as prohibited by law, OSPI may charge a late fee of 1.5% (or the highest rate permitted by law, whichever is less) per month on past due amounts. If Customer requires a purchase order, vendor registration form, or other documentation, such requirement will in no way relieve, affect or delay Customer’s obligation to pay any amounts due hereunder.
9.3 Currency and Taxes. All amounts payable to OSPI hereunder will be paid in the currency set forth in the Order (or USD if not specified) and are exclusive of any applicable sales or use taxes (such as GST or VAT). These taxes (if applicable) will be stated separately on each invoice, unless Customer provides (in advance) a valid tax exemption certificate authorized by the applicable taxing authority.
10.1 By OSPI. OSPI will defend Customer, its officers, directors and employees (the “Customer Indemnified Parties”) against any claim, demand, suit or proceeding (each, a “Claim”) made or brought against the Customer Indemnified Parties by a third-party alleging that a Subscription Service infringes or misappropriates such third-party’s intellectual property rights, and will indemnify the Customer Indemnified Parties from any finally awarded damages or settlement amount and reasonable expenses (including attorneys’ fees) to the extent arising from such Claim. Notwithstanding the foregoing, OSPI will not be obligated to indemnify Customer if an infringement or misappropriation claim arises from: (a) the Customer Data; (b) Customer’s or User’s misuse of the Service or any Non-OSPI Application or unauthorized modification of the OSPI Assets; (c) Customer’s or User’s use of the Service in combination with any products, services, or technology provided by a third-party or a modification of the Subscription Service by Customer or User, if the Subscription Service or use thereof would not infringe without such combination or modification; or (d) continued use of the Subscription Service after notice by OSPI to discontinue use. If an infringement or misappropriation Claim is made or threatened, OSPI may, in its sole discretion: (i) replace or modify the infringing Subscription Service so that it is non-infringing (but functionally equivalent); (ii) procure the right for Customer to continue its use of the Subscription Service; or (iii) notwithstanding OSPI’s obligation to indemnify hereunder, terminate use of the infringing Subscription Service and refund any unused prepaid fees covering the terminated portion of the Subscription Service.
10.2 Customer. Customer will defend OSPI and OSPI’s affiliates, and their respective officers, directors and employees (the “OSPI Indemnified Parties”) made or brought against the OSPI Indemnified Parties by a third-party or User (a) alleging the Customer Data infringes or misappropriates any intellectual property rights; (b) related to ownership of Customer Data; (c) negligence or willful misconduct; (d) use of the Services in a manner not authorized by this Agreement; (e) use of the Services in combination with data, software, hardware, equipment, or technology not provided by OSPI in writing; (f) modifications to the Services not made by OSPI; or (g) related to the administrator’s actions with respect to the Customer’s account, and will indemnify the OSPI Indemnified Parties from any finally awarded damages or settlement amount and reasonable expenses (including attorneys’ fees) to the extent arising from such Claim.
10.3 Process. The party seeking indemnification (the “Indemnified Party”) will provide the other party (the “Indemnifying Party”) prompt written notice upon becoming aware of any Claim subject to indemnification hereunder (a delay in providing notice does not excuse these obligations unless the Indemnifying Party is prejudiced by such delay) and reasonable cooperation to the Indemnifying Party in the defense, investigation or settlement of any Claim at the Indemnifying Party’s expense. The Indemnifying Party will have sole control of such defense, provided that the Indemnified Party may participate in its own defense at its sole expense. The Indemnifying Party may not settle a Claim without the Indemnified Party’s consent if such settlement imposes a payment or other obligation on the Indemnified Party. This section sets forth the Indemnifying Party’s sole liability to, and the Indemnified Party’s exclusive remedy for, any type of claim or action described in this Section.
11. Limitation of liability
11.1 Limitation of Liability. TO THE EXTENT PERMITTED BY LAW, NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY (REGARDLESS OF THE BASIS OR TYPE OF CLAIM AND EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES) FOR ANY LOST PROFITS, REVENUES OR DATA, BUSINESS INTERRUPTION, DEPLETION OF GOODWILL, COVER, OR INDIRECT, SPECIAL, EXEMPLARY, PUNITIVE, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT. EXCEPT FOR A PARTY’S (A) INDEMNIFICATION OBLIGATIONS PURSUANT TO SECTION 10, OR (B) A PARTY’S INFRINGEMENT OR MISAPPROPRIATION OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS, EACH PARTY’S AGGREGATE LIABILITY FOR DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT (WHETHER IN CONTRACT, TORT OR OTHERWISE) WILL NOT EXCEED THE AMOUNT PAID OR PAYABLE BY CUSTOMER HEREUNDER WITHIN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO LIABILITY.
11.2 General. The parties acknowledge and agree that the limitations of liability, disclaimer of warranties, and any exclusion of damages included herein represent an allocation of risk between the parties (including the risk that a remedy may fail of its essential purpose) which is reflected by the fees paid.
12. Term and termination
12.1 Term. This Agreement will begin as of the Effective Date and continue for the Subscription Term stated therein. Purchases of non-recurring or one-time Services made via an Order will not automatically renew.
12.2 Termination for Cause. Either party may terminate this Agreement if the other party (a) commits a material breach of this Agreement and does not cure the breach within 30 days of receiving written notice of the breach; or (b) immediately upon the other party ceasing to operate in the ordinary course, making an assignment for benefit of creditors, or becoming the subject of any bankruptcy, liquidation, dissolution, or similar proceeding. If Customer terminates this Agreement for cause, OSPI will refund Customer the unused prepaid fees covering the terminated portion of the Service.
12.3 Suspension of Subscription Service. OSPI reserves the right to suspend access to the Subscription Service if (a) Customer has undisputed amounts more than 30 days past due; (b) OSPI reasonably determines that Customer or its Users are in breach of this Agreement, which is not cured within 30 days of OSPI providing written notice to the account administrator; or (c) OSPI reasonably determines that Customer or its Users are using the Subscription Service in a way that creates a security vulnerability, may disrupt others’ use of the Subscription Service, or have misappropriated or infringed OSPI’s or another third-party’s intellectual property or proprietary rights. OSPI will only suspend access to the extent, and for the duration, necessary to address the violation and will promptly restore access once the issue has been resolved. OSPI will not suspend access if Customer is (reasonably and in good faith) disputing a charge and cooperating in resolving the dispute.
12.4 Effect of Termination. On the termination of this Agreement, (a) all Orders will terminate; (b) OSPI will disable Customer and each User’s access to the paid Services; (c) Customer will pay any accrued but unpaid fees prior to the effective date of termination; (d) each party will return and make no further use of, or destroy, any Confidential Information belonging to the other party, subject to (e); and (e) OSPI will delete all Customer Data in accordance with its automated deletion schedule and back-up policy. Any post-termination transition assistance requested from OSPI is subject to the mutual agreement of the parties (and may require payment of Professional Services fees). Any terms that are expressly stated to survive or by their nature survive termination or expiration hereof will survive (including Sections 5, 6, 9, 10, 11, 12.4 and 13).
13.1 Insurance. OSPI will, at its expense, maintain commercially reasonable insurance coverage during the Subscription Term, evidenced by a certificate of insurance.
13.2 Compliance with Laws. OSPI will comply with all laws and regulations (including export control laws and restrictions) applicable to its provision of the Services to its users generally (i.e. without regard for Customer’s particular use of the Services or laws and regulations specific to Customer and its industry).
13.3 Relationship of the Parties. The parties are independent contractors. This Agreement does not create or imply any agency, partnership, or franchise relationship. This Agreement is intended for the benefit of the parties and not any third-party. Neither party has the authority to assume or create any obligation on behalf of the other party.
13.4 Force Majeure. Neither party is liable for delay or default hereunder (except for any obligations to make payments) if caused by conditions beyond its reasonable control, including natural disasters, acts of God, hacker attacks, acts of terror or war, riots, actions or decrees of governmental bodies, changes in applicable laws, or communication or power failures.
13.5 Governing Law. Unless otherwise agreed in an Order, this Agreement is governed by the laws of the State of Utah, without regard to its conflicts of law rules, and each party hereby consents to exclusive jurisdiction and venue in the state and federal courts located in Salt Lake County, Utah for any dispute arising hereunder.
13.6 Injunctive Relief. Each party acknowledges that any breach, threatened or actual, of the confidentiality and intellectual property obligations hereunder may cause irreparable injury to the other party for which there may not be an adequate remedy at law. Therefore, upon any such breach or threat thereof, the party alleging breach shall be entitled to seek injunctive and other appropriate equitable relief in addition to any other remedies available to it, without the requirement of posting a bond.
13.7 Notices. Any notice by a party hereunder will be in English, in writing and either personally delivered, sent via e-mail or delivered by first-class mail, postage prepaid, or by recognized commercial carrier addressed to the other party at the address specified on the Order as may be updated in accordance with this Section. If an e-mail address is not provided in the Order, OSPI will use the administrator’s contact information designated in the Subscription Service. Notices will be effective upon personal delivery or upon confirmation of receipt (or refusal to accept receipt).
13.8 Publicity. Unless otherwise set forth in an Order, OSPI may use Customer’s name, corresponding trademark or logo, and non-competitive use details in both text and pictures on its website and in marketing materials to identify Customer as a customer, subject to any usage guidelines Customer provides. In addition, OSPI may disclose the relationship between it and Customer if legally required or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets.
13.9 Assignment. Neither the rights nor the obligations arising under this Agreement are assignable or transferable by either party without the other party’s prior written consent, which shall not be unreasonably withheld or delayed, and any attempted assignment or transfer shall be void and without effect. Notwithstanding the foregoing, either party may assign this Agreement (including all Orders) without the consent of the other party to a successor in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets not involving a direct competitor of the non-assigning party, provided that, in the case of Customer, all fees owed and due have been paid. Subject to the foregoing, this Agreement shall bind and inure to the benefit of the parties, their respective successors, and permitted assigns.
13.10 Amendment and Waiver. Any modification or amendment of this Agreement must be in writing and signed by authorized representatives of both parties. Any waiver of this Agreement must be in writing and no written waiver will operate or be construed as a waiver of any subsequent breach. The failure of either party to exercise or enforce any right or provision of this Agreement will not constitute a waiver of such right or provision or of any other right or provision.
13.11 Miscellaneous. This Agreement, and any exhibits, schedules or documents referred to in it, constitute the entire agreement between the parties and supersede all prior or contemporaneous representations, agreements or understandings (written or verbal) relating to the subject matter hereof. If any terms of this Agreement are found to be invalid or unenforceable, the remaining terms of this Agreement will remain in full force and effect and the invalid or unenforceable provision will be deemed modified so that it is valid and enforceable to the maximum extent permitted by law. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (a) the applicable Order form; (b) this Agreement; and (c) the Documentation.
ENTERPRISE SUPPORT AND SERVICE COMMITMENT
- Enterprise Support
- Response Times. OSPI will respond to standard technical support requests within 1 business day. Urgent technical support requests that compromise the ability for the Customer to use or access OSPI services outside of normal support hours shall be responded to within 12 hours if Customer calls 1-801-936-0970 in addition to submitting the support ticket via email. In the event of any loss or damage to Customer Data in a Hosted Deployment, OSPI will restore the lost or damaged Customer Data from the latest available back-up of such Customer Data maintained by OSPI within a commercially reasonable amount of time.
- Continuous Efforts. The account administrator of an enterprise account may request Continuous Efforts to resolve a severe case, as confirmed by OSPI. “Continuous Efforts” means work will continue after OSPI’s normal business hours, including weekends and local holidays.
- Customer’s Designated Contacts. When submitting a problem report, Customer or the User must (a) provide sufficient information about the problem to enable OSPI to reproduce it; and (b) provide OSPI with reasonable assistance, as requested, to help troubleshoot the problem. To the extent required, Customer’s account administrator will be responsible for (i) overseeing requests for assistance, and (ii) developing and deploying troubleshooting processes within Customer’s organization. Customer’s account administrator must be technically skilled and knowledgeable about the Subscription Service and the environment in which it is being used, in order to help resolve system issues and to assist OSPI in analyzing and resolving support requests; otherwise, OSPI’s ability to provide support services to Customer may be impaired.
- Disclaimer. OSPI will not be responsible for providing support for problems in the operation or performance of the Subscription Service if the problem relates to errors in Customer Data, an SLA Exclusion (defined below), or any unauthorized use or modification of the Subscription Service, including modifications to the database schema. OSPI’s ability to comply with this Exhibit may depend on OSPI being able to contact the account administrator, a designated contact or a
- Service Commitment
- Service Levels. OSPI will use commercially reasonable efforts to meet an Uptime Availability for the Subscription Service of at least 99.9% per month. “Uptime Availability” is calculated by subtracting from 100% the percentage of five-minute periods during the applicable month in which a material number of the authorized Users are unable to list, open, or save changes to the OSPI database in the Subscription Service, excluding downtime resulting directly or indirectly from any SLA Exclusion. If Customer has been using the Services for less than a full calendar month, the service month is still the preceding calendar month but any days prior to use of the Subscription Service will be deemed to have had 100% Uptime Availability.
- “SLA Exclusion” means any unavailability or performance issues related to the Subscription Service that result from (a) a suspension or termination of the right to use the Subscription Service in accordance with this Agreement; (b) factors outside of OSPI’s reasonable control, including any force majeure event or any technology issues originating from the Customer, User or third-party not within OSPI’s control; or (c) any scheduled maintenance or outages.
- Service Credit. To receive a service credit, Customer must submit a written request to email@example.com within 30 days of the service If OSPI confirms the Uptime Availability was less than 99.9% for the applicable month, OSPI will issue a service credit equal to 10% of Customer’s monthly subscription fees. This credit will only apply against future payments otherwise due from Customer; provided that, if there is no future payment due, OSPI will extend the Subscription Service for the period of time corresponding to the service credit. This credit is Customer’s sole and exclusive remedy for OSPI not meeting the Uptime Availability for the Subscription Service. Service credits may not be transferred or applied to any other account.
INFORMATION SECURITY PROGRAM
- General Provision
- Information Security Program. OSPI maintains and implements its Information Security Program which establishes proper policies, procedures, and standards to protect the confidentiality, integrity and availability of all information and data, whether in electronic or tangible form. The Information Security Program protects against anticipated or actual threats or hazards, including Security Breaches. The Information Security Program contains administrative, physical, technical, and organizational safeguards in accordance with industry best practices having regard to the state of the art, the costs of implementation, the likelihood of an incident, and the perceived security risk. OSPI implements and enforces disciplinary measures against employees and contractors for failure to abide by its Information Security Program.
- Notification of Security Breaches. In the event of a Security Breach, OSPI will promptly, and in accordance with applicable laws, inform Customer and provide available details of the Security Breach, including the nature and scope of the incident and what types of data may have been accessed, lost, or misused.
- Secure Disposal. OSPI securely disposes of Customer Data in accordance with applicable law, taking into account currently available technology so that Customer Data cannot be reasonably read or reconstructed.
- Personnel Training. OSPI provides annual security awareness and privacy and confidentiality training to all personnel who process or may have access to Customer Data. These trainings educate personnel about the importance of information security, laws and contractual obligations that govern personal information and Customer Data, and instruct them on how to safeguard such data against data loss, misuse, or security breaches through physical, logical, and social engineering mechanisms.
- User Access Management. OSPI implements access control policies to support creation, amendment, and deletion of user accounts for systems or applications storing or allowing access to Customer Data. OSPI’s user account and access provisioning process assigns and revokes access rights to systems and applications. Personnel account privileges are allocated on a “least privilege” basis. Personnel access to environments and Customer Data is restricted and segregated based on job responsibilities. Personnel access to systems and applications with access to Customer Data is reviewed on at least a quarterly basis.
- Passwords and Multi-factor Authentication. Industry standard password security is implemented for all OSPI employee accounts. Policies include minimum length, complexity, restrictions on password reuse, number of password resets in a given timeframe, and frequency in which passwords must be changed. OSPI has implemented and maintains a multi-factor authentication method required for access to applications and systems containing Customer Data.
- Employee Termination. OSPI maintains an employee termination process that specifies timeframes for termination of logical and physical access, including procedures for OSPI to collect any devices or equipment containing Customer Data from the terminating employee, at the time of termination.
- Secure User Authentication. OSPI ensures proper user authentication for all of its employees and contractors with access to Customer Data, including by assigning each employee and contractor unique access credentials for access to any system on which Customer Data can be accessed and prohibiting employees and contractors from sharing their access credentials. OSPI ensures that all persons having access to OSPI’s systems and Customer Data have appropriately controlled and limited access, access is removed when no longer required or appropriate, and all persons who should not have access (e.g. terminated employees) cannot obtain access.
- Separation of Duties. OSPI maintains separation of duties to prevent end-to-end control of a process by one individual.
- Data Storage. Unless otherwise agreed to in an Order, OSPI stores Customer Data in the United States.
- Application Security
- Change Control. OSPI maintains policies and procedures for managing changes and updates to production systems, applications, and databases, including processes for documenting security patching, authentication, and the testing and approval of changes into production.
- Secure Communications. OSPI employs industry standard communication security measures to protect data from unauthorized access. The service security measures include server authentication and data encryption. The data processing environment is protected using one or more firewalls that are updated according to industry standards.
- Key Management. OSPI implements key management procedures that include the secure generation, distribution, activation, storage, recovery, and replacement/update of cryptographic keys. Keys are rotated on a regular basis and lost, corrupted, or expired keys are revoked or disabled immediately.
- Logging and Monitoring. OSPI generates administrator and event logs for systems and applications that store, allow access to, or process Customer Data. Logs are archived for a minimum of 180 days. Logs for all applications, systems, or infrastructure that supports, processes, or stores confidential or higher data are archived for at least one year. Logs capture key security event types. Access to modify system logs is restricted. In the event of a confirmed Security Breach, appropriate logs may be shared with Customer upon reasonable request. OSPI reviews system logs regularly to identify system failures, faults, or potential security incidents affecting Customer Data.
- Anti-Virus/Anti-Malware. OSPI implements appropriate anti-virus/anti-malware detection software across all information systems processing Customer Data in its organization that are determined to be at risk, and where an acceptable solution is available. OSPI maintains anti-virus/anti-malware software to ensure it is up-to-date with the most recent virus and malware signatures and definitions. On systems where anti-virus/anti-malware is not implemented, appropriate system hardening procedures are applied to minimize exposure.
- Intrusion Detection. OSPI implements and maintains an intrusion detection monitoring process at the network and/or host level to detect unwanted or hostile network traffic. OSPI updates its intrusion detection software continuously, on a scheduled basis following the availability of updates by the software provider. OSPI implements measures to ensure that OSPI is alerted when the system detects unusual or malicious activity.
- Data Segmentation. To prevent unauthorized access to Customer Data, OSPI implements technical controls to ensure that Customer Data is properly segmented from data belonging to OSPI’s other customers.
- Secure Coding Practices. Developers attend secure development training periodically. All new code is peer-reviewed and undergoes full quality assurance and regression testing prior to being introduced into production. OSPI logically or physically separates environments for development, testing, and production.
- Physical Security
- Facilities. At facilities that OSPI controls, OSPI maintains appropriate physical security measures to ensure the safety and protection of employees, company assets, and Customer Data. OSPI will continually monitor any changes to the physical infrastructure and known threats.
- Data Security
- Encryption. OSPI encrypts Customer Data, when writing to removable devices, and while in transit. OSPI utilizes industry standard platform and data-appropriate encryption in non-deprecated, open/validated formats, and standard algorithms.
- Vulnerability & Patch Management. OSPI maintains a vulnerability management process to identify, report, and remediate vulnerabilities by performing vulnerability scans, implementing vendor patches or fixes, and developing a remediation plan for critical vulnerabilities. OSPI applies security patches on a regular basis to servers, firewalls, and systems used to access or process Customer Data.
- Data Transfers and Downloads. OSPI uses commercially reasonable efforts to prevent Customer Data from being taken from OSPI’s premises, copied, or downloaded unless approved by Customer.
- Storage Media. OSPI has implemented industry standard disk-level encryption on all machines that store or otherwise process Customer Data. OSPI will ensure that any storage media within its control (whether magnetic, optical, non-volatile solid state, paper, or otherwise capable of retaining information) that captures Customer Data will be securely erased or destroyed before repurposing or disposal.
- Vendor Assessments. Prior to engaging new third-party service providers and vendors that will have access to Customer Data, OSPI conducts a risk assessment of the data security practices of each third-party. OSPI also conducts periodic reviews of each third-party to ensure their data security practices continue to meet the necessary requirements to protect Customer Data. OSPI bears sole responsibility for its subcontractors.
- Testing and Audits
- Penetration Tests. OSPI periodically undertakes an application penetration test by an independent third-party. OSPI remediates all critical and high vulnerabilities identified in the penetration test. All other findings are remediated in a timeframe that is commensurate with the identified risks.
- Vulnerability Scanning. OSPI performs regular vulnerability scanning against services and key infrastructure utilizing industry standard tools or well-known external suppliers. Internal scans are performed at least monthly. External scans are performed at least quarterly, utilizing a Payment Card Industry Security Standards Council Approved Scanning Vendor.
- Disaster Recovery & Business Continuity
- Risk Assessment. OSPI maintains a risk assessment program to help identify foreseeable internal and external risks to OSPI’s information resources and determine if existing controls, policies, and procedures are adequate.
- Backups. OSPI backs up its production databases according to a defined schedule and stores back-ups offsite.
- Disaster Recovery Plan. OSPI maintains a disaster recovery plan that is consistent with industry standards. Regular testing of the disaster recovery plan is conducted to ensure its continued effectiveness.
- Business Continuity Plan. OSPI maintains a business continuity plan to manage and minimize the effects of unplanned disruptive events (cyber, physical, or natural). This plan includes procedures to be followed in the event of an actual or potential business interruption and has a stated goal of resumption of routine services within 48 hours of such event.