SafeBase SaaS Terms

1. SAAS SERVICES AND SUPPORT

1.1 Subject to the terms hereof, Company will provide Customer with services described in Exhibit A in accordance with the Service Levels described in Exhibit B.

2. RESTRICTIONS AND RESPONSIBILITIES

2.1 Customer will not, directly or indirectly: reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms relevant to the Services or any software, documentation or data related to the Services (“Software”); modify, translate, or create derivative works based on the Services or any Software (except to the extent expressly permitted by Company or authorized within the Services); use the Services or any Software for timesharing or service bureau purposes or otherwise for the benefit of a third party; or remove any proprietary notices or labels.

2.2 Further, Customer may not remove or export from the United States or allow the export or re-export of the Services, Software or anything related thereto, or any direct product thereof in violation of any restrictions, laws or regulations of the United States Department of Commerce, the United States Department of Treasury Office of Foreign Assets Control, or any other United States or foreign agency or authority. As defined in FAR section 2.101, the Software and documentation are “commercial items” and according to DFAR section 252.227-7014(a)(1) and (5) are deemed to be “commercial computer software” and “commercial computer software documentation.” Consistent with DFAR section 227.7202 and FAR section 12.212, any use, modification, reproduction, release, performance, display, or disclosure of such commercial software or commercial software documentation by the U.S. Government will be governed solely by the terms of this Agreement and will be prohibited except to the extent expressly permitted by the terms of this Agreement.

2.3            Customer represents, covenants, and warrants that Customer will use the Services only in compliance with all applicable laws and regulations.  Although Company has no obligation to monitor Customer’s use of the Services, Company may do so and may prohibit any use of the Services it believes may be (or alleged to be) in violation of the foregoing or of this Agreement.

2.4            Customer shall be responsible for obtaining and maintaining any equipment and ancillary services needed to connect to, access or otherwise use the Services, including, without limitation, modems, hardware, servers, software, operating systems, networking, web servers and the like (collectively, “Equipment”).  Customer shall also be responsible for maintaining the security of the Equipment, Customer account, passwords (including but not limited to administrative and user passwords) and files, and for all uses of Customer account or the Equipment with or without Customer’s knowledge or consent.

3. CONFIDENTIALITY; PROPRIETARY RIGHTS

3.1 Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose business, technical or financial information relating to the Disclosing Party’s business (hereinafter referred to as “Proprietary Information” of the Disclosing Party). Proprietary Information of Company includes non-public information regarding features, functionality and performance of the Service. Proprietary Information of Customer includes non-public data provided by Customer to Company to enable the provision of the Services (“Customer Data”). With respect to the Disclosing Party’s Proprietary Information, the Receiving Party agrees to: (i) take reasonable precautions to protect such Proprietary Information, (ii) not to use it (except in performance of the Services or as otherwise permitted herein), (iii) only provide such Proprietary Information to employees who are required to have access to such Proprietary Information; and (iv) not divulge to any third person any such Proprietary Information. The Disclosing Party agrees that the foregoing shall not apply with respect to any information after five (5) years following the disclosure thereof or any information that the Receiving Party can document (a) is or becomes generally available to the public, or (b) was in its possession or known by it prior to receipt from the Disclosing Party, or (c) was rightfully disclosed to it without restriction by a third party, or (d) was independently developed without use of any Proprietary Information of the Disclosing Party or (e) is required to be disclosed by law.

3.2            Customer shall own all right, title and interest in and to the Customer Data, as well as any data that is based on or derived from the Customer Data and provided to Customer as part of the Services. Company shall own and retain all right, title and interest in and to (a) the Services and Software, all improvements, enhancements or modifications thereto, (b) any software, applications, inventions or other technology developed in connection with Implementation Services or support, and (c) all intellectual property rights related to any of the foregoing.  

3.3 Notwithstanding anything to the contrary, Company shall have the right to collect and analyze data and other information relating to the provision, use and performance of various aspects of the Services and related systems and technologies (including, without limitation, information concerning Customer Data and data derived therefrom), and Company will be free (during and after the term hereof) to (i) use such information and data to improve and enhance the Services and for other internal development, diagnostic and corrective purposes in connection with the Services and other Company offerings, so long as such use does not result in identifying Customer or any of Customer’s end users to third parties that do not require access to such information in connection with the purpose described in this clause, and (ii) disclose such data solely in aggregate or other de-identified form in connection with its business. No rights or licenses are granted except as expressly set forth herein.

3.4 If, in connection with providing the Services under this Agreement, Company processes Customer Personal Data (defined in the DPA) on behalf of Customer, the Data Processing Addendum (“DPA”) accessible at https://safebase.io/dpa will govern Company’s processing of such Customer Personal Data.

4. PAYMENT OF FEES

4.1            Customer will pay Company the then applicable fees described in the Agreement for the Services and Implementation Services in accordance with the terms therein (the “Fees”).  If Customer’s use of the Services exceeds the Service Capacity set forth on the Agreement or otherwise requires the payment of additional fees (per the terms of this Agreement), Customer shall be billed for such usage and Customer agrees to pay the additional fees in the manner provided herein.  Company reserves the right to change the Fees or applicable charges and to institute new charges and Fees at the end of the Initial Service Term or then current renewal term, upon thirty (30) days prior notice to Customer (which may be sent by email). If Customer believes that Company has billed Customer incorrectly, Customer must contact Company no later than 60 days after the closing date on the first billing statement in which the error or problem appeared, in order to receive an adjustment or credit.  Inquiries should be directed to Company’s customer support department.

4.2            Company may choose to bill through an invoice, in which case, full payment for invoices issued in any given month must be received by Company thirty (30) days after the mailing date of the invoice.  Unpaid amounts are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all expenses of collection and may result in immediate termination of Service. Customer shall be responsible for all taxes associated with Services.  

5. TERM AND TERMINATION

5.1            Subject to earlier termination as provided below, this Agreement is for the Initial Service Term as specified in the Agreement, and shall be automatically renewed for additional periods of the same duration as the Initial Service Term (collectively, the “Term”), unless either party requests termination at least thirty (30) days prior to the end of the then-current term.

5.2            In addition to any other remedies it may have, either party may also terminate this Agreement upon thirty (30) days’ notice (or without notice in the case of nonpayment), if the other party materially breaches any of the terms or conditions of this Agreement.  Customer will pay in full for the Services up to and including the last day on which the Services are provided. All sections of this Agreement which by their nature should survive termination will survive termination, including, without limitation, accrued rights to payment, confidentiality obligations, warranty disclaimers, and limitations of liability.  

6. WARRANTY AND DISCLAIMER

Company shall, in a manner consistent with prevailing industry standards, maintain the Services in a manner which minimizes errors and interruptions in the Services and shall perform the Implementation Services in a professional and workmanlike manner.  Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Company or by third-party providers, or because of other causes beyond Company’s reasonable control, but Company shall use commercially reasonable efforts to provide advance notice in writing or by e-mail of any scheduled service disruption.  HOWEVER, COMPANY DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR FREE; NOR DOES IT MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM USE OF THE SERVICES.  EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION, THE SERVICES AND IMPLEMENTATION SERVICES ARE PROVIDED “AS IS” AND COMPANY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

7. INDEMNITY

Company shall indemnify and hold Customer harmless from liability to third parties resulting from infringement by the Service of any United States patent or any copyright or misappropriation of any trade secret, provided Company is promptly notified of any and all threats, claims and proceedings related thereto and given reasonable assistance and the opportunity to assume sole control over defense and settlement; Company will not be responsible for any settlement it does not approve in writing.  The foregoing obligations do not apply with respect to portions or components of the Service (i) not supplied by Company, (ii) made in whole or in part in accordance with Customer specifications, (iii) that are modified after delivery by Company, (iv) combined with other products, processes or materials where the alleged infringement relates to such combination, (v) where Customer continues allegedly infringing activity after being notified thereof or after being informed of modifications that would have avoided the alleged infringement, or (vi) where Customer’s use of the Service is not strictly in accordance with this Agreement.  If, due to a claim of infringement, the Services are held by a court of competent jurisdiction to be or are believed by Company to be infringing, Company may, at its option and expense (a) replace or modify the Service to be non-infringing provided that such modification or replacement contains substantially similar features and functionality, (b) obtain for Customer a license to continue using the Service, or (c) if neither of the foregoing is commercially practicable, terminate this Agreement and Customer’s rights hereunder and provide Customer a refund of any prepaid, unused fees for the Service. 

Customer shall indemnify and hold harmless Company against all claims, liabilities, losses, costs, expenses, including reasonable attorneys’ fees, judgments, fines, or penalties, and actions brought by third parties relating to Customer’s violation of law or unauthorized use of the Service.

8. LIMITATION OF LIABILITY

NOTWITHSTANDING ANYTHING TO THE CONTRARY, EXCEPT FOR (I) BODILY INJURY OF A PERSON, (II) A PARTY’S CONFIDENTIALITY OBLIGATIONS UNDER SECTION 3, OR (III) A PARTY’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 7, NEITHER PARTY (NOR ITS SUPPLIERS, OFFICERS, AFFILIATES, REPRESENTATIVES, CONTRACTORS AND EMPLOYEES) SHALL BE RESPONSIBLE OR LIABLE WITH RESPECT TO ANY SUBJECT MATTER OF THIS AGREEMENT OR TERMS AND CONDITIONS RELATED THERETO UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY FOR: (A) ANY INDIRECT, EXEMPLARY, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES. NOTWITHSTANDING ANYTHING TO THE CONTRARY, NEITHER PARTY (NOR ITS SUPPLIERS, OFFICERS, AFFILIATES, REPRESENTATIVES, CONTRACTORS AND EMPLOYEES) SHALL BE RESPONSIBLE OR LIABLE WITH RESPECT TO ANY SUBJECT MATTER OF THIS AGREEMENT FOR ANY AMOUNTS THAT, TOGETHER WITH AMOUNTS ASSOCIATED WITH ALL OTHER CLAIMS, EXCEED THE FEES PAID BY CUSTOMER TO COMPANY FOR THE SERVICES UNDER THIS AGREEMENT IN THE 12 MONTHS PRIOR TO THE ACT THAT GAVE RISE TO THE LIABILITY, IN EACH CASE, WHETHER OR NOT COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.  

9. MISCELLANEOUS

If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable.  This Agreement is not assignable, transferable or sublicensable by Customer except with Company’s prior written consent.  Company may transfer and assign any of its rights and obligations under this Agreement without consent. Company shall have the right to use and display Customer’s logos and trade names solely for marketing and promotional purposes in connection with Company's website and marketing materials, subject to Customer’s trademark usage guidelines provided to Company. This Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement, and that all waivers and modifications must be in a writing signed by both parties, except as otherwise provided herein.  No agency, partnership, joint venture, or employment is created as a result of this Agreement and Customer does not have any authority of any kind to bind Company in any respect whatsoever.  In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and attorneys’ fees.  All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and upon receipt, if sent by certified or registered mail, return receipt requested.  This Agreement shall be governed by the laws of the State of California without regard to its conflict of laws provisions.

EXHIBIT A

Available Features and Statement of Work

Company to provide a third-party vendor security assessment automation platform, consisting of the following features:

• Interactive Public Security Portal: public-facing Security Portal with security program details that can be accessed at a web address decided by the Customer.

• Private Security Portal Sharing: share security program details with Customer’s prospective customers and track their interaction with content on the page. Information is gated by an automated NDA signing process to protect Customer confidential information.

• Security Knowledge Base: completed questionnaires are uploaded by Customer to the Security Knowledge Base which provides instant search to help Customer’s users find answers to security questions.

• Security Portal Analytics Dashboard: provides aggregate statistics of the performance of both the Interactive Public Security Portal and the Private Security Portal products, including the number of views, number of comments, and number of NDAs signed.

• G-Suite SSO and Enterprise SSO (SAML, etc.): Single Sign-On functionality included with the Services provides enhanced security and identity management to manage the access to the application.

• Custom domain with TLS: allow customers of Customer to view the public Security Portal on a designated subdomain.

• Workflow Automation with Interactive Slack Bot: functionality that allows Customer users to pass relevant events from the application to designated Slack workspaces and channels.

• Google Analytics Integration: pass website traffic information to Google Analytics.  

• Intercom Integration: support Intercom chat bot on the Security Portal for direct Customer conversations.

• Basic Support includes: Intercom Chat Support, email support, and help center articles.

Onboarding SOW:

• Edit and publish Security Portal items based on the material information provided by Customer.

• Complete the CNAME re-direct to enable hosting of the Security Portal on SafeBase at the designated URL chosen by Customer.

• Configure role-based access control as requested by Customer policies.

• As part of the registration process, Customer will identify an administrative user name and password for Customer’s Company account.  Company reserves the right to refuse registration of, or cancel, passwords it deems inappropriate.

EXHIBIT B

Service Level Terms

The Services shall be available 99%, measured monthly, excluding holidays and weekends and scheduled maintenance.  If Customer requests maintenance during these hours, any uptime or downtime calculation will exclude periods affected by such maintenance.  Further, any downtime resulting from outages of third-party connections or utilities or other reasons beyond Company’s control will also be excluded from any such calculation.

Customer's sole and exclusive remedy, and Company's entire liability, in connection with Service availability shall be that for each period of downtime lasting longer than five hours, Company will credit Customer 5% of Service fees for each period of 30 or more consecutive minutes of downtime; provided that no more than one such credit will accrue per day.  Downtime shall begin to accrue as soon as Customer (with notice to Company) recognizes that downtime is taking place and continues until the availability of the Services is restored.  In order to receive downtime credit, Customer must notify Company in writing within 24 hours from the time of downtime, and failure to provide such notice will forfeit the right to receive downtime credit.  Such credits may not be redeemed for cash and shall not be cumulative beyond a total of credits for one (1) week of Service Fees in any one (1) calendar month in any event.  Company will only apply a credit to the month in which the incident occurred.  Company’s blocking of data communications or other Service in accordance with its policies shall not be deemed to be a failure of Company to provide adequate service levels under this Agreement.