End User SaaS Agreement

FAQ FOR SECURITYSCORECARD END USER SAAS AGREEMENT

SecurityScorecard, Inc. (“SSC”) is excited to have you join our family of customers, and to do so as efficiently and quickly as possible. Context is always important when reviewing agreements and we find it useful to provide critical information on our services and how they are provided to facilitate onboarding new customers. We encourage whoever is reviewing our standard terms or End User SaaS Agreement (“EUSA”) to read this FAQ before starting their review.

We are a SaaS company providing cybersecurity ratings and related third-party risk management services (the “Services”); we provide the Services using solely outside-in, publicly available data that is collected and ultimately displayed in our UI via our proprietary technology. We do not collect, store, process, or otherwise use personal data (other than for login credentials).

What am I buying? The SecurityScorecard Services.

Multi-tenant Offering. The Services are a cloud-based multi-tenancy software as a service (“SaaS”) solution; this means that all our customers access the Services on a shared architecture, code base, and infrastructure. It also means there is no customization as we don’t create any custom IP, custom deliverables, or works-made-for-hire for you – and there is no transfer of IP ownership between the parties, nor are we able to provide custom service offerings with respect to policies and procedures (e.g., usage restrictions, Privacy Policy, feedback use license, security policies, insurance policies).

Nature of the Services. The cybersecurity ratings (“Ratings”) provided by the Services are based only on information from publicly available sources, which is collected through a combination of our own scanning technology and third-party data feeds. Our collection relies on the use of tools like scans, data feeds, sensors, honeypots, and sinkholes. No intrusive techniques are used by SecurityScorecard; we do not attempt to bypass security controls, nor do we have any access to any Customer systems. The third-party risk management solution (“Atlas”) provided by the Services is designed only to handle security assessment-related information which may be uploaded by such third-party that is issued a security assessment request as part of your use of the Services. This information should be non-personal in nature. The Services do not require any Customer to provide, nor are the Services designed to handle, process, store, or otherwise be used in connection with, sensitive personal information.

Why use the SecurityScorecard EUSA?

Written with our Services in Mind. We have drafted our EUSA to reflect the fact that we are a shared, multi-tenant solution and we are unable to apply, for example, different security terms, privacy policy terms, SLA obligations, and customer usage rights or restrictions. We regularly review our EUSA and have created a fair and balanced agreement based on customer feedback and industry-standard positions. When we use a customer’s EUSA, we always make extensive changes to align the terms to reflect the nature of our Services and our cloud-based multi-tenancy infrastructure, leading to similar terms at a slower pace.

For Cyber-Security, Speed is of the Essence. Our EUSA is designed to get you onboarded quickly so that we can help you protect your virtual assets. Our internal data shows that when customers use our EUSA, they are onboarded up to 3x faster than when customers provide their own EUSA. Every minute not onboarded is another minute you do not have the unique insights into your cyber-security posture that SecurityScorecard provides.

Pre-paid and Non-Cancellable Subscription. SecurityScorecard does not provide convenience termination language because our pricing is based upon commitment and we rely on the financial commitment of all customers in order to constantly scale and improve the Services. Customers can choose one-year or multi-year terms under an Order Form, depending on the length of price lock desired.

Is a Data Processing Agreement Required Pursuant to GDPR?

No DPA is Required, We are a Data Controller. Article 28 of the GDPR only applies to a company (i.e., a “processor”) that processes personal data on behalf of another company. As indicated above, the limited personal data that you supply to the Ratings platform and/or Atlas (e.g., account credentials, and contact information to transmit invitations to vendors to submit security information through the platform) are controlled and retained by us. Because SecurityScorecard is a controller, a processor-controller DPA is not necessary under the GDPR.


SecurityScorecard End User SaaS Agreement

LAST UPDATED MAY 26, 2023

THIS END USER SAAS AGREEMENT GOVERNS YOUR USE OF OUR SERVICES. SSC PERMITS YOU TO PURCHASE, ACCESS, AND/OR USE THE SERVICES ONLY IN ACCORDANCE WITH THE TERMS OF THIS AGREEMENT.

IF YOU REGISTER FOR A FREE TRIAL OF OUR SERVICES OR OTHERWISE UTILIZE FREE CAPABILITIES, THIS AGREEMENT WILL ALSO GOVERN THAT FREE TRIAL, UNLESS OTHERWISE PROVIDED HEREIN.

BY ACCEPTING THIS AGREEMENT, EITHER BY CLICKING A BOX INDICATING YOUR ACCEPTANCE, USING OUR SERVICES, OR EXECUTING THIS AGREEMENT OR AN ORDER FORM THAT REFERENCES THIS AGREEMENT OR RELATES TO THE SERVICES, YOU AGREE TO THE TERMS OF THIS AGREEMENT, INCLUDING ALL TERMS INCORPORATED BY REFERENCE. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE SERVICES.

You may not access the Services or request information from our Services if you are a direct competitor of SSC, except with our prior written consent. In addition, you may not access the Services for purposes of monitoring their availability, performance or functionality, or for any other competitive purposes.

This Agreement was last updated as of the date above. It is effective between you and SSC as of the earlier of: (a) the date you accept this Agreement or (b) the date you first access or otherwise use the Services.

1. DEFINITIONS

1.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2. “Agreement” means this End User SaaS Agreement.
1.3. “Applicable Data Privacy Laws” means the data privacy and security laws of the relevant jurisdiction, including but not limited to the European Union’s General Data Protection Regulation 2016/679 (“GDPR”) and the California Consumer Privacy Act (“CCPA”).
1.4. “Beta Services” means certain features, technologies, and services that are not generally available to customers, as updated from time to time.
1.5. “Credit(s)” means a credit for SSC’s Atlas platform associated with a sent questionnaire.
1.6. “Customer,” “you” or “your” means the person accepting this Agreement, or, if applicable, the company or other legal entity for which Customer is accepting this Agreement.
1.7. “Customer Services Data” means electronic data and information submitted by or for Customer to the Services or collected and processed by or for Customer as a result of your use of the Services (e.g., username, vendor contact information, support requests, issue remediation).
1.8. “Documentation” means the documentation and Service feature descriptions, as updated from time to time, as provided by SSC (whether online or otherwise).
1.9. “Disruption Event” means either: (a) a User’s use of the Services which could disrupt: (i) the Services; (ii) other customers’ use of the Services; or (iii) SSC network or servers used to provide the Services; or (b) unauthorized third-party access to the Services.
1.10. “Generic Reports” means reports that may include Customer Services Data in an anonymous, generic, de-identified format aggregated with other data not constituting Customer Services Data solely and exclusively for analyzing customer needs, improving SSC products and services, or providing benchmark data of usage and configuration of applications to other customers.
1.11. “Malicious Code” means code, files, scripts, agents or programs intended to do harm, including, for example, viruses, worms, time bombs, and trojan horses.
1.12. “Non-SSC Applications” means a web-based or offline software application that is provided by Customer or a third party and is not owned, operated, controlled, or otherwise provided by SSC (including any third-party integrations or partner products promoted by SSC), whether such application interoperates with the Services or is provided on a stand-alone basis.
1.13. “Non-SSC Material” means files, documents, or other materials of third parties made available by SSC via the Services but not otherwise owned or controlled by SSC.
1.14. “Order Form” means a purchase order, quote, online subscription, or other ordering document specifying the Services to be provided hereunder that is entered into between (a) Customer and (b) SSC or any of SSC’s Affiliates or Resellers, including any addenda and supplements thereto. For the avoidance of doubt, Customer’s subscription confirmation within the Services platform shall be considered an “Order Form” for purposes hereof.
1.15. “Personal Information” means information relating to an identified or identifiable natural person.
1.16. “Privacy Policy” means SSC’s Privacy Policy, as updated from time-to-time, located at: https://securityscorecard.com/… or such other URL as SSC may provide from time to time.
1.17. “Professional Services” means the product implementation, training, and/or other professional services to be provided by SSC to Customer (if any).
1.18. “Purchased Services” means Services (including Professional Services, but excluding any SSC API Services) that Customer purchases under an Order Form, as distinguished from those provided pursuant to a free trial.
1.19. “Reseller” means one of SSC’s preferred partner resellers through whom Customer purchases the Services.
1.20. “Services” means the products and services made available online or otherwise by SSC, including customer support services provided in connection with SSC’s SaaS offerings. “Services” exclude Non-SSC Applications and any products, services or content related thereto.
1.21. “Slot(s)” means a unique top-level domain maintained in Customer’s portfolio on the Services, subject to change during a twelve (12) month period a maximum of 10 times.
1.22. “SOW” means the Statement of Work applicable to any Professional Services package purchased by Customer as part of the Purchased Services (if any).
1.23. “SSC,” “we,” or “us” means SecurityScorecard, Inc.
1.24. “SSC API Services” means the product and services related to SSC API functionality, including the use or development of API Integration(s). For purposes of this definition, “API Integrations” means the systematic interactions between Non-SSC Applications and the Services that are developed through the SSC API.
1.25. “Subscription Term” means the period of time during which Users are permitted to use the Services hereunder, as specified in the applicable Order Form and including all renewals or extensions thereof.
1.26. “Suspend” or “Suspension” means the immediate disabling of access to the Services, or components of the Services, as applicable, to prevent further use of the Services.
1.27. “User” means an individual who is authorized by Customer to use one or more of the Services and to whom Customer (or SSC at your request) has supplied a user identification and password. Users may include, for example, your employees, consultants, contractors, and agents.

2. FREE TRIAL. If Customer registers on the SSC website for a free trial or otherwise utilizes the functionality of the Services for free, SSC will make one or more Services available to Customer on a trial basis, free of charge, until the earlier of (a) the end of the free trial period for which Customer registered to use the applicable Service(s), or (b) the start date of any Purchased Service subscriptions ordered by Customer for such Service(s). CUSTOMER SERVICES DATA ON SSC SYSTEMS OR IN OUR POSSESSION OR CONTROL, ANY REPORTS, AND ANY CUSTOMIZATIONS MADE TO THE SERVICES BY OR FOR YOU, DURING YOUR FREE TRIAL MAY BE PERMANENTLY LOST OR DELETED AT THE END OF THE FREE TRIAL PERIOD UNLESS CUSTOMER PURCHASES A SUBSCRIPTION TO THE SAME SERVICES AS THOSE COVERED BY THE TRIAL OR PURCHASES UPGRADED SERVICES BEFORE THE END OF THE TRIAL PERIOD. SSC WILL HAVE NO LIABILITY FOR ANY HARM OR DAMAGE ARISING OUT OF OR IN CONNECTION WITH A FREE TRIAL. NOTWITHSTANDING SECTION 8 (REPRESENTATIONS, WARRANTIES, EXCLUSIVE REMEDIES, AND DISCLAIMERS), DURING THE FREE TRIAL THE SERVICES ARE PROVIDED “AS-IS” WITHOUT ANY WARRANTY. Please review the Documentation during the trial period so that you become familiar with the features and functions of the Services before you make your purchase.

3. SSC RESPONSIBILITIES

3.1. Provision of Purchased Services. SSC will (a) make the Purchased Services available to Customer pursuant to this Agreement and the applicable Order Forms and SOWs, and (b) provide standard support for the Purchased Services to Customer at no additional charge. Notwithstanding the foregoing, the Purchased Services may not be available due to: (i) planned downtime (of which SSC shall give advance electronic notice through the Services or otherwise and which SSC shall schedule to the extent practicable during the weekend hours), and (ii) circumstances beyond our reasonable control, including, for example, an act of God, act of government, flood, fire, earthquake, civil unrest, act of terror, pandemic, epidemic, quarantine restriction, strike or other labor problem (other than one involving SSC employees), Internet service provider failure or delay, Non-SSC Application failure or delay, or denial of service attack. SSC reserves the right to make changes to the Services at any time and from time to time, provided, however, that SSC will not materially decrease the functionality of the Purchased Services during a Subscription Term. If SSC materially decreases the functionality to the Purchased Services, SSC will notify Customer of such change in accordance with Section 12.1 (Manner of Giving Notice).
3.2. Provision of SSC API Services. In connection with Customer’s Purchased Services, SSC may make the SSC API Services available to Customer and the following terms and restrictions shall apply to Customer’s use of the API Services.
3.2.1. Usage Restrictions. In addition to the restrictions set forth in Section 4.4, except as expressly and unambiguously authorized under this Agreement or by SSC in writing, Customer shall not (i) disclose or provide the API to any person or entity other than to Customer’s employees or consultants, or contractors who have a need to know, (ii) use the SSC API Services in a product or service that is commercially released; (iii) exceed 100 calls / hour; or (iv) use the API in a manner that, as determined by SSC in its sole discretion, constitutes excessive or abusive usage, or otherwise fails to comply or is inconsistent with any part of the Documentation.
3.2.2. Proprietary Rights. As between the parties, SSC owns all rights, title, and interest in and to the SSC API Services and all other output of the API. Except to the limited extent expressly provided in this Agreement, SSC does not grant, and Customer shall not acquire, any right, title or interest (including, without limitation, any implied license) in or to the SSC API Services or output thereof.
3.2.3. Disclaimers. SSC reserves the right to limit access or functionality of the SSC API Services at any time. SSC API Services are provided “AS IS” and SSC disclaims all warranties relating to the API, express or implied, including but not limited to any warranties against infringement, merchantability and fitness for a particular purpose.
3.3. Protection of Customer Services Data. SSC will maintain industry-standard administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of Services and the Customer Services Data. Those safeguards will include, but will not be limited to, safeguards to ensure the security of the information technology systems used to provide the Services, maintaining and testing (at least annually) an incident management program, and measures for preventing inappropriate access, use, modification or disclosure of Customer Services Data by SSC personnel. SSC will promptly inform Customer following discovery of any breach of security, confidentiality, and/or integrity of the Services or Customer Services Data affecting Customer.
3.4. Beta Services. From time to time, SSC may invite Customer to try Beta Services at no charge. Customer may accept or decline any such trial in its sole discretion. Beta Services will be clearly designated as beta, pilot, limited release, developer preview, non-production, evaluation or by a description of similar import. Beta Services are for evaluation purposes and not for production use, are not considered “Services” under this Agreement, are not supported, and may be subject to additional terms. Unless otherwise stated, any Beta Services trial period will expire upon the date that a version of the Beta Services becomes generally available. SSC may discontinue Beta Services at any time in its sole discretion and may never make them generally available. SSC WILL HAVE NO LIABILITY FOR ANY HARM OR DAMAGE ARISING OUT OF OR IN CONNECTION WITH A BETA SERVICE. NOTWITHSTANDING SECTION 8 (REPRESENTATIONS, WARRANTIES, EXCLUSIVE REMEDIES, AND DISCLAIMERS), BETA SERVICES ARE PROVIDED “AS-IS” WITHOUT ANY WARRANTY.

4. USE OF SERVICES; NON-SSC APPLICATIONS; AFFILIATES

4.1. Subscriptions. Unless otherwise provided in the applicable Order Form, (a) Services are purchased as subscriptions, (b) subscriptions may be added during a Subscription Term, with the term for such additional subscription(s) to be prorated for the portion of that Subscription Term remaining at the time the mid-term subscriptions are added, and (c) any added subscriptions will terminate on the same date as the Subscription Term, subject to any automatic renewals that may apply as set forth in Section 11.2 below.
4.2. Usage Limits. Services are subject to usage limits, including, for example, the quantities specified in the applicable Order Form(s). Unless otherwise specified, a quantity in an Order Form refers to Slots or Credits, as applicable. If Customer exceeds its then-current contractual usage limit as set forth in the relevant Order Form, Customer may incur additional fees for excess usage if it does not reduce overuse within ten (10) days after notice from SSC and in such case, shall remit payment in accordance with Section 5 (Fees and Payment); Customer’s then-current contractual usage limit will automatically be increased to the new number of Slots or Credits for the remainder of the Subscription Term and thereafter (if applicable).
4.3. Customer Responsibilities. Customer will (a) be responsible for Users’ compliance with this Agreement and for all activities that occur through Users’ use of Services, (b) be responsible for the accuracy, quality and legality of Customer Services Data, including obtaining all required consents or rights required to use Customer Services Data, (c) prevent unauthorized access to or use of Services (including not sharing any User passwords), and notify SSC promptly of any such unauthorized access or use, and (d) if applicable, comply with the terms of service for any Non-SSC Application with which Customer uses the Services.
4.4. Usage Restrictions. Solely for purposes of this Section 4.4, “Services” shall include SSC API Services. Customer will not (a) make any Service available to, or use any Service for the benefit of, anyone other than Customer or Users, including any part, feature, function or output of a Service, (b) sell, resell, license, sublicense, distribute, rent or lease any Service or any part, feature, function or output thereof (e.g., reports, screenshots), or include any Service in a service bureau or outsourcing offering, (c) use a Service to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party privacy rights, (d) use a Service to store or transmit Malicious Code, (e) use a Service in violation of this Agreement, applicable laws or government regulations, or for otherwise fraudulent or malicious purposes, (f) interfere with or disrupt the integrity or performance of any Service or third-party data contained therein, (g) attempt to gain unauthorized access to any Service or its related systems or networks, (h) use or permit direct or indirect access to or use of any Service in a way that circumvents a contractual usage limit, (i) publish, display, or copy (provided that Customer and its Users can copy as reasonably necessary to its and their rights under this Agreement and in connection with ordinary course back-up and disaster recovery procedures) a Service or any part, feature, function, output, or user interface thereof (this includes a prohibition on any publication of ratings, scores, reports or components thereof), (j) remove any legal, copyright, trademark or other proprietary rights notices contained in or on materials Customer receives or accesses through the Services; (k) frame or mirror any part of any Service, other than framing on your own intranets or otherwise for your own internal business purposes or as permitted in this Agreement, (l) access any Service in order to build a competitive product or service or use a Service in a way that competes with products or services offered by SSC, or (m) copy, adapt, reformat, reverse-engineer, disassemble, decompile, download, translate or otherwise modify any Service or SSC’s website, through automated or other means.
4.5. Privacy.
4.5.1. SSC may collect personal information in connection with Customer’s use of the Services. SSC’s Privacy Policy describes what data is collected, the purpose of the collection, the means by which SSC processes such data, and the third parties with whom the data may be shared.
4.5.2. To the extent Customer provides personal information to SSC, Customer represents that it has complied with all Applicable Data Privacy Laws concerning its collection and disclosure of such information, and that it is not relying upon SSC to discharge any of Customer’s obligations or responsibilities under Applicable Data Privacy Laws.
4.5.3. With respect to the personal information that it receives from Customer or Users, SSC represents that it has and will independently comply with all obligations imposed by Applicable Data Privacy Laws upon controllers, that it will not consider itself to be a joint controller with Customer, and that it will not rely upon Customer to perform any of SSC’s obligations as a controller.
4.6. Suspension. If SSC becomes aware of a User’s violation of this Agreement, then SSC may specifically request that Customer Suspend that User’s use of the Services. If Customer fails to comply with our request to Suspend a User’s use of the Services, then SSC may Suspend that User’s use of the Services. The duration of any Suspension by SSC will be until the applicable User has cured the breach that caused the Suspension. Notwithstanding the foregoing, if there is a Disruption Event, then SSC may automatically Suspend the offending use. The Suspension will be to the minimum extent and of the minimum duration required to prevent or terminate the Disruption Event. If SSC Suspends a User’s use of the Services for any reason without prior notice to Customer, then at your request, SSC will provide Customer with the reason for the Suspension as soon as is reasonably possible.
4.7. Non-SSC Applications.
4.7.1. Acquisition and Use of Non-SSC Applications. SSC or third parties may make available third-party products or services, including, for example, Non-SSC Applications and implementation and other consulting services. If Customer elects to acquire or use such Non-SSC Applications, any exchange of data between Customer and any non-SSC provider is solely between Customer and the applicable non-SSC provider. SSC DOES NOT WARRANT OR SUPPORT NON-SSC APPLICATIONS OR OTHER NON-SSC PRODUCTS OR SERVICES, WHETHER OR NOT THEY ARE DESIGNATED BY SSC. SUCH NON-SSC APPLICATIONS ARE NOT UNDER THE CONTROL OF SSC AND SSC IS NOT RESPONSIBLE FOR THE PRODUCT, SERVICES, WEBSITE, OR CONTENT OF ANY THIRD-PARTY PROVIDER. Non-SSC Applications may be subject to additional terms and conditions between the provider of such Non-SSC Application and Customer, including terms related to the collection, use and processing of Personal Information. If Customer elects to acquire or use a Non-SSC Application, it is Customer’s responsibility to review and understand these additional terms.
4.7.2. Non-SSC Applications and Your Customer Services Data. If Customer installs or enables a Non-SSC Application for use with a Service, Customer grants SSC permission to allow the provider of that Non-SSC Application to access Customer Services Data as required for the interoperation of that Non-SSC Application with the Service. SSC is not responsible or liable for any disclosure, modification or deletion of Customer Services Data resulting from access by a Non-SSC Application. SSC is not responsible or liable to Customer if you install, connect, enable, use or share any integration, feature, workflows, actions, or suggestions authored or made available by an entity other than SSC.
4.7.3. Integration with Non-SSC Applications. The Services may contain features designed to interoperate with Non-SSC Applications. To use such features, Customer may be required to obtain access to Non-SSC Applications from their providers and may be required to grant SSC access to your account(s) on the Non-SSC Applications.
4.7.4. Use of Non-SSC Materials. Third parties may make available Non-SSC Materials using the Services for Customer to view, download or otherwise use. NON-SSC MATERIAL IS PROVIDED “AS-IS” WITHOUT ANY WARRANTY AND SSC MAKES NO REPRESENTATION WITH RESPECT TO NON-SSC MATERIAL AND SSC WILL HAVE NO LIABILITY FOR ANY HARM OR DAMAGE ARISING OUT OF OR IN CONNECTION WITH NON-SSC MATERIAL.

5. FEES AND PAYMENT FOR PURCHASED SERVICES

5.1. Reseller Purchases. If Customer purchases the Services through a Reseller, all payment-related terms (including, but not limited to, pricing, invoicing, billing, payment methods, and late payment charges) will be set forth in Customer’s agreement directly with such Reseller and such payment-related terms will supersede any conflicting terms set forth in this Section 5. SSC may suspend or terminate your access to the Services in the event of non-payment of the applicable fees to SSC by the Reseller due to your non-payment, or Customer’s uncured breach of this Agreement. Notwithstanding anything to the contrary, the agreement between Customer and a Reseller: (i) shall not modify any of the terms set forth herein other than those portions of Section 5 related to billing and payments, and (ii) is not binding on SSC.
5.2. Fees. Customer will pay all fees specified in Order Forms. Except as otherwise specified herein or in an Order Form, (i) fees are based on the Service purchased and not actual usage, (ii) payment obligations are non-cancelable and fees paid are non-refundable except as set forth in Section 11.4 below, and (iii) quantities purchased cannot be decreased during the relevant Subscription Term.
5.3. Invoicing and Payment. Fees shall be invoiced in advance, either annually or in accordance with any different billing frequency stated in the applicable Order Form. Unless otherwise stated in the Order Form, invoiced charges are due upon receipt of such invoice and payable net thirty (30) from the invoice date. Any payments not made within thirty (30) days of the receipt of such invoice shall accrue interest at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower. Customer is responsible for providing complete and accurate billing and contact information to SSC and notifying SSC of any changes to such information. Customer acknowledges and agrees that SSC may engage third-party payment processors, which includes Stripe and its affiliates, to process online payments made by Customer hereunder, and that such payment processors will be provided your payment information in order to help us process your payment.
5.4. Overdue Charges. If any undisputed invoiced amount is not received by SSC thirty (30) days after the invoice date, then without limiting our rights or remedies (a) SSC may condition future subscription renewals and Order Forms on payment terms shorter than those specified in Section 5.3 (Invoicing and Payment), and/or (b) SSC may require Customer to pay all reasonable collections or legal fees incurred by SSC in order to collect payment of the corresponding undisputed invoiced amount.
5.5. Suspension of Service and Acceleration. If any amount owing by Customer under this or any other agreement for Purchased Services is thirty (30) or more days overdue, SSC may, without limiting other rights and remedies, accelerate Customer’s unpaid fee obligations under such agreements so that all such obligations become immediately due and payable, and suspend Services to Customer until such amounts are paid in full. SSC will give Customer at least 10 days’ prior notice, in accordance with Section 12.1, before Suspending Services to Customer pursuant to the foregoing.
5.6. Taxes. Our fees do not include any taxes, levies, duties or similar governmental assessments of any nature, including, for example, value-added, sales, use or withholding taxes, assessable by any jurisdiction whatsoever (collectively, “Taxes”). Customer is responsible for paying all Taxes associated with its purchases hereunder. If SSC has the legal obligation to pay or collect Taxes for which Customer is responsible under this Section 5.6, SSC will invoice Customer and Customer will pay that amount unless Customer provides SSC with a valid tax exemption certificate authorized by the appropriate taxing authority. For clarity, SSC is solely responsible for taxes assessable against SSC based on our income, property, and employees.
5.7. Future Functionality. Customer agrees that its purchases are not contingent on the delivery of any future functionality or features, or dependent on any oral or written public comments made by SSC regarding future functionality or features.

6. PROPRIETARY RIGHTS AND LICENSES

6.1. Reservation of Rights. Subject to the limited rights expressly granted hereunder, SSC reserves all of its right, title, and interest in and to the Services and any proprietary materials of SSC contained therein, including all intellectual property rights therein and thereto, and Customer acquires no rights with respect to the Services, by implication or otherwise, except for those expressly granted in this Agreement. Customer reserves all of Customer’s rights, title and interest in Customer Services Data, provided that SSC may use Customer Services Data to create Generic Reports and as provided in Section 6.2 below. No rights are granted to Customer hereunder other than as expressly set forth herein.
6.2. SSC Rights to Use Customer Services Data. Customer grants SSC the right to use Customer Services Data, in compliance with applicable law, in order to: (a) provide the Services in accordance with this Agreement and the Privacy Policy, (b) communicate with any vendors or contacts provided by Customer, (c) prevent or address service or technical problems, (d) as Customer expressly permits, or (e) as may be required by law. SSC may also use Customer Services Data in an aggregated, de-identified and generic manner, in compliance with applicable law, for marketing, survey purposes, setting benchmarks, feature suggestions, product analytics and new product features or services, Services utilization analyses and related purposes, provided that (i) it is used only for internal administrative purposes and general usage statistics; (ii) does not identify Customer or its agents, representatives, customers or employees and is not attributable to such persons or entities in any way; and (iii) where Customer Services Data is used in this manner to create publicly disclosed general usage statistics, such statistics are used to report only the total aggregate use among SSC customers.
6.3. License by Customer to Use Feedback. Customer grants to SSC a worldwide, perpetual, irrevocable, transferable, royalty-free license to use and incorporate into the Services any suggestion, enhancement request, recommendation, correction or other feedback provided by Customer or Users relating to the operation of the Services, provided that SSC shall not identify Customer as the source of such feedback.

7. CONFIDENTIALITY

7.1. Definition of Confidential Information. “Confidential Information” means all information and materials disclosed by a party (“Disclosing Party”) to the other party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. SSC Confidential Information includes the Services and any proprietary materials provided through the Services; Customer Confidential Information includes Customer Services Data; and Confidential Information of each party includes any proprietary pricing Customer might receive as a quote, offer, or in an Order Form, as well as business and marketing plans, technology and technical information, product plans and designs, and business processes disclosed by such party. However, Confidential Information does not include any information that (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party, (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party, (iii) is received from a third party without breach of any obligation owed to the Disclosing Party, or (iv) was independently developed by the Receiving Party as shown by documents and other competent evidence in the Receiving Party’s possession.
7.2. Protection of Confidential Information. The Receiving Party will (i) use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but not less than reasonable care), (ii) not use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement, and (iii) except as otherwise authorized by the Disclosing Party in writing, disclose Confidential Information of the Disclosing Party only to those of its employees, officers, advisors, contractors, and agents and its Affiliates’ employees, officers, advisors, contractors, and agents who need that access for purposes consistent with this Agreement and who are subject to confidentiality obligations consistent with this Agreement. Receiving Party is fully responsible for the compliance of its employees, officers, advisors, contractors, and agents and its Affiliates’ employees, officers, advisors, contractors, and agents with the terms of this Section 7.
7.3. Compelled Disclosure. The Receiving Party may disclose Confidential Information of the Disclosing Party to the extent compelled by law or by the order of a court or similar judicial or administrative body to do so, provided the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure. If the Receiving Party is compelled by law to disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to that Confidential Information.

8. REPRESENTATIONS, WARRANTIES, EXCLUSIVE REMEDIES, AND DISCLAIMERS

8.1. Representations. Each party represents that it has validly entered into this Agreement and has the legal power to do so.
8.2. SSC Warranties. SSC warrants that: (a) the Purchased Services will perform materially in accordance with the specifications set forth in the Documentation; (b) SSC will provide the Professional Services, if applicable, in a professional and workmanlike manner; and (c) SSC has used commercially reasonable efforts to detect and prevent the introduction of Malicious Code into the Services. For any breach of the above warranties, Customer’s exclusive remedy and SSC’s sole obligation are those described in Sections 11.3 (Termination) and 11.4 (Refund or Payment upon Termination).
8.3. Mutual Warranties. Each party warrants that it will comply with all laws and regulations applicable to its provision or use of the Services, as applicable (including applicable security breach notification law).
8.4. Disclaimers. EXCEPT AS EXPRESSLY PROVIDED HEREIN, NEITHER PARTY MAKES ANY WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND EACH PARTY SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. EACH PARTY DISCLAIMS ALL LIABILITY AND INDEMNIFICATION OBLIGATIONS FOR ANY HARM OR DAMAGES CAUSED BY ANY THIRD-PARTY HOSTING PROVIDERS OR NON-SSC APPLICATIONS.

9. MUTUAL INDEMNIFICATION

9.1. Indemnification by SSC. SSC will defend Customer against any claim, demand, suit or proceeding made or brought against Customer by a third party alleging that the use of a Purchased Service in accordance with this Agreement infringes or misappropriates such third party’s intellectual property rights (a “Claim Against Customer”), and will indemnify Customer from any damages, attorney fees and costs finally awarded against Customer as a result of, or for amounts paid by Customer under a court-approved settlement of, a Claim Against Customer, provided Customer (a) promptly gives SSC written notice of the Claim Against Customer, (b) gives SSC sole control of the defense and settlement of the Claim Against Customer (except that SSC may not settle any Claim Against Customer unless it unconditionally releases Customer of all liability), and (c) gives SSC all reasonable assistance, at our expense. If SSC receives information about an infringement or misappropriation claim related to a Service, SSC may in its discretion and at no cost to Customer (i) modify the Service so that it no longer infringes or misappropriates, without breaching the warranties under Section 8.2 (SSC Warranties), or (ii) obtain a license for Customer’s continued use of that Service in accordance with this Agreement, and if neither (i) nor (ii) is commercially reasonable, (iii) terminate Customer’s subscriptions for that Service upon thirty (30) days’ written notice and refund Customer any prepaid fees covering the remainder of the term of the terminated subscriptions.
The above defense and indemnification obligations do not apply to the extent a Claim Against Customer arises from: (i) a Non-SSC Application, (ii) Customer’s breach of this Agreement, (iii) Customer’s negligence, recklessness, gross negligence, or willful misconduct, (iv) any use of the Services in combination with other products, equipment, software or data not supplied by SSC; or (v) any modification of the Services by any person other than SSC or its authorized representatives.
9.2. Indemnification by Customer. Customer will defend SSC against any claim, demand, suit or proceeding made or brought against SSC by a third party alleging that Customer Services Data, or your use of any Service in breach of this Agreement, infringes or misappropriates such third party’s intellectual property rights (a “Claim Against SSC”), and will indemnify SSC from any damages, attorney fees and costs finally awarded against SSC as a result of, or for any amounts paid by SSC under a court-approved settlement of, a Claim Against SSC, provided SSC (a) promptly gives Customer written notice of the Claim Against SSC, (b) gives Customer sole control of the defense and settlement of the Claim Against SSC (except that Customer may not settle any Claim Against SSC unless it unconditionally releases SSC of all liability), and (c) gives Customer all reasonable assistance, at your expense. The above defense and indemnification obligations do not apply to the extent a Claim Against SSC arises from: (i) SSC’s breach of this Agreement, or (ii) SSC’s negligence, recklessness, gross negligence, or willful misconduct.
9.3. Exclusive Remedy. This Section 9 states the indemnifying party’s sole liability to, and the indemnified party’s exclusive remedy against, the other party for any type of claim described in this Section 9.

10. LIMITATION OF LIABILITY

10.1. Limitation of Liability. EXCEPT FOR EACH PARTY’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 9 AND CUSTOMER’S PAYMENT OBLIGATIONS UNDER SECTION 5, NEITHER PARTY’S LIABILITY WITH RESPECT TO ANY SINGLE INCIDENT OR SERIES OF RELATED INCIDENTS ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL EXCEED THE AMOUNT PAID BY CUSTOMER HEREUNDER IN THE 12 MONTHS PRECEDING THE INCIDENT OR SERIES OF RELATED INCIDENTS, PROVIDED THAT IN NO EVENT WILL EITHER PARTY’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE TOTAL AMOUNT PAID BY CUSTOMER HEREUNDER. THE ABOVE LIMITATIONS WILL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY. THE FOREGOING DISCLAIMER WILL NOT APPLY TO THE EXTENT PROHIBITED BY LAW.
10.2. Exclusion of Consequential and Related Damages. EXCEPT FOR EACH PARTY’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 9, IN NO EVENT WILL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY FOR ANY LOST PROFITS, REVENUES OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER OR PUNITIVE DAMAGES (INCLUDING, WITHOUT LIMITATION, LOSS OF PROFITS OR GOODWILL), WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING DISCLAIMER WILL NOT APPLY TO THE EXTENT PROHIBITED BY LAW.

11. TERM AND TERMINATION

11.1. Term of Agreement. This Agreement commences on the Effective Date set forth on the signature page and continues for so long as SSC is providing Services.
11.2. Term of Purchased Subscriptions; AUTO-RENEWAL OF SUBSCRIPTION TERM. The Subscription Term shall be, and shall renew, as specified in the applicable Order Form. If no such term or renewal period is specified, Subscriptions will have an initial term of one year and will automatically renew for additional periods equal to the expiring Subscription Term or one (1) year (whichever is shorter), unless either party gives the other notice of non-renewal at least sixty (60) days before the end of the relevant Subscription Term in accordance with Section 12.1.
11.3. Termination. A party may terminate this Agreement, any Order Form or SOW (i) thirty (30) days after providing written notice to the other party of a material breach of its obligations under this Agreement or the relevant Order Form or SOW if such breach remains uncured at the expiration of such 30-day period, (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors, or (iii) upon ten (10) days’ written notice to the other party if the other party is in material breach of this Agreement more than two (2) times notwithstanding any cure of such breaches.
11.4. Refund or Payment upon Termination. If this Agreement is terminated by Customer for material uncured breach in accordance with Section 11.3(i) or (iii), SSC will refund Customer any prepaid fees covering the remainder of the Subscription Term of all Order Forms or SOW after the effective date of termination. If this Agreement is terminated by SSC in accordance with Section 11.3, Customer will pay any unpaid fees covering the remainder of the Subscription Term of all Order Forms. In no event will termination relieve Customer of its obligation to pay any fees payable to SSC for the Subscription Term period prior to the effective date of termination.
11.5. Customer Services Data. After the effective date of termination or expiration of this Agreement, SSC will have no obligation to maintain or provide Customer Services Data, and may, in its sole discretion, delete or destroy all copies of Customer Services Data in our systems or otherwise in our possession or control, unless legally prohibited.
11.6. Surviving Provisions. The Sections that are intended by their nature to survive termination or expiration shall so survive any termination or expiration of this Agreement.

12. NOTICES, GOVERNING LAW AND JURISDICTION

12.1. Manner of Giving Notice. All notices, permissions, and approvals hereunder shall be in writing and shall be deemed to have been given upon: (i) personal delivery, (ii) the second business day after mailing, (iii) the second business day after sending by confirmed facsimile, or (iv) the first business day after sending by email (provided email shall not be sufficient for notices of an indemnifiable claim). Notices to SSC shall be addressed to SecurityScorecard, Inc., Attn: Legal Department; 1140 Avenue of the Americas, 19th Floor, New York, NY 10036, United States; with copy to [email protected]. Billing-related notices to Customer shall be addressed to the relevant billing contact designated by Customer. All other notices to Customer shall be addressed to the relevant Services system administrator designated by Customer, in writing, by like notice.
12.2. Agreement to Governing Law and Jurisdiction. Each party agrees that this Agreement is governed by and shall be construed in accordance with the laws of the State of New York, in all respects, without regard to choice or conflicts of law rules, and that all disputes arising out of or relating to this Agreement are limited to the exclusive jurisdiction and venue of the state and federal courts located within New York County, New York. Each party hereby consents to and waives any objections with respect to such jurisdiction and venue.

13. GENERAL PROVISIONS

13.1. Entire Agreement and Order of Precedence. This Agreement, including any Order Forms, is the entire agreement between Customer and SSC regarding Customer’s use of Services and supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter (including any non-disclosure agreement between Customer and SSC where the sole purpose was to evaluate the subscription hereunder). No waiver of any provision of this Agreement will be effective unless in writing and signed by the party against whom the waiver is to be asserted. No modification or amendment of any provision of this Agreement, an Order Form or SOW will be effective unless in writing and signed by the party against whom the waiver is to be asserted. The parties agree that any term or condition stated in any Customer purchase order or in any other order documentation (excluding Order Forms) is void. In the event of any conflict or inconsistency among the following documents, the order of precedence shall be: (1) the applicable Order Form or SOW, (2) this Agreement, and (3) the Documentation.
13.2. Assignment. Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the other party’s prior written consent (not to be unreasonably withheld); provided, however, either party may assign this Agreement in its entirety (including all Order Forms and SOWs hereunder), without the other party’s consent to its Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets or equity securities. Notwithstanding the foregoing, if a party is acquired by, sells substantially all of its assets to, or undergoes a change of control in favor of, a direct competitor of the other party, then such other party may terminate this Agreement upon written notice.
13.3. Relationship of the Parties. The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the parties.
13.4. Third-Party Beneficiaries. The parties do not intend to create any third-party beneficiaries of this Agreement, and nothing in this Agreement is intended, nor shall anything herein be construed to create any rights, legal or equitable, in any person other than the Parties to this Agreement.
13.5. Waiver. No failure or delay by either party in exercising any right under this Agreement will constitute a waiver of that right.
13.6. Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision will be deemed null and void, and the remaining provisions of this Agreement will remain in effect.
13.7. Headings. Headings used in this Agreement and all associated agreements are solely for convenience and shall not be deemed to affect in any manner the meaning or intent of the applicable agreement or any provision there/hereof.
13.8. Equitable Relief. Nothing in this Agreement will limit either party’s ability to seek equitable relief.
13.9. Force Majeure. Except for payment obligations, neither party will be liable for inadequate performance to the extent caused by a condition (for example, natural disaster, an act of war or terrorism, riot, labor condition, governmental action, pandemic, epidemic, quarantine restriction, and Internet disturbance) that was beyond the party’s reasonable control.
13.10. Jury Trial Waiver. EACH PARTY HEREBY WAIVES ITS RIGHTS TO A JURY TRIAL OF ANY CLAIM OR CAUSE OF ACTION BASED UPON OR ARISING OUT OF THIS AGREEMENT OR THE SUBJECT MATTER HEREOF. THE SCOPE OF THIS WAIVER IS INTENDED TO BE ALL-ENCOMPASSING OF ANY AND ALL DISPUTES THAT MAY BE FILED IN ANY COURT AND THAT RELATE TO THE SUBJECT MATTER OF THIS TRANSACTION, INCLUDING, WITHOUT LIMITATION, CONTRACT CLAIMS, TORT CLAIMS (INCLUDING NEGLIGENCE), BREACH OF DUTY CLAIMS, AND ALL OTHER COMMON LAW AND STATUTORY CLAIMS. THIS SECTION HAS BEEN FULLY DISCUSSED BY EACH OF THE PARTIES HERETO AND THESE PROVISIONS WILL NOT BE SUBJECT TO ANY EXCEPTIONS. EACH PARTY HERETO HEREBY FURTHER WARRANTS AND REPRESENTS THAT SUCH PARTY HAS REVIEWED THIS WAIVER WITH ITS LEGAL COUNSEL, AND THAT SUCH PARTY KNOWINGLY AND VOLUNTARILY WAIVES ITS JURY TRIAL RIGHTS FOLLOWING CONSULTATION WITH LEGAL COUNSEL.