SecurityPal Terms and Conditions

Last Updated November 11, 2022

MASTER SERVICES AGREEMENT

This Master Services Agreement (“Agreement”) is effective as of the date last signed below (“Effective Date”) by and between SecurityPal, Inc., a Delaware corporation with its principal place of business at 415 Mission Street, Floor 37, Suite 117, San Francisco, CA 94105 (“SecurityPal”) and [Client Name], a [State] [Type of entity], with its principal address at [City, State, and Zip] (“Client”). SecurityPal and Client agree as follows:

  1. Definitions. In addition to capitalized terms defined elsewhere in this Agreement, the following terms shall have the meanings set forth below:
  1. Affiliates” means an entity that Controls, is Controlled by, or is under common Control with the subject entity. 
  2. Aggregated Anonymous Data” means aggregated and anonymized data and information derived from Client Data used by SecurityPal for internal business purposes including to provide, develop and improve the Software and Services. Aggregated Anonymous Data is not Client Data and do not consist of Personal Data (as defined in the DPA). 
  3. Client Data” means any information and/or data (e.g., Security Questionnaires, Client answers and libraries) provided or transferred to SecurityPal by Client via the Services or Software.
  4. Completed Security Questionnaires” means Security Questionnaires that have been completed by SecurityPal via the Software and Services subject to the Service Level set forth in the Order Form. 
  5. Confidential Information” means information disclosed by or on behalf of one party (as discloser) to the other party (as recipient) under this Agreement, in any form, which: (i) the discloser identifies to recipient as “confidential” or “proprietary;” or (ii) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. SecurityPal’s Confidential Information includes technical or performance information about the Services and the Software, and Client’s Confidential Information includes Client Data. Information on an Order Form is each party’s Confidential Information.
  6. Control” for means direct or indirect ownership of control of more than 50% of the voting interests of the subject entity.
  7. Documentation” means the written or online user manuals, help files, specification sheets, or other documentation regarding the Software and the Services made available to Client by SecurityPal. 
  8. DPA” means SecurityPal’s Data Processing Agreement available at: [URL]
  9. Order Form” means each written order or online order specifying the Services to be provided under this Agreement and applicable fees, that is executed in writing between Client and SecurityPal. 
  10. Security Protocols” means SecurityPal’s technical and organizational security measures located here: [URL].  
  11. Security Questionnaire” means a document in any form (e.g., a questionnaire) issued by a third party to Client that requires Client to answer specific questions about Client’s internal security technical and organizational measures.
  12. Security Questionnaire Service Level” has the meaning set forth in the Order Form. 
  13. Service(s)” means SecurityPal’s proprietary cloud software and other services identified in an Order Form and as modified from time to time by SecurityPal. The Services include human resources, the Software and Documentation but not any third-party products.
  14. Software” means the software that SecurityPal develops and maintains in order to provide the Services, and all modifications, updates, upgrades thereto and derivative works thereof.
  15. Subscription Term” means the period of time specified in an Order Form.
  16. Support Terms” means support terms for the Software as set forth in Section__ hereto. 
  17. Users” means anyone that Client allows to use its accounts for the Services, who may include: (a) employees, advisors and contractors of Client and its Affiliates; and (b) others if permitted in this Agreement, the Documentation or an Order Form.
  1. Services
  1. SecurityPal Obligations in the Services. SecurityPal will: 
  1. Perform the Services to create Completed Security Questionnaires in accordance with the Security Questionnaire Service Levels, and up to the number, specified in the Order Form; 
  2. Make the Software available to Client under the terms of this Agreement and as set forth in the applicable Order Form(s) and Documentation; and 
  3. Unless stated otherwise in the applicable Order Form, if Client experiences any errors, bugs, or other issues in its use of the Software and/or Services, SecurityPal will use commercially reasonable efforts to respond as soon as possible (“Support”) in order to resolve the issue or provide a suitable workaround. The fee for Support is included in the cost of the subscription set forth on the Order Form. Client will send any Support requests to SecurityPal via email (to: support@securitypal.com, concierge@securitypal.com, via Slack or live meeting as specified in the Documentation).
  1. Client’s Right to Use the Software. During the Term, SecurityPal grants Client a limited, non-exclusive, non-transferable, non-sublicensable, license to: (i) access and use the Software solely for Client’s internal use for up to the number of Users identified on the Order Form; and (ii) use the Documentation for Client’s internal use in connection with the Software.
  2. Software License Restrictions. Client will not (and will not allow any third party to): (i) use or access the Software for any competitive purposes, including to benchmark or penetration test the Software, without SecurityPal’s express written consent; (ii) market, sublicense, resell, lease, loan, transfer, or otherwise commercially exploit or make the Software available to any third party, except to its Users or a third party that manages Client’s computing environment; (iii) modify, create derivative works, decompile, reverse engineer, attempt to gain access to the source code, or copy the Software, or any of their components; (iv) use or access the Software to submit or transmit any computer viruses, worms, defects, Trojan horses or other items of a destructive nature or to send any commercial solicitation or spam (whether commercial in nature or not); or (v) exploit the Software in any unauthorized way whatsoever, including by trespass or burden (e.g., transmitting corrupted files, spyware, adware, or any other software or programs) or deploying spiders, web-bots, screen-scrapers, or web crawlers, that may damage or adversely affect server or network capacity or Software infrastructure (each, a “License Restriction(s)”).
  1. Client’s Obligations. Client will:
  1. Provide Client Data to SecurityPal: (i) via a mutually agreed upon mechanism or as stated in the Order Form; and/or (ii) by means of digital transfer via the Software; and
  2. Be responsible for: (i) its Users; (ii) all Client Data provided, or otherwise transmitted by Client in connection with the Services, to SecurityPal including Client Data accuracy, quality, and legality, and the means by which Client acquired Client Data; and (iii) maintaining the security of its passwords for accessing the SecurityPal Software and will not disclose any passwords to any third party. Should Client discover an unauthorized disclosure of any such passwords or any unauthorized access to the SecurityPal application, Client will promptly send notify SecurityPal (via  security@securitypalhq.com) describing the incident in detail. Upon the termination of the engagement of any User of the Services, Client will promptly remove access for such User.
  1. License to Client Data; Security of Client Data
  1. License to Client Data. SecurityPal uses machine learning tools and human resources to enhance the Software and Client Data, create Complete Security Questionnaires and Aggregated Anonymous Data, to provide the Services, and otherwise to develop and improve SecurityPal’s products, services and technologies, on the basis of Client Data. Subject to the terms of this Agreement, Client grants SecurityPal a license to use the Client Data for the purposes under this Section 2(c), including as specified in each Order Form, and the DPA.
  2. Security & Privacy. SecurityPal maintains industry-standard physical, technical, and administrative safeguards in order to protect Client Data in accordance with the SecurityPal’s Security Protocols.
  3. DPA. SecurityPal will process all Client Data for the purposes set forth in this Agreement and in accordance with the DPA.
  1. Term & Termination
  1. Term. Unless specified otherwise in the applicable Order Form, the Term commences on the Effective Date and continues for the period specific in the Order Form (“Initial Subscription Term”) and the Agreement will be automatically extended for additional one-year terms (each, a “Renewal Subscription Term”) unless terminated as provided for in this Agreement. No less than thirty (30) days before the end of the Initial Subscription Term or any Renewal Subscription Term thereafter, either party may give the other party written notice of termination, in which case this Agreement will terminate at the end of the current Initial Subscription Term or Renewal Subscription Term. “Term” means the Initial Subscription Term and each Renewal Subscription Term collectively.
  2. Termination for Cause. Either party may terminate this Agreement or any active subscription for cause: (i) upon 30 days written notice to the other party of a material breach if such breach remains uncured at the expiration of the 30-day period; or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors. 
  3. Effect of Termination. Client’s right to receive the Services and use the Software will cease upon any termination or expiration of this Agreement subject to this Section 5. If Client terminates this Agreement in accordance with Section 5(b), SecurityPal will reimburse Client on a pro-rata basis for any pre-paid fees allocable to the remaining Subscription Term as of the date of such termination. Upon any termination or expiration of this Agreement, within 30 days of Client’s written request, SecurityPal will delete Client Data from the Service, Software and within its control, if any, and each party will delete any Confidential Information of the other in its possession or control. A party may retain Client Data or Confidential Information in accordance with its standard backup or record retention policies, or as required by Laws, subject to Section 7 (Confidentiality).
  4. Survival. The following provisions will survive any expiration or termination of this Agreement: Sections 7 (Confidentiality), 8 (Ownership), 10 (Indemnification), 11 (Limitation on Liability), and 13 (Miscellaneous (as applicable). 
  1. Fees
  1. Client will pay all fees set forth on the applicable Order Form. Following execution of the Order Form, SecurityPal will submit an invoice to Client and payment will be due 30 days from receipt of an undisputed invoice unless otherwise set forth on the Order Form (“Due Date”).
  2. Overdue Charges. If any undisputed, invoiced amount is not received by SecurityPal by the Due Date, then: (i) those charges may accrue late interest at the rate of 2.0% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower; and (ii) SecurityPal may condition future purchases on receipt of payment for previous purchases and/or payment terms shorter than those specified on the previous Order Form.
  3. Taxes. Client is responsible for any sales, use, GST, value-added, withholding or similar taxes or levies that apply to its Order Forms, whether domestic or foreign (“Taxes”), other than SecurityPal’s income tax. Fees and expenses are exclusive of Taxes.
  1. Confidentiality
  1. Use and Protection. As recipient, each party will: (i) use Confidential Information only to fulfill its obligations and exercise its rights under this Agreement; (ii) not disclose Confidential Information to third parties without the discloser's prior approval, except as permitted in this Agreement; and (iii) protect Confidential Information using at least the same precautions recipient uses for its own similar information and no less than a reasonable standard of care.
  2. Permitted Disclosures. The recipient may disclose Confidential Information to its employees, agents, contractors and other representatives having a legitimate need to know, provided it remains responsible for their compliance and they are bound to confidentiality obligations no less protective than this Section 7.
  3. Exclusions. The confidentiality obligations herein do not apply to information that the recipient can document: (i) is or becomes public knowledge through no fault of the recipient which includes any generic and publicly available information in a Security Questionnaire; (ii) it rightfully knew or possessed, without confidentiality restrictions, prior to receipt from the discloser; (iii) it rightfully received from a third party without confidentiality restrictions; or (iv) it independently developed without using or referencing Confidential Information.
  4. Remedies. Breach of this Section 7 may cause substantial harm for which monetary damages are an insufficient remedy. Upon a breach of this Section 7, the discloser may seek appropriate equitable relief, including an injunction, in addition to other remedies.
  5. Required Disclosures. The recipient may disclose Confidential Information (including Client Data) to the extent required by applicable laws. If permitted by such applicable laws, the recipient will give the discloser reasonable advance notice of the required disclosure and reasonably cooperate, at the discloser's expense, to obtain confidential treatment for the Confidential Information.
  6. No Publicity. Neither party may publicly announce this Agreement without the other party's prior approval or except as required by applicable laws.
  1. Ownership
  1. SecurityPal Property. As between the parties, SecurityPal owns and retains all right, title, and interest in and to the Services, Software and Feedback. Except for the limited license granted to Client in Section 2(c), SecurityPal does not by means of this Agreement or otherwise transfer any other rights to Client. For clarity, the Software and access to the Services are licensed, not sold, and Client acquires no ownership or other interest (other than the license rights expressly stated herein) in or to the Service or the Software.
  2. Client Property. As between the parties, Client owns and retains all right, title, and interest in and to the Client Data. Except for the licenses granted to SecurityPal in Section 4, Client does not by means of this Agreement or otherwise transfer any other rights to SecurityPal.
  3. Reserved Rights. Neither party grants the other any rights or licenses not expressly set out in this Agreement.
  4. Feedback. Client may provide comments, suggestions and recommendations to SecurityPal with respect to the Services and Software (including, without limitation, comments, suggestions and recommendations with respect to modifications, enhancements, improvements and other changes) (collectively, “Feedback”). In such event, SecurityPal may freely use and exploit any such Feedback without any obligation to Client, unless otherwise agreed upon by the parties in writing. Client assigns to SecurityPal any proprietary right that Client may have in or to the Feedback.  
  1. Representations & Warranties
  1. Mutual Warranties. Each party represents and warrants that it: (i) has the legal power and authority to enter into this Agreement; and (ii) will comply with all applicable laws that apply to its performance under this Agreement.
  2. Client Representations and Warranties. Client represents and warrants it has all rights necessary to: (i) transfer Client Data to SecurityPal as required hereunder whether directly or via the Software and/or Services; and (ii) grant the licensed and rights to SecurityPal in and to Client Data as specified in this Agreement.
  3. Disclaimers. WITH THE EXCEPTION OF THE LIMITED WARRANTIES SET FORTH IN THIS SECTION 9, THE SERVICES AND SOFTWARE ARE PROVIDED "AS IS" TO THE FULLEST EXTENT PERMITTED BY LAW. SECURITYPAL AND ITS LICENSORS EXPRESSLY DISCLAIM ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF PERFORMANCE, MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSES, AND NON-INFRINGEMENT. SECURITYPAL DOES NOT WARRANT THAT THE SOFTWARE OR SERVICES: (I) ARE ERROR-FREE; (II) WILL PERFORM UNINTERRUPTED; OR (III) WILL MEET CLIENT’S REQUIREMENTS.
  1. Indemnification
  1. Indemnification by SecurityPal. SecurityPal will  defend  Client,  and its Affiliates, against  any  claim,  demand,  suit  or  proceeding  made  or  brought  against  Client  by  a  third  party, and  will  indemnify  Client  from  any  damages,  reasonable attorney  fees  and  costs,  finally  awarded  to the third party claimant  by a court of competent jurisdiction, or  for  any  settlement  approved  in  writing signed by an authorized officer of SecurityPal, alleging the Software and/or the Services  (together, the “SecurityPal Assets”) infringe  or  misappropriate  such  third  party's  United States or European intellectual property rights.

If  SecurityPal becomes, or in SecurityPal’s reasonable opinion is likely to become, the subject of an infringement or misappropriation claim, SecurityPal may, at its option and expense:  (i)  modify  the  SecurityPal Assets so  that  they  are  no  longer  claimed  to  infringe  or  misappropriate; (ii)  obtain  a  license  for  Client’s  continued  use  of  the SecurityPal Assets in  accordance  with  this  Agreement; or  (iii)  terminate  Client’s  subscription(s)  for  the SecurityPal Assets upon  30  days'  written  notice  and  refund  Client  a pro-rata portion of any prepaid  fees  covering  the  remainder  of  the  Subscription Term  of  the  terminated  SecurityPal Assets.

The  above  defense  and  indemnification  obligations  do  not  apply  if  a  claim  against  Client  arises  from:  (x) any unauthorized use, reproduction, or distribution of the SecurityPal Assets or SecurityPal’s intellectual property rights by Client which is the subject of the claim; or (y) any unauthorized combination of, or modification to, the SecurityPal Assets or SecurityPal’s intellectual property rights, other than as expressly approved by SecurityPal that causes the underlying claim where such claim would have not occurred but for such unauthorized act.

  1. Indemnification by Client. Client  will  defend  SecurityPal,  and its Affiliates, against  any  claim,  demand,  suit  or  proceeding  made  or  brought  against  SecurityPal by  a  third  party, and  will  indemnify  SecurityPal from  any  damages,  reasonable attorney  fees  and  costs,  finally  awarded  to the third party claimant  by a court of competent jurisdiction, or  for  any  settlement  approved  in  writing signed by an authorized officer of Client, arising from: (i)  Client’s  use  of  the  SecurityPal Assets in  violation  of  the Agreement; or (ii) for any breach of Section 2(c) (Restrictions) or Section 9(b) (Client Representations & Warranties). The above defense and indemnification obligations do not apply if a claim against SecurityPal arises from SecurityPal’s breach of the license grant to Client Data set forth in Section 4.
  2. Indemnification Process. The indemnified parties will: (i) give the indemnifying party prompt written notice of any claim, action or demand for which indemnity is claimed; (ii) give the indemnifying party sole control over the defense and settlement of the claim, provided that the indemnifying party will not settle any claim that involves the payment of money or acknowledgement of wrongdoing on the part of the indemnified parties without indemnified parties' prior written approval such approval not to be unreasonably withheld, conditioned or delayed; and (iii) provide the indemnifying party with reasonable cooperation, at the indemnified parties' expense, in connection with the defense and settlement of the claim.
  3. Sole and Exclusive Remedy. This Section 10 sets forth the indemnifying party's sole liability to, and the indemnified party's exclusive remedy against, the other party for the third-party claims described herein.
  1. Limitation on Liability
  1. Disclaimer of Consequential and Related Damages. IN NO EVENT WILL EITHER PARTY OR ITS AFFILIATES HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT FOR ANY LOST PROFITS, REVENUES, GOODWILL, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER, DATA LOSS, BUSINESS INTERRUPTION OR PUNITIVE DAMAGES, WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF A PARTY OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF A PARTY'S OR ITS AFFILIATES' REMEDY OTHERWISE FAILS OF ITS ESSENTIAL PURPOSE. 
  2. Limitation of Liability. EXCEPT FOR (I) CLIENT'S BREACH OF SECTION 2(D) (RESTRICTIONS), (II) EACH PARTY'S OBLIGATIONS UNDER SECTION 10 (INDEMNIFICATION), (III) EITHER PARTY'S BREACH OF CONFIDENTIALITY (BUT NOT RELATING TO ANY LIABILITY ASSOCIATED WITH SECURITYPAL’S SECURITY OBLIGATIONS WITH RESPECT TO CLIENT DATA WHICH REMAINS SUBJECT TO THE EXCLUDED CLAIMS CAP), OR (IV) FOR EITHER PARTY'S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, IN NO EVENT SHALL THE AGGREGATE LIABILITY OF A PARTY (INCLUDING ITS AFFILIATES) UNDER THIS AGREEMENT EXCEED THE TOTAL AMOUNT OF FEES PAID BY CLIENT (AND ITS AFFILIATES) FOR USE OF THE SECURITYPAL ASSETS IN THE TWELVE MONTHS PRIOR TO THE CLAIM GIVING RISE TO SUCH LIABILITY.
  3. Excluded Claims Cap. "Excluded Claims" means any claim and/or liability associated with any breach by SecurityPal of Section 4(b) (Security of Client Data) including for clarity with respect to any claim of liability associated with the DPA or the Security Protocols. SECURITYPAL’S TOTAL, CUMULATIVE LIABILITY FOR ALL EXCLUDED CLAIMS WILL NOT EXCEED THE TWO (2) TIMES THE TOTAL AMOUNT OF FEES PAID FOR USE OF THE SECURITYPAL ASSETS BY CLIENT TO SECURITYPAL UNDER THIS AGREEMENT.
  4. No Limit by Law. THE FOREGOING LIMITATIONS ON LIABILITY WILL NOT APPLY TO THE EXTENT ANY SUCH LIMITATION IS PROHIBITED BY ANY LAWS.
  1. Insurance. SecurityPal will maintain in full force and effect during the Term of this Agreement: 
  1. Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage; 
  2. Worker’s compensation insurance as required by applicable law, including employer’s liability coverage for injury, disease and death, with coverage limits of not less than [$1,000,000] per accident and employee and [$1,000,000] in disease; 
  3. Umbrella liability insurance on an occurrence form, for limits of not less than $4,000,000 per occurrence and in the aggregate; and 
  4. Technology Errors & Omissions liability coverage of not less than $1,000,000.  

Insurance carriers will be rated A-VII or better by A.M. Best Provider. SecurityPal’s coverage will be considered primary without right of contribution of Client’s insurance policies. In no event will the foregoing coverage limits affect or limit in any manner SecurityPal’s contractual liability for indemnification or any other liability of SecurityPal under this Agreement.

  1. Miscellaneous. This Agreement, including all applicable Order Forms, is the entire agreement between the parties and supersedes all prior agreements and understandings concerning the subject matter hereof and may not be amended or modified except by a writing signed by both parties. The parties are independent contractors, and this Agreement will not establish any relationship of partnership, joint venture, or agency between the parties. Failure to exercise any right under this Agreement will not constitute a waiver. There are no third-party beneficiaries to this Agreement. This Agreement is governed by the laws of the State of California without reference to conflicts of law rules. For any dispute relating to this Agreement, the parties consent to personal jurisdiction and the exclusive venue of the courts in San Francisco County, California. Any notice provided by one party to the other under this Agreement will be in writing and sent by electronic mail to the email address listed on the signature page below. If any provision of this Agreement is found unenforceable, this Agreement will be construed as if it had not been included. Neither party may assign this Agreement without the prior, written consent of the other party, except that either party may assign this Agreement without such consent to an affiliate, or in connection with an acquisition of the assigning party or a sale of all or substantially all of its assets. This Agreement may be executed in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument. Facsimile or other electronic copies of such signed copies will be deemed to be binding originals.