MASTER SERVICES AGREEMENT
Updated March 30, 2023
This SecurityPal Master Services Agreement (“Agreement”) is made between SecurityPal, Inc., a Delaware corporation with its principal place of business at 415 Mission Street, Floor 37, Suite 117, San Francisco, CA 94105 (“SecurityPal”), and Client (defined below) and govern the Client’s use of the Services (each as defined below).
“Client” means a person or entity that accepts and agrees to the terms of this Agreement as of the earlier date (“Start Date”) where such person or entity either clicks a box indicating acceptance of this Agreement, provides Client Data to SecurityPal for processing and/or uses the Services. SecurityPal reserves the right to modify or update this Agreement in its sole discretion, the effective date of such updates and/or modifications will be the earlier of: (i) 30 days from the date of such update or modification; or (ii) Client’s continued use of the Services or transmission of Client Data to SecurityPal.
IF YOU DO NOT ACCEPT THIS AGREEMENT, YOU MAY NOT ACCESS OR USE THE SERVICES. THE SERVICES ARE INTENDED FOR THE CLIENT AND ITS AUTHORIZED USERS ONLY AND ARE NOT FOR USE BY CHILDREN UNDER 13 YEARS OF AGE. IF AN INDIVIDUAL IS ENTERING INTO THIS AGREEMENT ON BEHALF OF A LEGAL ENTITY, SUCH PERSON REPRESENTS AND WARRANTS THAT IT HAS THE LEGAL AUTHORITY TO BIND SUCH LEGAL ENTITY TO THIS AGREEMENT AND THIS AGREEMENT APPLIES TO SUCH ENTITY WHICH IS DEEMED THE CLIENT.
If Client and SecurityPal have executed a written agreement governing Client’s access to and use of the Services as a SecurityPal client, then the terms of such signed agreement will govern and will supersede this Agreement.
SecurityPal and Client agree as follows:
Definitions. In addition to capitalized terms defined elsewhere in this Agreement, the following terms shall have the meanings set forth below:
- “Affiliates” means an entity that Controls, is Controlled by, or is under common Control with the subject entity.
- “Aggregated Anonymous Data” means aggregated and anonymized data and information derived from Client Data used by SecurityPal for internal business purposes including to provide, develop and improve the Software and Services. Aggregated Anonymous Data is not Client Data and do not consist of Personal Data (as defined in the DPA).
- “Client Data” means any information and/or data (e.g., Security Questionnaires, Client answers and libraries) provided or transferred to SecurityPal by Client via the Services or Software.
- “Completed Security Questionnaires” means Security Questionnaires that have been completed by SecurityPal via the Software and Services subject to the Service Level set forth in the Order Form.
- “Confidential Information” means information disclosed by or on behalf of one party (as discloser) to the other party (as recipient) under this Agreement, in any form, which: (i) the discloser identifies to recipient as “confidential” or “proprietary;” or (ii) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. SecurityPal’s Confidential Information includes technical or performance information about the Services and the Software, and Client’s Confidential Information includes Client Data. Information on an Order Form is each party’s Confidential Information.
- “Control” for means direct or indirect ownership of control of more than 50% of the voting interests of the subject entity.
- “Documentation” means the written or online user manuals, help files, specification sheets, or other documentation regarding the Software and the Services made available to Client by SecurityPal.
- “DPA” means SecurityPal’s Data Processing Agreement available at: https://www.securitypalhq.com/dpa.
- “Order Form” means each written order or online order specifying the Services to be provided under this Agreement and applicable fees, that is executed in writing between Client and SecurityPal.
- “Security Protocols” means SecurityPal’s technical and organizational security measures set forth within Annex II to the DPA.
- “Security Questionnaire” means a document in any form (e.g., a questionnaire) issued by a third party to Client that requires Client to answer specific questions about Client’s internal security technical and organizational measures.
- “Security Questionnaire Service Level” has the meaning set forth in the Order Form.
- “Service(s)” means SecurityPal’s proprietary cloud software and other services identified in an Order Form and as modified from time to time by SecurityPal. The Services include human resources, the Software and Documentation but not any third-party products.
- “Software” means the software that SecurityPal develops and maintains in order to provide the Services, and all modifications, updates, upgrades thereto and derivative works thereof.
- “Subscription Term” means the period of time specified in an Order Form.
- “Support Terms” means support terms for the Software as set forth in Section 2(a)(iii) below.
- “Users” means anyone that Client allows to use its accounts for the Services, who may include: (a) employees, advisors and contractors of Client and its Affiliates; and (b) others if permitted in this Agreement, the Documentation or an Order Form.
Services. SecurityPal Obligations in the Services. SecurityPal will:
- Perform the Services to create Completed Security Questionnaires in accordance with the Security Questionnaire Service Levels, and up to the number, specified in the Order Form;
- Make the Software available to Client under the terms of this Agreement and as set forth in the applicable Order Form(s) and Documentation; and
- Unless stated otherwise in the applicable Order Form, if Client experiences any errors, bugs, or other issues in its use of the Software and/or Services, SecurityPal will use commercially reasonable efforts to respond as soon as possible (“Support”) in order to resolve the issue or provide a suitable workaround. The fee for Support is included in the cost of the subscription set forth on the Order Form. Client will send any Support requests to SecurityPal via email (to: email@example.com, firstname.lastname@example.org, via Slack or live meeting as specified in the Documentation).
- Client’s Right to Use the Software. During the Term, SecurityPal grants Client a limited, non-exclusive, non-transferable, non-sublicensable, license to: (i) access and use the Software solely for Client’s internal use for up to the number of Users identified on the Order Form; and (ii) use the Documentation for Client’s internal use in connection with the Software.
- Software License Restrictions. Client will not (and will not allow any third party to): (i) use or access the Software for any competitive purposes, including to benchmark or penetration test the Software, without SecurityPal’s express written consent; (ii) market, sublicense, resell, lease, loan, transfer, or otherwise commercially exploit or make the Software available to any third party, except to its Users or a third party that manages Client’s computing environment; (iii) modify, create derivative works, decompile, reverse engineer, attempt to gain access to the source code, or copy the Software, or any of their components; (iv) use or access the Software to submit or transmit any computer viruses, worms, defects, Trojan horses or other items of a destructive nature or to send any commercial solicitation or spam (whether commercial in nature or not); or (v) exploit the Software in any unauthorized way whatsoever, including by trespass or burden (e.g., transmitting corrupted files, spyware, adware, or any other software or programs) or deploying spiders, web-bots, screen-scrapers, or web crawlers, that may damage or adversely affect server or network capacity or Software infrastructure (each, a “License Restriction(s)”).
Client’s Obligations. Client will:
- Provide Client Data to SecurityPal: (i) via a mutually agreed upon mechanism or as stated in the Order Form; and/or (ii) by means of digital transfer via the Software; and
- Be responsible for: (i) its Users; (ii) all Client Data provided, or otherwise transmitted by Client in connection with the Services, to SecurityPal including Client Data accuracy, quality, and legality, and the means by which Client acquired Client Data; and (iii) maintaining the security of its passwords for accessing the SecurityPal Software and will not disclose any passwords to any third party. Should Client discover an unauthorized disclosure of any such passwords or any unauthorized access to the SecurityPal application, Client will promptly send notify SecurityPal (via email@example.com) describing the incident in detail. Upon the termination of the engagement of any User of the Services, Client will promptly remove access for such User.
License to Client Data; Security of Client Data.
- License to Client Data. SecurityPal uses machine learning tools and human resources to enhance the Software and Client Data, create Complete Security Questionnaires and Aggregated Anonymous Data, to provide the Services, and otherwise to develop and improve SecurityPal’s products, services and technologies, on the basis of Client Data. Subject to the terms of this Agreement, Client grants SecurityPal a license to use the Client Data for the purposes under this Section 2(c), including as specified in each Order Form, and the DPA.
- Security & Privacy. SecurityPal maintains industry-standard physical, technical, and administrative safeguards in order to protect Client Data in accordance with the SecurityPal’s Security Protocols.
- DPA. SecurityPal will process all Client Data for the purposes set forth in this Agreement and in accordance with the DPA.
Term & Termination.
- Term. Unless specified otherwise in the applicable Order Form, the Term commences on the Effective Date and continues for the period specific in the Order Form (“Initial Subscription Term”) and the Agreement will be automatically extended for additional one-year terms (each, a “Renewal Subscription Term”) unless terminated as provided for in this Agreement. No less than thirty (30) days before the end of the Initial Subscription Term or any Renewal Subscription Term thereafter, either party may give the other party written notice of termination, in which case this Agreement will terminate at the end of the current Initial Subscription Term or Renewal Subscription Term. “Term” means the Initial Subscription Term and each Renewal Subscription Term collectively.
- Termination for Cause. Either party may terminate this Agreement or any active subscription for cause: (i) upon 30 days written notice to the other party of a material breach if such breach remains uncured at the expiration of the 30-day period; or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.
- Effect of Termination. Client’s right to receive the Services and use the Software will cease upon any termination or expiration of this Agreement subject to this Section 5. If Client terminates this Agreement in accordance with Section 5(b), SecurityPal will reimburse Client on a pro-rata basis for any pre-paid fees allocable to the remaining Subscription Term as of the date of such termination. Upon any termination or expiration of this Agreement, within 30 days of Client’s written request, SecurityPal will delete Client Data from the Service, Software and within its control, if any, and each party will delete any Confidential Information of the other in its possession or control. A party may retain Client Data or Confidential Information in accordance with its standard backup or record retention policies, or as required by Laws, subject to Section 7 (Confidentiality).
- Survival. The following provisions will survive any expiration or termination of this Agreement: Sections 7 (Confidentiality), 8 (Ownership), 10 (Indemnification), 11 (Limitation on Liability), and 13 (Miscellaneous (as applicable).
- Fees. Client will pay all fees set forth on the applicable Order Form. Following execution of the Order Form, SecurityPal will submit an invoice to Client and payment will be due 30 days from receipt of an undisputed invoice unless otherwise set forth on the Order Form (“Due Date”).
- Overdue Charges. If any undisputed, invoiced amount is not received by SecurityPal by the Due Date, then: (i) those charges may accrue late interest at the rate of 2.0% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower; and (ii) SecurityPal may condition future purchases on receipt of payment for previous purchases and/or payment terms shorter than those specified on the previous Order Form.
- Taxes. Client is responsible for any sales, use, GST, value-added, withholding or similar taxes or levies that apply to its Order Forms, whether domestic or foreign (“Taxes”), other than SecurityPal’s income tax. Fees and expenses are exclusive of Taxes.
- Use and Protection. As recipient, each party will: (i) use Confidential Information only to fulfill its obligations and exercise its rights under this Agreement; (ii) not disclose Confidential Information to third parties without the discloser's prior approval, except as permitted in this Agreement; and (iii) protect Confidential Information using at least the same precautions recipient uses for its own similar information and no less than a reasonable standard of care.
- Permitted Disclosures. The recipient may disclose Confidential Information to its employees, agents, contractors and other representatives having a legitimate need to know, provided it remains responsible for their compliance and they are bound to confidentiality obligations no less protective than this Section 7.
- Exclusions. The confidentiality obligations herein do not apply to information that the recipient can document: (i) is or becomes public knowledge through no fault of the recipient; (ii) it rightfully knew or possessed, without confidentiality restrictions, prior to receipt from the discloser; (iii) it rightfully received from a third party without confidentiality restrictions; or (iv) it independently developed without using or referencing Confidential Information.
- Remedies. Breach of this Section 7 may cause substantial harm for which monetary damages are an insufficient remedy. Upon a breach of this Section 7, the discloser may seek appropriate equitable relief, including an injunction, in addition to other remedies.
- Required Disclosures. The recipient may disclose Confidential Information (including Client Data) to the extent required by applicable laws. If permitted by such applicable laws, the recipient will give the discloser reasonable advance notice of the required disclosure and reasonably cooperate, at the discloser's expense, to obtain confidential treatment for the Confidential Information.
- No Publicity. Neither party may publicly announce this Agreement without the other party's prior approval or except as required by applicable laws.
- SecurityPal Property. As between the parties, SecurityPal owns and retains all right, title, and interest in and to the Services, Software and Feedback. Except for the limited license granted to Client in Section 2(c), SecurityPal does not by means of this Agreement or otherwise transfer any other rights to Client. For clarity, the Software and access to the Services are licensed, not sold, and Client acquires no ownership or other interest (other than the license rights expressly stated herein) in or to the Service or the Software.
- Client Property. As between the parties, Client owns and retains all right, title, and interest in and to the Client Data. Except for the licenses granted to SecurityPal in Section 4, Client does not by means of this Agreement or otherwise transfer any other rights to SecurityPal.
- Reserved Rights. Neither party grants the other any rights or licenses not expressly set out in this Agreement.
- Feedback. Client may provide comments, suggestions and recommendations to SecurityPal with respect to the Services and Software (including, without limitation, comments, suggestions and recommendations with respect to modifications, enhancements, improvements and other changes) (collectively, “Feedback”). In such event, SecurityPal may freely use and exploit any such Feedback without any obligation to Client, unless otherwise agreed upon by the parties in writing. Client assigns to SecurityPal any proprietary right that Client may have in or to the Feedback.
Representations & Warranties.
- Mutual Warranties. Each party represents and warrants that it: (i) has the legal power and authority to enter into this Agreement; and (ii) will comply with all applicable laws that apply to its performance under this Agreement.
- Client Representations and Warranties. Client represents and warrants it has all rights necessary to: (i) transfer Client Data to SecurityPal as required hereunder whether directly or via the Software and/or Services; and (ii) grant the licensed and rights to SecurityPal in and to Client Data as specified in this Agreement.
- Disclaimers. WITH THE EXCEPTION OF THE LIMITED WARRANTIES SET FORTH IN THIS SECTION 9, THE SERVICES AND SOFTWARE ARE PROVIDED "AS IS" TO THE FULLEST EXTENT PERMITTED BY LAW. SECURITYPAL AND ITS LICENSORS EXPRESSLY DISCLAIM ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF PERFORMANCE, MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSES, AND NON-INFRINGEMENT. SECURITYPAL DOES NOT WARRANT THAT THE SOFTWARE OR SERVICES: (I) ARE ERROR-FREE; (II) WILL PERFORM UNINTERRUPTED; OR (III) WILL MEET CLIENT’S REQUIREMENTS.
1. Indemnification by SecurityPal. SecurityPal will defend Client, and its Affiliates, against any claim, demand, suit or proceeding made or brought against Client by a third party, and will indemnify Client from any damages, reasonable attorney fees and costs, finally awarded to the third party claimant by a court of competent jurisdiction, or for any settlement approved in writing signed by an authorized officer of SecurityPal, alleging the Software and/or the Services (together, the “SecurityPal Assets”) infringe or misappropriate such third party's United States or European intellectual property rights.
If SecurityPal becomes, or in SecurityPal’s reasonable opinion is likely to become, the subject of an infringement or misappropriation claim, SecurityPal may, at its option and expense: (i) modify the SecurityPal Assets so that they are no longer claimed to infringe or misappropriate; (ii) obtain a license for Client’s continued use of the SecurityPal Assets in accordance with this Agreement; or (iii) terminate Client’s subscription(s) for the SecurityPal Assets upon 30 days' written notice and refund Client a pro-rata portion of any prepaid fees covering the remainder of the Subscription Term of the terminated SecurityPal Assets.
The above defense and indemnification obligations do not apply if a claim against Client arises from: (x) any unauthorized use, reproduction, or distribution of the SecurityPal Assets or SecurityPal’s intellectual property rights by Client which is the subject of the claim; or (y) any unauthorized combination of, or modification to, the SecurityPal Assets or SecurityPal’s intellectual property rights, other than as expressly approved by SecurityPal that causes the underlying claim where such claim would have not occurred but for such unauthorized act.
2. Indemnification by Client. Client will defend SecurityPal, and its Affiliates, against any claim, demand, suit or proceeding made or brought against SecurityPal by a third party, and will indemnify SecurityPal from any damages, reasonable attorney fees and costs, finally awarded to the third party claimant by a court of competent jurisdiction, or for any settlement approved in writing signed by an authorized officer of Client, arising from: (i) Client’s use of the SecurityPal Assets in violation of the Agreement; or (ii) for any breach of Section 2(c) (License Restrictions) or Section 9(b) (Client Representations & Warranties). The above defense and indemnification obligations do not apply if a claim against SecurityPal arises from SecurityPal’s breach of the license grant to Client Data set forth in Section 4.
3. Indemnification Process. The indemnified parties will: (i) give the indemnifying party prompt written notice of any claim, action or demand for which indemnity is claimed; (ii) give the indemnifying party sole control over the defense and settlement of the claim, provided that the indemnifying party will not settle any claim that involves the payment of money or acknowledgement of wrongdoing on the part of the indemnified parties without indemnified parties' prior written approval such approval not to be unreasonably withheld, conditioned or delayed; and (iii) provide the indemnifying party with reasonable cooperation, at the indemnified parties' expense, in connection with the defense and settlement of the claim.
4. Sole and Exclusive Remedy. This Section 10 sets forth the indemnifying party's sole liability to, and the indemnified party's exclusive remedy against, the other party for the third-party claims described herein.
Limitation on Liability.
- Disclaimer of Consequential and Related Damages. IN NO EVENT WILL EITHER PARTY OR ITS AFFILIATES HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT FOR ANY LOST PROFITS, REVENUES, GOODWILL, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER, DATA LOSS, BUSINESS INTERRUPTION OR PUNITIVE DAMAGES, WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF A PARTY OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF A PARTY'S OR ITS AFFILIATES' REMEDY OTHERWISE FAILS OF ITS ESSENTIAL PURPOSE.
- Limitation of Liability. EXCEPT FOR (I) EACH PARTY'S OBLIGATIONS UNDER SECTION 10 (INDEMNIFICATION), (II) EITHER PARTY'S BREACH OF CONFIDENTIALITY (BUT NOT RELATING TO ANY LIABILITY ASSOCIATED WITH SECURITYPAL’S SECURITY OBLIGATIONS WITH RESPECT TO CLIENT DATA WHICH REMAINS SUBJECT TO THE EXCLUDED CLAIMS CAP), OR (III) FOR EITHER PARTY'S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, IN NO EVENT SHALL THE AGGREGATE LIABILITY OF A PARTY (INCLUDING ITS AFFILIATES) UNDER THIS AGREEMENT EXCEED THE TOTAL AMOUNT OF FEES PAID BY CLIENT (AND ITS AFFILIATES) FOR USE OF THE SECURITYPAL ASSETS IN THE TWELVE MONTHS PRIOR TO THE CLAIM GIVING RISE TO SUCH LIABILITY.
- Excluded Claims Cap. "Excluded Claims" means any claim and/or liability associated with any breach by SecurityPal of Section 4(b) (Security of Client Data) including for clarity with respect to any claim of liability associated with the DPA or the Security Protocols. SECURITYPAL’S TOTAL, CUMULATIVE LIABILITY FOR ALL EXCLUDED CLAIMS WILL NOT EXCEED THE TWO (2) TIMES THE TOTAL AMOUNT OF FEES PAID FOR USE OF THE SECURITYPAL ASSETS BY CLIENT TO SECURITYPAL UNDER THIS AGREEMENT.
- No Limit by Law. THE FOREGOING LIMITATIONS ON LIABILITY WILL NOT APPLY TO THE EXTENT ANY SUCH LIMITATION IS PROHIBITED BY ANY LAWS.
Insurance. SecurityPal will maintain in full force and effect during the Term of this Agreement:
- Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
- Worker’s compensation insurance as required by applicable law, including employer’s liability coverage for injury, disease and death, with coverage limits of not less than $1,000,000 per accident and employee and $1,000,000 in disease;
- Umbrella liability insurance on an occurrence form, for limits of not less than $4,000,000 per occurrence and in the aggregate; and
- Technology Errors & Omissions liability coverage of not less than $1,000,000.
Insurance carriers will be rated A-VII or better by A.M. Best Provider. SecurityPal’s coverage will be considered primary without right of contribution of Client’s insurance policies. In no event will the foregoing coverage limits affect or limit in any manner SecurityPal’s contractual liability for indemnification or any other liability of SecurityPal under this Agreement.
- Miscellaneous. This Agreement, including all applicable Order Forms, is the entire agreement between the parties and supersedes all prior agreements and understandings concerning the subject matter hereof. The parties are independent contractors, and this Agreement will not establish any relationship of partnership, joint venture, or agency between the parties. Failure to exercise any right under this Agreement will not constitute a waiver. There are no third-party beneficiaries to this Agreement. Any notice provided by one party to the other under this Agreement will be in writing and sent by electronic mail to the email address listed on the signature page below. If any provision of this Agreement is found unenforceable, this Agreement will be construed as if it had not been included. Neither party may assign this Agreement without the prior, written consent of the other party, except that either party may assign this Agreement without such consent to an affiliate, or in connection with an acquisition of the assigning party or a sale of all or substantially all of its assets.
This Agreement is governed by the laws of California without reference to conflicts of law rules. If any dispute, controversy or claim cannot be settled by the parties within 30 days of written notice from either party to the other of such dispute, controversy or claim, then, except as set forth below, any dispute, controversy or claim arising under, out of or relating to this Agreement, will be finally determined by arbitration conducted by the JAMS by a single arbiter who will be fluent in written and spoken English. The place of such arbitration will be in San Francisco, California, U.S.A. The sole and exclusive language of arbitration will be English. The judgment of the arbitration will be final, non-appealable (to the extent not inconsistent with applicable law) and binding upon the parties, and judgment may be entered upon the arbital award in any court of competent jurisdiction. The foregoing does not limit or restrict either party from seeking injunctive or other equitable relief with respect to its intellectual property rights hereunder. Subject to the dispute resolution procedures above, any disputes arising out of or related to this Agreement will be subject to the jurisdiction of the state and federal courts of San Francisco County, California, U.S.A.