Zip Security Master Services Agreement

This Master Services Agreement (this “Agreement”), is effective as of the effective date (“Effective Date”) in an associated signed order form (“Order Form”), and is by and between Zip Security, Inc. (“RSL”) and the customer set forth in the Order Form (“Customer”). RSL and Customer may be referred to herein collectively as the “Parties” or individually as a “Party”. In any case of conflict between the MSA and the Order Form, the terms of the Order Form shall govern.

Recitals

A. RSL operates the Services and provides access to its customers; and

B. Customer desires to access and use the Services, and RSL is willing to provide such access, subject to the terms and conditions of this Agreement.

NOW, THEREFORE, in consideration of the mutual covenants, terms, and conditions set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

1. Definitions.

(a) “Aggregate Data” means any data that is derived or aggregated in deidentified form from (i) any Customer Materials; or (ii) Customer’s and/or its Authorized Users’ Use of the Services, including, without limitation, any usage data or trends with respect to the Services.

(b) “Authorized User” means an employee or contractor whom Customer has authorized to Use the Services.

(c) “RSL IP” means the Services, the underlying software provided in conjunction with the Services, algorithms, interfaces, technology, databases, tools, know-how, processes and methods used to provide or deliver the Services or any Professional Services, Documentation and Aggregate Data, all improvements, modifications or enhancements to, or derivative works of, the foregoing (regardless of inventorship or authorship), and all Intellectual Property Rights in and to any of the foregoing.

(d) “Customer Materials” means all information, data, content and other materials, in any form or medium, that is submitted, collected, transmitted or otherwise provided by or on behalf of Customer through the Services or to RSL in connection with Customer’s Use of the Services, but excluding, for clarity, Aggregate Data and any information, data, data models, content or materials owned or controlled by RSL and made available through or in connection with the Services.

(e) “Documentation” means the operator and user manuals, training materials, specifications, minimum system configuration requirements, compatible device and hardware list and other similar materials in hard copy or electronic form if and as provided by RSL to Customer (including any revised versions thereof) relating to the Services, which may be updated from time to time upon notice to Customer.

(f) “Intellectual Property Rights” means patent rights (including, without limitation, patent applications and disclosures), inventions, copyrights, trade secrets, know-how, data and database rights, mask work rights, and any other intellectual property rights recognized in any country or jurisdiction in the world.

(g) “Licensed Volume” means the limits, volume or other measurement or conditions of permitted Use for the applicable Subscription Service as set forth in the applicable Order Form, including any limits on the number of Authorized Users permitted to Use the Services based on Customer’s subscription tier.

(h) “Order Form” means a (i) mutually executed order form or other mutually agreed upon ordering document; (ii) purchase order issued by Customer and accepted by RSL in writing; or (iii) quote issued by RSL and accepted by Customer, in each case which references this Agreement and sets forth the applicable Services and/or Professional Services to be provided by RSL.

(i) “Person” means any individual, corporation, partnership, trust, limited liability company, association, governmental authority or other entity.

(j) “Professional Services” means the implementation and/or other professional services, if any, to be provided by RSL to Customer as set forth in the relevant Order Form.

(k) “Services” means services to deploy, configure and manage security software, as more particularly described or identified in the applicable Order Form.

(l) “Use” means to use and access the Services in accordance with this Agreement and the Documentation.

2. Services, Access and Use.

(a) Services. Subject to the terms and conditions of this Agreement, RSL hereby grants Customer a limited, non-exclusive, non-transferable (except in compliance with Section 13(f)) right to Use the Services during the Term, solely for Customer’s internal business purposes in accordance with, and subject to, the Licensed Volume.

(b) Use Restrictions. Customer will not at any time and will not permit any Person (including, without limitation, Authorized Users) to, directly or indirectly: (i) Use the Services in any manner beyond the scope of rights expressly granted in this Agreement; (ii) modify or create derivative works of the Services or Documentation, in whole or in part; (iii) reverse engineer, disassemble, decompile, decode or otherwise attempt to derive or gain improper access to any software component of the Services, in whole or in part; (iv) frame, mirror, sell, resell, rent or lease Use of the Services to any other Person, or otherwise allow any Person to Use the Services for any purpose other than for the benefit of Customer in accordance with this Agreement; (v) Use the Services or Documentation in any manner or for any purpose that infringes, misappropriates, or otherwise violates any Intellectual Property Right or other right of any Person, or that violates any applicable law; (vi) interfere with, or disrupt the integrity or performance of, the Services, or any data or content contained therein or transmitted thereby; (vii) access or search the Services (or download any data or content contained therein or transmitted thereby) through the use of any engine, software, tool, agent, device or mechanism (including spiders, robots, crawlers or any other similar data mining tools) other than software or Services features provided by RSL for use expressly for such purposes; or (viii) Use the Services, Documentation or any other RSL Confidential Information for benchmarking or competitive analysis with respect to competitive or related products or services, or to develop, commercialize, license or sell any product, service or technology that could, directly or indirectly, compete with the Services.

(c) Authorized Users. Customer will not allow any Person other than Authorized Users to Use the Services. Customer may permit Authorized Users to Use the Services, provided that (i) the Use, including the number of Authorized Users, does not exceed the Licensed Volume; and (ii) Customer ensures each Authorized User complies with all applicable terms and conditions of this Agreement and Customer is responsible for acts or omissions by Authorized Users in connection with their Use of the Services. Customer will, and will require all Authorized Users to, use all reasonable means to secure user names and passwords, hardware and software used to access the Services in accordance with customary security protocols, and will promptly notify RSL if Customer knows or reasonably suspects that any user name and/or password has been compromised.

(d) Third-Party Services. Certain features and functionalities within the Services may allow Customer and its Authorized Users to interface or interact with, access and/or use compatible third-party services, products, technology and content (collectively, “Third-Party Services”) through the Services. RSL does not provide any aspect of the Third-Party Services and is not responsible for any compatibility issues, errors or bugs in the Services or Third-Party Services caused in whole or in part by the Third-Party Services or any update or upgrade thereto. Customer is solely responsible for maintaining the Third-Party Services and obtaining any associated licenses and consents necessary for Customer to use the Third-Party Services in connection with the Services.

(d) Reservation of Rights. Subject to the limited rights expressly granted hereunder, RSL reserves and, as between the Parties will solely own, the RSL IP and all rights, title and interest in and to the RSL IP. No rights are granted to Customer hereunder (whether by implication, estoppel, exhaustion or otherwise) other than as expressly set forth herein.

(f) Feedback. From time to time, Customer or its employees, contractors, or representatives may provide RSL with suggestions, comments, feedback or the like with regard to the Services (collectively, “Feedback”). Customer hereby grants RSL a perpetual, irrevocable, royalty-free and fully-paid up license to use and exploit all Feedback in connection with RSL’s business purposes, including, without limitation, the testing, development, maintenance and improvement of the Services.

3. Fees and Payment.

(a) Fees. Customer will pay RSL the non-refundable fees set forth in the relevant Order Form in accordance with the terms therein (“Fees”) and without offset or deduction. RSL reserves the right to change the Fees or applicable charges and to institute new charges and Fees at the end of the Initial Term or then-current Renewal Term, upon sixty (60) days’ prior notice to Customer (which may be sent by email). Except as otherwise provided in the relevant Order Form, RSL will issue monthly invoices to Customer during the Term, and Customer will pay all amounts set forth on any such invoice no later than thirty (30) days after the date of such invoice.

(b) Payments. Payments due to RSL under this Agreement must be made in U.S. dollars by check, wire transfer of immediately available funds to an account designated by RSL or such other payment method mutually agreed by the Parties. All payments are non-refundable and neither Party will have the right to set off, discount or otherwise reduce or refuse to pay any amounts due to the other Party under this Agreement. If Customer fails to make any payment when due, late charges will accrue at the rate of 1.5% per month or, if lower, the highest rate permitted by applicable law and RSL may suspend Services until all payments are made in full. Customer will reimburse RSL for all reasonable costs and expenses incurred (including reasonable attorneys’ fees) in collecting any late payments or interest.

(c) Taxes. Customer is responsible for all sales, use, ad valorem and excise taxes, and any other similar taxes, duties and charges of any kind imposed by any federal, state, multinational or local governmental regulatory authority on any amount payable by Customer to RSL hereunder, other than any taxes imposed on RSL’s income. Without limiting the foregoing, in the event that Customer is required to deduct or withhold any taxes from the amounts payable to RSL hereunder, Customer will pay an additional amount, so that RSL receives the amounts due to it hereunder in full, as if there were no withholding or deduction.

4. Confidential Information.

(a) As used herein, “Confidential Information” means any information that one Party (the “Disclosing Party”) provides to the other Party (the “Receiving Party”) in connection with this Agreement, whether orally or in writing, that is designated as confidential or that reasonably should be considered to be confidential given the nature of the information and/or the circumstances of disclosure. For clarity, the Services and the Documentation will be deemed Confidential Information of RSL. However, Confidential Information will not include any information or materials that: (i) were, at the date of disclosure, or have subsequently become, generally known or available to the public through no act or failure to act by the Receiving Party; (ii) were rightfully known by the Receiving Party prior to receiving such information or materials from the Disclosing Party; (iii) are rightfully acquired by the Receiving Party from a third party who has the right to disclose such information or materials without breach of any confidentiality or non-use obligation to the Disclosing Party; or (iv) are independently developed by or for the Receiving Party without use of or access to any Confidential Information of the Disclosing Party.

(b) The Receiving Party will maintain the Disclosing Party’s Confidential Information in strict confidence, and will not use the Confidential Information of the Disclosing Party except as necessary to perform its obligations or exercise its rights under this Agreement. The Receiving Party will not disclose or cause to be disclosed any Confidential Information of the Disclosing Party, except (i) to those employees, representatives, or contractors of the Receiving Party who have a bona fide need to know such Confidential Information to perform under this Agreement and who are bound by written agreements with use and nondisclosure restrictions at least as protective as those set forth in this Agreement, or (ii) as such disclosure may be required by the order or requirement of a court, administrative agency or other governmental body, subject to the Receiving Party providing to the Disclosing Party reasonable written notice to allow the Disclosing Party to seek a protective order or otherwise contest the disclosure.

(c) Each Party’s obligations of non-disclosure with regard to Confidential Information are effective as of the Effective Date and will expire five (5) years from the date first disclosed to the Receiving Party; provided, however, with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), such obligations of non-disclosure will survive the termination or expiration of this Agreement for as long as such Confidential Information remains subject to trade secret protection under applicable law.

(d) Protection under applicable law. The terms and conditions of this Agreement will constitute Confidential Information of each Party but may be disclosed on a confidential basis to a Party’s advisors, attorneys, actual or bona fide potential acquirers, investors or other sources of funding (and their respective advisors and attorneys) for due diligence purposes.

5. Customer Materials and Data.

(a) RSL acknowledges that, as between Customer and RSL and except as set forth in Section 65(b), Customer owns and retains all right, title and interest in and to all Customer Materials.

(b) Customer hereby grants RSL a non-exclusive, worldwide, royalty-free right and license to use, host, reproduce, display, perform, modify the Customer Materials solely for the purpose of hosting, operating, improving and providing the Services, Professional Services and RSL’s other related products, services and technologies during the Term.

(c) Customer represents and warrants that (i) it has obtained and will obtain and continue to have, during the Term, all necessary rights, authority and licenses for the access to and use of the Customer Materials (including any personal data provided or otherwise collected pursuant to Customer’s privacy policy) as contemplated by this Agreement, (ii) RSL’s use of the Customer Materials in accordance with this Agreement will not violate any applicable laws or regulations or cause a breach of any agreement or obligations between Customer and any third party, (iii) Customer has obtained and will obtain and maintain throughout the Term all licenses, rights, consents, and permissions necessary to authorize RSL to exercise the licenses and rights granted by Customer, and perform its obligations, under this Agreement; and (iv) the services performed by RSL for Customer under this Agreement are permitted under all third-party agreements, terms, acceptable use policies, and the like applicable to Customer and its technology infrastructure and will not result in a breach of any agreement between Customer and a third party.

6. Representations and Warranties.

Each Party hereby represents and warrants to the other Party that: (i) it is duly organized, validly existing and in good standing under its jurisdiction of organization and has the right to enter into this Agreement and (ii) the execution, delivery and performance of this Agreement and the consummation of the transactions contemplated hereby are within the corporate powers of such Party and have been duly authorized by all necessary corporate action on the part of such Party, and constitute a valid and binding agreement of such Party.

7. Indemnification

(a) RSL Indemnification. Subject to Section 7(b), RSL will defend Customer against any claim, suit or proceeding brought by a third party (“Claims”) alleging that Customer’s Use of the Services infringes or misappropriates such third party’s Intellectual Property Rights, and will indemnify and hold harmless Customer against any damages and costs awarded against Customer or agreed in settlement by RSL (including reasonable attorneys’ fees) resulting from such Claim.

(b) Exclusions. RSL’s obligations under Section 7(a) will not apply if the underlying third-party Claim arises from or as a result of: (i) Customer’s breach of this Agreement, negligence, willful misconduct or fraud; (ii) any Customer Materials; (iii) Customer’s failure to use any enhancements, modifications, or updates to the Services that have been provided by RSL; (iv) modifications to the Services by anyone other than RSL; or (v) combinations of the Services with software, data or materials not provided by RSL.

(c) IP Remedies. If RSL reasonably believes the Services (or any component thereof) could infringe any third party’s Intellectual Property Rights, RSL may, at its sole option and expense use commercially reasonable efforts to: (i) modify or replace the Services, or any component or part thereof, to make it non-infringing; or (ii) procure the right for Customer to continue Use. If RSL determines that neither alternative is commercially practicable, RSL may terminate this Agreement, in its entirety or with respect to the affected component, by providing written notice to Customer. In the event of any such termination, RSL will refund to Customer a pro-rata portion of the Fees that have been paid for the unexpired portion. The rights and remedies set forth in this Section 7 will constitute Customer’s sole and exclusive remedy for any infringement or misappropriation of Intellectual Property Rights in connection with the Services.

(d) Customer Indemnification. Subject to Section 7(e), Customer will defend RSL against Claims arising from or related to (i) any Customer Materials, including, without limitation, (A) any Claim that the Customer Materials infringe, misappropriate or otherwise violate any third party’s Intellectual Property Rights or privacy or other rights; or (B) any Claim that the use, provision, transmission, display or storage of Customer Materials by Customer or RSL violates any applicable law, rule or regulation, any agreement between Customer and a third party, or any obligation or duty owed by Customer to a third party; (ii) any of Customer’s products or services; (iii) Use of the Services by Customer or its Authorized Users in a manner that is not in accordance with this Agreement or the Documentation, including, without limitation, any breach of the license restrictions in Section 2(b); (iv) any failure by Customer to achieve a Compliance Standard other than as the result of RSL’s breach of this Agreement, or (v) any relationship or dispute between Customer and a third party (including any end user or customer of Customer); and in each case, will indemnify and hold harmless RSL against any damages and costs awarded against RSL or agreed in settlement by Customer (including reasonable attorneys’ fees) resulting from such Claim.

(e) Indemnification Procedures. The Party seeking defense and indemnity (the “Indemnified Party”) will promptly notify the other Party (the “Indemnifying Party”) of the Claim for which indemnity is being sought, and will reasonably cooperate with the Indemnifying Party in the defense and/or settlement thereof. The Indemnifying Party will have the sole right to conduct the defense of any Claim for which the Indemnifying Party is responsible hereunder (provided that the Indemnifying Party may not settle any Claim without the Indemnified Party’s prior written approval unless the settlement is for a monetary amount, unconditionally releases the Indemnified Party from all liability without prejudice, does not require any admission by the Indemnified Party, and does not place restrictions upon the Indemnified Party’s business, products or services). The Indemnified Party may participate in the defense or settlement of any such Claim at its own expense and with its own choice of counsel or, if the Indemnifying Party refuses to fulfill its obligation of defense, the Indemnified Party may defend itself and seek reimbursement from the Indemnifying Party.

8. Professional Services Warranty

RSL warrants that Professional Services will be performed in a good and workmanlike manner consistent with applicable industry standards. This warranty will be in effect for a period of thirty (30) days from the completion of any Professional Services. As Customer’s sole and exclusive remedy and RSL’s entire liability for any breach of the foregoing warranty, RSL will promptly re-perform any Professional Services that fail to meet this limited warranty. 

9. Warranty Disclaimer

EXCEPT AS EXPRESSLY SET FORTH HEREIN, THE SERVICES, PROFESSIONAL SERVICES AND OTHER RSL IP ARE PROVIDED ON AN “AS IS” BASIS, AND RSL MAKES NO WARRANTIES OR REPRESENTATIONS TO CUSTOMER, ITS AUTHORIZED USERS OR TO ANY OTHER PARTY REGARDING THE RSL IP, THE SERVICES, PROFESSIONAL SERVICES OR ANY OTHER SERVICES OR MATERIALS PROVIDED HEREUNDER. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, RSL HEREBY DISCLAIMS ALL WARRANTIES AND REPRESENTATIONS, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE. WITHOUT LIMITING THE FOREGOING, RSL HEREBY DISCLAIMS ANY WARRANTY THAT USE OF THE SERVICES OR PROFESSIONAL SERVICES WILL BE ERROR-FREE, BUG-FREE OR UNINTERRUPTED, WILL BE SUFFICIENT TO PREVENT THIRD-PARTY ACCESS TO CUSTOMER DATA OR CUSTOMER’S DEVICES, OR WILL MEET THE REQUIREMENTS OF CUSTOMER.

CERTAIN SERVICES ARE PROVIDED TO ASSIST ORGANIZATIONS IN MEETING THE TECHNICAL REQUIREMENTS ASSOCIATED WITH VARIOUS COMPLIANCE FRAMEWORKS.  WHILE RSL MAKES EFFORTS TO MINIMIZE THE BARRIERS TO COMPLIANCE WHEREVER POSSIBLE, IT IS NOT A SUBSTITUTE FOR AN INDEPENDENT EVALUATION NOR IS THE USE OF THE SERVICES INTENDED TO BE AN INDEPENDENT COMPLIANCE SOLUTION.  ACCORDINGLY, RSL MAKES NO REPRESENTATIONS THAT THE USE OF THE SERVICES IS SUFFICIENT TO ACHIEVE COMPLIANCE WITH ANY SPECIFIC LEGAL OR TECHNICAL FRAMEWORK. NOTWITHSTANDING ANYTHING TO THE CONTRARY, EXCEPT AS EXPRESSLY SET FORTH IN A SIGNED AGREEMENT BETWEEN RSL AND CUSTOMER, RSL MAKES NO REPRESENTATIONS, WARRANTIES, OR CLAIMS WHATSOEVER THAT RSL HAS ACHIEVED OR MAINTAINS, OR THAT THE SERVICES COMPLY WITH OR WILL ENABLE OR FACILITATE CUSTOMER’S COMPLIANCE WITH, INDUSTRY STANDARDS, CERTIFICATIONS, GUIDELINES, OR THIRD-PARTY REQUIREMENTS (COLLECTIVELY, “COMPLIANCE STANDARDS”), INCLUDING WITHOUT LIMITATION ANY NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY OR INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) STANDARDS OR GUIDELINES OR CYBERSECURITY STANDARDS OR MODELS PROMULGATED BY GOVERNMENTAL AUTHORITIES. CUSTOMER IS SOLELY RESPONSIBLE FOR DETERMINING WHETHER IT CAN PROVIDE DATA TO RSL WITHOUT VIOLATION OF APPLICABLE LAW, REGULATION, OR POLICY.

10. Limitation of Liability

(a) Exclusion of Damages. EXCEPT FOR: (I) ANY INFRINGEMENT BY ONE PARTY OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS, (II) FRAUD OR WILFUL MISCONDUCT BY EITHER PARTY, OR (III) BREACH OF CUSTOMER’S PAYMENT OBLIGATIONS, NEITHER PARTY WILL BE LIABLE TO THE OTHER FOR ANY INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR ANY LOSS OF INCOME, DATA, PROFITS, REVENUE OR BUSINESS INTERRUPTION, OR THE COST OF COVER OR SUBSTITUTE SERVICES OR OTHER ECONOMIC LOSS, ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, THE RSL IP OR THE PROVISION OF THE SERVICES AND PROFESSIONAL SERVICES, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED ON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, AND WHETHER OR NOT SUCH PARTY WAS ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

(b) Total Liability. IN NO EVENT WILL RSL’S TOTAL LIABILITY TO CUSTOMER OR ITS AUTHORIZED USERS IN CONNECTION WITH THIS AGREEMENT, THE RSL IP OR THE PROVISION OF THE SERVICES OR PROFESSIONAL SERVICES EXCEED THE FEES ACTUALLY PAID BY CUSTOMER TO RSL IN THE SIX (6) MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM, REGARDLESS OF THE LEGAL OR EQUITABLE THEORY ON WHICH THE CLAIM OR LIABILITY IS BASED, AND WHETHER OR NOT RSL WAS ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

(c) Basis of the Bargain. THE PARTIES HEREBY ACKNOWLEDGE AND AGREE THAT THE LIMITATIONS OF LIABILITY IN THIS SECTION 10 ARE AN ESSENTIAL PART OF THE BASIS OF THE BARGAIN BETWEEN RSL AND CUSTOMER, AND WILL APPLY EVEN IF THE REMEDIES AVAILABLE HEREUNDER ARE FOUND TO FAIL THEIR ESSENTIAL PURPOSE.

11. Term and Termination.

(a) Term. The initial term of this Agreement begins on the Effective Date and expires at the end of the Initial Term specified in the relevant Order Form (the “Initial Term”). Following the Initial Term, this Agreement will automatically renew for additional periods of one (1) year (each, a “Renewal Term,” and together with the Initial Term, the “Term”), unless either Party provides the other with at least thirty (30) days’ written notice of its intent not to renew this Agreement prior to the end of the then-current Term.

(b) Termination. Either Party may terminate this Agreement, effective on written notice to the other Party, if the other Party materially breaches this Agreement, and such breach remains uncured thirty (30) days after the non-breaching Party provides the breaching Party with written notice of such breach.

(c) Survival. This Section 11(c) and Sections 1, 2(b), 2(c), 2(f), 3, 4, 5,7, 9, 10, 11(d) and 13 survive any termination or expiration of this Agreement.

(d) Effect of Termination. Upon expiration or termination of this Agreement: (i) the rights granted pursuant to Section 2(a) will terminate; and (ii) Customer will return or destroy, at RSL’s sole option, all RSL Confidential Information in its possession or control, including permanent removal of such RSL Confidential Information (consistent with customary industry practice for data destruction) from any storage devices or other hosting environments that are in Customer’s possession or under Customer’s control, and at RSL’s request, certify in writing to RSL that the RSL Confidential Information has been returned, destroyed or, in the case of electronic communications, deleted. No expiration or termination will affect Customer’s obligation to pay all Fees that may have become due or otherwise accrued through the effective date of expiration or termination, or entitle Customer to any refund.

12. Trademarks.

Customer hereby grants RSL a limited, non-exclusive, royalty-free license to use and display Customer’s name, designated trademarks and associated logos (the “Customer Marks”) during the Term in connection with (i) the hosting, operation and maintenance of the Services; and (ii) RSL’s marketing and promotional efforts for its products and services, including by publicly naming Customer as a customer of RSL and in case studies. All goodwill and improved reputation generated by RSL’s use of the Customer Marks inures to the exclusive benefit of Customer. RSL will use the Customer Marks in the form stipulated by Customer and will conform to and observe such standards as Customer prescribes from time to time in connection with the license granted hereunder.

13. General

(a)Entire Agreement. This Agreement, including its exhibits, is the complete and exclusive agreement between the Parties with respect to its subject matter and supersedes any and all prior or contemporaneous agreements, communications and understandings, both written and oral, with respect to its subject matter. This Agreement may be amended or modified only by a written document executed by duly authorized representatives of the Parties; provided, however, that the version of this Agreement posted at https://www.zipsec.com/terms forty-five (45) days before the first day of a Renewal Term will govern the Order Form during such Renewal Term. No terms, provisions, or conditions of any purchase order, acknowledgement, or other business form that either Party may use in connection with the transactions contemplated by this Agreement will have any effect on the rights, duties, or obligations of the Parties under, or otherwise modify, this Agreement, regardless of any failure of a receiving party to object to these terms, provisions, or conditions.

(b) Notices. All notices required or permitted under this Agreement will be in writing, will reference this Agreement, and will be sent to the relevant address set forth below or to such other address as may be specified by the relevant Party to the other Party in accordance with this Section 13(b). Such notices will be deemed given: (i) when delivered personally; (ii) one (1) business day after deposit with a nationally recognized express courier, with written confirmation of receipt; or (iii) three (3) business days after having been sent by registered or certified mail, return receipt requested, postage prepaid, or (iv) immediately upon delivery by electronic mail.

(c) Waiver. Either Party’s failure to enforce any provision of this Agreement will not constitute a waiver of future enforcement of that or any other provision. No waiver of any provision of this Agreement will be effective unless it is in writing and signed by the Party granting the waiver.

(d) Severability. If any provision of this Agreement is held invalid, illegal or unenforceable, that provision will be enforced to the maximum extent permitted by law, given the fundamental intentions of the Parties, and the remaining provisions of this Agreement will remain in full force and effect.

(e) Governing Law; Jurisdiction. This Agreement will be governed by and construed in accordance with the laws of the State of New York without giving effect to any principles of conflict of laws that would lead to the application of the laws of another jurisdiction. The Parties expressly agree that the United Nations Convention on Contracts for the International Sale of Goods will not apply. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in Kings County, New York and the Parties irrevocably consent to the personal jurisdiction and venue therein.

(f) Assignment. Neither Party may assign or transfer this Agreement, by operation of law or otherwise, without the other Party’s prior written consent. Any attempt to assign or transfer this Agreement without such consent will be void. Notwithstanding the foregoing, either Party may assign or transfer this Agreement to a third party that succeeds to all or substantially all of the assigning Party’s business and assets relating to the subject matter of this Agreement, whether by sale, merger, operation of law or otherwise. Subject to the foregoing, this Agreement is binding upon and will inure to the benefit of each of the Parties and their respective successors and permitted assigns.

(g) Equitable Relief. Each Party agrees that a breach or threatened breach by such Party of any of its obligations under Section 4 or, in the case of Customer, Section 2(b), would cause the other Party irreparable harm and significant damages for which there may be no adequate remedy under law and that, in the event of such breach or threatened breach, the other Party will have the right to seek immediate equitable relief, including a restraining order, an injunction, specific performance and any other relief that may be available from any court. Such remedies are not exclusive and are in addition to all other remedies that may be available at law, in equity or otherwise.

(h) Force Majeure. Neither Party will be responsible for any failure or delay in the performance of its obligations under this Agreement (except for any payment obligations) due to causes beyond its reasonable control, which may include, without limitation, labor disputes, strikes, lockouts, performance failures of third parties, shortages of or inability to obtain energy, raw materials or supplies, denial of service or other malicious attacks, telecommunications failure or degradation, pandemics, epidemics, public health emergencies, governmental orders and acts (including government-imposed travel restrictions and quarantines), material changes in law, war, terrorism, riot, or acts of God.

(i) Subcontracting. RSL may use subcontractors, and other third-party providers (“Subcontractors”) in connection with the performance of its own obligations hereunder as it deems appropriate; provided that RSL remains responsible for the performance of each such Subcontractor. Notwithstanding anything to the contrary in this Agreement, with respect to any third-party vendors including any hosting (e.g. AWS) or payment vendors (e.g. PayPal), RSL will use commercially reasonable efforts to guard against any damages or issues arising in connection with such vendors, but will not be liable for the acts or omissions of such third-party vendors except to the extent that it has been finally adjudicated that such damages or issues are caused directly from the gross negligence or willful misconduct of RSL.

(j) Export Regulation. Customer will comply with all applicable federal laws, regulations and rules that prohibit or restrict the export or re-export of the Services or software, or any Customer Materials, outside the United States (“Export Rules”), and will complete all undertakings required by Export Rules, including obtaining any necessary export license or other governmental approval.

(k) U.S. Government End Users. The Services, software and Documentation are “commercial computer software” and “commercial computer software documentation,” respectively, as such terms are used in FAR 12.212 and other relevant government procurement regulations. Any use, duplication, or disclosure of the software or its documentation by or on behalf of the U.S. government is subject to restrictions as set forth in this Agreement.

(l) Relationship of the Parties. The relationship between the Parties is that of independent contractors. Nothing in this Agreement will be construed to establish any partnership, joint venture or agency relationship between the Parties. Neither Party will have the power or authority to bind the other or incur any obligations on the other’s behalf without the other Party’s prior written consent.

(m) No Third-Party Beneficiaries. No provision of this Agreement is intended to confer any rights, benefits, remedies, obligations, or liabilities hereunder upon any Person other than the Parties and their respective successors and assigns.

(n) Counterparts. This Agreement may be executed in counterparts, each of which is deemed an original, but all of which together are deemed to be one and the same agreement.

14. SERVICE LEVELS AND SUPPORT

(a) Service Levels. RSL will use commercially reasonable efforts to make the Services available during the Term twenty-four (24) hours a day, seven (7) days a week / excluding holidays and weekends, except for excused downtime, which, for purposes of this Agreement, means (i) planned downtime (with reasonable advance notice to Customer) of the Services; (ii) emergency downtime of the Services; and (iii) any unavailability of the Services caused by circumstances beyond RSL’s reasonable control.

(b) Support. RSL will provide reasonable technical support to Customer by electronic mail in connection with its Use of the Services on weekdays during the hours of 9:00 a.m. to 5:00 p.m. Eastern Time, with the exception of U.S. federal holidays (“Support Hours”), subject to the following conditions: (i) prior to initiating any support request, Customer (and its own personnel responsible for information technology support) will have first attempted to resolve the issue generating the need for such support; and (ii) Customer will reasonably cooperate with RSL support staff as needed to resolve the issue.

Customer may initiate a helpdesk ticket during Support Hours by emailing support at support@zipsec.com

Exhibit

No party will be liable for a failure to perform under this Agreement to the extent such nonperformance is caused by a condition that was beyond the party's reasonable control (including, but not limited to, natural disasters, acts of war or terrorism, riots, global health crisis, acts of God, or government intervention), except for mere economic hardship,(each, a “Force Majeure Event”) so long as the party continues to use commercially reasonable efforts to resume performance; provided, however, that in the event a party

MDR and Other Integrated Third-Party Services

If you elect to purchase Managed Detection & Response services from a third party through RSL (“MDR”) or other  third-party software or services through RSL on your Order Form or otherwise (collectively, “Integrated Third-Party Offerings”), the terms of this Exhibit apply (in addition to other applicable terms) and are hereby incorporated by reference into the Agreement.  

Third Party Beneficiary.  If a third party provides the Integrated Third-Party Offerings, the third party is a third party beneficiary of this Exhibit and any related terms of the Agreement, as if it were a party directly and is entitled to enforce it directly. 

Third-Party Services; Third-Party Standards.  RSL may provide notices to Customer in the Documentation, or in readme, help, notice, about or source files, regarding Integrated Third-Party Offerings.  Except for MDR, Customer’s use of Integrated Third-Party Offerings is sold or licensed to Customer solely under the third-party terms governing use, and RSL is not a party to the third party terms.  For MDR, Customer’s use of Integrated Third-Party Offerings is sold or licensed to Customer solely under the terms of this Exhibit and the MDR Provider (through this Exhibit) is solely responsible except as expressly provided otherwise.  No license, warranty, indemnity, or other obligation of RSL in this Agreement will apply to any Integrated Third-Party Offerings.   Any references in the Services to third-party standards providers (such as NIST) are offered as informational tools, and you are solely responsible for your compliance with any standards or regulations.  RSL offers tools for Customer to use as part of a larger program for compliance standards and industry benchmarks.  These tools are not a guarantee of security or anything else nor a verification of compliance.  Customer must independently ensure it is complying with applicable, current standards and benchmarks and should not rely on any RSL’s services, tools, or checks as a definitive assessment of security or compliance.

For purposes of MDR, the following terms apply:

The MDR provider will perform the Integrated Third-Party Offerings in a competent and timely manner, in good faith and with due professional care, in accordance with the terms of this Exhibit, the applicable SOW between RSL and the MDR Provider, all applicable laws, and any reasonable instructions of RSL or Customer that are necessary for MDR Provider to perform the Integrated Third-Party Offerings.

MDR Provider’s use of subcontractors is permitted as provided in section General (i) and the force majeure terms in General (h) apply to MDR Provider.

Customer hereby grants MDR Provider the right to process customer data solely to the extent reasonably necessary to provide the Integrated Third-Party Offerings to Customer during the Term of this Agreement.

All fees for MDR are nonrefundable and due in advance (or as provided in the Order Form).  Customer must pay all fees for MDR as provided in the applicable Order Form and payment terms are as provided in the Agreement.

Customer hereby represents and warrants that it:

(a) has the right and authority to enter into this Agreement and that its granting of the rights and undertaking of the obligations hereunder will not, to Customer’s knowledge, infringe upon or conflict with any rights of a third party, and that its performance hereunder will not violate any applicable law.

(b) will refrain from publicly disparaging MDR provider’s reputation or the reputation of the Integrated Third-Party Offerings; 

(c) will not knowingly interfere with or disrupt MDR Provider’s performance of the Integrated Third-Party Offerings; 

(d) will not use the Integrated Third-Party Offerings in violation of any Applicable Law; and 

(e) will not otherwise act in a manner that violates the terms of this Agreement.

The Integrated Third-Party Offerings will be terminated if Customer fails to pay in a timely manner, this Agreement is terminated, or the agreement between RSL and MDR provider is terminated. 

End Point Data” means all log data, malicious files and other data collected or otherwise Processed by MDR Provider in connection with the provision of the MRD or the access provided under this Agreement from the end points associated with Customer.  If Customer becomes aware of any actual or reasonably suspected unauthorized access to, or use, loss, disclosure, or other processing of, End Point Data (“Security Breach"), Customer must promptly notify the other party, unless legally prohibited from doing so, within 48 hours or any shorter period of time required by law.  Additionally, each party shall provide all reasonable assistance required by the other party in mitigating and remediating any potential damages resulting from the Security Breach. Unless prohibited by law, each party shall provide the other party with reasonable notice of and the opportunity to review and comment on the content of any public notices, filings or press releases about a Security Breach that identify the other party by name prior to any such publication.

Disclaimer. In connection with the Integrated Third-Party Offerings hereunder, MDR Provider shall have no responsibility for, the adequacy, safety, performance, quality, or accuracy of Customer’s IT systems.

Limitation of Warranty; Limitation of Damages

a. LIMITATION OF WARRANTY. EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT AND ANY SOW AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER MDR PROVIDER NOR RSL MAKES ANY WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. MDR PROVIDER DOES NOT WARRANT THAT THE SERVICES WILL BE ERROR FREE OR UNINTERRUPTED. THE LIMITED WARRANTIES PROVIDED IN THIS AGREEMENT AND ANY SOW ARE THE SOLE AND EXCLUSIVE WARRANTIES PROVIDED BY EACH PARTY TO THE OTHER PARTY.

b. LIMITATION OF LIABILITY. EXCEPT WITH RESPECT TO (1) DAMAGES CAUSED BY GROSS NEGLIGENCE, WILLFUL MISCONDUCT, OR FRAUD, (2) CUSTOMER’S PAYMENT OBLIGATIONS, AND (3) MDR PROVIDER’S OR CUSTOMER'S BREACH OF SECURITY OR CONFIDENTIALITY OBLIGATIONS (COLLECTIVELY, “EXCLUDED CLAIMS”), IN NO EVENT SHALL MDR PROVIDER OR CUSTOMER OR THEIR AFFILIATES’ TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO MDR UNDER THIS EXHIBIT, WHETHER IN CONTRACT, TORT OR OTHERWISE, EXCEED THE FEES PAID OR PAYABLE UNDER THIS EXHIBIT FOR THE MDR DURING THE TWELVE MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM FOR THE MDR SERVICES FROM WHICH THE CLAIM AROSE (“GENERAL CAP”), EXCEPT THAT FOR BREACH OF EITHER PARTY’S CONFIDENTIALITY, SECURITY, OR PRIVACY OBLIGATIONS, SUCH PARTY’S TOTAL AGGREGATE LIABILITY WILL BE INCREASED TO 30 MONTHS’ FEES (“ENHANCED CAP”).

c. EXCLUSION OF DAMAGES. EXCEPT FOR EXCLUDED CLAIMS, IN NO EVENT WILL MDR PROVIDER OR CUSTOMER OR THEIR AFFILIATES HAVE LIABILITY FOR LOST PROFITS OR REVENUES, LOSS OF USE OR DATA, BUSINESS INTERRUPTION, OR INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL, OR COVER DAMAGES, HOWEVER CAUSED, WHETHER IN CONTRACT, TORT OR OTHERWISE, EVEN IF MDR PROVIDER OR CUSTOMER OR THEIR AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, THE EXCLUSIONS IN THIS SECTION WILL NOT APPLY TO THE EXTENT PROHIBITED BY LAW. CUSTOMER’S PAYMENT OBLIGATIONS WILL NOT BE CONSIDERED MDR PROVIDER’S LOST PROFITS.

This Exhibit shall be governed by the laws of the State of Delaware without regard to conflicts of law principles and regardless of the location of the invoking party or the court interpreting its terms. The jurisdiction and venue for actions related to this Exhibit will be the state and federal courts located in Wilmington, Delaware, and MDR Provider and Customer submit to the personal jurisdiction of those courts for the purposes of MDR.

No party will be liable for a failure to perform under this Agreement to the extent such nonperformance is caused by a condition that was beyond the party's reasonable control (including, but not limited to, natural disasters, acts of war or terrorism, riots, global health crisis, acts of God, or government intervention), except for mere economic hardship,(each, a “Force Majeure Event”) so long as the party continues to use commercially reasonable efforts to resume performance; provided, however, that in the event a party remains unable to perform due to a Force Majeure Event for a period of thirty (30) days or more, the other party shall be entitled to terminate this Exhibit immediately upon written notice to the party experiencing the Force Majeure Event.

Onboarding.  The following activities constitute the onboarding process and must be performed by Customer as a precondition to delivery of the MDR Services under this Exhibit to Customer: (1) Customer will (a) provide accurate contact information, (b) identify its preference for mode of communication (e.g., email, phone, etc.), and (c) identify the Threat Response Mode. (2) Customer must identify suitably skilled personnel, who have the necessary technical and business knowledge and authority to make decisions concerning the MDR and will work with MDR Provider during the provision of the

Services to Customer.

(3) If using CIR as the MDR Provider, Customer will install either CIR, EDR, or EDR sensors (the “Service Software”) on all Managed Endpoints to be covered by the MDR Service, and the Customer will provide CIR with access to a Third-Party Service. “Managed Endpoint(s)” is any physical or virtual endpoint device or a server system where CIR’s approved endpoint detection and response (EDR) platform is installed, up-to-date, and operational in support of MDR Service delivery.  CIR hereby grants to Customer a non-exclusive, non-transferable, sublicensable, royalty-free, fully paid-up right and license to download, copy, install, and operate the Service Software during the Term for the purposes set forth in this Exhibit.

(4) Customer will configure all required systems designated to receive the MDR Services in accordance with CIR’s reasonable instructions to the extent necessary to enable CIR’s performance of the MDR Services and shall ensure all required license(s), access permissions and other software settings needed for CIR to access any Third-Party Services on which RSL requests CIR perform the MDR Services are in place in order for CIR to perform the MDR Services.

B. Categories of Threat Response Modes

(1) In accordance with this subsection, Customer will select the desired Threat Response Mode for CIR’s interaction with RSL or Customer when a Critical Alert is observed, and an Investigation or Response Action is warranted. Each

Customer may have a different associated Threat Response Mode.  “Critical Alert(s)” is a condition where data generated by a Managed Endpoint or Customer System is identified or detected by CIR as an indicator of malicious or suspicious activity.  “Customer Systems” are supported non-CIR systems (e.g., endpoints, servers, firewalls, etc.) which are configured to send security telemetry from Customer’s security tools to the MDR Service. “Response Action” is an interaction by CIR with a Managed Endpoint to perform investigation and remediation, including but not limited to remote query, host isolation, terminating a process, blocking an IP address, and deleting malicious artifacts. CIR’s escalation of Critical Alerts using RSL’s pre-selected communication preferences shall, also be deemed a Response Action.  “Investigation” is the formal process and methods used by CIR to confirm whether anendpoint is malicious and requires Threat Response.

(2) Threat Response Mode choices are:

(a) “Collaborate Mode” means that administrative users will conduct Investigations and communicate findings to RSL and Customer, but no Response Actions are taken without Customer’s prior consent or active involvement. Notwithstanding the foregoing, certain Response Actions, such as remote query, may be undertaken without Customer’s consent or involvement. An option exists under the Collaborate Mode, which if selected, authorizes the Administrative User to operate in Authorize Mode (as defined below) in the event CIR does not receive acknowledgment from Customer after attempting to contact all Customer-designated contacts.

(b) “Authorize Mode” means that Administrative Users will perform Threat Response independent of Customer and Customer is notified of Response Actions as they are taken or promptly after such Response Actions are completed.

A. Customer must promptly acknowledge receipt of CIR or Administrative User’s communications in writing (via email or other agreed method) and must timely respond to any and all such requests.

B. Customer must: (a) deploy and configure the applicable Service Software to Managed Endpoints; (b) meet minimum system requirements to install Service Software; (c) setup and configure all required Third-Party Services to enable transmission of End Point Data to CIR in a format that is compatible with the Service; and (d) run only supported versions of Service Software and/or third-party security tools.

C. Customer must make reasonable efforts to timely remediate any material compromises reported by CIR or by other third-party technologies that Customer utilizes for cybersecurity detection and protection. CIR will not be responsible or liable for any issues to the extent caused by Customer’s failure to take remediation steps in a timely manner. Additionally, the Administrative Users have no obligation to notify Customer or generate new Critical Alerts for which CIR has already provided recommended remediation steps.

Customer may allow providers of Third Party Services or other security partners to take certain actions on its Customer Systems or in connection with Customer’s End Point Data that fall within the Scope of Services described in this Exhibit, in which case, Customer is solely responsible for all such actions or omissions by such parties. For the avoidance of doubt, neither CIR nor its affiliates or subcontractors that perform MDR Services required hereunder shall be liable for the acts or omissions of Customer’s provider of Third Party Services or security partners unaffiliated with CIR.

A. All activities that are not expressly provided in this Exhibit are outside of the scope of the MDR Services. Customer is solely responsible for taking any actions that are outside of the scope of MDR Services (e.g., CIR’s suggestions regarding on-site response; all litigation and e-Discovery support; and collaboration with law enforcement); and (ii) any actions undertaken by CIR that are not described in this Exhibit but are specifically performed under Customer’s specific written direction.