Prevalent Software as a Service (SaaS) Subscription Agreement

BACKGROUND: Prevalent will provide to Subscriber its software application and/or certain monitoring services as part of the Prevalent Cloud Service offerings as referred to in the Prevalent Sales Quote. In addition, Customer may seek certain additional services at a separate cost as reflected in an associated Prevalent Sales Quote and Statement of Work (“SOW”), and for the purposes of this Agreement both may be jointly or individually referred to as “Service”. Those Services may contain access to certain third party data that is used in conjunction with the Service which will be governed by separate terms as referenced herein (“Third Party Data”). For the purpose of clarity, the parties acknowledge that the Services include software applications that are governed by the terms of this License and that Service and Software may be jointly referred to throughout this Agreement as Software. With regard to all Service, Prevalent performance is conditional upon Subscriber fulfilling its obligations; and the use of Third Party Data used in conjunction with the Service remains subject to the third party license terms. Subscriber will cooperate with Prevalent and will provide safe and timely access to its premises and computer equipment, including remote access, adequate working space, facilities and any other services, personnel, information, tools (including licenses) or materials that Prevalent may reasonably require to perform the Services.

DEFINITIONS: The terms referenced in this Agreement have the following meaning:

  1. “Prevalent Cloud Service” means certain specified services that are run on the Prevalent Cloud Services Environment and made commercially available by Prevalent under the terms of this Agreement.
  2. “Prevalent Cloud Services Environment” refers to the combination of hardware and software owned, licensed, subscribed to, or managed by Prevalent to which Prevalent grants the Subscriber and users access as part of the Cloud Services that are described in the SOW.  As applicable and subject to the terms of this Agreement and the SOW, Software, third party content and the Subscriber Data and content may be hosted in the Prevalent Cloud Services Environment.
  3. “Prevalent Sales Quote” is a formal Prevalent offer for the sale of specified products and services pursuant to this Agreement, which shall be effective upon Subscriber’s execution thereof.
  4. “Prevalent Software Service Description” is the formal Prevalent description of the commercial service offering defining the scope and coverage of the service, as referenced in the Prevalent Sales Quote and attached to this Agreement as Exhibit C.
  5. “Prevalent Portal” means that portion of the Prevalent Cloud Service Environment that Prevalent makes available to Subscriber and their Users.
  6. “Services” means, collectively, the Cloud Services, Professional Services and Software in the SOW, the Prevalent Software Service Description referenced on the Prevalent Sales Quote.
  7. “Software” refers to the application software developed and/or distributed by Prevalent, as referenced on the Prevalent Sales Quote, and as described in the Prevalent Software Service Description.
  8. “Subscriber” means the Customer named in the associated Prevalent Sales Quote and/or associated Customer Purchase Order.
  9. “Subscriber Data” means any data, content, code, video, images or other materials of any type that Subscriber uploads, submits or otherwise transmits to or through Services.
  10. “Users” means those employees, contractors, and end users, as applicable, authorized by the Subscriber to use the Services in accordance with this Agreement and the Subscriber’s SOW. For Services that are specifically designed to allow the Subscriber’s customers, suppliers or other third parties to access the Services to interact with the Subscriber, such third parties will be considered “Users” subject to the terms of this Agreement and the Subscriber’s SOW.
  11. “Third Party Software” means third party software offered by Prevalent Inc. (“Prevalent”) that is offered exclusively under the terms of the associated third party software license provided in or with those products, those terms including the warranty and indemnity terms are not expanded or combined with the terms stated below; and except as otherwise expressly provided this license is offered as a Software As A Service (“SaaS”) and Subscriber’s rights to use the third party software shall expire upon the termination or expiration of the Services term. In the event Subscriber has or is procuring a perpetual third party software license that they plan to operate in the hosted Prevalent Cloud Service Environment, and Services including but not limited to back up, operational support or administrative service that are provided by Prevalent as an authorized contractor of Subscriber that will be specified in the Prevalent Sales Quote or SOW. Similarly, where Subscriber purchases a perpetual license to the Software, that fact shall be noted in the Prevalent Sales Quote or SOW, or separately from this transaction, that Software remains exclusively subject to the Prevalent software license terms that came in or with the associated software. Subscriber remains exclusively responsible to Prevalent or the associated third party under the terms of the respective software license.
  12. “Third Party Data” means data sources provided by a third party license vendor for use with the Service, such as vendor threat monitoring data. For the avoidance of doubt, additional data sources may be added to the Service under additional License terms; Prevalent will advise Subscribers of these additions and provide the additional license terms before any such additional Third Party Data is added to the Service. Subscriber’s use of that data will acknowledge Subscriber’s consent to the Third Party’s Data License attached hereto as Attachment B.

ARTICLE I. SOFTWARE AS A SERVICE (“SaaS”) END USER LICENSE AGREEMENT

1.1) SaaS END USER LICENSE

The Software provides the functionality as specified in the printed Software service description and product documentation attached hereto as Attachment C. The Software including any pre-existing data, by way of example but not limitation, the policies listed and accompanying documentation are the proprietary property of Prevalent and Prevalent retains any and all rights, title and interest in and to the Software, including in all copies, improvements, enhancements, modifications and derivative works of the Software.

1.2) Third Party Data License

The Software includes access to various confidential and proprietary Third Party Data that is utilized along with the Service as a comparative data source in processing the Subscriber Data and generating various reports and reporting data. The Third Party Data is proprietary and confidential information of Prevalent’s Third Party Data sources and provided exclusively subject to the Third Party Data Source License, Attachment B. This information is compiled from third party sources, including but not limited to, public records, user submissions, and other commercially available data sources. These sources may not be accurate, complete, or up-to-date and are subject to ongoing and continual change without notice. Neither Prevalent nor its Third Party Data sources make any representations or warranties regarding the data and assume no responsibility for the accuracy, completeness, or currency of the data, or any decisions Subscriber makes based in whole or part on this data or information. This data and information is not a substitute for Subscriber’s own professional judgment, professional advice, or the need to seek additional input and research before making any decisions and should NOT be used alone to make decisions. Subscriber shall use Third Party Data solely in connection with present or prospective credit, financial or risk management transactions with the business entities to which the Subscriber inquiry relates. Moreover, Subscriber acknowledges that the Third Party Data will not be used: i) in determining personal, family or household eligibility for obtaining credit or insurance; ii) nor shall it be used for employment purposes (but may be used when evaluating an individual as an independent consultant vendor); nor iii) for any other purpose governed by the Fair Credit Reporting Act.
Subscribers will abide by all applicable laws and acknowledge that Third Party Data sources may revise their license and otherwise require written assurance of lawful use as a condition for continued use of their Third Party Data. Prevalent further represents that it will use reasonable commercial efforts to: (i) help ensure the appropriateness of the Third Party Data before it is selected for use with the Service; (ii) promptly remove Third Party Data from the Service that is identified as inaccurate data; and (iii) promptly advise Subscriber of known or suspected problems and/or concerns with Third Party Data.

1.3) ACCEPTANCE.

SUBSCRIBER BY ITS USE OF THE SOFTWARE ACCEPTS AND AGREES TO BE BOUND BY THE TERMS OF THIS AGREEMENT. SUBSCRIBER FURTHER ACKNOWLEDGES THIS FACT BY SELECTING THE “ACCEPT” OPTION AFTER LOGGING IN TO THE SOFTWARE  WITH A REGISTERED USER ID. LICENSEE MUST AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, INCLUDING, BUT NOT LIMITED TO, THE THIRD PARTY DATA LICENSE TERMS BEFORE SUBSCRIBER WILL BE PERMITTED LAWFUL ACCESS TO THE SOFTWARE. IF SUBSCRIBER DOES NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT AND THE THIRD PARTY DATA LICENSES, SUBSCRIBER MUST SELECT “DECLINE”; AND SUBSCRIBER MUST NOT ACCESS OR OTHERWISE USE THE SOFTWARE.

1.4) Software License Grant.

Subject to Subscriber’s compliance with the terms and conditions of this Agreement, Prevalent grants to Subscriber a non-exclusive, non-transferable license to use Software solely in Subscriber’s internal business operations during the term of this License. Subscriber is provided a right to use the Software within the Prevalent Cloud Services Environment in accordance with the scope and term of the Subscription Agreement as specified below, which is offered as a Service. For the purpose of clarity, no third party may rely in any manner on the reports, results, recommendation work product provided by or generated through the Service, except for informational purposes solely for the benefit of the Subscriber. Subscriber rights to use the Service shall be limited to those expressly granted in this Agreement. All rights not expressly granted to Subscriber are retained by Prevalent. The Service is protected by copyright laws, trade secret, as well as laws and any applicable regulations and/or treaties related to other forms of intellectual property. Prevalent owns, or has the necessary rights in, all intellectual property rights in the Service. The license to use the Service is subject to these rights and to all the terms and conditions of this Agreement. Subscriber is granted only the non-exclusive, non-transferable right to use the Service and related user documentation solely on the hosted Prevalent Cloud Service Environment during the term of  the License as specified in the Prevalent Sales Quote, and does not acquire any rights of ownership in such materials.

To enable Prevalent to provide the Subscriber with the Services, the Subscriber grants Prevalent the right to use, process, collect, copy, store, transmit, modify and create derivative works of Subscriber Data, in each case solely to the extent necessary to provide the applicable Service to Subscriber in accordance with this Agreement within data centers located within the United States, for the duration of the Services period plus any additional post-termination period during which Prevalent provides the Customer with access to retrieve an export file of Subscriber’s content, not to exceed 60 days. The license granted by this Agreement shall apply only for the number of user IDs, or capacity (i.e. number of vendors etc.) provided for pursuant to the associated Prevalent Sales Quote (the “Subscription Agreement”), and shall only be valid for such time as the Subscription Agreement remains in full force and effect; in the event Subscriber terminates or otherwise discontinues their use of the hosted Prevalent Cloud Service Environment with Prevalent, this license and Subscriber’s right to use the Service shall terminate without further notice. Subscriber shall take appropriate steps, including limiting access to user IDs and passwords, to limit access to the Software to those of its employees who are authorized to use the Software – and to agree to the terms of this Agreement on behalf of Subscriber. Subscriber remains responsible for any and all actions taken using Subscriber accounts and passwords, and Subscriber agrees to immediately notify Prevalent of any unauthorized use of which Subscriber becomes aware, or reasonably suspects.

Subscriber acknowledges that the data collected by the Service may be retraceable to individuals (“Personal Data”). Each time a User logs onto the Service, certain information, including the username, sms number, email address, internet protocol addresses, will be processed by the Service application software. This information is used to manage the User’s account, Services and personalized features. Prevalent may match the user name to personally identifiable information in order to provide the User with Services that User is entitled to use and provide relevant information. Subscriber will clearly and conspicuously notify all Users and other persons or entities using the Service of the foregoing collection, transmission, and use of the data, including any Personal Data contained therein. Subscriber will obtain all necessary consents from their Users and other personnel, persons or entities using the Service. The Subscriber does not acquire under this Agreement any right or license to use the Services, including the Prevalent Software or hosting environment, in excess of the scope and/or duration of the Services stated in the Prevalent Sales Quote and/or SOW.

The Subscriber agrees not to use or permit use of the Services, including by uploading, emailing, posting, publishing or otherwise transmitting any material, including the Subscriber Data, Service generated work product or report, or third party content, for any purpose that may (a) menace or harass any person or cause damage or injury to any person or property, (b) involve the publication of any material that is false, defamatory, harassing or obscene, (c) violate privacy rights or promote bigotry, racism, hatred or harm, (d) constitute unsolicited bulk e-mail, “junk mail”, “spam” or chain letters; (e) constitute an infringement of intellectual property or other proprietary rights, (f) frame, scrape, link or mirror any content forming a part of the Service, other than Subscriber’s own intranets or otherwise for its own internal use; (g) upload to the Service or use the Service to send or store viruses, worms, time-bombs, Trojan horses or other harmful or malicious code or (h) otherwise violate applicable laws, ordinances or regulations.  In addition to any other rights afforded to Prevalent under this Agreement, Prevalent reserves the right, but has no obligation, to take remedial action if any material violates the foregoing restrictions, including the removal or disablement of access to such material.  Prevalent shall have no liability to the Subscriber in the event that Prevalent takes such action.  The Subscriber shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness and ownership of all of Subscriber Data.  The Subscriber agrees to defend and indemnify Prevalent against any claim arising out of a violation of Subscriber obligations under this section.

1.5) Restrictions on Transfer, Use, Alteration and Copying

Subscriber may not, without Prevalent’s prior written consent, conduct, cause or permit the: (i) use, copying, modification, rental, lease, sublease, sublicense, or transfer of the Service except as expressly provided in this Agreement; (ii) creation of any derivative works based on the Service or its accompanying documentation including but not limited to translations, (iii) alteration of any files or libraries in any portion of the Service, or reproduction of the database portion or creation of any tables or reports relating to the database portion; (iv) reverse engineering, disassembly, or decompiling of the Service; (v) use of the Service in connection with service bureau, facility management, timeshare, service provider or like activity whereby Subscriber operates or uses the Service for the benefit of a third party;  (vi) use of the Service, including any data, information or reports generated by the Service, by any party other than Subscriber and its subcontractors and agents acting on Subscriber’s behalf and subject to the terms of this Agreement; or (vii) falsely imply any sponsorship or association with Prevalent. Any violation of this section shall result in immediate termination of this Agreement, which termination shall not be exclusive of other remedies available to Prevalent.

Except for the purposes of training, translation, Subscriber’s internal backup, operational support or internal distribution, Subscriber may not copy or allow others to copy any part of the user documentation or other printed material provided with the Service.

1.6) Security. Prevalent implements security procedures to help protect Subscriber Data from security attacks. However, Subscriber understands that use of the Services necessarily involves transmission of Subscriber Data over networks that are not owned, operated or controlled by Prevalent, and we are not responsible for any of Subscriber Data lost, altered, intercepted or stored across such networks. We cannot guarantee that our security procedures will be error-free, that transmissions of Subscriber Data will always be secure or that unauthorized third parties will never be able to defeat our security measures or those of our third party service providers. Notwithstanding the foregoing, Prevalent acknowledges and confirms that it has in place and will maintain throughout the term of this Agreement appropriate technical and organizational measures to help secure against the accidental, unauthorized or unlawful processing, destruction, loss, damage or disclosure of Subscriber Data and adequate security programs and procedures to ensure that unauthorized persons or parties do not have access to any equipment used to process such information or data. Prevalent shall, upon Subscriber’s reasonable request, provide Subscriber with information regarding its privacy and security practices, and permit Subscriber reasonable access to audit Prevalent’s compliance with its obligations hereunder.
In the event Prevalent discovers any unauthorized use or disclosure of Subscriber Data, in the event Prevalent becomes the subject of any regulatory or other investigation (public or private) relating to its data handling practices or in the event Prevalent receives a request from any third party for access to Subscriber Data, it will, to the extent permitted by the terms of any such inquiry or investigation, immediately notify Subscriber of the nature and scope of such unauthorized disclosure or use or inquiry and cooperate with Subscriber in order to afford Subscriber the opportunity to evaluate the scope and nature of the disclosure and limit its scope.

1.7) Sensitive Data. 

Subscriber will not submit to the Services (or use the Services to collect): (i) any personally identifiable information, except as necessary for the establishment of your Prevalent account; (ii) any patient, medical or other protected health information regulated by HIPAA or any similar federal or state laws, rules or regulations; or (iii) any other information subject to regulation or protection under specific laws such as the Gramm-Leach-Bliley Act (or related rules or regulations) ((i) through (iii), collectively, “Sensitive Data”). You also acknowledge that Prevalent is not acting as your Business Associate or subcontractor (as such terms are defined and used in HIPAA) and that the Services are not HIPAA compliant. “HIPAA” means the Health Insurance Portability and Accountability Act, as amended and supplemented. Notwithstanding any other provision to the contrary, Prevalent has no liability under this Agreement for Sensitive Data.

1.8) Indemnity for Subscriber Data. 

Subscriber shall bear sole responsibility for any information uploaded or supplied by Subscriber in connection with use of the Service, including but not limited to ensuring that the use of the Service to store, process and transmit Subscriber Data is compliant with all applicable laws and regulations. IN NO EVENT SHALL PREVALENT BEAR ANY LIABILITY FOR THE USE OR LOSS OF ANY INFORMATION UPLOADED OR SUPPLIED BY LICENSEE IN CONNECTION WITH USE OF THE SERVICE.  Subscriber will defend, indemnify and hold harmless Prevalent from and against any loss, cost, liability or damage, including attorneys’ fees, for which Prevalent becomes liable arising from or relating to any claim relating to Subscriber’s inappropriate use of Subscriber Data in violation of this Agreement, including but not limited to any claim brought by a third party alleging that Subscriber Data, or Subscriber’s use of the Services in breach of this Agreement, infringes or misappropriates the intellectual property rights of a third party or violates applicable law. Prevalent shall not be responsible or liable for the deletion, alteration, destruction, damage, loss or failure to store any Subscriber Data unless, and only to the extent that, such deletion, alteration, destruction, damage, loss or failure to store any Subscriber Data is directly and proximately caused by Prevalent’s negligent actions and subject to any limitations set forth in this Agreement.

1.9) LEGAL COMPLIANCE. 

Subscriber must ensure that Subscriber’s use of Services and all Subscriber Data is at all times compliant with our Acceptable Use Policy (available upon request) and all applicable local, state, federal and international laws and regulations (“Laws”). Subscriber represents and warrants that: (i) Subscriber has obtained all necessary rights, releases and permissions to provide all Subscriber Data to Prevalent and to grant the rights granted to Prevalent in this Agreement and (ii) Subscriber Data and its transfer to and use by Prevalent as authorized by Subscriber under this Agreement do not violate any Laws (including without limitation those relating to export control and electronic communications) or rights of any third party, including without limitation any intellectual property rights, rights of privacy, or rights of publicity, and any use, collection and disclosure authorized herein is not inconsistent with the terms of any applicable privacy policies. Other than its security obligations described in our Prevalent Privacy Policy, the current version of which is available at http://www.prevalent.net/ethics-and-privacy/, Prevalent assumes no responsibility or liability for Subscriber Data, and Subscriber shall be solely responsible for Subscriber Data and the consequences of using, disclosing, storing, or transmitting it.

1.10) Removals and Suspension. 

Prevalent has no obligation to monitor any content uploaded to the Services. Nonetheless, if we deem such action necessary based on Subscriber’s violation of this Agreement or in response to takedown requests that we receive with regard to violations of law including but not limited to copyright, patent or trademark law, we may: (1) remove Subscriber Data from the Services or (2) suspend Subscriber access to the Services. Prevalent will generally alert Subscriber when we take such action and give Subscriber a reasonable opportunity to cure Subscriber’s breach, but if Prevalent determines that Subscriber actions endanger the operation of the Service or other users, Prevalent may suspend your access immediately without notice. Subscriber will continue to be charged for the Service during any suspension period or series thereof lasting fewer than 30 days. Prevalent has no liability to Subscriber for removing or deleting Subscriber Data from or suspending Subscriber’s access to any Services as described in this section.

1.11) Deletion at End of Subscription Term.

Prevalent may remove or delete Subscriber Data within a reasonable period (no more than 60 days) of time after the termination of Subscriber’s Subscription Term but must first afford Subscriber the opportunity to retrieve copies thereof in accordance with Section 1.14 below.

1.12) Service-Specific Terms.

Some of Prevalent’s Services may be subject to additional terms specific to that service as set forth in our SOW, Prevalent Service Description or Prevalent Sales Quote.

1.13) TERM OF SERVICES PERIOD

Services provided under this Agreement shall be provided for the Services period defined in the Prevalent Sales Quote or SOW, unless earlier suspended or terminated in accordance with this Agreement or the SOW. Unless otherwise stated in the Prevalent Sales Quote or SOW, Services that are ordered will automatically renew for additional month to month periods, subject to a 90 day termination notice services periods unless (i) the Subscriber provides Prevalent with written notice no later than ninety (90) days prior to the end of the applicable Services period of the Subscriber’s intention not to renew such Services, or (ii) Prevalent provides Subscriber with written notice no later than ninety (90) days prior to the end of the applicable Services period of its intention not to renew such Services.

Upon the end of the Services, the Subscriber no longer has rights to access or use the Services; however, at the Subscriber’s request, and for a period of up to 60 days after the end of the applicable Services, Prevalent will make available to the Subscriber the Subscriber Content as existing in the Prevalent Cloud Services Environment on the date of termination. For the avoidance of doubt, Subscriber Content does not include any Prevalent or third party data or licensed content.

1.14) TRANSITION SERVICES

Provided that this Agreement or a SOW has not been terminated by Prevalent due to Subscriber’s failure to pay any undisputed amount due Prevalent, Prevalent will provide to Subscriber assistance reasonably requested by Subscriber to effect the orderly transition of the Services, in whole or in part, to Subscriber (such assistance shall be known as the “Transition Services”) following the termination of this Agreement or a SOW, in whole or in part. The Transition Services shall be provided by Prevalent as-available on a time and materials basis and may include at Prevalent’s then customary rates: (a) developing a plan for the orderly transition of the terminated Services from Prevalent to Subscriber; (b) if required, transferring the Subscriber content; (c) using commercially reasonable efforts to assist Subscriber in acquiring any necessary rights to legally and physically access and use any third-party technologies and documentation then being used by Prevalent in connection with the Services; (d) using commercially reasonable efforts to make available to Subscriber, pursuant to mutually agreeable terms and conditions, any third-party services then being used by Prevalent in connection with the Services; and, (e) such other activities upon which the parties may agree.

1.15) Limited Warranty.

Prevalent represents and warrants to Subscriber that the Service will be in substantial compliance with the printed product information attached hereto as Attachment C. In the event of a breach, Subscriber will promptly notify Prevalent of the non-conformity in writing and Prevalent will use reasonable commercial efforts to repair the Service to operate in compliance with its written description in compliance with the Service Level Agreement set forth in Attachment A. Subscriber’s exclusive remedy for breach of this warranty is for Prevalent to correct or work around the reported malfunction upon request. If the malfunction persists in causing a material failure in Subscriber’s production instances of the Service to conform to the Product documentation or SOW without correction or work-around forty-five (45) days after written notice to Prevalent of a warranty claim under this Section 1.14, then Subscriber may terminate the affected Service and Prevalent shall refund to Subscriber any prepaid subscription fees covering the remainder of the Term of the affected Service after the date of termination. All warranties cover only defects arising under normal use and do not include malfunctions or failure resulting from misuse, abuse, neglect, alteration, problems with electrical power, acts of nature, or damage determined by Prevalent to have been caused by Subscriber. All limited warranties on the Service are granted only to Subscriber and are non-transferable. This remedy represents Prevalent’s exclusive duty and Subscriber’s sole remedy even in the event that the remedy should fail in its essential purpose.
Notwithstanding any other provision in this Agreement, Prevalent shall have no obligation to support, and shall have no liability or obligation due to unavailability, malfunction or degradation of performance in the Service that is due to custom applications, or modifications of the Prevalent Software or Service by any person other than Prevalent or a person acting at Prevalent’s direction.

Notwithstanding anything to the contrary in this Agreement, Prevalent represents, warrants and covenants that:

(i) during the Term, it will comply with all applicable laws, regulatory requirements and codes of practice, including all data protection legislation;

(ii) the Service will be provided in a competent and professional manner and with all reasonable skill, care and diligence in accordance with the highest industry standards of quality and integrity; provided however that where this Agreement specifies a particular standard or criteria for performance, this warranty is not intended to and does not diminish that standard or criteria for performance;

(iii) it does and shall continue to provide security commensurate with industry practice, and to protect any web server which Prevalent uses to provide the Services, against the risk of penetration by a third party by: (i) protecting against client-side intrusions; and (ii) protecting against third-party intrusions;

(iv) it has (a) not intentionally introduced into the Service and has taken commercially reasonable precautions to prevent the introduction and proliferation of malicious code into Subscriber’s, Users’ and Prevalent’s computer environment and systems, and (b) tested and regularly tests the Service to ensure that it does not contain or transmit any malicious code or any other contaminant, including codes, commands or instructions that may be used to alter, delete, damage or disable the Service, other software, the Subscriber Data or Subscriber’s internal computer systems, or access Subscriber Data or systems, except for the express purposes of providing the Service.  Without limiting Prevalent’s other obligations under this Agreement;

(v) it shall not copy, retrieve, store, share or use the Subscriber Data for any reason whatsoever except solely for the purposes of providing the Service; and

(vi) it owns and/or has the right to license the Service to Subscriber under this Agreement;

Prevalent makes no warranty that the Software will meet Subscriber’s requirements or operate under Subscriber’s specific conditions of use. Prevalent makes no warranty that operation of the Service will be secure, error free, or free from interruption. EXCEPT AS EXPLICITLY PROVIDED IN THIS AGREEMENT OR OTHERWISE AGREED TO IN WRITING BY PREVALENT, PREVALENT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN FACT OR IN LAW, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OTHER THAN AS SET FORTH IN THIS AGREEMENT. SUBSCRIBER MUST DETERMINE WHETHER THE SERVICE SUFFICIENTLY MEETS  SUBSCRIBER’S REQUIREMENTS FOR SECURITY AND UNINTERRUPTABILITY. EXCEPT TO THE EXTENT ATTRIBUTABLE TO A BREACH OF PREVALENT’S SECURITY OR SERVICE LEVEL OBLIGATIONS HEREUNDER, SUBSCRIBER BEARS SOLE RESPONSIBILITY AND ALL LIABILITY FOR ANY LOSS INCURRED DUE TO FAILURE OF THE SERVICE TO MEET SUBSCRIBER’S REQUIREMENTS. PREVALENT WILL NOT, UNDER ANY CIRCUMSTANCES, BE RESPONSIBLE OR LIABLE FOR THE LOSS OF DATA ON ANY SUBSCRIBER COMPUTER OR INFORMATION STORAGE DEVICE. IN ADDITION, SUBSCRIBER ACKNOWLEDGES AND AGREES THAT (A) THE SERVICE DOES NOT CONSTITUTE THE PROVISION OF LEGAL ADVICE OR SERVICES IN ANY MANNER; (B) THE SERVICE DOES NOT ENSURE SUBSCRIBER’S COMPLIANCE WITH ALL APPLICABLE INDUSTRY REGULATIONS, LABOR OR EMPLOYMENT LAWS; AND (C) SUBSCRIBER IS SOLELY RESPONSIBLE FOR ITS COMPLIANCE WITH ALL APPLICABLE LAWS RULES AND REGULATIONS.

1.16) Indemnification. 

Prevalent shall defend Subscriber, at Prevalent’s expense, against any claims, demands, suits or proceedings (“Claims”) made or brought against Subscriber by a third party alleging that the use of the Service as contemplated hereunder, and excluding actions based upon Subscriber Data, infringes a patent, copyright, or trademark of a third party or misappropriates such third party’s trade secrets.  Further, Prevalent shall indemnify and hold Subscriber harmless against all costs (including reasonable attorneys’ fees) finally awarded against Subscriber by a court of competent jurisdiction or an arbitrator, or agreed to in a written settlement agreement signed by Prevalent, in connection with such Claims.  Upon receiving notice of a Claim, Subscriber shall (a) give Prevalent prompt written notice of the Claim; (b) give Prevalent sole control of the defense and settlement of the Claim (provided that Prevalent may not settle or defend any claim unless it unconditionally releases Subscriber of all liability and does not attribute any blame or contributory fault of Subscriber); and (c) provide to Prevalent, at Prevalent’s cost, all reasonable assistance in the defense or settlement of such Claim. Prevalent’s indemnification obligation shall be offset to the extent its ability to defend or settle a claim is jeopardized by Subscriber’s failure to comply with the preceding sentence. Prevalent shall have no indemnification obligation to the extent any infringement claims arise from the combination of the Service with any of Subscriber’s products, services, hardware, data or business processes or use of the Service by Subscriber other than in accordance with this Agreement or Prevalent’s written instructions including any reports or deliverable provided by Prevalent hereunder.

If the Service is held or likely to be held infringing, Prevalent shall have the option, at its expense, to (i) require Subscriber to replace or modify the Service as appropriate, (ii) obtain a license for Subscriber to continue using the Service, (iii) replace the Service with a functionally equivalent service; or (iv) terminate the applicable Service and refund any fees applicable to the infringing Service based upon the unused portion of the Service subscription.  This Section 1.16 states Prevalent’s entire liability and Subscriber’s exclusive remedy for any claim of intellectual property infringement.

1.17)  BACKGROUND CHECKS

As permitted and as may be required by law, Prevalent Employees and Subcontractors with access to Subscriber Data must pass a background check, which can be performed by Prevalent or by a contractor that is authorized by Prevalent to perform background checks.  If Prevalent performs the background check, Prevalent will provide verification to Subscriber upon request that it performed such background screenings for all existing Prevalent Employees involved with access to Subscriber Data at the time such employees were hired by Prevalent or at some subsequent time that is prior to their involvement in the provision of Services to Subscriber.  Background screenings pursuant to this section must be updated at least every seven (7) years.

  1. Background screenings under this Section will be conducted in accordance with applicable local, state and federal law and at a minimum shall include the following:
    • Verification of identification, citizenship and Social Security Number;
    • A criminal history search to identify felony convictions conducted in the employee’s current county of residence and prior county of residence (if applicable) for the immediate preceding seven year period; an adverse result may include a felony conviction in the last seven years for job related crimes, typically characterized as crimes of violence, dishonesty, theft, drugs, or a series of repeated convictions; and
    • Patriot Act check.

(d)   Federal Search:

– National Criminal Records

– International Criminal Records

– State-specific Sex Offender Records

(e)   Felonies: No years limit

– SSN Trace

– Credit Report (for mutually agreed Positions of Trust)

– Motor Vehicle Report

– Watches and Sanctions:

  • Denied Persons List
  • Excluded Parties List
  • FBI Most Wanted Terrorist List
  • FDA Debarment List
  • Specially Designated Nationals & Blocked Persons List
    (include OFAC)

A failure to pass a background screening or confirmed felony conviction must be reported to Subscriber prior to involvement in the provisions of Services.  Furthermore, any confirmed felony conviction or any alleged offense involving illegal drugs, violence, or a breach of fiduciary duty after the background screening has been completed must be reported to Subscriber before such Prevalent Employee can continue any involvement in the provisions of Services.

1.18)  License by Subscriber to Use Feedback.

Subscriber grants Prevalent a worldwide, perpetual, irrevocable, royalty-free license to use and incorporate into the Services any suggestion, enhancement request, recommendation, correction or other feedback provided by Subscriber or Users relating to the operation of the Services but on an anonymized basis and without identification or attribution to Subscriber.

1.19) Non-Prevalent Applications and Subscriber Data.

If Subscriber installs or enables an application program not provided by Prevalent (“Non-Prevalent Application”) for use with a Service, Subscriber grants Prevalent permission to allow the provider of that Non-Prevalent Application to access Subscriber Data as required for the interoperation of that Non-Prevalent Application with the Service.   Prevalent is not responsible for any disclosure, modification or deletion of Subscriber Data resulting from access by a Non-Prevalent Application.

1.20)  Integration with Non-Prevalent Applications. 

The Services may contain features designed to interoperate with Non-Prevalent Applications.  To use such features, Subscriber may be required to obtain access to Non-Prevalent Applications from their providers, and may be required to grant Prevalent access to Subscriber’s account(s) on the Non-Prevalent Applications.  If the provider of a Non-Prevalent Application ceases to make the Non-Prevalent Application available for interoperation with the corresponding Service features on reasonable terms, Prevalent may cease providing those Service features without entitling Subscriber to any refund, credit, or other compensation.

2.) CUSTOM SERVICES

2.1)  Custom Service.

Estimated charges for any customized service Subscriber may request will be set forth in a mutually agreed upon SOW and any associated Change Order to that SOW the parties may subsequently agree upon will also be mutually agreed upon in writing.

2.2) Intellectual Property.

  1. “Intellectual Property” means all intellectual property rights (“IPR”), including patents, trademarks, design rights, copyrights, database rights, trade secrets and all rights of an equivalent nature anywhere in the world. “Deliverables” means tangible work product specified in this Agreement or any SOW hereunder. Prevalent is granted a worldwide, irrevocable, royalty-free, transferable, sublicensable, perpetual license, without a right to accounting, to copy, modify and use in any form or media it may choose to incorporate into the Software or Service or otherwise use any suggestions or enhancement requests, recommendations or other feedback Prevalent receives from Subscriber.
  2. Each party retains its own pre-existing IPR, and any enhancements, modifications, derivatives thereto or improvements thereof.
  3. Prevalent owns all IPR developed pursuant to this Agreement. Subscriber owns all Subscriber data and advisory reports prepared by Prevalent under this Agreement. Prevalent grants to Subscriber a royalty-free, non-exclusive and non-transferable license to use the Services for its internal use only during the term of the Service, subject to any other express supplemental license terms otherwise applicable to the Deliverable, such as a third party software license.  Subscriber may not: (i) make copies of Deliverables, other than for archival purposes; or (ii) modify, decompile or reverse-engineer Deliverables.
  4. Subscriber recognizes that any unauthorized use of Prevalent’s IPR will result in irreparable harm to Prevalent for which damages would not be an adequate remedy. Therefore Subscriber acknowledges the appropriateness of injunctive relief and waives any requirement that Prevalent post a bond as a condition for such injunctive relief.

III GENERAL TERMS AND CONDITIONS

3.1) Invoices and Payment.  Subscriber shall pay all invoices within 30 days of receipt of the invoice; thereafter unpaid balances which are not the basis of a good faith dispute shall accrue interest at a rate of 1.5% per month.  Any Subscriber prepayment or any credits earned must be used within 15 months of the time that they are purchased, earned or awarded or they will expire without notice. If Subscriber fails to pay all invoices or charges for referencing these Terms within five (5) business days of Prevalent’s notice to Subscriber that payment is past due or delinquent in addition to Prevalent’s other remedies, Prevalent may suspend or terminate access to and use of the Service by Subscribers.

3.2) Upgrades. If Subscriber chooses to upgrade a Service or increase the number of authorized Subscribers during the Subscription Term (a “Subscription Upgrade”), any incremental Subscription Charges associated with such Subscription Upgrade will be prorated over the remaining period of Subscriber’s then current Subscription Term and will be due and payable upon implementation of such Subscription Upgrade. In any future Subscription Term, no refunds or credits for Subscription Charges or other fees or payments will be provided to Subscriber if Subscriber elects to downgrade their Service Plan.

3.3) Expenses. Travel and expenses are not included in the Service installation and configuration that appears on the quote.  These fees are separate and will be added to the invoice along with any additional service exceeding what is outlined on this statement that might be required.

3.4) Equitable Relief. Subscriber acknowledges that any use or disclosure of the Software in a manner inconsistent with the terms of this Agreement, or breach of confidentiality may cause Prevalent irreparable damage for which other remedies may be inadequate, and Subscriber agrees not to oppose any request to a court of competent jurisdiction by Prevalent for injunctive or other equitable relief seeking to restrain such use or disclosure. Subscriber waives any right it may have to require Prevalent post a bond or other form of security as a precondition to any such injunctive relief.

3.5) Amendments. Prevalent may amend this agreement at any time. Such amendments shall be effective as of the date of notice to Subscriber. Notice to Subscriber may include requiring Subscriber to renew its acceptance and agreement to the terms of this Agreement by selecting the “Accept” option after logging in to the Software with a registered user ID and password.

3.6) Severability. If any provision of this Agreement shall be held to be invalid or unenforceable, the remainder of this Agreement shall remain in full force and effect. To the extent any express or implied restrictions are not permitted by applicable laws, these express or implied restrictions shall remain in force and effect to the maximum extent permitted by such applicable laws.

3.7) Confidential Information.  “Confidential Information” means any information one party discloses to the other under this Agreement which is identified as confidential or proprietary.  Confidential Information does not include information which: is rightfully obtained by the recipient without breaching any confidentiality obligations; is or becomes known to the public through no act or omission of the recipient; the recipient develops independently without using Confidential Information; or is disclosed in response to a valid court or governmental order if the recipient notifies the disclosing party and assists in any objections.  The recipient may use Confidential Information only for the purposes for which it was provided under this Agreement, and shall treat it with the same degree of care as it does its own similar information, but with no less than reasonable care.  This section shall not affect any other confidential disclosure agreement between the parties.

3.8) Limitation of Liability.  Except for breach of Subscriber’s payment obligations or situations arising as a result of either party’s gross negligence or willful misconduct, or a breach of confidentiality or indemnity provisions granted hereunder, each party’s aggregate liability to the other for claims arising out of or relating to this Agreement, whether for breach or in tort, is limited to the price charged to Subscriber for the Services up to a maximum of US $50,000.00 or its local currency equivalent.  NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, PUNITIVE, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT (INCLUDING, WITHOUT LIMITATION, LOSS OF BUSINESS, REVENUE, PROFITS, GOODWILL, USE, DATA OR OTHER ECONOMIC ADVANTAGE) HOWEVER THEY ARISE, WHETHER IN BREACH OF CONTRACT, BREACH OF WARRANTY, OR IN TORT, INCLUDING NEGLIGENCE, AND EVEN IF THAT PARTY HAS PREVIOUSLY BEEN ADVISED OF, OR COULD REASONABLY HAVE FORESEEN, THE POSSIBILITY OF SUCH DAMAGES.  LIABILITY FOR DAMAGES WILL BE LIMITED AND EXCLUDED, EVEN IF ANY EXCLUSIVE REMEDY PROVIDED ABOVE FAILS OF ITS ESSENTIAL PURPOSE.

3.9) Hiring of Personnel.  Subscriber will not recruit any personnel Prevalent assigns to perform Services until one year after completion of the applicable Services, including initiating personal contact for the purpose of hiring but not including responding to unsolicited applications.  If Subscriber hires personnel in violation of this provision, Subscriber will immediately pay Prevalent, as liquidated damages, an amount equal to the hired employee’s total compensation for the six months preceding the date of hiring.

3.10) TERMINATION

  • EVENTS CONSTITUTING TERMINATION The Service provided herein shall terminate at such time Subscriber fails to cure any breach of this Agreement within thirty (30) days of written notice from Prevalent specifying such breach.
  • OBLIGATIONS UPON TERMINATION Upon termination of this Agreement or the License granted herein, Subscriber shall discontinue use of the Service.
  • SURVIVAL UPON TERMINATION The other rights and obligations of the parties pursuant to Articles 1.2, Third Party Data; 1.5, Restrictions on Transfer; 1.8, Indemnification for Subscriber Data; 1.9, Legal Compliance; 1.14, Transition Services; 1.15, Limited Warranty; 1.16, Indemnification; 1.18, License by Subscriber to use Feedback; 2.2, Intellectual Property; 3.7, Confidential Information; 3.8, Limitation of Liability; 3.9, Hiring Personnel; and 3.10, Termination, of this Agreement shall survive and continue after any termination of this Agreement.

3.12) Headings. Headings of sections in this Agreement are inserted for convenience only, and are in no way intended to limit or define the scope and/or interpretation of this Agreement.

3.13) THIRD PARTY RIGHTS.   Where Prevalent’s rights to any of the products or services licensed or sold hereunder arise under an agreement with a third party supplier, such supplier shall have the benefit of Prevalent’s rights, as set forth in this Agreement, and may enforce such rights directly.

3.14) WAIVER & SEVERABILITY. Failure on the part of either party to give notice of default, or delay in exercising any right or remedy hereunder, shall not operate as a waiver of any such right or remedy except as otherwise expressly stated in this Agreement.  In the event that any provision of this Agreement is held invalid, illegal or unenforceable, the remaining provisions shall be enforced to the maximum extent permitted by applicable law.

3.15) FORCE MAJEURE.  Except for Subscriber’s payment obligations, neither party will be liable for any delay in performance hereunder if such delay is due to causes beyond the reasonable control of such party.  Such causes will include, without limitation, fires, floods, strikes or other labor disputes, war, criminal disturbances, power failure, acts of God and restrictions imposed by any governmental agency.  In the event such delay or nonperformance extends beyond thirty (30) days, either party may, at its option, cancel any portion of this Agreement  and/or extend any date upon which any performance is due, and neither party will assess any damages against the delaying party in such event.

3.16) Third-Party Beneficiaries.  Prevalent’s licensors  and third party content providers shall have the benefit of Prevalent’s rights and protections hereunder with respect to the applicable Service.  There are no other third-party beneficiaries under this Agreement.

3.17) Assignment.  Neither party may assign or otherwise transfer any of its rights, duties or obligations under this Agreement without the prior written consent of the other party.  Such consent may not be unreasonably withheld or delayed.

3.18) GENERAL.

  1. Disputes will be governed by the laws of the State of New Jersey, excluding its conflict of laws rules. The exclusive venue for any litigation arising out of or relating to this Agreement will be Somerset County, NJ; and the parties waive any claims of forum inconvenience.
  2. This Agreement, together with its Attachments constitutes the entire agreement between the parties relating to the Services, and supersedes all prior or contemporaneous oral or written communications, proposals, conditions, representations and warranties, and prevails over any conflicting or additional terms contained in any quote, purchase order, order document, acknowledgment, or other communication between the parties relating to the Services, even if Prevalent uses such order documents for invoicing purposes.

Attachment A

Service Level Agreement

SERVICE LEVELS

INTRODUCTION

This Attachment A sets forth certain levels of service that Provider is required to meet in performing the Services during the Term (“Service Levels”).  As used herein “Provider” means Prevalent, Inc. and “Company” means ____________________________________.

  1. GENERAL PROVISIONS
    • Measurement and Reporting.
      1. Except as otherwise agreed upon by the Parties, Provider will monitor its actual performance of the Services against the Service Levels. Provider will provide automated tools, collect and provide to Company the data reasonably made available to it by such tools, and be responsible for measuring performance against the Service Levels. Provider’s failure to properly measure performance with respect to any particular Service Level for any month will be a Service Level Default with respect to such Service Level for such month.
      2. Provider will provide Company with a set of hard- and soft-copy reports to verify Provider’s performance and compliance with the Service Levels. Detailed supporting information for all reports will be provided to Company in spreadsheet form, or such other form as reasonably requested by Company. The raw data, detailed supporting information, and other data produced or derived from measurement of the Services will be Company Data, and may be accessed by Company on-line and in real time, where feasible, at any time during the Term.
  2. DEFINITIONS

All capitalized terms used but not defined in this Attachment A have the meanings assigned to them in the Agreement. For purposes of this Attachment A, the following terms have the following meanings:

  • “Actual Uptime” means the aggregate amount of time within Scheduled Uptime when Services are actually available for normal business use by Company or users, as applicable (i.e., Actual Uptime = Scheduled Uptime – Outage). Services are actually available for normal business if they can be used in accordance with their intended functionality, with the required database files and tables being accessible with current data.
  • “Availability” means the Actual Uptime expressed as a percentage of the Scheduled Uptime (i.e., Availability % = (Actual Uptime)/Scheduled Uptime x 100%).
  • “Downtime” means an Outage that continues for a period of more than ten (10) minutes.
  • “Monthly Charge” means the amount Provider invoices Company for the Services for a given month.
  • “Outage” means any interruption of five (5) minutes or more during which ten percent (10%) or more of Company or users are unable to access the System or their access to the System is substantially impaired (including through significant logon delay).
  • “Service Level Default” means an occurrence of Provider’s failure to meet any Service Level.
  • “Scheduled Uptime” means the period of time (days of the week and hours per day) the Services are expected to be available to Company for normal business use. Scheduled Uptime excludes maintenance windows for the Services.
  3. SERVICE LEVEL PROCESS
    • Reevaluation of Service Levels. Attachment 1 to this Attachment A identifies the Service Levels that apply during the Term, subject to the following:
      1. The numerical values associated with such Service Levels (e.g., Availability of 99.8%) will be subject to Company’s and Provider’s mutual reevaluation three (3) months after the Effective Date. The purpose of such reevaluation is to confirm or change the numerical value based upon the average performance of Provider with respect to the applicable Service Level during such three (3) month period. Company and Provider may agree to adjust the Service Levels at this time.
      2. The Parties agree that the Service Levels confirmed or changed in accordance with Section 3.1A above will not be less than those levels reasonably and consistently achievable with the systems and environments used to provide the Services if used in accordance with the practices and standards used in well-managed operations performing services similar to the Services.
    • Additions/Modifications to Service Levels. The Parties will cooperate to identify additional Service Levels in furtherance of the objective of having a comprehensive set of Service Levels that provide a fair, accurate, and consistent measurement of Provider’s performance of the Services. In response to changes in Company’s business needs or to reflect changes in or evolution of the Services, Company and Provider will, at least once per year, review and assess any changes and agree to add or substitute new Service Levels to meet such objective(s) as may be redefined from time to time during the Term.
    • Company may add or delete Service Levels by sending written notice to Provider at least thirty (30) days prior to the date that such changes are to be effective. Company may not send such a notice (which may contain multiple changes) more than once every three (3) months.
  4. SERVICE LEVELS
    Provider must meet or exceed the Service Levels described in this Attachment A, including Attachment 1.
  • System Availability and Performance. Provider must maintain availability and performance of the System to users so as to meet or exceed the Service Levels set forth in Attachment 1.
  • System Capacity. Provider must provide sufficient hosting capacity to target the Service Levels, availability and performance objectives in Attachment 1. Company will work with Provider to forecast and anticipate unexpected increases in System usage due to any unusual events that could change the rate of System usage typically observed in normal site operation.
  • Content Upload. Provider must upload all Company Data, including updates, to the System within two (2) business days of delivery to Provider unless content results in technical changes to the System (i.e., beyond text or graphics).
  • Response Time. Provider must manage equipment, bandwidth, and network response times to target Service Levels and performance objectives stated in Attachment 1.
  5. SERVICE LEVEL DEFAULTS
    • Provider recognizes that a Service Level Default may have a material adverse impact on the business and operations of Company and that the damage from such Service Level Default is not susceptible to precise determination. Accordingly, if Provider fails to meet any Service Level for reasons other than a Force Majeure Event, then, Company may as an exclusive remedy recover a corresponding Service Level credit in the amount of 5% for the 1st month’s failure; 10% if two (2) consecutive months or two (2) out of any three (3) contiguous months; 15% for more than three (3) consecutive month’s failure to achieve the SLA performance metrics. The SLA credits are calculated as a % of the Monthly Charge owed by Company for the month during which the Service Level Default occurs.
  1. Service Level: System Availability.

Provider will provide the Application Services 24 hours per day, 365 days per year with an Availability of 99.8%, excluding scheduled maintenance, which will not be performed during Company’s normal business hours of operation from 7:00 AM to 6:00 PM (ET). Provider will provide Company with its maintenance schedule and will notify Company in advance of any non-scheduled maintenance. Provider will keep and maintain a back-up environmental redundancy system to ensure Availability of the Application Services for Company.

  2. Service Level: Monitoring and Response Time.

Provider will respond to and resolve System faults based on the severity levels detailed below. The time clock will restart any time a severity level is changed. “Response” means the time Provider takes from its receipt of a problem report until it begins work to resolve the problem.

| SEVERITY LEVEL | FAULT DESCRIPTION | RESPONSE | FIX |
| --- | --- | --- | --- |
| Severity 1 | Total inability to use any material part of the Application Services, and/or Company operations or objectives are severely restricted. | 1 hour | 4 hours |
| Severity 2 | Ability to use the Application Services, but Company operation is moderately restricted or users notice degraded system performance. | 4 hours | 1 business day |
| Severity 3 | Ability to use the Application Services with minor faults that cause little disruption to service or use. | 1 business day | ASAP |

  3. Service Level: Security.
    1. Physical and Technical Security. Provider will provide appropriate and adequate physical and technical security for the Application Services, including, but without limitation, the following:
      1. Provider will have Representatives capable of identifying, categorizing, and responding to a security incident on duty 24X365.
      2. Provider will implement a security fix across the infrastructure in accordance with Provider’s regular update process.
      3. Provider will shut down ALL access to the System, or any component of it associated with the Application Services, within sixty (60) minutes of responding to a request by Company’s security manager.
      4. Provider will not directly or indirectly subcontract, assign, or transfer, permit, or allow any portion of the Services, related support, or other activities under the Agreement offshore, meaning outside the continental United States, without the express prior written consent of the Company.
      5. Provider will require all permitted subcontractors and/or third party service providers utilized either directly or indirectly by Provider in the performance of Services (“Third Party Service Provider”) to adhere to, and with all requirements of the Agreement, including, but not limited to, the Company security requirements set forth in the Agreement.
      6. Provider will conduct annual independent security reviews and audits by a reputable and nationally known independent audit agency to ensure that Provider is meeting all of the physical and technical security requirements of the Agreement. Provider’s audit agency will prepare a written audit report detailing audit findings. Provider will not store or transmit Company Data as clear text. Provider will store and transmit Company Data only in a secure and encrypted mode.
      7. Provider will institute and maintain a separation of duties between application development, quality assurance, testing, and production environments.
    2. Host Security. Provider will have three security components in place for Internet facing servers: (i) “hardened” operating system (OS) builds; (ii) on-host security monitors; and (iii) a secure audit log repository. Provider’s data center will comply with the requirements for SSAE 16 and SOC 2 as set forth in Section 1.6 (Security) of the Agreement.
    3. Secure Audit Repository. Provider will log the following information to a secure audit repository:
  • Any OS patch or OS configuration changes and the user and IP address making them;
  • Account creation, deletions, and modifications (OS not application);
  • Failed attempt to access data;
  • Failed login;
  • Start/stop of server; and
  • Changes to firewall configuration files.
  4. Service Level: Provider Audits

Provider will comply with the audit requirements set forth in Section 1.16 (Security) of the Agreement. In the event Provider hosts or processes Company Data, or otherwise performs any process for Company that impacts Company’s internal control over financial reporting, Provider will provide Company, annually and as requested by Company from time to time, copies of Provider’s SSAE 16 and SOC 2 reports (“Provider Reports”) on Provider’s data processing operations and related internal controls. Each Provider Report must cover a minimum of six (6) months of the calendar year covered by Company’s financial statements. Provider must furnish copies of Provider’s Reports at no cost or expense to Company. Provider agrees to make Representatives available to respond to Company’s questions arising from Provider Audits.

Attachment B

Third Party Data License Agreement (the “Data License”)

Prevalent is acting, on behalf of its Third Party Data suppliers (“Prevalent”):

  1. RESTRICTED LICENSE. Prevalent hereby grants to _______________________ (“Subscriber”) a license to use the specified Third Party Data both currently existing and as may become available in the future, subject to the restrictions and limitations set forth below:

(i) Generally.  Prevalent on behalf of its third party content providers hereby grants to Subscriber a restricted license to use the Prevalent Services in conjunction with third party data sources as integrated with the Service by Prevalent, solely for Subscriber’s own internal business purposes.  Subscriber represents and warrants that all of Subscriber’s use of the Prevalent Services shall be for only legitimate purposes relating to its business and as otherwise governed by the Agreement.  Subscriber shall not use the Prevalent Services for marketing purposes or resell or broker the Prevalent Services to any third party. Subscriber agrees that if Prevalent determines or reasonably suspects that Subscriber is engaging in marketing activities, reselling or brokering the Prevalent Services’ information, programs, computer applications, or data, or is otherwise violating any provision of this Agreement, or any of the laws, regulations, or rules described herein, Prevalent may take immediate action, including terminating the delivery of, and the license to use, the Prevalent Services.  Subscriber may not use data to create a competing product.  Subscriber shall comply with all laws, regulations and rules which govern the use of the Prevalent Services and information provided therein.

(ii) Copyrighted Materials.  Subscriber shall not remove or obscure the copyright notice or other notices contained on materials accessed through the Prevalent Services.

(iii) Use of Services.  Subscriber certifies that it will use the third party data and/or information obtained through the Services solely in connection with present or prospective credit, financial, or risk management transactions with the business entities to which the Subscribers’ inquiries relate.  Subscriber also certifies that it will not use any of the information it receives through the Prevalent Services for any of the following purposes:  (1) in establishing a consumer’s eligibility for credit or insurance to be used primarily for personal, family or household purposes or in connection with the review or collection of an existing credit account of a consumer; (2) for employment purposes; (3) in connection with a determination of a consumer’s eligibility for a license or other benefit granted by a government agency; (4) as a potential investor or servicer, or current insurer, in connection with a valuation of, or assessment of credit or prepayment risks associated with, an existing credit obligation; or, (5) for any other purpose deemed to be a permissible purpose under the Fair Credit Reporting Act.

(iv) Disputes.  Subscriber shall refer all third parties who have questions or disputes about information in the Prevalent Services to Prevalent.

  1. SECURITY. Subscriber shall (a) restrict access to Prevalent Services to those employees who have a need to know as part of their official duties; (b) ensure that none of its employees (i) obtain and/or use any information from the Prevalent Services for personal reasons, or (ii) transfer any information received through the Prevalent Services to any third party except as permitted hereunder or required by law; (c) immediately notify Prevalent to deactivate the user identification number of any employee who no longer has a need to know, or terminated employees on or prior to the date of termination; (d) keep all user identification numbers confidential and prohibit the sharing of user identification numbers; (e) in addition to any obligations contained herein, take all commercially reasonable measures to prevent unauthorized access to, or use of, the Prevalent Services or data received therefrom, whether the same is in electronic form or hard copy, by any person or entity; (f) be capable of receiving the Prevalent Services where the same are provided utilizing so-called ‘secure socket layer’, or such other means of secure transmission deemed reasonable by Prevalent; and (g) not access and/or use the Prevalent Services via mechanical, programmatic, robotic, scripted or other automated search means, other than through batch or machine-to-machine applications approved by Prevalent.
  2. PERFORMANCE. Prevalent will use reasonable efforts to deliver the Prevalent Services requested by Subscriber and to compile information gathered from selected public records and other sources used in the provision of the Prevalent Services; provided, however, that Subscriber accepts all information “AS IS.” Subscriber acknowledges and agrees that Prevalent obtains their data from third-party sources, which may or may not be completely thorough and accurate, and that Subscriber shall not rely on Prevalent for the accuracy or completeness of information supplied through the Prevalent Services. Prevalent reserves the right to add materials and features to, and to discontinue offering any of the materials and features that are currently a part of, the Prevalent Services.
  3. DISCLAIMER OF WARRANTIES/LIMITATION OF LIABILITY. Subscriber acknowledges that Prevalent maintains several databases updated on a periodic basis, and that Prevalent does not undertake a separate investigation for each inquiry or request for Services made by Subscriber. Subscriber also acknowledges that the prices Prevalent charges for the Services are based upon Prevalent’s expectation that the risk of any loss or injury that may be incurred by use of the Services will be borne by Subscriber and not Prevalent. Subscriber therefore agrees that it is responsible for determining that the Services are in accordance with the obligations set forth under this Agreement. If Subscriber reasonably determines that the Services do not meet Prevalent’s obligations under this Agreement, Subscriber shall so notify Prevalent in writing within ten (10) days after receipt of the Services in question. Subscriber’s failure to so notify Prevalent shall mean that Subscriber accepts the Services as is. If Subscriber so notifies Prevalent within ten (10) days after receipt of the Services, then, unless Prevalent reasonably disputes Subscriber’s claim, Prevalent shall, at its option, either re-perform the Services in question or issue Subscriber a credit for the amount Subscriber paid to Prevalent for the nonconforming Services. PREVALENT’S REPERFORMANCE OF THE NONCONFORMING SERVICES OR THE CREDIT FOR ANY FEES SUBSCRIBER HAS PAID FOR SUCH NONCONFORMING SERVICES SHALL CONSTITUTE SUBSCRIBER’S SOLE REMEDY AND PREVALENT’S MAXIMUM LIABILITY UNDER THIS AGREEMENT. Prevalent does not make and hereby disclaims any warranty, express or implied, with respect to the Prevalent Services provided hereunder. Prevalent does not guarantee or warrant the correctness, completeness, merchantability, or fitness for a particular purpose of the Prevalent Services or information provided therein.
In no event shall Prevalent be liable for any indirect, incidental, or consequential damages, however arising, incurred by Subscriber from receipt or use of information delivered hereunder or the unavailability thereof.
  4. INDEMNIFICATION. Subscriber hereby agrees to protect, indemnify, defend, and hold harmless Prevalent from and against any and all costs, claims, demands, damages, losses, and liabilities (including attorneys’ fees and costs): (i) breach of this license; or (ii) based upon the negligence or willful misconduct of Subscriber arising from or in any way related to use of information received by Subscriber (or any third party receiving such information from or through Subscriber) furnished by or through Prevalent.

Attachment C

Vendor Risk Manager

Software Service Description

VRM: Prevalent Vendor Risk Manager (VRM) is a Software as a Service (SaaS) offering that automates many of the tasks associated with the vendor risk management process, including evidence collection, evidence risk analysis, email notifications, and scheduling. VRM offers security, compliance, and risk management professionals a platform to manage and automate the vendor risk assessment process. VRM enables organizations to evaluate vendors based on vendor tiers determined by their importance or potential risk to the organization. VRM enables the creation of standard tier structure for the organization, a standardized assessment workflow, Shared Assessment content, evidence collection, risk scoring, and reporting.  The VRM SaaS manages each vendor independently, providing the ability to understand the impact of doing business with a particular vendor.  Each VRM license shall allow for the assessment, management and reporting for one third party vendor per license for the license term.

Vendor Threat Monitor

Software Service Description

VTM: Prevalent Vendor Threat Monitor (VTM) is a Software as a Service (SaaS) offering that enables organizations to continuously monitor key relationship risk areas, including: Data Risk, Operational Risk, Financial Risk, Brand Risk, Regulatory Risk and Geographic Risk. Organizations using Prevalent VRM SaaS to assess vendors and service providers can opt to configure VTM to monitor for potential risk areas identified by Prevalent VRM.  Prevalent VTM will notify the risk manager associated with the relationship to determine whether the risk poses an actual threat to the organization.  Data types that are part of this analysis include external data breach notifications, IP reputation data, malware for known domains, financial analysis, phishing attacks, regulatory issues and other publicly available information.  Each VTM license shall allow for the monitoring of threat intelligence and reporting for one third party vendor per license for the license term.

Acceptable Use Policy

This Acceptable Use Policy (this “Policy”) describes prohibited uses of the web services offered by Prevalent Inc. and its affiliates (the “Services”) and the associated Prevalent cloud based website (the “Site”). The examples described in this Policy are not exhaustive. We may modify this Policy at any time by posting a revised version on the Site. By using the Services or accessing the Site, you agree to the latest version of this Policy. If you violate the Policy or authorize or help others to do so, we may suspend or terminate your use of the Services.

No Illegal, Harmful, or Offensive Use or Content

You may not use, or encourage, promote, facilitate or instruct others to use, the Services or Site for any illegal, harmful or offensive use, or to transmit, store, display, distribute or otherwise make available content that is illegal, harmful, or offensive. Prohibited activities or content include:

  • Illegal Activities. Any illegal activities, including advertising, transmitting, or otherwise making available gambling sites or services or disseminating, promoting or facilitating child pornography.
  • Harmful or Fraudulent Activities. Activities that may be harmful to others, our operations or reputation, including offering or disseminating fraudulent goods, services, schemes, or promotions (e.g., make-money-fast schemes, ponzi and pyramid schemes, phishing, or pharming), or engaging in other deceptive practices.
  • Infringing Content. Content that infringes or misappropriates the intellectual property or proprietary rights of others.
  • Offensive Content. Content that is defamatory, obscene, abusive, invasive of privacy, or otherwise objectionable, including content that constitutes child pornography, relates to bestiality, or depicts non-consensual sex acts.
  • Harmful Content. Content or other computer technology that may damage, interfere with, surreptitiously intercept, or expropriate any system, program, or data, including viruses, Trojan horses, worms, time bombs, or cancelbots.

No Security Violations

You may not use the Services to violate the security or integrity of any network, computer or communications system, software application, or network or computing device (each, a “System”). Prohibited activities include:

  • Unauthorized Access. Accessing or using any System without permission, including attempting to probe, scan, or test the vulnerability of a System or to breach any security or authentication measures used by a System.
  • Monitoring of data or traffic on a System without permission.
  • Falsification of Origin. Forging TCP-IP packet headers, e-mail headers, or any part of a message describing its origin or route. This prohibition does not include the use of aliases or anonymous remailers.

No Network Abuse

You may not make network connections to any users, hosts, or networks unless you have permission to communicate with them. Prohibited activities include:

  • Monitoring or Crawling. Monitoring or crawling of a System that impairs or disrupts the System being monitored or crawled.
  • Denial of Service (DoS). Inundating a target with communications requests so the target either cannot respond to legitimate traffic or responds so slowly that it becomes ineffective.
  • Intentional Interference. Interfering with the proper functioning of any System, including any deliberate attempt to overload a system by mail bombing, news bombing, broadcast attacks, or flooding techniques.
  • Operation of Certain Network Services. Operating network services like open proxies, open mail relays, or open recursive domain name servers.
  • Avoiding System Restrictions. Using manual or electronic means to avoid any use limitations placed on a System, such as access and storage restrictions.

No E-Mail or Other Message Abuse

You will not distribute, publish, send, or facilitate the sending of unsolicited mass e-mail or other messages, promotions, advertising, or solicitations (like “spam”), including commercial advertising and informational announcements. You will not alter or obscure mail headers or assume a sender’s identity without the sender’s explicit permission. You will not collect replies to messages sent from another internet service provider if those messages violate this Policy or the acceptable use policy of that provider.

Our Monitoring and Enforcement

We reserve the right, but do not assume the obligation, to investigate any violation of this Policy or misuse of the Services or Site. We may:

  • investigate violations of this Policy or misuse of the Services or Site; or
  • remove, disable access to, or modify any content or resource that violates this Policy or any other agreement we have with you for use of the Services or the Site.

We may report any activity that we suspect violates any law or regulation to appropriate law enforcement officials, regulators, or other appropriate third parties. Our reporting may include disclosing appropriate customer information. We also may cooperate with appropriate law enforcement agencies, regulators, or other appropriate third parties to help with the investigation and prosecution of illegal conduct by providing network and systems information related to alleged violations of this Policy.

Reporting of Violations of this Policy

If you become aware of any violation of this Policy, you will immediately notify us and provide us with assistance, as requested, to stop or remedy the violation.