Prevalent – VRM Subscription Agreement

PREVALENT  SOFTWARE AS A SERVICE (SaaS) SUBSCIPTION AGREEMENT  (“Agreement”)

BACKGROUND: Prevalent will provide to Subscriber its software application and/or certain monitoring services as part of the Prevalent Cloud Service offerings as referred to in the Prevalent Sales Quote. In addition, Customer may seek certain additional services at a separate cost as reflected in an associated Prevalent Sales Quote and that for the purposes of this Agreement both may be jointly or individually referred to as “Service”). Those Services may contain access to certain licensed third party data that is used in conjunction with the Service which will be governed by separate terms provided as a click through within the Service. (“Third Party Data”). For the purpose of clarity, the parties acknowledge that the Services include software applications that are governed by the terms of this License and that Service and Software may be jointly referred to throughout this Agreement as Software.  With regard to all Services, Prevalent performance is conditional upon Subscriber fulfilling its obligations set forth in this Agreement or later expressly agreed to in writing.

DEFINITIONS: The terms referenced in this Agreement have the following meaning:

  1. “Prevalent Cloud Services” are certain specified services that are run on the Prevalent Cloud Services Environment and made commercially available by Prevalent under the terms of this Agreement.
  2. “Prevalent Cloud Services Environment” refers to the combination of hardware and software owned, licensed, subscribed to, or managed by Prevalent to which Prevalent grants the Subscriber and users access as part of the Cloud Services that are described in the Prevalent Sales Quote.
  3. “Prevalent Portal” means that portion of the Prevalent Cloud Service Environment that Prevalent makes available to Subscriber and their Users.
  4. “Prevalent Sales Quote” is a formal Prevalent offer for the sale of specified products and services pursuant to this Agreement, which shall be effective upon Subscriber’s execution thereof.
  5. “Prevalent Software Service Description” is the formal Prevalent description of the commercial service offering defining the scope and coverage of the service, as referenced in the Prevalent Sales Quote and attached to this Agreement as Exhibit B.
  6. “Services” means, collectively the Cloud Services, Professional Services and Software in the Prevalent Software Service Description referenced on the Prevalent Sales Quote.
  7. “Software” refers to the application software developed and or distributed by Prevalent, as referenced on the Prevalent Sales Quote, and as described in the Prevalent Software Service Description.
  8. “Subscriber” means the Customer named in the Prevalent Sales Quote and/or associated Customer Purchase Order.
  9. “Subscriber Data” means any data, content, code, video, images or other materials of any type that Subscriber uploads, submits or otherwise transmits to or through Services.
  10. “Users” means those employees, contractors, and end users, as applicable, authorized by the Subscriber to use the Services in accordance with this Agreement. For Services that are specifically designed to allow the Subscriber’s customers, suppliers or other third parties to access the Services to interact with the Subscriber, such third parties will be considered “Users” subject to the terms of this Agreement.
  11. “Third Party Data” means data sources provided by a third party license vendor for use with the Service, such as vendor threat monitoring data..
  12. “Third Party Software” means third party software offered by Prevalent Inc. (“Prevalent”) as stated in the Prevalent Sales Quote.

ARTICLE I. SOFTWARE AS A SERVICE (“SaaS”) END USER LICENSE AGREEMENT

1.1) SaaS  End User License The Software provides the functionality as specified in the printed Prevalent Software Service Description and product documentation attached hereto as Attachment B. The Software including any pre-existing data, are the proprietary property of Prevalent and its suppliers and Prevalent retains any and all rights, title and interest in and to the Software, including in all copies, improvements, enhancements, modifications and derivative works of the Software.

1.2) Third Party Data License. The Software includes access to various confidential and proprietary Third Party Data that is utilized along with the Service as a comparative data source in processing the Subscriber Data and generating various reports and reporting data. This information is compiled from third party sources, including but not limited to, public records, user submissions, and other commercially available data sources. These sources may not be accurate or complete, or up-to-date and is subject to ongoing and continual change without notice. Neither Prevalent nor its Third Party Data sources make any representations or warranties regarding the data and assume no responsibility, for the accuracy, completeness, or currency of the data, or any decisions Subscriber makes based in whole or part on this data or information. This data and information is not a substitute for Subscriber’s own judgment, professional advice, or the need to seek additional input and research before making any decisions and should NOT be used alone to make decisions. Subscriber shall use Third Party Data solely in connection with present or prospective credit, financial or risk management transactions with the business vendors to which the Subscriber inquiry relates.  Moreover, Subscriber acknowledges that the Third Party Data will not be used: i) in determining personal, family or household eligibility for obtaining credit or insurance; ii) nor shall it be used for employment purposes (but may be used when evaluating and individual as an independent consultant vendor); nor iii) for any other purpose governed by the Fair Credit Reporting Act. Subscribers will abide by all applicable laws as a condition for continued use of their Third Party Data. Third party data providers of Prevalent are shall be deemed to be 3rd party beneficiaries of this Agreement. Prevalent further represents they will  use reasonable commercial efforts to: (i) help ensure the appropriateness of the Third Party Data before it is selected for use with the Service; (ii) to promptly remove Third Party Data from the Service that is identified as inaccurate data; and (iii) promptly advise Subscriber of known or suspected problems and/or concerns with Third Party Data.

1.3) Software License Grant. Subject to Subscriber’s compliance with the terms and conditions of this Agreement, Prevalent grants to Subscriber a non-exclusive, non-transferable license to use Software solely in Subscriber’s internal business operations during the term of this license (“License”). Subscriber is provided a right to: (i) use the Software within the Prevalent Cloud Services Environment in accordance with the scope and term of the  Agreement as specified below, which is offered as a Service; and (ii) produce reports for their internal use. For the purpose of clarity, no third party may rely in any manner on the reports, results, recommendation work product provided by or generated through the Service, all work is provided for informational purposes solely for the benefit of the Subscriber. Subscriber rights to use the Service shall be limited to those expressly granted in this Agreement. All rights not expressly granted to Subscriber are retained by Prevalent. The Service is protected by copyright laws, trade secret, as well as laws and any applicable regulations and/or treaties related to other forms of intellectual property. Prevalent owns, or has the necessary rights in, all intellectual property rights in the Service. The license to use the Service is subject to these rights and to all the terms and conditions of this Agreement. Subscriber is granted only the non-exclusive, non-transferable right to use the Service and related user documentation solely on the hosted Prevalent Cloud Service Environment during the term of  the License as specified in the Prevalent Sales Quote, and does not acquire any rights of ownership in such materials.

The Subscriber grants Prevalent the right to use, process, collect, copy, store, transmit, modify and create derivative works of Subscriber Data, in each case solely to the extent necessary to provide the applicable Service to Subscriber in accordance with this Agreement, for the duration of the Services period plus any additional post-termination period during which Prevalent provides the Customer with access to retrieve an export file of Subscriber’s content, not to exceed 60 days. The license granted by this Agreement shall apply only for the number of user id’s, or capacity (i.e. number of vendors etc.) provided for pursuant to the associated Prevalent Sales Quote (the “Subscription Agreement”), and shall only be valid for such time as the Subscription Agreement remains in full force and effect; in the event Subscriber terminates or otherwise discontinues their use of the hosted Prevalent Cloud  Service Environment with Prevalent, this license and Subscriber’s right to use the Service shall terminate without further notice. Subscriber shall take reasonable steps, including limiting access to user IDs and passwords, to limit access to the Software to those of its employees who are authorized to use the Software. Except in the case of Prevalent’s negligence or willful misconduct or breach of any of its obligations under this Agreement, Subscriber remains responsible for any and all actions taken using Subscriber accounts and passwords, and Subscriber agrees to immediately notify Prevalent of any unauthorized use of which Subscriber becomes aware, or reasonably suspect.

The Subscriber agrees not to use or permit use of the Services, including by uploading, emailing, posting, publishing or otherwise transmitting any material, including the Subscriber Data, Service generated work product or report, or third party content, for any purpose that may (a) menace or harass any person or cause damage or injury to any person or property, (b) involve the publication of any material that it knows to be false, defamatory, harassing or obscene, (c) violate privacy rights or promote bigotry, racism, hatred or harm, (d) constitute unsolicited bulk e-mail, “junk mail”, “spam” or chain letters; (e) constitute an infringement of intellectual property or other proprietary rights, (f) frame, scrape, link or mirror any content forming a part of the Service, other than Subscriber’s own intranets or otherwise for its own internal use; (g) knowingly upload to the Service or use the Service to send or store viruses, worms, time-bombs, Trojan horses or other harmful or malicious code or (h) otherwise violate applicable laws, ordinances or regulations.  In addition to any other rights afforded to Prevalent under this Agreement, Prevalent reserves the right, but has no obligation, to take remedial action if any material violates the foregoing restrictions, including the removal or disablement of access to such material.  Prevalent shall have no liability to the Subscriber in the event that Prevalent takes such action.  The Subscriber shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness and ownership of all of Subscriber Data.

1.3) Restrictions on Transfer, Use, Alteration and Copying Subscriber may not, without Prevalent’s prior written consent, conduct, cause or permit the: (i) use, copying, modification, rental, lease, sublease, sublicense, or transfer of the Service except as expressly provided in this Agreement; (ii) creation of any derivative works based on the Service or its accompanying documentation including but not limited to translations, (iii) alteration of any files or libraries in any portion of the Service, or reproduction of the database portion or creation of any tables or reports relating to the database portion; (iv) reverse engineering, disassembly, or decompiling of the Service; (v) use of the Service in connection with service bureau, facility management, timeshare, service provider or like activity whereby Subscriber operates or uses the Service for the benefit of a third party;  (vi) use of the Service, including any data, information or reports generated by the Service, by any party other than Subscriber and its subcontractors and agents acting on Subscriber’s behalf and subject to the terms of this Agreement; or (vii) falsely imply any sponsorship or association with Prevalent. Any violation of this section shall result in immediate termination of this Agreement, which termination shall not be exclusive of other remedies available.

Except for the purposes of training, translation, Subscriber’s internal backup, operational support or internal distribution, Subscriber may not copy or allow others to copy any part of the user documentation or other printed material provided with the Service.

1.4) Security. Prevalent implements security procedures to help protect Subscriber Data from security attacks. However, subject to Prevalent’s taking reasonable measures to secure Subscriber data for transport, Subscriber understand that use of the Services necessarily involves transmission of Subscriber Data over networks that are not owned, operated or controlled by Prevalent, and we are not responsible for any of Subscriber Data lost, altered, intercepted or stored across such networks.   Notwithstanding the foregoing, Prevalent  acknowledges and confirms that it has in place and will maintain throughout the term of this Agreement appropriate technical and organizational measures to help secure against the accidental, unauthorized or unlawful processing, destruction, loss, damage or disclosure of Subscriber Data and adequate security programs and procedures to ensure that unauthorized persons or parties do not have access to any equipment used to process such information or data.

1.5) Indemnity for Subscriber Data. Subscriber shall bear sole responsibility for any information uploaded or supplied by Subscriber in connection with use of the Service, including but not limited to ensuring that the use of the Service to store, process and transmit Subscriber Data is compliant with all applicable laws and regulations. IN NO EVENT SHALL PREVALENT BEAR ANY LIABILITY FOR THE USE OR LOSS OF ANY INFORMATION UPLOADED OR SUPPLIED BY LICENSEE IN CONNECTION WITH USE OF THE SERVICE.  Subscriber will defend, indemnify and hold harmless Prevalent from and against any loss, cost, liability or damage, including attorneys’ fees, for which Prevalent becomes liable arising from or relating to any claim relating to Subscriber’s inappropriate use of Subscriber Data in violation of this Agreement, including but not limited to any claim brought by a third party alleging that Subscriber Data, or Subscriber’s use of the Services in breach of this Agreement, infringes or misappropriates the intellectual property rights of a third party or violates applicable law. Prevalent shall not be responsible or liable for the deletion, alteration, destruction, damage, loss or failure to store any Subscriber Data unless, and only to the extent that, such deletion, alteration, destruction, damage, loss or failure to store any Subscriber Data is directly and proximately caused by Prevalent’s action or inaction and subject to any limitations set forth in this Agreement.

1.6) Legal Compliance. Subscriber must ensure that Subscriber’s use of Services and all Subscriber Data is at all times compliant with applicable local, state, federal and international laws and regulations (“Laws”). Subscriber represents and warrants that: (i) Subscriber has obtained all necessary rights, releases and permissions to provide all Subscriber Data to Prevalent and to grant the rights granted to Prevalent in this Agreement and (ii) Subscriber Data and its transfer to and use by Prevalent as authorized by Subscriber under this Agreement do not violate any Laws (including without limitation those relating to export control and electronic communications) or rights of any third party, including without limitation any intellectual property rights, rights of privacy, or rights of publicity, and any use, collection and disclosure authorized herein is not inconsistent with the terms of any applicable privacy policies. Other than its security and confidentiality related obligations set forth in this Agreement or in the Prevalent Privacy Policy, Prevalent assumes no responsibility or liability for Subscriber Data, and Subscriber shall be solely responsible for Subscriber Data and the consequences of using, disclosing, storing, or transmitting it.

1.7) Term of Service Period.  Services provided under this Agreement shall be provided for the Services period defined in the Prevalent Sales Quote, unless earlier suspended or terminated in accordance with this Agreement or the Prevalent Sales Quote

1.8)  Limited Warranty. Prevalent represents and warrants to Subscriber that the Service will in substantial compliance with the printed product information attached hereto as Attachment B. In the event of a breach, Subscriber will promptly notify Prevalent of the non-conformity in writing and Prevalent will use reasonable commercial efforts to repair the Service to operate in compliance with its written description in compliance with the Service Level Agreement set forth in Attachment A. Subscriber’s exclusive remedy for breach of this warranty is for Prevalent to correct or work around the reported malfunction upon request. If the malfunction persists in causing a material failure in Subscriber’s production instances of the Service to conform to the Product documentation without correction or work-around forty-five (45) days after written notice to Prevalent of a warranty claim under this Section 1.8. All limited warranties on the Service are granted only to Subscriber and are non-transferable. This remedy represents Prevalent’s exclusive duty and Subscriber’s sole remedy even in the event that the remedy should fail in its essential purpose.

Prevalent makes no warranty that the Software will meet Subscriber’s requirements or operate under Subscriber’s specific conditions of use. Except as otherwise expressly provided herein, Prevalent makes no warranty that operation of the Service will be secure error free, or free from interruption. EXCEPT AS EXPLICITLY PROVIDED IN THIS AGREEMENT OR OTHERWISE AGREED TO IN WRITING BY PREVALENT, PREVALENT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN FACT OR IN LAW, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OTHER THAN AS SET FORTH IN THIS AGREEMENT. SUBSCRIBER MUST DETERMINE WHETHER THE SERVICE SUFFICIENTLY MEETS  SUBSCRIBER’S REQUIREMENTS FOR SECURITY AND UNINTERRUPTABILITY. EXCEPT TO THE EXTENT ATTRIBUTABLE TO A BREACH OF PREVALENT’S SECURITY OR SERVICE LEVEL OBLIGATIONS HEREUNDER, SUBSCRIBER BEARS SOLE RESPONSIBILITY AND ALL LIABILITY FOR ANY LOSS INCURRED DUE TO FAILURE OF THE SERVICE TO MEET SUBSCRIBER’S REQUIREMENTS. EXCEPT TO THE EXTENT ATTRIBUTABLE TO EITHER PARTY’S GROSS NEGLIGENCE OR WILFULL MISCONDUCT, OR SERVICE LEVEL OBLIGATIONS HEREUNDER, PREVALENT WILL NOT, UNDER ANY CIRCUMSTANCES, BE RESPONSIBLE OR LIABLE FOR THE LOSS OF DATA ON ANY SUBSCRIBER COMPUTER OR INFORMATION STORAGE DEVICE. IN ADDITION, SUBSCRIBER ACKNOWLEDGES AND AGREES THAT (A) THE SERVICE DOES NOT CONSTITUTE THE PROVISION OF LEGAL ADVICE OR SERVICES IN ANY MANNER; (B) THE SERVICE DOES NOT ENSURE SUBSCRIBER’S COMPLIANCE WITH ALL APPLICABLE INDUSTRY REGULATIONS AND LAWS; AND (C) SUBSCRIBER IS SOLELY RESPONSIBLE FOR ITS COMPLIANCE WITH  APPLICABLE LAWS RULES AND REGULATIONS

1.9) Indemnification.  Prevalent shall defend Subscriber, at Prevalent’s expense, against any claims, demands, suits or proceedings (“Claims”) made or brought against Subscriber by a third party alleging that the use of the Service as contemplated hereunder, and excluding actions based upon Subscriber Data, infringe a patent, copyright, trademark, or other intellectual property right of a third party or misappropriates such third party’s trade secrets.  Further, Prevalent shall indemnify and hold Subscriber harmless against all costs (including reasonable attorneys’ fees) to the extent arising out of or  in connection with such Claims.  Upon receiving notice of a Claim, Subscriber shall (a) give Prevalent prompt written notice of the Claim; (b) give Prevalent sole control of the defense and settlement of the Claim (provided that Prevalent may not settle or defend any claim unless it unconditionally releases Subscriber of all liability and does not attribute any blame or contributory fault to Subscriber); and (c) provide to Prevalent, at Prevalent’s cost, all reasonable assistance in the defense or settlement of such Claim. This Section 1.9 states Prevalent’s entire liability and Subscriber’s exclusive remedy for any claim of intellectual property infringement under this Section 1.9.

1.10)  License by Subscriber to Use Feedback. Subscriber grants Prevalent a worldwide, perpetual, irrevocable, royalty-free license to use and incorporate into the Services any suggestion, enhancement request, recommendation, correction or other feedback provided by Subscriber or Users relating to the operation of the Services but on an anonymized basis and without identification or attribution to Subscriber.

II GENERAL TERMS AND CONDITIONS

2.1) Fees, Invoices and Payment.  Subject to performance of the Services in accordance with the Agreement, Subscriber shall pay Prevalent the fees for the Services set forth in the Prevalent Sales Quote (the “Fees”).  The Fees include all charges associated with the Services including all incidental costs except for taxes and expenses.  Prevalent shall submit invoices for Services delivered in accordance with the payment schedule set forth in the Prevalent Sales Quote.  Subscriber shall pay all invoices within 30 days of receipt of the invoice; thereafter unpaid balances which are not the basis of a good faith dispute shall accrue interest at a rate of 1.5% per month.  Any Subscriber prepayment or any credits earned must be used within 15 months of the time that they are purchased, earned or awarded or they will expire without notice. If Subscriber fails to pay all invoices or charges for referencing these Terms within thirty (30) business days of Prevalent’s notice to Subscriber that payment is past due or delinquent in addition to Prevalent’s other remedies, Prevalent may suspend or terminate access to and use of the Service by Subscribers.

2.2) Upgrades. If Subscriber chooses to upgrade a Service or increase the number of authorized Subscribers during the Subscription Term (a “Subscription Upgrade”), any incremental Subscription Charges associated with such Subscription Upgrade will be prorated over the remaining period of Subscriber’s then current Subscription Term and will be due and payable upon implementation of such Subscription Upgrade. In any future Subscription Term, no refunds or credits for Subscription Charges or other fees or payments will be provided to Subscriber if Subscriber elects to downgrade their Service Plan.

2.3) Expenses. Travel and expenses are not included in the Service installation and configuration that appears in the Prevalent Sales Quote.  Prevalent will be reimbursed for those expenses that have been incurred in accordance with this Agreement and itemized on its invoice and accompanied by adequate, supporting documentation.  Unless otherwise agreed to in advance, all expenses shall be invoiced in arrears after Prevalent has incurred the Expense and after Subscriber has provided prior written approval for reimbursement.

2.4) Equitable Relief. Subscriber acknowledges that any use or disclosure of the Software in a manner inconsistent with the terms of this Agreement, or breach of confidentiality may cause Prevalent irreparable damage for which other remedies may be inadequate, and Subscriber agrees not to oppose any request to a court of competent jurisdiction by Prevalent for injunctive or other equitable relief seeking to restrain such use or disclosure. Subscriber waives any right it may have to require Prevalent post a bond or other form of security as a precondition to any such injunctive relief.

2.6) Severability. If any provision of this Agreement shall be held to be invalid or unenforceable, the remainder of this Agreement shall remain in full force and effect. To the extent any express or implied restrictions are not permitted by applicable laws, these express or implied restrictions shall remain in force and effect to the maximum extent permitted by such applicable laws.

2.7) Confidential Information.  “Confidential Information” means any information one party discloses to the other under this Agreement which is identified as confidential or proprietary.  Confidential Information does not include information which: is rightfully obtained by the recipient without breaching any confidentiality obligations; is or becomes known to the public through no act or omission of the recipient; the recipient develops independently without using Confidential Information; or is disclosed in response to a valid court or governmental order if the recipient notifies the disclosing party and assists in any objections.  The recipient may use Confidential Information only for the purposes for which it was provided under this Agreement, and shall treat it with the same degree of care as it does its own similar information, but with no less than reasonable care.  This section shall not affect any other confidential disclosure agreement between the parties.

2.8) Limitation of Liability.  Except for breach of Subscriber’s payment obligations or situations arising as a result of either party’s gross negligence or willful misconduct, or a breach of confidentiality or indemnity provisions granted hereunder, each party’s aggregate liability to the other for claims arising out of or relating to this Agreement, whether for breach or in tort, is limited to the price charged to Subscriber for the Services.  EXCEPT IN THE CASE OF GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, BREACH OF CONFIDENTIALITY, OR INDEMNIFICATION OBLIGATIONS, NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, PUNITIVE, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT (INCLUDING, WITHOUT LIMITATION, LOSS OF BUSINESS, REVENUE, PROFITS, GOODWILL, USE, DATA OR OTHER ECONOMIC ADVANTAGE) HOWEVER THEY ARISE, WHETHER IN BREACH OF CONTRACT, BREACH OF WARRANTY, OR IN TORT, INCLUDING NEGLIGENCE, AND EVEN IF THAT PARTY HAS PREVIOUSLY BEEN ADVISED OF, OR COULD REASONABLY HAVE FORESEEN, THE POSSIBILITY OF SUCH DAMAGES.  LIABILITY FOR DAMAGES WILL BE LIMITED AND EXCLUDED, EVEN IF ANY EXCLUSIVE REMEDY PROVIDED ABOVE FAILS OF ITS ESSENTIAL PURPOSE.

2.9) BACKGROUND CHECKS

As permitted and as may be required by law, Prevalent Employees and Subcontractors with access to Subscriber Data must pass a background check, which can be performed by Prevalent or by a contractor that is authorized by Prevalent to perform background checks.  If Prevalent performs the background check, Prevalent will provide verification to Subscriber upon request that it performed such background screenings for all existing Prevalent Employees involved with access to Subscriber Data at the time such employees were hired by Prevalent or at some subsequent time that is prior to their involvement in the provision of Services to Subscriber.  Background screenings pursuant to this section must be updated at least every seven (7) years.

  1. Background screenings under this Section will be conducted in accordance with applicable local, state and federal law and at a minimum shall include the following:
    1. Verification of identification, citizenship and Social Security Number;
    2. or a series of repeated convictions a criminal history search to identify felony convictions conducted in the employee’s current county of residence and prior county of residence (if applicable) for the immediate preceding seven year period; an adverse result may include a felony conviction in the last seven years for job related crimes, typically characterized as crimes of violence, dishonesty, theft, drugs,; and
    3. Patriot Act check
    4. Federal Search:
      1. National Criminal Records
      2. International Criminal Records
      3. State-specific Sex Offender Records
    5. Felonies: No years limit
      1. SSN Trace
      2. Credit Report (for mutually agreed Positions of Trust)
      3. Motor Vehicle Report
      4. Watches and Sanctions:
        1. Denied Persons List
        2. Excluded Parties List
        3. FBI Most Wanted Terrorist List
        4. FDA Debarment List
        5. Specially Designated Nationals & Blocked Persons List
          (include OFAC)

A failure to pass a background screening or confirmed felony conviction must be reported to Subscriber prior to involvement in the provisions of Services.  Furthermore, any confirmed felony conviction or any alleged offense involving illegal drugs, violence, or a breach of fiduciary duty after the background screening has been completed must be reported to Subscriber before such Prevalent Employee can continue any involvement in the provisions of Services.

2.10) Hiring of Personnel.  Subscriber will not recruit any personnel Prevalent assigns to perform Services until one year after completion of the applicable Services, including initiating personal contact for the purpose of hiring.

2.11) Termination:

  • EVENTS CONSTITUTING TERMINATION Either party may terminate this Agreement if the breaching party fails to cure any breach of this Agreement within thirty (30) days of written notice from the non-breaching party specifying such breach.
  • OBLIGATIONS UPON TERMINATION Upon termination of this Agreement, Subscriber shall discontinue use of the Service and Prevalent shall return to Subscriber all Subscriber Data
  • SURVIVAL UPON TERMINATION The other rights and obligations of the parties pursuant to Articles; 1.3, Restrictions on Transfer; 1.5, Indemnification for Subscriber Data; 1.6, Legal Compliance; 1.8, Limited Warranty; 1.9, Indemnification; 2.7, Confidential Information; 2.8, Limitation of Liability; 2.9, Hiring Personnel; and 2.10, Termination of this Agreement shall survive and continue after any termination of this Agreement.


2.12) Audit.
  Upon reasonable notice to either party, and during normal business hours, will have the right to audit the other party to ensure compliance with the terms of this Agreement.  Such audit shall be no more than one such audit in any twelve (12) month period during the Term (unless otherwise required by regulators or applicable law). The party requesting the audit will: (i) schedule each audit at a mutually agreeable time to the other party; (ii) will be responsible for all time and materials costs of its own or third party auditors retained to conduct he  audit; and (iii) abide by the other party’s reasonable security policies and practices.

2.13) Headings. Headings of sections in this Agreement are inserted for convenience only, and are in no way intended to limit or define the scope and/or interpretation of this Agreement.

2.14) Waiver & Severability. Failure on the part of either party to give notice of default, or delay in exercising any right or remedy hereunder, shall not operate as a waiver of any such right or remedy except as otherwise expressly stated in this Agreement.  In the event that any provision of this Agreement is held invalid, illegal or unenforceable, the remaining provisions shall be enforced to the maximum extent permitted by applicable law.

2.15) Force Majure.  Neither party will be liable for any delay in performance hereunder if such delay is due to causes beyond the reasonable control of such party in the event Prevalent is the party unable to perform, Prevalent shall provide Subscriber with a pro-rata refund of fees paid upon any such termination.

2.16) Assignment. 

Except in the case of merger or sale of all or substantially all of a party’s assets, neither party may assign or otherwise transfer any of its rights, duties or obligations under this Agreement without the prior written consent of the other party.  Such consent may not be unreasonably withheld.

2.17) General.

a.) Disputes will be governed by the laws of the State of New Jersey, excluding its conflict of laws rules.  The exclusive venue for any litigation arising out of or relating to this Agreement will be Somerset County, NJ; and the parties waive any claims of forum inconvenience.

b.) This Agreement, together with its Attachments  constitutes the entire agreement between the parties relating to the Services, and supersedes all prior or contemporaneous oral or written communications, proposals, conditions, representations and warranties, and prevails over any conflicting or additional terms contained in any quote, purchase order, order document, acknowledgment, or other communication between the parties relating to the Services, even if Prevalent uses such order documents for invoicing purposes.

 

Attachment A
Service Level Agreement
SERVICE LEVELS
Service Level Agreement

 INTRODUCTION

This Attachment A sets forth certain levels of service that Provider is required to meet in performing the Services during the Term (“Services Levels”).  As used herein “Provider” means Prevalent, Inc. and “Company” means ________________________.

  1. GENERAL PROVISIONS
    • Measurement and Reporting.
      1. Except as otherwise agreed upon by the Parties, Provider will monitor its actual performance of the Services against the Service Levels. Provider will provide automated tools, collect and provide to Company the data reasonably made available to it by such tools, and be responsible for measuring performance against the Service Levels. Provider’s failure to properly measure performance with respect to any particular Service Level for any month will be a Service Level Default with respect to such Service Level for such month.
      2. Provider will provide Company with a set of hard- and soft-copy reports to verify Provider’s performance and compliance with the Service Levels. Detailed supporting information for all reports will be provided to Company in spreadsheet form, or such other form as reasonably requested by Company. The raw data, detailed supporting information, and other data produced or derived from measurement of the Services will be Company Data, and may be accessed by Company on-line and in real time, where feasible, at any time during the Term.
  1. DEFINITIONS

All capitalized terms used but not defined in this Attachment A have the meanings assigned to them in the Agreement. For purposes of this Attachment A, the following terms have the following meanings:

  • “Actual Uptime” means the aggregate amount of time within Scheduled Uptime when Services are actually available for normal business use by Company or users, as applicable (i.e., Actual Uptime = Scheduled Uptime – Outage). Services are actually available for normal business if they can be used in accordance with its intended functionality, with the required database files and tables being accessible with current data.
  • “Availability” means the Actual Uptime expressed as a percentage of the Scheduled Uptime (i.e., Availability % = (Actual Uptime)/Scheduled Uptime x 100%).
  • “Downtime” means an Outage that continues for a period of more than ten (10) minutes.
  • “Monthly Charge” means the amount Provider invoices Company for the Services for a given month.
  • “Outage” means any interruption of five (5) minutes or more during which ten percent (10%) or more of Company or users are unable to access the System or their access to the System is substantially impaired (including through significant logon delay).
  • “Service Level Default” means an occurrence of Provider’s failure to meet any Service Level.
  • “Scheduled Uptime” means the period of time (days of the week and hours per day) the Services are expected to be available to Company for normal business use. Scheduled Uptime excludes maintenance windows for the Services.
  1. SERVICE LEVEL PROCESS
    • Reevaluation of Service Levels. Section 5.1 of this Attachment A Error! Reference source not found. identifies the Service Levels that apply during the Term, subject to the following:
      A.  The numerical values associated with such Service Levels (e.g., Availability of 99.8%) will be subject to Company’s and Provider’s mutual reevaluation three (3) months after the Effective Date. The purpose of such reevaluation is to confirm or change the numerical value based upon the average performance of Provider with respect to the applicable Service Level during such three (3) month period. Company and Provider may agree to adjust the Service Levels at this time.
      B.  The Parties agree that the Service Levels confirmed or changed in accordance with Section 3.1A above will not be less than those levels reasonably and consistently achievable with the systems and environments used to provide the Services if used in accordance with the practices and standards used in well-managed operations performing services similar to the Services
    • Additions/Modifications to Service Levels. The Parties will cooperate to identify additional Service Levels in furtherance of the objective of having a comprehensive set of Service Levels that provide a fair, accurate, and consistent measurement of Provider’s performance of the Services. In response to changes in Company’s business needs or to reflect changes in or evolution of the Services, Company and Provider will, at least once per year, review and assess any changes and agree to add or substitute new Service Levels to meet such objective(s) as may be redefined from time to time during the Term.
  2. SERVICE LEVELS
    Provider must meet or exceed the Service Levels described in this Attachment A, including Section 5.1.
  • System Availability and Performance. Provider must maintain availability and performance of the System to users so as to meet or exceed the Service Levels set forth in Section 5.1.
  • System Capacity. Provider must provide sufficient hosting capacity to target the Service Levels, availability and performance objectives in Section 5.1. Company will work with Provider to forecast and anticipate unexpected increases in System usage due to any unusual events that could change the rate of System usage typically observed in normal site operation.
  • Content Upload. Provider must upload all Company Data, including updates, to the System within two (2) business days of delivery to Provider unless content results in technical changes to the System (i.e., beyond text or graphics).
  • Response Time. Provider must manage equipment, bandwidth, and network response times to target Service Levels and performance objectives stated in Section 5.1.
  1. SERVICE LEVEL DEFAULTS

Credits. Provider recognizes that a Service Level Default may have a material adverse impact on the business and operations of Company and that the damage from such Service Level Default is not susceptible to precise determination. Accordingly, if Provider fails to meet any Service Level for reasons other than a Force Majeure Event, then, Company may as an exclusive remedy recover a corresponding Service Level credit in the amount of 5% for the 1st month’s failure; 10% if two (2) consecutive months or two (2) out of any three (3) contiguous months; 15% for more than three (3) consecutive month’s failure to achieve the SLA performance metrics. The SLA credits are calculated as a % of the Monthly Charge owed by Company for the month during which the Service Level Default occurs.  Where Prevalent fails to attain the 99.8% service level, rather than the Service Credit set forth above Subscriber may elect to demand a pro-rata refund  based upon the number of days outside of the Service the 99.8% service level and the refund will be determined on a pro rata basis using the annual Service Subscription fee stated in the Prevalent sales Quote. The refund will be paid at the end of the calendar quarter; this represents Prevalent’s sole liability for that Service level breach and Subscriber’s sole remedy.

1. Service Level: System Availability.

Provider will provide the Application Services 24 hours per day, 365 days per year with an Availability of 99.8%, excluding scheduled maintenance, which will not be performed during Company’s normal business hours of operation from 7:00 AM to 6:00 PM (ET). Provider will provide Company with its maintenance schedule and will notify Company in advance of any non-scheduled maintenance. Provider will keep and maintain a back-up environmental redundancy system to ensure Availability of the Application Services for Company.

2. Service Level: Monitoring and Response Time.

Provider will respond to and resolve System faults based on the severity levels detailed below. The time clock will restart any time a severity level is changed. “Response” means the time Provider takes from its receipt of a problem report until it begins work to resolve the problem.

SEVERITY LEVEL FAULT DESCRIPTION RESPONSE FIX
Severity 1 Total inability to use any material part of the Application Services, and/or Company operations or objectives are severely restricted. 1 hour 4 hours
Severity 2 Ability to use the Application Services, but Company operation is moderately restricted or users notice degraded system performance. 4 hours 1 business day
Severity 3 Ability to use the Application Services with minor faults that cause little disruption to service or use. 1 business day ASAP

3. Service Level: Security.

  1. Physical and Technical Security. Provider will provide appropriate and adequate physical and technical security for the Application Services, including, but without limitation, the following:
    1. Provider will have Representatives capable of identifying, categorizing, and responding to a security incident on duty 24X365.
    2. Provider will implement a security fix across the infrastructure in accordance with Provider’s regular update process.
    3. Provider will shut down ALL access to the System, or any component of it associated with the Application Services, within sixty (60) minutes of responding to a request by Company’s security manager.
    4. Provider will not directly or indirectly subcontract, assign, or transfer, permit, or allow any portion of the Services, related support, or other activities under the Agreement offshore, meaning outside the continental United States, without the express prior written consent of the Company.
    5. Provider will require all permitted subcontractors and/or third party service providers utilized either directly or indirectly by Provider in the performance of Services (“Third Party Service Provider”) to adhere to, and with all requirements of the Agreement, including, but not limited to, the Company security requirements set forth in the Agreement.
    6. Provider will conduct annual independent security reviews and audits by a reputable and nationally known independent audit agency to ensure that Provider is meeting all of the physical and technical security requirements of the Agreement. Provider’s audit agency will prepare a written audit report detailing audit findings. Provider will not store or transmit Company Data as clear text. Provider will store and transmit Company Data only in a secure and encrypted mode.
    7. Provider will institute and maintain a separation of duties between application development, quality assurance, testing, and production environments.
  2. Host Security. Provider will have three security components in place for Internet facing servers: (i) “hardened” operating system (OS) builds; (ii) on-host security monitors; and (iii) a secure audit log repository. Provider’s data center will comply with the requirements for SSAE 16 and SOC 2 as set forth in Section 1.4 (Security) of the Agreement.
  3. Secure Audit Repository. Provider will log the following information to a secure audit repository:
  • Any OS patch or OS configuration changes and the user and IP address making them;
  • Account creation, deletions, and modifications (OS not application);
  • Failed attempt to access data;
  • Failed login;
  • Start/stop of server; and
  • Changes to firewall configuration files.

 

Attachment B
Vendor Risk Manager
Software Service Description 

VRM: Prevalent Vendor Risk Manager (VRM) is a Software as a Service (SaaS) offering that automates many of the tasks associated with the vendor risk management process, including evidence collection, evidence risk analysis, email notifications, and scheduling. VRM offers security, compliance, and risk management professionals a platform to manage and automate the vendor risk assessment process. VRM enables organizations to evaluate vendors based on vendor tiers determined by their importance or potential risk to the organization. VRM enables the creation of standard tier structure for the organization, a standardized assessment workflow, Shared Assessment content, evidence collection, risk scoring, and reporting.  The VRM SaaS manages each vendor independently, providing the ability to understand the impact of doing business with a particular vendor.  Each VRM license shall allow for the assessment, management and reporting for one third party vendor per license for the license term.

 

Vendor Threat Monitor
Software Service Description

 VTM: Prevalent Vendor Threat Monitor (VTM) is a Software as a Service (SaaS) offering that enables organizations to continuously monitor key relationship risk areas, including: Data Risk, Operational Risk, Financial Risk, Brand Risk, Regulatory Risk and Geographic Risk. Organizations using Prevalent VRM SaaS to assess vendors and service providers can opt to configure VTM to monitor for potential risk areas identified by Prevalent VRM.  Prevalent VTM will notify the risk manager associated with the relationship to determine whether the risk poses an actual threat to the organization.  Data types that are part of this analysis include external data breach notifications, IP reputation data, malware for known domains, financial analysis, phishing attacks, regulatory issues and other publicly available information.  Each VTM license shall allow for the monitoring of threat intelligence and reporting for one third party vendor per license for the license term. VTM features to use of various third party subscription data subject to a third-party data click through license.