CALLYPSO INC.
SERVICES TERMS AND CONDITIONS

Last Updated: November 16, 2022

These Callypso Inc. Services Terms and Conditions (these “Terms”) are entered into between Callypso Inc., a Delaware corporation (“Callypso”), and the customer set forth in the Order (defined below) (“Customer”). These Terms include, and incorporate by this reference, (a) any ordering document between Callypso and Customer referencing these Terms, if any (an “Order” and together with these Terms, the “Agreement”) and (b) all amendments and addenda to the Agreement. Callypso and Customer are sometimes referred to collectively as the “Parties” and individually as a “Party”.

THE AGREEMENT TAKES EFFECT WHEN CUSTOMER CLICKS THE [“I ACCEPT”/[OTHER NAME OF BUTTON]] BUTTON BELOW AND/OR BY ACCESSING OR USING THE SERVICES (the “Effective Date”). BY ACCESSING AND/OR USING THE SERVICES AFTER THE EFFECTIVE DATE, CUSTOMER (A) ACKNOWLEDGES THAT CUSTOMER HAS READ AND UNDERSTANDS THE AGREEMENT; (B) REPRESENTS AND WARRANTS THAT CUSTOMER HAS THE RIGHT, POWER, AND AUTHORITY TO ENTER INTO THE AGREEMENT AND, IF ENTERING INTO THE AGREEMENT FOR AN ORGANIZATION, THAT CUSTOMER HAS THE LEGAL AUTHORITY TO BIND THAT ORGANIZATION; AND (C) ACCEPTS THE AGREEMENT AND AGREES THAT CUSTOMER IS LEGALLY BOUND BY ITS TERMS.

IF CUSTOMER DOES NOT ACCEPT THESE TERMS, CUSTOMER MAY NOT ACCESS OR USE THE SERVICES.

Callypso and Customer agree as follows:

Section 1             Definitions. Capitalized words used but not defined in these Terms have the following meanings:

    “Account” means a single user electronic account permitting Customer or Authorized Users to access and use the Services.

    “Confidential Information” means any information that is proprietary or confidential to the Discloser or that the Discloser is obligated to keep confidential (e.g., pursuant to a contractual or other obligation owing to a third party). Confidential Information may be of a technical, business or other nature, including, but not limited to, information which relates to the Discloser’s technology, research, development, products, services, pricing of products and services, employees, contractors, marketing plans, finances, contracts, legal affairs, business affairs, or Intellectual Property Rights.

    “Customer Data” means, except for Feedback, any data, content or information provided by Customer or any Authorized User to Callypso. This includes sensitive, confidential, or personally identifiable information that is transmitted by, processed in some way, or stored in electronic media.

    “Discloser” means a Party that discloses any of its Confidential Information to the other Party.

    “Documentation” means the documentation relating to the Callypso Services furnished or made available by Callypso to Customer from time to time.

    “Feedback” means information and feedback (including, without limitation, questions, comments, suggestions, or the like), whether given through the functionality of the Services or otherwise, regarding the performance, accuracy, features, functionality and overall Customer experience with the Services.

    “Intellectual Property Rights” means any patent, copyright, trademark, service mark, trade name, trade secret, know-how, moral right or other intellectual property right under the laws of any jurisdiction, whether registered, unregistered, statutory, common law or otherwise.

    “IP Dispute” means any dispute, cause of action, claim, or controversy relating to Customer’s or Callypso’s Intellectual Property Rights.

    “Recipient” means a Party that receives any Confidential Information of the other Party.

    “Callypso Marks” means any trademarks, service marks, service or trade names, logos, and other designations of Callypso and its affiliates.

    “Callypso Parties” means Callypso and its affiliates, independent contractors and service providers, and each of their respective members, directors, officers, employees and agents.

    “Callypso Servers” means the Callypso Internet servers and networks used in the performance of the Services.

    “Callypso Platform” means the software as a service platform for account management provided by Callypso under the Agreement (if ordered by Customer through an Order) along with any improvements, updates, bug fixes or upgrades thereto.

    “Services” means the Callypso Platform and/or any other professional services to which the Parties may agree in an Order.

    “Unauthorized Use” means any use, reproduction, modification, distribution, disposition, possession, examination, inspection, viewing, disclosure or other activity involving the Services or Documentation of Callypso that is not expressly authorized under the Agreement or otherwise in writing by Callypso.

Section 2         Access to the Services; Restrictions

    2.1 Access to the Services. Subject to Customer’s compliance with the Agreement, Callypso hereby grants to Customer a limited, nonexclusive, nontransferable, nonsublicensable, revocable right during the Services Term to:

    (a) access and use of the Services, as specified in an Order solely for Customer’s internal business operations; and

    (b) if Customer has ordered the Callypso Platform through an Order, invite and enable up to the additional number of Customer’s employees or other designees specified in such Order (“Authorized Users”) to create an Account and access and use the Callypso Platform solely for or on behalf of Customer for Customer’s internal business operations.

    The rights granted in the foregoing clauses may not be sublicensed without Callypso’s prior written consent. Customer is responsible for all Authorized Users’ compliance with the Agreement.

    2.2 Service Plans.

    (a) Callypso makes available the Services through paid plans (“Paid Plans”) and trial plans (“Trial Plans”). Current plans are described at callypso.co/pricing and Customer’s specific plan will be identified in the Order. Customer’s permitted scope of use depends on the plan that Customer selects and will be specified on the applicable Order.

    (b) Paid Plans are provided for the Services Term designated on the applicable Order and, unless otherwise specified on the Order, each Services Term will automatically renew for the same period as the then-current Services Term unless either party gives the other written notice of termination at least 60 days prior to expiration of the then-current Services Term (e.g., monthly Paid Plans will automatically roll over month-to-month and annual Paid Plans will automatically renew for additional 12-month periods).

    (c) Under Trial Plans, Customer may use the Services solely to determine whether to purchase a Paid Plan, and the Services Term will be 30 days unless otherwise specified in the Order. If Customer does not upgrade from a Trial Plan to a Paid Plan at the end of the Services Term of that Trial Plan, then Customer’s access to the Services may be limited or suspended (to be determined at Callypso’s sole discretion) until such time as Customer terminates the Agreement or converts to a Paid Plan.

    (d) Trial Plans may not include all features or functionality offered as part of Paid Plans, and Callypso reserves the right to add or subtract any features or functionality at any time for such plans. Callypso has the right to suspend or terminate a Trial Plan at any time for any reason.

    2.3 Beta Releases.

    (a) Customer may receive access to a Service (or Service features) as an alpha, beta or early access offering (“Beta Releases”). Callypso identifies all Beta Releases as such and any usage by Customer is optional. With respect to any Beta Release that Callypso makes available to Customer from time to time, at its sole discretion, Callypso grants Customer a non-transferable and non-exclusive license to use the Beta Release solely for Customer’s internal evaluation and to provide Callypso with Feedback regarding Customer’s experiences with the installation and operation of the Beta Release, during the period designated by Callypso (or if not designated, 30 days). The Beta Release may be subject to additional terms provided by Callypso and agreed by Customer. Callypso may suspend or terminate Customer’s access to Beta Releases at any time for any reason. Beta Releases may be inoperable, incomplete or include features that Callypso may never release, and their features and performance information are Callypso’s Confidential Information.

    (b) Notwithstanding anything in the Agreement to the contrary, Callypso has no obligation to provide support, maintenance, upgrades, modifications, or new releases for a Beta Release. Owing to the experimental nature of the Beta Release, Customer is advised not to rely exclusively on the Beta Release for any reason. CUSTOMER AGREES THAT THE BETA RELEASE AND RELATED DOCUMENTATION ARE BEING DELIVERED “AS IS” WITHOUT WARRANTIES OF ANY KIND, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL CALLYPSO BE LIABLE TO CUSTOMER OR ANY OTHER PERSON FOR DAMAGES, DIRECT OR INDIRECT, OF ANY NATURE OR EXPENSES INCURRED BY CUSTOMER IN CONNECTION WITH THE BETA RELEASE. CUSTOMER’S SOLE AND EXCLUSIVE REMEDY WILL BE TO TERMINATE ITS USE OF THE BETA RELEASE AND THIS LICENSE BY WRITTEN NOTICE TO CALLYPSO.

    2.4 Restrictions; Limitations.

    (a) Customer may not use the Services in any manner or for any purpose other than as expressly permitted by the Agreement. Customer’s use of any Services may be subject to any additional terms and conditions or limitations as may be set forth or referenced in the Order.

    (b) Without limiting the foregoing, the rights granted under this Section 2 do not include or authorize (unless otherwise set forth in an Order): (i) modifying, disassembling, decompiling, reverse engineering or otherwise making any derivative use of the Services or using or accessing the or Services to build a competitive product or service; (ii) using any data mining, robots or similar data gathering or extraction methods except as provided by the Services; (iii) performing or disclosing any benchmarking or performance testing of the Services; (iv) selling, licensing, renting, leasing, assigning, distributing, displaying, hosting, disclosing, outsourcing or otherwise exploiting the Services; or (v) using the Services other than for their intended use. The rights granted under this Section 2 are conditioned on Customer’s continued compliance with the Agreement (including, without limitation, Authorized Users’ compliance with the Agreement), and may, at Callypso’s sole discretion, immediately and automatically terminate if Customer does not comply with any material term or condition of the Agreement.

    (c) Customer will promptly notify Callypso if it discovers or otherwise suspects any security breaches related to the Services, including any unauthorized use or disclosure of access credentials of a third party.

    2.5 Changes to Services; Terms. Callypso may change the features, functionality or other aspects of the Services without notice to the Customer, provided that such changes do not materially reduce the functionality of the Services.

    2.6 Suspension of Services. Notwithstanding Section 6.3 to the contrary, Callypso may, in its sole discretion, immediately suspend access to or use of the Services by Customer or any Authorized User if Customer or any Authorized User violates a material restriction or obligation of Customer or Authorized Users in the Agreement, or if in Callypso’s reasonable judgment, the Services or any components thereof are (a) being used for discriminatory purposes or in a manner that is harmful to others, or (b) about to suffer a significant threat to security or functionality. Callypso may, but is not required to, provide advance notice to Customer of any such suspension based on the nature of the circumstances giving rise to the suspension. Callypso will use reasonable efforts to re- establish the affected Services promptly after Callypso determines that the situation giving rise to the suspension has been cured. Callypso may terminate access to the Services if any of the foregoing causes of suspension are not cured within 30 days after Callypso’s initial notice thereof. Any suspension or termination by Callypso under this Section 2.6 will not excuse Customer from its obligation to make payment(s) under the Agreement. Any suspension under this Section will remain in effect until the applicable breach, if curable, is cured.

    2.7 No Unauthorized Warranties. Callypso’s warranty obligations to Customer and Authorized Users are limited to those specified in these Terms. Customer will not make or extend on behalf of Callypso any written or oral warranty with respect to the Services.

Section 3         Eligibility; Registration; Data Practices; Callypso Responsibilities

    3.1 Eligibility. Customer represents and warrants that it and all Authorized Users are not: (a) a resident of any country subject to a United States embargo or other similar United States export restrictions; (b) on the United States Treasury Department’s list of Specifically Designated Nationals; (c) on the United States Department of Commerce’s Denied Persons List or Entity List; or (d) on any other United States export control list.

    3.2 Registration. Customer and, if applicable, each Authorized User, will need to register for an Account with Callypso. Each Authorized User Account may only be used by one person. Customer and, if applicable, each Authorized User that is invited to register for an Account will: (a) provide accurate, current and complete information when creating an Account; (b) maintain and promptly update all Account information; (c) do not share passwords with others and restrict access to the Account and their computer or mobile device; (d) promptly notify Callypso if Customer or any Authorized User discovers or otherwise suspects any security breaches related to Customer’s or such Authorized User’s Account; and (e) accept responsibility for all Unauthorized Use and activities that occur under Customer’s or such Authorized User’s Account..

    3.3 Violations. Customer is responsible for all activity that occurs under its and Authorized Users’ Accounts, its and Authorized Users’ compliance with the Agreement and any use, misuse or Unauthorized Use (including by third parties) of Accounts, and Callypso reserves the right to terminate the Account of Customer or any Authorized User for any such Unauthorized Use. The acts or omissions of any Authorized User or third party under Customer’s Account (including any Authorized User’s Account) are considered the Customer’s acts or omissions, as applicable.

Section 4         Performance of Services

    4.1 Performance. Callypso will use commercially reasonable efforts to provide to Customer the Services that are described in each Order agreed upon by the Parties during the Services Term.

    4.2 Changes. Either Party may propose changes in the Services to be performed under the Agreement. If any agreed-upon change in the Services or levels of Services causes an increase or decrease in the time required for the performance of any Services or in Callypso’s costs to perform any Services, then the schedules for performance of such Services and the compensation payable to Callypso will be equitably adjusted. If the Parties agree upon any such change and related adjustments, the Parties will prepare, agree upon and sign an amendment to the applicable Order or other written instrument evidencing such agreement.

Section 5         Fees, Payments and Taxes

    5.1 Fees. Customer will pay the fees for the Services set forth on an Order (collectively, the “Fees”).

    5.2 Invoiced Payment.

    (a) Invoicing schedule. The invoicing schedule varies based on the type of Service to which Customer is signing up, and is set forth in the applicable Order.

    (b) Payment terms. Unless otherwise set forth in an Order, Customer will pay invoiced Fees not otherwise subject to good faith dispute at the address or account for Callypso set forth on the applicable invoice within 30 days of Customer’s receipt of the corresponding invoice. If Customer fails to make any such payment when due, without limiting Callypso’s other rights and remedies: (i) Callypso may charge interest on the past due amount (not otherwise subject to good faith dispute) at the rate of 1% per month calculated daily and compounded monthly or, if lower, the highest rate permitted under applicable law; (ii) Customer will reimburse Callypso for all reasonable costs incurred by Callypso in collecting any late payments or interest, including attorneys’ fees, court costs, and collection agency fees; and (iii) if such failure continues for 30 days or more, Callypso may suspend Customer’s and its Authorized Users’ access to any portion or all of the Services until such amounts are paid in full.

    (c) Claims. If Customer believes that Callypso has invoiced Customer incorrectly, Customer must contact Callypso no later than 60 days after the date of the invoice in which the claimed error or problem appeared, in order to receive an adjustment or credit, if any. Inquiries should be directed to michael@callypso.co.

    5.3 Pricing and Availability. All prices are shown in U.S. dollars and applicable taxes and other charges, if any, are additional. Callypso reserves the right to change the Fees or applicable charges and to institute new charges and Fees upon 30 days’ prior notice to Customer (which may be sent by email).

    5.4 Taxes. Customer is responsible for any sales, duty or other governmental taxes or fees due with respect to the Services. Callypso will collect, and Customer will pay, applicable sales tax if Callypso determines that it has a duty to collect sales tax.

Section 6         Services Term and Termination

    6.1 Term. The term of the Agreement will commence on the Effective Date and will continue for the subscription term set forth in the applicable Order together with the renewal terms (if any) set forth in Section 2.2, unless and until terminated pursuant to the Agreement (the “Services Term”).

    6.2 Termination. Customer may terminate its access to a Service upon at least 30 days’ notice to Callypso by contacting Callypso at michael@callypso.co and specifying the Service it desires to terminate and its desired termination date within such 30 day period. Customer will be responsible for all charges (including any applicable taxes and other charges) incurred with respect to Fees processed prior to the effective date of Customer’s termination. Customer will not receive a refund for any partial or renewal periods of service, as applicable, that occur during the 30-day notice period.

    6.3 Termination for Material Breach. Either Party may terminate the Agreement, effective on written notice to the other Party, if the other Party materially breaches the Agreement, and such breach: (a) is incapable of cure; or (b) being capable of cure, remains uncured 30 days after the non-breaching Party provides the breaching Party with written notice of such breach.

    6.4 Updates. These Terms are operational in nature and may be modified at any time by Callypso. Callypso will take appropriate measures to inform Customer of modifications and will provide Customer the right and a 30- day window of time from the date of Callypso’s notice of such modifications to review any proposed change, discuss it with Callypso, and terminate the Customer relationship without penalty if all parties cannot abide by the revisions. Once such 30-day period has expired, unless otherwise terminated, the modified Terms will apply to Customer’s use of and access to the Services.

    6.5 Effect of Termination. In the event of any termination of the Services Term:

    (a) all of Customer’s and each Authorized User’s rights under the Agreement will immediately terminate (including the rights granted in Section 2.1) and Customer and all Authorized Users will immediately cease any access or use of the Services.

    (b) if Callypso terminates the Agreement for material breach by Customer under Section 6.3, then Customer will remain responsible for the remaining balance of the Fees in Customer’s Order and Customer must pay within 30 days all such amounts, as well as all sums remaining unpaid for other Orders under the Agreement plus related taxes and expenses; and

    (c) Sections 1, 2.4, 3.3, 5, 6.5, 7, 8, 9.3 and 10 through 12 of these Terms, together with any other provisions that by their nature are intended to survive, will continue to apply in accordance with their terms.

If Customer terminates the Agreement for material breach by Callypso under Section 6.3, then Callypso will refund to Customer within 30 days of the effective date of termination any unused pre-paid Fees on a pro rata basis for the remaining Services Term.

Section 7         Indemnification

    7.1 By Customer. Customer will defend, indemnify, and hold harmless the Callypso Parties from and against all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to any third party or Authorized User claim concerning: (a) Customer’s or Authorized Users’ Unauthorized Use of the Services, including any use of the Services other than as permitted under the Agreement; (b) any Customer Data or other data or content related to Customer or Authorized Users which Customer provides, uploads, or inputs into the Services; or (c) the combination of the Customer Data with other applications, content or processes. If Callypso is obligated to respond to a third-party subpoena or other compulsory legal order or process described above, Customer will also reimburse Callypso for reasonable attorneys’ fees, as well as the time and materials spent by Callypso’s employees and contractors responding to the third party subpoena or other compulsory legal order or process at Callypso’s then-current hourly rates.

    7.2 By Callypso. Callypso will defend, indemnify, and hold harmless Customer from and against all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to any third party claim that alleges that Callypso has suffered a security breach as a result of its failure to meet its security obligations under the Agreement and such breach resulted in a loss of sensitive, confidential, or personally identifiable Customer Data. Callypso’s indemnity obligations under this Section 7.2 do not apply to any claim resulting from: (a) Customer’s use of a Beta Release; (b) Customer or any Authorized User acts or omissions; (c) use not in accordance with the Agreement; (d) modifications, damage, misuse or other action of Customer or any third party; or (e) any failure of Customer to comply with the Agreement.

    7.3 Procedure. For any claims under this Section 7, the indemnifying party will: (a) give the indemnified party prompt written notice of the claim; (b) provide such assistance in connection with the defense and settlement of the claim as the indemnified party may reasonably request; (c) obtain the indemnified party’s written consent prior to (i) selecting and retaining counsel to defend against any claim under this Section 7 and (ii) agreeing to any settlement; and (d) comply with any settlement or court order made in connection with the claim.

Section 8         Ownership; Use of Customer Data

    8.1 The Services. As between Callypso and Customer, Callypso owns all right, title, and interest in and to the Services, together with all Intellectual Property Rights therein or thereto. Except as otherwise specified in Section 2.1 and 6.5(a), Customer does not obtain any rights under the Agreement from Callypso to the Services, including any related Intellectual Property Rights.

    8.2 Feedback. Customer and Authorized Users may voluntarily provide Callypso with Feedback and may make designees available to Callypso on a reasonable basis for this purpose. Customer will not, and will ensure such designees do not, provide any such Feedback to any third party without Callypso’s prior written consent in each instance. Callypso will own, and Customer and such Customer designees hereby assign, all exclusive rights, including, without limitation, all Intellectual Property Rights, in and to Feedback and Callypso will be entitled to the unrestricted use and dissemination of Feedback for any purpose without acknowledgment or compensation to Customer or any such designees.

    8.3 Trademarks. As between Callypso and Customer, Callypso owns all right, title and interest in and to the Callypso Marks and any goodwill arising out of the use of the Callypso Marks will remain with and belong to Callypso and its licensors. The Callypso Marks may not be copied, imitated or used without the prior written consent of Callypso or the applicable trademark holder.

    8.4 Privacy. To the extent Callypso collects, processes, or stores Customer Data which is Personal Data (defined in Attachment 1) on behalf of Customer both parties will comply with the Data Processing Addendum attached hereto as Attachment 1

Section 9         Limited Warranties and Remedies

    9.1 Warranties. Callypso represents and warrants that:

    (a) it will provide the Services with commercially reasonable care and skill and in material compliance with applicable laws, and each of the personnel furnished to perform Services hereunder will have the proper skill and training so as to be able to perform Services to which he/she is assigned in the above referenced manner, and that Callypso has sufficient number of personnel to provide all Services contemplated;

    (b) it is a corporation validly organized and in good standing under the laws of the State of Delaware;

    (c) Callypso is the exclusive owner of the Callypso Platform, or otherwise has the right to provide access to the same to Customer;

    (d) there exists no agreement or restriction that would interfere with or prevent Callypso from entering into the Agreement or rendering Services described herein; and

    (e) the Services are regularly scanned for viruses, worms, Trojan horses or similar software, hardware, system, or combinations thereof with the potential to corrupt, interfere, or otherwise affect access to the Services.

    9.2 Remedy. Callypso’s sole obligation with respect to a breach of the warranties in Section 9.1 will be to use commercially reasonable efforts to correct any nonconformance of the Services.

    9.3 DISCLAIMER. EXCEPT AS SET FORTH IN SECTION 9.1: (A) TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICES ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, AND CALLYPSO HEREBY DISCLAIMS, AND CUSTOMER HEREBY WAIVES AND RELEASES CALLYPSO FROM, ALL OTHER WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE REGARDING THE SERVICES OR RESULTS OF THE SERVICES INCLUDING ANY WARRANTY THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR FREE OR FREE OF HARMFUL COMPONENTS, OR THAT ANY MATERIALS OR CUSTOMER DATA PROVIDED BY CUSTOMER OR A THIRD PARTY WILL BE SECURE OR NOT OTHERWISE LOST OR DAMAGED; AND (B) EXCEPT TO THE EXTENT PROHIBITED BY LAW, CALLYPSO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT AND ANY WARRANTIES ARISING OUT OF ANY COURSE OF DEALING OR USAGE OR TRADE PRACTICE. THIS SECTION DOES NOT APPLY TO BETA RELEASES, FOR WHICH A SEPARATE DISCLAIMER IS SET FORTH IN SECTION 2.3.

Section 10         Limitations of Liability

    10.1 Force Majeure. Neither Party will be liable for, or be considered to be in, breach of or default under the Agreement on account of, any delay or failure to perform as required by the Agreement as a result of any cause or condition beyond such Party’s reasonable control (including, without limitation, any act or failure to act by the other Party). This paragraph will not apply to any payment obligation of either Party.

    10.2 Limitation of Liability. IN NO EVENT WILL ANY OF THE CALLYPSO PARTIES BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY OTHER DAMAGES OF ANY KIND, INCLUDING BUT NOT LIMITED TO LOSS OF USE, LOSS OF PROFITS OR LOSS OF DATA, WHETHER IN AN ACTION IN CONTRACT, TORT (INCLUDING BUT NOT LIMITED TO NEGLIGENCE) OR OTHERWISE, ARISING OUT OF OR IN ANY WAY CONNECTED WITH (A) THE USE OF OR INABILITY TO USE THE SERVICES, INCLUDING THE INFORMATION, CONTENT AND MATERIALS CONTAINED THEREIN, OR (B) THE PERFORMANCE OF SERVICES. IN NO EVENT WILL THE AGGREGATE LIABILITY OF ANY OF THE CALLYPSO PARTIES, WHETHER IN CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE, WHETHER ACTIVE, PASSIVE OR IMPUTED), PRODUCT LIABILITY, STRICT LIABILITY OR OTHER THEORY, ARISING OUT OF OR RELATING TO THE AGREEMENT EXCEED THE COMPENSATION PAID BY CUSTOMER, IF ANY, TO CALLYPSO IN THE 12 MONTHS PRIOR TO THE DATE OF THE EVENT GIVING RISE TO LIABILITY. THIS SECTION DOES NOT APPLY TO BETA RELEASES, FOR WHICH A SEPARATE LIMITATION IS SET FORTH IN SECTION 2.3.

Section 11         Confidential Information

    Each Party reserves any and all right, title and interest (including any Intellectual Property Rights) that it may have in or to any Confidential Information that it may disclose to the other Party under the Agreement. The Recipient will protect Confidential Information of the Discloser against any unauthorized use or disclosure to the same extent that the Recipient protects its own Confidential Information of a similar nature against unauthorized use or disclosure, but in no event will use less than a reasonable standard of care to protect such Confidential Information. The Recipient will use any Confidential Information of the Discloser solely for the purposes for which it is provided by the Discloser. This Section 11 will not be interpreted or construed to prohibit any use or disclosure of information: (a) that was known to Recipient prior to receiving the same from the Discloser in connection with the Agreement; (b) that is independently developed by the Recipient; (c) that is acquired by the Recipient from another source without restriction as to use or disclosure; (d) that is necessary or appropriate in connection with the Recipient’s performance of its obligations or exercise of its rights under the Agreement; (e) that is required by applicable law (e.g., pursuant to applicable securities laws or legal process), provided that the Recipient uses reasonable efforts to give the Discloser reasonable advance notice thereof (e.g., so as to afford the Discloser an opportunity to intervene and seek an order or other appropriate relief for the protection of its Confidential Information from any unauthorized use or disclosure); or (f) that is made with the written consent of the Discloser. In the event of any breach or threatened breach by the Recipient of its obligations under this paragraph, the Discloser will be entitled to injunctive and other equitable relief to enforce such obligations.

    Upon expiration of the Services Term or termination of the Agreement for any reason, the Recipient will, upon request of the Discloser, return to the Discloser, or destroy (with written certification of the same), all copies of the Discloser’s Confidential Information, except for archival and back-up copies on back-up tapes and if, and to the extent, the receiving party is required to retain such material under applicable laws or regulations.

Section 12         Miscellaneous

    12.1 Independent Contractors. Each Party is an independent contractor and not a partner or agent of the other. The Agreement will not be interpreted or construed as creating or evidencing any partnership or agency between the Parties or as imposing any partnership or agency obligations or liability upon either Party. Further, neither Party is authorized to, and will not, enter into or incur any agreement, contract, commitment, obligation or liability in the name of or otherwise on behalf of the other Party.

    12.2 Reference Program. Customer grants Callypso the right to use its name, logo, and a description of its use case to refer to it on Callypso’s website, earnings release and calls, marketing or promotional materials, subject to Customer’s standard trademark usage guidelines that Customer provides to Callypso from time-to-time. Customer may opt out of the foregoing right upon 30 days’ written notice to Callypso. Customer may voluntarily consult with Callypso and work in good faith to agree on quotes and statements about Customer’s experience with the Services. If Customer or an Authorized User volunteers such quotes or statements, Callypso may, at its option, use such quotes and statements in connection with its sales and marketing activities.

    12.3 No Third-Party Beneficiaries. The Agreement does not create any third-party beneficiary rights in any individual or entity that is not a Party to the Agreement.

    12.4 Assignment. Neither Party may assign the Agreement or any right, interest or benefit under the Agreement without prior written consent of the other Party; provided that either party may assign the Agreement or any right, interest or benefit under the Agreement without such prior written consent to an entity that acquires all or substantially all of the business or assets of such party to which the Agreement pertains, whether by merger, reorganization, acquisition, sale or otherwise. Any attempted assignment in violation of the foregoing will be void. Subject to the foregoing, the Agreement will be fully binding upon, inure to the benefit of and be enforceable by any permitted assignee.

    12.5 Nonwaiver. The failure of either Party to insist upon or enforce performance by the other Party of any provision of the Agreement, or to exercise any right or remedy under the Agreement or otherwise by law, will not be construed as a waiver or relinquishment of such Party’s right to assert or rely upon the provision, right, or remedy in that or any other instance; rather the provision, right or remedy will be and remain in full force and effect.

    12.6 Severability. If any provision of the Agreement is deemed unlawful, void or for any reason unenforceable, then that provision will be deemed severable from the Agreement and will not affect the validity and enforceability of any remaining provisions.

    12.7 Applicable Law. The Agreement will be interpreted, construed and enforced in all respects in accordance with the laws of the State of Oregon without reference to its choice of law principles to the contrary. The 1980 UN Convention on Contracts for the International Sale of Goods or its successor will not apply to the Agreement. Subject to Section 12.6, Customer hereby consents to the jurisdiction and venue of the state and federal courts located in Jackson County, Oregon with respect to any claim arising under or by reason of the Agreement.

    12.8 Entire Agreement. The Agreement, together with any agreement, Order, or other policy or guideline referenced in the Agreement or these Terms, constitutes the complete and exclusive statement of all mutual understandings between the Parties with respect to the subject matter hereof, superseding all prior or contemporaneous proposals, communications and understandings, oral or written. In the event of any inconsistency between the contents of the Agreement and any other documents or terms that form part of the Agreement, the following order of precedence governs: (a) first, the Order; (b) second, the Data Processing Addendum; (c) third, these Terms; and (d) any other documents incorporated by reference into these Terms.

    12.9 US Government Rights. Each of the software components that constitute the Services and the Documentation is a “commercial item” as that term is defined at 48 C.F.R. § 2.101, consisting of “commercial computer software” and “commercial computer software documentation” as such terms are used in 48 C.F.R. § 12.212. Accordingly, if Customer is an agency of the US Government or any contractor therefor, Customer receives only those rights with respect to the Services and Documentation as are granted to all other end users, in accordance with (a) 48 C.F.R. § 227.7201 through 48 C.F.R. § 227.7204, with respect to the Department of Defense and their contractors, or (b) 48 C.F.R. § 12.212, with respect to all other US Government customers and their contractors.

Attachment 1

CALLYPSO INC.

Data Processing Addendum

This Data Processing Addendum (“DPA”) is entered into by and between Callypso Inc. (“Company”) and Customer. This DPA amends and forms part of the Services Terms and Conditions or other written agreement between Company and Customer that incorporates this DPA by reference (“Agreement”. This DPA applies where Company Processes Customer Personal Data as a Processor on behalf of Customer, the Controller, in connection with providing the Services. This DPA will be effective as of the effective date of the Agreement. This DPA will terminate automatically upon termination of the Agreement or as earlier terminated pursuant to the terms of this DPA.

1. DATA PROCESSING AND PROTECTION

    1.1. Limitations on Use. Company will Process Customer Personal Data only: (a) in a manner consistent with Customer’s documented instructions as specified under Section 1.2 (Instructions), including with regard to transfers of Customer Personal Data to a third country; and (b) as required by applicable laws, provided that Company will inform Customer (unless prohibited by law) of the applicable legal requirement before Processing pursuant to such law. Without limiting the instructions under Section 1.2, Company will not: (x) retain, use, or disclose the Customer Personal Data (i) outside of the direct business relationship between the parties or (ii) for any purpose other than for the specific purpose of performing the Services, including retaining, using, or disclosing the Customer Personal Data for a commercial purpose other than providing the Services; (y) sell or share (as defined by Data Protection Law) the Customer Personal Data; or (z) combine Customer Personal Data with Personal Data Company receives from individuals or other customers, except as permitted by Data Protection Law.

    1.2. Instructions. Customer instructs Company to Process Customer Personal Data as necessary to provide the Services and as otherwise authorized or permitted under this DPA and the Agreement, including as specified in Attachment 2 (Scope of Processing). This DPA, the Agreement, and any instructions provided by Customer through configuration tools made available by Company constitute Customer’s documented instructions regarding Company’s Processing of Customer Personal Data. Additional instructions provided by Customer (if any) require prior written agreement by Customer and Company, including agreement on any additional fees to carry out such instructions. Customer will not instruct Company to perform any Processing of Customer Personal Data that violates any Data Protection Law. Company may suspend Processing based upon any Customer instructions that Company reasonably suspects violate Data Protection Law, provided Company will promptly inform Customer if, in Company’s opinion, an instruction infringes Data Protection Law.

    1.3. Compliance. Each party will comply with its obligations under Data Protection Law. Company shall notify Customer within 5 business days of determining that it cannot meet its obligations under Data Protection Law. Upon receiving written notice from Customer that Company has Processed Customer Personal Data without authorization, Company will take reasonable and appropriate steps to stop and remediate such Processing.

    1.4 Confidentiality. Company will ensure that persons authorized by Company to Process any Customer Personal Data are subject to appropriate confidentiality obligations.

    1.5 Security. Company will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against Security Incidents and provide the level of protection required by Data Protection Law in accordance with Attachment 3 (Data Security Exhibit). Company may amend the technical and organizational measures, provided the new measures do not reduce the level of security provided by Attachment 3 (Data Security Exhibit).

    1.6 Disposal. At the choice of Customer, Company will (or will enable Customer via the Services to) delete (and will delete existing copies of) all Customer Personal Data after the end of the provision of Services (unless Data Protection Law requires the storage of such Customer Personal Data by Company, in which case Company will only further retain and Process such Customer Personal Data for the limited duration and purposes required by such Data Protection Law). The certification of deletion contemplated by Section 8.5 of the SCCs shall be provided on Customers’ written request.

    1.7. Deidentified Data. Customer authorizes Company to Process Deidentified Data to improve the Services. Company will (a) take reasonable measures to ensure the Deidentified Data cannot be associated with a Data Subject and (b) publicly commit to maintain and use Deidentified Data in deidentified form and not attempt to reidentify Deidentified Data except to assess the sufficiency of the deidentification process.

2. DATA PROCESSING ASSISTANCE

    2.1 Data Subject Rights Assistance. Customer shall be responsible for responding to requests from Data Subjects to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure, data portability, object to the Processing, the right not to be subject to an automated individual decision making, the right to opt out of sales, sharing/targeted advertising, or the processing of sensitive Personal Data, or other Data Subject rights under Data Protection Law relating to Customer Personal Data (each a “Data Subject Request”). Customer will inform Company of any Data Subject request that Company must comply with and provide the information necessary for Company to comply with the request. Company will, to the extent permitted by Data Protection Law, notify Customer without undue delay if Company receives a Data Subject Request. To the extent Customer, in its use of the Services, does not have the ability to address the Data Subject Request, Company will, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent the response to such Data Subject Request is required under Data Protection Law.

    2.2. Security Assistance. Taking into account the nature of Processing and the information available to Company, Company will provide commercially reasonable efforts to assist Customer in Customer’s efforts to comply with Customer’s obligations to secure Customer Personal Data by providing the information and assistance described in Section 4 (Audits).

    2.3. Security Incident Notice and Assistance. Company will notify Customer without undue delay after becoming aware of a Security Incident. Company will further take commercially reasonable steps to mitigate the effects and minimize any impact from the Security Incident. Taking into account the nature of Processing and the information available to Company, Company will assist Customer in ensuring compliance with Customer’s notification obligations imposed under Data Protection Law in connection with any Security Incident.

    2.4. Data Processing Impact Assessment (“DPIA”) and Prior Consultation Assistance. Taking into account the nature of Processing and the information available to Company, Company will provide commercially reasonable efforts to assist Customer in ensuring compliance with the obligations related to DPIAs and consulting with regulatory authorities.

3. AUDITS

    3.1. General Assistance. Subject to Section 3.3 (Customer Audits), Company will make available to Customer information necessary to demonstrate compliance with its obligations in this DPA. Any such information or results of audits will be deemed the confidential information of Company under the Agreement.

    3.2. Company Reports. Company may procure summaries of independent audits by third parties to assess Company’s adherence to the following standards or requirements: (a) SOC 2 Type II (or reports or other documentation describing the controls implemented by Company that replace or are substantially equivalent to SOC 2 Type II); (b) ISO 27001 (or certifications or other documentation evidencing compliance with such alternative standards as are substantially equivalent to ISO 27001); and/or (c) PCI DSS Service Provider Level 1 (or certifications or other documentation evidencing compliance with such alternative standards as are substantially equivalent to PCI DSS) (collectively, “Reports”). Subject to the confidentiality obligations set forth in the Agreement, Company will provide Customer with a copy of Company’s then-current Reports as reasonably requested. If the Agreement does not include a provision protecting Company’s confidential information, then the Reports will be made available to Customer subject to a mutually agreed upon non-disclosure agreement covering the Reports.

    3.3. Customer Audits. Customer agrees to exercise its audit rights by first requesting the Reports as described in Section 3.2 (Company Reports). Customer will only request additional information or an on-site audit of Company to the extent the information provided by Company is not reasonably sufficient to enable Customer to evaluate Company’s compliance with this DPA and/or Data Protection Law. Except in the event of a Security Incident or regulatory investigation, Customer will provide no less than 30 days' advance notice of its request for an on-site audit and will cooperate in good faith with Company to schedule any such audit on a mutually agreed upon date and time (such agreement not to be unreasonably withheld by either party). Any such on-site audit must occur during Company’s normal business hours and be conducted by Customer or a nationally recognized independent auditor. If Customer relies on a third-party auditor, Customer will be responsible for ensuring that the auditor will: (a) comply with reasonable and applicable on-site policies and procedures provided by Company, (b) sign a standard confidentiality agreement with Company, and (c) not unreasonably interfere with Company’s business activities. Customer will provide a written summary of any audit findings to Company, and the results of the audit will be the confidential information of Company.

4. SUBPROCESSORS

    4.1. Appointment of Subprocessors. Customer authorizes Company to use subcontractors to Process Customer Personal Data in connection with providing the Services (each, a “Subprocessor”). Customer specifically consents to Company’s appointment of the Subprocessors identified on Attachment 4 (the “Subprocessor List”).

    4.2. Objection Right for New Subprocessors.

        4.2.1. Company will notify Customer of its intent to update the Subprocessor List at least 15 days prior to engaging a new Subprocessor. Customer may object to Company’s use of a new Subprocessor within 10 days of receiving such notice by sending an e-mail to michael@callypso.co clearly indicating its desire to object to any such change.

        4.2.2. If Customer objects to the change in Subprocessors, Company and Customer will cooperate in good faith to resolve Customer’s objection. If the parties unable to resolve Customer’s objection within 10 days, then either party may terminate the Agreement only with respect to those Services that Company indicates cannot be provided without the objected-to Subprocessor.

    4.3. Liability. Company will impose data protection obligations upon any Subprocessor that are no less protective of Customer Personal Data than those included in this DPA. Company will remain liable to Customer for any breach of such obligations by its Subprocessors as it would for its own acts and omissions.

5. DATA TRANSFERS

    5.1. Overview. The transfer of EEA, UK, and Swiss residents’ Customer Personal Data to a country not subject to an adequacy decision (a “Data Transfer”) will be subject to the SCCs, which are incorporated by this reference. If an alternative transfer mechanism for legitimizing Data Transfers (an “Alternative Mechanism”) becomes available during the term of this DPA, and Company notifies Customer that Data Transfers can be conducted in compliance with Data Protection Law pursuant to the Alternative Mechanism, the parties will rely on the Alternative Mechanism to legitimize Data Transfers instead of the provisions that follow.

    5.2. SCCs. The parties agree to comply with the general clauses and with Module 2 (Controller to Processor) of the SCCs (which are deemed executed as of the effective date of this DPA) with Customer as the “data exporter” and Company as the “data importer.”

    5.3. Transfers Subject to Swiss Data Protection Law. If any Customer Personal Data subject to the Swiss Federal Act on Data Protection of 19 June 1992 (the “FADP”) is subject to a Data Transfer, the parties will conduct such transfer pursuant to the SCCs with the following modifications: the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner insofar as the data transfer is governed by the FADP; references to a “Member State” and “EU Member State” will not be read to prevent data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland); and references to “GDPR” in the SCCs will be understood as references to the FADP.

    5.4. Transfers Subject to the UK GDPR. Any Customer Personal Data that is subject to the UK GDPR and a Data Transfer will be subject to the UK IDTA, which is incorporated by this reference. The information needed to complete the Tables to the UK IDTA is provided in the Attachments to this DPA.

6. LIMITATION OF LIABILITY

Each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability in the Agreement. Nothing in this Section 6 is intended to restrict the rights of data subjects under Data Protection Law.

7. MISCELLANEOUS

To the extent there is any conflict between the terms of this DPA, on the one hand, and the applicable SCCs or UK IDTA, on the other hand, the SCCs or UK IDTA, as appropriate, will control. Except as specifically amended and modified by this DPA, the terms and provisions of the Agreement remain unchanged and in full force and effect. Except as expressly stated in the SCCs and the UK IDTA, the governing law clause and forum selection clause of the Agreement will apply to any disputes arising out of this DPA. No supplement, modification, or amendment of this DPA will be binding unless executed in writing by each party to this DPA.

Attachment 1: Definitions

    For purposes of this DPA, the following terms will have the meaning ascribed below:

“CCPA” means the California Consumer Privacy Act of 2018, including (a) as amended by the California Consumer Privacy Rights Act of 2020 or otherwise and (b) any regulations promulgated thereunder.

“Controller” means “controller” and “business” (and analogous variations of such terms) under Data Protection Law.

“Customer Personal Data” means Personal Data that Company Processes on behalf of Customer in connection with providing the Services as described in Attachment 2.

“Data Protection Law” means the GDPR, the UK GDPR, the FADP, the CCPA, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, and any other state, federal, or international data protection or privacy laws that apply to Company’s Processing of Customer Personal Data.

“Deidentified Data” means information that cannot reasonably be linked to or associated with Customer or any Data Subject.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal Data” means “personal data” and “personal information” (and analogous variations of such terms) under Data Protection Law.

“Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, extending further to such operation or operations under Data Protection Law.

“Processor” means “processor” and “service provider” (and analogous variations of such terms) under Data Protection Law.

“SCCs” means Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914, as may be replaced or superseded by the European Commission. The parties make the following choices for implementing the SCCs:

  •     In Clause 7, the optional docking clause will apply.
  •     The audits contemplated by Section 8.9 shall be conducted according to Section 3 of this DPA.
  •     In Clause 9, Option 2 will apply and the time period for notice of Subprocessor changes will be as set forth in Section 4.2.1 of this DPA.
  •     In Clause 11 the optional language will not apply to the SCCs or the UK IDTA.
  •     In Clause 15.1(a), given that Company lacks a direct relationship with Data Subjects, Company will notify Customer if it receives a government access request and Customer shall be solely responsible for notifying affected Data Subjects.
  •     In Clause 17, the SCCs shall be governed by the laws of Ireland.
  •     In Clause 18(b), the parties agree to resolve disputes arising from the SCCs in the courts of Ireland.
  •     The information needed to complete Annex I of the SCCs is included in Attachment 2 to this DPA.
  •     The information needed to complete Annex II of the SCCs is included in Attachment 3 to this DPA.
  •     The information needed to complete Annex III of the SCCs is included in Attachment 4 to this DPA.

“Security Incident” means “personal data breach” and “security incident” (and analogous variations of such terms) under Data Protection Law.

“Services” means the services provided by Company pursuant to the Agreement.

“UK GDPR” means the GDPR as incorporated into United Kingdom law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced).

“UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf. Neither party can terminate the UK IDTA pursuant to Table 4 and Section 19 thereof without the written consent of the other.

Attachment 2 - Scope of Processing

Data exporter

Customer

Data importer

Company

Subject-Matter and Duration of Processing

Company Processes Customer Personal Data if and when provided by Customer in the course of providing the Services in accordance with the Agreement and until the Agreement terminates or expires.

Nature and Purpose of Processing

Processing of Customer Personal Data in connection with and for the purpose of Company providing the Services to Customer pursuant to the Agreement. Specifically, the Customer Personal Data will, if and to the extent Customer provides it, be subject to storage and analysis, among other Processing activities.

Types of Customer Personal Data

Customer may submit Customer Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion. This may include, but is not limited to the following categories of data:

  • Direct identifying information (e.g., name, email address, telephone)
  • Indirect identifying information (e.g., gender, date of birth)
  • Device identification data and traffic data (e.g., IP addresses, MAC addresses, web logs)
  • Any other Personal Data supplied by users

Categories of Data Subjects

The data subjects will include Customer’s suppliers and end-users.

Special Categories of Data (as applicable)

The Services are not designed for special categories of Personal Data. Company does not anticipate that Customer will submit special categories to the Services. To the extent that such data is submitted to the Services, it is determined and controlled by Customer in its sole discretion.

Frequency of Transfers

Company will import Customer Personal Data on a continuous basis.

Period of Data Retention

Company will retain the Personal Data until the termination of the Agreement, unless otherwise agreed to by the parties.

Attachment 3 - Data Security Exhibit

Attachment 3 - Data Security Exhibit

1. Program. Company will implement and maintain a comprehensive written information security program, which contains administrative, technical, and organizational safeguards appropriate to the risks posed that comply with this Attachment 3 and that: (a) protect against any Security Incident; and (b) meet or exceed prevailing industry standards and requirements under Data Protection Law. As part of this program, Company will designate a qualified employee responsible for overseeing, implementing and enforcing its information security program.

2. Risk Assessments. Company will periodically conduct risk assessments that identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Personal Data that could result in a Security Incident and assesses the sufficiency of any safeguards in place to control those risks.

3. Access Controls. Company will implement and periodically review appropriate access controls, including by: (a) authenticating and permitting access only to authorized users; (b) abiding by the “principle of least privilege,” pursuant to which Company will permit access to Personal Data by its personnel solely on a need-to-know basis; (c) promptly terminating its personnel’s access to Personal Data when such access is no longer required for performance under the Agreement; and (d) being responsible for any Processing of Personal Data by its personnel.

4. Account Management. Company will effectively manage the creation, use, and deletion of all account credentials used to access the Company systems, including by implementing: (a) a segregated account with unique credentials for each user and multi-factor authentication; (b) strict management of administrative accounts; (c) password best practices, including the use of strong passwords and secure password storage; and (d) periodic audits of accounts and credentials.

5. Asset Management. Company will identify in writing and manage the data, personnel, devices, systems, and facilities that enable it to perform its Services and Process any Personal Data.

6. Change Management. Company will implement appropriate change management procedures, including to address appropriate methods for requesting, approving, validating, and logging changes to Company systems.

7. Vulnerability Management. Company will: (a) use automated vulnerability scanning tools to scan Company’s products; (b) log vulnerability scan reports; (c) conduct periodic reviews of vulnerability scan reports over time; (d) use patch management and software update tools for the Company systems; (e) prioritize and remediate vulnerabilities by severity; and (f) use compensating controls if no patch or remediation is immediately available.

8. Data Segmentation. Company will keep all Personal Data compartmentalized or otherwise logically distinct from, and in no way commingled with, other information of Company or its personnel, suppliers, customers, or other third parties.

9. Security Segmentation. Company will monitor, detect and restrict the flow of information on a multilayered basis within the Company systems using tools such as firewalls, proxies, and network-based intrusion detection systems.

10. Data Loss Prevention. Company will use data loss prevention measures to identify, monitor, and protect Personal Data in use, in transit and at rest.  Such data loss prevention processes and tools will include: (a) use of certificate-based security; and (b) secure key management policies and procedures.

11. Encryption. Company will encrypt, using industry standard encryption tools, all Personal Data that Company: (a) transmits or sends wirelessly across external networks or within the Company systems; (b) stores on laptops or storage media; and (c) stores on portable devices or otherwise within the Company System. Company will safeguard the security and confidentiality of all encryption keys associated with encrypted Personal Data.

12. Pseudonymization. Company will, where possible and consistent with the Services, use industry standard and appropriate pseudonymization techniques to protect Personal Data.

13. Secure Software Development. Company represents and warrants that any software used in connection with the Processing of Personal Data is or has been developed using secure software development practices, including by: (a) segregating development and production environments; (b) filtering out potentially malicious character sequences in user inputs; (c) using secure communication techniques, including encryption; (d) using sound memory management practices; (e) using web application firewalls to address common web application attacks such as cross-site scripting, SQL injection, and command injection; (f) implementing the OWASP Top Ten recommendations, as applicable; (g) patching of software; (h) testing object code and source code for common coding errors and vulnerabilities using code analysis tools; (i) testing of web applications for vulnerabilities using web application scanners; and (j) testing software for performance under denial of service and other resource exhaustion attacks.

14. Secure Deletion. Company will implement measures to securely destroy any Personal Data whenever deletion of Personal Data is required by this DPA.

15. Physical Safeguards. Company will maintain physical access controls that secure relevant Company systems used to Process any Personal Data, including an access control system that enables Company to monitor and control physical access to each Company facility.

16. Administrative Safeguards. Prior to providing access to Personal Data to any of its personnel, Company will: (a) ensure the reliability of such personnel, including by performing background screening (to the extent permitted by Data Protection Law); and (b) provide appropriate security training to such personnel to ensure such personnel comply with the obligations in this Attachment 3.  Company will periodically provide additional training to its personnel as appropriate to help ensure that Company’s information security program meets or exceeds prevailing industry standards.

Attachment 4 - Subprocessor List

Subprocessor NameServices PerformedCountries where Subprocessor will Process Customer Personal DataCross-Border Data Transfer Mechanism
DigitalOceanData infrastructureUnited StatesNone