Master Subscription Agreement Terms and Conditions

“Agreement” means this Software (SaaS) Master Subscription Agreement together with any Order Form and/or Proposal to which it is appended, and any Appendices executed by Identity Automation and the Customer or incorporated herein by reference.

“Anniversary Date” means each anniversary date of the Effective Date of this Agreement or related Appendix.

“Applicable Privacy Laws” means all applicable data protection legislation, regulations and rules related to data security, data integrity and the safeguarding of personal information and those data protection laws applicable to Identity Automation and Customer within the United States of America.

“Content” means: (i) information obtained or developed by Identity Automation related to the Service and provided to Customer, including all products specified and agreed upon pursuant to this Agreement; (ii) the Documentation, as defined within this Agreement; and (iii) Updates.

“Documentation” means, collectively, technical information and materials, in written or electronic form, delivered with the Service by Identity Automation to Customer and that are intended for use in connection with the Service.

“Effective Date” means the last date executed on an Order Form or Proposal.

“Fees” means the fees and charges specified in an Order Form and/or Proposal, including both recurring and one-time charges.

“GDPR” means EU General Data Protection Regulation 2016/679.

“Modification” means a change to the Service that changes the delivered source code or an enhancement to the Service that is made using Identity Automation tools, software or utilizing or incorporating Identity Automation Proprietary Information.

“Order Form” means any validly executed Order Form and/or Proposal between Identity Automation and the Customer.

“Proprietary Information” means confidential or proprietary information of a Party relating to that party’s business or operations and with respect to Customer includes Customer Data and details of Customer’s internal operating environment and, in the case of Identity Automation, includes the technology underlying the Service, the Software Documentation (including any complete or partial copies thereof), the Service Concepts, third-party databases, and any benchmark or survey results.

“Service” means (i) all products and services specified and agreed upon in this Agreement and Appendices hereto, to be delivered by Identity Automation to Customer hereunder, including the Content, but excluding any third-party database and third-party products.

“Service Concepts” means the concepts, techniques, ideas, and know-how embodied and expressed in any computer programs included in the Service, including their structure, sequence and organization.

“Customer Data” means any data, information or material provided or submitted by Customer or Users to the Service in the course of using the Service, together with any Customer output resulting from Customer’s usage of the Service. Customer Data is at all times owned by Customer.

“Term” has the meaning given in Section 7.1.

“Updates” means all upgrades, modified versions, or updates, to the Service whether provided to the Customer by Identity Automation through maintenance and support services or otherwise at any time.

“Use” means to directly or indirectly load, execute, access, employ, utilize, store, or display the Service.

“User(s)” means an individual (and any contractors of Customer for whom access is requested by Customer) who are authorized to Use the Service, for whom a subscription has been purchased, and have been supplied user identifications and passwords by Customer (or by Identity Automation at Customer’s request).

  2. LICENSE GRANT, SERVICE ACCESS & SERVICES

2.1 Subject to the terms and conditions of this Agreement (including the obligation to pay the Fees) Identity Automation hereby grants Customer a limited, non-exclusive, non-transferable, worldwide right to Use the Service during the Term, solely for Customer’s provision of identity and access management services to its end users, in accordance with the terms and conditions set forth in this Agreement. Customer’s use of the Service is limited to the number of Users for which Customer has paid the applicable fees. All rights not expressly granted to Customer are reserved by Identity Automation. 

2.2 The Service shall be made available to Customer after the environment has been configured by Identity Automation.

2.3 Identity Automation will provide certain services as set out in a mutually agreed estimate or statement of work incorporated by reference into this Agreement and which sets out the Customer’s project-specific activities, together with the associated deliverables, work effort, resources and costs. Expiration or termination of this Agreement shall result in the automatic termination of all estimates or statements of work then in effect. 

  3. RESTRICTIONS ON USE

3.1 Customer is responsible for all activity occurring under its user accounts to the Service and shall abide by all applicable local, state, national and foreign laws, treaties and regulations in connection with Use of the Service, including those related to Applicable Privacy Laws, international communications and the transmission of technical or personal data. 

3.2 Customer acknowledges that the Service and its structure, organization and source code constitute valuable trade secrets of Identity Automation. Accordingly, Customer agrees: 

(a) Not to modify, adapt, alter, translate, or create derivative works from the Service (except as expressly permitted by the Documentation); 

(b) Not to merge the Service with any other Service or software; or sublicense, lease, rent, loan, or otherwise transfer the Service to any third party; 

(c) To not reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code for the Service; 

(d) Not to provide services to third parties using the Service (e.g. business process outsourcing, Service Bureau applications or third-party training) or otherwise Use or copy the Service; 

(e) To notify Identity Automation immediately of any unauthorized Use of any password or account or any other known or suspected breach of security; 

(f) To report to Identity Automation immediately and use reasonable efforts to stop immediately any copying or distribution of Content that is known or suspected by Customer or Customer’s Users; 

(g) To not remove, alter, or obscure any proprietary notices (including copyright notices) of Identity Automation incorporated with the Service; and not provide false identity information to gain access to or Use the Service; 

(h) To not use the Service in any way that would subject the software product, in whole or in part, to a Copyleft License; 

3.3 Customer shall not license, sublicense, sell, resell, transfer, assign, distribute or otherwise commercially exploit or make available to (i) any third party the Service in any way; or (ii) “frame” or “mirror” any Content on any other server or wireless or Internet-based device; or (iii) reverse engineer or access the Service in order to: 

(a) build a competitive product or Service; 

(b) build a product using similar ideas, features, functions or graphics of the Service; or 

(c) copy any ideas, features, functions or graphics of the Service. 

3.4 User licenses cannot be shared or used by more than one individual User, but may be reassigned from time to time to new Users who are replacing former Users who have terminated employment, or otherwise changed job status or function and no longer Use the Service. 

3.5 In the event that Identity Automation determines that, at any time during the Term, Customer is using a quantity of named user licenses within the Service which exceeds the number of named user licenses specified within the Order Form, Identity Automation shall have the right to invoice Customer for any such excess usage. 

3.6 Customer may use the Service only for internal business purposes and shall not knowingly: (i) send spam or otherwise duplicative or unsolicited messages in violation of applicable laws; (ii) send or store infringing, obscene, threatening, libelous, or otherwise unlawful or tortious material, including material harmful to children or that violates any third party privacy rights; (iii) send or store material containing software viruses, worms, Trojan horses or other harmful computer code, files, scripts, agents or programs; (iv) interfere with or disrupt the integrity or performance of the Service or the data contained therein; or (v) attempt to gain unauthorized access to the Service or its related systems or networks. 

  4. IDENTITY AUTOMATION PROPRIETARY RIGHTS; CUSTOMER DATA SECURITY AND DATA BACKUPS.

4.1 Identity Automation alone shall own all right, title and interest, including all related intellectual property rights, in and to the Service (specifically excluding all Customer Data) and any suggestions, ideas, enhancement requests, feedback, recommendations or other information provided by Customer or any other Party relating to the Service. This Agreement is not a sale and does not convey to Customer any rights of ownership in or related to the Service or the intellectual property rights owned by Identity Automation. The Identity Automation name, logo, and product names associated with the Service are trademarks of Identity Automation or, and no right or license is granted to Use them. 

4.2 Identity Automation, in its discretion, reserves the right to supply an Update to the Service to Customer whenever a future Update provides improved functionality. Other than as specified herein, any software tools licensed with or included in the Service may not be copied, in whole or in part, without the express written consent of Identity Automation. 

4.3 Customer Data Backups. Identity Automation will maintain daily backups of all Customer Data for a period of six (6) months. Customer Data that is backed up can be recovered within four (4) hours of the next business day following the date of request. 

4.4 Loss of Data. In the event of any act, error or omission, negligence, misconduct, or breach that compromises or is suspected to compromise the security, confidentiality, or integrity of Customer Data or the physical, technical, administrative, or organizational safeguards put in place by Identity Automation that relate to the protection of the security, confidentiality, or integrity of Customer Data, Identity Automation shall, as applicable: (a) notify Customer as soon as practicable but no later than forty-eight (48) hours of becoming aware of such occurrence; and (b) reasonably cooperate with Customer in investigating the occurrence, including making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by Customer; (c) perform or take any other actions reasonably required to comply with applicable law as a result of the occurrence; (d) use commercially reasonable efforts to recreate lost Customer Data, wherever possible and without charge to Customer; and, (e) following receipt of a written request from Customer, provide to Customer a plan describing the measures Identity Automation will undertake to prevent a future occurrence. 

  5. CONFIDENTIALITY

5.1 During the Term and for a period of three (3) years thereafter, each Party shall keep confidential, shall not use for itself or the benefit of others, and shall not copy or allow to be copied, in whole or in part, any Proprietary Information other than as reasonably necessary to fulfill the terms of this Agreement or as permitted under the Applicable Privacy Laws. Neither Party shall, without the other Party’s prior written consent, disclose, provide, or make available any of the Proprietary Information of the other Party in any form to any person, except to its bona fide employees, officers, or directors whose access is necessary to enable such Party to exercise its rights hereunder. 

5.2 Each Party agrees to take all reasonable steps and the same protective precautions to protect the Proprietary Information of the other Party from disclosure to third parties as with its own proprietary and confidential information. 

5.3 The obligations of confidentiality imposed upon the parties by the foregoing paragraph shall not apply with respect to any alleged Proprietary Information which: 

(a) is known to the recipient thereof prior to receipt thereof from the other Party hereto; 

(b) is disclosed to said recipient by a third party who has the contractual right to make such disclosure; 

5.4 is or becomes a part of the public domain or public knowledge through no fault of said recipient; 

5.5 is independently developed by the recipient without reference to the disclosing Party’s Proprietary Information; or 

5.6 is required to be disclosed under operation of law, as long as the Party affected has the opportunity to apply to the applicable legal entity for a protective order. 

5.7 Each Party will use the same degree of care to protect the other’s Proprietary Information as it uses to protect its own Proprietary Information of like nature, but in no circumstances less than reasonable care. In accordance with the Applicable Privacy Laws, Identity Automation shall implement appropriate physical, organizational, and technological measures to ensure the security and confidentiality of all Customer Data in its possession from time to time, including, protecting against any anticipated threats or hazards to the security or integrity of the Customer Information, and protecting against unauthorized access to or use of the Customer Data that could result in substantial harm or inconvenience to the Customer. Each Party will take appropriate action to address incidents of unauthorized access to the other’s Proprietary Information, including promptly notifying the other of the unauthorized access. 

5.8 Upon the expiration or termination of the Agreement, or on completion of a Party’s obligations under the Agreement, each Party shall use its commercially reasonable best efforts to return, or destroy, or cause to be returned or destroyed, in a prompt manner, all materials in any medium that contain, refer or relate to the Proprietary Information of the other Party. 

  6. PAYMENT, TAXES AND RENEWALS.

6.1 Customer shall pay all fees or charges to Customer’s account in accordance with the Fees, charges, and billing terms set forth in the Order Form and/or Proposal hereto. Unpaid balances are subject to monthly interest at a rate equal to the lesser of: (a) two percent (2%) per month compounded monthly; or (b) the highest rate allowed by law, until paid in full. 

6.2 Customer is responsible for paying for all User licenses ordered for the entire Term, whether or not such User licenses are actively used. Customer may add additional named user licenses at any time by executing an additional written Order Form. 

6.3 Customer shall pay all applicable federal, state and municipal/county taxes on the Fees, including duties and tariffs, imposed upon this Agreement, the possession or use of the Service, and the Service provided hereunder. All Fees are exclusive of taxes. If applicable laws require the withholding of taxes under this Agreement, Identity Automation shall notify Customer, make the applicable withholding and remit the required tax to the appropriate government authority. Customer agrees to provide Identity Automation with complete and accurate billing and contact information. This information includes Customer’s legal name, street address, e-mail address, and name and telephone number of an authorized billing contact. Customer agrees to update this information and to notify Identity Automation of any change within thirty (30) days of any change of address. 

  7. TERM AND TERMINATION

7.1 Subscriptions shall start on the Effective Date and continue for an initial term of three (3) years (the “Initial Term”). At the end of the Initial Term, this Agreement and applicable subscriptions shall be automatically renewed for additional one (1) year terms (each a “Renewal”) subject to the current version of this Agreement then in effect. Collectively the Initial Term and any Renewals constitutes the “Term”. During the Initial Term or any Renewal Term, Identity Automation may increase the subscription fees for the Service up to 5% per year on each annual billing cycle. 

7.2 Either Party may elect to not renew this Agreement by giving at least ninety (90) days’ written notice to the other Party prior to the end of the then-current Term. 

7.3 Identity Automation may terminate this Agreement at any time (or, at its sole direction, choose to suspend both the Customer’s access to the Service, as well as to suspend the performance of all or part of its obligations under this Agreement without cost or penalty) prior to the expiration of the then-current Term if: 

(a) Customer defaults in any payment due to Identity Automation and such default continues unremedied for at least fifteen (15) business days after receipt by Customer of written notice thereof; 

(b) Customer is in default with respect to any other provision of this Agreement and such failure or default continues unremedied for at least thirty (30) days after receipt of written notice; or 

(c) The Customer has breached (and has failed to cure said breach) within thirty (30) calendar days following receipt of written notice from Identity Automation, any obligation related to Sections 2-5 or its obligations related to the protection of Identity Automation’s Proprietary Information as provided for here. In such instance, Identity Automation, in its sole discretion, may terminate Customer’s password, account or Use of the Service. Notwithstanding the foregoing, nothing in this Section 7.3(c) shall in any way limit the continued access rights that Customer shall have to retrieve its data, as provided for within Section 7.6 below.

7.4 The Customer may terminate this Agreement at any time prior to the expiration of the then-current Term if: 

(a) Identity Automation is in default with respect to any provision of this Agreement and such failure or default continues unremedied for at least thirty (30) days after receipt of written notice, Identity Automation has breached (and has failed to cure said breach within thirty (30) days after receipt of written notice), any obligation related to the protection of Customer’s Proprietary Information as provided for herein.

7.5 This Agreement terminates automatically, with no further action by either Party, if: 

(a) A receiver is appointed for either Party or its property; 

(b) Either Party makes an assignment for the benefit of its creditors; 

(c) Any proceedings are commenced by, for, or against either Party under any bankruptcy, insolvency, or debtor’s relief law for the purpose of seeking a reorganization of such Party’s debts, and such proceeding is not dismissed within 90 calendar days of its commencement; or 

(d) Either Party is liquidated or dissolved; 

7.6 Upon termination of this Agreement, Customer’s license to Use the Service shall be revoked and subject to the limited access rights described below, Customer shall immediately cease Use of the Service. Termination of this Agreement shall not relieve Customer from its obligations arising hereunder before termination, including but not limited to the responsibility for paying previously accrued Fees. Following any termination of this Agreement, Customer shall have seven (7) calendar days to access the Service solely to retrieve the Customer Data and after such 7-day period, Identity Automation will have no obligation to maintain or provide any Customer Data, and will thereafter delete or destroy all copies of Customer Data within the Service or otherwise within our possession or control, unless legally prohibited. 

7.7 Termination of this Agreement shall not relieve either Party from its obligations arising hereunder before termination relating to the other Party’s Proprietary Information. 

7.8 Customer agrees and acknowledges that Identity Automation has no obligation to retain the Customer Data, and may delete such Customer Data, if Customer has materially breached this Agreement, and such breach has not been cured within thirty (30) days of notice of such breach; however, and for avoidance of doubt, Customer shall, in the event of any termination, including termination for uncured breach, have the right to retrieve any and all Customer Data, as provided for within Section 7.6 above. 

  8. INDEMNIFICATION

8.1 Customer shall defend and hold Identity Automation, and, its parent organizations, subsidiaries, affiliates, officers, directors, employees, and agents (the “Identity Automation Indemnified Parties”) harmless from and against any and all third party claims, and shall indemnify the Identity Automation Indemnified Parties against any and all costs, damages, losses, liabilities and expenses (including attorneys’ fees and costs) agreed in a settlement by Customer or awarded by a court of competent jurisdiction to the third party claimant where the claim is arising out of or in connection with: (i) a third party claim alleging that use of the Customer Data infringes the rights of, or has caused harm to, a third party; (ii) a third party claim, which if true, would constitute a violation by Customer of Customer’s representations and warranties; provided in any such case that Identity Automation (a) gives written notice of the claim promptly to Customer; (b) gives Customer sole control of the defense and settlement of the claim (provided that Customer may not settle or defend any claim unless Customer unconditionally releases Identity Automation of all liability and such settlement does not affect Identity Automation’s business or Service); (c) provides to Customer all available information and assistance; and (d) has not compromised or settled such claim. 

8.2 Identity Automation shall defend and hold Customer, its officers, directors, employees, and agents (the “Customer Indemnified Parties”) harmless from and against any and all third party claims, and shall indemnify the Customer Indemnified Parties against any and all costs, damages, losses, liabilities and expenses (including attorneys’ fees and costs) agreed in a settlement by Identity Automation or awarded by a court of competent jurisdiction to the third party claimant where the claim is arising out of or in connection with: (i) a third party claim alleging that the Service infringes a United States copyright, any patent issued as of the Effective Date, or a trademark of a third party; (ii) a third party claim, which if true, would constitute a violation by Identity Automation of its representations or warranties; provided that Customer; (a) promptly gives written notice of the claim to Identity Automation; (b) give Identity Automation sole control of the defense and settlement of the claim (provided that Identity Automation may not settle or defend any claim unless it unconditionally releases Customer of all liability); (c) provides to Identity Automation all available information and assistance; and (d) have not compromised or settled such claim. Identity Automation shall have no indemnification obligation, and Customer shall indemnify Identity Automation pursuant to this Agreement, for claims arising from any infringement arising from the combination of the Service with any of Customer’s Customer Data, products, Service, and hardware or business process not intended by Identity Automation. 

8.3 Should the Service or any part thereof become or, in Identity Automation’s opinion, be likely to become, the subject of a claim of infringement, Identity Automation may, at its own expense and option, either: 

(a) procure for Customer the right to continue using such Service; or 

(b) replace the same with non-infringing components or modify the Service so that it becomes non-infringing. If neither of these options is commercially reasonable, Identity Automation may terminate this Agreement and require that use of the Service be terminated and, refund to Customer all pro-rated, prepaid Fees associated with the remaining unused portion of the then-current Term. Identity Automation shall have no obligation for any such claim based on Customer modification of the Service, its combination, operation, or use with equipment, data, or Service not approved by Identity Automation or as a result of any combination with or use of the Customer Data. This paragraph states Identity Automation’s entire obligation regarding infringement or the like, and the indemnification provisions of this Section 8 shall be the sole and exclusive right and remedy of each Party. 

  9. REPRESENTATIONS AND WARRANTIES

9.1 Identity Automation represents and warrants that: 

(a) it has title to the Service or has acquired the right to license portions of the Service from third parties and Identity Automation has full power and authority to grant to the Customer the rights granted hereunder; 

(b) it has not placed, nor is Identity Automation aware of, any disabling code or any viruses in the Service which would alter, destroy, or inhibit the Service, or its use by Customer; 

(c) to its knowledge, the Service does not infringe upon any United States copyright, registered patent, trademark, software mark or trade name owned by a United States third party; and 

9.2 Identity Automation personnel will exercise due care in the provision of any services. Customer represents, warrants to Identity Automation as follows: (i) Customer exists under the laws of its own jurisdiction and is not under any contractual obligation that would preclude it from entering into this Agreement or would interfere with the use of the Customer Data provided under this Agreement; (ii) Customer owns or has properly licensed all rights in the Customer Data at all times during the Term; (iii) the Customer Data is not, nor will be, in violation of any United States laws or third party intellectual property rights; (iv) all Customer Data and Customer’s use of the Service does and will comply with all applicable United States laws, including Applicable Privacy Laws; (v) no Customer Data entered into the Service by any Customer User will at any time consist of or contain any personally identifiable information that may be subject to GDPR; and (vi) neither this Agreement nor the performance of or exercise of rights under this Agreement will violate, conflict with, or result in the breach of any term, condition, or provision of any agreement or legal obligation (whether or not existing at the effective date) to which Customer is a party or by which it may be bound, or constitute a default thereunder. 

9.3 THE EXPRESS REPRESENTATIONS AND WARRANTIES SET FORTH IN THIS SECTION ARE LIMITED WARRANTIES AND ARE THE ONLY WARRANTIES MADE BY IDENTITY AUTOMATION WITH RESPECT TO THE SERVICE AND ANY PART THEREOF. IDENTITY AUTOMATION MAKES NO OTHER REPRESENTATIONS OR WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, AND EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES, INCLUDING WITHOUT LIMITATION, WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IDENTITY AUTOMATION DOES NOT REPRESENT OR WARRANT THAT THE SERVICE WILL OPERATE CONTINUOUSLY OR WILL BE UNINTERRUPTED OR ERROR-FREE, BUT DOES REPRESENT TO USE ITS COMMERCIALLY REASONABLE BEST EFFORTS TO CORRECT AND REMEDY ALL ERRORS, IN ACCORDANCE WITH APPENDIX A. IDENTITY AUTOMATION DOES NOT GUARANTEE ANY RESULTS FROM THE SERVICES AND ACCEPTS NO RESPONSIBILITY OR LIABILITY IN RESPECT OF RESULTS OF THE SERVICES.

  10. The representations and warranties set forth in Section 9.1 of this Agreement shall not apply if the Service is not used in accordance with the Documentation.

  11. LIMITATION OF LIABILITY

11.1 IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY LOSS OF PROFITS, LOSS OF BUSINESS OR GOODWILL, LOSS OF USE OR DATA, INTERRUPTION OF BUSINESS, OR FOR INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND, EVEN IF SUCH PARTY RECEIVED ADVANCE NOTICE OF THE POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM BY ANY THIRD PARTY (EXCEPT AND EXPRESSLY STATED HEREIN), WHETHER OR NOT ANY OF THE MATTERS AFORESAID ARISES IN CONTRACT OR TORT (INCLUDING NEGLIGENCE) OR MISREPRESENTATION OR BREACH OF STATUTORY DUTY OR ANY DUTY UNDER GENERAL LAW OR ANY OTHER LEGAL THEORY. 

11.2 IDENTITY AUTOMATION’S TOTAL AGGREGATE LIABILITY UNDER THIS AGREEMENT, REGARDLESS OF WHETHER THE CLAIM FOR SUCH DAMAGES IS BASED IN CONTRACT OR TORT (INCLUDING NEGLIGENCE) OR MISREPRESENTATION OR BREACH OF STATUTORY DUTY OR ANY DUTY UNDER GENERAL LAW OR ANY OTHER LEGAL THEORY, (EXCEPT FOR IDENTITY AUTOMATION’S DUTY TO INDEMNIFY AGAINST INFRINGEMENT AS PROVIDED IN SECTION 8.2) WILL NOT EXCEED THE SOFTWARE SUBSCRIPTION FEES PAID TO IDENTITY AUTOMATION IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM. 

  12. NOTICE

12.1 Identity Automation may give notice by means of a general notice on the Service; electronic mail to Customer’s e-mail address on record in Identity Automation’s account information, or by written communication sent by first class mail or pre-paid post to Customer’s address. Such notice shall be deemed to have been given upon the expiration of 48 hours after mailing or posting (if sent by first class mail or pre-paid post). Customer may give notice to Identity Automation (such notice shall be deemed given when received by Identity Automation) at any time by any of the following: letter delivered by nationally recognized overnight delivery service or first class postage prepaid mail to Identity Automation at the following addresses: 7102 N. Sam Houston Pkwy W, STE 300, Houston, TX 77064 addressed to the attention of: CFO

  13. DISPUTE RESOLUTION

13.1 Any controversy or claim arising out of or relating to this Agreement or involving any dispute regarding the interpretation or breach of this Agreement shall be resolved as follows: 

(a) Upon written request of either Party, both parties shall appoint a designated representative whose task it will be to meet for the purpose of resolving such dispute. 

(b) Formal proceedings for the resolution of a dispute may not be commenced until the earlier of: 

(i) The designated representatives concluding in good faith that amicable resolution through continued negotiations does not appear likely; 

(ii) The expiration of the 30-day period immediately following the initial request to negotiate the Dispute. 

13.2 In the event the parties are unable to resolve a dispute, a Party shall commence arbitration and each Party hereto agrees to be bound by the decision of the arbitrators. Judgment upon the award of the arbitrators may be entered in any court of competent jurisdiction. Arbitrations shall take place in the City of Dover in the State of Delaware and the language of the arbitration shall be in English. The costs of arbitration shall be awarded by the arbitrator based on the success of each Party of the arbitration. 

  14. GENERAL

14.1 Amendments. Identity Automation may amend this Agreement in writing. 

14.2 Assignment. This Agreement may not be assigned by Customer or by operation of law to any other person, persons, firms, or corporations without the express written approval of Identity Automation, which consent shall not unreasonably be withheld. 

14.3 Governing Law. This Agreement shall be governed by and construed in accordance with the substantive laws of the State of Texas and the federal laws of the United States of America applicable therein. This Agreement shall be governed without regard to conflict of laws provisions and without regard to the United Nations Convention on Contracts for the International Sale of Goods and shall exclude the application of the Uniform Computer Information Transactions Act. The parties attorn to the non-exclusive jurisdiction of the courts of Texas in respect of any disputes arising under this Agreement.

14.4 Force Majeure. Neither Party shall be responsible for delays or failure of performance resulting from acts beyond the reasonable control of such Party. Such acts shall include, but not be limited to, acts of God, strikes, walkouts, riots, acts of war, terrorism, epidemics, failure of suppliers to perform, governmental regulations, power failure, earthquake, or other disasters. If the anticipated or actual delay or non-performance exceeds thirty (30) calendar days, the other Party may immediately terminate the Agreement by giving notice of termination and such termination will be in addition to the other rights and remedies of the terminating Party under the Agreement, at law or in equity. 

14.5 No Harassment. Identity Automation Solutions is committed to providing a work environment for all of its employees in which all employees are treated with respect and dignity. Workplace Harassment will not be tolerated by Identity Automation Solutions by or toward any person in the workplace, regardless of whether it occurs at Identity Automation’s office(s) or at the Customer’s office(s). For the purposes of this Agreement, “Workplace Harassment” means engaging in a course of vexatious comment or conduct against a worker in a workplace that is known or ought reasonably to be known to be unwelcome, and includes without limitation Workplace Sexual Harassment. “Workplace Sexual Harassment” means: 

(a) engaging in a course of vexatious comment or conduct against a worker in a workplace because of sex, sexual orientation, gender identity or gender expression, where the course of comment or conduct is known or ought reasonably to be known to be unwelcome, or 

(b) making a sexual solicitation or advance where the person making the solicitation or advance is in a position to confer, grant or deny a benefit or advancement to the worker and the person knows or ought reasonably to know that the solicitation or advance is unwelcome. 

(c) Each Party hereby covenants and undertakes to ensure that no employee, contractor or agent is made subject to any Workplace Harassment by any person for which either Party is responsible or vicariously liable, either while present at Customer’s location, Identity Automation’s location, or otherwise. Without limiting any other obligation or right under law, in the event that any claim of Workplace Harassment (“Workplace Harassment Claim”) is alleged against either an Identity Automation employee, contractor or agent or a Customer employee, contractor or agent, the Parties agree to notify each other promptly, and the Parties will meet at a mutually agreed time to: a) discuss the allegations; and b) each use best efforts to agree to, and to implement, the appropriate corrective measures to be undertaken so as to eliminate any such further conduct. Any information provided about an incident or about a complaint will not be disclosed except as necessary to protect workers, to investigate the complaint or incident, to take corrective action or as otherwise required by law.

(d) Each Party expressly reserves the right to suspend the performance of all or part of its obligations under this Agreement without cost or penalty, and without refund, in the event that the Party who is subject to a Workplace Harassment Claim fails to take all steps reasonably required by the other Party in relation to such Workplace Harassment Claim, until such time as the Party who is subject to a Workplace Harassment Claim has complied with the required steps. 

14.6 Survival of Certain Provisions. The obligation to pay all accrued Fees, each Party’s proprietary rights, limitation of liability and the confidentiality obligations set forth in the Agreement shall survive the termination of the Agreement by either Party for any reason. 

14.7 Headings. The titles and headings of the various sections and paragraphs in this Agreement are intended solely for convenience of reference and are not intended for any other purpose whatsoever or to explain, modify, or place any construction on any of the provisions of this Agreement. 

14.8 Entire Agreement. This Agreement forms the entire agreement between the parties and supersedes all previous communications, oral or written, and all other communications between them relating to the subject matter hereof. No representations or statements of any kind made by either Party that are not expressly stated herein shall be binding on such Party. No provisions in the Customer’s purchase orders or other business forms will supersede the terms and conditions of this Agreement.

14.9 Waiver. The waiver by either Party of a breach of any provisions of this Agreement by the other Party shall not operate or be construed as a waiver of any subsequent breach by such Party. 

14.10 Compliance with Laws. By accessing the Service, Customer confirms that this Agreement and the performance of any rights and obligations hereof: 

(a) are not restricted by or contrary to any law or regulation applicable to the Customer; do not require registration or approval under the applicable laws governing Customer; and 

(b) will not require termination payments or compulsory licensing under the applicable laws of Customer. 

  1. COUNTERPARTS

Any Order Form or other document relating to this Agreement may be executed in counterparts, each of which may be original or electronic and shall together constitute one and the same binding instrument. 

Appendix A 

SUPPORT AND SERVICE LEVEL AGREEMENT 

This Support and Service Level Agreement is subject to the terms of the Master Subscription Agreement (“Agreement”) as agreed by and between Identity Automation and Customer and is effective as of the Effective Date, and shall continue and thereafter renew on an annual basis subject to the terms set forth herein. Identity Automation and Customer may hereinafter be referred to collectively as the “Parties,” or individually as each “Party.”

In this Support Agreement, the following definitions have the meanings set forth below: 

  1. DEFINED TERMS 

In addition to the terms defined above, the following terms shall have the following meanings whenever used in this Agreement with initial letters capitalized. Any capitalized term used in this Agreement that is not defined herein shall have the meaning attributed to such term as set forth in the Agreement: 

(a) “Help Desk Support” shall mean the Identity Automation department which initially processes questions and issues raised by authorized users or Customer Contact(s) regarding the availability or functionality of the Service.

(b) “Service” or “System” shall mean the Identity Automation software suite and platform. 

(c) “Customer Contact” shall mean that individual(s) authorized by Customer to be the primary interface with Identity Automation regarding the Service, and Customer shall provide Identity Automation with the necessary contact information for this individual.

  1. HELP DESK SUPPORT.

Identity Automation personnel will be available to help Customer Contact(s) by email or the Customer Support portal to answer questions regarding the use of the Service and to help identify, verify, and resolve problems with the Service. Email and Web support are available Monday through Friday, 8:00 a.m. to 5:00 p.m., Central time, excluding Holidays. 

Upon receipt of notice of an error, Identity Automation will assign a severity level according to the following criteria: 

  • Level 1 Emergency – entire system is down and all users are impacted;
  • Level 2 Critical – a large subset of users are impacted;
  • Level 3 Major – a small subset of users are impacted;
  • Level 4 Minor – a single user is impacted.

Identity Automation will use commercially reasonable efforts to correct reported errors or provide a work-around solution for each severity level subject to the following response times: 

Level 1 – within ten (10) business hours of being notified of a Level 1 defect, Identity Automation shall acknowledge its receipt of such notice to Customer, and will use its commercially reasonable efforts to resolve all Level 1 defects as soon as possible. 

Level 2 – within two (2) business days of being notified of a Level 2 defect, Identity Automation shall acknowledge its receipt of such notice to Customer, and will use its commercially reasonable efforts to resolve all Level 2 defects as soon as possible.

Level 3 – within three (3) business days of being notified of a Level 3 defect, Identity Automation shall acknowledge its receipt of such notice to Customer, and will use its commercially reasonable efforts to resolve all Level 3 defects as soon as possible.

Level 4 – within five (5) business days of being notified of a Level 4 defect, Identity Automation shall acknowledge its receipt of such notice to Customer, and will use its commercially reasonable efforts to resolve all Level 4 defects as soon as possible.

 

  1. SERVICE LEVEL AGREEMENT. 

General Service Commitment 

Identity Automation will use commercially reasonable efforts to make the Service available with a Monthly Uptime Percentage of at least 99.9% during any monthly service period (the “Service Commitment”). Commercially reasonable measures include maintaining a highly available configuration that ensures during normal operations that a customer’s environment includes more than one compute and storage node. Measures include automatic fail-over.

This Service Commitment does not apply to: 

(a) Scheduled Maintenance 

(b) Service Interruptions 

  • Emergency Maintenance 
  • Factors outside our control, such as natural disasters, pandemics, accident, strike, external infrastructure failure, or negligent or malicious acts of a third party 

In the event any of the Services do not meet the Service Commitment, you will be eligible to receive a Service Credit as described below. 

| Monthly Uptime Percentage | Service Credit Percentage |
| --- | --- |
| Less than 99.9% but equal to or greater than 99.0% | 5% of the monthly subscription fees calculated as the annual subscription fees divided by 12 |
| Less than 99% but equal to or greater than 95% | 10% of the monthly subscription fees calculated as the annual subscription fees divided by 12 |
| Less than 95% | 15% of the monthly subscription fees calculated as the annual subscription fees divided by 12 |

 

We will apply any Service Credits only against future payments for the applicable Service otherwise due from you. Service Credits will not entitle you to any refund or other payment from Identity Automation. A Service Credit will be applicable and issued only if the credit amount for the applicable monthly billing cycle is greater than one dollar ($1 USD). We will not be obligated to issue a Service Level Credit if the unavailability was caused by (i) your data, (ii) your improper use of the Service or software, or (iii) your use of software we didn’t supply. If we have to do work to resolve an unavailability caused by one of the things in the previous clause, then we will invoice you for the hours we worked at our then-current professional services rates. Service Credits may not be transferred or applied to any other account.

  1. CREDIT REQUEST AND PAYMENT PROCEDURES 

To receive a Service Credit, you must submit a claim by opening a case in the Identity Automation Support Center. To be eligible, the credit request must be received by us by the end of the second billing cycle after which the incident occurred and must include: 

(a) the words “SLA Credit Request” in the subject line; 

(b) the dates, times, and affected account for each Unavailability incident that you are claiming; 

(c) the account ID for the affected Included Service; and

(d) your request logs that document the errors and corroborate your claimed outage (any confidential or sensitive information in these logs should be removed or replaced with asterisks). 

If the Monthly Uptime Percentage of such a request is confirmed by us and is less than the Service Commitment, then we will issue the Service Credit to you within one month following the month in which your request is confirmed by us. Your failure to provide the request and other information as required above will disqualify you from receiving a Service Credit. Unless otherwise provided in the Agreement, this SLA sets forth your sole and exclusive remedies. 

Security & Compliance 

Each customer’s data is segregated from other customer data using mechanisms such as logical access control and encryption. For US customers, customer data is stored completely in the United States. For US customers, the solution shall maintain compliance with FERPA and COPPA as it pertains to student data privacy. In addition, the solution will maintain annual SOC 2 reports available upon request. 

Scheduled Maintenance 

Scheduled maintenance is defined as 11pm-4am CT for customers in North & South America. For customers in Europe, the Middle East, Africa and Asia scheduled maintenance is defined as Noon-6pm CT. For an event to count as scheduled, the customer must be notified 72 hours in advance of the maintenance window and the service must only be unavailable during the aforementioned times.

Breach Notification Procedure 

Identity Automation defines a breach as: 

As noted by NIST – “An incident that involves sensitive, protected, or confidential information being copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so…” 

Data Loss: “The exposure of proprietary, sensitive, or classified information through either data theft or data leakage.” 

In the event of a security breach and/or data loss, Identity Automation will locate and follow “Your” entity’s Attorney General’s required timeframes for “Your” state and local municipality. This means making notification to “You” the entity and “Your” state’s Attorney General’s office. In the event that a notification procedure does not exist or is not timely, as defined by NIST requirement, Identity Automation will make notification to “You” within 48 business hours of any confirmed breach or incident resulting in a confirmed breach impacting “Your” environment. Notification will include information pertaining to: the type of breach, information or potential information impacted, if any, remediation applied to “Your” environment(s) and methods introduced to prevent future incidence or breach of a similar type.

Data Retention Policy for RapidIdentity

Automatic Purging of Application Log Data 

Application generated system data (as presented in Identity Automation’s Audit Log) as well as reporting based on log data older than 3 months is automatically removed. 

Automatic Purging of Backup Data 

The system automatically backs up customer data every 24 hours. Service backup data is automatically purged 6 months after it is first generated. 

Retrieval of Customer Data 

Upon request by Customer made prior to the effective date of expiration or termination of Customer’s subscription, Identity Automation will make available to Customer, at no cost, for thirty (30) days following such expiration or termination for download a file of Customer Data (other than personal confidential information such as, but not limited to, User passwords may not be included except in hash format) in comma separated value (.csv) format. After such 30-day period, Identity Automation shall have no obligation to maintain or provide any Customer Data and shall thereafter, unless legally prohibited, be entitled to delete all Customer Data by deletion of Customer’s unique instance of the Service; provided, however, that Identity Automation will not be required to remove copies of the Customer Data from its backup media and servers until such time as the backup copies are scheduled to be deleted in the normal course of business; provided further that in all cases Identity Automation will continue to protect the Customer Data in accordance with these Terms. Additionally, during the Subscription Term, Customer may extract Customer Data from the Service using Identity Automation’s standard web services. 

Statistical Usage Data and De-Identified Data Usage

Identity Automation owns, without restriction, the statistical usage data derived from the operation of the Service, including data regarding web applications utilized in connection with the Service, configurations, audit data, log data, and the performance results for the Service (“Usage Data”). If Identity Automation provides Usage Data to third parties, such Usage Data shall be de-identified and aggregated so that it will not disclose the identity of Customer or any User(s).

Legal Hold 

The customer is responsible for implementing any legal hold activities that may be necessary in the course of operating their business. This would include, but is not limited to ensuring that relevant audit logs are preserved and retained via export capabilities. 

Data Retention Policy for PhishID

Data Collected

User identification data is collected when a URL represents a phishing attack.  User data collected is URL, HTML, screenshot, browser data, including browser version, screen resolution and timestamp, computer name, machine ID, device serial number, IP address, operating system, user’s email address, and user ID of the registered user.

Purging of PhishID Data

Service captured data is automatically removed ninety (90) days after the expiration or termination of Customer’s subscription.  Further, Identity Automation shall have no obligation to maintain or provide any Customer Data and shall thereafter, unless legally prohibited, be entitled to delete all Customer Data by deletion of Customer’s unique instance of the Service; provided, however, that Identity Automation will not be required to remove copies of the Customer Data from its backup media and servers until such time as the backup copies are scheduled to be deleted in the normal course of business; provided further that in all cases Identity Automation will continue to protect the Customer Data in accordance with these Terms.  Additionally, during the Subscription Term, Customer may extract Customer Data from the Service using Identity Automation’s PhishID standard export functions.

Version Control 

| Date | Changes | Author |
| --- | --- | --- |
| 06/01/2020 | Initial Version | Chris Honeycutt |
| 03/16/2021 | Updated SLA to 99.9% added maintenance hours | Michael Webb |
| 05/14/2021 | Corrected 99.5% to 99.9%, clarified backup and data security procedures. | Michael Webb |
| 07/28/2022 | Changed Breach notification from 72 hours to 48 hours | Michael Webb |
| 11/14/2023 | Introduced PhishID elements | Michael Webb |