Master Service Agreement
This Master Service Agreement (the "Agreement"), effective as of the date of execution of the Order Form (the "Effective Date"), is by and between QEVLAR AI INC., a Delaware corporation with offices located at 1411 Broadway, FL16, New York NY 10018, United States of America ("Provider"), and the customer identified in the Order Form ("Customer"). Provider and Customer may be referred to herein collectively as the "Parties" or individually as a "Party."
WHEREAS, Provider provides access to the Services to its customers; and
WHEREAS, Customer desires to access the Services, and Provider desires to provide Customer access to the Services, subject to the terms and conditions of this Agreement.
NOW, THEREFORE, in consideration of the mutual covenants, terms, and conditions set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
1. Definitions
"Affiliate" means any entity which controls, is controlled by, or under common control with a Party, where "control" means direct or indirect, ownership or control of more than 50% of the voting interest in the subject entity.
"Alert" means data, information, or notifications received from Customer’s deployed Security Tools regarding a potential or actual threat to Customer’s IT network, environment, systems, devices, applications, or data, which are processed by the Services to generate an Investigation Report.
"Aggregated Statistics" means data and information related to Customer’s use of the Services that is used by Provider in an aggregate and anonymized manner, including to compile statistical and performance information related to the provision and operation of the Services.
"API" means any application programming interface made available by Provider for the transmission, processing, or receipt of Alerts, Customer Data, Investigation Reports, or other information in connection with the Services.
"Authorized User" means Customer’s employees, consultants, contractors, and agents (i) who are authorized by Customer to access and use the Services under the rights granted to Customer pursuant to this Agreement and (ii) for whom access to the Services has been purchased hereunder.
"Confidential Information" has the meaning given in Section 6 of this Agreement.
"Customer Data" means, other than Aggregated Statistics, information, data, and other content, in any form or medium, that is submitted, posted, or otherwise transmitted by or on behalf of Customer or an Authorized User through the Services.
"Data Processing Agreement" means the Qevlar AI Data Processing Agreement available at www.qevlar.com/legal/agreements/dpa.
"Documentation" means Provider’s user manuals, handbooks, and guides relating to the Services available on the Platform.
"End Customer" means any third-party customer or client of an MSSP Customer to which MSSP Customer is expressly authorized to provide Managed Services using the Services. End Customer does not include MSSP Customer, any Affiliate of MSSP Customer, any Authorized User, or any Hosting Provider.
"Error" means a substantial failure of the Services to meet the functional or technical specifications expressly made known by Provider in writing (or, if the Services include customizations, the specifications expressly agreed in writing), provided that an Error exists only if it is demonstrable and reproducible.
"Fees" means the fees and charges (i) specified on an applicable Order Form, (ii) accrued through Customer’s usage of the Services, or (iii) otherwise payable to the Provider under the Agreement.
"Investigation Report" means the report, output, data, analysis, Score, suggested remediation action, or other result generated by the Services in connection with the analysis of an Alert.
"Managed Services" means the managed security, monitoring, detection, response, threat-investigation, advisory, or related information-security services that an MSSP Customer is expressly authorized to provide to End Customers using the Services, including the use of the Services on the MSSP Tenant to remotely monitor, analyze, and manage End Customers' IT networks, environments, systems, devices, applications, or data on behalf of, and for the benefit of, the relevant End Customers. For the avoidance of doubt, Managed Services do not include any resale, distribution, sublicensing, or transfer of the Services or any subscription thereto, which is permitted only under a separate Reseller Agreement executed by the Parties.
"Order Form" or "Order" means an ordering document executed by Customer and Provider that references this Agreement and specifies the Services subscribed, the Usage Limit, the Fees, the Subscription Term, and any other deal-specific commercial terms. Each Order Form is incorporated into and governed by this Agreement; in the event of any conflict between an Order Form and this Agreement, the Order prevails.
"Personal Data" has the meaning set forth in the Data Processing Agreement.
"Platform" means the online platform operated or made available by Provider through which Customer and Authorized Users access and use the Services.
"Provider IP" means the Services, the Documentation, and any and all intellectual property provided to Customer or any Authorized User in connection with the foregoing or owned by the Provider, such as trademarks, patents, copyrights, trade secrets, and trade dress, whether registered or not. For the avoidance of doubt, Provider IP includes Aggregated Statistics and any information, data, or other content derived from Provider’s monitoring of Customer’s access to or use of the Services but does not include Customer Data.
"Score" means the severity classification or similar rating assigned by the Services to an Alert and included in an Investigation Report.
"Security Tool" means any third-party security, monitoring, detection, logging, alerting, or similar tool used by Customer in connection with the Services, including any tool that generates Alerts for processing by the Services.
"Service Level Agreement" means the Qevlar AI Service Availability commitment available at www.qevlar.com/legal/agreements/sla.
"Services" means the Provider’s proprietary cybersecurity solution, algorithms for machine learning and APIs, including any updates, revisions, modifications, fixes, additions, and enhancements to it provided through Maintenance, for the provision of Investigation Reports and any related deliverables generated by the Services. "Maintenance" means any correction, update, patch, fix, enhancement, or new version of the Services made available by Provider from time to time.
"Subscription Term" or "Term" means the start date and end date of Customer’s subscription to the Services as indicated on the Order Form.
2. Access and Use
2.1. Provision of Access.
Subject to and conditioned on Customer’s payment of Fees and compliance with the terms and conditions of this Agreement, Provider hereby grants Customer a non-exclusive, non-transferable (except in compliance with Section 12(g)) right to access and use the Services during the Term, solely by Authorized Users in accordance with the terms and conditions herein. Such use is limited to Customer’s internal use. Provider shall provide to Customer the necessary passwords and network links or connections to allow Customer to access the Services. Provider may use third-party contractors to provide the Services, as well as support, training, and other services, provided Provider will remain responsible for the acts and omissions of its contractors described above. Provider reserves the right to make changes to the Services from time to time, subject to prior written notice to Customer in the event of a change to the Service that has a material adverse impact on Customer’s use of the Service. Unless expressly authorized in an Order Form, Customer may use the Services solely for Customer’s internal business purposes and may not use the Services to provide managed security services, outsourced security services, service bureau services, or other services to any third party, including any Affiliate of Customer.
Notwithstanding the foregoing, where the Order expressly designates Customer as a managed security service provider (an "MSSP Customer"), the following additional terms apply in lieu of the internal-use restriction in the immediately preceding sentence: Provider grants MSSP Customer a non-exclusive, non-transferable, non-sublicensable, non-resellable right, for the Subscription Term only, to access and use the Services solely by Authorized Users employed or engaged by MSSP Customer and solely for the purpose of delivering the Managed Services to the End Customers, including the use of the Services to remotely monitor, analyze, and manage End Customers’ IT systems through a tenant operated by MSSP Customer for that purpose (the "MSSP Tenant"). MSSP Customer shall not (A) permit any End Customer or any other third party to access, directly or indirectly, the Services, the Platform, the MSSP Tenant, or any Authorized User credentials; (B) deliver to any End Customer any raw Investigation Report, Alert, or Score, except as summarized, reformatted, or otherwise incorporated by MSSP Customer into MSSP Customer’s own deliverable to such End Customer in the ordinary course of providing the Managed Services; or (C) resell, distribute, sublicense, or otherwise make available the Services or any subscription thereto to any End Customer or third party, except under a separate written distribution or reseller agreement executed by the Parties (any such agreement, the "Reseller Agreement"), which Reseller Agreement is and shall remain distinct from this Agreement; (iii) the Parties acknowledge and agree that any hosting, cloud, infrastructure, or co-location provider used by MSSP Customer or any End Customer in connection with the Managed Services (each, a "Hosting Provider") acts solely as an infrastructure provider, shall have no direct access to or rights in the Services, the Platform, or any Provider IP, and is not authorized to perform any function of an Authorized User; and (iv) MSSP Customer remains primarily and fully liable to Provider for all access to and use of the Services by Authorized Users and (whether or not permitted hereunder) by End Customers and Hosting Providers, and shall ensure that each End Customer has entered into a written agreement with MSSP Customer that (1) imposes confidentiality, data-protection, and use-restriction obligations no less protective of Provider than those set forth in this Agreement, (2) disclaims any claim, right, title, or interest of the End Customer in or to the Services or Provider IP, and (3) names Provider as an intended third-party beneficiary entitled to enforce such obligations directly against the End Customer.
2.2 Documentation License.
Subject to the terms and conditions contained in this Agreement, Provider hereby grants to Customer a non-exclusive, non-sublicensable, non-transferable (except in compliance with Section 12(g)) license to use the Documentation during the Term solely for Customer’s internal business purposes in connection with its use of the Services.
2.3 Excess Usage.
The Services are licensed on an Alert-based basis. The maximum number of Alerts that may be submitted to the Services during the applicable subscription period , measured in aggregate across all Authorized Users ("Usage Limit"), is set forth in the Order Form. An Alert is counted each time it is submitted to the Services for processing, regardless of the resulting Investigation Report or Score. Customer is responsible for monitoring its usage and for requesting an upgrade before exceeding the applicable Usage Limits. Provider may monitor Customer's use of the Services to verify compliance with the Usage Limits. If Customer exceeds any Usage Limit, Provider may invoice Customer for the excess usage at Provider’s then-current list price as of the date of regularization, and if Customer exceeds the Usage Limit by more than ten percent (10%), Provider may, on written notice, suspend Customer’s and any Authorized User’s access to the Services until Customer has purchased an upgrade or otherwise reduced its usage to within the Usage Limit, with any such suspension constituting a Service Suspension for purposes of Section 2(f). Customer shall reimburse Provider for the reasonable costs of verification incurred in connection with any breach of the Usage Limits. Customer shall not, and shall procure that no Authorized User shall, make unreasonable or excessive use of the Services or otherwise use the Services in a manner that affects the stability, safety, security or quality of the Services or the underlying infrastructure.
2.4 Use Restrictions.
Customer shall not use the Services for any purposes beyond the scope of the access granted in this Agreement. Customer shall not at any time, directly or indirectly, and shall not permit any Authorized Users to: (i) copy, modify, or create derivative works of the Services or Documentation, in whole or in part; (ii) rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Services or Documentation; (iii) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Services, in whole or in part; (iv) remove any proprietary notices from the Services or Documentation; (v) bypass or breach any security protocol, security requirement, metering system, or other protection of the Service, or otherwise work around any technical limitation; (vi) use the Services or Documentation in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of Provider or any third party , or that violates any applicable law; (vii) use the Services for benchmarking, competitive analysis, or publication of performance, comparison, or evaluation results, or disclose to any third party any benchmark, performance, comparison, or evaluation results relating to the Services, without Provider’s prior written consent; or (viii) transmit to the Services any Alert, Customer Data, or other material that contains malicious code, violates applicable law, infringes Provider’s or any third-party rights, or is not authorized to be transmitted to or processed by Provider.
2.5 Reservation of Rights.
Provider reserves all rights not expressly granted to Customer in this Agreement. Except for the limited rights and licenses expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Customer or any third party any intellectual property rights or other right, title, or interest in or to the Provider IP.
2.6 Suspension.
Notwithstanding anything to the contrary in this Agreement, Provider may temporarily suspend Customer’s and any Authorized User’s access to any portion or all of the Services if: (i) Provider reasonably determines that (A) there is a threat or attack on any of the Provider IP; (B) Customer’s or any Authorized User’s use of the Provider IP disrupts or poses a security risk to the Provider IP or to any other customer or vendor of Provider; (C) Customer, or any Authorized User, is using the Provider IP for fraudulent or illegal activities; (D) subject to applicable law, Customer has ceased to continue its business in the ordinary course, made an assignment for the benefit of creditors or similar disposition of its assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution, or similar proceeding; or (E) Provider’s provision of the Services to Customer or any Authorized User is prohibited by applicable law; (ii) any vendor of Provider has suspended or terminated Provider’s access to or use of any third-party services or products required to enable Customer to access the Services; or (iii) as a result of Customer’s failure to pay undisputed amounts when due and after Provider provides written notice and a reasonable opportunity to cure (any such suspension described in subclause (i), (ii), or (iii), or under Section 4(g), a "Service Suspension"). Provider shall use commercially reasonable efforts to provide written notice of any Service Suspension to Customer and to provide updates regarding resumption of access to the Services following any Service Suspension. Provider shall use commercially reasonable efforts to resume providing access to the Services as soon as reasonably possible after the event giving rise to the Service Suspension is cured. Provider will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Customer or any Authorized User may incur as a result of a Service Suspension.
2.7 Aggregated Statistics.
Notwithstanding anything to the contrary in this Agreement, Provider may monitor Customer’s use of the Services and collect and compile Aggregated Statistics. As between Provider and Customer, all rights, title, and interest in Aggregated Statistics, and all intellectual property rights therein, belong to and are retained solely by Provider. Customer acknowledges that Provider may compile Aggregated Statistics based on Customer Data input into the Services. Customer agrees that Provider may (i) make Aggregated Statistics publicly available in compliance with applicable law, and (ii) use Aggregated Statistics to the extent and in the manner permitted under applicable law; provided that such Aggregated Statistics do not identify Customer or Customer’s Confidential Information.
3. Customer Responsibilities
3.1 General.
Customer is responsible and liable for all uses of the Services and Documentation resulting from access provided by Customer, directly or indirectly, whether such access or use is permitted by or in violation of this Agreement. Without limiting the generality of the foregoing, Customer is responsible for all acts and omissions of Authorized Users, and any act or omission by an Authorized User that would constitute a breach of this Agreement if taken by Customer will be deemed a breach of this Agreement by Customer. Customer shall use reasonable efforts to make all Authorized Users aware of this Agreement’s provisions as applicable to such Authorized User’s use of the Services and shall cause Authorized Users to comply with such provisions. Authorized Users will be provided with passwords, login credentials, and shall keep such materials and tools confidential. Customer is responsible for ensuring that its systems and infrastructure used in connection with the Services satisfy and continue to satisfy Provider’s minimum requirements (as communicated by Provider from time to time) and for providing adequate maintenance of such systems and infrastructure. Customer is responsible for all activity occurring under the passwords, login credentials, and account administration tools issued to Authorized Users. Customer must ensure the systems and any applications to be accessed by Provider in performing the Services are accessible, available, maintained and updated in order to support the Services, and shall provide ready access to all appropriate computing platforms, software, documentation, training material, premises and personnel necessary for Provider’s performance of the Services throughout the duration of the Agreement. Customer shall adequately secure its systems and infrastructure and maintain active antivirus software protection at all times. Customer shall provide such information to Provider upon request.
3.2 Customer Materials.
Customer shall supply information requested by Provider as reasonably necessary to perform the Services contemplated under this Agreement ("Customer Materials"). Customer hereby grants to Provider the right and limited license to use such Customer Materials solely as necessary to provide Services. Customer shall be solely responsible for the accuracy, quality, integrity, completeness, non-infringement, legality, reliability, and appropriateness of the Customer Materials and all Customer-approved information contained therein. To the extent that any Customer Materials include Personal Data, the processing of the same by Provider shall be subject to the provisions of the Data Processing Agreement.
3.3 Security Tools; Alerts.
Customer is solely responsible, at its own cost, for obtaining, maintaining, configuring, and operating all Security Tools and other third-party products or services necessary for Customer to use the Services. Customer is responsible for ensuring that all Alerts and other data transmitted to the Services comply with the Documentation and applicable specifications. Provider is not responsible for any failure, delay, error, inaccurate Investigation Report, or inability to provide the Services to the extent caused by Customer’s Security Tools, systems, configurations, credentials, or failure to provide complete and accurate Alerts or Customer Data. Customer acknowledges that the Services may process Alerts and related Customer Data, including Authorized User identification and contact details, login and usage data, network traffic, logs, device and application data, Security Tool outputs, and other data contained in Alerts or Customer Data, for the purpose of providing the Services, generating Investigation Reports, maintaining and supporting the Services, and performing Provider’s obligations under this Agreement. Customer is responsible for ensuring that it has all necessary rights, notices, consents, and authorizations for Provider to process such Alerts and Customer Data in accordance with this Agreement and the Data Processing Agreement.
4. Service Levels; Support; Changes
4.1 Service Levels.
Customer acknowledges that Provider does not guarantee that the Services will function without restrictions, interruptions, defects, or malfunctions at all times. Provider will provide the applicable service levels and technical support in accordance with the Service Level Agreement in www.qevlar.com/legal/agreements/sla.
4.2 Support.
The access rights granted hereunder entitle Customer to the support services described in www.qevlar.com/legal/agreements/support-policy. Provider will handle properly substantiated support requests submitted in accordance with the Qevlar AI Support Policy by emailing support@qevlar.com within a reasonable time. Support services shall be performed on work days during business hours. For purposes of this Section 4(b), "work days" means Monday through Friday excluding local public holidays and "business hours" means 9:00 a.m. to 6:00 p.m. local time at the registered office of the contracting Provider entity. Provider does not guarantee the accuracy, completeness, or timeliness of replies or support offered.
4.3 Error Report.
Customer shall report any Errors in reasonable detail. Following receipt of such report, Provider shall use reasonable efforts to correct Errors and/or implement improvements in later versions in accordance with its usual procedures and version/release policy, and Provider may implement temporary solutions, workarounds, or problem-avoiding limitations. Customer shall reasonably cooperate with maintenance activities, including temporarily ceasing use of the Services if reasonably requested and making backups of its data. Customer remains responsible for its own operation, configuration, parameterization and tuning and for the use of results arising from operating the Services.
4.4 New Versions.
From the time a new version of the Services can be made available, Provider may cease fixing Errors in, and providing maintenance and support for, prior versions. Provider may incorporate functionality from a prior version in unaltered form but does not guarantee that each new version includes the same functionality, and Provider is not obliged to maintain, modify, or add features specifically for Customer. Provider may require Customer to modify its systems if necessary for proper functioning of a new version.
4.5 Additional Services.
If, at Customer’s request (or with Customer’s prior written consent), Provider performs any services, supplies, deliverables, or other work that is outside the scope of the Services and support expressly included in this Agreement and the Order Form, including, without limitation, configuration, implementation, setup, custom development, training, and integrations with Security Tools or other third-party systems not expressly included in the Documentation or Order Form (collectively, "Additional Services"), Customer shall pay Provider for such Additional Services in accordance with Provider’s then-current standard rates. Provider is not obligated to perform any Additional Services and may require that the Parties enter into a separate written statement of work, change order, or other written agreement before performing any Additional Services.
4.6 No Waiver.
Provider’s failure to enforce this Section 4 in any instance will not constitute a waiver of Provider’s right to enforce this Section 4 or any other provision of this Agreement.
5. Fees and Payment
5.1 Fees.
Customer shall pay Provider the Fees as set forth in the Order Form without offset or deduction within thirty (30) calendar days after Customer’s receipt of an invoice. Unless otherwise set forth in an Order, Fees are invoiced annually in advance and are non-refundable except as expressly set forth in this Agreement. Customer shall make all payments hereunder in US dollars on or before the due date set forth in the Order Form. If Customer fails to make any payment when due, without limiting Provider’s other rights and remedies: (i) Provider may charge interest on the past due amount at the rate of 1.5% per month calculated daily and compounded monthly or, if lower, the highest rate permitted under applicable law; (ii) Customer shall reimburse Provider for all costs incurred by Provider in collecting any late payments or interest, including attorneys’ fees, court costs, and collection agency fees; and (iii) if such failure continues for thirty (30) days or more, Provider may suspend Customer’s and its Authorized Users’ access to any portion or all of the Services until such amounts are paid in full.
5.2 Taxes.
All Fees and other amounts payable by Customer under this Agreement are exclusive of taxes and similar assessments. Customer is responsible for all sales, use, and excise taxes, and any other similar taxes, duties, and charges of any kind imposed by any federal, state, or local governmental or regulatory authority on any amounts payable by Customer hereunder, other than any taxes imposed on Provider’s income.
6. Confidential Information.
From time to time during the Term, either Party may disclose or make available to the other Party information about its business affairs, products, confidential intellectual property, trade secrets, third-party confidential information, and other sensitive or proprietary information, whether orally or in written, electronic, or other form or media, and whether or not marked, designated, or otherwise identified as "confidential" (collectively, "Confidential Information"). Confidential Information does not include information that, at the time of disclosure is: (a) in the public domain; (b) known to the receiving Party at the time of disclosure; (c) rightfully obtained by the receiving Party on a non-confidential basis from a third party; or (d) independently developed by the receiving Party. The receiving Party shall not disclose the disclosing Party’s Confidential Information to any person or entity, except to the receiving Party’s employees who have a need to know the Confidential Information for the receiving Party to exercise its rights or perform its obligations hereunder. Notwithstanding the foregoing, each Party may disclose Confidential Information to the limited extent required (i) in order to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the Party making the disclosure pursuant to the order shall first have given written notice to the other Party and made a reasonable effort to obtain a protective order; or (ii) to establish a Party’s rights under this Agreement, including to make required court filings. On the expiration or termination of the Agreement, the receiving Party shall promptly return to the disclosing Party all copies, whether in written, electronic, or other form or media, of the disclosing Party’s Confidential Information, or destroy all such copies and certify in writing to the disclosing Party that such Confidential Information has been destroyed. Each Party’s obligations of non-disclosure with regard to Confidential Information are effective as of the Effective Date and will expire five years from the date first disclosed to the receiving Party; provided, however, with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), such obligations of non-disclosure will survive the termination or expiration of this Agreement for as long as such Confidential Information remains subject to trade secret protection under applicable law. Provider may refer to Customer as a Provider customer and may use Customer’s (brand) names and/or logos/figurative marks in Provider’s sales, marketing, investor and analyst materials (including Provider’s website).
7. Intellectual Property Ownership; Feedback
7.1 Provider IP.
Customer acknowledges that, as between Customer and Provider, Provider owns all rights, title, and interest, including all intellectual property rights, in and to the Provider IP.
7.2 Customer Data.
Provider acknowledges that, as between Provider and Customer, Customer owns all rights, title, and interest, including all intellectual property rights, in and to the Customer Data. Customer hereby grants to Provider a non-exclusive, royalty-free, worldwide license to reproduce, distribute, and otherwise use and display the Customer Data and perform all acts with respect to the Customer Data as may be necessary for Provider to provide the Services to Customer, and a non-exclusive, perpetual, irrevocable, royalty-free, worldwide license to reproduce, distribute, modify, and otherwise use and display Customer Data (i) incorporated within the Aggregated Statistics and (ii) as part of Provider’s Internal AI Use as defined and authorized in Section 7(e). To the extent that any Customer Data includes Personal Data, the processing of the same by Provider shall be subject to the provisions of the Data Processing Agreement.
7.3 Feedback.
If Customer or any of its employees or contractors sends or transmits any communications or materials to Provider by mail, email, telephone, or otherwise, suggesting or recommending changes to the Provider IP, including without limitation, new features or functionality relating thereto, or any comments, questions, suggestions, or the like ("Feedback"), Provider is free to use such Feedback irrespective of any other obligation or limitation between the Parties governing such Feedback. Customer hereby assigns to Provider on Customer’s behalf, and on behalf of its employees, contractors, and/or agents, all right, title, and interest in, and Provider is free to use, without any attribution or compensation to any party, any ideas, know-how, concepts, techniques, or other intellectual property rights contained in the Feedback, for any purpose whatsoever, although Provider is not required to use any Feedback.
7.4 Customer Materials; Non-Infringement.
Customer represents and warrants that any Customer Data, Alerts, Security Tool outputs, materials, data, designs, specifications, credentials, configurations, or other information made available by Customer or Authorized Users for use, maintenance, processing, installation, integration, or analysis in connection with the Services do not infringe any rights of third parties, violate applicable law, or constitute an unlawful processing or transfer of Personal Data. Provider is not obliged to perform any data conversion unless expressly agreed in writing.
7.5 Use of Customer Data for AI Model Development; No Third-Party Model Training
(i) Provider's Internal AI Use.
In addition to the rights granted in Section 7(b), Provider may use Customer Data (including in pseudonymized or non-anonymized form) to develop, train, fine-tune, test, validate, evaluate, secure, monitor, and improve the Services, the Provider IP, and Provider's proprietary artificial intelligence and machine-learning models, and to generate Aggregated Statistics, derivative datasets, embeddings, signatures, threat-intelligence, and model weights from such data ("Provider's Internal AI Use"). Provider's Internal AI Use is subject to the confidentiality obligations in Section 6 and to the security and data-protection commitments in the Data Processing Agreement. Provider may retain and continue to use models, weights, signatures, and other artifacts resulting from Provider's Internal AI Use after expiration or termination of this Agreement, provided that Provider does not retain Customer Data in identifiable form except as permitted by Section 6 of the Data Processing Agreement.
(ii) No third-party model training.
Notwithstanding anything to the contrary in this Agreement, Provider shall not transmit, disclose, license, or otherwise make available any Customer Data to any third party for the purpose of training, fine-tuning, evaluating, or otherwise developing such third party's large language models, foundation models, or other artificial intelligence or machine-learning models for that third party's own benefit, and Provider shall not authorize any Sub-processor or other third party to do so. For the avoidance of doubt, this Section 7(e)(ii) does not restrict (A) Provider's use of third-party infrastructure (including third-party hosted models accessed via API) to perform inference on Customer Data on Provider's behalf in the course of providing the Services, or (B) Provider's use of third-party providers for analytics, observability, or operational support, in each case subject to the Sub-processor commitments in the Data Processing Agreement and on terms that contractually prohibit the third party from training its models on Customer Data.
8. Limited Warranty; Disclaimers
8.1 Disclaimers.
THE SERVICES ARE PROVIDED "AS IS" AND PROVIDER HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. PROVIDER SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE. PROVIDER MAKES NO WARRANTY OF ANY KIND THAT THE PROVIDER IP, OR ANY PRODUCTS OR RESULTS OF THE USE THEREOF, WILL MEET CUSTOMER’S OR ANY OTHER ENTITY’S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM, OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR FREE.
8.2 No Advice; No Third-Party Reliance.
Any advice, recommendations, guidance, statements, or other information that Provider may provide to Customer (including in connection with consultancy, education, training, or workshops), whether or not as part of the Services, is provided for Customer’s internal informational purposes only and does not constitute professional advice. Customer acknowledges that any use of such advice, recommendations, guidance, statements, or information (including any report or other output provided by Provider) is at Customer’s sole risk and is based on information provided by Customer. Customer shall not disclose any such advice, report, or associated data to any third party or otherwise make the foregoing available to any third party without Provider’s prior written consent, and then only if (i) Customer has paid all fees due to Provider for such advice or report, and (ii) Customer enters into a written agreement with such third party providing that Provider owes no duty to, and assumes no liability with respect to, such third party arising from or relating to such advice, report, or its contents. Customer acknowledges that Investigation Reports, Scores, suggested remediation actions, and any other outputs generated by the Services are provided for Customer’s internal informational and security-assessment purposes only. They are generated through automated, agentic, and artificial-intelligence-based analysis and are indicative only. To the extent that any feature of the Services performs automated or autonomous actions on or in connection with Customer’s systems, networks, endpoints, identities, applications, or data (including, without limitation, blocking, isolating, quarantining, terminating, modifying, disabling, restoring, or otherwise remediating any activity, file, process, account, asset, or configuration), Customer expressly authorizes such actions, acknowledges that they are performed on a commercially reasonable best-efforts basis pursuant to Customer’s configuration, Customer’s instructions, and the then-current rule sets, models, and policies of the Services, and accepts sole responsibility for the consequences of such actions, including any disruption to Customer’s operations or impact on third parties. Customer is responsible for reviewing and configuring the scope of autonomous action permitted within its environment and for maintaining its own oversight, monitoring, and rollback capabilities. Customer is solely responsible for reviewing, validating, and determining whether and how to rely on any Investigation Report, Score, suggested remediation action, or other output, and for implementing any remediation, mitigation, escalation, or other security measures. Provider does not warrant that the Services will identify all threats, vulnerabilities, incidents, malicious activity, or other security issues; correctly classify the severity of any Alert; prevent any security incident; remediate any vulnerability or threat; or produce outputs that are complete, accurate, current, or appropriate for Customer’s particular systems, environment, or risk profile.
9. Indemnification
9.1 Provider Indemnification.
(i) Provider shall indemnify, defend, and hold harmless Customer from and against any and all losses, damages, liabilities, costs (including reasonable attorneys’ fees) ("Losses") incurred by Customer resulting from any third-party claim, suit, action, or proceeding ("Third-Party Claim") that the Services developed by Provider itself, or any use of the Services in accordance with this Agreement, infringes or misappropriates such third party’s intellectual property rights, provided that Customer promptly notifies Provider in writing of such Third-Party Claim, cooperates with Provider, and allows Provider sole authority to control the defense and settlement of such Third-Party Claim.
(ii) If a Third-Party Claim is made or appears possible, Customer agrees to permit Provider, at Provider’s sole discretion, to (A) modify or replace the Services, or component or part thereof, to make it non-infringing, (B) obtain the right for Customer to continue use, or (C) provide functional equivalents of the affected Services. If Provider determines that neither alternative is reasonably available, Provider may terminate this Agreement, in its entirety or with respect to the affected component or part, effective immediately on written notice to Customer.
(iii) This Section 9(a) will not apply to the extent that the alleged infringement arises from: (A) use of the Services in combination with data, software, hardware, equipment, or technology not provided by Provider or authorized by Provider in writing; (B) modifications to the Services not made by Provider; or (C) Customer Data.
9.2 Customer Indemnification.
Customer shall indemnify, hold harmless, and, at Provider’s option, defend Provider from and against any Losses resulting from any Third-Party Claim that the Customer Data, or any use of the Customer Data in accordance with this Agreement, infringes or misappropriates such third party’s intellectual property rights and any Third-Party Claims based on Customer’s or any Authorized User’s (i) negligence or willful misconduct; (ii) use of the Services in a manner not authorized by this Agreement; (iii) use of the Services in combination with data, software, hardware, equipment, or technology not provided by Provider or authorized by Provider in writing; or (iv) modifications to the Services not made by Provider, provided that Customer may not settle any Third-Party Claim against Provider unless Provider consents to such settlement, and further provided that Provider will have the right, at its option, to defend itself against any such Third-Party Claim or to participate in the defense thereof by counsel of its own choice. Customer’s indemnification obligations include Third-Party Claims arising from or relating to Security Tools, Alerts, Customer systems, Customer’s instructions, or any allegation that Provider’s receipt, access, use, processing, or analysis of Customer Data or Alerts in accordance with this Agreement violates applicable law or infringes, misappropriates, or otherwise violates any third-party right.
9.3 Sole Remedy.
THIS SECTION 9 SETS FORTH CUSTOMER’S SOLE REMEDIES AND PROVIDER’S SOLE LIABILITY AND OBLIGATION FOR ANY ACTUAL, THREATENED, OR ALLEGED CLAIMS THAT THE SERVICES INFRINGE, MISAPPROPRIATE, OR OTHERWISE VIOLATE ANY INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY.
10. Limitations of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL: (i) EITHER PARTY BE LIABLE TO THE OTHER OR TO ANY THIRD PARTY FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, LOSS OF GOODWILL, OR BUSINESS INTERRUPTION ARISING OUT OF OR RELATED TO THE AGREEMENT, CUSTOMER’S INABILITY TO USE THE SERVICES, DOCUMENTATION, OR ADDITIONAL SERVICES IN ACCORDANCE WITH AND SUBJECT TO THE AGREEMENT; AND (ii) EITHER PARTY’S AGGREGATE LIABILITY TO THE OTHER FOR ALL LOSSES, CLAIMS AND DAMAGES (EXCEPT FOR FEES OWED UNDER THE AGREEMENT) EXCEED THE TOTAL AMOUNT OF FEES PAID OR PAYABLE BY CUSTOMER FOR THE APPLICABLE SERVICES UNDER THE AGREEMENT IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT FIRST GIVING RISE TO THE LIABILITY. All limitations and exclusions of liability in the Agreement will apply even if the above stated remedies fail of their essential purpose and regardless of the form or source of claim or loss, whether the claim or loss was foreseeable, and whether Provider and its Affiliates have been advised of the possibility of the claim or loss.
11. Term and Termination
11.1 Term.
The term of this Agreement begins on the Effective Date and, unless terminated earlier pursuant to this Agreement’s express provisions, will continue as set forth in the Order Form. Upon expiration of the Term, this Agreement will not automatically renew, and any renewal or extension will require the Parties’ prior written agreement regarding the terms applicable to such renewal or extension.
11.2 Termination.
In addition to any other express termination right set forth in this Agreement:
(i) Provider may terminate this Agreement, effective on written notice to Customer, if Customer: (A) fails to pay any amount when due hereunder, and such failure continues more than thirty (30) days after Provider’s delivery of written notice thereof; or (B) breaches any of its obligations under Section 2(d) or 6;
(ii)either Party may terminate this Agreement, effective on written notice to the other Party, if the other Party breaches this Agreement, and such breach: (A) is incapable of cure; or (B) being capable of cure, remains uncured for thirty (30) days after the non-breaching Party provides the breaching Party with written notice of such breach; or
(iii) either Party may terminate this Agreement, effective immediately upon written notice to the other Party, if the other Party: (A) becomes insolvent or is generally unable to pay, or fails to pay, its debts as they become due; (B) files a petition for voluntary bankruptcy or has filed against it a petition for involuntary bankruptcy, which is not withdrawn or denied within thirty (30) days, or otherwise becomes subject, voluntarily or involuntarily, to any proceeding under any domestic or foreign bankruptcy or insolvency law; (C) makes or seeks to make a general assignment for the benefit of its creditors; or (D) applies for or has appointed a receiver, trustee, custodian, or similar agent appointed by order of any court of competent jurisdiction to take charge of or sell any material portion of its property or business.
11.3 Effect of Expiration or Termination.
Upon expiration or earlier termination of this Agreement, Customer shall immediately discontinue use of the Provider IP and, without limiting Customer’s obligations under section 6, Customer shall delete, destroy, or return all copies of the Provider IP and certify in writing to the Provider that the Provider IP has been deleted or destroyed. No expiration or termination will affect Customer’s obligation to pay all Fees that may have become due before such expiration or termination or entitle Customer to any refund. Customer is solely responsible for exporting and backing up Customer Data, Alerts, and Investigation Reports during the Term. Following expiration or termination of this Agreement, Customer’s access to the Services, Alerts, and Investigation Reports will terminate, and Alerts and Investigation Reports may no longer be available through the Services, except as expressly required under the DPA or applicable law. Provider shall have no obligation to provide migration, conversion, transition, or other professional services following expiration or termination unless separately agreed in writing by the Parties or required under applicable law. Amounts invoiced by Provider prior to termination for Services properly provided before the effective date of termination remain payable in full.
11.4 Survival.
This Section 11(d) and Sections 1, 2(c), 2(d), 2(f), 2(g), 3, 4(e), 4(f), 5, 6, 7, 8, 9, 10, 11(c), and 12 survive any termination or expiration of this Agreement. No other provisions of this Agreement survive the expiration or earlier termination of this Agreement.
12. Miscellaneous
12.1 Entire Agreement.
This Agreement constitutes the sole and entire agreement of the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous understandings, agreements, and representations and warranties, both written and oral, with respect to such subject matter.
12.2 Notices.
All notices, requests, consents, claims, demands, waivers, and other communications hereunder (each, a "Notice") must be in writing and addressed to the Parties at the addresses set forth on the first page of this Agreement (or to such other address that may be designated by the Party giving Notice from time to time in accordance with this Section). All Notices must be delivered by personal delivery, nationally recognized overnight courier (with all fees pre-paid), email (with confirmation of transmission), or certified or registered mail (in each case, return receipt requested, postage pre-paid). Except as otherwise provided in this Agreement, a Notice is effective only: (i) upon receipt by the receiving Party; and (ii) if the Party giving the Notice has complied with the requirements of this Section.
12.3 Force Majeure.
In no event shall Provider be liable to Customer, or be deemed to have breached this Agreement, for any failure or delay in performing its obligations under this Agreement, if and to the extent such failure or delay is caused by any circumstances beyond Provider’s reasonable control, including but not limited to (i) acts of God; (ii) flood, fire, earthquake, explosion, epidemic, pandemic or other public health issue; (iii) war, invasion, hostilities (whether war is declared or not), terrorist threats or acts, riot or other civil unrest; (iv) government order, law, or actions; (v) embargoes or blockades in effect on or after the date of this Agreement; (vi) national or regional emergency; (vii) strikes, labor stoppages or slowdowns, or other industrial disturbances; and (viii) shortage of adequate power or transportation facilities. If a force majeure situation persists for more than sixty (60) days, either Party may terminate this Agreement in writing. In such case, performance already rendered shall be paid for on a pro-rata basis and the Parties shall not be deemed to have satisfied their respective obligations under this Agreement.
12.4 Amendment and Modification; Waiver.
No amendment to or modification of this Agreement is effective unless it is in writing and signed by an authorized representative of each Party. Provider may update the Documentation, policies, and standard technical or operational requirements applicable to the Services from time to time; provided that no such update will materially reduce Customer’s rights or Provider’s obligations under this Agreement during the then-current Term unless Customer agrees in writing. No waiver by any Party of any of the provisions hereof will be effective unless explicitly set forth in writing and signed by the Party so waiving. Except as otherwise set forth in this Agreement, (i) no failure to exercise, or delay in exercising, any rights, remedy, power, or privilege arising from this Agreement will operate or be construed as a waiver thereof, and (ii) no single or partial exercise of any right, remedy, power, or privilege hereunder will preclude any other or further exercise thereof or the exercise of any other right, remedy, power, or privilege.
12.5 Severability.
If any provision of this Agreement is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability will not affect any other term or provision of this Agreement or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal, or unenforceable, the Parties shall negotiate in good faith to modify this Agreement so as to affect their original intent as closely as possible in a mutually acceptable manner in order that the transactions contemplated hereby be consummated as originally contemplated to the greatest extent possible.
12.6 Governing Law; Submission to Jurisdiction.
This Agreement is governed by and construed in accordance with the internal laws of the State of New York without giving effect to any choice or conflict of law provision or rule that would require or permit the application of the laws of any jurisdiction other than those of the State of New York. Any legal suit, action, or proceeding arising out of or related to this Agreement or the licenses granted hereunder may be instituted exclusively in the federal courts of the United States or the courts of the State of New York in each case located in the city of New York and County of New York, and each Party irrevocably submits to the exclusive jurisdiction of such courts in any such suit, action, or proceeding.
12.7 Assignment.
Customer may not assign any of its rights or delegate any of its obligations hereunder, in each case whether voluntarily, involuntarily, by operation of law or otherwise, without the prior written consent of Provider; provided that, on prior written notice to Provider and subject to (A) the assignee not being a competitor of Provider, (B) the assignee assuming all of Customer’s obligations under this Agreement, and (C) Customer remaining liable as primary obligor in the case of an assignment to an Affiliate, Customer may assign this Agreement (1) to a wholly-owned Affiliate of Customer, or (2) in connection with a merger, consolidation, reorganization, sale of substantially all of its assets, or other change of control of Customer. Any purported assignment or delegation in violation of this Section will be null and void. No assignment or delegation will relieve the assigning or delegating Party of any of its obligations hereunder. This Agreement is binding upon and inures to the benefit of the Parties and their respective permitted successors and assigns.
12.8 Export Regulation.
Customer shall comply with all applicable export laws, regulations, and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), that prohibit or restrict the export or re-export of the Services or any Customer Data.
12.9 Equitable Relief.
Each Party acknowledges and agrees that a breach or threatened breach by such Party of any of its obligations under section 6 or, in the case of Customer, Section 2(c), would cause the other Party irreparable harm for which monetary damages would not be an adequate remedy and agrees that, in the event of such breach or threatened breach, the other Party will be entitled to equitable relief, including a restraining order, an injunction, specific performance, and any other relief that may be available from any court, without any requirement to post a bond or other security, or to prove actual damages or that monetary damages are not an adequate remedy. Such remedies are not exclusive and are in addition to all other remedies that may be available at law, in equity, or otherwise.
