Master Subscription Agreement
COVER PAGE FOR BONTERMS CLOUD TERMS
This Master Subscription Agreement ("Agreement") sets forth the terms and conditions governing Customer's use of Provider's Cloud Service. The Agreement incorporates the Bonterms Cloud Terms (Version 1.0), which is available at https://bonterms.com/forms/bonterms-cloud-terms-v1/ and a reference copy of which is attached as Attachment 3. An explainer on the Bonterms Cloud Terms is available here: https://bonterms.com/resources/cloud-terms-explainer. The Agreement includes the contents of this document, including the Key Terms, Attachments and any Additional Terms below. By executing an Order that references this Agreement, Customer and Provider agree to be bound by the terms herein. Capitalized terms not defined in this document have the meanings given in the Bonterms Cloud Terms.
Key Terms
Effective Date means the effective date of the first Order executed by the parties that references this Agreement.
Governing Law means the laws of the state of California.
Courts means a federal court in the County of San Francisco, California.
Order means any documented order pursuant to which Customer orders the Cloud Service that is signed by both parties and references this Agreement.
Attachments
The following attachments are incorporated into the Agreement by this reference:
- Attachment 1: Security Measures
- Attachment 2: Data Protection Addendum
- Attachment 3: Reference Copy of Bonterms Cloud Terms
Additional Terms
The following additions to or modifications of the Bonterms Cloud Terms are agreed by the parties and control in the event of any conflicts between these additional terms and any other provision of the Bonterms Cloud Terms:
1. Definitions
The following terms shall have the following meanings:
Customer Data means all email, calendar and related content and information (excluding Users' Contacts derived from their Personal Emails) provided or submitted by, or on behalf of, Customer or its Users, or imported from Third-Party Platforms at the direction of Customer or its Users, in connection with the use of the Cloud Service.
Data Protection Laws has the meaning given in the DPA.
Email Body Data means any content in the message bodies of emails included in the Customer Data and does not include information in email headers or signatures.
Personal Accounts means Users' personal email accounts and email accounts controlled by the User individually or by organizations other than Customer.
Personal Data has the meaning given in the DPA.
Platform means Provider's proprietary relationship management platform, which is used to provide the Cloud Service, as may be updated or improved by Provider from time to time.
Privacy Policy means Provider's privacy policy available at https://www.ctd.ai/privacy-policy, as may be updated by Provider from time to time in accordance with its terms.
Processing has the meaning given in the DPA.
TOS means Provider's terms of service available at https://www.ctd.ai/terms-of-use and as may be updated by Provider from time to time in accordance with its terms.
Usage Data means Provider's technical logs, account and login data, data and learnings about Users' use of the Platform and the Cloud Service (e.g., frequency of logins, volume of Customer Data processed). Usage Data is not Customer Data.
User means an individual who obtains credentials for an individual Provider account, has agreed to the Provider Terms of Service and Privacy Policy, and is an employee, agent or independent contractor that is authorized to access the Platform pursuant to Customer's rights under this Agreement.
Users' Contacts means information about Users' contacts derived from signature information and headers (i.e., in the date, from, to, cc and bcc, and subject fields) in the emails of Users (a) associated with their Personal Accounts or (b) associated with Customer-controlled accounts and included in Customer Data. Users' Contacts do not include Email Body Data or any signature information that does not pertain to an email sender or recipient listed in header metadata.
2. Cloud Service Updates; Beta Features
Provider may update, modify and improve the Cloud Service and the Platform from time to time with or without notifying Customer provided that such updates do not materially degrade the functionality of the Platform or the Cloud Service. From time to time, Provider may make "beta" or other experimental features or tools available to Customer. Such features or tools are offered solely for experimental purposes and without any warranty of any kind, and may be modified or discontinued at Provider's sole discretion.
3. Users
Each User will create unique account credentials associated with their Customer-controlled email account to access the Cloud Service. All activities undertaken using a User's account credentials will be treated as if authorized by said User. Customer acknowledges and agrees that Customer is responsible for setting applicable access rights of Users with respect to the Cloud Service.
4. Users' Contacts
The Platform is designed to enable users to keep track of and utilize information about their interactions with both their personal and professional contacts. If a User's employment relationship with Customer concludes, the User may retain access to their Contacts, including name, email address and email signature and certain metadata from emails including date/time, From/To/CC/Bcc and Subject unless Customer removes such access. In no case will the User be allowed to retain Email Body Data. Customer shall not have any ability to control information contained within a User's Personal Account(s). Customer acknowledges that the Cloud Service may misclassify signature information of unrelated parties appearing in email body data as pertaining to authorized users' contacts.
5. Privacy
The parties shall comply with all Data Protection Laws in the performance of their respective obligations under this Agreement with respect to the Processing of Personal Data and their respective obligations under the DPA. Provider shall Process Users' Contacts as described in the Privacy Policy.
Customer shall ensure that Customer Data does not include any social security numbers or other government-issued identification numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; any payment card information subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; information subject to restrictions under Applicable Data Protection Laws governing personal information of children, including all information about children under 13 years of age; or any information classified as "sensitive" or "special categories of data" under Data Protection Laws (collectively, "Prohibited Data"). Customer shall not provide, and Provider shall have no liability directly or indirectly arising from Prohibited Data.
6. Customer Data Responsibility
Customer and its Users will have access to the Customer Data and will be responsible for all changes to and/or deletions of Customer Data and the security of all account credentials and passwords required in order to access the Platform and the Cloud Service. Upon request to Customer's account manager, Provider may facilitate for Customer the ability to export Customer Data from the Platform. Provider is not obligated to back up any Customer Data; the Customer is solely responsible for creating backup copies of any Customer Data at Customer's sole cost and expense.
7. Third-Party Platforms
In order to provide the Cloud Service, the Platform integrates with Third-Party Platforms, including email hosting providers. Customer is responsible for enabling the integration of each Third-Party Platform and by doing so, Customer acknowledges that it is instructing Provider to share the Customer Data (including, to the extent necessary, any Personal Data) with the providers of such Third-Party Platforms in order to facilitate the integration. Customer is responsible for notifying such Third-Party Platforms provider of the integration. Such Third-Party Platforms are not under the control of Provider and Provider is not responsible for any Third-Party Platforms. Customer's use of the Third-Party Platforms is governed by the Customer's agreement with, and all applicable terms and policies including privacy and data gathering practices of, providers of the Third-Party Platforms.
8. AI Features
The Cloud Service may include computer artificial intelligence, including but not limited to a set of technologies that enable computers to perform a variety of advanced functions, including the ability to see, understand and translate spoken and written language, analyze data and make recommendations ("AI") features that utilize third party AI companies' technology ("Third Party AI Providers") and/or Provider's proprietary machine learning technology (collectively, "AI Features"), which are governed by the terms set out below. Provider reserves the right to update the list of AI Features from time to time.
8.1 Subprocessors. Third Party AI Providers act as sub-processor of any Customer Data, including personal data contained in Input (as defined below). All Customer Data and personal data processing activities by Third Party AI Providers will be governed by any DPA in place between Provider and Customer.
8.2 Input and Output. Any customer data, content and information (in any format) submitted to the Provider workspace by or on behalf of Customer, including, but not limited to, help center content and conversation data (including any personal data contained therein) ("Input") and results (in any format) generated by an AI Product based on such Input ("Output") are deemed Customer Data under the Agreement and subject to the rights, restrictions and obligations applicable thereto. Customer will only provide and/or instruct Provider to use Input and Output where the Customer is authorized to provide such content to Provider for the purposes set out in the Agreement. Third parties may submit information or materials to an AI Product that generate results that are identical or similar to Output ("Third-Party Results"), and Customer acknowledges it has no right, title or interest in or to any Third-Party Results.
8.3 Accuracy. Output may contain material inaccuracies and may not reflect correct, current or complete information. Customer will not rely, or encourage others to rely, on any Output without independently evaluating its accuracy and appropriateness of use, including, without limitation, by using human review. Provider makes no representations or warranties and provides no indemnities pursuant to this Agreement with respect to Output. The AI Features and Output are not intended to substitute for the services of properly trained and licensed individuals.
8.4 Transparency. Customer will ensure that: (i) Customer personnel who use the AI Features are informed that they are interacting with an AI system, and (ii) Output is not falsely represented as being human-generated by Customer.
8.5 Rights to Use. Customer permits Third Party AI Provider to use the Input to deliver Output solely in connection with the Cloud Service, comply with applicable Laws and enforce its respective policies.
8.6 Restrictions on Use. In addition to any general obligations and restrictions pertaining to Customer's use of Services under the Agreement, Customer represents and warrants that Customer will not use the AI Features:
- in a manner that violates applicable laws or regulations of any jurisdiction, including laws or regulations governing use of AI, or the rights of any third party;
- for the purposes of, or in a manner that has the effect of, discriminating against or harming individuals or groups based on any protected classification under applicable law, online or offline social behavior, or known or predicted personal or personality characteristics;
- for a purpose, or in a manner that could result in the AI Features being classified as, prohibited; high-risk; or in a similar manner under applicable AI laws or regulations, including use of AI Features for manipulation or deception; exploitation of vulnerabilities (e.g., age, disability, social/economic status); law enforcement or criminal risk assessment; biometric identification or classification; emotional recognition; critical infrastructure or product safety; determining access to education or vocational training; creditworthiness assessment or scoring; underwriting or pricing insurance; or evaluating eligibility for essential services;
- for decisions regarding recruitment or employment (provided that Customer may use AI Features as part of its search process for possible recruitment candidates), or worker monitoring;
- to develop any models that compete with Provider or any Third Party AI Providers; or
- in relation to providing services that are required to be provided by licensed professionals; or
- in violation of any relevant third party terms, policies or other agreements applicable to your use of the AI Features (as set out below and incorporated herein), which may be updated from time to time, including, without limitation:
- OpenAI Sharing and Publication Policy
- OpenAI Usage Policies
- OpenAI Service Terms
8.7 Customer Responsibility. Customer will be fully responsible for use of an AI Feature (including any and all Inputs submitted) by any User or other person as if performed by Customer. Customer will indemnify, defend, and hold harmless Provider from and against any third party claim arising from or relating to Customer's use of the AI Features in a manner that violates Third Party AI Providers' Policies or other requirements of this Section 8.
9. Support
Section 7.1 of Bonterms Cloud Terms shall be replaced in its entirety with the following provision:
Provider makes Cloud Service support available via email at support@ctd.ai. The support alias is monitored between the hours of 2am \- 6pm Eastern Time USA, Monday through Friday. Any email sent during this time will be responded to within 2 business hours. If an inquiry is made outside of support hours, then a response will be provided within 2 hours of the resumption of support hours. Provider will endeavor to resolve such support request as promptly as commercially reasonable.
10. Service Level Agreement
Section 7.2 of Bonterms Cloud Terms is replaced in its entirety with the following provision:
The Cloud Service shall be available 99.5% of each calendar month during the Order Term, excluding portions thereof during which the Cloud Service is undergoing Scheduled Maintenance. "Scheduled Maintenance" means the performance by Provider of regularly scheduled maintenance of the Cloud Services, with respect to which Provider shall provide no fewer than forty eight (48) hours prior written notice. Provider will use commercially reasonable efforts to perform Scheduled Maintenance during non-core business hours.
Attachment 1: Security Measures
- Organizational management and dedicated staff responsible for the development, implementation and maintenance of the Provider's information security program.
- Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Provider's organization, monitoring and maintaining compliance with Provider's policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
- Data security controls which include, at a minimum, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available industry standard encryption technologies for Customer Personal Data that is transmitted over public networks (i.e. the Internet) or when transmitted wirelessly or at rest or stored on portable or removable media (i.e. laptop computers, CD/DVD, USB drives, back-up tapes).
- Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
- Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that the Provider's passwords that are assigned to its employees: (i) be at least eight (8) characters in length, (ii) not be stored in readable format on the Provider's computer systems; (iii) must have defined complexity; (iv) must have a history threshold to prevent reuse of recent passwords; and (v) newly issued passwords must be changed after first use.
- System audit or event logging and related monitoring procedures to proactively record user access and system activity.
- Physical and environmental security of data centers, server room facilities and other areas containing Customer Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of the Provider's facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
- Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from the Provider's possession.
- Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to the Provider's technology and information assets.
- Incident management procedures designed to allow Provider to investigate, respond to, mitigate and notify of events related to the Provider's technology and information assets.
- Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
- Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
- Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergencies or disasters.
Attachment 2: Data Protection Addendum
This DPA Setup Page is incorporated into the Agreement by reference. By executing an Order that references the Agreement, Customer and Provider enter into the Bonterms Data Protection Addendum (DPA) (Version 1.0) (available at https://bonterms.com/forms/data-protection-addendum-v1/) by this reference. The DPA includes the contents of this DPA Setup Page, including the Key Terms and Schedules set forth below. Capitalized terms not defined in this DPA Setup Page have the meanings given in the Bonterms Data Protection Addendum.
KEY TERMS
Agreement means the Agreement to which this DPA is attached.
Cloud Service has the meaning given in the Agreement.
DPA Effective Date means the date Customer first used the Cloud Service.
Subprocessor List means the list available at https://ctd.ai/subprocessors or such other web page as Provider may make available to Customer from time to time, as updated by Provider from time to time.
ADDITIONAL TERMS
The following additions to or modifications of the Bonterms Data Protection Addendum are agreed by the parties and control in the event of any conflicts between these additional terms and any other provisions of the Bonterms Data Protection Addendum.
1. Definitions. The following terms shall have the following meanings:
Cloud Service and Customer Data have the meanings given in the Agreement.
Specified Notice Period is the later of 2 business days or 72 hours.
2. Scope. The terms of this DPA apply solely with respect to Provider's Processing of Customer Personal Data subject to Data Protection Laws expressly requiring data protection terms to be included in contracts, including contracts with Processors or Service Providers (as defined in the CCPA).
3. User's Contacts. Customer acknowledges and agrees that Provider is a Controller of Authorized Users' Contacts.
4. Customer Personal Data Deletion. Provider will comply with Customer's instruction to delete Customer Personal Data upon expiration or termination of the Agreement as soon as reasonably practicable and no later than 180 days after such expiration or termination, unless Data Protection Laws require storage. Customer may choose to request a copy of such Customer Personal Data from Provider for an additional charge by requesting it in writing at least 30 days prior to expiration or termination of the Agreement. Upon the parties' agreement to such charge pursuant to an Order or other amendment to the Agreement, Provider will provide such copy of such Customer Personal Data before it is deleted in accordance with this clause.
SCHEDULES
The following schedules form part of this DPA:
- Schedule 1: Subject Matter and Details of Processing
- Schedule 2: Technical and Organizational Measures
- Schedule 3: Cross-Border Transfer Mechanisms
- Schedule 4: Region-Specific Terms
Schedule 1: Subject Matter and Details of Data Processing
Name, contact details for data protection, and main address: As set out in the signature block of the applicable Order Form.
Activities: See the Customer/Data Exporter website associated with the email domain identified in the Order and the Provider/Data Importer website at ctd.ai for descriptions of their respective activities.
Role: Customer is Data Exporter and Controller and Provider is Data Importer and Processor.
Categories of Data Subjects: Users
Categories of Customer Personal Data: Users' emails and data derived from them, such as Users' correspondents' contact details and the strength of Users' connections to their correspondents based on frequency of email.
Sensitive/Special Categories of Data and additional associated restrictions/safeguards: N/A
Frequency of transfer: Continuous
Nature of the Processing: Provision of digital relationship analytics platform.
Purpose of the Processing: Customer Personal Data will be processed: (i) as necessary to provide the Services as initiated by Customer in its use thereof, and (ii) to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA.
Duration of Processing / retention period: Duration of the term of the Agreement.
Transfers to Subprocessors: To Subprocessors identified in Subprocessor List in the DPA Setup Page.
Schedule 2: Technical and Organizational Measures
The Security Measures (as defined in the Agreement) are incorporated into this Schedule 2 by this reference.
Schedule 3: Cross-Border Transfer Mechanisms
1. Definitions. Capitalized terms not defined in this Schedule are defined in the DPA.
1.1. "EU Standard Contractual Clauses" or "EU SCCs" means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
1.2. "UK International Data Transfer Agreement" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force as of March 21, 2022.
1.3. In addition:
- Designated EU Governing Law means Laws of Ireland
- Designated EU Member State means Ireland
2. EU Transfers. Where Customer Personal Data is protected by EU GDPR and is subject to a Restricted Transfer, the following applies:
2.1. The EU SCCs are hereby incorporated by reference as follows:
(a) Module 2 (Controller to Processor) applies where Customer is a Controller of Customer Personal Data and Provider is a Processor of Customer Personal Data;
(b) Module 3 (Processor to Processor) applies where Customer is a Processor of Customer Personal Data (on behalf of a third-party Controller) and Provider is a Processor of Customer Personal Data;
(c) Customer is the "data exporter" and Provider is the "data importer"; and
(d) by entering this DPA, each party is deemed to have signed the EU SCCs (including their Annexes) as of the DPA Effective Date.
2.2. For each Module, where applicable the following applies:
(a) the optional docking clause in Clause 7 does not apply;
(b) in Clause 9, Option 2 will apply, the minimum period for prior notice of Subprocessor changes shall be as set out in Section 4.3 of this DPA, and Provider shall fulfill its notification obligations by notifying Customer of any Subprocessor changes in accordance with Section 4.3 of this DPA;
(c) in Clause 11, the optional language does not apply;
(d) in Clause 13, all square brackets are removed with the text remaining;
(e) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Designated EU Governing Law;
(f) in Clause 18(b), disputes will be resolved before the courts of the Designated EU Member State;
(g) Schedule 1 (Subject Matter and Details of Processing) to this DPA contains the information required in Annex 1 of the EU SCCs; and
(h) Schedule 2 (Technical and Organizational Measures) to this DPA contains the information required in Annex 2 of the EU SCCs.
2.3. Where context permits and requires, any reference in this DPA to the EU SCCs shall be read as a reference to the EU SCCs as modified in the manner set forth in this Section 2.
3. Swiss Transfers. Where Customer Personal Data is protected by the FADP and is subject to Restricted Transfer, the following applies:
3.1. The EU SCCs apply as set forth in Section 2 (EU Transfers) of this Schedule 3 with the following modifications:
(a) in Clause 13, the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner;
(b) in Clause 17 (Option 1), the EU SCCs will be governed by the laws of Switzerland;
(c) in Clause 18(b), disputes will be resolved before the courts of Switzerland;
(d) the term Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c); and
(e) all references to the EU GDPR in this DPA are also deemed to refer to the FADP.
4. UK Transfers. Where Customer Personal Data is protected by the UK GDPR and is subject to a Restricted Transfer, the following applies:
4.1. The EU SCCs apply as set forth in Section 2 (EU Transfers) of this Schedule 3 with the following modifications:
(a) each party shall be deemed to have signed the "UK Addendum to the EU Standard Contractual Clauses" ("UK Addendum") issued by the Information Commissioner's Office under section 119(A) of the Data Protection Act 2018;
(b) the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of Customer Personal Data;
(c) in Table 1 of the UK Addendum, the parties' key contact information is in Schedule 1 (Subject Matter and Details of Processing) to this DPA;
(d) in Table 2 of the UK Addendum, information about the version of the EU SCCs, modules and selected clauses which this UK Addendum is appended to are located above in this Schedule 3;
(e) in Table 3 of the UK Addendum:
(i) the list of parties is in Schedule 1 (Subject Matter and Details of Processing) to this DPA;
(ii) the description of transfer is in Schedule 1 (Subject Matter and Details of Processing) to this DPA;
(iii) Annex II is in Schedule 2 (Technical and Organizational Measures) to this DPA; and
(iv) the list of Subprocessors is in Schedule 1 (Subject Matter and Details of Processing) to this DPA.
(f) in Table 4 of the UK Addendum, both the Importer and the Exporter may end the UK Addendum in accordance with its terms (and the respective box for each is deemed checked); and
(g) in Part 2: Part 2 — Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119(A) of the Data Protection Act 2018 on 2 February 2022, as it is revised under section 18 of those Mandatory Clauses.
5. Data Privacy Framework. For clarity, a transfer of Customer Personal Data from the EU, UK or Switzerland to Provider in the United States subject to the EU-U.S. Data Privacy Shield Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and/or the Swiss-U.S. Data Privacy Shield Framework, as applicable (collectively, the "DPF"), shall not constitute a Restricted Transfer so long as Provider maintains an active certification to the DPF and certification to the DPF remains a legal basis for transfer of Personal Data to the United States under the GDPR, UK GDPR or FADP, as applicable.
Schedule 4: Region-Specific Terms
A. CALIFORNIA
1. Definitions
1.1. CCPA and other capitalized terms not defined in this Schedule are defined in the DPA.
1.2. "business purpose", "commercial purpose", "personal information", "sell", "service provider" and "share" have the meanings given in the CCPA.
1.3. The definition of "Data Subject" includes "consumer" as defined under the CCPA.
1.4. The definition of "Controller" includes "business" as defined under the CCPA.
1.5. The definition of "Processor" includes "service provider" as defined under the CCPA.
2. Obligations.
2.1. Customer is providing the Customer Personal Data to Provider under the Agreement for the limited and specific business purposes of providing the Cloud Service as described in Schedule 1 (Subject Matter and Details of Processing) to this DPA and otherwise performing under the Agreement.
2.2. Provider will comply with its applicable obligations under the CCPA and provide the same level of privacy protection to Customer Personal Data as is required by the CCPA.
2.3. Provider acknowledges that Customer has the right to: (i) take reasonable and appropriate steps under Section 9 (Audits) of this DPA to help to ensure that Provider's use of Customer Personal Data is consistent with Customer's obligations under the CCPA, (ii) receive from Provider notice and assistance under Section 7 (Data Subject Requests) of this DPA regarding consumers' requests to exercise rights under the CCPA and (iii) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
2.4. Provider will notify Customer promptly after it determines that it can no longer meet its obligations under the CCPA.
2.5. Provider will not retain, use or disclose Customer Personal Data: (i) for any purpose, including a commercial purpose, other than the business purposes described in Section 2.1 of this Section A (California) of Schedule 4 or (ii) outside of the direct business relationship between Provider with Customer, except, in either case, where and to the extent permitted by the CCPA.
2.6. Provider will not sell or share Customer Personal Data received under the Agreement.
2.7. Provider will not combine Customer Personal Data with other personal information except to the extent a service provider is permitted to do so by the CCPA.
Attachment 3: Reference Copy of Bonterms Cloud Terms
Bonterms Cloud Terms (Version 1.0)
1. The Agreement. The Bonterms Cloud Terms are standardized terms for use of cloud services. To use the Bonterms Cloud Terms, Customer and Provider complete and execute a Cover Page that specifies Key Terms, Attachments (such as a Support Policy or Data Protection Addendum) and any Additional Terms. Collectively, the Bonterms Cloud Terms, Cover Page and any Orders form the parties' agreement ("Agreement"). Conflicts between parts of the Agreement are governed by Section 22.5 (Order of Precedence). Capitalized terms are defined in context or in Section 23 (Definitions).
2. Cloud Service. Subject to this Agreement, Customer may use the Cloud Service for its own business purposes during each Subscription Term ("Permitted Use"). This includes the right to copy and use the Provider Software (if any) and Documentation as part of Customer's Permitted Use. Customer will comply with the Documentation in using the Cloud Service.
3. Users. Customer may permit Users to use the Cloud Service on its behalf. Customer is responsible for provisioning and managing its User accounts, for its Users' actions through the Cloud Service and for their compliance with this Agreement. Customer will ensure that Users keep their login credentials confidential and will promptly notify Provider upon learning of any compromise of User accounts or credentials.
4. Affiliates. Customer's Affiliates may serve as Users under this Agreement. Alternatively, Customer's Affiliates may enter into their own Orders as mutually agreed with Provider, which creates a separate agreement between each such Affiliate and Provider incorporating this Agreement with the Affiliate treated as "Customer". Neither Customer nor any Customer Affiliate has any rights under each other's separate agreement with Provider, and breach or termination of any such separate agreement affects only that agreement.
5. Data.
5.1. Use of Customer Data. Subject to this Agreement, Provider will access and use Customer Data solely to provide and maintain the Cloud Service, Support and Professional Services under this Agreement ("Use of Customer Data"). Use of Customer Data includes sharing Customer Data as Customer directs through the Cloud Service, but Provider will not otherwise disclose Customer Data to third parties except as permitted in this Agreement.
5.2. Security. Provider will implement and maintain the Security Measures identified on the Cover Page. If no Security Measures are identified, Provider will use appropriate technical and organizational measures designed to prevent unauthorized access, use, alteration or disclosure of Customer Data.
5.3. DPA. The parties will adhere to the Data Protection Addendum (DPA), if any, identified on the Cover Page.
5.4. Usage Data. Provider may collect Usage Data and use it to operate, improve and support the Cloud Service and for other lawful business purposes, including benchmarking and reports. However, Provider will not disclose Usage Data externally unless it is (a) de-identified so that it does not identify Customer, its Users or any other person and (b) aggregated with data across other customers.
6. Mutual Compliance with Laws. Each party will comply with all Laws that apply to its performance under this Agreement.
7. Support and SLA.
7.1. Support. Provider will provide Support for the Cloud Service as described in the Support Policy on the Cover Page. If no Support Policy is identified, Provider will provide Support for the Cloud Service consistent with industry-standards and its general business practices.
7.2. SLA. Provider will adhere to the Service Level Agreement (SLA) identified on the Cover Page. If no SLA is identified, Provider will use commercially reasonable efforts to make the Cloud Service available for Customer's use 99.9% of the time in each month.
8. Warranties.
8.1. Mutual Warranties. Each party represents and warrants that:
(a) it has the legal power and authority to enter into this Agreement, and
(b) it will use industry-standard measures to avoid introducing Viruses into the Cloud Service.
8.2. Additional Provider Warranties. Provider warrants that:
(a) the Cloud Service will perform materially as described in the Documentation and Provider will not materially decrease the overall functionality of the Cloud Service during a Subscription Term (the "Performance Warranty"), and
(b) any Professional Services will be provided in a professional and workmanlike manner (the "Professional Services Warranty").
8.3. Warranty Remedy. Provider will use reasonable efforts to correct a verified breach of the Performance Warranty or Professional Services Warranty reported by Customer. If Provider fails to do so within 30 days after Customer's warranty report ("Fix Period"), then either party may terminate the Order as relates to the non-conforming Cloud Service or Professional Services, in which case Provider will refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term (for the Performance Warranty) or for the non-conforming Professional Services (for the Professional Services Warranty). To receive these remedies, Customer must report a breach of warranty in reasonable detail within 30 days after discovering the issue in the Cloud Service or 30 days after delivery of the relevant Professional Services ("Claim Period"). These procedures are Customer's exclusive remedies and Provider's sole liability for breach of the Performance Warranty or Professional Services Warranty.
8.4. Disclaimers. Except as expressly set out in this Agreement, each party disclaims all warranties, whether express, implied, statutory or otherwise, including warranties of merchantability, fitness for a particular purpose, title and noninfringement. Provider's warranties in this Section 8 do not apply to issues arising from Third Party Platforms or misuse or unauthorized modifications of the Cloud Service. These disclaimers apply to the full extent permitted by Law.
9. Usage Rules.
9.1. Compliance. Customer (a) will comply with any Acceptable Use Policy (AUP) identified on the Cover Page and (b) represents and warrants that it has all rights necessary to use Customer Data with the Cloud Service and grant Provider the rights to Customer Data specified in this Agreement, without violating third-party intellectual property, privacy or other rights. Between the parties, Customer is responsible for the content and accuracy of Customer Data.
9.2. High Risk Activities & Sensitive Data. Customer:
(a) will not use the Cloud Service for High Risk Activities,
(b) will not submit Sensitive Data to the Cloud Service, and
(c) acknowledges that the Cloud Service is not designed for (and Provider has no liability for) use prohibited in this Section 9.2.
9.3. Restrictions. Customer will not and will not permit anyone else to: (a) sell, sublicense, distribute or rent the Cloud Service (in whole or part), grant non-Users access to the Cloud Service or use the Cloud Service to provide a hosted or managed service to others, (b) reverse engineer, decompile or seek to access the source code of the Cloud Service, except to the extent these restrictions are prohibited by Laws and then only upon advance notice to Provider, (c) copy, modify, create derivative works of or remove proprietary notices from the Cloud Service, (d) conduct security or vulnerability tests of the Cloud Service, interfere with its operation or circumvent its access restrictions or (e) use the Cloud Service to develop a product that competes with the Cloud Service.
10. Third-Party Platforms. Customer may choose to enable integrations or exchange Customer Data with Third-Party Platforms. Customer's use of a Third-Party Platform is governed by its agreement with the relevant provider, not this Agreement, and Provider is not responsible for Third-Party Platforms or how their providers use Customer Data.
11. Professional Services. Provider will perform Professional Services as described in an Order or Statement of Work, which may identify additional terms or milestones for the Professional Services. Customer will give Provider timely access to Customer Materials reasonably needed for Professional Services, and Provider will use the Customer Materials only for purposes of providing Professional Services. Subject to any limits in an Order or Statement of Work, Customer will reimburse Provider's reasonable travel and lodging expenses incurred in providing Professional Services. Customer may use code or other deliverables that Provider furnishes as part of Professional Services only in connection with Customer's authorized use of the Cloud Service under this Agreement.
12. Fees.
12.1. Payment. Customer will pay the fees described in the Order. Unless the Order states otherwise, all amounts are due within 30 days after the invoice date (the "Payment Period"). Late payments are subject to a charge of 1.5% per month or the maximum amount allowed by Law, whichever is less. All fees and expenses are non-refundable except as expressly set out in this Agreement.
12.2. Taxes. Customer is responsible for any sales, use, GST, value-added, withholding or similar taxes or levies that apply to its Orders, whether domestic or foreign ("Taxes"), other than Provider's income tax. Fees and expenses are exclusive of Taxes.
12.3. Payment Disputes. If Customer disputes an invoice in good faith, it will notify Provider within the Payment Period and the parties will seek to resolve the dispute over a 15-day discussion period. Customer is not required to pay disputed amounts during the discussion period, but will timely pay all undisputed amounts. After the discussion period, either party may pursue any available remedies.
13. Suspension. Provider may suspend Customer's access to the Cloud Service and related services due to a Suspension Event, but where practicable will give Customer prior notice so that Customer may seek to resolve the issue and avoid suspension. Provider is not required to give prior notice in exigent circumstances or for a suspension made to avoid material harm or violation of Law. Once the Suspension Event is resolved, Provider will promptly restore Customer's access to the Cloud Service in accordance with this Agreement. "Suspension Event" means (a) Customer's account is 30 days or more overdue, (b) Customer is in breach of Section 9 (Usage Rules) or (c) Customer's use of the Cloud Service risks material harm to the Cloud Service or others.
14. Term and Termination.
14.1. Subscription Terms. Each Subscription Term will last for an initial 12-month period unless the Order states otherwise. Each Subscription Term will renew for successive periods unless (a) the parties agree on a different renewal Order or (b) either party notifies the other of non-renewal at least 30 days prior to the end of the current Subscription Term.
14.2. Term of Agreement. This Agreement starts on the Effective Date and continues until the end of all Subscription Terms, unless sooner terminated in accordance with its terms. If no Subscription Term is in effect, either party may terminate this Agreement for any or no reason with notice to the other party.
14.3. Termination. Either party may terminate this Agreement (including all Subscription Terms) if the other party (a) fails to cure a material breach of this Agreement within 30 days after notice, (b) ceases operation without a successor or (c) seeks protection under a bankruptcy, receivership, trust deed, creditors' arrangement, composition or comparable proceeding, or if such a proceeding is instituted against that party and not dismissed within 60 days.
14.4. Data Export & Deletion.
(a) During a Subscription Term, Customer may export Customer Data from the Cloud Service (or Provider will otherwise make the Customer Data available to Customer) as described in the Documentation.
(b) After termination or expiration of this Agreement, within 60 days of request, Provider will delete Customer Data and each party will delete any Confidential Information of the other in its possession or control.
(c) Nonetheless, the recipient may retain Customer Data or Confidential Information in accordance with its standard backup or record retention policies or as required by Law, subject to Section 5.2 (Security), Section 18 (Confidentiality) and any DPA.
14.5. Effect of Termination.
(a) Customer's right to use the Cloud Service, Support and Professional Services will cease upon any termination or expiration of this Agreement, subject to this Section 14.
(b) The following Sections will survive expiration or termination of this Agreement: 5.4 (Usage Data), 8.4 (Disclaimers), 9 (Usage Rules), 12.1 (Payment) (for amounts then due), 12.2 (Taxes), 14.4 (Data Export & Deletion), 14.5 (Effect of Termination), 15 (Intellectual Property), 16 (Limitations of Liability), 17 (Indemnification), 18 (Confidentiality), 19 (Required Disclosures), 22 (General Terms) and 23 (Definitions).
(c) Except where an exclusive remedy is provided, exercising a remedy under this Agreement, including termination, does not limit other remedies a party may have.
15. Intellectual Property.
15.1. Reserved Rights. Neither party grants the other any rights or licenses not expressly set out in this Agreement. Except for Provider's express rights in this Agreement, as between the parties, Customer retains all intellectual property and other rights in Customer Data and Customer Materials provided to Provider. Except for Customer's express rights in this Agreement, as between the parties, Provider and its licensors retain all intellectual property and other rights in the Cloud Service, Professional Services deliverables and related Provider technology.
15.2. Feedback. If Customer gives Provider feedback regarding improvement or operation of the Cloud Service, Support or Professional Services, Provider may use the feedback without restriction or obligation. All feedback is provided "AS IS" and Provider will not publicly identify Customer as the source of feedback without Customer's permission.
16. Limitations of Liability.
16.1. General Cap. Each party's entire liability arising out of or related to this Agreement will not exceed the General Cap.
16.2. Consequential Damages Waiver. Neither party will have any liability arising out of or related to this Agreement for indirect, special, incidental, reliance or consequential damages or damages for loss of use, lost profits or interruption of business, even if informed of their possibility in advance.
16.3. Exceptions and Enhanced Cap. Sections 16.1 (General Cap) and 16.2 (Consequential Damages Waiver) will not apply to Enhanced Claims or Uncapped Claims. For all Enhanced Claims, each party's entire liability will not exceed the Enhanced Cap.
16.4. Nature of Claims. The waivers and limitations in this Section 16 apply regardless of the form of action, whether in contract, tort (including negligence), strict liability or otherwise and will survive and apply even if any limited remedy in this Agreement fails of its essential purpose.
16.5. Liability Definitions. The following definitions apply unless modified on the Cover Page.
"Enhanced Cap" means three times (3x) the General Cap.
"Enhanced Claims" means Provider's breach of Section 5.2 (Security) or either party's breach of Section 5.3 (DPA).
"General Cap" means amounts paid or payable by Customer to Provider under this Agreement in the 12 months immediately preceding the first incident giving rise to liability.
"Uncapped Claims" means (a) the indemnifying party's obligations under Section 17 (Indemnification), (b) either party's infringement or misappropriation of the other party's intellectual property rights, (c) any breach of Section 18 (Confidentiality), excluding breaches related to Customer Data and (d) liabilities that cannot be limited by Law.
17. Indemnification.
17.1. Indemnification by Provider. Provider, at its own cost, will defend Customer from and against any Provider-Covered Claims and will indemnify and hold harmless Customer from and against any damages or costs awarded against Customer (including reasonable attorneys' fees) or agreed in settlement by Provider resulting from the Provider-Covered Claims.
17.2. Indemnification by Customer. Customer, at its own cost, will defend Provider from and against any Customer-Covered Claims and will indemnify and hold harmless Provider from and against any damages or costs awarded against Provider (including reasonable attorneys' fees) or agreed in settlement by Customer resulting from the Customer-Covered Claims.
17.3. Indemnification Definitions. The following definitions apply unless modified on the Cover Page.
"Customer-Covered Claim" means a third-party claim arising from Customer's breach or alleged breach of Section 9.1 (Compliance) or 9.2 (High-Risk Activities & Sensitive Data).
"Provider-Covered Claim" means a third-party claim that the Cloud Service, when used by Customer as authorized in this Agreement, infringes or misappropriates a third party's intellectual property rights.
17.4. Procedures. The indemnifying party's obligations in this Section 17 are subject to receiving from the indemnified party: (a) prompt notice of the claim (but delayed notice will only reduce the indemnifying party's obligations to the extent it is prejudiced by the delay), (b) the exclusive right to control the claim's investigation, defense and settlement and (c) reasonable cooperation at the indemnifying party's expense. The indemnifying party may not settle a claim without the indemnified party's prior approval if settlement would require the indemnified party to admit fault or take or refrain from taking any action (except regarding use of the Cloud Service when Provider is the indemnifying party). The indemnified party may participate in a claim with its own counsel at its own expense.
17.5. Mitigation. In response to an infringement or misappropriation claim, if required by settlement or injunction or as Provider determines necessary to avoid material liability, Provider may: (a) procure rights for Customer's continued use of the Cloud Service, (b) replace or modify the allegedly infringing portion of the Cloud Service to avoid infringement, without reducing the Cloud Service's overall functionality or (c) terminate the affected Order and refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term.
17.6. Exceptions. Provider's obligations in this Section 17 do not apply to claims resulting from (a) modification or unauthorized use of the Cloud Service, (b) use of the Cloud Service in combination with items not provided by Provider, including Third-Party Platforms or (c) Provider Software other than the most recent release, if Provider made available (at no additional charge) a newer release that would avoid infringement.
17.7. Exclusive Remedy. This Section 17 sets out the indemnified party's exclusive remedy and the indemnifying party's sole liability regarding third-party claims of intellectual property infringement or misappropriation covered by this Section 17.
18. Confidentiality.
18.1. Use and Protection. As recipient, each party will (a) use Confidential Information only to fulfill its obligations and exercise its rights under this Agreement, (b) not disclose Confidential Information to third parties without the discloser's prior approval, except as permitted in this Agreement and (c) protect Confidential Information using at least the same precautions recipient uses for its own similar information and no less than a reasonable standard of care.
18.2. Permitted Disclosures. The recipient may disclose Confidential Information to its employees, agents, contractors and other representatives having a legitimate need to know (including, for Provider, the subcontractors referenced in Section 22.10), provided it remains responsible for their compliance with this Section 18 and they are bound to confidentiality obligations no less protective than this Section 18.
18.3. Exclusions. These confidentiality obligations do not apply to information that the recipient can document (a) is or becomes public knowledge through no fault of the recipient, (b) it rightfully knew or possessed, without confidentiality restrictions, prior to receipt from the discloser, (c) it rightfully received from a third party without confidentiality restrictions or (d) it independently developed without using or referencing Confidential Information.
18.4. Remedies. Breach of this Section 18 may cause substantial harm for which monetary damages are an insufficient remedy. Upon a breach of this Section, the discloser is entitled to seek appropriate equitable relief, including an injunction, in addition to other remedies.
19. Required Disclosures. The recipient may disclose Confidential Information (including Customer Data) to the extent required by Laws. If permitted by Law, the recipient will give the discloser reasonable advance notice of the required disclosure and reasonably cooperate, at the discloser's expense, to obtain confidential treatment for the Confidential Information.
20. Publicity. Neither party may publicly announce this Agreement without the other party's prior approval or except as required by Laws.
21. Trials and Betas. Provider may offer optional Trials and Betas. Use of Trials and Betas is permitted only for Customer’s internal evaluation during the period designated by Provider on the Order (or if not designated, 30 days). Either party may terminate Customer’s use of Trials and Betas at any time for any reason. Trials and Betas may be inoperable, incomplete or include features never released. Notwithstanding anything else in this Agreement, Provider offers no warranty, indemnity, SLA or Support for Trials and Betas and its liability for Trials and Betas will not exceed US$1,000.
22. General Terms.
22.1. Assignment. Neither party may assign this Agreement without the prior consent of the other party, except that either party may assign this Agreement, with notice to the other party, in connection with the assigning party's merger, reorganization, acquisition or other transfer of all or substantially all of its assets or voting securities. Any non-permitted assignment is void. This Agreement will bind and inure to the benefit of each party's permitted successors and assigns.
22.2. Governing Law and Courts. The Governing Law governs this Agreement and any action arising out of or relating to this Agreement, without reference to conflict of law rules. The parties will adjudicate any such action in the Courts and each party consents to the exclusive jurisdiction and venue of the Courts for these purposes.
22.3. Notices.
(a) Except as set out in this Agreement, notices, requests and approvals under this Agreement must be in writing to the addresses on the Cover Page and will be deemed given: (1) upon receipt if by personal delivery, (2) upon receipt if by certified or registered U.S. mail (return receipt requested), (3) one day after dispatch if by a commercial overnight delivery or (4) upon delivery if by email. Either party may update its address with notice to the other.
(b) Provider may also send operational notices through the Cloud Service.
22.4. Entire Agreement. This Agreement is the parties' entire agreement regarding its subject matter and supersedes any prior or contemporaneous agreements regarding its subject matter. In this Agreement, headings are for convenience only and "including" and similar terms are to be construed without limitation. Excluding Orders, terms in business forms, purchase orders or quotes used by either party will not amend or modify this Agreement; any such documents are for administrative purposes only. This Agreement may be executed in counterparts (including electronic copies and PDFs), each of which is deemed an original and which together form one and the same agreement.
22.5. Order of Precedence. First any Additional Terms and then Attachments will control in any conflict with these Bonterms Cloud Terms. An Order may not modify any other part of the Agreement unless the Order specifically identifies the provisions that it supersedes.
22.6. Amendments. Any amendments to this Agreement must be in writing and signed by each party's authorized representatives.
22.7. Operational Changes. With notice to Customer, Provider may modify the Support Policy, SLA or Security Measures to reflect new features or changing practices, but the modifications may not be retroactive or materially decrease Provider's overall obligations during a Subscription Term.
22.8. Waivers and Severability. Waivers must be signed by the waiving party's authorized representative and cannot be implied from conduct. If any provision of this Agreement is held invalid, illegal or unenforceable, it will be limited to the minimum extent necessary so the rest of this Agreement remains in effect.
22.9. Force Majeure. Neither party is liable for a delay or failure to perform this Agreement due to a Force Majeure. If a Force Majeure materially adversely affects the Cloud Service for 15 or more consecutive days, either party may terminate the affected Order(s) upon notice to the other and Provider will refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term. However, this Section does not limit Customer's obligations to pay fees owed.
22.10. Subcontractors. Provider may use subcontractors and permit them to exercise its rights and fulfill its obligations, but Provider remains responsible for their compliance with this Agreement and for its overall performance under this Agreement. This does not limit any additional terms for subprocessors under a DPA.
22.11. Independent Contractors. The parties are independent contractors, not agents, partners or joint venturers.
22.12. No Third-Party Beneficiaries. There are no third-party beneficiaries to this Agreement.
22.13. Open Source. Provider Software distributed to Customer (if any) may include third-party open source software ("Open Source") as listed in the Documentation or by Provider upon request. If Customer elects to use the Open Source on a stand-alone basis, that use is subject to the applicable Open Source license and not this Agreement.
22.14. Export. Each party (a) will comply with all export and import Laws in performing this Agreement and (b) represents and warrants that it is not listed on any U.S. government list of prohibited or restricted parties or located in (or a national of) a country subject to a U.S. government embargo or designated by the U.S. government as a "terrorist supporting" country. Customer will not submit to the Cloud Service any data controlled under the U.S. International Traffic in Arms Regulations.
22.15. Government Rights. To the extent applicable, the Cloud Service is "commercial computer software" or a "commercial item" for purposes of FAR 12.212 for and DFARS 227.7202. Use, reproduction, release, modification, disclosure or transfer of the Cloud Service is governed solely by the terms of this Agreement, and all other use is prohibited.
23. Definitions.
"Acceptable Use Policy" or "AUP" is defined in Section 9.1 (Compliance).
"Additional Terms" means any additions to or modifications of these Bonterms Cloud Terms that the parties specify on the Cover Page.
"Affiliate" means an entity controlled, controlling or under common control with a party, where control means at least 50% ownership or power to direct an entity's management.
"Agreement" has the meaning given in Section 1 (The Agreement).
"Attachments" means any attachments, policies or documents that the parties specify on the Cover Page.
"Bonterms Cloud Terms" means these Bonterms Cloud Terms (Version 1.0).
"Cloud Service" means Provider's proprietary cloud service, as identified in the relevant Order and as modified from time to time. The Cloud Service includes the Provider Software and Documentation but not Professional Services deliverables or Third-Party Platforms.
"Confidential Information" means information disclosed by or on behalf of one party (as discloser) to the other party (as recipient) under this Agreement, in any form, which (a) the discloser identifies to recipient as "confidential" or "proprietary" or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Provider's Confidential Information includes technical or performance information about the Cloud Service, and Customer's Confidential Information includes Customer Data. Information on the Cover Page is each party's Confidential Information.
"Cover Page" means a Bonterms cover page or other document that (a) incorporates these Bonterms Cloud Terms by reference, (b) specifies the Key Terms and any Additional Terms and incorporates any Attachments and (c) is signed by Customer and Provider.
"Customer" means the party identified as "Customer" on the Cover Page.
"Customer Data" means any data, content or materials that Customer (including its Users) submits to its Cloud Service accounts, including from Third-Party Platforms.
"Customer Materials" means materials and resources that Customer makes available to Provider in connection with Professional Services.
"Data Protection Addendum" or "DPA" is defined in Section 5.3 (DPA).
"Documentation" means Provider's standard usage documentation for the Cloud Service.
"Force Majeure" means an unforeseen event beyond a party's reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, third-party Internet or utility failure, refusal of government license or natural disaster, where the affected party takes reasonable and customary measures to avoid or mitigate such event's effects.
"High Risk Activities" means activities where use or failure of the Cloud Service could lead to death, personal injury or environmental damage, including life support systems, emergency services, nuclear facilities, autonomous vehicles or air traffic control.
"Key Terms" means Effective Date, Governing Law, Courts or other terms specified by the parties as "Key Terms" on the Cover Page.
"Laws" means all laws, regulations, rules, court orders or other binding requirements of a government authority that apply to a party.
"Order" means an order for Customer's access to the Cloud Service, Support, Professional Services or related services that is executed by the parties and references this Agreement.
"Personal Data" means Customer Data relating to an identified or identifiable natural person.
"Professional Services" means training, migration or other professional services that Provider furnishes to Customer related to the Cloud Service.
"Provider" means the party identified as "Provider" on the Cover Page.
"Provider Software" means any proprietary apps or software that Provider distributes to Customer as part of the Cloud Service.
"Sensitive Data" means (a) patient, medical or other protected health information regulated by the Health Insurance Portability and Accountability Act (as amended and supplemented) ("HIPAA"), (b) credit, debit, bank account or other financial account numbers, (c) social security numbers, driver's license numbers or other government ID numbers and (d) special categories of data enumerated in European Union Regulation 2016/679, Article 9(1) or any successor legislation.
"Service Level Agreement" or "SLA" is defined in Section 7.2 (SLA).
"Statement of Work" means a statement of work for Professional Services that is executed by the parties and references this Agreement.
"Subscription Term" means the term for Customer's use of the Cloud Service as identified in an Order.
"Support" means support for the Cloud Service as described in Section 7.1 (Support).
"Support Policy" is defined in Section 7.1 (Support).
"Third-Party Platform" means any product, add-on or platform not provided by Provider that Customer uses with the Cloud Service.
"Usage Data" means Provider's technical logs, data and learnings about Customer's use of the Cloud Service, but excluding Customer Data.
"User" means anyone that Customer allows to use its accounts for the Cloud Service, who may include (a) employees, advisors and contractors of Customer and its Affiliates and (b) others if permitted in this Agreement, the Documentation or an Order.
"Virus" means viruses, malicious code or similar harmful materials.