NTREPID SUBSCRIPTION SERVICES
LAST UPDATED: May 17, 2023, v1.11
Ntrepid, LLC, a Florida limited liability company, with its principle place of business at 12801 Worldgate Drive, Suite 800, Herndon, VA 20170 (“Ntrepid”), and the party (“Customer”) named in the Order (as defined below) have entered into an agreement for Ntrepid to provide the Services (as defined below) and agree that the Order, Ntrepid quote, the following terms and conditions (these “Terms of Service”), and to the extent applicable, any Data Protection Addendum and/or Information Security Addendum annexed hereto, constitute the exclusive and binding agreement between them (collectively, the “Agreement”); provided that nothing in the Order shall alter or modify these Terms of Service or any annex hereto unless an authorized Ntrepid representative has agreed in writing to such alterations or modifications. Ntrepid and Customer may be referred to herin as a “Party” or collectively as the “Parties.”
1. DEFINITIONS.
Capitalized terms used in these Terms of Service and not otherwise defined shall have the below meanings. Capitalized terms not defined herein shall be given their common and ordinary meaning.
“Bandwidth” means the monthly average rate of data transfer measured in Megabits per second (Mbps) that is used by Customer as a result of making Requests.
“Customer Data” means data that Customer stores in a Ntrepid’s Hosted Environment in connection with the Services. Customer Data is distinguished from Personal Data as defined herein.
“Data Protection Addendum” means to the extent applicable, an agreement annexed hereto between Ntrepid and Customer that establishes the circumstances under which Ntrepid, as a Service Provider, may Process Personal Data of Customer in accordance with Applicable Law relating to data privacy and data protection laws. For purposes of the preceding sentence, the terms “Process,” “Service Provider,” and “Applicable Law” shall have the meaning set forth in the Data Protection Addendum.
“Documentation” means any user documentation provided to Customer by Ntrepid in connection with its provision of the Services describing the functionality, features, and operating characteristics of the Services, including all replacements, updates, additions and changes thereto from time to time made by Ntrepid, as well as any other third-party documentation relating to the Service
“Hosted Environment” means an environment that is deployed within Ntrepid’s datacenters and supports multiple Customer tenants.
“Information Security Addendum” means an agreement annexed hereto between Ntrepid and Customer that: (i) applies to Services provisioned in a Hosted Environment; and (ii) establishes policies, procedures, and controls, based on prevailing industry standards, that govern the processing, storage, transmission, and security of Confidential Information (as defined in Section 9.2(a)) on Ntrepid Systems. For purposes of the preceding sentence, the term “Ntrepid Systems” shall have the meaning set forth in the Information Security Addendum.
“License Fee” means the fee paid by Customer to access and use the Services pursuant to the Order and these Terms of Service.
“Ntrepid Intellectual Property” means the Software (other than third party software) and Ntrepid’s patents, patent applications, trade secrets, copyrights, trademarks, technology, inventions, methodologies, know-how and proprietary or confidential information.
“Open Source Software” means third party software that is distributed or otherwise made available in connection with the Software as “free software,” “open source software,” or under a similar licensing or distribution model, referenced in Section 8.
“Order” means the contract, purchase order or other binding agreement entered into between Ntrepid and Customer (or Customer and an Ntrepid reseller) that specifies the Services to be provided by Ntrepid, the applicable fees, license term and conditions and limitations on Customer’s use of those Services and shall include any Ntrepid quote to the extent accepted by Customer or otherwise incorporated into a binding agreement between Ntrepid and Customer.
“Personal Data” means, in general, any information relating, directly or indirectly, to an identified or identifiable natural person that Ntrepid obtains or has access to in order to provide the Services and that is subject to applicable data privacy and data protection laws.
“Request” means a single [HTTP or HTTPS] request by Customer for information from a URL over the Internet through the Services.
“Services” means the subscription-based services specified in the Order to be provided by Ntrepid to Customer, which could include, but is not limited to: GeoSites, Mapper, Nfusion, P310, Switchboard, and Switchboard SE.
“Software” means the software, including any client, server, or third party software (e.g., VMWare Horizon) and any Open Source Software incorporated therein, that Ntrepid uses to provide the Services and all modifications, improvements, replacements, enhancements, additions, corrections, upgrades, customizations and other changes thereto.
“Subscribers” means individuals whom Customer has authorized to access and use the Services, or in the case of the “Mapper” service means the number of computers (to include desktops and virtual machines) authorized to access and use the “Mapper” service in the form of a Subscriber-Based license or Bandwidth-Based license as described herein.
“Switchboard Active Connections” means the maximum number of telephone numbers made available for concurrent use with the Switchboard service as specified in the Order.
“Third Party Applications” means optional applications, application program interfaces (APIs), and/or web applications that are provided by an organization other than Ntrepid which Ntrepid makes available in connection with the Services.
2. SERVICES PROVIDED UNDER LICENSE.
The Services are delivered pursuant to the license granted in Section 4 on the terms, conditions and limitations set forth in the Order and subject to these Terms of Service and to the extent applicable, any Data Protection Addendum and/or Information Security Addendum annexed hereto. Customer agrees that its purchase of the Services is not contingent on the incorporation into the Services any future functionality or features or dependent on any oral or written public comments or representations made by Ntrepid regarding future functionality or features. Customer acknowledges that the Services are constantly evolving, the form, nature and features of the Services may change from time to time without prior notice, and any changes to the Services are subject to these Terms of Service.
3. CUSTOMER OBLIGATIONS.
Except as may be specified in the Order, Customer shall at all times provide and maintain in good working order its own Internet access and all network and telecommunications equipment, hardware, software, devices and other materials and equipment necessary to access and use the Services, other than the hardware and software used by Ntrepid to provide the Services. Customer is responsible for the use of the Services, including, but not limited to: (a) designating and managing the administrators of the Services; and (b) authorizing and managing Subscribers accessing and using the Services. Customer shall implement and maintain security policies and procedures to maintain the security and integrity of Customer’s computing and telecommunications environment no less robust than industry standards for similar businesses in Customer’s industry. Customer and its Subscribers are, and shall be, fully responsible for, and shall take all reasonable steps necessary in order to, establish and implement any and all measures needed to limit the control and/or access to the Services, including limiting access to passwords used to access the Services, and Ntrepid shall have no liability to Customer or any third party for Customer’s failure to prevent any unauthorized access or use of the Services.
4. LICENSE GRANT AND RESTRICTIONS.
4.1 License Grant to Use the Services.
Subject to the terms, conditions and limitations set forth in the Order and these Terms of Service, Ntrepid hereby grants to Customer, during the Term (as defined in Section 12.1), a personal, non-exclusive, non-transferable, non-sublicensable, revocable, limited license to access and use: (a) the Services and (b) any Ntrepid Intellectual Property incorporated into the Services or made available to Customer by Ntrepid in connection with the Services to the extent necessary to use the Services in the manner contemplated by the Order and these Terms of Service (the “License”).
4.2 Subscriber-Based Licenses.
(a) Unless Section 4.2(b) below applies, if the Order specifies a maximum number of Subscribers who may access and use the Services but does not limit the number of Subscribers who may access and use the Services at the same time (“Concurrent Subscribers”), Customer shall not authorize more individuals to access and use the Services than the number of Subscribers, which are specified in the Order and for which Customer has paid the applicable License Fee. Permitting more individuals than that number of Subscribers to use or access the Services at any time shall constitute a breach of these Terms of Service, and Ntrepid may, in addition to its other rights and remedies by contract or under law, suspend or terminate Customer’s access to the Services until Customer cures the breach or purchases a license for additional Subscribers. If Concurrent Subscribers or the Nfusion Desktop Annual Subscription Service are specified in the Order, Customer may permit an unlimited number of individuals to access and use the Services; provided, however, that in no event may Customer authorize more individuals to access and use the Services at the same time than the number of Concurrent Subscribers or Nfusion Desktops that are specified in the Order and for which Customer has paid the applicable License Fee, without purchasing a license for additional Concurrent Subscribers or Nfusion Desktops.
(b) If the Order specifies a maximum number of Subscribers who may access and use the “Mapper” service, Customer shall not authorize more computers to include desktops and virtual machines to access the Services than specified in the Order and for which Customer has paid the applicable License Fee. Permitting more computers than that number of Subscribers to use or access the Services at any time shall constitute a breach of these Terms of Service, and Ntrepid may, in addition to its other rights and remedies by contract or under law, suspend or terminate Customer’s access to the Services until Customer cures the breach or purchases a license for additional Subscribers.
4.3 Bandwidth-Based Licenses.
If the Services consist of Ntrepid’s “Mapper” service hosted in Ntrepid’s Hosted Environment, then Customer shall be allocated a maximum amount of three (3) Mbps of Bandwidth per License for making Requests. In the event Customer reaches the three (3) Mbps Bandwidth per License threshold, Customer’s further use of the Services under such License shall be throttled so as not to exceed this Bandwidth limitation but Ntrepid will not cease, or otherwise disrupt, the delivery of Services. Customer may increase the amount of Bandwidth by paying the applicable License Fee for each additional Bandwidth-Based License of three (3) Mbps. If the Services consist of Ntrepid’s “Mapper” service deployed in a dedicated environment, then Ntrepid will not impose a maximum amount of Bandwidth per License that Customer may use in making Requests and the terms and conditions of Section 4.2(b) above for Subscriber-Based Licenses shall apply.
4.4 Active Connection Licenses.
If the Order specifies the Switchboard service, then a maximum number of Switchboard Active Connections are made available for Customer’s concurrent use during a specific period of use of the Services. Each Switchboard Active Connection to be licensed as specified in the Order and for which Customer has paid the applicable License Fee provides for an active connection to a telephone number for use with the Switchboard service during the term of the Order.
4.5 Phone Number-Based Licenses.
(a) If the Order specifies a Switchboard Phone Number License for use with the Switchboard or Switchboard SE services, then a maximum number of telephone numbers are made available for Customer’s use during a specific period of use of the Services, and Customer shall not attempt to provision additional telephone numbers in excess of the number of telephone numbers, which are specified in the Order and for which Customer has paid the applicable License Fee, during that period. Exceeding that number of telephone numbers during that period shall constitute a breach of these Terms of Service, and Ntrepid may, in addition to its other rights and remedies by contract or under law, suspend or terminate Customer’s access to the Services until Customer cures the breach or pays a License Fee for additional telephone numbers.
(b) Additionally, if the Order specifies Phone Number-Based Licenses, Ntrepid may furnish SIM cards for use with the Switchboard or Switchboard SE services. Upon expiration or termination of the Order, Ntrepid may provision the SIM cards to Customer; however, in no event shall Ntrepid be required to furnish the telephone numbers associated with such SIM cards.
4.6 Equipment Licenses.
If the Order specifies the Switchboard SE Appliance Set Annual Fee, Ntrepid hereby grants to Customer, a personal, non-exclusive, non-transferable, non-sublicensable, revocable, limited license to access and use the Switchboard SE Appliance Set Annual Fee in connection with the Switchboard SE service during the Term of the Order.
4.7 Additional Licenses.
Customer may, at any time and from time to time, increase the number of Subscribers, Concurrent Subscribers, Active Connections, Phone Number Licenses, and/or the amount of Bandwidth by paying in advance a License Fee for additional Subscribers, Concurrent Subscribers, Active Connections, Phone Number Licenses, or Bandwidth. The term of any such additional Licenses may be pro-rated so that all Licenses for pre-existing and newly- acquired Subscribers, Concurrent Subscribers, Active Connections, Phone Number Licenses and Bandwidth are conterminous. The term of Licenses for additional Subscribers, Concurrent Subscribers, Active Connections, Phone Number Based Licenses or Bandwidth generally will expire twelve (12) months after grant, and Customer must use all pre-existing and newly-acquired Licenses prior to the expiration of such term. Ntrepid will endeavor to notify Customer if Customer is approaching or has reached or exceeded the amount of Bandwidth for which Customer has paid the applicable License Fee; however, Ntrepid’s failure to give such notice shall not affect Ntrepid’s rights or Customer’s obligations hereunder.
4.8 Software
If required to access and use the Services in the manner contemplated by the Order and these Terms of Service, Customer may download and install the client portion of the Software on the computers that Customer has provided to the Subscribers for access to and use of the Services. Depending upon the terms of the Order, Customer may either: (a) install the server portion of the Software on servers furnished by Customer; (b) install the server portion of the Software on servers made available to Customer by Ntrepid; or (c) access the server portion of the Software in a Hosted Environment provided by Ntrepid.
4.9 Customer Data Retention.
(a) If the Services include Ntrepid’s “Nfusion,” “P310,” “Switchboard,” or “Switchboard SE” service hosted in Ntrepid’s Hosted Environment, Customer Data, including Personal Data, may be retained during the Term of the License unless otherwise agreed with Customer and specified in the Order. Ntrepid may delete or destroy all copies of Customer Data and Personal Data during the Term of such License or following the termination or expiration of such License after making such Customer Data and Personal Data available to Customer for thirty (30) days for export or download in a format specified by Ntrepid. If Customer does not exercise its right to submit a request for Customer Data or Personal Data within this thirty (30) day period, Ntrepid will delete or destroy all copies of Customer Data and Personal Data stored in Ntrepid’s Hosted Environment. Notwithstanding the foregoing, Ntrepid may retain such Customer Data, including Personal Data, if any applicable contractual requirement prohibits its deletion or destruction if Ntrepid is required to retain such data under applicable law, or if retention of the data is necessary for Ntrepid’s defense against or pursuit of legal claims.
(b) Customer acknowledges and understands the rights afforded to Customer in this Section 4.9 and Ntrepid will have no further obligation to notify Customer of these rights unless required by applicable law.
4.10 Limitation on Users.
The License granted herein does not authorize, and Customer shall not permit, use of the Services by or for persons subject to U.S. economic sanctions administered by the U.S. Department of The Treasury, Office of Foreign Assets Control (“OFAC”), including persons located in, and governments and representatives of, embargoed and sanctioned countries and persons listed as Specially Designated Nationals by OFAC. The Software and the Services are subject to U.S. export control laws, which may include the Arms Export Control Act and the associated International Traffic in Arms Regulations (“ITAR”) and the Export Administration Act and the associated Export Administration Regulations (“EAR”), and may be subject to export or import regulations in other countries. Customer agrees to comply strictly with all such regulations and acknowledges that it has the responsibility to ensure that all Subscribers within Customer’s organization or otherwise permitted by Customer are authorized under the applicable export approval and/or authorized under the ITAR to access and use such services prior to permitting their access.
4.11 Restrictions.
Customer agrees that neither Customer nor its employees, contractors, representatives and/or agents shall:
(i) copy, distribute, alter, change, modify, adapt, translate, reverse engineer decompile, disassemble or make derivative works of, or otherwise attempt to derive source code from the Software or Service, in whole or in part, however, in the event Customer reasonably determines the actions specified in this Section 4.11(i) are permitted by law, Customer shall provide Ntrepid with at least 120 days advanced written notice of this determination so that Ntrepid (and/or third party software provider) may evaluate the permissibility of the legal requirements;
(ii) use the Services or any Ntrepid Intellectual Property to create any product or Services that competes with the Services or any component of the Services;
(iii) use the Software, including any third party software, other than in connection with the Services;
(iv) sell, lease, license, sublicense or otherwise transfer, in whole or in part, the Service or Software to any third party or allow any third party to benefit from or access the Services or Ntrepid Intellectual Property on a “service bureau,” hosted application, or other basis. This restriction does not apply to the extent Customer enters into a contract for the Services through a reseller of Ntrepid;
(v) use the Services for the purpose of violating, or in a manner that violates, any applicable foreign, federal, state or local law or regulation;
(vi) export or re-export the Services or Software in violation of any applicable export control laws of the U.S. or other jurisdictions;
(vii) use the Services in a manner that infringes or violates any intellectual property rights, publicity, privacy, confidentiality, contractual or other rights;
(viii) use the Services to transmit information that is defamatory, offensive, misleading, false, harmful to minors, or obscene;
(ix) transmit any viruses or programming routines intended to damage, surreptitiously intercept, or expropriate any system, data or personal information;
(x) disrupt the use of the networks over which the Services is provided;
(xi) modify, destroy or disable any Software or hardware used to provide the Services or otherwise deploy any software or services to circumvent, modify or provide access, permissions, or rights that violate the technical restrictions of the Software;
(xii) share individual logins and passwords for the Services in an attempt to permit a greater number of individuals to access and use the Services than the number of Subscribers for which Customer has paid the applicable License Fee; or
(xiii) use the “Mapper” service to connect more desktops or virtual machines than for the number of Subscribers for which the Customer has paid the applicable License Fee.
4.12 Intellectual Property Rights.
Ntrepid reserves all rights not expressly granted to Customer under the Order and these Terms of Service. Without limiting the generality of the foregoing, Ntrepid retains and reserves sole and exclusive worldwide rights, title, ownership and interest in and to the Services and all Ntrepid Intellectual Property. All patents, copyrights, trademarks, trade secrets and other Ntrepid Intellectual Property, and rights therein, relating to the Services shall remain sole and exclusive property of Ntrepid. Intellectual property rights to third party software shall remain the sole and exclusive property of the third party software provider.
4.13 License to Use Feedback.
Customer grants to Ntrepid a worldwide, perpetual, irrevocable, royalty-free license to use and incorporate into the Services any suggestion, enhancement request, recommendation, correction or other feedback provided by Customer or Subscribers relating to the operation of the Services.
4.14 United States Federal Government End Use Provisions.
Ntrepid provides the Services for ultimate United States federal government end use solely in accordance with the terms and conditions set forth in the Order and these Terms of Service. If the federal government has a need for rights not granted under these Terms of Service, it must negotiate with Ntrepid to determine if there are acceptable terms for granting those rights, and mutually acceptable language specifically granting those rights must be included in the Order. To the extent that any of these Terms of Service are inconsistent with federal law, such term shall not apply to any federal government end user accessing and using the Services. Usage of the Services by federal government end users includes the deployment of Software deemed “commercial computer software” and “commercial computer software documentation” under applicable regulations.
5. EQUIPMENT.
In the event that Customer is going to install the server portion of the Software on a server at Customer’s facility and needs to acquire additional equipment, or Customer requires equipment in order to use and access the Services, and in consideration of the payment of the Appliance Fee set forth in the Order (the “Appliance Fee”), Ntrepid agrees to provide the equipment listed in the Order (the “Equipment”) to Customer for inclusion in Customer’s network so that Customer can access and use the Services. Customer agrees to furnish adequate space at Customer’s facilities for installation of the Equipment and to provide sufficient and appropriate power, heating, cooling, lighting, and security. Except in the event the Order includes the Switchboard SE Appliance Set Annual Fee which is licensed and not sold (as set forth in Section 4.6), title to the Equipment shall transfer to Customer upon the later of delivery of the Equipment to Customer’s facilities or Ntrepid’s receipt of the Appliance Fee. Risk of loss of the Equipment shall transfer to Customer upon delivery of the Equipment to Customer’s facilities. Unless otherwise set forth in the Order, Customer shall be responsible for installing the Equipment, connecting the Equipment to Customer’s network and maintaining the Equipment in good operating condition.
6. INITIAL DEPLOYMENT AT CUSTOMER’S FACILITY.
6.1 Scope of Ntrepid’s Deployment Services.
In the event that Customer is going to install the server portion of the Software on a server at Customer’s facility and in consideration of the payment of the initial deployment fee set forth in the Order if applicable, Ntrepid will make Ntrepid personnel available, at a mutually agreed-upon dates and times, to: (a) assist in installation of server portion of the Software on the Customer-furnished server at Customer’s facility if the Order provides that the server portion of the Software will be installed on a Customer-furnished server and configuring the server portion of the Software; (b) provide on-line or in-person training for Customer’s initial server Software administrator(s), and (iii) provide other initial deployment service described in the Order.
6.2 Travel Expenses.
Unless explicitly stated otherwise in the Order, the initial deployment fee does not cover travel expenses of the Ntrepid personnel who will assist with the initial deployment of the Software. Customer shall be responsible for all reasonable travel expenses of such Ntrepid personnel, which expenses shall be paid by Customer within thirty (30) calendar days after receipt of an invoice therefor accompanied by supporting receipts.
7. SUPPORT AND MAINTENANCE.
7.1 Disruption of Services.
Ntrepid will provide support for any disruption of Services via telephone or e-mail, aa ‘’determined by Ntrepid. Customer will report any suspected disruption in the Services to Ntrepid’s Network Operations Center (“NOC”) through the online ticketing system, by email or by telephone, and Ntrepid will log all such reports into a central tracking database. Ntrepid will use commercially reasonable efforts to respond to support requests and correct any
performance issues with the Services as soon as reasonably practicable. Ntrepid will not be responsible for providing support if any issue with performance of the Services is caused by: (i) malfunction of Customer’s equipment or access to the Internet, (ii) abnormal use; or (iii) any other cause not directly attributable to Ntrepid. To the extent that the source of such disruption is within the exclusive control of Ntrepid, Ntrepid will remedy the disruption within one (1) business day of determining its source. If the source of the disruption is not within the exclusive control of Ntrepid, Ntrepid will notify Customer and attempt to identify the likely source of the disruption, if and to the extent Ntrepid is able to identify the likely source, and will cooperate with attempts by the responsible third party to resolve the source of the disruption as soon as possible. Customer shall cooperate with Ntrepid as reasonably requested to the extent necessary to provide said support services
7.2 Maintenance.
(a) Maintenance of the Services, including system and software updates and upgrades, normally will be performed by Ntrepid during scheduled maintenance windows. Customer administrators will be notified at least twenty-four (24) hours in advance of any regularly scheduled maintenance. Ntrepid reserves the right to perform unscheduled emergency maintenance without advance notice to address critical system issues or major security updates. During maintenance users may not be able to access the Services.
(b) If the Services include Ntrepid’s “Mapper,” “Nfusion,” “P310”, “Switchboard”, or “Switchboard SE” service and Customer wishes to be eligible for maintenance, Customer must remain current with the software updates and at all times be not more than (2) two feature versions behind the current feature version. For example, if Ntrepid issues feature version 2.9, Customer may receive maintenance for feature version 2.7 or 2.8 but not for feature version 2.6 or any older version.
7.3 Support.
If the Services include Ntrepid’s “Mapper,” “Nfusion,” “P310,” “Switchboard,” or “Switchboard SE” service, an Ntrepid account manager will be assigned to Customer as a primary point of contact for all support requests. The account manager will coordinate the fulfillment of support requests submitted by Customer through Ntrepid’s ticketing system and will provide Customer with updates on the status of these requests. The account manager will also serve as a direct line of escalation for urgent requests. The account manager will be available via phone and email during standard business hours, 8:00 A.M. – 5:00 P.M. Eastern Standard Time, Monday through Friday, and will respond to all Customer requests within one (1) business day. In the event that the primary account manager is unavailable, Ntrepid will inform Customer and assign a back-up account manager on a temporary basis. In addition, Customer may contact the NOC as set forth in Section 7.1.
8. OPEN SOURCE SOFTWARE.
The Software may include or incorporate from time to time various Open Source Software. Open Source Software is governed solely by the applicable open source licensing terms, if any, and is provided “AS IS” AND WITHOUT (AND NTREPID SPECIFICALLY DISCLAIMS) ANY GUARANTEE, CONDITION, OR WARRANTY (EXPRESS, IMPLIED, OR OTHERWISE) OF ANY KIND OR NATURE, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SATISFACTORY QUALITY, TITLE, AND/OR NON-INFRINGEMENT. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THESE TERMS OF SERVICE, AS IT RELATES TO ANY AND ALL CLAIMS ARISING OUT OF OR IN CONNECTION WITH OPEN SOURCE SOFTWARE, NTREPID SHALL HAVE NO LIABILITY FOR ANY DIRECT OR EXCLUDED DAMAGES, HOWSOEVER CAUSED AND/OR OTHERWISE BASED ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF OPEN SOURCE SOFTWARE, EVEN IF NTREPID HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
For all Services, a list of the Open Source Software contained in the Software is set forth in the Documentation.
9. SECURITY AND CONFIDENTIALITY
9.1 Security.
For any Services provided in Ntrepid’s Hosted Environment, Ntrepid will undertake commercially reasonable efforts to implement reasonable administrative, physical, and technical safeguards to protect Customer Data against unauthorized disclosure. Ntrepid makes no representations or warranties whatsoever that such safeguards will in fact prevent against the unauthorized access, acquisition, use, or disclosure of Customer Data or that such safeguards are sufficient for Customer’s particular security needs. Additional information related to security practices and procedures for Ntrepid’s Hosted Environment is set forth in the Information Security Addendum annexed hereto.
9.2 Confidential Information.
(a) Definition of Confidential Information.
For the purposes hereof, “Confidential Information” means all information disclosed by either Party to the other Party, whether orally or in writing, that is designated in writing as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure.
(b) Use, Disclosure, and Protection.
Each Party agrees: (i) not to use any Confidential Information of the other Party for any purpose outside the scope of this Agreement; and (ii) to protect and hold in confidence the Confidential Information of the other Party against unauthorized use or disclosure in the same manner as such Party protects its own similar confidential information, but in no event shall such Party use less than reasonable care to protect the other Party’s Confidential Information from unauthorized use or disclosure. Subject to any restrictions set forth in Annex A, Ntrepid is authorized by Customer to enhance the Services by: (y) using Customer’s Confidential Information (which may include Customer Data) for analytics purposes and appropriate management and administration functions ancillary to providing the Services; and (z) disclosing Customer’s Confidential Information to vendors, subcontractors, and professional advisers (such as legal counsel), provided such third parties agree to maintain the confidentiality of such Confidential Information consistent with this Agreement.
(c) Exclusions.
This Section 9.2 imposes no obligation upon the Parties with respect to Confidential Information which either Party can establish by legally sufficient evidence: (i) was in its possession without an obligation of confidentiality prior to being acquired or received from the other Party; (ii) is or becomes generally known to the public without violation of this Section 9.2; (iii) is obtained in good faith from a third party having the right to disclose it without an obligation of confidentiality or (iv) is developed by it without use of the other Party’s Confidential Information. A Party’s disclosure of the other Party’s Confidential Information shall not be considered a violation of obligations under this Section 9.2 to the extent such disclosure is required pursuant to any law or valid court order, provided that, unless prohibited by law, such Party has given notice to the other Party of the required disclosure so as to afford the other Party a reasonable opportunity to obtain a protective order and provides such reasonable assistance as the other Party may reasonably request.
9.3 Personal Data.
To the extent that Customer provides or otherwise makes available to Ntrepid any Personal Data or instructs Ntrepid to collect Personal Data on its behalf in order to provide the Services, including but not limited to Personal Data regarding Customer’s employees, Customer hereby represents and warrants that Customer has complied with all applicable data privacy and data protection laws relevant to the processing and transfer of such data to Ntrepid in the United States, including having secured all necessary consents and authorizations to provide such Personal Data to Ntrepid and for Ntrepid to use or disclose such Personal Data to third parties consistent with this Agreement.
The parties agree that in providing the Services, to the extent that Ntrepid Processes Personal Data, it is doing so on behalf of Customer, pursuant to any Customer’s instructions, and in accordance with applicable data privacy and data protection laws. To the extent that Personal Data is subject to the California Consumer Privacy Act, the European Union General Data Protection Regulation, or other data protection legislation imposing similar contractual obligations, Ntrepid agrees to process such Personal Data in accordance with Annex A. For purposes of this Section 9.3, the term “Process(es)” shall have the meaning set forth in Annex A.
9.4 Obligations upon Termination or Expiration of the License.
(a) Customer Obligations. To the extent applicable, upon termination or expiration of the License, Customer shall cease using Ntrepid’s Confidential Information and, within thirty (30) calendar days following termination of the License, shall promptly destroy or cause to be destroyed all copies of Ntrepid’s Confidential Information in Customer’s possession and, upon Ntrepid’s request, certify in writing such destruction.
(b) Ntrepid Obligations. Following termination or expiration of the License, Ntrepid will delete or destroy Customer Data, including Personal Data, as provided in Section 4.9 above.
10. PAYMENT TERMS.
After Ntrepid’s receipt of the Order, and upon delivery to Customer’s assigned administrator of the Services identified in the Order, Ntrepid shall invoice Customer, and Customer shall pay Ntrepid, the fees and expenses set forth in the Order. Thereafter Ntrepid shall invoice from time to time other fees and expenses described in these Terms of Service. Except as otherwise provided in the Order, all such fees and expenses shall be due and payable in United States dollars by Customer within thirty (30) calendar days of the date of the invoice. Customer shall be responsible for all applicable sales, use and excise taxes. If at any time any taxing authority assesses a tax on an invoice, Customer shall pay or reimburse Ntrepid for the tax. In the event of late payment by Customer, Ntrepid may in its sole discretion: (i) impose a late payment fee in the amount of five percent (5%) of the amount due, and/or (ii) charge interest, at the rate of the lesser of one and one-half percent (1.5%) per month or the maximum rate allowable under law, commencing as of the payment due date through the date of Ntrepid’s receipt of payment, and/or (iii) suspend the Services to Customer until such fees and expenses are paid in full. Customer shall reimburse Ntrepid for all costs related to any proceedings to collect any amounts owed to Ntrepid including, but not limited to, all reasonable attorneys’ fees.
11. EVENTS BEYOND NTREPID’S CONTROL.
Notwithstanding anything to the contrary contained in the Order or these Terms of Service, Ntrepid shall not be liable for any Services disruption, Services delays, or any other event caused by Customer or its employees’, contractors’ or agents’ negligence, lack of cooperation or failure to comply with the Order or these Terms of Service or factors outside of Ntrepid’s control, including but not limited to, any problems with Customer’s own network infrastructure or other hardware or software, failure of Customer’s telecommunication equipment, or telephone service, electrical outage, Customer’s failure to perform necessary maintenance, failure of Customer to maintain the communications link with Ntrepid, or insufficient bandwidth in the communications link provided by Customer. Without limiting the generality of the foregoing, Ntrepid shall not be held responsible for any internet accessibility issues beyond the control of Ntrepid including but not limited to service outages affecting Customer.
12. TERM AND TERMINATION.
12.1 Term.
Subject to Ntrepid’s receipt of the applicable License Fee set forth in the Order, the term of the License granted to Customer in Section 4 (the “Term”) shall commence on the start date specified in the Order and shall continue until the end date specified in the Order, unless earlier terminated as provided in these Terms of Service or renewed for additional one-year terms upon payment of the then applicable annual License Fee. Ntrepid will notify Customer in writing prior to the end of the initial and each renewal term at which time Customer may choose whether to renew the License.
12.2 Events of Termination.
Customer may terminate the License at any time by providing written notice to Ntrepid and destroying all copies of the Software and Documentation. Ntrepid may terminate the License if: (i) Customer breaches any of its obligations under Section 4 or (ii) Customer materially breaches any other provision of the Agreement which is not cured by Customer within thirty (30) calendar days from receipt of written notice from Ntrepid.
12.3 Effect of Termination or Expiration.
Upon termination or expiration of the Term for any reason: (i) all licenses granted hereunder automatically will terminate; (ii) Customer shall cease using the Services, any Ntrepid Intellectual Property, and the Software; (iii) Ntrepid may immediately disable and discontinue Customer’s access to and use of the Services without additional notice to Customer; and (iv) Customer shall return to Ntrepid or destroy any copies of the Software and Documentation (in printed or electronic format) relating to the Services.
Termination of the License shall not relieve Customer of its obligations to pay any amounts then due Ntrepid and shall not entitle Customer to a refund of any fees or other amounts paid in connection with the Agreement. Any termination shall not release a party from liability for a breach by that party of its obligations under the Agreement prior to or in connection with such termination.
12.4 Survival.
The following provisions of these Terms of Service and the rights and obligations expressed therein shall survive any termination or expiration of Term: (i) Section 1 and any other definitions provided elsewhere in these Terms of Service; and (ii) Sections 4.11, 4.12, 9, 12.3, 12.4, 14, 15, 16, 17, and 18.
13. INDEMNIFICATION.
13.1 Indemnification by Ntrepid.
Ntrepid will defend Customer against any claim, demand, suit or proceeding (a “Claim”) made or brought against Customer by a third party alleging that the Software, excluding Open Source Software, purchased and used by Customer in accordance with these Terms of Service infringes or misappropriates such third party’s intellectual property rights and will indemnify Customer from any damages, attorney fees and costs finally awarded against Customer as a result of, or for amounts paid by Customer under a court-approved settlement of, such Claim, provided Customer: (a) promptly gives Ntrepid written notice of such Claim, (b) gives Ntrepid sole control of the defense and settlement of such Claim (except that Ntrepid may not settle any such Claim unless it unconditionally releases Customer of all liability), and (c) gives Ntrepid all reasonable assistance, at Ntrepid’s expense. If Ntrepid receives information about an infringement or misappropriation claim relating to the Software, Ntrepid may in its discretion and at no cost to Customer: (i) modify the Software so that it no longer infringes or misappropriates; (ii) obtain a license for Customer’s continued use of the Services in accordance with these Terms of Service; or (iii) terminate License for the Services upon thirty (30) calendar days’ written notice and refund to Customer any prepaid License fees covering the remainder of the Term of the terminated License. The above defense and indemnification obligations do not apply to the extent such Claim arises from Customer Data, Customer’s breach of these Terms of Service, or Customer’s use of Third Party Applications.
13.2 Exclusive Remedy.
This Section 13 states Ntrepid’s sole liability to Customer, and Customer’s exclusive remedy against Ntrepid, for any type of Claim described in this Section 13.
13.3 Indemnification by Customer.
Except as set forth in Section 4.14, Customer shall defend Ntrepid and its affiliates, officers, directors, employees, agents, representatives, successors and permitted assigns (collectively, the “Ntrepid Indemnified Parties”) from and against any and all third party Claims arising from or relating to Customer’s violation of these Terms of Service, including, but not limited to: (i) a Claim arising from or relating to Customer Data; or (ii) a Claim of fraudulent or unauthorized access and use of the Services arising from Customer installation and use of Third Party Applications. Customer shall indemnify the Ntrepid Indemnified Parties from any damages, attorney fees and costs finally awarded against the Ntrepid Indemnified Parties as a result of, or for amounts paid by the Ntrepid Indemnified Parties under a court-approved settlement of, such Claim, provided the Ntrepid Indemnified Parties: (i) promptly gives Customer written notice of such Claim; (ii) gives Customer sole control of the defense and settlement of such Claim (except that Customer may not settle any such Claim unless it unconditionally releases the Ntrepid Indemnified Parties of all liability); and (iii) gives Customer all reasonable assistance, at Customer’s expense.
14. INJUNCTIVE RELIEF.
14.1 License Restrictions.
Customer acknowledges and agrees that: (i) money damages are not a sufficient remedy for any breach of Section 4 by Customer; and (ii) any breach of Section 4 by Customer shall cause irreparable harm to Ntrepid. In addition to all other remedies which Ntrepid may have, Ntrepid will be entitled to seek specific performance and injunctive or other equitable relief as a remedy for any such breach without the need to post any bond. Customer shall be responsible for any breach of Section 4 by its officers, directors, employees, legal and financial advisors, accountants and other agents and representatives, whether or not they are acting within their authority or on Customer’s behalf.
14.2 Confidentiality Obligations.
The Parties acknowledge and agree that: (i) money damages are not a sufficient remedy for any breach of Section 9.2; and (ii) any unauthorized use or disclosure of a Party’s Confidential Information will cause irreparable harm to that Party. In addition to all other remedies available to that Party, it will be entitled to seek specific performance and injunctive or other equitable relief as a remedy for any such breach without the need to post any bond. Each Party shall be responsible for any material breach of the provisions of Section 9.2 by its officers, directors, employees, legal and financial advisors, accountants and other agents and representatives.
15. WARRANTY DISCLAIMER.
CUSTOMER ACKNOWLEDGES THAT NTREPID IS MAKING THE SERVICES AND SOFTWARE AVAILABLE “AS IS.” ACCORDINGLY NTREPID DOES NOT WARRANT THAT THE SERVICES OR SOFTWARE WILL BE ERROR FREE OR SECURE; NTREPID MAKES NO WARRANTIES WHATSOEVER, EXPRESS, IMPLIED OR STATUTORY, WHETHER ORAL OR WRITTEN, WITH RESPECT TO THE SERVICES OR SOFTWARE; AND NTREPID EXPRESSLY DISCLAIMS ANY IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION, WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
16. LIMITATIONS OF LIABILITY.
In no event shall Ntrepid be liable to Customer for any indirect, special, punitive, exemplary, incidental or consequential damages (including, but not limited to, lost profits, loss of business opportunity, loss or corruption of data, or equipment down-time) of any kind or nature whatsoever, regardless of the legal theory under which such damages are sought (including, but not limited to, contract, warranty, tort or strict liability) arising out of or in connection with the Agreement or Customer’s access and use, or inability to access and use, the Services, even if Ntrepid had been advised of the possibility of such damages or even if such damages were reasonably foreseeable. Notwithstanding anything to the contrary in the Agreement, under no circumstances shall Ntrepid’s total aggregate and cumulative liability exceed one-half of the License Fee paid to Ntrepid for the Services for the twelve months immediately preceding the date that earliest event that gave rise to such liability first occurred.
17. CUSTOMER USE OF THIRD PARTY APPLICATIONS.
At Customer’s option, Ntrepid may allow and, in some cases, facilitate Customer use of Third Party Applications in connection with the Services. Customer’s collection, use, and storage of information and data through Third Party Applications will be subject to the terms, conditions, and privacy policies that are independently determined by the third party organization providing such Third Party Applications. For example, terms and conditions may include, but are not limited to, third party policies on the collection, use, and retention of log data. Customer is encouraged to review the privacy policies and other applicable terms and conditions of the Third Party Applications before deciding whether to install and use such applications in connection with the Services. In the event Customer uses Third Party Applications, Customer agrees to take reasonable precautions to ensure that the installation and use of such applications is fully compliant with applicable laws and does not compromise or otherwise disrupt in any way the functionality, features, and policies of the Services provided by Ntrepid. Ntrepid has no control and assumes no responsibility over the content, privacy policies, functionality, or features of Third Party Applications. To the extent permitted under applicable laws and federal rules, Ntrepid disclaims any liability for loss or damage that may arise from Customer use of or reliance on Third Party Applications. The inclusion of Third Party Applications in connection with the Services does not imply any endorsement by Ntrepid.
18. MISCELLANEOUS PROVISIONS.
18.1 Notices.
Any notice, request, consent, demand, offer or other communication required or permitted to be given or made under the Agreement shall be in writing and either delivered personally or sent by e-mail, facsimile, overnight courier, regular mail or certified mail, postage prepaid and, in all cases, addressed and sent to the respective parties at an address as a party may specify in writing from time to time. The foregoing communications shall be deemed given: (a) if delivered personally or by overnight courier, upon delivery as evidenced by delivery records; (b) if by e-mail or facsimile transmission, upon successful delivery of the transmission as evidenced by transmission records; or (c) if sent by regular mail or certified mail, postage prepaid, five (5) calendar days after the date of mailing.
18.2 Relationship of Parties.
The Parties are independent contractors and will have no power to bind the other Party or to create any obligation or responsibility on behalf of the other Party or in the other Party. The Agreement shall not be construed as creating any partnership, joint venture, agency, or any other form of legal association that would impose liability upon one Party for the act or failure to act of the other Party.
18.3 Assignment.
Neither Party shall, without the prior written consent of the other Party which shall not be unreasonably withheld, assign or transfer the Agreement or any rights arising from the Agreement. Any attempt to assign or transfer the Agreement without first obtaining such written consent shall be void and of no force and effect. Notwithstanding the foregoing, Ntrepid may assign the Agreement by merger, reorganization, consolidation, or sale of all or substantially all its assets. Nothing in the Agreement shall be deemed to create any right or benefit in any person not a party hereto.
18.4 Headings.
The section and subsection headings used in these Terms of Service are for reference and convenience only and shall not be used in the interpretation of the Agreement. Reference in these Terms of Service to a particular numbered or lettered “Section” shall be deemed to be a reference to that numbered or lettered section or subsection of these Terms of Service and all numbered or lettered subsections within the referenced section or subsection.
18.5 No Waiver.
No delay or omission by either Party to exercise any right or power with respect to any of the terms, provisions or conditions of the Agreement will impair any right or power or be construed to be a waiver thereof. A waiver by either Party of any of the terms, provisions or conditions of the Agreement will not be construed to be a waiver of any other term, provision or condition of the Agreement. No waiver of any rights of a Party under the Agreement will be effective unless set forth in a writing signed by such Party.
18.6 Severability.
If any provision of the Agreement is held by a court of competent jurisdiction to be unlawful, invalid, or unenforceable under applicable law, then such provisions shall be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect.
18.7 Force Majeure.
Neither Party will be liable for any failure or delay in performing an obligation under this Agreement that is due to any of the following causes, to the extent beyond its reasonable control: acts of God, accident, riots, war, terrorist act, epidemic, pandemic, quarantine restrictions, civil commotion, breakdown of communication facilities, breakdown of web host, breakdown of internet service provider, cyberattack, natural catastrophes, governmental acts or omissions, changes in laws or regulations (including but not limited to any law, pronouncement or guideline issued by a governmental entity (including the Centers for Disease Control and Prevention or the World Health Organization) providing for business closures, “sheltering-in-place,” “stay-at-home,” or other restrictions that relate to, or arise out of, health conditions (including any public health emergency, epidemic, pandemic or disease outbreak (including but not limited to the COVID-19 virus)), national strikes, fire, explosion, generalized lack of availability of raw materials or energy.
18.8 Governing Law.
Except as set forth in Section 4.13, the Agreement shall be governed by the laws of the Commonwealth of Virginia without regard to the choice of law principles thereof or the United Nations Convention on the International Sale of Goods.
18.9 Entire Agreement.
This Agreement, including the Customer’s selections on the Order, the Customer’s contract or purchase order issued to Ntrepid or a reseller of Ntrepid, and to the extent applicable, any Data Protection Addendum and/or Information Security Addendum annexed hereto, constitutes the entire agreement between the parties and supersedes all prior and contemporaneous agreements, proposals or representations, concerning this subject matter.
Annex A, Terms of Service
NTREPID SUBSCRIPTION SERVICES
DATA PROTECTION ADDENDUM – CALIFORNIA CONSUMER PRIVACY ACT
Ntrepid, LLC, a Florida limited liability company (“Ntrepid”), and the party (“Customer”) named in the Order enter into this Data Protection Addendum (“DPA”) annexed to the Terms of Service between Ntrepid and Customer. The purpose of this DPA is to establish the terms on which Ntrepid, as a Service Provider, shall process the Personal Data of Customer in accordance with the provisions of the CCPA.
1. DEFINITIONS
Any terms that are not defined herein shall have the meaning provided under the Terms of Service, the Order, Applicable Law or otherwise have their ordinary and common meaning. The terms “Consumer,” “Deidentified,” “Sell,” and “Share” shall have the meanings given to them under the CCPA.
“Applicable Law” means all applicable U.S. federal, state, and local laws relating to the privacy or security of Personal Data, including, but not limited to, the CCPA.
“Business Purposes” means the enumerated business purposes set forth in Cal. Civ. Code §1798.140(e)(1)-(8) that are applicable to the Services and that are set forth in the Agreement and namely constitute providing services involving the collection and analysis of open source intelligence and publicly available information for use by commercial and governmental entities in research and investigations.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended to date (including by the California Privacy Rights Act), and any regulations and guidance that may be periodically issued pursuant to CCPA.
“Order” means the contract, purchase order or other binding agreement entered into between Ntrepid and Customer that specifies the Services to be provided by Ntrepid, the applicable fees, license term and conditions and limitations on Customer’s use of those Services and shall include any Ntrepid quote to the extent accepted by Customer or otherwise incorporated into a binding agreement between Ntrepid and Customer.
“Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household that Ntrepid obtains or has access to in order to provide the Services and that is subject to the CCPA.
“Privacy Rights Request” means a communication from a Consumer requesting to exercise their individual privacy rights under Applicable Laws.
“Processing” means any operation or set of operations that are performed on Personal Information or on sets of Personal Information, whether or not by automated means. The definition of Processing shall include, but shall not be limited to “processing” as such term is defined under CCPA. Variations of the term “Processing” such as “Process” shall have the same meaning.
“Services” means the services specified in the Order to be provided by Ntrepid to Customer.
“Service Provider” means a service provider as defined by the CCPA.
2. PROCESSING OF PERSONAL DATA.
2.1 Restrictions.
Ntrepid will Process Personal Data solely for the purposes of performing the Services and in a manner that is reasonably necessary and proportionate to achieve the Business Purposes. Without limiting the generality of the foregoing, Ntrepid is prohibited from:
(a) Selling or Sharing Personal Data;
(b) Retaining, using, or disclosing Personal Data for any purpose other than for the specific Business Purposes of providing the Services or as otherwise permitted by the CCPA;
(c) Retaining, using, or disclosing Personal Data outside of the direct business relationship between Ntrepid and Customer; or
(d) Combining Customer’s Personal Data with Personal Data it receives from, or on behalf of, another person(s), or collects from its own interaction with a Consumer, except where expressly required to perform the Services.
2.2. Obligations.
(a) Certification by Ntrepid. Ntrepid hereby certifies that it understands the restrictions set forth in Section 2.1 of this DPA and will comply with them. Ntrepid shall not provide access to Personal Data to any other entity, unless agreed to or instructed by Customer or required by Applicable Law, except it may use subcontractors to perform the Services, provided (i) Ntrepid provides Customer a reasonable opportunity to reasonably object to the engagement of subcontractors and (ii) such subcontractors agree in writing to substantially the same terms that apply to Ntrepid through this Addendum.
(b) Customer Acknowledgement. Notwithstanding anything herein to the contrary, Customer acknowledges that Ntrepid may retain, use, disclose, or otherwise Process Personal Data in manners permitted of a Service Provider under the CCPA or as otherwise required by Applicable Laws (e.g., to engage subprocessors for subprocessing, for permitted internal uses such as improving products and services, for security and fraud prevention, compliance with legal obligations, etc.) and may create deidentified data and aggregate data from Personal Data subject to subsection (c) of this Section 2.2.
(c) Deidentified Data. To the extent Ntrepid receives, or Ntrepid creates, Deidentified data in connection with this DPA, Ntrepid will: (i) maintain such information as Deidentified and take reasonable measures to ensure that it cannot be associated with an individual or household (including implementing technical safeguards and business processes to prevent reidentification or inadvertent release of the Deidentified data); (ii) publicly commit to maintain and use the information in Deidentified form and not to attempt to reidentify the information; (iii) not attribute Customer as a source of such data; and (iv) contractually obligate any third parties receiving such information from Ntrepid to also commit to subsections (i), (ii), and (iv) of this Section 2.2(c).
(d) Ntrepid will comply with Applicable Law in performing the Services, including by providing the same level of privacy protection for Personal Data as is required of a “business” by the CCPA. Ntrepid shall reasonably assist Customer in meeting its obligations under Applicable Laws and make available to Customer information in Ntrepid’s possession necessary to demonstrate compliance with its obligations under Applicable Laws upon Customer’s reasonable request (subject to time and materials charges at standard rates if material efforts are required).
(e) Ntrepid will notify Customer if it determines it can no longer meet its obligations under the CCPA and will allow Customer to take reasonable and appropriate steps to stop and remediate unauthorized Processing of Customer’s Personal Data and ensure that Personal Data is used in a manner consistent with Customers obligations under Applicable Law.
2.3. Consumer Requests for Personal Data.
Ntrepid acknowledges and agrees that if it receives any Privacy Rights Request from a Consumer regarding Customer’s Personal Data, Ntrepid will inform the requesting Consumer that it cannot respond to the Privacy Rights Request because it is a Service Provider. Ntrepid agrees to reasonably cooperate with Customer to ensure Customer can meet its obligations under Applicable Laws to respond to Privacy Rights Requests to include, without limitation, retrieving, correcting or deleting specific pieces of Personal Data. Ntrepid will also reasonably assist Customer in conducting and documenting data protection audits as required by the CCPA. Ntrepid will promptly inform Customer if it is unable to respond to or assist with a Privacy Rights Request or otherwise comply with its obligations under this section.
2.4. Data Privacy Controls.
As required by Applicable Law, Ntrepid shall maintain reasonable administrative, physical, technical, and organizational safeguards to protect the confidentiality, security, integrity, and availability of Personal Data that are consistent with requirements imposed by Applicable Law.
2.5 Customer Representations and Warranties.
Customer represents and warrants that it has all necessary consents and authorizations to disclose or otherwise make the Personal Data available to Ntrepid in connection with the Services under the Agreement.
2.6 Subprocessors.
As permitted under the CCPA, Ntrepid may subcontract any Processing of Customer’s Personal Data to a subprocessor, provided any such subprocessor agrees in writing to the same obligations that apply to Ntrepid in this DPA.
3. AUDIT.
3.1 Audit Requests.
Upon reasonable request and with at least thirty (30) days’ prior written notice from Customer and no more than once in any twelve (12) month period, Ntrepid will cooperate with reasonable audits by Customer or its designated assessor to evaluate Ntrepid’s compliance with the terms of this DPA. Alternatively, Ntrepid may, with Customer’s consent and at Ntrepid’s expense, arrange for a qualified, independent audit and will provide any associated audit report to Customer upon request. Any such audits will be performed subject to Ntrepid’s privacy, data security and other applicable policies. Customer will maintain the confidentiality of any information and/or reports resulting from such audits in accordance with applicable non-disclosure provisions under the Terms of Service.
4. CONFLICTS; ORDER OF PRECEDENCE
In the event of a conflict regarding the privacy or security of Personal Data as between a provision in this DPA and the Terms of Service, an Order, or any other agreement between the Parties, this DPA shall control. Notwithstanding the foregoing, in the event that another provision in effect between Ntrepid and Customer provides greater protection to Personal Data than provided herein, such other provision will control.
5. SURVIVAL.
This DPA and all provisions herein will survive so long as, and to the extent that, Ntrepid maintains any Personal Data.
6. MODIFICATION
In the event of a change in Applicable Law, Ntrepid and Customer agree to negotiate in good faith a reasonable and appropriate amendment to this DPA.
Annex B – Terms of Service
NTREPID SUBSCRIPTION SERVICES
INFORMATION SECURITY ADDENDUM
Ntrepid, LLC, a Florida limited liability company (“Ntrepid”), and the party (“Customer”) named in the Order enter into this Information Security Addendum (“InfoSec Addendum”) annexed to the Terms of Service between Ntrepid and Customer. This InfoSec Addendum solely applies to Services provisioned in a Hosted Environment as that term is defined in the Terms of Service.
- DEFINITIONS.
Capitalized terms used not defined in this InfoSec Addendum shall have the meaning set forth in the Terms of Service. Capitalized terms not defined herein shall be given their common and ordinary meaning.
“Administrative safeguards” means policies and procedures to manage the selection, development, implementation, and maintenance of security measures for the protection of Customer Confidential Information transmitted or stored on Ntrepid Systems to include access controls for Personnel.
“Customer Confidential Information” means Confidential Information that is owned by, or provided by or on behalf of, Customer.
“Information Security Program” means Ntrepid’s written set of policies, procedures, and controls, based on prevailing industry standards, that govern the processing, storage, transmission, and security of Customer Confidential Information on Ntrepid Systems.
“Ntrepid Systems” means the facilities, systems, equipment, hardware, and software used in connection with Ntrepid’s processing of Customer Confidential Information for Services provisioned in a Hosted Environment.
“Personnel” means Ntrepid’s or its contractors’ or subcontractors’ employees, agents, subcontractors, and other authorized users of Ntrepid systems and network resources.
“Physical safeguards” mean the physical controls designed to protect Customer Confidential Information transmitted and/or stored in Ntrepid Systems, buildings, and equipment from natural and environmental hazards and unauthorized access.
“Security Incident” means, with respect to Ntrepid Systems, a known or reasonably suspected “breach” (or any similar term defined under applicable laws): (i) resulting in the unauthorized or unlawful access, use, disclosure, loss or destruction, modification, or exfiltration of Customer Confidential Information; and (ii) that affects the security, availability, and/or integrity of Customer Confidential Information. The definition of Security Incident includes any malware or ransomware attacks.
“Technical safeguards” mean the technical controls, including access controls, designed to protect Customer Confidential Information transmitted and stored on Ntrepid Systems.
- INFORMATION SECURITY PROGRAM.
2.1 Ntrepid will maintain an Information Security Program.
2.2 Ntrepid has sole discretion to periodically review and update the Information Security Program in order to address new and evolving security threats, changes to applicable regulations and industry standard practices, and new security technologies.
2.3 Any update performed by Ntrepid under Section 2.2 herein shall not materially reduce the commitments, security, or overall level of Services provided to Customer.
- ADMINISTRATIVE, PHYSICAL, AND TECHNICAL SAFEGUARDS.
The Information Security Program shall consist of Administrative, Physical, and Technical Safeguards identified in this section.
3.1 Administrative Safeguards. Before providing access to Customer Confidential Information to any Personnel, Ntrepid will:
(a) Perform background screening (to the extent permitted by applicable laws) on such Personnel;
(b) Require such Personnel to sign and return a Non-Disclosure Agreement as a condition of employment with Ntrepid; and
(c) Require Personnel attend initial and periodic refresher training to ensure compliance with the Information Security Program and this InfoSec Addendum. Training shall meet or exceed prevailing industry standards.
3.2 Physical Safeguards.
(a) Ntrepid will maintain physical access controls that are designed to secure Ntrepid facilities which store Customer Confidential Information.
(b) Data Centers: Physical safeguards for Ntrepid data centers (owned by third parties) shall include the following:
i. An access control system that enables Ntrepid to monitor and control physical access to each Ntrepid data center; and
ii. Physical security monitoring systems that operate twenty-four (24) hours a day, seven (7) days a week; and
iii. Utilization of trained and experienced security guards.
(c) Physical Media: Processes for the destruction of physical media shall include the following:
i. Destruction methods for Customer Confidential Information that meet or exceed prevailing industry standards;
ii. Secure storage of damaged hard disks and other physical media prior to physical destruction; and
iii. Physical destruction of all decommissioned hard disks and other physical media used to store Customer Confidential Information.
3.3 Technical Safeguards.
(a) Access Controls. Consistent with the “principle of least privilege,” Ntrepid will permit access to Customer Confidential Information only to Personnel who have a need to know. Ntrepid will be responsible for any processing of Customer Confidential Information by Personnel within the scope of the Services.
(b) Account Management. Ntrepid will undertake reasonable measures to manage the creation, use, and protection of all account credentials used to access Ntrepid Systems by using tools that include, but are not limited to:
i. Segregated accounts with unique credentials for each user to include Customer administrators;
ii. Strict procedures for the management of administrative accounts;
iii. Adoption of password best practices, including the use of strong passwords, secure password storage, and mandatory password resets at fixed intervals;
iv. Periodic reviews of entitlements and credentials; and
v. De-activation of accounts after sustained periods of inactivity.
3.4 Security Segmentation.
(a) Ntrepid will undertake reasonable measures to monitor, detect and restrict the flow of Customer Confidential Information on a multi-layered basis in Ntrepid Systems by using tools that include, but are not limited to, firewalls, proxies, and network-based intrusion detection systems.
(b) Ntrepid will continuously apply prevailing industry standards for firewall protection for Ntrepid Systems.
3.5 Change Management. Ntrepid will assess changes to Ntrepid Systems, including production infrastructure, in order to minimize risk, and as needed, follow Ntrepid’s change management policy.
3.6 Application and Systems Logging.
(a) Ntrepid will typically retain application and system logs (comprised of user activity and audit logs) for up to ninety (90) days subject to available disk space. Ntrepid maintains discretion on whether to purge these logs more frequently.
(b) Ntrepid will implement technical controls for application and system logs that include, but are not limited to:
i. Protecting logging facilities and log files from tampering and unauthorized access;
ii. Collecting, managing, retaining, and analyzing audit logs in order to detect, investigate, and recover from any unauthorized activity on Ntrepid Systems that may affect Customer Confidential Information; and
iii. Generating, monitoring and retaining event logs, including logs pertaining to administrator and operator usage, recording access, activities, exceptions, faults and Security Incidents.
- SECURITY AND PRIVACY RISK MANAGEMENT PROCESSES.
Ntrepid will maintain formal processes for security and privacy risk identification, assessment, mitigation, and management.
- ASSET MANAGEMENT.
5.1 Ntrepid will maintain a documented inventory of information security assets.
5.2 Ntrepid will implement appropriate asset management controls for Ntrepid Systems that include, but are not limited to:
(a) Identifying and managing assets associated with the handling, processing, storage, or transmission of Customer Confidential Information;
(b) Before removal from secure premises, wiping (e.g., through high-intensity re-formatting):
i. Any Customer Confidential Information from all storage media used in connection with the Services; and
ii. Licensed software associated with the provision of Services;
(c) Ensuring retention of records that document secure disposal of any storage media; and
(d) Ensuring that all Personnel, before departure from employment with Ntrepid, return any Customer Confidential Information or assets provided by Ntrepid.
- ENDPOINT SECURITY.
Ntrepid will maintain suitably-designed endpoint security controls for Ntrepid Systems, that include but are not limited to:
6.1 Processes for provisioning, and hardening, in addition to anti-virus/anti-malware software and patching updates to the same;
6.2 Encryption of all Ntrepid System hard drives (e.g., desktops, laptops, workstations, servers, mobile devices) that contain Customer Confidential Information;
6.3 Encryption of Customer Confidential Information that Ntrepid transmits or sends wirelessly or across public networks, using prevailing industry standards for encryption while in transit and at rest;
6.4 Safeguards for all encryption keys associated with Customer Confidential Information; and
6.5 Management of security configurations of Ntrepid Systems based on prevailing industry standards to protect Customer Confidential Information from a Security Incident.
- INCIDENT MANAGEMENT.
7.1 Ntrepid will provide Customer with a written summary of a Security Incident without undue delay, and no later than the time required by applicable law or as set forth in any Order.
7.2 The Security Incident written summary will document the following:
(a) Facts giving rise to the Security Incident;
(b) Risks posed to the security, availability, and integrity of Customer Confidential Information;
(c) Corrective actions taken in response to Security Incident; and
(d) Any actual compromise of Customer Confidential Information and any supporting details related to the scope of such compromise.
7.3 Ntrepid may provide the contents of the written summary to Customer on an incremental basis.
7.4 Ntrepid will not be required to release information in the written summary, if in Ntrepid’s sole discretion, such release presents a security or legal risk to Ntrepid.
7.5 To the extent the Security Incident is not at least partially attributable to the actions of Customer, Customer’s employees, Customer’s agents, or Customer’s affiliates or authorized users of the Services, Ntrepid will reasonably assist Customer with any dispute, inquiry, internal investigation or claim concerning the Security Incident.
- VULNERABILITY SCANS AND SECURITY ASSESSMENTS
Ntrepid represents and warrants the adoption of processes to identify and mitigate system, device, and application vulnerabilities through patches, updates, bug fixes, or other modifications to maintain the security, availability, and integrity of Customer Confidential Information. In furtherance of this representation:
8.1 Ntrepid will continuously perform vulnerability scans of Ntrepid Systems that process Customer Confidential Information. On an annual basis, Ntrepid will retain an internationally-recognized third party to perform an independent security assessment of Ntrepid Systems that process and store Customer Confidential Information;
8.2 Ntrepid will maintain a process to mitigate all “critical/severe,” “high,” and “medium” rated vulnerabilities identified in the vulnerability scan and penetration testing; and
8.3 Upon Customer request, Ntrepid will provide a report of pertinent findings from the latest vulnerability scan for Ntrepid Systems that process Customer Confidential Information. Additionally, Ntrepid will provide pertinent information from the latest third party, independent security assessment report of Ntrepid Systems that process and store Customer Confidential Information. Customer shall treat such results as Confidential Information as that term is applied under the Terms of Service.
- SOFTWARE DEVELOPMENT.
Ntrepid will ensure that all software developed or maintained in connection with the Services follows a Software Development Life Cycle (“SDLC”) process to report and mitigate any known “critical/severe,” “high,” and “medium” rated application security “vulnerabilities” (as defined by prevailing industry standards). The SDLC process shall consist of the following:
9.1 Adhering to established security principles for software engineering that are documented, maintained, and applied to any information system implementation efforts and that include:
(a) Segregating development and production environments;
(b) Filtering out potentially malicious character sequences in user inputs;
(c) Using secure communication techniques, including encryption;
(d) Using sound memory management practices;
(e) Implementing the latest, applicable Open Web Application Security Project (“OWASP”) Top Ten recommendations; and
(f) Patching of software.
9.2 Ensuring adequate physical and/or logical separation between development, testing, and production environments to prevent unauthorized or unintended changes to the production environment;
9.3 Tracking, recording, and review of any changes to production systems. Any change will not materially reduce the current level of security; and
9.4 Conducting security reviews covering all aspects of the Services including custom code, components, products, and system configuration.
- TECHNOLOGY ERRORS AND OMISSIONS INSURANCE.
10.1 Ntrepid will maintain a technology errors and omissions insurance to cover certain losses related to cybersecurity incidents.
10.2 Not more than once annually and upon written request by Customer, Ntrepid will provide a certificate of insurance for technology errors and omissions.
- CUSTOMER RIGHT TO AUDIT.
11.1 Not more than once annually and upon written request by Customer, Ntrepid will make available to Customer a written statement of compliance with all requirements of this InfoSec Addendum in addition to a written overview of Ntrepid’s administrative, physical, and technical safeguards.
11.2 Not more than once annually and/or after a Security Incident, Customer may submit a reasonable written request for information related to Ntrepid’s Information Security Program.
11.3 Ntrepid will not be required to release any information under this section if, in Ntrepid’s sole discretion, such release presents a security or legal risk to Ntrepid or other Ntrepid customers.
12. SUBCONTRACTORS.
12.1 To the extent that Ntrepid retains subcontractors or other third parties who access Customer Confidential Information, Ntrepid will require each subcontractor or third party to adhere to security obligations commensurate with the subcontractor’s scope of work.
12.2 Ntrepid will perform due diligence on subcontractors and third parties to confirm compliance with information security obligations.
- CONFLICTS; ORDER OF PRECEDENCE.
In the event of a conflict between this InfoSec Addendum and the Terms of Service, an Order, or any other agreement entered into between the Parties, this terms and conditions of this InfoSec Addendum shall control.