Subscription Service Agreement
SUBSCRIPTION SERVICE AGREEMENT
This Subscription Service Agreement (including the Subscription Service Guide, attached hereto) (“Agreement”) is made between the Report Zero entity (“Report Zero”) and the customer entity (“Customer”) on the ordering document and becomes effective on the last signature date of the ordering document issued by Report Zero (“Effective Date”).
The Agreement is deemed to include the General Terms and Conditions below, the Subscription Service Guide attached as Exhibit A.1 (which includes Exhibit A.2 – Customer Support Policy, Exhibit A.3 – Upgrades and Updates, Exhibit A.4 – Data Processing Addendum, and Exhibit A.5 – Data Security Guide), and any other terms expressly referenced herein or in other incorporated documents, all of which are expressly deemed incorporated in the Agreement by this reference. The Subscription Service Guide is posted on https://www.ReportZero.net/schedules and incorporated herein by reference.
Pursuant to a separate transaction between Customer and Report Zero’s authorized reseller (“Reseller”), Customer has purchased from Reseller certain services to be delivered by Report Zero. This Agreement specifies the terms and conditions under which those services will be provided, apart from price, payment and other terms specified in the separate agreement between Customer and Reseller.
GENERAL TERMS AND CONDITIONS
- DEFINITIONS
1.1 “Affiliates” means any person or entity directly or indirectly Controlling, Controlled by, or under common Control with a party, where “Control” means the legal power to direct or cause the direction of the general management of the company, partnership, or other legal entity.
1.2 “Ancillary Software” means software licensed by Report Zero to Customer that is deployed on machines operated by or for Customer to facilitate operation of the Subscription Service or interoperation of the Subscription Service with other software, hardware, or services. Ancillary Software may include code that is licensed under third-party license agreements, including open source made available or provided with the Ancillary Software.
1.3 “Claim” means any third-party suit, claim, action, or demand.
1.4 “Confidential Information” means: (a) Report Zero Core Technology (which is Confidential Information of Report Zero); (b) Customer Data and Customer Technology (which is Confidential Information of Customer); (c) any information of a party that is disclosed in writing or orally and is designated as Confidential or Proprietary at time of disclosure (and, for oral disclosures, summarized in writing within 30 days of initial disclosure and delivered in written summary form to the receiving party), or that, due to the nature of the information or circumstances of disclosure, receiving party would understand it to be disclosing party’s confidential information; and (d) the specific terms of this Agreement, any Use Authorization, any SOW, and any amendment or attachment to any of these, between the parties (which will be deemed Confidential Information of both parties). Confidential Information excludes any information that: (i) is or becomes generally known to the public through no fault or breach of this Agreement by receiving party; (ii) was already rightfully in receiving party’s possession, without restriction on use or disclosure, when receiving party received it under this Agreement; (iii) is independently developed by receiving party without use of disclosing party’s Confidential Information; or (iv) was or is rightfully obtained by receiving party, without restriction on use or disclosure, from a third party not under a duty of confidentiality to disclosing party.
1.5 “Customer Data” means electronic data uploaded by or for Customer or Customer’s agents, employees, or contractors, and processed in the Subscription Service, excluding Report Zero Core Technology.
1.6 “Customer Technology” means software, methodologies, templates, business processes, documentation, or other material originally authored, invented, or otherwise created by Customer (or on Customer’s behalf, other than by Report Zero or at Report Zero’s direction) for use with the Subscription Service, excluding Report Zero Core Technology.
1.7 “Deliverable” means anything that is created by or on behalf of Report Zero for Customer in the performance of Professional Services.
1.8 “Documentation” means the then-current Report Zero product documentation relating to the operation and use of the Subscription Service or Ancillary Software published by Report Zero at https://docs.ReportZero.net or its successor website. Documentation includes technical program or interface documentation, user manuals, operating instructions, and release notes.
1.9 “Intellectual Property Rights” means all intellectual property or other proprietary rights worldwide, including patents, copyrights, trademarks, moral rights, trade secrets, and any other intellectual or industrial property, including registrations, applications, renewals, and extensions of such rights.
1.10 “Law” means any applicable law, rule, statute, decree, decision, order, regulation, judgment, code, and requirement of any government authority (federal, state, local, or international) having jurisdiction.
1.11 “Newly Created IP” means Intellectual Property Rights in the inventions or works of authorship that are made by Report Zero specifically for Customer in the course of performing Professional Services for Customer that are expressly identified as “Newly Created IP” in an SOW, excluding Report Zero Core Technology.
1.12 “Product Overview” means Report Zero’s published description of its products and their functionalities, solely to the extent attached to or expressly referenced in a Use Authorization.
1.13 “Professional Services” means any consulting, development, or educational services provided by or on behalf of Report Zero pursuant to an agreed SOW or Service Description.
1.14 “Service Description” means the written description for a packaged Professional Service, attached to or referenced in a Use Authorization.
1.15 “Report Zero Core Technology” means: (a) the Subscription Service, Ancillary Software, Documentation, and technology and methodologies (including products, software tools, hardware designs, algorithms, templates, software (in source and object forms), architecture, class libraries, objects, and documentation) created by or for, or licensed to, Report Zero; and (b) updates, upgrades, improvements, configurations, extensions, and derivative works of the foregoing and related technical or end user documentation or manuals.
1.16 “Report Zero Products” means, collectively, the Subscription Service, Ancillary Software, Documentation, and Deliverables.
1.17 “SOW” means a statement of work that describes scoped Professional Services.
1.18 “Subscription Service” means the Report Zero software-as-a-service offering ordered by Customer under a Use Authorization.
1.19 “Subscription Term” means the period of authorized access to and use of the Subscription Service, as set forth in a Use Authorization.
1.20 “Use Authorization” means a written document provided to Customer specifying the services that Customer has purchased, along with the term and scope of the authorized use thereof.
- ACCESS AND USE RIGHTS; RESTRICTIONS; PROVISION OF PROFESSIONAL SERVICES
2.1 ACCESS AND USE RIGHTS. For each Subscription Term, Report Zero grants the access and use rights set forth in this Section 2 for the Report Zero Core Technology described in that Use Authorization.
2.2 SUBSCRIPTION SERVICE. Subject to the terms of this Agreement, Report Zero authorizes Customer to access and use the Subscription Service during the Subscription Term stated in the applicable Use Authorization, solely for its internal business purposes in accordance with the Documentation. Customer will not otherwise access or use the Subscription Service in a manner that exceeds Customer’s authorized access and use rights as set forth in this Agreement and the applicable Use Authorization.
2.3 ANCILLARY SOFTWARE. Report Zero grants Customer a limited, personal, worldwide, non-sublicensable, non-transferable (except as set forth in Section 12.1 (Assignment)), non-exclusive, royalty-free license during the Subscription Term to install and execute Ancillary Software on machines operated by or for Customer, solely to facilitate Customer’s authorized access to and use of the Subscription Service.
2.4 RESTRICTIONS. With respect to the Report Zero Core Technology, Customer will not (and will not permit others to): (a) use it in excess of contractual usage limits (including as set forth in a Use Authorization), or in a manner that circumvents usage limits or technological access control measures; (b) license, sub-license, sell, resell, rent, lease, transfer, distribute, time share, or otherwise make any of it available for access by third-parties, except as may otherwise be expressly stated in a Use Authorization; (c) access it for the purpose of developing or operating products or services for third-parties in competition with the Report Zero Core Technology; (d) disassemble, reverse engineer, or decompile it; (e) copy, create derivative works based on, or otherwise modify it, except as may be otherwise expressly stated in this Agreement; (f) remove or modify a copyright or other proprietary rights notice in it; (g) use it to reproduce, distribute, display, transmit, or use material protected by copyright or other Intellectual Property Right (including the rights of publicity) without first obtaining permission of the owner; (h) use it to create, use, send, store, or run viruses or other harmful computer code, files, scripts, agents, or other programs, or otherwise engage in a malicious act or disrupt its security, integrity, or operation; or (i) access or disable any Report Zero or third-party data, software, or network (other than Customer’s instance of the Subscription Service under this Agreement). Before Customer engages in any of the foregoing acts that it believes it may be entitled to, it will provide Report Zero with 30-days’ prior notice to privacy@ReportZero.net, and reasonably requested information to allow Report Zero to assess Customer’s claim. Report Zero may, in its discretion, provide alternatives that reduce adverse impacts on Report Zero’s Intellectual Property Rights or other rights.
2.5 PROVISION OF PROFESSIONAL SERVICES. Customer and Report Zero may enter into one or more SOWs or Use Authorizations subject to this Agreement, and which may incorporate one or more Service Descriptions for the provision of Professional Services. Report Zero will perform the Professional Services, subject to the fulfillment of any responsibilities and payments due from Customer, as stated in the SOW or the Use Authorization.
- ORDERING
3.1 RESELLER ORDERS. Customer shall order and purchase the Subscription Service and Professional Services directly from Reseller pursuant to a separate agreement specifying price, payment and other commercial terms. Report Zero is not a party to such separate agreement but will provide the purchased services pursuant to this Agreement. For each order, Reseller or Report Zero will provide Customer with a Use Authorization for Customer to sign and return to Report Zero. Report Zero will have no obligation to provide services unless and until it has received a Use Authorization signed by Customer. Reseller is not authorized to make any changes to this Agreement (including any Use Authorizations issued hereunder) or bind Report Zero to any additional or different terms or conditions. Additional orders for Report Zero products or services may be placed either through Reseller or Report Zero, provided that if Customer places an order directly through Report Zero, Customer shall sign an addendum to this Agreement setting forth pricing, payment and other commercial terms between Customer and Report Zero.
3.2 USE VERIFICATION. Report Zero or Reseller may remotely review Customer’s use of the Subscription Service, and on Report Zero or Reseller’s written request, Customer will provide reasonable assistance to verify Customer’s compliance with the Agreement, and access to and use of the Subscription Service. If Report Zero or Reseller determines that Customer has exceeded its permitted access and use rights to the Subscription Service, Report Zero will notify Customer and within 30 days thereafter Customer shall either: (a) disable any unpermitted use, or (b) purchase additional subscriptions commensurate with Customer’s actual use.
- INTELLECTUAL PROPERTY
4.1 REPORT ZERO OWNERSHIP. As between the parties, Report Zero and its licensors exclusively own all right, title, and interest in and to all Intellectual Property Rights in the Report Zero Core Technology, notwithstanding anything in this Agreement purportedly to the contrary. Except for the access and use rights, and licenses expressly granted in Section 2 (Access and Use Rights; Restrictions; Provision of Professional Services) of this Agreement, Report Zero, on behalf of itself and its licensors, reserves all rights in the Report Zero Core Technology and does not grant Customer any rights (express, implied, by estoppel, through exhaustion, or otherwise). Any Report Zero Core Technology delivered to Customer or to which Customer is given access shall not be deemed to have been sold, even if, for convenience, Report Zero makes reference to words such as “sale” or “purchase” in the applicable Use Authorization or other documents.
4.2 CUSTOMER OWNERSHIP. As between the parties, Customer and its licensors will retain all right, title, and interest in and to all Intellectual Property Rights in Customer Data and Customer Technology. Customer hereby grants to Report Zero a royalty-free, fully-paid, non-exclusive, non-transferrable (except as set forth in Section 12.1 (Assignment)), worldwide, right to use Customer Data and Customer Technology solely to provide and support the Report Zero Products.
4.3 FEEDBACK. Report Zero encourages Customer to provide suggestions, proposals, ideas, recommendations, or other feedback regarding improvements to the Report Zero Products (collectively, “Feedback”). If Customer provides such Feedback, Customer grants to Report Zero a royalty-free, fully paid, sublicensable, transferable (notwithstanding Section 12.1 (Assignment)), non-exclusive, irrevocable, perpetual, worldwide right and license to use, license, and commercialize Feedback (including by incorporation of such Feedback into Report Zero Core Technology) without restriction.
4.4 PROFESSIONAL SERVICES. Subject to this Section 4.4, Report Zero assigns (and in the future is deemed to have assigned) to Customer any Newly Created IP upon payment in full by Customer for the Professional Service under which the Newly Created IP was created. If any Report Zero Core Technology is incorporated into a Deliverable, Report Zero grants to Customer a non-exclusive, royalty-free, non-transferable (except as set forth in Section 12.1 (Assignment)), non-sublicensable worldwide license to use the Report Zero Core Technology incorporated into the Deliverable in connection with the Subscription Service as contemplated under this Agreement during the applicable Subscription Term. Nothing in this Agreement shall be deemed to restrict or limit Report Zero’s right to perform similar Professional Services for any other party or to assign any employees or subcontractors to perform similar Professional Services for any other party or to use any information incidentally retained in the unaided memories of its employees providing Professional Services.
- WARRANTIES; DISCLAIMER OF WARRANTIES
5.1 LIMITED SUBSCRIPTION SERVICE WARRANTY. Report Zero warrants that, during the Subscription Term, Customer’s production instance of the Subscription Service will materially conform to the Product Overview. To submit a warranty claim under this Section 5.1, Customer will submit a support request to resolve the non-conformity as provided in the Subscription Service Guide. If the non-conformity persists without relief more than 30 days after notice of a warranty claim provided to Report Zero under this Section 5.1, then Customer may terminate the affected Subscription Service, and submit to Reseller a claim for refund to Customer for any prepaid subscription fees covering that part of the applicable Subscription Term for the affected Subscription Service remaining after the effective date of termination. Notwithstanding the foregoing, this warranty will not apply to any non-conformity due to a modification of or defect in the Subscription Service that is made or caused by any person other than Report Zero or a person acting at Report Zero’s direction. This Section 5.1 sets forth Customer’s exclusive rights and remedies (and Report Zero’s sole liability) in connection with this warranty.
5.2 LIMITED PROFESSIONAL SERVICES WARRANTY. Report Zero warrants that the Professional Services will be performed in a competent and workmanlike manner, in accordance with accepted industry standards and practices and all material requirements set forth in the SOW or Service Description. Customer will notify Report Zero of any breach within 30 days after performance of the non-conforming Professional Services. On receipt of such notice, Report Zero, at its option, will either use commercially reasonable efforts to re-perform the Professional Services in conformance with these warranty requirements or will terminate the affected Professional Services, whereupon Customer may submit to Reseller a claim for a refund of any amounts paid for the nonconforming Professional Services. This Section 5.2 sets forth Customer’s exclusive rights and remedies (and Report Zero’s sole liability) in connection with this warranty.
5.3 DISCLAIMER OF WARRANTIES. Except for the warranties expressly stated in this Section 5, to the maximum extent allowed by Law, Report Zero disclaims all warranties of any kind (express, implied, statutory, or otherwise, oral or written, including warranties of merchantability, accuracy, title, noninfringement, or fitness for a particular purpose, and any warranties arising from usage of trade, course of dealing, or course of performance). Without limiting the foregoing, Report Zero specifically does not warrant that the Report Zero Products will meet the requirements of Customer or others or will be accurate or operate without interruption or error. Customer acknowledges that in entering this Agreement, it has not relied on any promise, warranty, or representation not expressly set forth in this Agreement.
- CONFIDENTIAL INFORMATION
6.1 CONFIDENTIALITY OBLIGATIONS. The recipient of Confidential Information will: (a) at all times protect it from unauthorized disclosure with the same degree of care that it uses to protect its own confidential information, and in no event use less than reasonable care; and (b) not use it except to the extent necessary to exercise rights or fulfil obligations under this Agreement. Each party will limit the disclosure of the other party’s Confidential Information to those of its employees and contractors and the employees and contractors of its Affiliates with a need to access such Confidential Information for a party’s exercise of its rights and obligations under this Agreement, and then only to employees and contractors subject to binding disclosure and use restrictions at least as protective as those in this Agreement. Each party’s obligations under this Section 6 will remain in effect during, and for three years after termination of, this Agreement. Receiving party will, at disclosing party’s request, return all originals, copies, reproductions, and summaries of Confidential Information and other tangible materials and devices provided to receiving party as Confidential Information, or at disclosing party’s option, certified destruction of the same. Provisions for return of Customer Data are set forth in Section 11.2 (Return of Customer Data).
6.2 THIRD PARTY REQUESTS. This Agreement will not be construed to prevent receiving party from disclosing the disclosing party’s Confidential Information to a court, or governmental body pursuant to a valid court order, Law, subpoena, or regulation, provided that the receiving party: (a) gives prompt notice (or the maximum notice permitted under Law) before making the disclosure, unless prohibited by Law; (b) provides reasonable assistance to disclosing party in any lawful efforts by disclosing party to resist or limit the disclosure of such Confidential Information; and (c) discloses only that portion of disclosing party’s Confidential Information that is legally required to be disclosed. In addition, receiving party will cooperate and assist disclosing party, at disclosing party’s cost, in relation to any such request and any response to any such communication.
- INDEMNIFICATION
7.1 BY REPORT ZERO.
7.1.1. REPORT ZERO OBLIGATION. Subject to the limitations in this Section 7, Report Zero will: (a) defend Customer, and its and their officers, directors, and employees against any Claim: (i) to the extent alleging that any Report Zero Core Technology accessed or used in accordance with this Agreement infringes any third-party patent, copyright, or trademark, or misappropriates any third-party trade secret; or (ii) to the extent alleging that Report Zero’s personnel when onsite at Customer’s premises caused death, bodily harm, or damage to tangible personal property due to their negligence or willful misconduct; and (b) pay any settlement amount or any court-ordered award of damages, under the foregoing subsections (a)(i) and (ii) to the extent arising from such Claim.
7.1.2. MITIGATION. To the extent any Claim alleges any part of the Report Zero Core Technology infringes any third-party patent, copyright, or trademark, or misappropriates any third-party trade secret, Report Zero may: (a) contest the Claim; (b) obtain permission from the claimant for Customer’s continued use of its instance of the Subscription Service or any applicable Report Zero Core Technology; (c) avoid such Claim by replacing or modifying Customer’s access to and use of its instance of the Subscription Service or any applicable Report Zero Core Technology as long as Report Zero provides a substantially similar Subscription Service; or, if Report Zero determines the foregoing (a), (b), and (c) are not commercially practicable, then (d) terminate Customer’s access to and use of the affected Subscription Service on 60-days’ prior notice, whereupon Customer may submit to Reseller a claim for a refund of any prepaid subscription fees covering that part of the applicable Subscription Term for such Subscription Service remaining after the effective date of termination.
7.1.3. LIMITATIONS. Notwithstanding the above, Report Zero will have no obligation or liability for any Claim under Section 7.1.1(a)(i) to the extent arising in whole or in part from: (a) any access to or use of any Report Zero Core Technology not expressly authorized under this Agreement, to the extent the Claim would have been avoided without such unauthorized access or use; (b) Customer Data or Customer Technology; or (c) access to or use of the Report Zero Core Technology: (i) in violation of Law; (ii) after termination under Section 7.1.2(d); (iii) as modified to Customer’s specifications or by anyone other than Report Zero or its contractors, if the Claim would have been avoided but for such modifications; or (iv) combined with anything not provided by Report Zero, if the Claim would have been avoided but for such combination.
7.2 CUSTOMER OBLIGATION. Customer will: (a) defend Report Zero and Report Zero Affiliates, and its and their officers, directors, and employees against any Claim to the extent alleging that Customer Data, Customer Technology, or a modification to any Report Zero Core Technology made to Customer’s specifications or otherwise made by or on behalf of Customer by any person other than Report Zero or a person acting at Report Zero’s direction (but only if the Claim would have been avoided by use of the unmodified Report Zero Core Technology), infringes any patent, copyright, or trademark, misappropriates any third-party trade secret, or violates any third-party privacy rights; and (b) pay any settlement amount or any court-ordered award of damages, under the foregoing subsection (a) to the extent arising from such Claim.
7.3 PROCESS. The obligations of Report Zero and Customer under Sections 7.1 and 7.2 are conditioned on the indemnified party (a) notifying the indemnifying party promptly in writing of any actual or threatened Claim, (b) the indemnified party giving the indemnifying party sole control of the defense of such Claim and of any related settlement negotiations, and (c) the indemnified party cooperating and, at the indemnifying party’s reasonable request and expense, assisting in such defense. Neither party will stipulate, acknowledge, or admit fault or liability on the other’s part without the other’s prior, written consent. The indemnifying party will not publicize any settlement without the indemnified party’s prior, written consent. To the extent the parties perform as required, this Section 7 states each party’s entire liability and the other party’s exclusive remedy for third-party claims and third-party actions.
- LIMITED LIABILITY
Report Zero shall have no liability for any refund that, in accordance with the terms of this Agreement, is to be paid by Reseller. To the extent permitted by Law, each party’s total, cumulative liability arising out of or related to this Agreement and the products and services provided under it, whether based on contract, tort (including negligence), or any other legal or equitable theory, will be limited to the amounts paid by Customer for use of the products or provision of the services giving rise to the claim during the 12-month period preceding the first event giving rise to liability. The existence of more than one claim will not enlarge this limit. The foregoing limitation of liability shall not apply to: (a) Customer’s obligation to pay for products, services or taxes; (b) a party’s obligations in Section 7 (Indemnification); and (c) infringement by a party of the other party’s Intellectual Property Rights.
- EXCLUDED DAMAGES
To the extent permitted by Law, neither Report Zero nor Customer will be liable to the other or any third party for lost profits (direct or indirect) or loss of use or data or for any incidental, other consequential, punitive, special, or exemplary damages (including damage to business, reputation, or goodwill), or indirect damages of any type however caused, whether by breach of warranty, breach of contract, in tort (including negligence), or any other legal or equitable cause of action, even if such party has been advised of such damages in advance or if such damages were foreseeable. The foregoing exclusions shall not apply to: (a) payments to a third party arising from a party’s obligations under Section 7 (Indemnification); and (b) infringement by a party of the other party’s Intellectual Property Rights.
- GROSS NEGLIGENCE; WILLFUL MISCONDUCT
As provided by Law, nothing herein shall be intended to limit a party’s liability in an action in tort, separate and distinct from a cause of action for breach of this Agreement, for the party’s gross negligence or wilful misconduct.
- TERM AND TERMINATION
11.1 TERMINATION. This Agreement begins on the Effective Date and continues until terminated under its terms. Each party may terminate this Agreement in its entirety: (a) on 90 days’ prior notice to the other, if at the time of notice there are no Use Authorizations in effect; (b) immediately on notice if the other party becomes the subject of a petition in bankruptcy or any proceeding related to its insolvency, receivership, or liquidation, in any jurisdiction, that is not dismissed within 60 days of its commencement or an assignment for the benefit of creditors; or (c) immediately on notice if the other party materially breaches this Agreement and does not cure such breach within 30 days after the other party’s receipt of notice of the breach. Either party may terminate a Use Authorization or SOW on notice if the other party materially breaches this Agreement or the applicable Use Authorization or SOW for the affected service and does not cure the breach within 30 days after receiving notice of the breach from the non-breaching party. Professional Services are separately ordered from the Subscription Service and are not required for use of the Subscription Service. A breach by a party of its obligations with respect to Professional Services shall not by itself constitute a breach by that party of its obligations with respect to the Subscription Service even if the services are enumerated in the same Use Authorization.
11.1.1. EFFECT OF TERMINATION OF SUBSCRIPTION SERVICE. On termination or expiration of the Subscription Service, Customer will stop accessing and using, and Report Zero will stop providing, the Subscription Service and all related rights granted to Customer in this Agreement will terminate immediately, automatically, and without notice. Customer may, within 30 days after the effective date of termination by Customer for Report Zero’s breach, submit to Reseller a claim for refund for any prepaid fees paid to Reseller covering that part of the Subscription Term for the affected Subscription Service, if any, remaining after the effective date of termination. Within 30 days after the effective date of termination by Report Zero for Customer’s breach, Customer shall pay all remaining amounts for the Subscription Term applicable to the Subscription Service covering the remainder of the Subscription Term regardless of the due dates specified in an applicable ordering document between Reseller and Customer.
11.2 RETURN OF CUSTOMER DATA. After termination or expiration of this Agreement or the applicable Subscription Service, upon Customer’s written request, Report Zero will provide any Customer Data in the Subscription Service to Customer in Report Zero’s standard database export format at no additional charge. Customer must submit such request to Report Zero within 45 days after termination or expiration of this Agreement or the Subscription Service. Report Zero is not obligated to maintain or provide any Customer Data after such 45-day period and will, unless legally prohibited, delete all Customer Data in its systems or otherwise in its possession or under its control, and delete Customer’s instances of the Subscription Service.
11.3 SURVIVAL. Sections 2.2 (Restrictions), 4 (Intellectual Property), 5 (Warranties; Disclaimer of Warranties) (solely in accordance with its terms), 6 (Confidential Information) through 10 (Gross Negligence; Wilful Misconduct), 11 (Term and Termination) (solely in accordance with its terms), and 12 (General Provisions), together with any other terms required for their construction or enforcement, will survive termination or expiration of this Agreement.
- GENERAL PROVISIONS
12.1 ASSIGNMENT. Neither party may assign or novate its rights or obligations under this Agreement, by operation of law or otherwise (any of the foregoing, “Assign”), without the other party’s prior written consent. Notwithstanding the foregoing, on notice and without the other’s consent: (a) either party may in connection with a merger, reorganization, or sale of all or substantially all of such party’s assets or equity, Assign this Agreement in its entirety to such party’s successor; and (b) Report Zero may Assign this Agreement in its entirety to any Report Zero Affiliate. Any attempted or purported Assignment in violation of this Section 12.1 will be null and void. Subject to the foregoing, this Agreement will bind and inure to the benefit of the parties, their respective successors, and permitted assigns.
12.2 COMPLIANCE WITH LAWS. Report Zero will comply with all Laws applicable to its provision under the Agreement of the Report Zero Products, including those applicable to privacy and security of personal information (including mandatory trans-border data transfers and mandatory data breach notification requirements), but excluding Laws specifically applicable to Customer and its industry not generally applicable to information technology service providers regardless of industry. Customer will comply with all Laws applicable to its use of the Report Zero Products, including those applicable to collection and processing of Customer Data in Report Zero systems through the Subscription Service. Customer agrees to provide any required disclosures to and obtain any required consents for the transfer of Customer Data to Report Zero.
12.3 EXPORT COMPLIANCE. Each party will comply with local and foreign export control Laws, including U.S. export control Laws. Customer is responsible for complying with any local Laws that may impact Customer’s right to import, export, or use Report Zero Products or any of them.
12.4 NOTICE. Except as otherwise provided in this Agreement, all notices will be in writing and deemed given on: (a) personal delivery; (b) when received by the addressee if sent by a recognized overnight courier (receipt requested); (c) the third business day after mailing; or (d) the first business day after sending by email with confirmation of receipt, except that email will not be sufficient for notices regarding a Claim or alleged breach. Notices will be sent as set forth on the first page of this Agreement or as subsequently updated in writing.
12.5 FORCE MAJEURE. Report Zero is not, and may not be construed to be, in breach of this Agreement for any failure or delay in fulfilling or performing the Subscription Service or any Professional Services, when and to the extent such failure or delay is caused by or results from acts beyond Report Zero’s reasonable control, including: strikes, lock-outs, or other industrial disputes; trespass, sabotage, theft or other criminal acts; export bans, sanctions, war, terrorism, riot, civil unrest, or government action; failure of Internet connectivity or backbone or other telecommunications failures, in each case outside of Report Zero’s local network; breakdown of plant or machinery; nuclear, chemical, or biological contamination; fire, flood, natural disaster, extreme adverse weather, or other acts of God (each a “Force Majeure Event”). Report Zero will use reasonable efforts to mitigate the effects of such Force Majeure Event.
12.6 HIGH RISK ACTIVITY. The Report Zero Products are not designed for any purpose requiring fail-safe performance, including stock trading, financial transaction processing, operation of nuclear facilities, aircraft navigation or communication systems, air traffic control, direct life support machines, weapons systems, or other management or operation of hazardous facilities or applications for which failure could result in death, personal injury, or severe physical, property, or environmental damage (each, a “High Risk Activity”). Report Zero, its licensors, and suppliers expressly disclaim all warranties of fitness for any such use.
12.7 EXECUTION. This Agreement may be executed in counterparts, by electronic means to accurately send images, such as via email, or by electronic signature service. Neither party will contest the Agreement’s validity solely because a signature was faxed or sent through other permitted electronic means. Each party will deliver to the other an original executed copy of the Agreement promptly after execution.
12.8 WAIVER AND AMENDMENT. Failure by a party to enforce any part of this Agreement will not be deemed a waiver of future enforcement of that or any other provision. A waiver of any right is effective only if in a writing signed by an authorized representative of the waiving party. Any modification of this Agreement must be in writing and signed by authorized representatives of both parties.
12.9 SEVERABILITY. If any term of this Agreement is held invalid, unenforceable, or void by a court of competent jurisdiction, such term will be enforced to the maximum extent permissible, such holding will not affect the remaining terms, and the invalid, unenforceable, or void term will be deemed amended or replaced by a valid, legal, and enforceable term that matches the intent of the original language as closely as possible.
12.10 RELATIONSHIP. The parties are independent contractors. Nothing in this Agreement will be construed to create a partnership, joint venture, agency, or other relationship. Neither party has any right or authority to assume or create any obligation of any kind, express or implied, in the other party’s name or on its behalf. No third-party is a third-party beneficiary of, or liable under, this Agreement, and no third-party is responsible for any obligations or liability arising out of Customer’s use of the Report Zero Core Technology.
12.11 GOVERNING LAW; JURISDICTION AND VENUE. If Customer is located in the United States, Canada, or Mexico this Agreement will be governed by the Laws of the State of California, without regard to its conflict of laws principles. The parties irrevocably consent to the exclusive jurisdiction of, and venue in, any federal or state court of competent jurisdiction located in Santa Clara County, California, for the purposes of adjudicating any dispute arising out of or related to this Agreement. Each party expressly consents to service of process by registered mail. To the extent permitted by Law, choice of law rules and the United Nations Convention on Contracts for the International Sale of Goods will not apply. Notwithstanding the foregoing, either party may at any time seek and obtain appropriate legal or equitable relief in any court of competent jurisdiction for claims regarding such party’s Intellectual Property Rights.
12.12 COUNTRY SPECIFIC PROVISIONS. For any Customer domiciled outside the United States, Canada, or Mexico, the country-specific provisions following this Section 12 shall replace or supplement the equivalent provisions of the Agreement depending on the following: (a) if Customer is executing its Use Authorization with Report Zero Nederland B.V., then “the Netherlands” provisions apply; (b) if Customer is executing its Use Authorization with Report Zero UK Ltd., then the “United Kingdom” provisions apply; and (c) if Customer is domiciled in Australia, then the “Australia” provisions apply.
12.13 EQUITABLE REMEDIES. The receiving party’s disclosure of Confidential Information except as provided in this Agreement, or a party’s infringement or misappropriation of the other party’s Intellectual Property Rights may result in irreparable injury for which a remedy in money damages may be inadequate. In the event of such actual or threatened disclosure, infringement or misappropriation, disclosing party may be entitled to seek an injunction to prevent the breach or threatened breach without the necessity of proving irreparable injury or the inadequacy of money damages, in addition to remedies otherwise available to disclosing party at law or in equity.
12.14 CONSTRUCTION. Report Zero is obligated to provide Report Zero Products only in the English language, unless otherwise agreed in writing. The parties have expressly requested that this Agreement and all related documents be drafted in English. Les parties confirment avoir expressément exigé que le présent contrat et les documents de Report Zero qui y sont attachés soient rédigés en anglais. Section headings are for convenience only and are not to be used in interpreting this Agreement. This Agreement has been negotiated by the parties and their respective legal team and will be interpreted fairly in accordance with its terms and without any strict construction in favour of or against either party. Lists of examples following “including”, “e.g.”, “such as”, or “for example” are interpreted to include “without limitation”, unless qualified by words such as “only” or “solely.” Unless stated or context requires otherwise: (a) all internal references are to this Agreement, its parties, and its Exhibits; (b) “days” means calendar days; (c) “may” means that the applicable party has a right, but not a concomitant duty; (d) all monetary amounts are expressed and, if applicable, payable, in U.K. pounds; (e) “current” or “currently” means “as of the Effective Date” but “then-current” means the present time when the applicable right is exercised or performance rendered or measured; (f) the word “or” will be deemed to be an inclusive “or”; (g) URLs are understood to also refer to successor URLs, URLs for localized content, and information or resources linked from within the websites at such URLs; (h) a writing is “signed” when it has been hand-signed (i.e., with a pen) or electronically signed using an electronic signature service by duly authorized representatives of both parties; (i) a party’s choices, elections, and determinations under this Agreement are in its sole discretion; (j) the singular includes the plural and vice versa; (k) a reference to a document includes any amendment, replacement, or novation of it; and (m) a reference to a thing includes a part of that thing (i.e., is interpreted to include “in whole or in part”).
12.15 ENTIRETY. This Agreement (together with the Use Authorizations, Product Overviews, SOWs, and Service Descriptions, all of which are also deemed incorporated by this reference) is the parties’ entire agreement regarding its subject matter and supersedes all prior or contemporaneous oral or written agreements, representations, understandings, undertakings, negotiations, letters of intent, and proposals, with respect to such subjects. The terms of this Agreement apply to the exclusion of any other terms Customer seeks to impose or incorporate, or that may be implied by trade, custom, practice, or course of dealing. Customer acknowledges it has not relied on any statement, promise, or representation made or given by or on behalf of Report Zero that is not expressly stated in this Agreement. Customer’s orders are not contingent, and Customer has not relied, on the delivery of any future functionality regardless of any verbal or written communication about Report Zero’s possible future plans.
THE NETHERLANDS
- The following language shall replace Section 12.12 of the General Terms and Conditions:
If Customer is executing its Use Authorization with Report Zero Nederland B.V., this Agreement shall be governed by the laws of The Netherlands without regard to its conflict of laws principles. The parties hereby irrevocably consent to the nonexclusive jurisdiction of, and venue in, any court of competent jurisdiction located in Amsterdam, The Netherlands for the purposes of adjudicating any dispute arising out of this Agreement. Each party hereto expressly consents to service of process by registered mail. To the extent permitted by law, choice of law rules and the United Nations Convention on Contracts for the International Sale of Goods shall not apply. Notwithstanding the foregoing, either party may at any time seek and obtain appropriate legal or equitable relief in any court of competent jurisdiction for claims regarding such party’s intellectual property rights.
UNITED KINGDOM
- The following language shall replace Section 12.12 of the General Terms and Conditions:
If Customer is executing its Use Authorization with Report Zero UK Ltd., this Agreement shall be governed by the laws of England and Wales without regard to its conflict of laws principles. The parties hereby irrevocably consent to the nonexclusive jurisdiction of, and venue in, any court of competent jurisdiction located in London, England for the purposes of adjudicating any dispute arising out of this Agreement. Each party hereto expressly consents to service of process by registered mail. To the extent permitted by law, choice of law rules and the United Nations Convention on Contracts for the International Sale of Goods shall not apply. Notwithstanding the foregoing, either party may at any time seek and obtain appropriate legal or equitable relief in any court of competent jurisdiction for claims regarding such party’s intellectual property rights.
AUSTRALIA
- The following language shall be added as a new Section 5.4 of the General Terms and Conditions: COMPLIANCE WITH CONSUMER LAWS. To the extent, if any, that the terms and conditions of the Competition and Consumer Act 2010 (Cth), including the Australian Consumer Law, or other statutory Law prevents Report Zero from excluding certain liability as set forth in the Agreement, such liability will be limited to the extent permitted by such Law to one or more of the following: (a) in respect of a supply of services, to: (i) the supplying of the services again, or (ii) the payment of the cost of having the services supplied again; and (b) in respect of a supply of goods, to: (i) the replacement of the goods or the supply of equivalent goods, (ii) the repair of the goods, (iii) the payment of the cost of replacing the goods or of acquiring equivalent goods, or (iv) the payment of the cost of having the goods repaired. Notwithstanding any other provision of this Agreement or any Use Authorization or Order Form to the contrary, nothing therein will derogate from any requirement to provide a refund under the Australian Consumer Law. If Customer is acquiring goods or services as a “consumer” for the purposes of the Australian Consumer Law, the benefits given by any warranties that are a “warranty against defects” (as such term is defined in the Australian Consumer Law) are in addition to any other rights and remedies available to Customer under a law in relation to the goods or services to which such warranty relates and, in such case, “Our goods come with guarantees that cannot be excluded under the Australian Consumer Law. You are entitled to a replacement or refund for a major failure and compensation for any other reasonably foreseeable loss or damage. You are also entitled to have the goods repaired or replaced if the goods fail to be of acceptable quality and the failure does not amount to a major failure.”
- The following language shall replace section 12.12 of the General Terms and Conditions:
GOVERNING LAW; JURISDICTION AND VENUE. This Agreement shall be governed by the laws of the state of New South Wales, Australia without regard to its conflict of laws principles. The parties hereby irrevocably consent to the exclusive jurisdiction of, and venue in, any federal or state court of competent jurisdiction located in New South Wales, Australia for the purposes of adjudicating any dispute arising out of this Agreement. Each party hereto expressly consents to service of process by registered mail. To the extent permitted by law, choice of law rules and the United Nations Convention on Contracts for the International Sale of Goods shall not apply. Notwithstanding the foregoing, either party may at any time seek and obtain appropriate legal or equitable relief in any court of competent jurisdiction for claims regarding such party’s intellectual property rights.
EXHIBIT A.1 – SUBSCRIPTION SERVICE GUIDE
- SUPPORT
Report Zero will provide support for the Subscription Service as set forth in the Customer Support Policy attached to this Subscription Service Guide as Exhibit A.2 and incorporated herein by reference. The Customer Support Policy may be updated periodically.
- UPGRADES AND UPDATES
Report Zero will provide upgrades and updates to the Subscription Service as described in Exhibit A.3 Upgrades and Updates attached to this Subscription Service Guide and incorporated herein by reference. The Upgrade and Update exhibit may be updated periodically.
- DATA PROCESSING ADDENDUM
The parties’ agreement with respect to the processing of personal information submitted to the Subscription Service is described in the Data Processing Addendum attached to this Subscription Service Guide as Exhibit A.4 and incorporated herein by reference. The Data Processing Addendum may be updated periodically.
- DATA SECURITY GUIDE
Report Zero will implement and maintain security procedures and practices appropriate to information technology service providers designed to protect Customer Data from unauthorized access, destruction, use, modification, or disclosure, as described in the Data Security Guide attached to this Subscription Service Guide as Exhibit A.5 and incorporated herein by reference. The Data Security Guide may be updated periodically.
- INSURANCE
Report Zero agrees to maintain in effect during the Subscription Term, at Report Zero’s expense, the following minimum insurance coverage:
5.1 Workers’ Compensation Insurance, in accordance with applicable statutory, federal, and other legal requirements;
5.2 Employers’ Liability Insurance covering Report Zero’s employees in an amount of not less than UK£1,000,000 for bodily injury by accident and UK£1,000,000 each employee for bodily injury by disease;
5.3 Commercial General Liability Insurance written on an occurrence form and including coverage for bodily injury, property damage, products and completed operations, personal injury, and advertising injury arising out of the products or services provided by Report Zero under this Agreement, with minimum limits of UK£1,000,000 per occurrence/UK£2,000,000 aggregate;
5.4 Commercial Automobile Liability Insurance providing coverage for hired and non-owned automobiles used in connection with this Agreement in an amount of not less than UK£1,000,000 per accident, combined single limit for bodily injury and property damage;
5.5 Combined Technology Errors’ & Omissions Policy with a UK£1,000,000 per claim limit, including: (a) Professional Liability Insurance providing coverage for the services and software in this Agreement (which coverage will be maintained for at least two years after termination of this Agreement); and (b) Privacy, Security, and Media Liability Insurance providing liability coverage for unauthorized access or disclosure, security breaches, and system attacks, as well as infringements of copyright and trademark that might result from this Agreement; and
5.6 Excess Liability over Employers’ Liability, Commercial General Liability, and Commercial Automobile Liability, with a UK£1,000,000 aggregate limit.
For the purpose of this Section 5, a “claim” means a written demand for money or a civil proceeding which is commenced by service of a complaint or similar pleading.
- AVAILABILITY SERVICE LEVEL
6.1 DEFINITIONS.
6.1.1 “Available” means that the Subscription Service can be accessed by authorized users in accordance with their rights of access.
6.1.2. “Excused Downtime” means: (a) Maintenance Time of up to eight hours per month; and (b) any time the Subscription Service is not Available due to circumstances beyond Report Zero’s control, including modifications of the Subscription Service by any person other than Report Zero or a person acting at Report Zero’s direction, a Force Majeure Event, general Internet outages, failure of Customer’s infrastructure or connectivity (including direct connectivity and virtual private network (“VPN”) connectivity to the Subscription Service), computer and telecommunications failures and delays, and network intrusions or denial-of-service or other criminal attacks.
6.1.3 “Infrastructure Modification” means any repairs, maintenance, improvements, or changes to the cloud infrastructure used by Report Zero to operate and deliver the Subscription Service.
6.1.4 “Maintenance Time” means the time the Subscription Service is not Available due to an Infrastructure Modification, Upgrade, and Update.
6.1.5 “Availability SLA” means that the production instances of the Subscription Service will be Available at least 90% of the time during a calendar month, excluding Excused Downtime.
6.2 AVAILABILITY. If Customer’s production instances of the Subscription Service fall below the Availability SLA during a calendar month, Customer’s exclusive remedy for failure of the Subscription Service to meet the Availability SLA is to request that either: (a) the affected Subscription Term be extended for the number of minutes the Subscription Service was not Available in the month in accordance with the Availability SLA; or (b) Report Zero issue a service credit to Customer for the dollar value of the number of minutes the Subscription Service was not Available in the month in accordance with the Availability SLA (determined at the deemed per minute rate Report Zero charges to Customer for Customer’s use of the affected Subscription Service), which Customer may request Report Zero apply to the next invoice for subscription fees.
6.3 REQUESTS. Customer must request all service credits or extensions in writing to Reseller within 30 days of the end of the month in which the Availability SLA was not met, identifying the support requests relating to the period Customer’s production instances of the Subscription Service was not Available. The total amount of service credits for any month may not exceed the subscription fee for the affected Subscription Service for that month and has no cash value. Report Zero may delay issuing service credits until such amounts reach $1,000 USD or equivalent currency specified in the applicable Order Form.
6.4 NOTICE. Report Zero will give Customer 10 days’ prior notice of an Infrastructure Modification if Report Zero, in its reasonable judgment, believes that the Infrastructure Modification will impact Customer’s use of its production instances of the Subscription Service, unless, in the reasonable judgment of Report Zero, the Infrastructure Modification is necessary to: (a) maintain the availability, security, or performance of the Subscription Service; (b) comply with Law; or (c) avoid infringement or misappropriation of third-party Intellectual Property Rights.
EXHIBIT A.2 – CUSTOMER SUPPORT POLICY
This Customer Support Policy governs the support that Report Zero will provide for its Subscription Service (“Customer Support”).
- SCOPE
The purpose of Customer Support is to resolve defects that cause a nonconformity in the Subscription Service as compared to the Product Overview. A resolution to a defect may consist of a fix, workaround, or other relief, as Report Zero deems reasonable. Customer Support does not include performing the following services:
- implementation services;
- configuration services;
- integration services;
- customization services or other custom software development;
- training; or
- assistance with administrative functions.
Customer Support is not required to provide resolutions for immaterial defects or defects due to modifications of the Subscription Service made by any person other than Report Zero or a person acting at Report Zero’s direction, or defects on any instance of the Subscription Service not in conformance with Exhibit A.3 – Upgrades and Updates.
- BUSINESS HOURS
Customer Support is available 8 hours a day, 5 days a week, including all holidays.
- ACCESS CONTACTS
Report Zero’s Customer Support portal (“Support Portal”) is located at https://reportzero.net/. Customer may get login access to the Support Portal by contacting its Report Zero administrator. Report Zero’s Customer Support may be reached by email at support@reportzero.net.
- INCIDENT PRIORITY
Incident priority for a defect is determined using the guidelines below.
| Priority | Definition |
| --- | --- |
| P1 | Any defect that causes an instance not to be Available. |
| P2 | Any defect that causes a critical function to fail. |
| P3 | Any defect that significantly impedes work or progress. |
| P4 | Any defect that does not significantly impede work or progress. |
- RESPONSE TIMES AND LEVEL OF EFFORT
Customer may submit an incident with Report Zero via the Support Portal or phone. Response times are not affected by the manner of contact. All support requests are tracked in the Support Portal and can be viewed by Customer’s authorized contacts. Report Zero will use reasonable efforts to meet the target response times and target level of effort stated in the table below.
| Priority | Target Response Times | Target Level of Effort |
| --- | --- | --- |
| P1 | 3 hours | 8 hours per day, 5 days per week (normal UK business hours) |
| P2 | 7 hours | 8 hours per day, 5 days per week (normal UK business hours) |
| P3 | 2 business days | As appropriate during normal business hours |
| P4 | N/A | Varies |
- CUSTOMER RESPONSIBILITIES
Customer’s obligations with respect to Customer Support are as follows:
6.1 Customer will receive from Report Zero communications via email, phone, or through the Support Portal regarding the Subscription Service.
6.2 Customer will appoint no more than 10 contacts (“Customer Authorized Contacts”) to engage Customer Support for questions and technical issues.
6.2.1. Customer must maintain the following Customer Authorized Contacts:
- Primary Business Contact;
- Secondary Business Contact;
- Technical Contact;
- Support Contact;
- Primary Customer Administrator; and
- Security Contact.
6.2.2. Customer will maintain current information for all Customer Authorized Contacts in the Support Portal.
6.2.3. Only Customer Authorized Contacts will contact Customer Support.
6.2.4. Customer will train all Customer Authorized Contacts on the use and administration of the Subscription Service.
6.3 Customer will cooperate to enable Report Zero to deliver the Subscription Service and Customer Support.
6.4 Customer is solely responsible for the use of the Subscription Service by its users.
EXHIBIT A.3 – UPGRADES AND UPDATES
- DEFINITIONS
1.1 “Upgrades” are Report Zero’s releases of the Subscription Service for enhancements or new features (including a new Release Family) applied by Report Zero to Customer’s instances of the Subscription Service at no additional fee during the Subscription Term.
1.2 “Updates” are Report Zero’s releases (including patches and hotfixes) of the Subscription Service applied by Report Zero to Customer’s instances of the Subscription Service at no additional fee during the Subscription Term that provide problem fixes, but do not generally include new functionality, and are released as needed.
1.3 “Release Family” is an Upgrade that is a complete solution with new features or enhancements, including previously released Updates if applicable to the features included in the Upgrade. For example, Report Zero’s “Scotland” Upgrade established the “Scotland Release Family”.
1.4 “Critical Upgrade” is an Upgrade that in Report Zero’s reasonable judgment is critical to maintain the availability, security, or performance of the Subscription Service; to comply with applicable laws; or to avoid infringement or misappropriation of a third-party Intellectual Property Right.
1.5 “Critical Update” is an Update that in Report Zero’s reasonable judgment is critical to maintain the availability, security, or performance of the Subscription Service; to comply with applicable laws; or to avoid infringement or misappropriation of a third-party Intellectual Property Right.
1.6 “Supported Release Family” at a particular time means the then-current Release Family and the prior 2 Release Families.
- UPGRADES AND UPDATES
Report Zero shall determine, in its sole discretion: (a) whether and when to develop, release and apply any Update or Upgrade to Customer’s instances of the Subscription Service; and (b) whether a particular release is an Update, Upgrade or new service offering that is available separately for purchase.
- NOTICE
Report Zero shall: (a) give Customer 10 days’ notice of any Upgrade to the Subscription Service; and (b) use reasonable efforts to give Customer 2 days’ notice of any Update to the Subscription Service. Notwithstanding the foregoing, Report Zero may provide Customer with shorter notice or no notice before the application of a Critical Upgrade or a Critical Update.
- SUPPORTED AND NON-SUPPORTED RELEASE FAMILIES
Customer acknowledges that the current Release Family is the version of the Subscription Service containing the most current features, availability, performance and security. Within a Supported Release Family, the most recent Update is the version of the Subscription Service for that Release Family that contains the most current problem fixes, availability, performance and security. A Customer using a Supported Release Family may be required to apply a Critical Update within the Supported Release Family. A Customer that has not Upgraded to a Supported Release Family may experience defects, for which Customer hereby agrees that Report Zero is not responsible, including without limitation those that affect the features, availability, performance and security of the Subscription Service, that are fixed in the most current version of the Subscription Service. A Customer who is not using a Supported Release Family may be required to apply an Upgrade to a Supported Release Family.
EXHIBIT A.4 – DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) is deemed to include Sections 1 through 9 below, including the attached Appendix 1, and the Data Security Guide, all of which are expressly deemed incorporated in the Agreement by this reference.
In the event of any conflict between the terms of this DPA and the terms of the Agreement with respect to the subject matter herein, this DPA shall control. Any data processing agreements that may already exist between parties as well as any earlier version of the Data Security Guide to which the parties may have agreed are superseded and replaced by this DPA in their entirety. All capitalized terms not defined in this DPA will have the meaning given to them in other parts of the Agreement.
- DEFINITIONS
1.1 “Affiliates” means any person or entity directly or indirectly Controlling, Controlled by or under common Control with a party to the Agreement, where “Control” means the legal power to direct or cause the direction of the general management of the company, partnership, or other legal entity.
1.2 “Agreement” means the Order Form or Use Authorization or other signed ordering document, as applicable, between Report Zero and Customer and the signed master agreement (if any) for the purchase of the Subscription Service.
1.3 “Data Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data. For purposes of this DPA, Data Controller is Customer and, where applicable, its Affiliates either permitted by Customer to submit Personal Data to the Subscription Service or whose Personal Data is Processed in the Subscription Service.
1.4 “Data Processor” means the natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Data Controller. For purposes of this DPA, Data Processor is the Report Zero entity that is a party to the Agreement.
1.5 “Data Protection Laws” means all applicable laws and regulations regarding the Processing of Personal Data and includes GDPR.
1.6 “Data Subject” means an identified or identifiable natural person.
1.7 “GDPR” means the European Union’s General Data Protection Regulation (2016/679) and UK’s General Data Protection Regulation.
1.8 “Instructions” means Data Controller’s documented data Processing instructions issued to Data Processor in compliance with this DPA.
1.9 “Personal Data” means any information relating to a Data Subject uploaded by or for Customer or Customer’s agents, employees, or contractors to the Subscription Service as Customer Data.
1.10 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.11 “Professional Services” means any consulting or development services provided by or on behalf of Report Zero pursuant to an agreed Statement of Work or Service Description described or referenced in a signed ordering document.
1.12 “Sub-Processor” means any legal person or entity engaged in the Processing of Personal Data by Data Processor.
1.13 “Subscription Service” means the Report Zero software-as-a-service offering ordered by Customer under a Use Authorization or other signed ordering document between Report Zero and Customer.
1.14 “Subscription Term” means the term of authorized use of the Subscription Service as set forth in the Order Form, Use Authorization, or other ordering document signed by Customer and Report Zero.
- SCOPE OF THE PROCESSING
2.1 COMMISSIONED PROCESSOR. Data Controller appoints Data Processor to Process Personal Data on behalf of Data Controller to the extent necessary to provide the Subscription Service described in the Agreement and in accordance with the Instructions.
2.2 INSTRUCTIONS. The Agreement constitutes Data Controller’s written Instructions to Data Processor for Processing of Personal Data. Data Controller may issue additional or alternate Instructions provided that such Instructions are: (a) consistent with the purpose and the scope of the Agreement; and (b) confirmed in writing by Data Controller. For the avoidance of doubt, Data Controller shall not use additional or alternate Instructions to alter the scope of the Agreement. Data Controller is responsible for ensuring its Instructions to Data Processor comply with Data Protection Laws.
2.3 NATURE, SCOPE AND PURPOSE OF THE PROCESSING. Data Processor shall only Process Personal Data in accordance with Data Controller’s Instructions and to the extent necessary for providing the Subscription Service and the Professional Services, each as described in the Agreement. Data Controller acknowledges that all Personal Data it instructs Data Processor to Process for the purpose of providing the Professional Services must be limited to the Customer Data Processed within the Subscription Service.
2.4 CATEGORIES OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS. Data Controller may submit Personal Data to the Subscription Service as Customer Data, the extent of which is determined and controlled by Data Controller in its sole discretion and is further described in Appendix 1.
- DATA CONTROLLER
3.1 COMPLIANCE WITH DATA PROTECTION LAWS. Data Controller shall comply with all of its obligations under Data Protection Laws when Processing Personal Data.
3.2 SECURITY RISK ASSESSMENT. Data Controller agrees that in accordance with Data Protection Laws and before submitting any Personal Data to the Subscription Service, Data Controller will perform an appropriate risk assessment to determine whether the security measures within the Subscription Service provide an adequate level of security, taking into account the nature, scope, context and purposes of the processing, the risks associated with the Personal Data and the applicable Data Protection Laws. Data Processor shall provide Data Controller reasonable assistance by providing Data Controller with information requested by Data Controller to conduct Data Controller’s security risk assessment. Data Controller is solely responsible for determining the adequacy of the security measures within the Subscription Service in relation to the Personal Data Processed. As further described in Section 7.1 (Product Capabilities) of the Data Security Guide, the Subscription Service includes, without limitation, column level encryption functionality and role-based access control, which Data Controller may use in its sole discretion to ensure a level of security appropriate to the risk of the Personal Data. For clarity, Data Controller may influence the scope and the manner of Processing of its Personal Data by its own implementation, configuration (i.e., different types of encryption) and use of the Subscription Service, including any other products or services offered by Report Zero and third-party integrations.
3.3 CUSTOMER’S AFFILIATES. The obligations of Data Processor set forth herein will extend to Customer’s Data Controller Affiliates to which Customer provides access to the Subscription Service or whose Personal Data is Processed within the Subscription Service, subject to the following conditions:
3.3.1. COMPLIANCE. Customer shall at all times be liable for its Affiliates’ compliance with this DPA and all acts and omissions by a Data Controller Affiliate are considered acts and omissions of Customer; and
3.3.2. CLAIMS. Customer’s Data Controller Affiliates will not bring a claim directly against Data Processor. In the event a Data Controller Affiliate wishes to assert a valid legal action, suit, claim or proceeding against Data Processor (a “Data Controller Affiliate Claim”): (i) Customer must bring such Data Controller Affiliate Claim directly against Data Processor on behalf of such Data Controller Affiliate, unless Data Protection Laws require that Data Controller Affiliate be party to such Data Controller Affiliate Claim; and (ii) all Data Controller Affiliate Claims will be considered claims made by Customer and are at all times subject to any aggregate limitation of liability set forth in the Agreement.
3.3.3. DATA CONTROLLER AFFILIATE ORDERING. If a Data Controller Affiliate purchased a separate instance of the Subscription Service under the terms of the signed master agreement between Report Zero and Customer, then such Data Controller Affiliate will be deemed a party to this DPA and shall be treated as Customer under the terms of this DPA.
3.4 COMMUNICATION. Unless otherwise provided in this DPA, all requests, notices, cooperation, and communication, including Instructions issued or required under this DPA (collectively, “Communication”), must be in writing and between Customer and Report Zero only and Customer shall inform the applicable Data Controller Affiliate of any Communication from Report Zero pursuant to this DPA. Customer shall be solely responsible for ensuring that any Communications (including Instructions) it provides to Report Zero relating to Personal Data for which a Customer Affiliate is Data Controller reflect the relevant Customer Affiliate’s intentions.
- DATA PROCESSOR
4.1 DATA CONTROLLER’S INSTRUCTIONS. Data Processor will have no liability for any harm or damages resulting from Data Processor’s compliance with Instructions received from Data Controller. Where Data Processor believes that compliance with Data Controller’s Instructions could result in a violation of Data Protection Laws or is not in the ordinary course of Data Processor’s obligations in operating the Subscription Service or delivering Professional Services, Data Processor shall promptly notify Data Controller thereof. Data Controller acknowledges that Data Processor is reliant on Data Controller’s representations regarding the extent to which Data Controller is entitled to Process Personal Data.
4.2 DATA PROCESSOR PERSONNEL. Access to Personal Data by Data Processor will be limited to personnel who require such access to perform Data Processor’s obligations under the Agreement and who are bound by obligations to maintain the confidentiality of such Personal Data at least as protective as those set forth herein and in the Agreement.
4.3 DATA SECURITY MEASURES. Without prejudice to Data Controller’s security risk assessment obligations under Section 3.2 (Security Risk Assessment) above, Data Processor shall maintain appropriate technical and organizational safeguards to protect the security, confidentiality, and integrity of Customer Data, including any Personal Data contained therein, as described in Section 2 (Physical, Technical, and Administrative Security Measures) of the Data Security Guide. Such measures are designed to protect Customer Data from loss, alteration, unauthorized access, acquisition, use, disclosure, or accidental or unlawful destruction, and include:
4.3.1. SERVICE ACCESS CONTROL. The Subscription Service provides user and role-based access controls. Data Controller is responsible for configuring such access controls within its instance.
4.3.2. LOGGING AND MONITORING. The production infrastructure log activities are centrally collected and are secured in an effort to prevent tampering and are monitored for anomalies by a trained security team.
4.3.3. DATA SEPARATION. Customer Data shall be maintained within a logical single-tenant architecture on multi-tenant cloud infrastructure that is logically and physically separate from Report Zero’s corporate infrastructure.
4.3.4. SERVICE CONTINUITY. The production database servers are replicated in near real time to a mirrored data center in a different geographic region.
4.3.5. TESTING. Data Processor regularly tests, assesses and evaluates the effectiveness of its information security program and may periodically review and update such program to address new and evolving security technologies, changes to industry standard practices, and changing security threats.
4.4 DELETION OF PERSONAL DATA. Upon termination or expiration of the Agreement, Data Processor shall return and delete Customer Data, including Personal Data contained therein, as described in the Agreement.
4.5 DATA CENTERS. Data Processor will host Data Controller’s instances of the Subscription Service in public cloud provider data centers located in the geographic regions specified on the Order Form, Use Authorization, or other signed ordering document between Report Zero and Customer.
4.6 DATA PROTECTION IMPACT ASSESSMENTS (DPIA). Data Processor will, on request, provide Data Controller with reasonable information required to fulfil Data Controller’s obligations under GDPR to carry out data protection impact assessments, if any, for Processing of Personal Data within the Subscription Service.
4.7 PRIOR CONSULTATION. Data Processor shall provide reasonable assistance (at Data Controller’s expense) in connection with any prior consultation Data Controller is required to undertake with a supervisory authority under Data Protection Laws with respect to Processing of Personal Data in the Subscription Service.
4.8 DATA PROCESSOR ASSISTANCE. Data Processor will assist Data Controller in ensuring compliance with Data Controller’s obligations pursuant to Articles 32 to 36 of GDPR taking into account the nature of Processing by providing Data Controller with reasonable information requested pursuant to the terms of this DPA, including information required to conduct Data Controller’s security risk assessment and respond to Data Subject Requests (defined below). For clarity, Data Controller is solely responsible for carrying out its obligations under GDPR and this DPA. Data Processor shall not undertake any task that can be performed by Data Controller.
4.9 DATA PROTECTION CONTACT. Report Zero and its Sub-Processor Affiliates (defined below) will maintain a dedicated data protection team to respond to data protection inquiries throughout the duration of this DPA and can be contacted at privacy@ReportZero.net.
- REQUESTS MADE FROM DATA SUBJECTS AND AUTHORITIES
5.1 REQUESTS FROM DATA SUBJECTS. During the Subscription Term, Data Processor shall provide Data Controller with the ability to access, correct, rectify, erase, or block Personal Data, or to transfer or port such Personal Data, within the Subscription Service, as may be required under Data Protection Laws (collectively, “Data Subject Requests”).
5.2 RESPONSES. Data Controller will be solely responsible for responding to any Data Subject Requests, provided that Data Processor shall reasonably cooperate with the Data Controller to respond to Data Subject Requests to the extent Data Controller is unable to fulfill such Data Subject Requests using the functionality in the Subscription Service. Data Processor will instruct the Data Subject to contact the Customer in the event Data Processor receives a Data Subject Request directly.
5.3 REQUESTS FROM AUTHORITIES. In the case of a notice, audit, inquiry, or investigation by a government body, data protection authority, or law enforcement agency regarding the Processing of Personal Data, Data Processor shall promptly notify Data Controller unless prohibited by applicable law. Data Controller shall keep records of the Personal Data Processed by Data Processor and shall cooperate and provide all necessary information to Data Processor in the event Data Processor is required to produce such information to a data protection authority.
5.2 COOPERATION WITH SUPERVISORY AUTHORITIES. In accordance with Data Protection Laws, Data Controller and Data Processor shall cooperate, on request, with a supervisory authority in the performance of such supervisory authority’s task.
- BREACH NOTIFICATION
6.1 NOTIFICATION. Data Processor will report to Data Controller any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data (“Breach”) that it becomes aware of without undue delay following determination by Report Zero that a Breach has occurred.
6.2 REPORT. The initial report will be made to Data Controller’s security or privacy contact(s) designated in Report Zero’s customer support portal (or if no such contact(s) are designated, to the primary contact designated by Customer). As information is collected or otherwise becomes available, Data Processor shall provide without undue delay any further information regarding the nature and consequences of the Breach to allow Data Controller to notify relevant parties, including affected Data Subjects, government agencies and data protection authorities in accordance with Data Protection Laws. The report will include the name and contact information of the Data Processor contact from whom additional information may be obtained. Data Processor shall inform Customer of the measures that it will adopt to mitigate the cause of the Breach and to prevent future Breaches.
6.3 DATA CONTROLLER OBLIGATIONS. Data Controller will cooperate with Data Processor in maintaining accurate contact information in the customer support portal and by providing any information that is reasonably requested to resolve any security incident, including any Breaches, identify its root cause(s), and prevent a recurrence. Data Controller is solely responsible for determining whether to notify the relevant supervisory or regulatory authorities and impacted Data Subjects and for providing such notice.
- CUSTOMER MONITORING RIGHTS
7.1 REMOTE SELF-ASSESSMENTS. Data Processor shall enable remote self-serve assessments of its Security Program (as defined in the Data Security Guide) by granting Data Controller, at all times and at no additional costs, access to the Data Processor self-access documentation portal (“Report Zero CORE”). The information available on Report Zero CORE will include documentation evidencing Data Processor’s policies, procedures and security measures, as well as copies of the certifications and attestations listed in Section 7.2 (Audit) below.
7.2 AUDIT. No more than once per year and upon written request by Data Controller, Customer shall have the right directly or through its representative(s) (provided however, that such representative(s) shall enter into written obligations of confidentiality directly with Data Processor), to access all reasonable and industry recognized documentation evidencing Data Processor’s policies and procedures governing the security of Customer Data (“Audit”). Such Audit shall include a written summary report of any assessment performed by an independent third-party of Data Processor’s information security management system supporting the Subscription Service against the objectives stated in ISO 27001, ISO 27018, SSAE 18 / SOC 1 and SOC 2 Type 2 (or equivalent or successor standards). Data Processor reserves the right to refuse to provide Customer (or its representatives) with any information which would pose a security risk to Data Processor or its customers, or which Data Processor is prohibited to provide or disclose under applicable law or contractual obligation.
7.3 OUTPUT. Upon completion of the Audit, Data Processor and Customer may schedule a mutually convenient time to discuss the output of the Audit. Data Processor may in its sole discretion, consistent with industry and Data Processor’s standards and practices, make commercially reasonable efforts to implement Customer’s suggested improvements noted in the Audit to improve Data Processor’s Security Program. The Audit and the results derived therefrom are Confidential Information of Data Processor.
7.4 DATA CONTROLLER EXPENSES. Any expenses incurred by Data Controller in connection with the Audit shall be borne exclusively by Data Controller.
- SUB-PROCESSORS
8.1 USE OF SUB-PROCESSORS. Data Controller authorizes Data Processor to engage Sub-Processors appointed in accordance with this Section 8 to support the provision of the Subscription Service and to deliver Professional Services as described in the Agreement.
8.1.1. REPORT ZERO AFFILIATES. As of the Effective Date, Data Processor engages, as applicable, the following Report Zero Affiliates as Sub-Processors: Report Zero Ltd. (United Kingdom) (collectively, “Sub-Processor Affiliates”). Data Processor will notify Data Controller of changes regarding such Sub-Processor Affiliates through Data Processor’s customer support portal (or other mechanism used to notify its general customer base). Each Sub-Processor Affiliate shall comply with the obligations of the Agreement in the Processing of the Personal Data.
8.1.2. NEW SUB-PROCESSORS. Prior to Data Processor or a Data Processor Affiliate engaging a Sub-Processor, Data Processor shall: (a) notify Data Controller by email to Customer’s designated contact(s) or by notification within the customer support portal (or other mechanism used to notify its customer base); and (b) ensure that such Sub-Processor has entered into a written agreement with Data Processor (or the relevant Data Processor Affiliate) requiring that the Sub-Processor abide by terms no less protective than those provided in this DPA. Upon written request by Data Controller, Data Processor shall make a summary of the data processing terms available to Data Controller. Data Controller may request in writing reasonable additional information with respect to Sub-Processor’s ability to perform the relevant Processing activities in accordance with this DPA.
8.2 RIGHT TO OBJECT. Data Controller may object to Data Processor’s proposed use of a new Sub-Processor by notifying Data Processor within 10 days after receipt of Data Processor’s notice if Data Controller reasonably determines that such Sub-Processor is unable to Process Personal Data in accordance with the terms of this DPA (“Controller Objection Notice”). Data Processor shall notify Data Controller within 30 days from receipt of the Controller Objection Notice if Data Processor intends to provide the applicable Professional Service or Subscription Service with the use of the Sub-Processor at issue, and Customer may terminate the applicable Order Form(s), Use Authorization(s) or other signed ordering document between Report Zero and Customer with respect to the Professional Service or Subscription Service that require use of the Sub-Processor at issue upon written notice to Report Zero within 45 days of the date of Controller Objection Notice and, as Customer’s sole and exclusive remedy, Report Zero will refund to Customer any unused prepaid fees.
8.3 LIABILITY. Use of a Sub-Processor will not relieve, waive, or diminish any obligation Data Processor has under the Agreement, and Data Processor is liable for the acts and omissions of any Sub-Processor to the same extent as if the acts or omissions were performed by Data Processor.
- INTERNATIONAL DATA TRANSFERS
9.1 STANDARD CONTRACTUAL CLAUSES AND ADEQUACY. Where required under Data Protection Laws, Data Processor or Data Processor’s Affiliates shall require Sub-Processors to abide by (a) the Standard Contractual Clauses for Data Processors established in third countries; or (b) another lawful mechanism for the transfer of Personal Data as approved by the European Commission.
9.2 PRIVACY SHIELD. Report Zero, Inc. shall comply with the EU-U.S. and Swiss-U.S. Privacy Shield Framework set forth by the United States Department of Commerce with respect to the Processing of Personal Data transferred from the European Economic Area and Switzerland to the United States.
APPENDIX 1 DETAILS OF PROCESSING
Nature and Purpose of Processing
Data Processor will Process Personal Data as required to provide the Subscription Service and Professional Services and in accordance with the Agreement.
Duration of Processing
Data Processor will Process Personal Data for the duration of the Agreement and in accordance with Section 4 (Data Processor) of this DPA.
Data Subjects
Data Controller may submit Personal Data to the Subscription Service, the extent of which is solely determined by Data Controller, and may include Personal Data relating to the following categories of Data Subjects:
- clients and other business contacts;
- employees and contractors;
- subcontractors and agents; and
- consultants and partners.
Categories of Personal Data
Data Controller may submit Personal Data to the Subscription Service, the extent of which is solely determined by Data Controller, and may include the following categories:
- communication data (e.g. telephone, email);
- business and personal contact details; and
- other Personal Data submitted to the Subscription Service.
Special Categories of Personal Data
Data Controller may submit Special Categories of Personal Data to the Subscription Service, the extent of which is solely determined by Data Controller in compliance with Data Protection Law, and may include the following categories, if any:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data or biometric data;
- health information; and
- sex life or sexual orientation.
Processing Operations
The personal data transferred will be subject to the following basic processing activities:
- All activities necessary for the performance of the Agreement.
EXHIBIT A.5 – DATA SECURITY GUIDE
This Data Security Guide forms a part of the Agreement and describes the measures Report Zero takes to protect Customer Data.
In the event of any conflict between the terms of this Data Security Guide and the terms of the Agreement with respect to the subject matter herein, this Data Security Guide shall control. All capitalized terms not defined in this Data Security Guide will have the meaning given to them in other parts of the Agreement.
- SECURITY PROGRAM
While providing the Subscription Service, Report Zero will maintain a written information security program of policies, procedures and controls governing the processing, storage, transmission and security of Customer Data (the “Security Program”). The Security Program includes industry-standard practices designed to protect Customer Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Report Zero regularly tests, assesses, and evaluates the effectiveness of the Security Program and may periodically review and update the Security Program to address new and evolving security technologies, changes to industry standard practices, and changing security threats, although no such update will materially reduce the commitments, protections or overall level of service provided to Customer as described herein.
- PHYSICAL, TECHNICAL, AND ADMINISTRATIVE SECURITY MEASURES
2.1 PHYSICAL SECURITY MEASURES.
2.1.1. DATA CENTRE FACILITIES. (a) Physical access restrictions and monitoring that will be provided by the public cloud provider and in accordance with the public cloud provider’s standards.
2.1.2. SYSTEMS, MACHINES AND DEVICES. (a) Physical protection mechanisms; and (b) entry controls to limit physical access that will be provided by the public cloud provider and in accordance with the public cloud provider’s standards.
2.1.3. MEDIA. (a) Industry standard destruction of sensitive materials before disposition of media; (b) secure safe for storing damaged hard disks prior to physical destruction; and (c) physical destruction of all decommissioned hard disks storing Customer Data. These services will be provided by the public cloud provider and in accordance with the public cloud provider’s standards.
2.2 TECHNICAL SECURITY MEASURES.
2.2.1. ACCESS ADMINISTRATION. Access to the Subscription Service by Report Zero employees and contractors is protected by authentication and authorization mechanisms. User authentication is required to gain access to production and sub-production instances. Access privileges are based on job requirements and are revoked upon termination of employment or consulting relationships. Production infrastructure includes appropriate user account and password controls (e.g., the required use of VPN connections, complex passwords with expiration dates, and a two-factored authenticated connection) and is accessible for administration.
2.2.2. SERVICE ACCESS CONTROL. The Subscription Service provides user and role-based access controls. Customer is responsible for configuring such access controls within its instance.
2.2.3. LOGGING AND MONITORING. The production infrastructure log activities are centrally collected and are secured in an effort to prevent tampering and are monitored for anomalies by a trained security team.
2.2.4. FIREWALL SYSTEM. An industry-standard firewall is installed and managed to protect Report Zero systems by residing on the network to inspect all ingress connections routed to the Report Zero environment.
2.2.5. VULNERABILITY MANAGEMENT. Report Zero conducts periodic independent security risk evaluations to identify critical information assets, assess threats to such assets, determine potential vulnerabilities, and provide for remediation. When software vulnerabilities are revealed and addressed by a vendor patch, Report Zero will obtain the patch from the applicable vendor and apply it within an appropriate timeframe in accordance with Report Zero’s then-current vulnerability management and security patch management standard operating procedure and only after such patch is tested and determined to be safe for installation in all production systems. These services will be provided by the public cloud provider and in accordance with the public cloud provider’s standards.
2.2.6. ANTIVIRUS. Report Zero updates antivirus, anti-malware, and anti-spyware software on regular intervals and centrally logs events for effectiveness of such software. These services will be provided by the public cloud provider and in accordance with the public cloud provider’s standards.
2.2.7. CHANGE CONTROL. Report Zero ensures that changes to platform, applications, and production infrastructure are evaluated to minimize risk and are implemented following Report Zero’s standard operating procedure.
2.2.8. DATA SEPARATION. Customer Data shall be maintained within a logical single-tenant architecture on multi-tenant public cloud infrastructure that is logically separate from Report Zero’s corporate infrastructure.
2.3 ADMINISTRATIVE SECURITY MEASURES.
2.3.1. SECURITY AWARENESS AND TRAINING. Report Zero maintains a security awareness program that includes appropriate training of Report Zero personnel on the Security Program. Training is conducted at time of hire and periodically throughout employment at Report Zero.
2.3.2. VENDOR RISK MANAGEMENT. Report Zero maintains a vendor risk management program that assesses all vendors that access, store, process, or transmit Customer Data for appropriate security controls and business disciplines.
- SERVICE CONTINUITY
3.1 DATA MANAGEMENT; DATA BACKUP. Report Zero will host Customer’s access to and use of purchased instances of the Subscription Service in the public cloud in a redundant architecture. Report Zero backs up all Customer Data in accordance with Report Zero’s standard operating procedure.
- MONITORING AND INCIDENT MANAGEMENT
4.1 MONITORING, MANAGEMENT AND NOTIFICATION.
4.1.1. INCIDENT MONITORING AND MANAGEMENT. Report Zero will monitor, analyse, and respond to security incidents in a timely manner in accordance with Report Zero’s standard operating procedure. Report Zero’s security group will escalate and engage response teams as may be necessary to address an incident.
4.1.2. BREACH NOTIFICATION. Report Zero will report to Customer any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data (a “Breach”) without undue delay following determination by Report Zero that a Breach has occurred.
4.1.3. REPORT. The initial report will be made to Customer security or privacy contact(s) designated in Report Zero’s customer support portal (or if no such contact(s) are designated, to the primary contact designated by Customer). As information is collected or otherwise becomes available, Report Zero shall provide without undue delay any further information regarding the nature and consequences of the Breach to allow Customer to notify relevant parties, including affected Data Subjects, government agencies, and data protection authorities in accordance with Data Protection Laws. The report will include the name and contact information of the Report Zero contact from whom additional information may be obtained. Report Zero shall inform Customer of the measures that it will adopt to mitigate the cause of the Breach and to prevent future Breaches.
4.1.4. CUSTOMER OBLIGATIONS. Customer will cooperate with Report Zero in maintaining accurate contact information in the customer support portal and by providing any information that is reasonably requested to resolve any security incident, including any Breaches, identify its root cause(s), and prevent a recurrence. Customer is solely responsible for determining whether to notify the relevant supervisory or regulatory authorities and impacted Data Subjects and for providing such notice.
- USE OF AGGREGATE DATA. Report Zero may collect, use, and disclose quantitative data derived from Customer’s use of the Subscription Service for industry analysis, benchmarking, analytics, marketing, and other business purposes in support of the provision of the Subscription Service. Any such data will be in aggregate form only and will not contain Customer Data.
- COOKIES. When providing the Subscription Service, Report Zero uses cookies to: (a) track session state; (b) route a browser request to a specific node when multiple nodes are assigned; and (c) recognize a user upon returning to the Subscription Service. Customer shall be responsible for providing notice to, and collecting any necessary consents from, its authorized users of the Subscription Service for Report Zero’s use of cookies.
- PENETRATION TESTS
7.1 BY A THIRD-PARTY. Report Zero contracts with third-party vendors to perform a penetration test on the Report Zero application per family release to identify risks and remediation that help increase security.
7.2 BY CUSTOMER. No more than once per calendar year Customer may request to perform, at its own expense, an application penetration test of a sub-production instance of the Subscription Service. Customer shall notify Report Zero in advance of any test by submitting a request to schedule an application penetration test using Report Zero’s customer support portal per Report Zero’s then-current penetration testing policy and procedure, including entering into Report Zero’s penetration test agreement. Report Zero and Customer must agree on a mutually acceptable time for the test; and Customer shall not perform a penetration test without Report Zero’s express written authorization. The test must be of reasonable duration, but in no event longer than 14 days and must not interfere with Report Zero’s day-to-day operations. Promptly on completion of the penetration test, Customer shall provide Report Zero with the test results including any detected vulnerability. Upon such notice, Report Zero shall, consistent with industry-standard practices, use all commercially reasonable efforts to promptly make any necessary changes to improve the security of the Subscription Service. Customer shall treat the test results as Confidential Information of Report Zero subject to the confidentiality requirements in the Agreement.
- SHARING THE SECURITY RESPONSIBILITY
8.1 PRODUCT CAPABILITIES. The Subscription Service has the capabilities to: (a) authenticate users before access; (b) encrypt passwords; (c) allow users to manage passwords; and (d) prevent access by users with an inactive account. Customer manages each user’s access to and use of the Subscription Service by assigning to each user a credential and user type that controls the level of access to the Subscription Service. Customer shall be responsible for implementing encryption and access control functionalities available within the Subscription Service for protecting all Customer Data containing sensitive data, including credit card numbers, social security and other government-issued identification numbers, financial and health information, Personal Data, and any Personal Data deemed sensitive or “special categories of personal data” under Data Protection Laws. Customer is solely responsible for its decision not to encrypt such data and Report Zero will have no liability to the extent that damages would have been mitigated by Customer’s use of such encryption measures. Customer is responsible for protecting the confidentiality of each user’s login and password and managing each user’s access to the Subscription Service.
8.2 CUSTOMER COOPERATION. Customer shall promptly apply any Upgrade or Update that Report Zero determines is necessary to maintain the security, performance, or availability of the Subscription Service.
8.3 LIMITATIONS. Notwithstanding anything to the contrary in this Data Security Guide or other parts of the Agreement, Report Zero’s obligations extend only to those systems, networks, network devices, facilities, and components over which Report Zero exercises control. This Data Security Guide does not apply to: (a) information shared with Report Zero that is not Customer Data; (b) data in Customer’s VPN or a third-party network; (c) any data processed by Customer or its users in violation of the Agreement or this Data Security Guide; or (d) Integrated Products. For the purposes of this Data Security Guide, “Integrated Products” shall mean Report Zero-provided integrations to third-party products or any other third-party products that are used by Customer in connection with the Subscription Service. Customer agrees that its use of such Integrated Products will be: (i) in compliance with all Laws, including but not limited to, Data Protection Laws; and (ii) in accordance with its contractual agreement with the provider of such Integrated Products. Any Personal Data populated from the Integrated Products to the Subscription Service must be collected, used, disclosed and, if applicable, internationally transferred in accordance with Customer’s privacy policy, which will adhere to Data Protection Laws.