THESE SAAS SUBSCRIPTION AND SERVICES TERMS (THE “AGREEMENT”) ARE HEREBY INCORPORATED INTO A) THE ORDER FORM AND/OR STATEMENT OF WORK EXECUTED BY THE COMPANY IDENTIFIED AS THE “SUBSCRIBER” THEREIN (“SUBSCRIBER” OR “YOU”) AND ICERTIS, INC. (“ICERTIS”), OR B) THE MICROSOFT MARKETPLACE PRIVATE OFFER OR PRIVATE PLAN OFFER; PURSUANT TO WHICH THE SUBSCRIBER RECEIVED THE RIGHT TO USE SAAS AND/OR PROFESSIONAL SERVICES SUBJECT TO THIS AGREEMENT. BY EXECUTING SUCH SOW, ORDER FORM, MICROSOFT MARKETPLACE PRIVATE OFFER, OR MICROSOFT MARKETPLACE PRIVATE PLAN OFFER (INDIVIDUALLY OR COLLETIVELY AN “ORDER” AS APPLICABLE), YOU AGREE TO BE BOUND BY THIS AGREEMENT. THIS AGREEMENT WILL FORM A MASTER AGREEMENT BETWEEN YOU AND ICERTIS AND GOVERN YOUR CURRENT AND ALL FUTURE ORDERS AND MAY NOT BE AMENDED WITHOUT THE WRITTEN CONSENT OF BOTH PARTIES. THIS AGREEMENT AND THE ORDERS TOGETHER FORM A BINDING AGREEMENT BETWEEN SUBSCRIBER AND ICERTIS, EFFECTIVE AS OF THE EFFECTIVE DATE OF THE ORDER.

This Agreement is effective as of the effective date of the Offer (“Effective Date”), which is the date the Subscriber accepted the first Private Offer or Private Plan under the terms of the Agreement or the parties signed the first Order Form or SOW subject to the terms of this Agreement.

1.DEFINITIONS

1.1 “Affiliate” means any entity that, directly or indirectly, controls, is controlled by or is under common control with such entity (but only for so long as such control exists), where “control” means the ownership of more than 50% of the outstanding shares or securities representing the right to vote in the election of directors or other managing authority of such entity.

1.2 “Authorized Users” means individuals who are employees or contractors of Subscriber or its Affiliates and who will use the SaaS in order to perform their obligations to Subscriber or its Affiliates.

1.3 “Confidential Information” means non-public business information, know-how, and trade secrets in any form, including information regarding a party’s product plans and any other information a reasonable person should understand to be confidential, which is disclosed by or on behalf of either party or its Affiliates (“Disclosing Party”) to the other party or its Affiliates (“Receiving Party”). Confidential Information includes this Agreement and its terms, and the SaaS and Documentation, and all software and infrastructure used to provide the SaaS. “Confidential Information” excludes information that (a) was publicly known and made generally available in the public domain prior to the time of disclosure by the Disclosing Party; (b) becomes publicly known and made generally available after disclosure by the Disclosing Party to the Receiving Party through no action or inaction of the Receiving Party; (c) is already in the possession of the Receiving Party at the time of disclosure by the Disclosing Party, as shown by the Receiving Party’s files and records; (d) is obtained by the Receiving Party from a third party without a breach of the third party’s obligations of confidentiality; or (e) is independently developed by the Receiving Party without use of or reference to the Disclosing Party’s Confidential Information, as shown by documents and other competent evidence in the Receiving Party’s possession.

1.4 “Documentation” means operation manuals and other user manuals relating to the SaaS made available by Icertis to Subscriber.

1.5 “Order Form” means an Order Form executed by Icertis and Subscriber and includes (unless the context implies otherwise) a transaction of SaaS procured via Microsoft Marketplace (.i.e. a Private Offer or a Private Plan).

1.6 “Professional Services” means any consulting, implementation, configuration, and other professional services described in a Statement of Work (“SOW”) that are performed by Icertis for Subscriber related to the SaaS.

1.7 “SaaS” means the cloud-based software identified on an Order Form as made available by Icertis to Subscriber hereunder in a hosted, software-as-a-service format, and including all Fixes and Upgrades to the SaaS that Icertis makes available for general release at no additional charge to its subscribers.

1.8 “Subscriber Data” means all data, information and other content submitted by Subscriber for processing by the SaaS, and the output of the processing of such data, information and content by the SaaS.

1.9 “Support Services” means the technical support services for the SaaS, as described in Exhibit A to this Agreement.

2.THE SERVICES

2.1 Order Forms & Statements of Work.  Subscriber may order one or more subscriptions to use the SaaS pursuant to an Order Form and engage Icertis for certain Professional Services by the execution of a SOW. Once executed by both parties, each Order Form and SOW will be a unique agreement that incorporates the terms of this Agreement and otherwise stands alone. If there is a conflict between the terms of this Agreement and the terms of a SOW or Order Form, the terms of the Order Form or SOW will prevail. The parties agree that Subscriber’s Affiliates may, as a contracting party, execute an Order Form or SOW under this Agreement, in which event such Affiliate will be bound by the terms of this Agreement as if such Affiliate was a Subscriber.

2.2 Use of the SaaS.  Subject to the terms and conditions of this Agreement, Icertis grants to Subscriber a limited, nontransferable (except in connection with the transfer of this Agreement pursuant to Section11.6), nonexclusive license, without the right to sublicense, to the SaaS for the term defined in the Order Form, solely for Subscriber’s internal business use by Authorized Users. Subscriber’s use rights, including the number of Authorized Users permitted to use the SaaS, are subject to any limitations on number or type that may be set forth in the Order Form. Icertis will use reasonable efforts to improve and enhance its offerings overall, and will from time-to-time provide Upgrades to Subscriber of the SaaS as and when made generally available.

2.3  Use of the Documentation.  Subject to the terms and conditions of this Agreement, Icertis grants to Subscriber a limited, nontransferable (except in connection with the transfer of this Agreement pursuant to Section11.6), nonexclusive license, without right of sublicense, for the term defined in the Order Form to reproduce, without modification, and internally use a reasonable number of copies of the Documentation solely in connection with Subscriber’s use of the SaaS in accordance with this Agreement.

2.4  Restrictions.  Authorized User accounts cannot be used by more than one individual. Subscriber is responsible for the accuracy, quality and legality of the Subscriber Data, as well as for determining access privileges and rights for Authorized Users. Except as otherwise explicitly provided in this Agreement, Subscriber will not, and will not permit or authorize third parties to: (a) reproduce, modify, translate, enhance, decompile, disassemble, reverse engineer, or create derivative works of the SaaS or Documentation, unless expressly permitted by applicable law; (b) rent, lease, or sublicense the SaaS or Documentation or otherwise provide unauthorized access thereto; (c) circumvent or disable any technological or security features or measures in the SaaS, or (d) use the SaaS: (i) to violate the rights of others; (ii) to try to gain unauthorized access to or disrupt any service, device, data, account or network; (iii) to spam or distribute malware; (iv) in a way that could harm the SaaS or impair anyone else’s use of it. Subscriber will only use the SaaS and Documentation in compliance with all applicable laws and regulations.

3. COMPENSATION

3.1  Fees.  Other than amounts disputed in good faith, Subscriber will pay the fees and any other amounts owing under this Agreement and all applicable Order Forms and SOWs, plus any applicable taxes (the “Fees”).

3.2  Travel.  Subscriber will reimburse reasonable travel and related expenses incurred by Icertis in connection with onsite visits, including direct out of pocket expenses and economy class air fares. Icertis will give Subscriber prior written notice of any travel expenses not specified in an Order Form or SOW.

3.3 Payment.  Without limiting Icertis payment rights, Subscriber will make payments directly to Microsoft (acting as a payment agent) for purchases through the Microsoft Marketplace.  When purchasing directly from Icertis Subscriber will pay all amounts hereunder within thirty (30) days of the date of the applicable invoice. If Subscriber disputes any directly invoiced amount, Subscriber will notify Icertis in detail in writing as to the nature of the disputed charges and the reason for Subscriber’s disagreement prior to the due date of the payment, but Subscriber will pay all charges on the applicable invoice by their due date to the extent not disputed in good faith. Any undisputed amount not paid when due will be subject to finance charges equal to one and one-half percent (1.5%) per month or the highest rate permitted by applicable usury law, whichever is less, determined and compounded daily from the date due until the date paid. If the right to use the SaaS is not limited by the number of Authorized Users, Subscriber will notify Icertis of any inorganic growth which is likely to or does result in a more than de-minimus increase in Authorized Users; upon which the parties will revisit the Fee for such actual or likely increase in good faith and may adjust as a result.

3.4  Taxes.  Other than net income and gross receipt taxes imposed on Icertis, Subscriber will bear all taxes, duties, and other governmental charges (collectively, “taxes”) resulting from this Agreement and reflected on invoices properly due from Icertis.

4. TERM AND TERMINATION

4.1 Term.  This Agreement will commence on the Effective Date and will continue until the earlier of this Agreement being terminated in accordance with the terms of this Agreement, or until there are no longer any then-effective SOWs or Order Forms. For the avoidance of doubt, the termination of this Agreement shall also result in the immediate termination of any then-outstanding SOW or Order Forms and the Services thereunder. Each Order Form and SOW will commence on the specified effective date and will terminate on the end date specified therein, unless earlier terminated in accordance with the terms of this Agreement.

4.2 Notice of Material Breach.  If either party commits a material breach of this Agreement or of any of its obligations under any Order Form or SOW, the other party may give the breaching party written notice of the breach (including a statement of the facts relating to the breach, the applicable provisions of this Agreement or the applicable Order Form or SOW, and the action required to cure the breach) and its intent to terminate this Agreement or the applicable Order Form or SOW pursuant to this Section 4.2.

4.3 Notice of Suspension.  Without limitation, any failure by Subscriber to timely pay to Microsoft or Icertis (as applicable) any undisputed amounts when due will constitute a material breach of this Agreement, and Icertis may, without limitation of any of Icertis’ other rights and remedies available, suspend performance of any or all SaaS, Professional Services and Support Services under any Order Form or SOW then in progress during any time that Subscriber is in default of such amounts owed to Icertis following ten (10) days of notice of suspension.

4.4 Notice of Termination.  If a party fails to cure any material breach specified in any notice under Section 4.2 within thirty (30) days after the date of the receipt of the written notice (or a later date as may be specified in the notice), then the non-breaching party may terminate this Agreement or the applicable Order Form or SOW with respect to which the breach or default occurred by giving the breaching party written notice of termination.

4.5 Effects of Termination.  Upon the expiration or termination of this Agreement, Icertis will provide a reasonable amount of information, cooperation and assistance to Subscriber if and as Subscriber may reasonably request such assistance at Icertis’ then-current list rates. Upon written request, Icertis will return Subscriber Data (in its then-current format and condition) at no additional fee. If not so requested by Subscriber within five (5) days of the effective date of termination, Icertis may destroy Subscriber Data. If an Order Form or SOW is terminated for any reason, any and all payment liabilities accrued prior to the effective date of the termination will survive. If this Agreement is terminated by Subscriber for an uncured material breach by Icertis, Icertis will refund any amounts prepaid directly to Icertis by the Subscriber for Services to be provided following the effective date of such termination.

4.6 Survival.  The parties’ respective rights and obligations under Sections 1,3, 4, 5, 7, 10.1-10.3 and 11 of this Agreement, and any and all liabilities accrued prior to the effective date of termination of this Agreement, will survive the termination of this Agreement.

5. PROPRIETARY RIGHTS

5.1  Services and Documentation.  Notwithstanding any other provision in this Agreement, as between Subscriber and Icertis, Icertis exclusively owns all right, title and interest in and to the SaaS and Documentation and all portions thereof, as well as all improvements, enhancements, modifications, configurations, and derivative works thereto, together with all intellectual property rights therein, including all copyrights, patent and trade secret rights. Icertis reserves all rights to the SaaS and Documentation not expressly granted to Subscriber under this Agreement.

5.2 Subscriber Data.  Icertis acknowledges that, as between Icertis and Subscriber, Subscriber owns all intellectual property and other proprietary rights in and to the Subscriber Data. Subject to the rights granted by Subscriber under this Agreement, Icertis acquires no right, title or interest from Subscriber or Subscriber’s licensors under this Agreement in or to Subscriber Data. Subscriber hereby grants to Icertis a worldwide, nonexclusive, fully-paid up and non-transferable (except in connection with the transfer of this Agreement pursuant to Section 11.6) license to use the Subscriber Data to perform its obligations hereunder, including the obligation to improve and enhance its offerings overall as set forth in Section 2.2. Icertis may direct an Icertis computer algorithm to “read” Subscriber Data to generally inform machine learning capabilities in the Icertis solution, and may also use Subscriber Data to generate industry relevant analysis. In any such use, Subscriber Data will never be shared with third parties and Subscriber will remain anonymous and never be publicly associated with any such efforts.

5.3 Feedback.  Icertis welcomes any feedback that Subscriber may provide Icertis concerning improvements to the SaaS (“Feedback”). For clarification, Feedback excludes Subscriber Data and Subscriber’s proprietary information. By providing Feedback to Icertis, Subscriber hereby grants Icertis a worldwide, fully paid-up, perpetual, irrevocable and transferable license to use the Feedback (including by incorporation of such Feedback into the SaaS).

6. DATA SECURITY; SERVICE AVAILABILITY; SUPPORT SERVICES

6.1  Security and Data Protection.  Icertis has implemented and will maintain reasonable administrative, physical and technical security measures consistent with current prevailing security practices in the United States software-as-a-service industry and intended to protect against the loss, misuse, unauthorized access, alteration or disclosure of Subscriber Data. Such measures will include compliance with Icertis’ Security Framework attached hereto as Exhibit B. Icertis will comply with all applicable law concerning privacy, data transfer and security.

Subscriber will notify Icertis if the European Union General Data Protection Regulation (“GDPR”) will be applicable to Subscriber’s use of the SaaS (i.e. if Subscriber will be including personal data of data subjects residing in the European Union or the UK into the SaaS). If the parties process such personal data, the Data Protection Addendum – Standard Contractual Clauses – on the Icertis website (www.icertis.com/foundation) will apply.

Subscriber must immediately notify Icertis of any suspected security breach at [email protected], followed by contacting Subscriber’s customer relationship manager.

6.2 Malicious Code.  Icertis will use measures consistent with prevailing practices in the United States software-as-a-service industry to screen the SaaS for the purpose of avoiding the introduction of any Malicious Code into Subscriber Data or Subscriber’s computer hardware and software systems or software. For the purposes of this Agreement, “Malicious Code” means software designed to (a) permit unauthorized access to and/or copying of Subscriber’s data, hardware or software; or (b) damage, delete, delay, disable, erase, interfere with, modify, shut-down or otherwise harm Subscriber’s data, hardware or software, including, but not limited to, components that are commonly referred to as “back doors,” “bots”, “drop dead devices”, “malware”, “time bombs,” “Trojan Horses,” “viruses”, and “worms”. In the event Icertis introduces Malicious Code into Subscriber Data or Subscriber’s computer hardware or software systems or software, Icertis will reasonably assist Subscriber in removing such virus and/or Malicious Code at no additional charge.

6.3 Service Availability.  Icertis incorporates database and system maintenance operations and processes designed to address data consistency, indexing, and integrity requirements and to help improve system performance. Icertis also uses an industry-leading hosting infrastructure to provide the SaaS and has implemented and will maintain commercially reasonable business resumption and contingency plans intended to avoid unplanned SaaS interruptions. In the event of an unplanned SaaS interruption, Subscriber may contact Icertis for Support Services. Icertis will comply with the Service Level Standards set forth in Exhibit C to this Agreement.

6.4 Support Services.  Icertis will provide Subscriber with Support Services set forth in Exhibit A with respect to the SaaS so long as Subscriber is current in payment of the Fees. Icertis will only be obligated to support the then-current commercially available version of the SaaS and the immediately prior major release (the “Supported Versions”). Warranty and SLA commitments herein will not apply to the extent a nonconformity is due to use of a version other than a Supported Version.

7. CONFIDENTIALITY

7.1  Mutual Confidentiality.  The Receiving Party agrees to take reasonable steps, at least substantially equivalent to the steps it takes to protect its own proprietary information, but not less than reasonable care, to prevent the unauthorized duplication or use of the Disclosing Party’s Confidential Information and the disclosure of the Disclosing Party’s Confidential Information to third parties without the Disclosing Party’s prior written consent. The Receiving Party may disclose the Disclosing Party’s Confidential Information to the Receiving Party’s employees or agents who reasonably need to have access to such information to perform the Receiving Party’s obligations under this Agreement, and who will treat such Confidential Information under the terms of this Agreement. Icertis may disclose this Agreement (but not any of Subscriber’s other Confidential Information) to actual and potential investors and funding sources who agree to hold it in confidence.

7.2 Exceptions.  The Receiving Party may disclose the Disclosing Party’s Confidential Information as required by applicable law or regulation or as may be required to comply with a court order compelling such disclosure; provided that, unless legally prohibited from doing so, the Receiving Party gives the Disclosing Party prompt written notice of the requirement prior to the disclosure and reasonable assistance in limiting disclosure or obtaining an order protecting the information from public disclosures.

7.3 Publicity.  Subscriber agrees that upon request by Icertis, provided that Icertis does not otherwise disclose Subscriber’s Confidential Information Icertis may identify Subscriber by name and logo as a customer on public facing customer lists and in other marketing collateral. Further, Icertis may issue a press release which features multiple Icertis customers, including Subscriber.

8. REPRESENTATIONS, WARRANTIES AND DISCLAIMER

8.1 Mutual Representations and Warranties.  Each party represents and warrants to the other that: (a) this Agreement has been duly executed and delivered and constitutes a valid and binding agreement enforceable against such party in accordance with its terms; (b) no authorization or approval from any third party is required in connection with such party’s execution, delivery, or performance of this Agreement; and (c) the execution, delivery, and performance of this Agreement does not violate the laws of any jurisdiction or the terms or conditions of any other agreement to which it is a party or by which it is otherwise bound.

8.2 Icertis Representations and Warranties.  Icertis represents and warrants to Subscriber that:

(a) Icertis has sufficient right, title and interest in the SaaS to license the SaaS to Subscriber in accordance with this Agreement, and that entering into and carrying out the terms and conditions of this Agreement will not violate or constitute a breach of any agreement binding upon Icertis;

(b) Subscriber’s use of the SaaS in accordance with this Agreement will not infringe, misappropriate or otherwise violate any third party intellectual property or other proprietary rights;

(c) the Support Services and Professional Services will be performed in a professional and workmanlike manner and will be of a grade, nature, and quality that meets prevailing standards in the software-as-a-service industry; and

(d) at all times during the applicable subscription term the SaaS, as operating in a production environment, will materially conform to the Documentation.

8.3  Icertis Warranty Remedies.  If Icertis receives a written notice and description of a breach of the warranty for SaaS in Section 8.2(d) during the applicable subscription term, or receives a written notice and description of a breach of the warranty for Professional Services in Section 8.2(c) within sixty (60) days after performance of the non-conforming Professional Services, then Icertis will endeavor to correct such non-conformity at no additional charge. At any time, Subscriber may terminate this Agreement, the applicable Order Form and/or its related SOW (in whole or in part) in conformity with Section 4.2 for a material breach of this warranty. Any efforts to cure the material non-conformity will be performed at no additional cost to Subscriber. Upon any such termination, Icertis will promptly provide a refund to Subscriber of amounts prepaid for Services to be provided following the effective date of such termination.

8.4 Disclaimer.  EXCEPT FOR THE EXPRESS REPRESENTATIONS AND WARRANTIES STATED IN THIS SECTION 8, ICERTIS MAKES NO ADDITIONAL REPRESENTATION OR WARRANTY OF ANY KIND WHETHER EXPRESS, IMPLIED (EITHER IN FACT OR BY OPERATION OF LAW), OR STATUTORY, AS TO ANY MATTER WHATSOEVER, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

9. INDEMNITY

9.1 Indemnity.  Icertis will defend and indemnify Subscriber, its employees and Affiliates (collectively, the “Indemnitees”) from and against any and all claims, proceedings, or suits brought by a third party against an Indemnitee (a “Claim”) and all related settlements or court-awarded liabilities that arise out of or are based on a Claim, (i) that Subscriber’s use of the SaaS in accordance with this Agreement infringes, misappropriates or violates such third party’s intellectual property rights, (ii) made by any subcontractor or independent contractor of Icertis or by any personnel of Icertis, in each case in connection with or arising from such person’s or entity’s role as subcontractor, contractor or personnel of Icertis, including (as an example) alleging that any Indemnitee should be deemed the “employer” or “joint employer” of any of Icertis’ personnel, or (iii) resulting from any grossly negligent act or omission by Icertis or its personnel that results in personal injury or death, or damage to tangible personal property. Icertis’ obligations under subsection (i) shall not extend to Claims where the actual or allegedly offending SaaS would not so infringe, misappropriate or violate such third party’s intellectual property or other rights if other, non-offending data, reports, statistics or other information were used in place of the Subscriber Data.

9.2  Indemnification Procedures.  If an Indemnitee seeks indemnification under this Agreement, the Indemnitee will: (i) give prompt notice to Icertis concerning the existence of the indemnifiable event; (ii) grant authority to Icertis to defend or settle any related action or claim; and, (iii) provide such information, cooperation and assistance to Icertis as may be reasonably necessary for Icertis to defend or settle the claim or action. An Indemnitee’s failure to give prompt notice shall not constitute a waiver of the Indemnitee’s right to indemnification and shall affect Icertis’ indemnification obligations only to the extent that Icertis’ rights are materially prejudiced by such failure or delay. Notwithstanding anything to the contrary set forth herein, (i) an Indemnitee may participate, at its own expense, in any defense and settlement directly or through counsel of its choice, and (ii) Icertis will not enter into any settlement agreement on terms that would diminish the rights provided to the Indemnitee or increase the obligations assumed by the Indemnitee under this Agreement, without the prior written consent of the Indemnitee.

10. LIMITATIONS OF LIABILITY; INSURANCE

10.1  Disclaimer of Consequential Damages.  NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED IN THIS AGREEMENT, TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY WILL, UNDER ANY CIRCUMSTANCES, BE LIABLE TO THE OTHER OR ANY THIRD PARTY FOR CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE OR EXEMPLARY DAMAGES OR LOST PROFITS, LOSS OF BUSINESS, LOSS OF GOODWILL OR DAMAGE TO REPUTATION ARISING OUT OF OR RELATED TO THE TRANSACTIONS CONTEMPLATED UNDER THIS AGREEMENT, WHETHER CAUSED BY BREACH OF WARRANTY, BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR ANY OTHER LEGAL OR EQUITABLE CAUSE OF ACTION, EVEN IF THE LIABLE PARTY IS APPRISED OF THE LIKELIHOOD OF SUCH DAMAGES OCCURRING.

10.2   Cap on Liability.  WITH THE EXCEPTION OF FEES DUE UNDER THIS AGREEMENT, TO THE MAXIMUM EXTENT PERMITTED BY LAW, UNDER NO CIRCUMSTANCES WILL EITHER PARTY’S TOTAL LIABILITY OF ALL KINDS ARISING OUT OF OR RELATED TO THIS AGREEMENT (INCLUDING BUT NOT LIMITED TO WARRANTY CLAIMS), REGARDLESS OF THE FORUM AND REGARDLESS OF WHETHER ANY ACTION OR CLAIM IS BASED ON CONTRACT, TORT, OR OTHERWISE, EXCEED THE TOTAL AMOUNT RECEIVED BY ICERTIS UNDER THIS AGREEMENT WITHIN THE PRECEDING 12 MONTH PERIOD (DETERMINED AS OF THE DATE OF THE EVENT GIVING RISE TO THE CLAIM).

10.3 Independent Allocations of Risk.  EACH PROVISION OF THIS AGREEMENT THAT PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF WARRANTIES, OR EXCLUSION OF DAMAGES IS TO ALLOCATE THE RISKS OF THIS AGREEMENT BETWEEN THE PARTIES. THIS ALLOCATION IS REFLECTED IN THE PRICING OFFERED BY ICERTIS TO SUBSCRIBER AND IS AN ESSENTIAL ELEMENT OF THE BASIS OF THE BARGAIN BETWEEN THE PARTIES. EACH OF THESE PROVISIONS IS SEVERABLE AND INDEPENDENT OF ALL OTHER PROVISIONS OF THIS AGREEMENT. THE LIMITATIONS IN THIS SECTION 10.3 WILL APPLY NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY IN THIS AGREEMENT.

10.4 Liability Insurance.  Icertis agrees to obtain from an insurance carrier with a minimum AM Best rating of A-, and maintain during the term of this Agreement and for one (1) year thereafter: (a) comprehensive general liability insurance in an amount not less than $1,000,000 per occurrence and $2,000,000 in the aggregate; (b) technology errors and omissions insurance, including cyber liability coverage, in an amount not less than $5,000,000 in the aggregate; (c) automobile liability insurance in an amount not less than $1,000,000 per occurrence; (d) umbrella liability insurance in an amount not less than $5,000,000; (e) employer’s liability insurance in an amount not less than $1,000,000 per occurrence; and (f) worker’s compensation insurance coverage sufficient to meet the statutory requirements of every state in which Icertis personnel are performing SaaS, Support Services or Professional Services on behalf of Subscriber. Icertis will provide Subscriber with a certificate of insurance upon request.

11. MISCELLANEOUS

11.1 Independent Contractor & Subcontractors.  It is the express intention of the parties that Icertis performs all of the services as an independent contractor. Without limiting the generality of the foregoing, Icertis is not authorized to bind Subscriber to any liability or obligation or to represent that Icertis has any such authority. Icertis may use a subcontractor or other third party in carrying out its obligations under this Agreement; however, Icertis remains responsible for all of its obligations under this Agreement and for any breach of this Agreement by any such subcontractor or other third party.

11.2 Governing Law; Venue.  This Agreement will be interpreted, construed, and enforced in all respects in accordance with the local laws of the State of Washington, U.S.A, without reference to its choice of law rules and not including the provisions of the 1980 U.N. Convention on Contracts for the International Sale of Goods. The parties agree that any action arising out of or in connection with this Agreement will be heard in the federal, state, or local courts in King County, Washington, U.S.A., and each party hereby irrevocably consents to the exclusive jurisdiction and venue of these courts.

11.3  Notices.  Any notice required or permitted under the terms of this Agreement or required by law must be in writing and must be: (a) delivered in person or (b) sent by overnight air courier with some form of tracking mechanism, in each case properly posted and fully prepaid to the appropriate address. The initial address for notices for each party is set forth in Section 11.10, but either party may change its address for notices by notice to the other party given in accordance with this Section 11.3. Notices will be deemed given at the time of actual delivery in person or one day after delivery to an overnight air courier service.

11.4 Force Majeure.  Neither party will be liable for, or be considered to be in breach of or default under this Agreement on account of, any delay or failure to perform as required by this Agreement (other than payment of Fees) as a result of any cause or condition beyond such party’s reasonable control (e.g. natural disaster, earthquake, flood, severe storms, , fire, explosion, war, riots, acts of terrorism (incl. cyber terrorism) or  civil or military authority, government action power blackout, strike, embargo, labor disputes), so long as such party uses all commercially reasonable efforts to avoid or remove such causes of non-performance.

11.5  Waiver & Severability.  Any waiver of the provisions of this Agreement or of a party’s rights or remedies under this Agreement must be in writing to be effective. Failure, neglect, or delay by a party to enforce the provisions of this Agreement or its rights or remedies at any time, will not be construed as a waiver of the party’s rights under this Agreement and will not in any way affect the validity of the whole or any part of this Agreement or prejudice the party’s right to take subsequent action. If any term, condition, or provision in this Agreement is found to be invalid, unlawful, or unenforceable to any extent, the parties will endeavor in good faith to agree to amendments that will preserve, as far as possible, the intentions expressed in this Agreement. If the parties fail to agree on an amendment, the invalid term, condition, or provision will be severed from the remaining terms, conditions, and provisions of this Agreement, which will continue to be valid and enforceable to the fullest extent permitted by law.

11.6 Assignment.  Neither party will assign or otherwise transfer this Agreement, or such party’s rights and obligations hereunder, either voluntarily, by operation of law or otherwise, absent the other party’s prior written consent, which consent shall not be unreasonably withheld, delayed or conditioned. Notwithstanding the foregoing, either party may, upon fifteen (15) days’ prior written notice to the other party, assign all of its rights and delegate all of its duties under this Agreement to: (a) the surviving entity in a merger, sale, consolidation, or combination; or (b) an entity that acquires all or substantially all of the assigning party’s assets related to this Agreement.

11.7  Export Compliance.  As required by the laws of the United States and other relevant countries, Subscriber represents that it: (a) understands that the SaaS may be subject to export controls under the U.S. Commerce Department’s Export Administration Regulations (“EAR”) or export controls of other relevant countries; (b) is not located (including the Authorized Users or its Affiliates) in a prohibited destination country under the EAR or U.S. or other relevant country sanctions regulations; (c) will not export, re-export, or transfer or allow the use of the SaaS to any prohibited destination or persons or entities on the U.S. Bureau of Industry and Security Denied Parties List or Entity List, or the U.S. Office of Foreign Assets Control list of Specially Designated Nationals and Blocked Persons, or any similar lists maintained by other countries, without the necessary export license(s) or authorization(s); (d) will not use (including the Authorized User or its Affiliates) or transfer the SaaS in connection with any nuclear, chemical or biological weapons, missile technology, or military end-uses where prohibited by an applicable arms embargo, unless authorized by the relevant government agency by regulation or specific license; and (e) understands that countries including the United States may restrict the import, use, or export of encryption products (which may include the SaaS) and agrees that Subscriber will be solely responsible for compliance with any such import, use, or export restrictions.  Icertis will provide reasonable assistance to Subscriber in determining compliance with Section 11.7.

11.8  Counterparts.  This Agreement may be executed in counterparts, each of which will be deemed to be an original and together will constitute one and the same agreement. This Agreement may also be executed and delivered by facsimile and such execution and delivery will have the same force and effect of an original document with original signatures.

11.9 Integration.  This Agreement and all exhibits and addenda, as well as all Order Forms and SOWs, contain the entire agreement of the parties with respect to the subject matter of this Agreement and supersede all previous communications, representations, understandings, and agreements, either oral or written, between the parties with respect to said subject matter. No terms, provisions, or conditions of any purchase order, acknowledgement, or other business form that either party may use in connection with the transactions contemplated by this Agreement will have any effect on the rights, duties, or obligations of the parties under, or otherwise modify, this Agreement, regardless of any failure of a receiving party to object to these terms, provisions, or conditions. This Agreement may not be amended, except by a writing signed by both parties.

11.10  Address for Notice. Subscriber’s address for notice is the address mentioned in the Order Form. Icertis address for notice is 14711 NE 29th Place, Suite 100, Bellevue, WA 98007, USA.

EXHIBIT A
Support Services

The following describes the support services (“Support Services”) Icertis will provide the support level applicable to Subscriber (“Support Level”) as stated on the Order Form. If nothing is stated on the Order Form, Icertis will provide Standard support to the extent that subscriber has a paid-for subscription to a SaaS offering from Icertis. The following terms may be updated from time to time, however, for each Order Form, the terms effective as of the execution of the Order Form will apply for the duration of the applicable Subscription Term. The definitions are set out at the bottom of this Support Services Exhibit.

Support Service & Levels

Icertis will provide the applicable Support Services within the scope, access and availability parameters set forth below.

Support Service Standard Gold Platinum
Support Hours and Availability 24×5 (the work week within Subscriber’s local time zone) 24×7 24×7
Support Team Engagement Model General Support Named Support Named Support and Platinum Support Champion
Number of Authorized Support Contacts 2 6 9
Ticket Support Interface Support Portal + Email Support Portal + Email Support Portal + Email + Phone
Customer Support Reviews Not Applicable Quarterly Monthly
Request Ticket Support Not Applicable Up to 5 per month Up to 10 per month


Support Model

Subscriber will be permitted to access the Support Services via its own authorized support contacts. The number of such contacts the Subscriber is permitted is set forth above. Issues and requests are logged via the support interface available to the Subscriber, either [email protected] or the portal within the product, or via a provided phone number if applicable. Support Services will be provided via “named” or “champion” support engagement models at the Gold and Platinum levels. Subscribers that enjoy named support will have access to a named group of specialized resources with knowledge of that Subscriber’s specific implementation. Subscribers with access to a “champion” will additionally have a named and designated support point of contact that that can serve as a single point of contact for the Subscriber for matters related to the Support Service such as Support ticket updates, escalations, follow-ups, support service quality and efficiency review meetings, general product guidance and future release/update planning.

Request Tickets

Request Tickets are any tickets logged by the Subscriber that require a change to a data value within the Subscriber’s production database and are not caused by any error or gap in functionality of the SaaS.  Request Tickets also include tickets for which a user-interface based approach is available to the Subscriber to achieve the same desired outcome as sought by the Request Ticket.  Request Tickets above the limits set forth in the table above based on  the Subscriber’s Support Level will be computed and invoiced to the Subscriber on a quarterly basis at a rate set forth in the applicable Order Form.

Error Response, Communication and Resolution

Ticket requests made at the correct interface shall be responded to within the timeframes set forth in the table below, at which time, in each instance, a call tracking/ticket number shall be assigned. Each Error shall be assigned one of four severity classifications by Icertis based on the Error descriptions below: Critical, High, Medium or Low. This classification determines the target response and resolution time as provided below. ”Business Day” means Monday to Friday unless public holiday in the time zone where the Subscriber logged the support request.

Error Classification Standard Gold Platinum
Critical Initial Response: 2 hours
Ongoing Communication: Once every four hours
Target Resolution or Workaround: 2 Business Days
Initial Response: 1.5 hours
Ongoing communication: Once every hour
Target Resolution or Workaround: 1 Business Day
Initial Response: 1 hour
Ongoing Communication: Once every hour
Target Resolution or Workaround: 8 hours
High Initial Response: 1 Business Day
Ongoing Communication: Once every 2 Business Days
Target Resolution or Workaround: 5 Business Days
Initial Response: 4 hours
Ongoing Communication: Once every 6 hours
Target Resolution or Workaround: 2 Business Days
Initial Response: 1 hour
Ongoing Communication: Once every 6 hours
Target Resolution or Workaround: 1 Business Day
Medium Initial Response: 2 Business Days
Ongoing Communication: Once every week for non-defects and 4 weeks for product defects that are not yet resolved or slated for an Upgrade
Target Resolution or Workaround: 10 Business Days
Initial Response: 1 Business Day
Ongoing Communication: Once every 3 Business Days for non-defects and 2 weeks for product defects that are not yet resolved or slated for an Upgrade
Target Resolution or Workaround: 5 Business Days
Initial Response: 2 hours
Ongoing Communication: Once every 3 Business Days for non-defects and 2 weeks for product defects that are not yet resolved or slated for an Upgrade
Target Resolution or Workaround: 3 Business Days
Low Initial Response: 2 Business Days
Ongoing Communication: Once every week for non-defect s and 4 weeks for product defects that are not yet resolved or slated for an Upgrade
Target Resolution or Workaround: 20 Business Days
Initial Response: 1 Business Day
Ongoing Communication: Once every week for non-defects and 3 weeks for product defects that are not yet resolved or slated for an Upgrade
Target Resolution or Workaround: 10 Business Days
Initial Response: 3 hours
Ongoing Communication: Once every week for non-defect and 3 weeks for product defects that are not yet resolved or slated for an Upgrade
Target Resolution or Workaround: 7 Business Days


The Target Resolution or Workaround commitment is met if and when Icertis provides Subscriber with a Workaround or Plan for resolving the Error; however, the actual Fix for the Error may be included in the next planned Upgrade or such other scheduled Upgrade as timing and planning permits. Icertis’ Workaround and Target Resolution time commitments above are contingent on Subscriber meeting its assistance obligations set forth below.

Icertis is not required to provide resolutions for immaterial defects or defects due to modifications of the SaaS made by anyone other than Icertis (or anyone acting at Icertis’ direction). Support Services do not include the following nor extend to the following: Professional Services, implementation change requests, , integration or customization of a SaaS or custom software development, training or assistance with administrative functions.  Additional Professional Services may be required for Subscriber specific change requests, data changes, or modifications and updates to technical configurations or customizations.

Icertis is not required to correct any errors in uploaded legacy contract data, relationships, files or mappings.  Subscriber is obligated to verify the completeness and accuracy of such data and files before they are loaded into the product.

Subscriber Obligations.

                              Support Contacts.  Subscriber must initiate all requests for Support Services through their designated support contact(s), and Subscriber must notify Icertis in writing of any changes to the designated members. The Subscriber will be responsible for (a) obtaining, maintaining, installing and configuring hardware and third party software meeting requirements provided by Icertis for proper use and access to the SaaS, (b) providing support for the SaaS directly to Authorized Users, (c) validating critical failures by testing that they are reproducible and providing Icertis with all necessary documentation (such as screen shots and database query outputs), and (d) providing Icertis with remote access to Subscriber’s physical computers or virtual machines/workloads in the cloud, as needed, for providing Support Services.

                              Reasonable Assistance and Access.  Subscriber must provide Icertis with reasonable access to all necessary personnel and information and promptly answer all questions regarding Errors and other problems reported to Icertis, and Icertis will have the right to access the production instance of Subscriber’s SaaS for purposes of issue reproduction and validation, implementing Fixes and Upgrades and supporting the SaaS. For Critical and High severity tickets, Subscriber is expected to be available during the workaround/resolution time to provide information as needed (even if it is afterhours for Subscriber).

Definitions.

Error” means a failure of the production instance of the SaaS to operate in material conformance with their Documentation and applicable specifications but does not include failures that result from a disaster that requires a disaster recovery response.

Fix” means a temporary software patch designed to mitigate the impact of an Error, notwithstanding that the Error still exists.

Plan” means a description of the steps being taken by Icertis to resolve the Error which includes: (i) a description of the skill sets of the Icertis staff that have been assigned to work on the Error, (ii) a high level description of the actions those staff are taking as part of the effort to resolve the Error, and; (iii) a preliminary technical plan for how the Error will be resolved.

Upgrade” means upgrades, updates, patch fixes, improvements or changes to the SaaS designed to enhance operating performance without changing the basic functions of the SaaS and as made generally available by Icertis at no additional charge to its licensees of the SaaS.

Workaround” means a feasible change in operating procedures whereby an end-user can avoid the deleterious effects of an Error without material inconvenience.

Error Classification Description
Critical Error that results in the loss of all capability of the SaaS and for which there is no suitable then-existing Workaround.
High Error that disables major fundamental functions from being performed and therefore affects the normal operations of the SaaS and for which there is no suitable then-existing Workaround.
Medium Error that disables only certain non-essential functions but that does not affect the normal operation of the SaaS.
Low Intermittent Errors that do not materially affect normal operation of the SaaS.

EXHIBIT B
Security Framework

Area Icertis Contract Intelligence (ICI) Platform
Risk Management Icertis has identified and classified assets based on the criticality. Security risks related to the ICI instance, internal personnel, assets, and external parties (such as contractors, customers, and vendors) are identified and addressed via the ISO 27001: 2013 framework and applicable controls. Risk management is a continuous process adapted at Icertis.
Information security policies and framework, compliances The ICI Platform is hosted on the Microsoft Azure cloud platform and available as a SaaS offering to subscribers. The ICI Platform is developed using Microsoft technologies like .NET, ASP.NET MVC, SQL Server, etc. These services provided to Icertis by Microsoft follows industry practices and security measures towards ensuring high availability, confidentiality, integrity, and privacy of the cloud based services we provide to the Subscriber. For Azure data center compliance, please refer to https://azure.microsoft.com/en-in/overview/trusted-cloud/

Icertis is an ISO 27001, ISO 27017, and 27018 certified organization. Icertis also complies with ITAR and has SOC2 (Type1, type2) certifications.

Human resource security All employees working on the ICI Platform are subject to background verification, and are bound by contractual obligations of confidentiality. Employees go through various training sessions necessary to perform their duties, including training regarding information security covering specific topics such as  GDPR and HIPAA.
Asset management Icertis maintains the assets in its cloud infrastructure, which are managed, and monitored by an internal cloud operations team.
Physical and environmental security The ICI Platform is hosted on the Microsoft Azure cloud.  For Azure data center compliance, please refer to https://azure.microsoft.com/en-in/overview/trusted-cloud/
Communication and Ops management The ICI Platform is hosted on the Microsoft Azure cloud with VNET, which are protected by various Azure security features such as DDoS protection, intrusion detection/intrusion prevention systems (IDS/IPS), web filtering, network antimalware. Access to all other infrastructure components is deterred from outside Azure VNET because each subnet is protected by a NSG (Network Security Group). Web endpoints of the ICI Platform application are exposed using HTTPS.
Application security IT senior management ensures that any business-critical changes at the application level are pre-approved and go through thorough security review. This is induced from architecture designing, specification defining phase to the deployment and testing phase.
Icertis has adopted the Microsoft security development lifecycle. Icertis commissions regular third party vulnerability assessments and penetration testing for the application. All builds, including nightly builds go through the security scanning.
The ICI Platform can integrate with a subscriber identity provider for user authentication using industry-standard protocols like SAML2. OAuth\Open ID, WS-Fed. If Multi-Factor authentication is enabled on the identity provider side, the ICI Platform by default, supports it. Active threat monitoring and prevention using the Azure Security Center is configured. Audits logs are maintained and monitored at a specific frequency. Microsoft Azure services to Icertis to support the ICI offering include a high availability and disaster recovery capability.
All data at rest is encrypted using AES 256-bit encryption, which is provided by underlying Azure services. Encryption keys are managed by Microsoft Azure. If required, Icertis can manage the encryption keys in the Azure Key Vault.
For data in transit, data encryption is done using the certificate.
Icertis has detailed audit logs in the system. The transaction audit log is captured in the history of the transaction. The ICI Platform captures all user actions on the user record with date and time stamp.
Access Control Strict role-based access control is implemented in the ICI Platform. Icertis understands that the management of authentication (the user’s identity) and authorization (the user’s permissions) is critical to an application’s overall security posture. The ICI Platform supports various kinds of authentication mechanisms. Authorization is generally implemented using various authorization features provided within the ICI Platform.
BCP and DR Icertis is hosted on and stores data in a Microsoft Azure data center.  The particular Microsoft Azure data center may be selected by the Subscriber at the outset of the subscription. Regular backups are performed for production data as per Azure’s frequency and backups are stored on the geo replicated Azure BLOB storage.
Security Incident communication management Icertis will notify the Subscriber in case of violation or breach of security resulting in a loss or unauthorized disclosure of Subscriber Data. A formal information security incident management process is followed. Incidents are reported by an observer or internal teams monitoring activities and are acted upon immediately.  The incident is contained first, to minimize impact, and then resolved. A root cause analysis is then performed and documented. Mitigation or resolution actions are performed and documented. Internal escalations are performed as needed. The entire incident is documented for generating a knowledge base.
Data Security and Privacy Icertis treats data provided by Subscribers to the ICI Platform as confidential. Icertis has implemented technical and organizational measure to protect the data, including PII.

EXHIBIT C

Service Level Standards

  1. SaaS Availability Service Icertis will provide 99.5% System Availability over one- month periods as measured and monitored by Icertis or it will make the Service Level Availability (“SLA”) Credits available as provided below . System Availability will be calculated on a monthly basis as follows: (Actual Availability divided by Total Availability) multiplied by 100 (“System Availability”).
    The following definitions shall apply:
  1. Actual Availability” means Total Availability minus Downtime, in
  2. Downtime” means the time (in minutes) that Subscriber may not access the production environment of the SaaS and such environment is not otherwise actively processing a Subscriber-initiated request, in all cases due to failure or malfunction of the SaaS. Downtime does not include any unavailability of the SaaS due to the Exclusions listed in Section 2
  3. Force Majeure Event” Is as defined in the agreement between the parties and as provided below.
  4. Planned Downtime” means time (in minutes) that the SaaS are not accessible to Subscriber (i) for the purpose of reasonably updating, upgrading or maintaining the SaaS or its underlying infrastructure (for example, without limitation, operating system upgrades, hardware repairs, database backups, data center moves, or the like); (ii) during the then current maintenance windows (ask your Icertis representative for the current windows, but which will in any event occur outside of the Subscriber’s local working hours); and (iii) in each such instance, with Icertis’ reasonable efforts to provide notice (email or in-product) to Subscriber at least 24 hours in advance.
  5. Total Availability” means 7 days per week, 24 hours per
  1. The following are excluded from the definition of Downtime and as such no SLA Credits will be provided for:
  • Planned Downtime;
  • Unavailability attributable to Subscriber’s equipment, software or network, or by actions of Subscriber or Subscriber’s personnel or agents (unless that action was undertaken at the express direction of Icertis), or inaction by Subscriber following reasonable instruction; or
  • Unavailability attributable to Force Majeure Event, including general Internet services (e.g. DNS, internet backbone, ) outage.
  1. SLA Credits. If Icertis fails to meet the System Availability requirements, Subscriber will not be eligible to claim a refund of fees paid (e.g. by claiming a payment reduction) but instead will be eligible to request a credit calculated as follows (the “SLA Credits”):
    1. SLA Credit for Service Level Availability Failure. If the System Availability during any given month falls below 99.5% and Subscriber requests an SLA Credit within 30 days of the end of that month, Icertis will provide Subscriber with a SLA Credit equal to the greater of:
    • Five percent (5%) of the subscription fees set forth in the applicable order form for the applicable SaaS for that calendar month; or
    • The actual unavailability rate for that calendar month as a percentage of the applicable subscription fees for that calendar month, not to exceed a credit of fifty percent (50%) in any given month. As an example, if the SaaS has an uptime availability of 85% during a calendar month, then the service credit will be fifteen percent (15%).

    Each SLA Credit will be paid by Icertis to Subscriber by way of a credit on the next invoice submitted by Icertis to Subscriber, unless no further invoices are issued by Icertis after the date on which the SLA Credit becomes payable, in which case Icertis will promptly pay such SLA Credit to Subscriber.