1. AGREEMENT/SERVICE ORDERS
During the Term (as defined in Section 2.1) and subject to the terms and conditions of this Agreement (as defined below), NTT Security AppSec Solutions Inc. dba WhiteHat Security (“WhiteHat”) shall provide to Customer (as defined in the applicable Service Order) a limited, non-exclusive, non-transferable license to use and access (i) the application vulnerability scanning services that includes access to WhiteHat’s hosted software application (the “Services”) for the Applications (as that term is defined in Section 3.1), (ii) the computer-based training and onsite training provided by WhiteHat (together, the “Training”), (iii) any online information, product descriptions, technical specifications, manuals and materials made available to the Customer, relating to the use of the Services (the “Documentation”), or (iv) any training materials and handouts provided to Customer as part of the Training, including, but not limited to, documents, data, drawings, models, code, applications and reports, and associated software and materials, including any modifications or improvements thereof, that may include third party materials licensed to WhiteHat (the “Training Materials”), each as described in an applicable Service Order. For the purposes of this Agreement, a “Service Order” shall be a duly executed quote with corresponding purchase order, statement of work, order form or service order, etc. A Service Order is an integral part of this Agreement and is fully incorporated herein. The license grant in this Section 1 for the Training Materials is provided solely for Customer’s internal use to further expand and improve the knowledge base of its employees who have a need to know such information, and expressly prohibits use of the Training Materials for production or commercial purposes.
For a Service Order to be valid, it must be executed by both the Customer and WhiteHat or its authorized reseller (“Reseller”), except where a Customer has executed a final quote issued by WhiteHat or Reseller. Unless otherwise specified in the Service Order, the terms of this General Terms of Contract for Services will govern the Service Order (together herein referred to as the “Agreement”). The Agreement shall take precedence over any other agreements, contracts or general terms that Customer may have entered into with a Reseller as it relates to the Services and/or Training only.
2. TERM AND TERMINATION
2.1 Term. This Agreement shall commence upon the Effective Date listed on the applicable Service Order and shall continue for one (1) year, or such longer period of time as set forth in such Service Order (the “Initial Term”). Unless otherwise specified in the Service Order, this Agreement shall automatically renew for additional, successive one (1) year terms unless either party notifies the other party in writing of its intent not to renew the Agreement at least thirty (30) days prior to the end of the then current term. The Initial Term and each renewal pursuant to this Section 2.1 shall together be referred to herein as the Term.
2.2 Termination. Either party may terminate this Agreement immediately if the other party fails to cure a material breach within fifteen (15) days after receipt of written notice thereof.
2.3 Effect of Termination. Following the termination or non-renewal of this Agreement, WhiteHat will cease providing the Services and/or the Training.
3. APPLICATIONS. For the purposes of this Agreement, the terms “Application” or “Applications” shall mean individually or collectively, a (i) Web Application, (ii) Source Application – Single Branch, (iii) Source Application – Multiple Branch and (iv) Mobile Application, each as defined in this Section 3.
3.1 Web Application. A “Web Application” is defined as a group of related host names and one set of user login credentials. Customer will provide to WhiteHat in writing the host names representing the Web Applications to be tested by the Services.
3.2 Source Application – Single Branch. A “Source Application – Single Branch” is defined as one main branch with one version of the same application.
3.3 Source Application – Multiple Branch. A “Source Application – Multiple Branch” is defined as multiple branches of up to five (5) versions of the same application. Applications must share at least 80% of their code base to be considered versions of the same application.
4. HOST NAME CHANGE
4.1 Host Name Change Policy. Customer may not change the host names that represent a given Web Application during the Term unless Customer has purchased the PreLaunch (PL) Enterprise Edition (described below).
4.2 PreLaunch Enterprise Edition. If Customer has purchased the PreLaunch Enterprise Edition, Customer may replace or substitute the host names comprising the Web Applications identified in the applicable Service Order with different host names during the term of the Service Order. The host name changes may be initiated at any time. WhiteHat and Customer agree that additions, deletions, or changes to the host names identified in this Agreement may be modified through electronic mail or Customer Support tickets. When Customer elects to replace the host names for a Web Application, all historical vulnerability data for such Web Application comprised of the replaced host names will no longer be available to Customer, and it is Customer’s responsibility to download any necessary data and/or reports prior to replacing any host names.
5. STANDARD SUPPORT
The following terms describe WhiteHat’s standard support offering. Additional support and service level agreements may be procured by Customer as described in a Service Order.
5.1 Customer Support. Customer may contact WhiteHat customer support, using WhiteHat’s Customer Support Web Portal, which will be provided to Customer during the onboarding process. From the Customer Support Web Portal, Customer will have the ability to log and track all of its service support requests. Customer will also be able to review a continually updated knowledge base containing service manuals, FAQs, and other web security information. After the Effective Date, Customer will receive an email from WhiteHat with a URL link to set up Customer’s password for the Customer Support Web Portal. Customer may also contact customer support via email at email@example.com or by calling (408) 343-8340 (Monday through Friday 6:00 a.m. – 7:00 p.m. Pacific time, excluding any U.S. federal holidays).
5.2 System Upgrades. WhiteHat may periodically schedule a maintenance window to conduct upgrades to the Services, during which the Services will be unavailable to Customer. WhiteHat will use commercially reasonable efforts to inform Customer of the date, time and duration of such maintenance window at least twenty-four (24) hours in advance of the commencement of such maintenance. WhiteHat shall take into consideration minimizing the disruption to Customer’s use of the Services when scheduling regular maintenance windows.
5.3 Service Availability and Credits.
(a) Service Uptime. Subject to the terms of this Agreement, including but not limited to Section 5.3(c), during the Term the Services for each Application shall be Available to Customer not less than 99.5% of the time each calendar month. For the purposes of this Agreement, “Available” means that Customer is able to log on to the WhiteHat Sentinel website.
(b) Credits. If the Services for an Application are Available less than 99.5% of the time in a particular month as measured by WhiteHat over any calendar month during the Term, and WhiteHat is unable to provide the Services via mutually agreeable alternative methods, WhiteHat will issue to Customer a credit equal to 1/(365*24) multiplied by the annual subscription fee for that Application for each hour that the Services for an Application were not Available to Customer during such calendar month. Such credit will be applied against the next invoice (provided by WhiteHat or the applicable Reseller, as appropriate) for the applicable Application(s). In order to obtain a credit under this Section 5.3(b), Customer must provide WhiteHat with written notice of its credit request that identifies the affected Application(s) within fourteen (14) days after the date of an availability violation. Credits under this Section 5.3(b) are WhiteHat’s sole liability, and Customer’s sole and exclusive remedy, for breach of the availability commitment contained in this Section 5.3.
(c) Exclusions. Customer shall not receive any credits in connection with any failure or deficiency of Services availability to the extent caused by or associated with: (i) a Force Majeure Event (as defined in Section 13.8); (ii) regularly scheduled or emergency maintenance and upgrades (including, but not limited to the system upgrades described in Section 5.2 above); (iii) any causes attributable to Customer or its contractors, (iv) software or hardware not provided or controlled by WhiteHat; and (v) outages elsewhere on the Internet, including but not limited to interruptions at any Customer or third party data center or internet service provider, that hinder Customer’s access to the Services.
6. PROPRIETARY RIGHTS
6.2 Restrictions. Customer shall not: (a) copy or otherwise reproduce, whether in whole or in part, the Services (or software associated therewith), Documentation, Training or Training Materials; (b) modify or create any derivative work of the Services (or software associated therewith), Documentation, Training or Training Materials; (c) sell, rent, loan, license, sublicense, distribute, assign or otherwise transfer the Services (or software associated therewith), Documentation, Training or Training Materials; (d) cause or permit the disassembly, decompilation or reverse engineering of the Services (or software associated therewith), Documentation, Training or Training Materials or otherwise attempt to gain access to the source code of the Services (or software associated therewith); or (e) cause or permit any third party to do any of the foregoing.
6.3 Reservation of Rights. Each party reserves all rights not expressly granted in this Agreement and no licenses are granted by either party to the other party under this Agreement except as expressly stated in this paragraph, whether by implication, estoppel or otherwise. WhiteHat or its licensors own and retain all right, title and interest (including all intellectual property rights) in and to the Services, Training, Documentation, Training Materials and associated software, including any modifications or improvements thereof and to all remedial measures or source code recommended by WhiteHat that may address vulnerabilities found during the performance of the Services (the “Source Code Recommendations”). Subject to the terms of the Agreement, (i) Customer shall own all right, title and interest to all data reports generated by the Services that contain the results of the tests performed by the Services (the “Scan Data”) and (ii) WhiteHat hereby grants Customer a non-exclusive, irrevocable, perpetual, royalty free right and license to use the WhiteHat intellectual property contained in the Source Code Recommendations for any legal purpose. Customer hereby grants an irrevocable, perpetual, royalty free, right and license to use the Scan Data for the sole purpose of disclosing such data (notwithstanding the confidentiality obligations described in Section 10 below) in an aggregate and anonymous format where data concerning individual customers may not be identified or derived. Customer may revoke this right at any time upon written request to WhiteHat; however, certain Services functionality related to such aggregated underlying data will then be unavailable to the Customer.
7. CUSTOMER RESPONSIBILITIES. Customer acknowledges and agrees that (i) it is Customer’s sole responsibility to update and maintain the Application(s), including without limitation, fixing any security vulnerability revealed by the Services and Scan Data, (ii) the Scan Data and Source Code Recommendations are not guaranteed by WhiteHat to contain all vulnerabilities and (iii) it is Customer’s sole responsibility to test, vet and confirm that any remedial measures contained in the Source Code Recommendations are appropriate for Customer’s purposes. Customer further acknowledges and agrees that Customer’s use of the Services does not render or guarantee that the Applications will be invulnerable or free from unauthorized access. Customer further acknowledges and agrees that Customer’s use of the Services starts on the Effective Date and the Customer is responsible for providing all configuration data (host names, user accounts, etc.) needed to perform the Services. Failure to provide configuration data does not release Customer from any responsibility in the Agreement. Customer acknowledges and agrees that Customer’s and its users’ use of the Services and Training may be dependent upon access to telecommunications and Internet services. Customer shall be solely responsible for acquiring and maintaining all telecommunications and Internet services and other hardware and software required for its access and use of the Services and/or Training, including, without limitation, any and all costs, fees, expenses, and taxes of any kind related to the foregoing. WhiteHat shall not be responsible for any loss or corruption of data, lost communications, or any other loss or damage of any kind arising from any such telecommunications and Internet services.
8. PAYMENT TERMS. WhiteHat or the Reseller will invoice Customer for the fees set forth in the applicable Service Order immediately following the Effective Date.
9. LIMITATION OF LIABILITY. IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY OR ANY THIRD PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL DAMAGES OR ANY LOST OPPORTUNITY, DATA OR PROFITS, OR THE COSTS OF PROCUREMENT OR SUBSTITUTE GOODS OR SERVICES, ARISING OUT OF THIS AGREEMENT, OR ANY EXHIBIT, SERVICE ORDER, SCHEDULE OR ADDENDUM THERETO, UNDER ANY CAUSE OF ACTION OR THEORY OF LIABILITY (INCLUDING NEGLIGENCE OR OTHER TORT), WHETHER OR NOT A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL EITHER PARTY’S AGGREGATE LIABILITY HEREUNDER FOR ANY CAUSE OF ACTION OR THEORY OF LIABILITY EXCEED THE AMOUNTS PAID BY CUSTOMER TO WHITEHAT HEREUNDER DURING THE PRECEDING TWELVE (12) MONTH PERIOD PRIOR TO THE DATE THE CAUSE OF ACTION AROSE. THESE LIMITATIONS ARE AN ESSENTIAL BASIS OF THE BARGAIN AND SHALL APPLY NOTWITHSTANDING ANY FAILURE OF THE ESSENTIAL PURPOSE OF ANY REMEDY.
10.1 Definition of Confidential Information. By virtue of this Agreement, the parties may have access to each other’s Confidential Information. “Confidential Information,” as used in this Agreement, means any written, machine-reproducible and/or visual materials that are clearly labeled as proprietary, confidential, or with words of similar meaning, and all information that is orally or visually disclosed, if not so marked, if it is identified as proprietary or confidential at the time of its disclosure or in a writing provided to the receiving party within thirty (30) days after disclosure. Confidential Information does not include information that: (a) is now, or hereafter becomes, through no act or failure to act on the part of the receiving party, generally known or available to the public; (b) was acquired by the receiving party before receiving such information from the disclosing party and without restriction as to use or disclosure; (c) is hereafter rightfully furnished to the receiving party by a third party, without restriction as to use or disclosure; or (d) is information which the receiving party can document was independently developed by the receiving party without use of the disclosing party’s Confidential Information.
10.2 Use of Confidential Information. Neither party shall disclose any of the other party’s Confidential Information to any third party or use such Confidential Information for any purpose other than to (i) perform its obligations or exercise its rights under this Agreement; or (ii) as otherwise required by law. Each party shall use the same measures to protect the Confidential Information of the other party as it uses with respect to its own confidential information of like importance, but in no event shall it use less than reasonable care, including, instructing its employees, vendors, agents, consultants and independent contractors of the foregoing and requiring them to be bound by appropriate confidentiality agreements. If a party is required to disclose by law the Confidential Information of the other party, such party shall use best efforts to give the other party reasonable advance notice of such required disclosure. WhiteHat reserves the right to disclose the terms and conditions of this Agreement, in confidence, (a) to accountants, banks and financing sources and their advisors for the purpose of securing financing; and (b) in connection with an actual or proposed merger or acquisition or similar transaction. Upon termination or expiration of this Agreement the receiving party will promptly return to the disclosing party or destroy, at the disclosing party’s option, all tangible items containing or consisting of the disclosing party’s Confidential Information.
11. LIMITED WARRANTIES.
11.1 WhiteHat Warranties.
(a) WhiteHat warrants that the Services will substantially conform in all material respects in accordance with the Documentation. Customer will provide prompt written notice of any non-conformity and provide WhiteHat a reasonable opportunity, not to exceed thirty (30) days, to remedy such non-conformity. WhiteHat may modify the Documentation in its sole discretion, provided the functionality of the Services will not be materially decreased during the Term.
(b) WhiteHat warrants that the Services will meet the requirements set forth in Section 5.3 (Service Availability). In the event of a breach of the foregoing warranty, as Customer’s sole and exclusive remedy, WhiteHat will provide the remedy set forth in Section 5.3.
(c) The Services and the Training do not contain any computer code that is intended to (i) disrupt, disable, harm, or otherwise impede in any manner, the operation of Customer’s software, firmware, hardware, computer systems or network (sometimes referred to as “viruses” or “worms”), (ii) permit unauthorized access to Customer’s network and computer systems (sometimes referred to as “traps”, “access codes” or “trap door” devices), or any other similar harmful, malicious or hidden procedures, routines or mechanisms which could cause such programs to cease functioning or to damage or corrupt data, storage media, programs, equipment or communications, or otherwise interfere with Customer’s operations.
(d) EXCEPT AS PROVIDED IN THIS SECTION 11, WHITEHAT PROVIDES THE SERVICES AND TRAINING “AS IS” AND MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, WITH RESPECT TO THE SERVICES, TRAINING, SCAN DATA, SOURCE CODE RECOMMENDATIONS, DOCUMENTATION, TRAINING MATERIALS OR ANY OTHER RELATED DATA, AND SPECIFICALLY DISCLAIMS ANY WARRANTY OF AVAILABILITY, ACCURACY, RELIABILITY, USEFULNESS, ANY IMPLIED WARRANTY OF MERCHANTABILITY, NONINFRINGEMENT, TITLE OR FITNESS FOR A PARTICULAR PURPOSE AND ANY CONDITION OR WARRANTY ARISING FROM COURSE OF PERFORMANCE, DEALING OR USAGE OF TRADE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES IN CERTAIN CIRCUMSTANCES. ACCORDINGLY, SOME OF THE LIMITATIONS SET FORTH ABOVE MAY NOT APPLY. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THE TRAINING OR TRAINING MATERIALS AS A CITATION AND/OR AS A POTENTIAL SOURCE FOR FURTHER INFORMATION DOES NOT MEAN THAT WHITEHAT ENDORSES THE INFORMATION SUCH ORGANIZATION OR WEBSITE MAY PROVIDE OR THE RECOMMENDATIONS IT MAY MAKE.
11.2 Customer Warranties.
(a) Customer represents and warrants that (i) it understands and acknowledges that the knowledge, tools and skills that Customer attendees may learn from attending the onsite training and/or from the Training Materials may enable such attendee(s) to gain the ability to cause significant harm and destruction to computer systems, web sites and URLs; (ii) it understands and acknowledges that in most countries, attacking a computer system without the permission of the owner of such computer system is unlawful; (iii) it will be fully responsible for the acts or omissions of its employees, agents, contractors or other individuals as it relates to their use of the information provided in the Training and Training Materials, which includes, but is not limited to, attacking computer systems or web sites, or attempting to gain unauthorized access to computer systems or web sites, even if the objective is to cause no actual harm to the computer system or web site.
(b) Customer acknowledges and agrees that (i) Customer vulnerability data Customer allows the instructor to view during onsite training may be highly sensitive and (ii) WhiteHat shall have no liability for any disclosure, misuse or misappropriation of such vulnerability data by Customer.
12. INTELLECTUAL PROPERTY INDEMNIFICATION
12.1 Subject to the terms of this Section 12, WhiteHat shall, at its sole cost and expense, defend (or at its sole option settle), indemnify and hold harmless Customer and the directors, officers, employees and agents of the foregoing (“Customer Indemnitees”) from and against any third party claim that the Services and/or the Training, when used in accordance with this Agreement, infringe any United States patent, copyright or trademark of a third party (a “Claim”).
12.2 WhiteHat’s obligations of indemnification shall be subject to the following: (a) Customer shall notify WhiteHat of any such Claim promptly after it obtains knowledge of such Claim, (b) Customer shall provide WhiteHat with reasonable assistance, information, and cooperation in defending the lawsuit or proceeding, at WhiteHat’s sole cost and expense, (c) Customer shall give WhiteHat full control and sole authority over the defense and settlement of such Claim, provided settlement fully releases the Customer Indemnitees and is solely for monetary damages and does not admit any liability on behalf of the Customer. Notwithstanding the following, Customer may join in defense and settlement discussions directly or through counsel of Customer’s choice at Customer’s own cost and expense.
12.3 Following notice of a Claim or upon any facts which in WhiteHat’s sole opinion are likely to give rise to such Claim, WhiteHat shall in its sole discretion and at its sole option elect to (a) procure for Customer the right to continue to use the Services or the Training, at no additional cost to Customer or Customer Indemnitees, (b) replace the Services or the Training so that it becomes non-infringing but functionally equivalent, (c) modify the Services or Training to avoid the alleged infringement but in a manner so that it remains functionally equivalent, or (d) terminate this Agreement and provide a refund to Customer of all amounts prepaid by Customer to WhiteHat for Services or Training that have not yet been provided.
12.4 Notwithstanding anything contrary contained herein, WhiteHat shall have no obligation to indemnify, defend or hold harmless the Customer hereunder to the extent a Claim is caused by or results from: (a) Customer’s combination or use of the Services or the Training with software, services or products developed by Customer or other third parties, unless specifically contemplated by this Agreement, (b) modification of the Services or the Training by anyone other than WhiteHat or its agents without WhiteHat’s express approval, (c) Customer’s continued allegedly infringing activity after being notified thereof or after being provided modifications that would have avoided the alleged infringement, (d) Customer’s use of the Services or the Training in a manner not contemplated by this Agreement, the Documentation or the Training Materials, or (e) Customer’s negligence, recklessness or intentional misconduct or its failure to abide by all laws, rules, regulations or orders applicable to the Services and/or the Training.
The foregoing states the sole and exclusive liability and sole remedy of WhiteHat for any infringement of intellectual property rights.
13.1 Entire Agreement. This Agreement constitutes the entire understanding and agreement of the parties hereto with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, representations and understandings between the parties regarding the subject matter hereof, including any terms contained in any purchase order or invoice issued by either party in connection with any transaction covered by this Agreement are null and void. Where there is a conflict between a Service Order and the General Terms of Contract for Services, the terms contained in a Service Order will take precedence relating to the matter for which there was a conflict. All headings herein are not to be considered in the construction or interpretation of any provision of this Agreement.
13.2 Amendment and Waiver. Any term or provision of this Agreement may be amended in writing by both parties to this Agreement. The observance of any term of this Agreement may be waived, only by a writing signed by the party to be bound.
13.3 Severability. If any provision of this Agreement is found to be invalid or unenforceable, such provision shall be severed from the Agreement and the remainder of this Agreement shall be interpreted so as best to reasonably affect the intent of the parties hereto.
13.4 Independent Contractors. The parties are independent contractors, and neither party will have the power to bind the other or to incur obligations on the other’s behalf without such other party’s prior written consent.
13.5 Governing Law. This Agreement shall be governed by the laws of the State of California, without reference to its conflict of laws principles. The parties consent to exclusive jurisdiction and venue in state and federal courts sitting in and for Santa Clara County, California.
13.6 Injunctive Relief. Each party reserves the right to seek injunctive relief due to the other party’s actual or threatened breach of this Agreement.
13.7 Force Majeure. Neither party shall be responsible for any non-performance or delay (except for delay in payment) attributable in whole or in part to any cause beyond its reasonable control (a “Force Majeure Event”), including but not limited to acts of God, government actions including changes in applicable law, war, civil disturbance, sabotage, terrorist acts, failure or delay in provision of services by subcontractors or the other party’s fault or negligence.
13.8 Assignment. Neither party may assign this Agreement without prior written consent of the other party, except that either party may assign this Agreement to any successor to substantially all of its business or assets to which this Agreement relates, upon written notice to the other party. This Agreement shall inure to the benefit of and be binding on the respective successors and assigns of the parties.
13.9 Notice. Any notice required under this Agreement shall be in writing and shall be delivered by hand or by overnight express mail to the contact name and address set forth on a Service Order, or as otherwise described in this Agreement.
13.10 Survival. The following provisions shall survive the termination or expiration of this Agreement: Sections 6.2, 6.3, 7, 8, 9, 10, 11 and 13.