General Terms of Contract

WhiteHat Security, Inc.

General Terms

Updated November 2016

1. LICENSE. During the Term (as defined below) and subject to the terms and conditions in these General Terms, WhiteHat shall provide to the customer listed in an order for WhiteHat’s application and API security testing, vulnerability management and benchmarking, and related services (including associated software and access to WhiteHat’s hosted software application) (“Services”) a limited, non-exclusive, non-transferable license to use and access the Services described in the order, which may be entered into from time to time by the parties.
 
2. TERM AND TERMINATION
2.1 Term.  These General Terms shall become effective upon the effective date listed on the customer’s first order and continue for a period of one year or longer if the term of any of the customer’s orders extends beyond such one-year period, including any renewals thereof.  A customer order and these General Terms shall together comprise an “Agreement.”
2.2 Termination.  Either party may terminate an Agreement immediately if the other party fails to cure a material breach (including the customer failing to comply with Section 7) within 15 days after receipt of written notice thereof, and WhiteHat may terminate an Agreement with commercially reasonable advance notice in connection with Services and/or Training no longer being offered by WhiteHat.   
2.3 Effect of Termination. Following the termination or non-renewal of an Agreement, WhiteHat will cease providing the applicable Services and/or Training.
3. CERTAIN DEFINITIONS
3.1 Web Application means a group of related host names and one set of user login credentials.
3.2 Mobile Application means an application that can run on one platform, either iOS or Android, and can be written in either Objective-C for iOS, Java for Android, or in HTML/CSS/JavaScript.
3.3 Source Application means the smallest single unit of source code in a single environment (e.g. development, staging, production, etc.) in which such source code is housed when scanned by the Services (“Environment”) that can run independently on a server or mobile device, the code base of which does not change more than 20% between Service scans.  WhiteHat Services for Source Applications are available for:
(a) Extra-Small Source Applications (less than either 4MB in the size of the uncompressed source code in megabytes as measured by WhiteHat based on the average of up to the last 20 scans (“Uncompressed Source File Size”) or 100,000 lines of source code containing any characters (excluding comments and white spaces) as measured by WhiteHat based on the average of up to the last 20 scans (“Lines of Code”)),
(b) Small Source Applications (less than either 10MB in Uncompressed File Size or 250,000 Lines of Code),
(c) Medium Source Applications (less than either 20MB in Uncompressed File Size or 500,000 Lines of Code),
(d) Large Source Applications (less than either 60MB in Uncompressed File Size or 1,500,000 Lines of Code),
(e) Extra-Large Source Applications (less than either 120MB in Uncompressed File Size or 3,000,000 Lines of Code),
(f) Double-Extra Large Source Applications (less than either 200MB in Uncompressed File Size or 5,000,000 Lines of Code), or
(g) a combination of the foregoing.
3.4 Application means a (i) Web Application, (ii) Source Application, and/or (iii) Mobile Application.
3.5 API means a web service that is accessed via a URL and is described using the web services description language (WSDL) (limited to simple object access protocol (SOAP) or hypertext transfer protocol (HTTP)) or a representational state transfer (RESTful) API (limited to HTTP).
3.6 Operation means a discrete function accessed via a combination of its API’s base URL, the Operation’s name, and a request payload.
3.7 Documentation means any product descriptions, technical specifications, manuals, materials, and information made available to the customer in any form relating to the use of the Services.
3.8 Training means any computer-based training or onsite training offered by WhiteHat.
3.9 Training Materials means any training materials and handouts provided to the customer as part of the Training, which may include third-party materials licensed to WhiteHat.
 
4. STANDARD SUPPORT
The following terms describe WhiteHat’s standard support offering.  Additional support and service level agreements may be procured by the customer as described in an order.
4.1 Customer Support.  The customer may contact WhiteHat customer support using WhiteHat’s Customer Support Web Portal, which will be made available to the customer during the onboarding process.  From the Customer Support Web Portal, the customer will have the ability to log and track all of its service support requests.  The customer will also be able to review a support portal dedicated to documentation relevant to the Services such as service manuals, user guides, and other web security information.  After the effective date of the customer’s initial order, the customer will receive an email from WhiteHat with a URL link to set up the customer’s password for the Customer Support Web Portal. The customer may also contact WhiteHat Customer Support via email to support@whitehatsec.com or by calling (408) 343-8340 (Monday through Friday, 6:00 a.m. – 7:00 p.m. Pacific time, excluding any WhiteHat-observed holidays).
4.2 System Upgrades.  WhiteHat may periodically schedule a maintenance window to conduct upgrades to the Services, during which the Services will not be Available (meaning that WhiteHat customers are able to log on to WhiteHat Sentinel website as measured at http://stats.pingdom.com/86tj5dh0uwp4/113541 and/or http://stats.pingdom.com/86tj5dh0uwp4/1667403, as applicable).  WhiteHat will use commercially reasonable efforts to inform the customer of the date, time and duration of such maintenance window at least 24 hours in advance of the commencement of such maintenance.  WhiteHat shall take into consideration minimizing the disruption to the customer’s use of the Services when scheduling regular maintenance windows.
4.3 Service Availability and Credits
(a) Service Uptime.  Subject to the terms of an applicable Agreement, including but not limited to this Section 4.3(c), during the term of an applicable Service Order, the Services for each applicable Application or API shall be Available not less than 99.5% of the time each calendar month.  
(b) Credits.  If the Services for an Application or API are Available less than 99.5% of the time in a particular calendar month during the term of an applicable Service Order as measured by WhiteHat and WhiteHat is unable to provide such Services via mutually agreeable alternative methods, WhiteHat will issue to the customer a credit equal to 1/(365*24) multiplied by the then-applicable subscription fee for such Application or API for each hour that the Services for such Application or API were not Available during such calendar month. Such credit will be applied against the next invoice for such Application.  In order to obtain a credit under this Section 4.3(b), the customer must provide WhiteHat with written notice of its credit request that identifies the affected Application or API within 14 days after the date of an availability violation.  Credits under this Section 4.3(b) are WhiteHat’s sole liability, and the customer’s sole and exclusive remedy, for WhiteHat’s failure to meet any service uptime levels.
(c) Exclusions.  The customer shall not receive any credits in connection with any failure or deficiency of Services availability to the extent caused by or associated with: (i) a force majeure event; (ii) regularly scheduled or emergency maintenance and upgrades; (iii) any causes attributable to the customer or its contractors, (iv) software or hardware not provided or controlled by WhiteHat; and (v) outages elsewhere on the Internet, including but not limited to interruptions at any customer or third-party data center or ISP, that hinder the customer’s access to the Services.
5. PROPRIETARY RIGHTS
5.1 Applications and APIs.  The customer hereby grants WhiteHat the right to access, use, assess and test the Application(s) and/or API(s) made available to WhiteHat by the customer in connection with providing Services.  The customer acknowledges and agrees that WhiteHat’s access and use of the Application(s) and/or API(s) to provide Services is not subject to any “Terms of Use” or other terms or conditions that may be posted on, linked or otherwise provided with, the Application(s) and/or API(s). The customer represents that it is either the owner of the Application(s) and/or API(s) or has the authority to permit WhiteHat to provide such Services.  The customer shall provide WhiteHat adequate written evidence thereof upon WhiteHat’s request. In the event any of the Applications or APIs are subject to third-party rights, the customer shall indemnify WhiteHat for any claims against WhiteHat that arise from WhiteHat accessing or using such Application(s) and/or API(s) to provide Services.
5.2 Restrictions.  The customer shall not: (a) copy or otherwise reproduce, whether in whole or in part, the Services (or software associated therewith), Documentation, Training, or Training Materials; (b) modify or create any derivative work of the foregoing; (c) sell, rent, loan, license, sublicense, distribute, assign or otherwise transfer the foregoing; (d) cause or permit the disassembly, decompilation or reverse engineering of the foregoing or otherwise attempt to gain access to the source code of the foregoing; or (e) cause or permit any third party to do any of the foregoing.
5.3 Reservation of Rights.  Each party reserves all rights not expressly granted in an Agreement and no licenses are granted by either party to the other party under an Agreement except as expressly stated therein, whether by implication, estoppel or otherwise.  WhiteHat and its licensors own and retain all right, title and interest (including all intellectual property rights) in and to the Services, Training, Documentation, Training Materials, and associated software and materials, as applicable, including any modifications or improvements thereof.  Subject to the terms of the applicable Agreement, the customer shall own all right, title and interest to all WhiteHat data reports generated by the Services for the Application(s) and/or API(s) that contain the results of the tests performed by the Services (“Reports”).  
6. CUSTOMER RESPONSIBILITIES.  The customer acknowledges and agrees that (i) as between the customer and WhiteHat it is the customer’s sole responsibility to update and maintain the Application(s) and/or API(s), including without limitation, fixing any security vulnerabilities; (ii) the Reports are not guaranteed to show all vulnerabilities in the Application(s) and/or API(s); (iii) it is the customer’s sole responsibility to test, vet and confirm that any proposed remedial measures referenced in the Reports or otherwise referenced by WhiteHat to the customer are appropriate for the customer’s purposes; and (iv) the customer’s use of the Services does not render or guarantee that the Application(s) and/or API(s) will be invulnerable or free from unauthorized access. The customer further acknowledges and agrees that the customer’s use of the Services starts on the effective date listed on the applicable order and the customer is responsible for providing to WhiteHat all configuration data (hostnames, user accounts, API documentation, etc.) needed to perform the Services. Failure to provide configuration data does not release the customer from any responsibility in an Agreement.  The customer acknowledges and agrees that the customer’s and its users’ use of the Services and Training may be dependent upon access to telecommunications and Internet services.  The customer shall be solely responsible for acquiring and maintaining all telecommunications and Internet services and other hardware and software required for its access and use of the Services and/or Training, including, without limitation, any and all costs, fees, expenses, and taxes of any kind related to the foregoing.  WhiteHat shall not be responsible for any loss or corruption of data, lost communications, or any other loss or damage of any kind arising from any such telecommunications and Internet services.
7.  PAYMENT TERMS.  Promptly following the effective date of an order: WhiteHat (or if applicable the customer’s reseller) will invoice the customer for the fees set forth in an order; the customer shall provide a purchase order or clearly communicate that no purchase order is required; and the customer shall pay the fees set forth in an order in advance or otherwise as stated on the order.  
8. LIMITATION OF LIABILITY. IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY OR ANY THIRD PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL DAMAGES OR ANY LOST OPPORTUNITY, DATA OR PROFITS, OR THE COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, ARISING OUT OF AN AGREEMENT, OR ANY EXHIBIT, ORDER, SCHEDULE OR ADDENDUM THERETO, UNDER ANY CAUSE OF ACTION OR THEORY OF LIABILITY (INCLUDING NEGLIGENCE OR OTHER TORT), WHETHER OR NOT A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.  EXCEPT WITH RESPECT TO A PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL EITHER PARTY’S AGGREGATE LIABILITY HEREUNDER FOR ANY CAUSE OF ACTION OR THEORY OF LIABILITY EXCEED THE AMOUNTS PAID BY THE CUSTOMER TO WHITEHAT HEREUNDER DURING THE 12 MONTH PERIOD PRECEDING THE DATE THE CAUSE OF ACTION AROSE.  THESE LIMITATIONS ARE AN ESSENTIAL BASIS OF THE BARGAIN AND SHALL APPLY NOTWITHSTANDING ANY FAILURE OF THE ESSENTIAL PURPOSE OF ANY REMEDY.
9.  CONFIDENTIALITY
9.1  Definition of Confidential Information.  By virtue of an Agreement, the parties may have access to each other’s Confidential Information.  “Confidential Information,” as used in an Agreement, means any written, machine-reproducible and/or visual materials that are clearly labeled as proprietary, confidential, or with words of similar meaning, and all information that is orally or visually disclosed, if not so marked, if it is identified as proprietary or confidential at the time of its disclosure or in a writing provided within thirty (30) days after disclosure.  Confidential Information does not include information that: (a) is now, or hereafter becomes, through no act or failure to act on the part of the receiving party, generally known or available to the public; (b) was acquired by the receiving party before receiving such information from the disclosing party and without restriction as to use or disclosure; (c) is hereafter rightfully furnished to the receiving party by a third party, without restriction as to use or disclosure; or (d) is information which the receiving party can document was independently developed by the receiving party without use of the disclosing party’s Confidential Information.
9.2 Use of Confidential Information.  Neither party shall disclose any of the other party’s Confidential Information to any third party or use such Confidential Information for any purpose other than to (i) perform its obligations or exercise its rights under an Agreement; or (ii) as otherwise required by law.   Each party shall use the same measures to protect the Confidential Information of the other party as it uses with respect to its own confidential information of like importance, but in no event shall it use less than reasonable care, including, instructing its employees, vendors, agents, consultants and independent contractors of the foregoing and requiring them to be bound by appropriate confidentiality agreements.  If a party is required to disclose by law the Confidential Information of the other party, such party shall use best efforts to give the other party reasonable advance notice of such required disclosure.  WhiteHat reserves the right to disclose the terms and conditions of any Agreement, in confidence, (a) to accountants, banks and financing sources and their advisors for the purpose of securing financing; and (b) in connection with an actual or proposed merger or acquisition or similar transaction.  Upon termination or expiration of all Agreements the receiving party will promptly return to the disclosing party or destroy, at the disclosing party’s option, all tangible items containing or consisting of the disclosing party’s Confidential Information.
10.  LIMITED WARRANTIES.
10.1 Conformance with Documentation. WhiteHat warrants that the Services will substantially conform in all material respects in accordance with the Documentation.  The customer will provide prompt written notice of any non-conformity and provide WhiteHat a reasonable opportunity, not to exceed thirty (30) days, to remedy such non-conformity.  WhiteHat may modify the Documentation in its sole discretion, provided the functionality of the Services is not materially decreased during the Term.
10.2 Service Availability. WhiteHat warrants that the Services will meet the requirements set forth in Section 4.3 (Service Availability). In the event of a breach of the foregoing warranty, as the customer’s sole and exclusive remedy, WhiteHat will provide the remedy set forth in Section 4.3.
10.3 No Viruses. WhiteHat warrants that the Services and the Training do not contain any computer code that is intended to (i) disrupt, disable, harm, or otherwise impede in any manner, the operation of the customer’s software, firmware, hardware, computer systems or network (sometimes referred to as “viruses” or “worms”), (ii) permit unauthorized access to the customer’s network and computer systems (sometimes referred to as “traps”, “access codes” or “trap door” devices), or any other similar harmful, malicious or hidden procedures, routines or mechanisms which could cause such programs to cease functioning or to damage or corrupt data, storage media, programs, equipment or communications, or otherwise interfere with the customer’s operations.
10.4 Disclaimer of Warranty.  EXCEPT AS PROVIDED IN THIS SECTION 10, WHITEHAT PROVIDES THE SERVICES AND TRAINING “AS IS” AND MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, WITH RESPECT TO THE SERVICES, TRAINING, REPORTS, DOCUMENTATION, TRAINING MATERIALS, OR ANY OTHER RELATED DATA, AND SPECIFICALLY DISCLAIMS ANY WARRANTY OF AVAILABILITY, ACCURACY, RELIABILITY, USEFULNESS, ANY IMPLIED WARRANTY OF MERCHANTABILITY, NONINFRINGEMENT, TITLE OR FITNESS FOR A PARTICULAR PURPOSE AND ANY CONDITION OR WARRANTY ARISING FROM COURSE OF PERFORMANCE, DEALING OR USAGE OF TRADE.  SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES IN CERTAIN CIRCUMSTANCES. ACCORDINGLY, SOME OF THE LIMITATIONS SET FORTH ABOVE MAY NOT APPLY. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THE TRAINING OR TRAINING MATERIALS AS A CITATION AND/OR AS A POTENTIAL SOURCE FOR FURTHER INFORMATION DOES NOT MEAN THAT WHITEHAT ENDORSES THE INFORMATION SUCH ORGANIZATION OR WEBSITE MAY PROVIDE OR THE RECOMMENDATIONS IT MAY MAKE.
11.  INTELLECTUAL PROPERTY INDEMNIFICATION
11.1 Subject to the terms of this Section 11, WhiteHat shall, at its sole cost and expense, defend (or at its sole option settle), indemnify and hold harmless the customer and its directors, officers, employees and agents (“Customer Indemnitees”) from and against any third-party claim that the Services or the Training, when used in accordance with the applicable Agreement and Documentation, infringe any United States patent, copyright, or trademark of such third party (“Claim”).
11.2 WhiteHat’s obligations of indemnification shall be subject to the following: (a) the customer shall notify WhiteHat of any such Claim promptly after it obtains knowledge of such Claim, (b) the customer shall provide WhiteHat with reasonable assistance, information, and cooperation in defending the lawsuit or proceeding, at WhiteHat’s sole cost and expense, (c) the customer shall give WhiteHat full control and sole authority over the defense and settlement of such Claim, provided settlement fully releases the Customer Indemnitees and is solely for monetary damages and does not admit any liability on behalf of the customer. Notwithstanding the foregoing, the customer may join in defense and settlement discussions directly or through counsel of the customer’s choice at the customer’s own cost and expense.
11.3 Following notice of a Claim or upon any facts which in WhiteHat’s sole opinion are likely to give rise to such Claim, WhiteHat shall in its sole discretion and at its sole option elect to (a) procure for the customer the right to continue to use the Services or Training, at no additional cost to the customer or Customer Indemnitees, (b) replace the Services or Training so that it becomes non-infringing but functionally equivalent, (c) modify the Services or Training to avoid the alleged infringement but in a manner so that it remains functionally equivalent, or (d) terminate the applicable Agreement and provide a refund to the customer of all amounts prepaid by the customer to WhiteHat for Services or Training that have not yet been provided.
11.4 Notwithstanding anything contrary contained herein, WhiteHat shall have no obligation to indemnify, defend or hold harmless the customer hereunder to the extent a Claim is caused by or results from: (a) the customer’s combination or use of the Services or Training with software, services or products developed by the customer or other third parties, unless specifically contemplated by an Agreement, (b) modification of the Services or Training by anyone other than WhiteHat or its agents without WhiteHat’s express approval, (c) the customer’s continued allegedly infringing activity after being notified thereof or after being provided modifications that would have avoided the alleged infringement, (d) the customer’s use of the Services or Training in a manner not contemplated by an Agreement, the Documentation or the Training Materials, or (e) the customer’s negligence, recklessness or intentional misconduct or its failure to abide by all laws, rules, regulations or orders applicable to the Services and/or the Training.
The foregoing states the sole and exclusive liability and sole remedy of WhiteHat for any infringement of intellectual property rights.
12. GENERAL.  An Agreement constitutes the entire understanding and agreement of the parties hereto with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, representations and understandings between the parties regarding the subject matter hereof. Any terms contained in a purchase order or invoice issued by either party in connection with a transaction covered by an Agreement are null and void. Where there is a conflict between an order and these General Terms, the terms contained in such order will take precedence relating to the matter for which there was a conflict. Any term or provision of an Agreement may be amended, and the observance of any term of an Agreement may be waived, only by a writing signed by the party to be bound; provided that WhiteHat reserves the right to unilaterally amend these General Terms from time to time so long as the customer’s use of the Services is not materially detrimentally impacted. If any provision of an Agreement is found to be invalid or unenforceable, such provision shall be severed from such Agreement and the remainder of such Agreement shall be interpreted so as best to reasonably effect the intent of the parties hereto.  All headings in an Agreement are not to be considered in the construction or interpretation of any provision of any Agreement.  The parties are independent contractors, and neither party will have the power to bind the other or to incur obligations on the other’s behalf without such other party’s prior written consent. All Agreements shall be governed by the laws of the State of California, without reference to its conflict of laws principles.  The parties consent to exclusive jurisdiction and venue in state and federal courts sitting in and for Santa Clara County, California.  Each party reserves the right to seek injunctive relief due to the other party’s actual or threatened breach of an Agreement.
Neither party shall be responsible for any non-performance or delay (except for delay in payment) attributable to any cause beyond its reasonable control (force majeure). Neither party may assign any Agreement without prior written consent of the other party, except that each party may assign all Agreements to any successor to substantially all of its assets and liabilities to which this Agreement relates upon written notice to the other party. All Agreements shall inure to the benefit of and be binding on the respective successors and assigns of the parties.  The following provisions shall survive the termination or expiration of an Agreement:  Sections 5.2, 5.3, 6, 7, 8, 9, 10, 11 and 12.  Any notice shall be in writing and shall be delivered by hand, confirmed email, or overnight express mail to the order’s signatories at the address set forth on the order.  Any executable Service Orders may be executed in one or more counterparts, each of which shall constitute one and the same instrument.  For the purpose of executing Service Orders under these General Terms, the parties hereto agree that .pdf signatures sent via email shall serve as original signatures.