NTT Application Security
General Terms of Contract (online version)
(Applicable to Customers purchasing direct or via reseller)
Updated June 2017
THIS NTT SECURITY APPSEC SOLUTIONS INC. DBA NTT APPLICATION SECURITY (“NTT APP SEC”) MASTER SOFTWARE AS A SERVICE AGREEMENT (THE “MSSA”) APPLIES TO CUSTOMERS THAT PURCHASE NTT APPSEC SERVICES DIRECTLY FROM NTT APPSEC OR THROUGH A RESELLER (DEFINED BELOW), AS IDENTIFIED ON (I) THE APPLICABLE SERVICE ORDER (DEFINED BELOW) OR (II) ANY OTHER ORDER DOCUMENT OR QUOTE BETWEEN A CUSTOMER AND A RESELLER (“CUSTOMER”). CUSTOMERS ARE ADVISED TO READ THIS MSSA CAREFULLY BEFORE PURCHASING OR USING NTT APPSEC SERVICES. IF CUSTOMER DOES NOT AGREE TO BE BOUND BY TERMS OF THIS MSSA, THEN IT MUST NOT PURCHASE OR USE THE NTT APPSEC SERVICES BEING SOLD OR OFFERED BY NTT APPSEC OR THE RESELLER. THIS MSSA IS EFFECTIVE UPON THE EARLIER OF (A) CUSTOMER’S ACCEPTANCE OF THIS MSSA (EITHER BY CLICKING A BOX TO INDICATE ACCEPTANCE OR BY EXECUTING AN ORDERING DOCUMENT WITH NTT APPSEC THAT REFERENCES THIS MSSA), OR (B) CUSTOMER’S ACCEPTANCE OF THIS MSSA BY EXECUTING AN ORDER THROUGH A RESELLER THAT REFERENCES THE TERMS OF THIS MSSA. IF YOU ARE ACTING ON BEHALF OF A CUSTOMER ENTITY, YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO ENTER INTO THIS MSSA ON BEHALF OF SUCH CUSTOMER ENTITY.
1.1 “Claim” means any third party claim that the Services or the Training, when used in accordance with this MSSA, infringe any United States patent, copyright or trademark of a third party.
1.2 “Confidential Information” means any written, machine-reproducible and/or visual materials that are clearly labeled as proprietary, confidential, or with words of similar meaning, and all information that is orally or visually disclosed, if not so marked, if it is identified as proprietary or confidential at the time of its disclosure or in a writing provided to the receiving party within thirty (30) days after disclosure.
1.3 “Customer Indemnitees” means Customer and its directors, officers, employees and agents.
1.4 “Documentation” means any online information, product and service descriptions, technical specifications, manuals and materials made available to the Customer, relating to the use of the Services.
1.5 “Fees” means the fees for Services or Training described on an applicable Service Order.
1.6 “Force Majeure Event” has the meaning set forth in Section 12.7 of this MSSA.
1.7 “MSSA” means this Master Software as a Service Agreement, including any amendments, addenda, attachments, exhibits or schedules hereto entered into by NTT AppSec and Customer, and all Service Orders by and between NTT AppSec and the Customer that incorporate this MSSA by reference, which govern all Services provided by NTT AppSec to Customer.
1.8 “Reports” means data reports that contain the results of the tests performed by the Services.
1.9 “Reseller” means any of NTT AppSec’s authorized resellers.
1.10 “Service Order” means any (i) duly executed service order or NTT AppSec quote, (ii) duly executed statement of work, (iii) duly executed order form or (iv) NTT AppSec quote with corresponding purchase order incorporating a reference to the NTT AppSec quote number, provided for the purpose of acquiring the Services and/or the Training and that incorporates this MSSA by reference, and contains a description of the Services and/or Training ordered by Customer and the applicable Fees and term of the Service Order. For clarity, a Service Order may include the ordering document from which the Customer procures Services from a Reseller.
1.11 “Services” means the application and API security testing services (including (i) the associated software and (ii) access to NTT AppSec’s hosted software application) for the Applications and/or APIs, provided on a subscription basis, as further described on an applicable Service Order.
1.12 “Term” means one (1) year from the Effective Date of this MSSA or longer as described in Section 3.1 and shall include any auto-renewals pursuant to Section 3.1 of this MSSA.
1.13 “Training” means any computer-based training or onsite training provided by NTT AppSec.
1.14 “Training Materials” means any training materials and handouts provided to Customer as part of the Training, including, but not limited to, documents, data, drawings, models, code, applications and reports, and associated software and materials, including any modifications or improvements thereof. Training Materials may include third party materials licensed to NTT AppSec.
1.15 Additional definitions applicable to the performance of the Services can be found here: https://www.whitehatsec.com/terms-conditions/service-definitions/ (“Service Definitions”), and such definitions are incorporated by reference herein.
During the Term and subject to the terms and conditions of this MSSA, NTT AppSec shall provide to Customer a limited, non-exclusive, non-transferable license to use and access the (i) Services for the number of Applications and/or API Operations set forth in a Service Order; (ii) the Training; and (iii) the associated Documentation and Training Materials; subject to any additional terms and conditions required by any third party providers, as described in a Service Order. Such license grant for any software associated with the Services that must be downloaded by Customer shall include the right to make one copy for internal use in accordance with the Documentation, and such license grant for the Training Materials is provided solely for Customer’s internal use to further expand and improve the knowledge base of its employees who have a need to know such information, and expressly prohibits use of the Training Materials for production or commercial purposes. Unless otherwise specified in a Service Order, the terms of this MSSA will govern the Service Order and any Services provided by NTT AppSec to Customer whether procured directly from NTT AppSec or through a Reseller. This MSSA shall take precedence over any other agreements, contracts or general terms that Customer may have entered into with a Reseller as it relates to the Services and/or Training only. A Service Order is an integral part of this MSSA and is fully incorporated herein.
3. TERM AND TERMINATION
3.1 Term. This MSSA shall commence upon the Effective Date and shall continue for the duration of the Term. Each Service Order shall commence as set forth in such Service Order. Unless terminated in accordance with this Section 3 prior to the end of the Term, this MSSA shall automatically renew for additional, successive one (1) year terms, unless either party notifies the other party in writing of its intent not to renew at least thirty (30) days prior to the end of the Term. Notwithstanding any notice of non-renewal provided by a party to this MSSA, or other expiration or termination of this MSSA, the Term of this MSSA will continue in effect until all Service Orders entered into pursuant to this MSSA have expired or been terminated.
3.2 Termination. Either party may terminate this MSSA or a Service Order immediately if the other party fails to cure a material breach (which in the case of Customer includes failure to follow the requirements of Section 7) within fifteen (15) days after receipt of written notice thereof.
3.3 Effect of Termination. Following the termination or non-renewal of this MSSA, NTT AppSec will cease providing the Services and/or the Training.
4. SUPPORT SERVICES
A description of the support services provided by NTT AppSec along with the Services are described here: https://www.whitehatsec.com/terms-conditions/support-terms/ (“Support Terms”). Customer may procure additional support as set forth in an applicable Service Order.
5. PROPRIETARY RIGHTS
5.2 Restrictions. Customer shall not: (a) copy or otherwise reproduce, whether in whole or in part, the Services (or software associated therewith), Documentation, Training or Training Materials; (b) modify or create any derivative work of the Services (or software associated therewith), Documentation, Training, or Training Materials; (c) sell, rent, loan, license, sublicense, distribute, assign or otherwise transfer the Services (or software associated therewith), Documentation, Training or Training Materials; (d) cause or permit the disassembly, decompilation or reverse engineering of the Services (or software associated therewith), Documentation, Training or Training Materials, or otherwise attempt to gain access to the source code of the Services or software associated therewith; or (e) cause or permit any third party to do any of the foregoing.
5.3 Reservation of Rights. Each party reserves all rights not expressly granted in this MSSA and no licenses are granted by either party to the other party under this MSSA except as expressly stated in a Service Order, whether by implication, estoppel or otherwise. NTT AppSec or its licensors own and retain all right, title and interest (including all intellectual property rights) in and to the Services, Training, Documentation, Training Materials, and associated software, as applicable, including any modifications or improvements thereof. Subject to the terms of this MSSA, Customer shall own all right, title and interest to all Reports.
6. CUSTOMER RESPONSIBILITIES. Customer further acknowledges and agrees that (i) as between Customer and NTT AppSec it is Customer’s sole responsibility to update and maintain the Application(s) and/or API(s), including without limitation, fixing any security vulnerabilities; (ii) the Reports are not guaranteed to show all vulnerabilities in the Application(s) and/or API(s); (iii) it is Customer’s sole responsibility to test, vet and confirm that any proposed remedial measures referenced in the Reports or otherwise referenced by NTT AppSec to Customer are appropriate for Customer’s purposes; and (iv) Customer’s use of the Services does not render or guarantee that the Application(s)s and/or API(s) will be invulnerable or free from unauthorized access. Customer further acknowledges and agrees that Customer’s use of the Services starts on the effective date of the Service Order applicable to such Services and the Customer is responsible for providing to NTT AppSec all configuration data (hostnames, user accounts, API documentation, etc.) needed to perform the Services. Failure to provide configuration data does not release Customer from any responsibility in this MSSA. Customer acknowledges and agrees that Customer’s and its users’ use of the Services and Training may be dependent upon access to telecommunications and Internet services. Customer shall be solely responsible for acquiring and maintaining all telecommunications and Internet services and other hardware and software required for its access and use of the Services and/or Training, including, without limitation, any and all costs, fees, expenses, and taxes of any kind related to the foregoing. NTT AppSec shall not be responsible for any loss or corruption of data, lost communications, or any other loss or damage of any kind arising from any such telecommunications and Internet services.
7. PAYMENT TERMS. Promptly following the Effective Date of a Service Order or otherwise as stated on a Service Order: NTT AppSec or (if applicable) the Reseller will invoice Customer for the Fees; Customer shall provide a purchase order or clearly communicate that no purchase order is required (email acceptable); and Customer shall pay the Fees as set forth on such Service Order in advance or otherwise as stated on a Service Order.
8. LIMITATION OF LIABILITY. IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY OR ANY THIRD PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL DAMAGES OR ANY LOST OPPORTUNITY, DATA OR PROFITS, OR THE COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, ARISING OUT OF THIS MSSA, OR ANY EXHIBIT, SERVICE ORDER, SCHEDULE OR ADDENDUM THERETO, UNDER ANY CAUSE OF ACTION OR THEORY OF LIABILITY (INCLUDING NEGLIGENCE OR OTHER TORT), WHETHER OR NOT A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. EXCEPT WITH RESPECT TO A PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL EITHER PARTY’S AGGREGATE LIABILITY HEREUNDER FOR ANY CAUSE OF ACTION OR THEORY OF LIABILITY EXCEED THE AMOUNTS PAID BY CUSTOMER TO NTT APPSEC HEREUNDER DURING THE TWELVE (12) MONTH PERIOD PRECEDING THE DATE THE CAUSE OF ACTION AROSE. THESE LIMITATIONS ARE AN ESSENTIAL BASIS OF THE BARGAIN AND SHALL APPLY NOTWITHSTANDING ANY FAILURE OF THE ESSENTIAL PURPOSE OF ANY REMEDY.
9.1 Definition of Confidential Information. By virtue of this MSSA, the parties may have access to each other’s Confidential Information. Confidential Information does not include information that: (a) is now, or hereafter becomes, through no act or failure to act on the part of the receiving party, generally known or available to the public; (b) was acquired by the receiving party before receiving such information from the disclosing party and without restriction as to use or disclosure; (c) is hereafter rightfully furnished to the receiving party by a third party, without restriction as to use or disclosure; or (d) is information which the receiving party can document was independently developed by the receiving party without use of the disclosing party’s Confidential Information.
9.2 Use of Confidential Information. Neither party shall disclose any of the other party’s Confidential Information to any third party or use such Confidential Information for any purpose other than to (i) perform its obligations or exercise its rights under this MSSA; or (ii) as otherwise required by law. Each party shall use the same measures to protect the Confidential Information of the other party as it uses with respect to its own confidential information of like importance, but in no event shall it use less than reasonable care, including, instructing its employees, vendors, agents, consultants and independent contractors of the foregoing and requiring them to be bound by appropriate confidentiality agreements. If a party is required to disclose by law the Confidential Information of the other party, such party shall use best efforts to give the other party reasonable advance notice of such required disclosure. NTT AppSec reserves the right to disclose the terms and conditions of this MSSA, in confidence, (a) to accountants, banks and financing sources and their advisors for the purpose of securing financing; and (b) in connection with an actual or proposed merger or acquisition or similar transaction. Upon termination or expiration of this MSSA the receiving party will promptly return to the disclosing party or destroy, at the disclosing party’s option, all tangible items containing or consisting of the disclosing party’s Confidential Information.
10. LIMITED WARRANTIES.
10.1 Conformance with Documentation. NTT AppSec warrants that the Services will substantially conform in all material respects in accordance with the Documentation. Customer will provide prompt written notice of any non-conformity and provide NTT AppSec a reasonable opportunity, not to exceed thirty (30) days, to remedy such non-conformity. NTT AppSec may modify the Documentation in its sole discretion, provided the functionality of the Services is not materially decreased during the Term.
10.2 Service Availability. NTT AppSec warrants that the Services will be Available as described under the Service Availability and Credits section of the Support Terms. In the event of a breach of the foregoing warranty, as Customer’s sole and exclusive remedy, NTT AppSec will provide the remedy set forth in the Support Terms.
10.3 No Viruses. NTT AppSec warrants that the Services and the Training do not contain any computer code that is intended to (i) disrupt, disable, harm, or otherwise impede in any manner, the operation of Customer’s software, firmware, hardware, computer systems or network (sometimes referred to as “viruses” or “worms”), (ii) permit unauthorized access to Customer’s network and computer systems (sometimes referred to as “traps”, “access codes” or “trap door” devices), or any other similar harmful, malicious or hidden procedures, routines or mechanisms which could cause such programs to cease functioning or to damage or corrupt data, storage media, programs, equipment or communications, or otherwise interfere with Customer’s operations.
10.4 Warranty Disclaimer. EXCEPT AS PROVIDED IN THIS SECTION 10, NTT APPSEC PROVIDES THE SERVICES AND TRAINING “AS IS” AND MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, WITH RESPECT TO THE SERVICES, TRAINING, REPORTS, DOCUMENTATION, TRAINING MATERIALS OR ANY OTHER RELATED DATA, AND SPECIFICALLY DISCLAIMS ANY WARRANTY OF AVAILABILITY, ACCURACY, RELIABILITY, USEFULNESS, ANY IMPLIED WARRANTY OF MERCHANTABILITY, NONINFRINGEMENT, TITLE OR FITNESS FOR A PARTICULAR PURPOSE AND ANY CONDITION OR WARRANTY ARISING FROM COURSE OF PERFORMANCE, DEALING OR USAGE OF TRADE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES IN CERTAIN CIRCUMSTANCES. ACCORDINGLY, SOME OF THE LIMITATIONS SET FORTH ABOVE MAY NOT APPLY. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THE TRAINING OR TRAINING MATERIALS AS A CITATION AND/OR AS A POTENTIAL SOURCE FOR FURTHER INFORMATION DOES NOT MEAN THAT NTT APPSEC ENDORSES THE INFORMATION SUCH ORGANIZATION OR WEBSITE MAY PROVIDE OR THE RECOMMENDATIONS IT MAY MAKE.
11. INTELLECTUAL PROPERTY INDEMNIFICATION
11.1 Subject to the terms of this Section 11, NTT AppSec shall, at its sole cost and expense, defend (or at its sole option settle), indemnify and hold harmless Customer and the Customer Indemnitees from and against any Claims.
11.2 NTT AppSec’s obligations of indemnification shall be subject to the following: (a) Customer shall notify NTT AppSec of any such Claim promptly after it obtains knowledge of such Claim, (b) Customer shall provide NTT AppSec with reasonable assistance, information, and cooperation in defending the lawsuit or proceeding, at NTT AppSec’s sole cost and expense, (c) Customer shall give NTT AppSec full control and sole authority over the defense and settlement of such Claim, provided settlement fully releases the Customer Indemnitees and is solely for monetary damages and does not admit any liability on behalf of the Customer. Notwithstanding the foregoing, Customer may join in defense and settlement discussions directly or through counsel of Customer’s choice at Customer’s own cost and expense.
11.3 Following notice of a Claim or upon any facts which in NTT AppSec’s sole opinion are likely to give rise to such Claim, NTT AppSec shall in its sole discretion and at its sole option elect to (a) procure for Customer the right to continue to use the Services or Training, at no additional cost to Customer or Customer Indemnitees, (b) replace the Services or Training so that it becomes non-infringing but functionally equivalent, (c) modify the Services or Training to avoid the alleged infringement but in a manner so that it remains functionally equivalent, or (d) terminate this MSSA and provide a refund to Customer of all amounts prepaid by Customer to NTT AppSec for Services or Training that have not yet been provided.
11.4 Notwithstanding anything contrary contained herein, NTT AppSec shall have no obligation to indemnify, defend or hold harmless the Customer hereunder to the extent a Claim is caused by or results from: (a) Customer’s combination or use of the Services or Training with software, services or products developed by Customer or other third parties, unless specifically contemplated by this MSSA, (b) modification of the Services or Training by anyone other than NTT AppSec or its agents without NTT AppSec’s express approval, (c) Customer’s continued allegedly infringing activity after being notified thereof or after being provided modifications that would have avoided the alleged infringement, (d) Customer’s use of the Services or Training in a manner not contemplated by this MSSA, the Documentation or the Training Materials, or (e) Customer’s negligence, recklessness or intentional misconduct or its failure to abide by all laws, rules, regulations or orders applicable to the Services and/or the Training.
The foregoing states the sole and exclusive liability and sole remedy of NTT AppSec for any infringement of intellectual property rights.
12.1 Entire Agreement. This MSSA and all Service Orders that incorporate the terms of this MSSA by reference constitute the entire understanding and agreement of the parties hereto with respect to the subject matter hereof and supersede all prior and contemporaneous agreements, representations and understandings between the parties regarding the subject matter hereof. Any terms contained in a purchase order or invoice issued by either party in connection with a transaction covered by this MSSA are null and void. Where there is a conflict between a Service Order and this MSSA, the terms contained in a Service Order will take precedence solely relating to the matter for which there was a conflict. All headings herein are not to be considered in the construction or interpretation of any provision of this MSSA.
12.2 Amendment and Waiver. Any term or provision of this MSSA may be amended in writing by both parties to this MSSA. The observance of any term of this MSSA may be waived only by a writing signed by the party to be bound; provided that NTT AppSec reserves the right to unilaterally amend the terms of this MSSA from time to time so long as the Customer’s use of the Services is not materially detrimentally impacted.
12.3 Severability. If any provision of this MSSA is found to be invalid or unenforceable, such provision shall be severed from this MSSA and the remainder of this MSSA shall be interpreted so as best to reasonably affect the intent of the parties hereto.
12.4 Independent Contractors. The parties are independent contractors, and neither party will have the power to bind the other or to incur obligations on the other’s behalf without such other party’s prior written consent.
12.5 Governing Law. This MSSA shall be governed by the laws of the State of California, without reference to its conflict of laws principles. The parties consent to exclusive jurisdiction and venue in state and federal courts sitting in and for Santa Clara County, California.
12.6 Injunctive Relief. Each party reserves the right to seek injunctive relief due to the other party’s actual or threatened breach of this MSSA.
12.7 Force Majeure. Neither party shall be responsible for any non-performance or delay (except for delay in payment) attributable in whole or in part to any cause beyond its reasonable control (a “Force Majeure Event”), including but not limited to acts of God, government actions including changes in applicable law, war, civil disturbance, sabotage, terrorist acts, failure or delay in provision of services by subcontractors or the other party’s fault or negligence.
12.8 Assignment. Neither party may assign this MSSA without the prior written consent of the other party, except that either party may assign this MSSA to any successor to substantially all of its business or assets to which this MSSA relates, upon written notice to the other party. This MSSA shall inure to the benefit of and be binding on the respective successors and assigns of the parties.
12.9 Notice. Any notice required under this MSSA shall be in writing and shall be delivered by hand, confirmed email, or by overnight express mail to the contact name and address set forth on a Service Order, or as otherwise described in this MSSA.
12.10 Survival. The following provisions shall survive the termination or expiration of this MSSA: Sections 5.2, 5.3, 6, 7, 8, 9, 10, 11 and 12.