Traceable Subscription License Agreement
THIS SUBSCRIPTION LICENSE AGREEMENT (“AGREEMENT”) IS ENTERED INTO BETWEEN TRACEABLE INC. (“TRACEABLE”) AND THE CUSTOMER IDENTIFIED ON THE ORDER FORM THAT INCORPORATES THIS AGREEMENT BY REFERENCE (THE “ORDER FORM”, AND SUCH CUSTOMER, “CUSTOMER”), AND IS EFFECTIVE AS OF THE EFFECTIVE DATE OF SUCH ORDER FORM (THE “EFFECTIVE DATE”). THE INDIVIDUAL ACCEPTING THIS AGREEMENT ON BEHALF OF CUSTOMER REPRESENTS THAT IT HAS THE AUTHORITY TO BIND CUSTOMER TO THIS AGREEMENT.
1. SOFTWARE LICENSE AND PLATFORM ACCESS.
1.1 LICENSE GRANT. Subject to the terms and conditions of this Agreement, Traceable hereby grants to Customer, during the License Term (as defined below) under the Order Form, a limited, revocable, non-exclusive, non-transferable, non-sublicensable right and license (“Subscription License”) to access and use Traceable’s application security software product (whether deployed on a software-as-a-service (“SaaS”) basis or in an on-premise installation) (collectively, the “Software”) for internal business purposes only for the number of license units as specifically designated in the Order Form (“License Units”). For purposes hereof, the “License Term” of the Order Form is the term of the Order Form as specifically designated in such Order Form (unless earlier terminated in accordance with this Agreement). For the avoidance of doubt, Customer’s affiliates (and employees, contractors and agents thereof) shall not use the Software without Traceable’s prior written consent. Any references in the Order Form to an “Agreement” or other similar term shall be deemed to refer to this Agreement.
1.2 PLATFORM ACCESS. Traceable will make its online platform available to Customer through its website located at www.traceable.ai (the “Platform”, and together with the Software, the “Service”) pursuant to this Agreement and the applicable Order Form, and hereby grants Customer a non-exclusive right to access and use the Platform during the License Term. Customer shall be responsible for maintaining the security of Customer accounts, passwords (including but not limited to administrative and user passwords) and files, and for all uses of Customer account with or without Customer’s knowledge or consent.
Customer may enable or log in to the Service via various online third party services, such as Okta (“Login Services”). As part of such integration, the Login Services may provide us with access to certain information that Customer has provided to such Login Services, and we will use, store and disclose such information in accordance with this Agreement. However, the manner in which Login Services use, store and disclose Customer information is governed solely by the policies of such third parties, and Traceable shall have no liability or responsibility for the privacy practices or other actions of any third party site or service that may be enabled within the Service. In addition, Traceable is not responsible for the accuracy, availability or reliability of any information, content, goods, data, opinions, advice or statements made available in connection with Login Services. As such, Traceable is not liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such Login Services. Traceable enables these features merely as a convenience and the integration or inclusion of such features does not imply an endorsement or recommendation.
1.3 RESTRICTIONS ON USE. Except as otherwise expressly provided in this Agreement, Customer shall not (and shall not permit any third party to): (a) sublicense, sell, resell, transfer, assign, distribute, share, lease, rent, make any external commercial use of, outsource, use on a timeshare or service bureau basis, or use in an application service provider or managed service provider environment, or otherwise generate income from the Service; (b) copy the Software onto any public or distributed network, except for an internal and secure cloud computing environment; (c) cause or permit the decompiling, disassembly, or reverse engineering of any portion of the Service, or attempt to discover any source code or underlying algorithms or other operational mechanisms of the Service (except where such restriction is expressly prohibited by law without the possibility of waiver, and then only upon prior written notice to Traceable); (d) modify, adapt, translate or create derivative works based on all or any part of the Service; (e) use any Third Party Software (as defined below) provided with the Service other than with the Service; (f) modify any proprietary rights notices that appear in the Service or components thereof; (g) publish the results of any benchmarking tests run on any Third Party Software; (h) use the Service in violation of any applicable laws or regulations (including any export laws, restrictions, national security controls and regulations) or outside of the license scope set forth in Section 1.1 (License Grant); (i) use the Service in support of any nuclear proliferation, chemical weapon, biological weapon or missile proliferation activity; (j) configure the Service to collect any (1) social security numbers or other government-issued identification numbers, (2) health information, biometric data, genetic data, or payment/financial information, (3) any data relating to a person under the age of thirteen (13) years old, or (4) any other data that is
subject to regulatory or contractual handling requirements (e.g., PCI, HIPAA, or state and federal data security laws) (collectively, “Prohibited Data”); or (k) create an account, access, or use the Service in order to (1) monitor the Service’s availability, performance, or functionality for competitive purposes, (2) copy ideas, features, functions, or graphics, (3) develop competing products or services, or (4) perform any other form of competitive analysis, as determined by Traceable in its sole discretion. Customer shall not export or re-export, directly or indirectly, any Software or technical data or any copy, portions or direct product thereof (i) in violation of any applicable laws and regulations, (ii) to any country for which the United States or any other government, or any agency thereof, at the time of export requires an export license or other governmental approval, including Cuba, Libya, North Korea, Iran, Iraq, or Rwanda or any other Group D:1 or E:2 country (or to a national or resident thereof) specified in the then current Supplement No. 1 to part 740 of the U.S. Export Administration Regulations (or any successor supplement or regulations, without first obtaining such license or approval) or (ii) to anyone on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Commerce Department’s Table of Denial Orders. Customer shall, at its own expense, obtain all necessary customs, import, or other governmental authorizations and approvals.
1.4 UNAUTHORIZED USE. Customer shall notify Traceable promptly of any unauthorized use or access of the Service (including unauthorized users or unauthorized disclosure of any password or account), or any other known or suspected breach of security or misuse of the Service. Customer is responsible for use of the Service (and all other acts or omissions) by its employees, contractors, affiliates or other users that it allows to use or access the Service.
1.5 SUPPORT. Subject to Customer’s payment of all fees set forth in the Order Form, Traceable will provide reasonable technical support for the Service during the Term in accordance with Traceable’s standard practice. All fees for such support are included in the fees for the Service. Further, notwithstanding anything herein to the contrary, Customer agrees to facilitate any connections and access necessary for Traceable to (i) deliver, deploy and provide the Service as provided hereunder and (ii) to perform its obligations hereunder (including its support obligations).
2. FEES.
2.1 PRICING. Customer will be invoiced for those amounts and at those prices set forth in the Order Form (an “Invoice”). All fees shall be invoiced and pre-paid on an annual basis, unless otherwise specified in the Order Form. Fees do not include any customization of the Service (nor support for any such customizations, unless otherwise agreed in writing). If Customer’s usage of the Service is in excess of the usage limitations or License Units set forth in the Order Form, Customer will be billed for those overages at a pro-rated amount for the remainder of the applicable License Term under the Order Form, based on Traceable’s then-current standard pricing. If Traceable believes in good faith that Customer’s usage of the Service exceeds the usage limitations set forth on the Order Form, Customer agrees to allow Traceable to audit Customer’s use of the Service (not more frequently than twice per calendar year), upon at least twenty-four (24) hours’ notice, in order to determine Customer’s actual Service use, using a commercially reasonable auditing procedure. Customer acknowledges that purchases made under this Agreement are neither contingent on the delivery of any future functionality or features of the Service nor dependent on any oral or written public comments made by Traceable regarding future functionality or features of the Service.
2.2 PAYMENTS. Customer shall pay Invoices under the Order Form within thirty (30) days of the invoice date, unless otherwise specified in the Order Form (the “Invoice Due Date”). If Customer reasonably disputes any Invoice, (i) Customer shall provide Traceable with written notice of such dispute, including the grounds therefor (a “Dispute Notice”) prior to the Invoice Due Date, (ii) Customer and Traceable shall, for a period of fifteen (15) days following Traceable’s receipt of such Dispute Notice, negotiate in good faith to resolve the dispute, and (iii) if such dispute remains unresolved at the end of such period, the parties shall retain all of their respective rights under this Agreement (including, without limitation, any action for non-payment of the fees set forth herein). All payment obligations are non-cancelable and all amounts paid are non-refundable, except (a) for amounts paid in error that are not actually due under this Agreement, and (b) as set forth in Sections 6.1 (Limited Warranty) and 7.1 (Indemnification by Traceable). The fees paid by Customer are exclusive of all taxes, levies, or duties imposed by taxing authorities, if any, and Customer shall be responsible for payment of all such taxes, levies, or duties, excluding taxes based on Traceable’s income. Customer represents and warrants that the billing and contact information provided to Traceable is complete and accurate, and Traceable shall have no responsibility for any Invoices that are not received due to inaccurate or missing information provided by Customer. Customer shall pay interest on all payments not received by the Invoice Due Date at a rate of one percent (1%) per month or the maximum amount allowed by law, whichever is less. All amounts due under this Agreement and the Order Form shall be paid by Customer in full without any set-off, counterclaim, deduction or withholding (other than any deduction or withholding of tax as required by law).
If requested by Traceable, Customer will obtain and furnish to Traceable tax receipts or other certificates issued by the competent taxation office showing the payments of the withholding tax within a reasonable time after payment. Following written notice, Traceable shall be entitled to suspend Customer’s use of and access to the Service if payments are not received within thirty (30) days of the Invoice Due Date.
3. CONFIDENTIALITY.
3.1 SCOPE AND RESTRICTIONS. “Confidential Information” means all information of a party (“Disclosing Party”) disclosed to the other party (“Receiving Party”) that is designated in writing or identified as confidential at the time of disclosure or should be reasonably known by the Receiving Party to be confidential due to the nature of the information disclosed and the circumstances surrounding the disclosure. The terms of this Agreement, the terms of the Order Form, the Service, any technical or other documentation relating to the Service, logins, passwords and other access codes and any and all information regarding Traceable’s business, products and services are the Confidential Information of Traceable. The Receiving Party will: (i) not use the Disclosing Party’s Confidential Information for any purpose outside of this Agreement; (ii) not disclose such Confidential Information to any person or entity, other than its affiliates, employees, consultants, agents and professional advisers who have a “need to know” for the Receiving Party to exercise its rights or perform its obligations hereunder, provided that such employees, consultants, and agents are bound by agreements or, in the case of professional advisers, ethical duties respecting such Confidential Information in accordance with the terms of this Section 3; and (iii) use reasonable measures to protect the confidentiality of such Confidential Information. If the Receiving Party is required by applicable law or court order to make any disclosure of such Confidential Information, it will first give written notice of such requirement to the Disclosing Party, and, to the extent within its control, permit the Disclosing Party to intervene in any relevant proceedings to protect its interests in its Confidential Information, and provide full cooperation to the Disclosing Party in seeking to obtain such protection.
Further, this Section 3 will not apply to information that the Receiving Party can document: (i) was rightfully in its possession or known to it prior to receipt without any restriction on its disclosure; (ii) is or has become public knowledge or publicly available through no fault of the Receiving Party; (iii) is rightfully obtained by the Receiving Party from a third party without breach of any confidentiality obligation; or (iv) is independently developed by employees of the Receiving Party who had no access to such information.
3.2 EQUITABLE RELIEF. The Receiving Party acknowledges that unauthorized disclosure of the Disclosing Party’s Confidential Information could cause substantial harm to the Disclosing Party for which damages alone might not be a sufficient remedy and, therefore, that upon any such disclosure by the Receiving Party the Disclosing Party will be entitled to seek appropriate equitable relief in addition to whatever other remedies it might have at law or equity.
4. PROPRIETARY RIGHTS. Traceable owns and shall retain all proprietary rights, including all copyright, patent, trade secret, trademark and all other intellectual property rights, in and to the Service (and all derivatives, improvements or enhancements thereto). Customer acknowledges that the rights granted under this Agreement do not provide Customer with title to or ownership of the Service, in whole or in part. Certain “free” or “open source” based software (the “FOSS Software”) and third party software included with the Service (the “Third Party Software”) is shipped with the Service but is not considered part of the Service hereunder. A list of the FOSS Software and Third Party Software is set forth on the webpage located at https://Traceable.ai/open-source-third-party-software/ (the “FOSS Webpage”). With respect to Third Party Software included with the Service, such Third Party Software suppliers are third party beneficiaries of this Agreement. Customer’s use of such FOSS Software is subject to the terms of the licenses set forth on the FOSS Webpage. The Service and Third Party Software may only be used and accessed by Customer as prescribed by the Traceable documentation located at http://docs.Traceable.ai/, as may be updated from time to time by Traceable (the “Documentation”).
5. TERM AND TERMINATION. The term of this Agreement begins on the Effective Date and will remain in effect until the Order Form has expired or terminated, or until this Agreement is otherwise terminated in accordance with the terms hereof, whichever occurs first (the “Term”). Upon completion of the initial term, each Order Form will automatically renew for successive renewal terms of one (1) year, unless either party provides the other party with written notice of non-renewal at least sixty (60) days prior to the end of the then-current subscription term. Unless earlier terminated in accordance with this Agreement, the initial License Term of the Order Form commences on the Order Form Effective Date (as defined in such Order Form) and continues for the duration of the License Term as expressly specified therein. If either party commits a material breach of this Agreement, and such breach has not been cured within thirty (30) days after receipt of written notice thereof, the non-breaching party may terminate this Agreement, except that Traceable may immediately terminate this Agreement and/or Customer’s Subscription License(s) under Order Form to the Service upon Customer’s breach of Section 1.2 (Restrictions on Use). Either party may also terminate this Agreement upon written notice if the other party suspends payment of its debts or experiences any other insolvency or bankruptcy-type event. Upon expiration or termination of this Agreement for any reason, (i) all rights granted to Customer shall terminate and Customer shall destroy any copies of the Service and Documentation within Customer’s possession and control; and (ii) each Receiving Party will return or destroy, at the Disclosing Party’s option, the Disclosing Party’s Confidential Information in the Receiving Party’s possession or control. 
All fees that have accrued as of such expiration or termination, and Sections 1.2, 1.3, 1.4, 2, 3, 4, 5, 6.2 and 7 through 11, will survive any expiration or termination hereof.
6. WARRANTIES.
6.1 LIMITED WARRANTY. Traceable warrants that during the License Term under the Order Form, the Software will, in all material respects, conform to the functionality described in the then-current Documentation for the applicable version of the Software. Traceable’s sole and exclusive obligation, and Customer’s sole and exclusive remedy, for a breach of this warranty shall be that Traceable will use commercially reasonable efforts to repair or replace the Software to conform in all material respects to the Documentation, and if Traceable is unable to materially restore such functionality within ninety (90) days from the date of written notice of breach of this warranty by Customer, Customer shall be entitled to terminate the Subscription License to the affected Service under the Order Form upon written notice to Traceable, and Traceable shall promptly provide a pro-rata refund of the Subscription License fees under such Order Form that have been paid in advance for the remainder of the License Term under such Order Form (beginning on the date of termination). To be eligible for the foregoing remedy, Customer must notify Traceable in writing of any warranty breaches within such warranty period, and Customer must have installed and configured the Software in accordance with the Documentation.
6.2 WARRANTY DISCLAIMER. EXCEPT AS EXPRESSLY PROVIDED IN THIS SECTION 6, ALL SERVICES, DOCUMENTATION, MAINTENANCE AND SUPPORT ARE PROVIDED “AS IS,” AND TRACEABLE AND ITS SUPPLIERS EXPRESSLY DISCLAIM ANY AND ALL OTHER REPRESENTATIONS AND WARRANTIES, EITHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT THERETO, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, OR THE CONTINUOUS, UNINTERRUPTED, ERROR-FREE, VIRUS-FREE, OR SECURE ACCESS TO OR OPERATION OF THE SERVICE. TRACEABLE EXPRESSLY DISCLAIMS ANY WARRANTY AS TO THE ACCURACY OR COMPLETENESS OF ANY INFORMATION OR DATA ACCESSED OR USED IN CONNECTION WITH THE SERVICE, DOCUMENTATION, MAINTENANCE OR SUPPORT.
7. INDEMNIFICATION.
7.1 BY TRACEABLE. Traceable agrees to defend, at its expense, Customer against (or, at Traceable’s sole option, settle), any third party claim to the extent such claim alleges that the Software (when used by Customer as authorized by this Agreement) infringes or misappropriates any patent, copyright, trademark or trade secret of a third party, and Traceable shall indemnify and pay all costs and damages finally awarded against Customer by a court of competent jurisdiction (or amounts agreed in settlement) as a result of any such claim. In the event that the use of the Software is, or in Traceable’s sole opinion is likely to become, subject to such a claim, Traceable, at its option and expense, may (a) replace the applicable Software with functionally equivalent non-infringing technology, (b) obtain a license for Customer’s continued use of the applicable Software, or (c) terminate the applicable Subscription License and provide a pro-rata refund of the Subscription License fees under the Order Form that have been paid in advance for the remainder of the License Term under such Order Form (beginning on the date of termination). The foregoing indemnification obligation of Traceable will not apply: (1) if the Software is or has been modified by Customer or its agent; (2) if the Software is combined with other non-Traceable products, applications, or processes, but solely to the extent the alleged infringement is caused by such combination; or (3) to any unauthorized use of the Software. The foregoing shall be Customer’s sole remedy with respect to any claim of infringement of third party intellectual property rights.
7.2 BY CUSTOMER. Customer agrees to defend, at its expense, Traceable and its affiliates, its suppliers and its resellers against any third party claim to the extent such claim arises from or is made in connection with (i) Customer’s breach of Section 1 (Software License and Platform Access), (ii) breach of Section 10 (Data Collection), or (iii) Customer’s negligence or willful misconduct, and Customer shall pay all costs and damages finally awarded against Traceable by a court of competent jurisdiction (or amounts agreed in settlement) as a result of any such claim.
7.3 INDEMNIFICATION REQUIREMENTS. In connection with any claim for indemnification under this Section 7, the indemnified party must promptly provide the indemnifying party with notice of any claim that the indemnified party believes is within the scope of the obligation to indemnify, provided, however, that the failure to provide such notice shall not relieve the indemnifying party of its obligations under this Section 7, except to the extent that such failure materially prejudices the indemnifying party’s defense of such claim. The indemnified party may, at its own expense, assist in the defense if it so chooses, but the indemnifying party shall control the defense and all negotiations related to the settlement of any such claim. Any such settlement intended to bind either party shall not be final without the other party’s written consent, which consent shall not be unreasonably withheld, conditioned or delayed; provided, however, that Customer’s consent shall not be required when Traceable is the indemnifying party if the settlement involves only the payment of money by Traceable.
8. LIMITATION OF LIABILITY. The limits below will not apply to the extent prohibited by applicable law.
8.1 Exclusion of Damages. NEITHER PARTY WILL BE LIABLE FOR ANY LOSS OF PROFITS, GOODWILL OR BUSINESS INTERRUPTION, LOSS OF ANTICIPATED SAVINGS, LOSS OF USE, COST OF SUBSTITUTE GOODS OR SERVICES, WORK STOPPAGE OR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, INCLUDING DAMAGES FOR LOSS OF REVENUES OR PROFITS, LOSS OF USE, BUSINESS INTERRUPTION, OR LOSS OF DATA, WHETHER IN AN ACTION IN CONTRACT OR TORT, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
8.2 Limitation of Liability. A PARTY’S AGGREGATED CUMULATIVE LIABILITY FOR ALL DIRECT DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT OR THE SERVICE PROVIDED HEREUNDER WILL NOT EXCEED AN AMOUNT EQUAL TO THE TOTAL FEES PAID (PLUS FEES PAYABLE) TO TRACEABLE FOR THE SERVICE DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE CLAIM GIVING RISE TO SUCH DAMAGES. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY. THE EXISTENCE OF MORE THAN ONE CLAIM WILL NOT EXPAND THIS LIMIT. THE LIABILITY LIMITATIONS ON THIS SECTION 8.2 WILL NOT APPLY TO (A) CUSTOMER’S FAILURE TO PAY FEES DUE UNDER THIS AGREEMENT, (B) CUSTOMER’S BREACH OF SECTION 1.3 (RESTRICTIONS ON USE), (C) EITHER PARTY’S BREACH OF SECTION 3 (CONFIDENTIALITY) OR (D) AMOUNTS FINALLY DETERMINED UNDER SECTION 7 (INDEMNIFICATION).
9. FORCE MAJEURE. Except for payment obligations, neither party hereto will be liable for defaults or delays due to acts of God, or the public enemy, acts or demands of any government or governmental agency, fires, earthquakes, floods, disease, pandemics, accidents, or other unforeseeable causes beyond its reasonable control and not due to its fault or negligence.
10. DATA
10.1 DATA COLLECTION. Customer understands, acknowledges and agrees that Traceable’s Service stores, in encrypted form, sensitive data components involved in the operation and security of Customer’s applications and systems. In addition, Traceable captures and uploads to Traceable cloud monitoring data that may include API request and response data of Customer’s information systems, which are used to identify threats and calculate metrics on Customer system activity. Limited user information is captured for the purposes of account management.
10.2 DATA PROTECTION. Traceable will maintain administrative, technical and physical safeguards designed to protect the security, confidentiality, and integrity of any content, data or information submitted by Customer to the Service (“Customer Data”) (excluding Usage Data described in Section 10.3 below). Where Customer’s use of the Service includes the processing of personally identifiable information (“personal data”) subject to applicable data protection laws, it will be governed by the Traceable Data Processing Addendum provided at Exhibit B attached hereto.
10.3 USAGE DATA. Notwithstanding anything herein to the contrary, Traceable shall have the right to collect and analyze data and other information relating to the provision, use and performance of various aspects of the Services, Software and related systems and technologies (including, without limitation, information concerning Customer and data derived therefrom) (collectively “Usage Data”), and Traceable will be free (during and after the term hereof) to (i) use such Usage Data to improve and enhance the Services and Software and for other development, diagnostic and corrective purposes in connection with the Services, Software and other Traceable offerings, and (ii) disclose such Usage Data solely in aggregate or other de-identified form in connection with its business. Traceable will employ physical and electronic safeguards for all data in its possession and control according to industry standards.
11. MISCELLANEOUS. This Agreement shall be governed by and construed under the laws of the State of California, U.S.A. All disputes arising under or in connection with this Agreement shall be submitted to JAMS or a successor organization for binding arbitration by a single arbitrator in San Francisco County, California, provided that a party may also seek injunctive relief as provided in Section 3.2 in a court of competent jurisdiction. The arbitrator shall be selected by JAMS in an impartial manner determined by it. The arbitration hearing will be commenced within one hundred eighty (180) days of the filing of an arbitration demand with JAMS by any party hereto, and a decision shall be rendered by the arbitrator within thirty (30) days of the conclusion of the hearing. The arbitrator shall have complete authority to render any and all relief, legal and equitable, appropriate under this Agreement. The arbitrator shall award costs of the proceeding, including reasonable attorney’s fees, to the party determined to have substantially prevailed. The parties consent to the exclusive jurisdiction and venue of the courts located in and serving San Francisco, California for the enforcement of arbitral awards or injunctive relief in accordance with Section 3.2. Failure by either Party to exercise any of its rights under, or to enforce any provision of, this Agreement will not be deemed a waiver or forfeiture of such rights or ability to enforce such provision. If any provision of this Agreement is held by a court of competent jurisdiction to be illegal, invalid or unenforceable, such provision will be amended to achieve as nearly as possible the same economic effect of the original provision and the remainder of this Agreement will remain in full force and effect. 
This Agreement, together with the Order Form and any statements of work incorporating or referencing this Agreement, if applicable, represent the entire agreement between the parties and supersede any previous or contemporaneous oral or written agreements or communications regarding the subject matter of this Agreement. The person signing or otherwise accepting this Agreement for Customer represents that s/he is duly authorized by all necessary and appropriate corporate action to enter this Agreement on behalf of Customer. Any modification to this Agreement must be in writing and signed by a duly authorized agent of both parties. This Agreement shall control over additional or different terms of any purchase order, confirmation, invoice, statement of work or similar document (other than the Order Form, which will take precedence), even if accepted in writing by both parties, and waivers and amendments to this Agreement shall be effective only if made by non-pre-printed agreements clearly understood by both parties to be an amendment or waiver to this Agreement. For purposes of this Agreement, “including” means “including without limitation.” The rights and remedies of the parties hereunder will be deemed cumulative and not exclusive of any other right or remedy conferred by this Agreement or by law or equity. No joint venture, partnership, employment, or agency relationship exists between the parties as a result of this Agreement or use of the Service. Traceable reserves the right to perform its obligations from locations and/or through use of affiliates, contractors and subcontractors, worldwide, provided that Traceable will be responsible for such parties. 
Customer may not assign this Agreement without the prior written consent of Traceable, and any purported assignment in violation of this Section 11 shall be void, provided, however, that Customer may assign this Agreement without Traceable’s written consent to any entity with which Customer merges or consolidates or to which Customer sells all or substantially all of its assets. Traceable may assign, transfer or subcontract this Agreement in whole or in part without Customer’s consent. Upon any assignment of this Agreement by Customer that is approved by Traceable, if the Order Form contains a Subscription License for an “unlimited” amount of Licensee Units, such Subscription License will, with respect to Customer or the successor entity, as applicable, be capped at the number of authorized Licensee Units in use immediately prior to such assignment. Customer agrees that Traceable may refer to Customer by its trade name and logo, and may briefly describe Customer’s business, in Traceable’s marketing materials and website. Traceable may give notice to Customer by electronic mail to Customer’s email address as provided by Customer on the Order Form or on record in Customer’s account information, or by written communication sent by first class mail or pre-paid post to Customer’s address as provided by Customer on the Order Form or on record in Customer’s account information. Customer may give notice to Traceable at any time by any letter delivered by nationally recognized overnight delivery service or first class postage prepaid mail to Traceable at the following address or such other address as may be notified to Customer from time to time: Traceable, 625 Market Street, Suite 500 San Francisco, CA 94105, Attn.: Legal Department.
Notice under this Agreement shall be deemed given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by email; the day after it is sent, if sent for next-day delivery by a recognized overnight delivery service; and upon receipt, if sent by certified or registered mail, return receipt requested.
Exhibit B
TRACEABLE DATA PROCESSING ADDENDUM
This Data Processing Addendum (including all Schedules attached hereto, the “DPA”) is incorporated into, and is subject to the terms and conditions of, the Subscription License Agreement or other written or electronic agreement (“Agreement”) between Traceable, Inc. (“Traceable”) and the entity identified as “Customer” in the Agreement (“Customer”). This DPA applies to the extent Traceable’s Processing of Customer Personal Data is subject to the Data Protection Laws. This DPA shall be effective for the term of the Agreement.
1. Definitions
1.1. For this DPA:
1.1.1. “CCPA” means the California Consumer Privacy Act, including as modified by the California Privacy Rights Act (“CPRA”) once the CPRA takes effect, together with any implementing regulations;
1.1.2. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data;
1.1.3. “Customer Personal Data” means the Personal Data described under Schedule 1 to this DPA;
1.1.4. “Data Protection Laws” means all laws relating to data protection and privacy applicable to Traceable’s Processing of Customer Personal Data, including without limitation, the CCPA, the GDPR and member state laws implementing the GDPR, the United Kingdom’s Data Protection Act 2018, and applicable privacy and data protection laws of any other jurisdiction, each as amended, repealed, consolidated or replaced from time to time;
1.1.5. “Data Subjects” means the individuals identified in Schedule 1;
1.1.6. “EU SCCs” means the Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time;
1.1.7. “GDPR” means the General Data Protection Regulation (EU) 2016/679 together with any national implementing laws in any member state of the EEA (“EU GDPR”) and the EU GDPR as incorporated into the laws of the United Kingdom (“UK GDPR”);
1.1.8. “Personal Data”, “Personal Data Breach” and “Processing” will each have the meaning given to them in the Data Protection Laws. The term “Personal Data” includes “personal information,” “personally identifiable information,” and equivalent terms as such terms may be defined by the Data Protection Laws. The term “Personal Data Breach” includes equivalent terms as defined by the Data Protection Laws;
1.1.9. “Processor” means the entity which Processes Personal Data on behalf of the Controller;
1.1.10. “Sell” has the meaning given in the Data Protection Laws; and
1.1.11. “UK SCCs” means the Standard Contractual Clauses for controller to processor transfers set forth in the European Commission’s decision (C(2010)593) of 5 February 2010.
1.2. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
2. Processing of Customer Personal Data
2.1. The parties acknowledge and agree that Customer is the Controller or Processor of Customer Personal Data and Traceable is a Processor of Customer Personal Data. Traceable will only Process Customer Personal Data as a Processor on behalf of and in accordance with Customer’s prior written instructions, including any instructions provided through Customer’s use of the Service. Traceable is hereby instructed to Process Customer Personal Data to the extent necessary to provide the Service as set forth in the Agreement and this DPA. Traceable shall not (1) retain, use, or disclose Customer Personal Data other than as provided for in the Agreement, as needed to provide the Service, or as otherwise permitted by Data Protection Laws; (2) combine Customer Personal Data with Personal Data Traceable receives from other customers or individuals (except as permitted by the CCPA); or (3) Sell Customer Personal Data. Traceable shall notify Customer if it determines that it cannot meet its obligations under the CPRA. Upon receiving written notice from Customer that Traceable has Processed Customer Personal Data without authorization, Traceable will stop and remediate such Processing.
2.2. Traceable will immediately inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Laws.
2.3. The details of Traceable’s Processing of Customer Personal Data are described in Schedule 1.
2.4. If applicable laws preclude Traceable from complying with Customer’s instructions, Traceable will inform Customer of its inability to comply with the instructions, to the extent permitted by law.
2.5. Each of Customer and Traceable will comply with their respective obligations under the Data Protection Laws.
3. Cross-Border Transfers of Personal Data
3.1. With respect to Customer Personal Data originating from the European Economic Area (“EEA”) or Switzerland that is transferred from Customer to Traceable, the parties agree to comply with the general clauses and with “Module Two” (Controller to Processor) of the EU SCCs, which are incorporated herein by reference, with Customer as the “data exporter” and Traceable as the “data importer.”
3.2. For purposes of the EU SCCs the parties agree that:
3.2.1. In Clause 7, the optional docking clause will not apply;
3.2.2. In Clause 9, Option 2 will apply and the time period for prior notice of Sub-Processor changes will be as set forth in Section 5.1 of this DPA;
3.2.3. In Clause 11, the optional language will not apply;
3.2.4. For the purposes of Clause 15(1)(a), Traceable shall notify Customer (only) and not the Data Subject(s) in case of government access requests and Customer shall be solely responsible for promptly notifying the affected Data Subjects as necessary;
3.2.5. In Clause 17, the EU SCCs shall be governed by the laws of Ireland;
3.2.6. In Clause 18(b), the parties agree to submit to the jurisdiction of the courts of Ireland;
3.2.7. In Annex I, Section A (List of Parties), (i) the data exporter’s and the data importer’s identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) Customer is a Controller or Processor, and Traceable is a Processor; (iii) the activities relevant to the data transferred under the EU SCCs relate to the provision of the Services pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party’s signature of Annex I, Section A, as of the effective date of this DPA;
3.2.8. In Annex I, Section B (Description of Transfer): (i) Schedule 1 to this DPA describes Traceable’s Processing of Customer Personal Data; (ii) the frequency of the transfer is continuous (for as long as Customer uses the Services); (iii) Customer Personal Data will be retained in accordance with Clause 8.5 of the EU SCCs and this DPA; (iv) Traceable uses sub-Processors to support the provision of the Services.
3.2.9. In Annex I, Section C (Competent Supervisory Authority), the competent supervisory authority identified in accordance with Clause 13 of the EU SCCs is the competent supervisory authority communicated by Customer to Traceable. Unless and until Customer communicates a competent supervisory authority to Traceable, the competent supervisory authority shall be the Irish Data Protection Commission.
3.2.10. In Annex II, data importer has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Customer Personal Data as described in Schedule 2.
3.3. If the transfer of Customer Personal Data is subject to the Swiss Federal Act on Data Protection, the parties agree to rely on the EU SCCs with the following modifications: (i) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the EU SCCs; (ii) the parties agree to abide by the GDPR standard in relation to all Processing of Customer Personal Data that is governed by the Swiss Federal Act on Data Protection; (iii) the term ‘Member State’ in the EU SCCs will not be interpreted in such a way as to exclude Data Subjects who habitually reside in Switzerland from initiating legal proceedings in Switzerland in accordance with Clause 18(c) of the EU SCCs; and (iv) references to the ‘GDPR’ in the EU SCCs will be understood as references to the Swiss Federal Act on Data Protection insofar as the transfer of Customer Personal Data is subject to the Swiss Federal Act on Data Protection.
3.4. With respect to transfers from Customer to Traceable of Customer Personal Data originating from the United Kingdom, the parties agree to comply with the UK SCCs, which are incorporated herein by reference. The parties agree that, for the UK SCCs: (i) Customer is the “data exporter”, and Traceable is the “data importer”; (ii) all references to the “Directive 95/46/EC” and its provisions shall be deemed to refer to the relevant provisions of the UK GDPR and the Data Protection Act 2018 of the United Kingdom; (iii) all references to the “Commission” shall be deemed to refer to the Information Commissioner; (iv) all references to the “European Economic Area” or the “European Union” shall be deemed to refer to the United Kingdom; (v) for Appendix 1 to the UK SCCs, information about the exporter and importer, the categories of Data Subjects, types of Personal Data and type of Processing operations are as set out in Schedule 1 to this DPA; and (vi) for Appendix 2 to the UK SCCs, the security measures are as described in Schedule 2. The parties acknowledge that the Information Commissioner’s Office has not yet approved new standard contractual clauses under the UK GDPR. The UK SCCs will apply only until such time as the Information Commissioner’s Office issues new standard contractual clauses under the UK GDPR. If the Information Commissioner’s Office approves the EU SCCs for transfers from the UK, the parties agree to adopt the EU SCCs as the mechanism to legitimize such transfers. Where necessary, the parties shall work together, in good faith, to enter into an updated version of the UK SCCs or negotiate an alternative solution to enable transfers of Customer Personal Data in compliance with Data Protection Laws.
4. Confidentiality and Security
4.1. Traceable will require Traceable’s personnel who access Customer Personal Data to commit to protect the confidentiality of Customer Personal Data.
4.2. Traceable will implement commercially reasonable technical and organisational measures, as further described in Schedule 2, that are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
4.3. To the extent required by Data Protection Laws, Traceable will provide Customer with reasonable assistance as necessary for the fulfilment of Customer’s obligations under Data Protection Laws to maintain the security of Customer Personal Data.
5. Sub-Processing
5.1. Customer agrees that Traceable may engage Sub-Processors to Process Customer Personal Data on Customer’s behalf. Traceable will inform Customer of any intended changes concerning the addition or replacement of Sub-Processors and Customer will have an opportunity to object to such changes on reasonable grounds within seven days after being notified. If the parties are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party.
5.2. Traceable will impose on its Sub-Processors substantially the same obligations that apply to Traceable under this DPA. Traceable will be liable to Customer for breaches of its Sub-Processors’ obligations as it would be for its own.
5.3. The parties agree that the copies of the Authorized Sub-Processor agreements that must be provided by Traceable to Customer pursuant to Clause 9(c) of the EU SCCs and Clause 5 of the UK SCCs, if applicable, may have commercial information or clauses unrelated to the EU or UK SCCs removed by Traceable beforehand; and, that such copies will be provided by Traceable, in a manner to be determined in its discretion, only upon Customer’s written request.
6. Data Subject Rights
Customer is responsible for responding to any Data Subject requests relating to Customer Personal Data (“Requests”). If Traceable receives any Requests during the term, Traceable will advise the Data Subject to submit the request directly to Customer or the appropriate Controller. Traceable will provide Customer with self-service functionality or other reasonable assistance to permit Customer to respond to Requests.
7. Personal Data Breaches
Upon becoming aware of a Personal Data Breach affecting Customer Personal Data, Traceable will (i) promptly take measures designed to remediate the Personal Data Breach and (ii) notify Customer without undue delay. Customer is solely responsible for complying with Personal Data Breach notification requirements applicable to Customer. At Customer’s request, Traceable will reasonably assist Customer’s efforts to notify Personal Data Breaches to the competent data protection authorities and/or affected Data Subjects, if Customer is required to do so under the Data Protection Laws. Traceable’s notice of or response to a Personal Data Breach under this Section 7 will not be an acknowledgement or admission by Traceable of any fault or liability with respect to the Personal Data Breach.
8. Data Protection Impact Assessment; Prior Consultation
Taking into account the nature of the Processing and the information available to Traceable, Traceable will reasonably assist Customer in conducting data protection impact assessments and consultation with data protection authorities if Customer is required to engage in such activities under applicable Data Protection Laws and such assistance is necessary and relates to the Processing by Traceable of Customer Personal Data.
9. Deletion of Customer Personal Data
Customer instructs Traceable to delete Customer Personal Data within 90 days of the termination of the Agreement and delete existing copies unless applicable law requires otherwise. The parties agree that the certification of deletion described in Clause 8.5 of the EU SCCs and Clause 12 of the UK SCCs, if applicable, shall be provided only upon Customer’s written request. Notwithstanding the foregoing, Traceable may retain Customer Personal Data to the extent and for the period required by applicable laws provided that Traceable maintains the confidentiality of all such Customer Personal Data and Processes such Customer Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage.
10. Audits
10.1. Customer may audit Traceable’s compliance with its obligations under this DPA up to once per year. In addition, Customer may perform more frequent audits (including inspections) in the event: (1) Traceable suffers a Personal Data Breach affecting Customer Personal Data; (2) Customer has genuine, documented concerns regarding Traceable’s compliance with this DPA or the Data Protection Laws; or (3) where required by the Data Protection Laws, including where mandated by regulatory or governmental authorities with jurisdiction over Customer Personal Data. Traceable will contribute to such audits by providing Customer or Customer’s regulatory or governmental authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Service, as described below.
10.2. To request an audit, Customer must submit a detailed proposed audit plan to legal@traceable.ai at least one month in advance of the proposed audit start date. The proposed audit plan must describe the proposed scope, duration, start date of the audit, and the identity of any third party Customer intends to appoint to perform the audit. Traceable will review the proposed audit plan and provide Customer with any concerns or questions (for example, Traceable may object to the third party auditor as described in Section 10.3, provide an Audit Report as described in Section 10.4, or identify any requests for information that could compromise Traceable’s confidentiality obligations or security, privacy, employment or other relevant policies). The parties will negotiate in good faith to agree on a final audit plan at least two weeks in advance of the proposed audit start date. Nothing in this Section 10 shall require Traceable to breach any duties of confidentiality.
10.3. Traceable may object to third party auditors that are, in Traceable’s reasonable opinion, not suitably qualified or independent, a competitor of Traceable, or otherwise manifestly unsuitable. Customer will appoint another auditor or conduct the audit itself if the parties cannot resolve the objection after negotiating in good faith.
10.4. If the requested audit scope is addressed in an SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor on Traceable’s systems that Process Customer Personal Data (“Audit Reports”) within twelve (12) months of Customer’s audit request and Traceable confirms there are no known material changes in the controls audited, Customer agrees to accept the Audit Report in lieu of requesting an audit of the controls covered by the Audit Report.
10.5. The audit must be conducted at a mutually agreeable time during regular business hours at the applicable facility, subject to the agreed final audit plan and Traceable’s health and safety or other relevant policies and may not unreasonably interfere with Traceable’s business activities.
10.6. Any audits are at Customer’s expense and Customer will promptly disclose to Traceable any perceived non-compliance or security concerns discovered during the audit, together with all relevant details.
10.7. The parties agree that the audits described in Clause 8.9 of the EU SCCs and Clause 5(f) of the UK SCCs, if applicable, shall be performed in accordance with this Section 10.
11. Analytics Data
Customer acknowledges and agrees that Traceable may create and derive from Processing related to the Service anonymized and/or aggregated data that does not identify or relate to Customer or any Data Subject (“Analytics Data”), and use, publicize or share with third parties such Analytics Data to improve the Service and for Traceable’s other legitimate business purposes.
12. Liability
12.1. Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.
12.2. Customer acknowledges that Traceable is reliant on Customer for direction as to the extent to which Traceable is entitled to Process Customer Personal Data on behalf of Customer in performance of the Service. Consequently, Traceable will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by Traceable in compliance with Customer’s instructions or (b) from Customer’s failure to comply with its obligations under the Data Protection Laws.
13. General Provisions
With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. In the event of inconsistencies between the DPA and the EU or UK SCCs, the EU or UK SCCs will prevail.
SCHEDULE 1
Details of Processing
1. Categories of Data Subjects. This DPA applies to Traceable’s Processing of Customer Personal Data relating to Customer’s employees, contractors, and other authorized users of the Service together with Customer’s customers, where such data are not explicitly redacted or obfuscated by Customer (“Data Subjects”).
2. Types of Personal Data. The extent of Customer Personal Data Processed by Traceable is determined and controlled by Customer in its sole discretion and may include email addresses, postal addresses, billing details, product information, order information, and any other Personal Data that may be part of API requests and responses in connection with the Service that are not explicitly redacted or obfuscated by Customer.
3. Subject-Matter and Nature of the Processing. Customer Personal Data will be subject to the Processing activities that Traceable needs to perform in order to provide the Service pursuant to the Agreement.
4. Purpose of the Processing. Traceable will Process Customer Personal Data for purposes of providing the Service as set out in the Agreement.
5. Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 9 of the DPA.
SCHEDULE 2
Security Measures
1. Information Security Program.
Traceable will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Customer secure Customer Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorised access to the Traceable Network, and (c) minimise security risks, including through risk assessment and regular testing. Traceable will designate one or more employees to coordinate and be accountable for the information security program. The data processing is conducted utilizing the public cloud resources of the Google Cloud Platform which certifies the compliance and controls to include security and privacy with regard to Network Security, Physical Access Control, Limited human facility access and Physical Security Protections. All the Google facilities that are utilized by Traceable are certified against ISO 27001 and 27017 standards:
https://cloud.google.com/files/GCP_ISO_27017_2017.pdf
https://static.googleusercontent.com/media/privacy.google.com/en//businesses/static/pdf/final-eycp-2020-google-cloud-platform-iso-27001-certificate.pdf
2. Continued Evaluation.
Traceable will conduct periodic reviews of the security of its platform provider and adequacy of its information security program as measured against industry security standards and its policies and procedures. Traceable will continually evaluate the security of its platform provider and associated Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.