This Agreement is the entire agreement of the parties regarding the Services (as defined below), superseding all other agreements with respect to the Services between Company and UserLeap, whether oral or written. In the event of a conflict between the terms and conditions of the Cover Page and the Terms, the Terms will govern. Capitalized terms utilized but not defined in the Terms are defined in the Cover Page.
1.1 Grants. Subject to the Terms, UserLeap grants to Company a limited, non-transferable, non-exclusive and non-sublicenseable right, during the term of this Agreement, to use the services described on the Cover Page (the “Services”) solely for Company’s internal business purposes (the “License”).
1.2 Delivery. Upon UserLeap’s receipt of the Subscription Fees (as defined below), UserLeap will provide (a) Company with an email address to which to send a list of individuals to be authorized with log-in rights to access the Services for use in accordance with the Terms (collectively, the “End Users” and each, an “End User”), (b) each of the End Users with log-in credentials to access and use the Services, and (c) Company with log-in credentials to use the Services and access data resulting from End Users’ use of the Services as described on the Cover Page.
- Support, Security, and Additional Obligations.
2.1 Support and Service Level Standards. UserLeap will use commercially reasonable efforts to provide telephone technical maintenance and support services for the Services from 9AM to 5PM Pacific Standard Time. Further, UserLeap will use commercially reasonable efforts to meet the service level standards set forth in Exhibit A (“Service Level Standards”).
2.2 Security. UserLeap will use commercially reasonable efforts to meet the security requirements set forth in Exhibit B (the “Security Standards”).
- Fees and Payment Terms.
- Fees. In exchange for the Services, Company will pay the fees set forth below:
- Subscription Fee. Company shall pay a Subscription Fee for the Initial Term and for each successive Renewal Term. For the Initial Term, the Subscription Fee shall be paid within thirty (30) days of the Effective Date. For each successive Renewal Term, the Subscription Fee shall be paid within thirty (30) days of the expiration of the Initial Term or the previous Renewal Term.
- Monthly Fees. Company understands and agrees that Company may incur the additional monthly fees (the “Monthly Fees”) depending on Company’s usage of the Services (each level of usage, a “Tier”), as described on the Cover Page. Each Tier shall have the Monthly Fee listed on the Cover Page. If Company incurs Monthly Fees, UserLeap shall invoice Company within ten (10) days of the end of the month during which Company incurred the Monthly Fees (the “Invoice Date”), and Company shall pay the Monthly Fees within ten (10) days of the Invoice Date.
- Additional Services. If Company elects to receive Additional Services, the fees for the Additional Services are set forth in the applicable SOWs, and Company will pay such fees in accordance with the terms set forth in such SOWs.
- Pricing Changes. UserLeap, at its sole discretion, may modify its pricing at any time during the Term, and such pricing changes will be effective as of the directly subsequent Renewal Term.
- Interest and Taxes. Interest on any late payments will accrue at the rate of 1.5% per month, or the highest rate permitted by law, whichever is lower, from the date such amount is due until the date such amount is paid in full. Company will be responsible for, and will pay all sales and similar taxes, and all similar fees levied upon the provision of the Services excluding only taxes based solely on UserLeap’s net income. Company will indemnify and hold UserLeap harmless from and against any and all such taxes and related amounts levied upon the provision of the Services and any costs associated with the collection or withholding thereof, including penalties and interest.
- Definition. “Confidential Information” means all information disclosed (whether in oral, written, or other tangible or intangible form) by one party (the “Disclosing Party”) to the other party (the “Receiving Party”) concerning or related to this Agreement or the Disclosing Party (whether before, on or after the Effective Date) that is marked “Confidential” or “Proprietary” or with similar designation by the Disclosing Party, at the time of initial disclosure to the Receiving Party or, if the Disclosing Party makes an oral disclosure, the Disclosing Party, within 10 days of such oral disclosure, notifies the Receiving Party in writing that the information disclosed by the Disclosing Party should be treated as confidential/proprietary to the Disclosing Party. Confidential Information includes, but is not limited to, the Terms, the Services, the components of the business plans, financial plans, know-how, customer information, strategies, and other similar information. Confidential Information will not include information that: (a) is in or enters the public domain without breach of this Agreement through no fault of the Receiving Party; (b) the Receiving Party can reasonably demonstrate was in its possession prior to first receiving it from the Disclosing Party; (c) the Receiving Party can demonstrate was developed by the Receiving Party independently, and without use of or reference to, the Confidential Information; (d) the Receiving Party receives from a third party without restriction on disclosure and without breach of a nondisclosure obligation; or (e) is required to be disclosed by law (provided that, to the extent permitted by law, the Receiving Party shall notify the Disclosing Party as soon as reasonably practicable in writing prior to any disclosure pursuant to a legal requirement to allow the Disclosing Party a reasonable opportunity to seek a protective order or similar relief).
- Obligations. The Receiving Party will maintain in confidence the Confidential Information during the term of this Agreement and for the two-year period commencing upon the effective date of termination of this Agreement, and will not use such Confidential Information for any purpose other than carrying out the Receiving Party’s obligations under this Agreement. The Receiving Party will use the same degree of care in protecting the Confidential Information as the Receiving Party uses to protect its own confidential and proprietary information from unauthorized use or disclosure, but in no event less than reasonable care. In addition, the Receiving Party will only disclose Confidential Information to its directors, officers, employees and/or contractors (collectively, “Agents”) who have a need to know such Confidential Information in order to perform their duties under this Agreement, and if such Agents have executed a non-disclosure agreement with the Receiving Party with terms no less restrictive than the non-disclosure obligations contained in this Section 4.2. Although the Terms are Confidential Information, each party may disclose the Terms in connection with an actual or proposed merger, acquisition, or similar transaction. Any suggestions, comments or other feedback provided by Company to UserLeap with respect to UserLeap or the Services (collectively, “Feedback”) will constitute Confidential Information of UserLeap, and UserLeap shall own all right, title and interest in and to the Feedback.
- Remedies. The Receiving Party acknowledges that any unauthorized disclosure of Confidential Information will result in irreparable injury to the Disclosing Party, which injury could not be adequately compensated by the payment of money damages. In addition to any other legal and equitable remedies that may be available, the Disclosing Party will be entitled to seek and obtain injunctive relief against any breach or threatened breach by the Receiving Party of the confidentiality obligations hereunder, from any court of competent jurisdiction, without being required to show any actual damage or irreparable harm, prove the inadequacy of its legal remedies, or post any bond or other security.
- Privacy and Data.
5.1 UserLeap. UserLeap will comply with all applicable laws and regulations in its handling of Company Data (as defined below). If UserLeap uses the Services to process personal data from data subjects in the European Union, for purposes of such Company Data, UserLeap will act as a data processor, and Company will act as a data controller. Company will process Company Data from data subjects in the European Union or Switzerland in accordance with terms set forth in Exhibit C (“European Union Data Processing Addendum”).
- Representations, Warranties and Remedies.
- Representations and Warranties. UserLeap represents and warrants that (a) the Services will conform, in all material respects, to the applicable specifications set forth in the Cover Page, and (b) it will perform the Additional Services, if any, in a professional and workmanlike manner. Company represents and warrants that Company: (a) will use the Services only in compliance with this Agreement and all applicable laws and regulations; and (b) shall not infringe upon any third party’s trade secrets, trademarks, copyright, patent rights or other proprietary rights in its use of the Services, including but not limited to any Feedback or any Company Data provided by Company or End Users.
- Disclaimer. EXCEPT FOR THE REPRESENTATIONS AND WARRANTIES SET FORTH IN SECTIONS 6.1 AND 6.2, USERLEAP DISCLAIMS ANY AND ALL REPRESENTATIONS OR WARRANTIES (EXPRESS OR IMPLIED, ORAL OR WRITTEN) WITH RESPECT TO THIS AGREEMENT, SERVICES AND ANY THIRD-PARTY SERVICES, WHETHER ALLEGED TO ARISE BY OPERATION OF LAW, BY REASON OF CUSTOM OR USAGE IN THE TRADE, BY COURSE OF DEALING OR OTHERWISE, INCLUDING ANY AND ALL: (A) WARRANTIES OF MERCHANTABILITY; (B) WARRANTIES OF FITNESS OR SUITABILITY FOR ANY PURPOSE (WHETHER OR NOT USERLEAP KNOWS, HAS REASON TO KNOW, HAS BEEN ADVISED, OR IS OTHERWISE AWARE OF ANY SUCH PURPOSE); OR (C) WARRANTIES OF NONINFRINGEMENT OR CONDITION OF TITLE. NOTWITHSTANDING ANY TERMS TO THE CONTRARY IN THIS AGREEMENT, COMPANY ACKNOWLEDGES AND AGREES THAT USERLEAP MAY MODIFY THE FEATURES OF THE SERVICES FROM TIME-TO-TIME AT USERLEAP’S SOLE DISCRETION.
- Indemnification Obligations.
- UserLeap Indemnity. UserLeap, at its sole expense, will defend Company from and against any and all third-party claims, suits, actions or proceedings (each a “Claim”), and indemnify Company from any related damages, payments, deficiencies, fines, judgments, settlements, liabilities, losses, costs and expenses, including, but not limited to, reasonable attorneys’ fees, costs, penalties, interest and disbursements (collectively, “Damages”) resulting from or arising in connection with the exercise of any of the rights granted to Company under Section 1.1 with respect to the Services infringing any intellectual property rights of any third party. In the event of a Claim pursuant to this Section 7.1, UserLeap may, at UserLeap’s option and at UserLeap’s expense (a) obtain for Company the right to continue to exercise the rights granted to Company under this Agreement; (b) substitute the allegedly infringing component for an equivalent non-infringing component; (c) modify the Services to make them non-infringing; or (d) if (a), (b), or (c) is not obtainable on commercially reasonable terms, UserLeap may terminate this Agreement, effective immediately, by written notice to Company. Upon a termination of this Agreement pursuant to this Section 7.1, Company must cease using the Services and UserLeap will refund the amount Company paid to UserLeap for the Services for the then-current Subscription Period adjusted pro-rata for any period during such then-current Subscription Period when any of the Services were provided to Company. 
UserLeap’s indemnification obligations do not extend to Claims arising from or relating to: (i) any negligent or willful misconduct of Company or any of Company’s employees, contractors and/or service providers (collectively, the “Company Indemnitees”) or any third party; (ii) any combination of the Services (or any portion thereof) by any of the Company Indemnitees or any third party in combination with any equipment, software, data or any other materials; (iii) any modification to the Services by any of the Company Indemnitees or any third party; (iv) the use of the Services by any of the Company Indemnitees or any third party in a manner contrary to the terms of this Agreement where the infringement would not have occurred but for such use; (v) the continued use of the Services after UserLeap has provided substantially equivalent non-infringing software or service; (vi) any Company services or products; or (vii) any act or omission of any of the Company Indemnitees.
- Company Indemnity. Company, at its sole expense, will defend UserLeap and its directors, officers, employees and agents (“UserLeap Indemnitees”) from and against any Claims and indemnify UserLeap Indemnitees from any related Damages arising from or relating to (a) any Company products or services, (b) any recklessness, negligence or willful misconduct or omissions by Company or a party acting on its behalf, (c) any alleged or actual breach of Company’s obligations under this Agreement (including, but not limited to, any alleged or actual breach of any of Company’s representations or warranties), or (d) any violation by Company, any End User, or any of Company’s employees, contractors, and/or service providers of any federal, state, local, or foreign law or regulation.
- Limitation of Liability.
8.1 Consequential Damages Waiver. EXCEPT FOR (A) EACH PARTY’S BREACH OF ITS CONFIDENTIALITY OBLIGATIONS AS SET FORTH IN SECTION 4, (B) INFRINGEMENT, MISAPPROPRIATION OR VIOLATION OF ANY INTELLECTUAL PROPERTY RIGHT OF A PARTY, OR (C) EACH PARTY’S INDEMNIFICATION OBLIGATIONS AS SET FORTH IN SECTION 7, NEITHER PARTY WILL BE LIABLE FOR ANY LOSS OF PROFITS OR ANY INDIRECT, SPECIAL, INCIDENTAL, RELIANCE OR CONSEQUENTIAL DAMAGES OF ANY KIND, REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, EVEN IF INFORMED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE. IN NO EVENT WILL USERLEAP’S MAXIMUM AGGREGATE LIABILITY UNDER THIS AGREEMENT EXCEED THE TOTAL AMOUNT ACTUALLY PAID BY COMPANY IN CONNECTION WITH THIS AGREEMENT, REGARDLESS OF THE LEGAL THEORY OR FORM OF ACTION.
8.2 Liability Cap. EXCEPT FOR (A) EACH PARTY’S BREACH OF ITS CONFIDENTIALITY OBLIGATIONS AS SET FORTH IN SECTION 4, (B) INFRINGEMENT, MISAPPROPRIATION OR VIOLATION OF ANY INTELLECTUAL PROPERTY RIGHT OF A PARTY, OR (C) EACH PARTY’S INDEMNIFICATION OBLIGATIONS AS SET FORTH IN SECTION 7, EACH PARTY’S ENTIRE LIABILITY TO THE OTHER PARTY WILL NOT EXCEED THE SUBSCRIPTION FEES ACTUALLY PAID BY COMPANY TO USERLEAP DURING THE SUBSCRIPTION PERIOD WITHIN WHICH THE DAMAGES OCCURRED. FURTHER, NOTWITHSTANDING ANY TERMS TO THE CONTRARY IN THIS AGREEMENT, (A) THE SOLE AND EXCLUSIVE REMEDY FOR ANY FAILURE OF ANY SERVICE LEVEL STANDARDS ARE THE CREDITS PROVIDED UNDER THIS AGREEMENT UNLESS SUCH FAILURE IS DUE TO USERLEAP’S WILLFUL MISCONDUCT, AND (B) USERLEAP WILL NOT BE LIABLE FOR ANY DISCLOSURE OF, UNAUTHORIZED USE OF AND/OR UNAUTHORIZED ACCESS TO ANY COMPANY DATA OR OTHER DATA UNLESS SUCH DISCLOSURE, UNAUTHORIZED USE OF AND/OR UNAUTHORIZED ACCESS SOLELY AND DIRECTLY RESULTS FROM USERLEAP’S FAILURE TO MEET THE SECURITY STANDARDS.
8.3 Failure of Essential Purpose. MULTIPLE CLAIMS WILL NOT EXPAND THIS LIMITATION. THIS SECTION 8 WILL BE GIVEN FULL EFFECT EVEN IF ANY REMEDY SPECIFIED IN THIS AGREEMENT IS DEEMED TO HAVE FAILED OF ITS ESSENTIAL PURPOSE.
- Term, Termination and Effect of Termination.
- Term and Termination. Unless earlier terminated as set forth in this Agreement, this Agreement commences upon the Effective Date and continues for a period of twelve (12) months (the “Initial Term”). After the expiration of the Initial Period, this Agreement shall automatically renew for additional successive twelve (12) month terms unless either party terminates this Agreement with no less than 60 days’ advance written notice prior to the close of the then-current term (each such term, a “Renewal Term,” and, collectively with the Initial Term, the “Term”). In addition to UserLeap’s right to terminate this Agreement pursuant to Section 7.1, either party may terminate this Agreement, for cause, if the other party: (a) breaches this Agreement and does not remedy such failure within 20 days after its receipt of written notice of such breach; or (b) terminates its business activities or becomes insolvent, admits in writing to inability to pay its debts as they mature, makes an assignment for the benefit of creditors, or becomes subject to direct control of a trustee, receiver or similar authority. Further, if Company uses the Services in any unauthorized manner, UserLeap may immediately terminate this Agreement.
- Effect of Termination. Upon any termination of this Agreement (a) all rights and licenses granted to Company under this Agreement will immediately cease, (b) Company will immediately pay to UserLeap all amounts due and payable up to the effective date of termination of this Agreement, and (c) each party will promptly return to the other party all Confidential Information of such other party then in its possession or destroy all copies of Confidential Information of such other party, at such other party’s sole discretion and direction. Notwithstanding any terms to the contrary in this Agreement, this sentence and Sections 3, 4, 6.3, 7, 8, 10, and 12 will survive any termination of this Agreement, and no refunds will be issued upon any termination of this Agreement.
- Restrictions. Except as expressly authorized by this Agreement, Company may not (a) modify, disclose, alter, translate or create derivative works of the Services (or any components thereof), (b) license, sublicense, resell, distribute, lease, rent, lend, transfer, assign or otherwise dispose of the Services (or any components thereof), (c) use the Services to store or transmit any viruses, software routines or other code designed to permit unauthorized access, to disable, erase or otherwise harm software, hardware or data, or to perform any other harmful actions, (d) copy, frame or mirror any part or content of the Services, (e) build a competitive product or service, or copy any features or functions of the Services, (f) interfere with or disrupt the integrity or performance of the Services, (g) attempt to gain unauthorized access to the Services or their related systems or networks, (h) disclose to any third party any performance information or analysis relating to the Services, (i) use the software components of the Services, or allow the transfer, transmission, export or re-export of such software components or any portion thereof in violation of any export control laws or regulations administered by the U.S. Commerce Department, OFAC, or any other government agency, (j) remove, alter or obscure any proprietary notices in or on the Services including copyright notices, (k) disclose or make available Passwords that UserLeap has provided to Company or the End Users or that are generated in connection with Company’s or End Users’ use of the Services, other than to Company or the End Users, or (l) cause or permit any End User or third party to do any of the foregoing. Company will use best efforts to prevent unauthorized access to, and use of, the Passwords and the Services, and will immediately notify UserLeap in writing of any unauthorized use of the Services that comes to Company’s attention.
- Responsibilities. Company shall be responsible for: (a) obtaining and maintaining any equipment and ancillary services needed to connect to, access or otherwise use the Services; (b) maintaining the security of Company’s infrastructure, equipment, accounts, passwords (including but not limited to administrative and user passwords) and files; and (c) providing UserLeap and its personnel with support and system access needed to perform the Services.
- General Provisions.
- Entire Agreement. This Agreement, including all exhibits to this Agreement, all of which are incorporated herein by reference, sets forth the entire agreement and understanding of the parties relating to the subject matter hereof, and supersedes all prior or contemporaneous agreements, proposals, negotiations, conversations, discussions and understandings, written or oral, with respect to such subject matter and all past dealing or industry custom.
- Independent Contractors. Neither party will, for any purpose, be deemed to be an agent, franchisor, franchise, employee, representative, owner or partner of the other party, and the relationship between the parties will only be that of independent contractors. Neither party will have any right or authority to assume or create any obligations or to make any representations or warranties on behalf of any other party, whether express or implied, or to bind the other party in any respect whatsoever.
- Governing Law and Venue. This Agreement will be governed by and construed in accordance with the laws of the State of California applicable to agreements made and to be entirely performed within the State of California, without resort to its conflict of law provisions. The state or federal court in San Francisco County, California will be the jurisdiction in which any suits should be filed if they relate to this Agreement. Prior to the filing or initiation of any action or proceeding relating to this Agreement, the parties must participate in good faith mediation in San Francisco County, California. If a party initiates any proceeding regarding this Agreement, the prevailing party to such proceeding is entitled to reasonable attorneys’ fees and costs for claims arising out of this Agreement.
- Ownership. No provision of this Agreement shall be construed as an assignment or transfer of ownership of any copyrights, patents, trade secrets, trademarks, or any other intellectual property rights from UserLeap to Company or End Users. UserLeap shall own and retain all right, title and interest in and to: (a) the Services and all improvements, enhancements or modifications thereto; (b) any software, applications, inventions or other technology developed in connection with the Services; and (c) all intellectual property rights related to any of the foregoing. UserLeap only grants Company the License, subject to the terms of this Agreement.
- Analytics. Company acknowledges and agrees that UserLeap may monitor, collect, use and store anonymous and aggregate statistics regarding use of the Services and/or any individuals/entities that interact with the Services (collectively, “UserLeap Analytic Data”). Company grants UserLeap, and each of UserLeap’s respective subsidiaries, affiliates, successors, and assigns, an unlimited, perpetual, and irrevocable license to use the UserLeap Analytic Data.
- Publicity. Company consents to UserLeap’s use of Company’s name and logo on the UserLeap website, identifying Company as a customer of UserLeap and describing Company’s use of the Services notwithstanding any terms to the contrary in this Agreement. Company agrees that UserLeap may issue a press release identifying Company as a customer of UserLeap.
- Third-Party Services. Company acknowledges and agrees that UserLeap uses third-party hosting infrastructures in connection with the Services (“Third-Party Services”), and UserLeap disclaims any liability with respect to the Third-Party Services. Company agrees to abide by the terms and conditions provided by UserLeap with respect to the Third-Party Services.
- Assignment. Neither this Agreement nor any right or duty under this Agreement may be transferred, assigned or delegated by Company, by operation of law or otherwise, without the prior written consent of UserLeap, and any attempted transfer, assignment or delegation without such consent will be void and without effect. UserLeap may freely transfer, assign or delegate this Agreement or its rights and duties under this Agreement. Subject to the foregoing, this Agreement will be binding upon, will inure to the benefit of the parties and their respective representatives, heirs, administrators, successors and permitted assigns.
- Amendments and Waivers. No modification, addition or deletion, or waiver of any rights under this Agreement will be binding on a party unless clearly understood by the parties to be a modification or waiver and signed by a duly authorized representative of each party. No failure or delay (in whole or in part) on the part of a party to exercise any right or remedy hereunder will operate as a waiver thereof or affect any other right or remedy. All rights and remedies hereunder are cumulative and are not exclusive of any other rights or remedies provided hereunder or by law. The waiver of one breach or default or any delay in exercising any rights will not constitute a waiver of any subsequent breach or default.
- Notices. Any notice or communication required or permitted to be given hereunder must be in writing, signed or authorized by the party giving notice, and may be delivered by hand, deposited with an overnight courier, sent by confirmed email, sent by confirmed facsimile, or mailed by registered or certified mail, return receipt requested, postage prepaid, in each case to the address of the receiving party as identified on this Agreement or at such other address as may hereafter be furnished in writing by either party to the other party. Such notice will be deemed to have been given as of the date it is delivered. Notice is effective on the earlier of 10 days from being deposited for delivery or the date on the confirmed facsimile, confirmed email or courier receipt.
- Severability. If any provision of this Agreement is invalid, illegal, or incapable of being enforced by any rule of law or public policy, all other provisions of this Agreement will nonetheless remain in full force and effect so long as the economic and legal substance of the transactions contemplated by this Agreement is not affected in any manner adverse to any party. Upon such determination that any provision is invalid, illegal, or incapable of being enforced, the parties will negotiate in good faith to modify this Agreement so as to effect the original intent of the parties as closely as possible in an acceptable manner to the end that the transactions contemplated hereby are fulfilled.
- Counterparts. This Agreement may be executed: (a) in two or more counterparts, each of which will be deemed an original and all of which will together constitute the same instrument; and (b) by the parties by exchange of signature pages by mail, facsimile or email (if email, signatures in Adobe PDF or similar format).
- Force Majeure. Except for payments due under this Agreement, neither party will be responsible for any failure to perform or delay attributable in whole or in part to any cause beyond its reasonable control including, but not limited to, acts of God (fire, storm, floods, earthquakes, etc.), acts of terrorism, civil disturbances, disruption of telecommunications, disruption of power or other essential services, interruption or termination of any services provided by any service providers used by UserLeap, labor disturbances, vandalism, cable cut, computer viruses or other similar occurrences, or any malicious or unlawful acts of any third party (a “Force Majeure Event”).
- Construction. This Agreement shall be deemed to be the product of all of the parties hereto, and no ambiguity shall be construed in favor of or against any one of the Parties hereto.
SERVICE LEVEL STANDARDS
UserLeap will use commercially reasonable efforts to make the Services available 99.9% or more of the time during any calendar month. Subject to the exclusions set forth below, an outage will be defined as any time where the Services are not available due to a cause within the control of UserLeap. The availability standard does not apply to any feature of the Services that UserLeap identifies as a “beta” feature or service.
If UserLeap fails to achieve the availability percentage above, Company will be eligible to receive a credit (“Service Credit”) calculated as a percentage of the Subscription Fees. The Service Credit increases based on the amount of aggregate outage as set forth below.
| Service Availability | Service Credit |
| --- | --- |
| Less than 99.99% | 1% |
| Less than 99.9% | 4% |
| Less than 99% | 8% |
| Less than 98% | 10% |
Service Credits are non-transferable and will be issued in U.S. dollars. To receive a Service Credit, Company must contact UserLeap in writing within 30 days following the outage and demonstrate to UserLeap’s reasonable satisfaction that Company’s use of the Service was adversely affected as a result of the outage. Any validated Service Credits will be applied against the next open invoice due to UserLeap by Company.
UserLeap does not include in its calculation of downtime any time the Services are not provided due to:
- Planned maintenance windows where notice of planned unavailability has been given, via email, at least two business days prior to the outage, unless in the case of emergency changes;
- Force Majeure Events;
- Actions or inactions on Company’s part;
- Events arising from Company’s systems or any Company websites;
- ISP or Internet outages outside of UserLeap’s control; or
- Outages reasonably deemed necessary by UserLeap.
Notwithstanding any terms to the contrary in this Agreement, the Service Credits are Company’s sole and exclusive remedy for any outage of the Services.
Protecting customer data is a top priority at UserLeap. We understand you are trusting us with your data and we take the responsibility of securing it extremely seriously.
1.1 System architecture. UserLeap’s architecture is designed to be secure and reliable. We use an n-tier architecture with firewalls between each tier and additionally within certain tiers between services. Services are accessible only by other services that require access. Access keys are rotated regularly and stored separately from our code and data.
1.2 Failover and disaster recovery. UserLeap is built with fault tolerance capability. Each of our services is fully redundant with replication and failover. Services are distributed across multiple AWS availability zones. These zones are hosted in physically separate data centers, protecting services against single data center failures.
1.3 Data Centers. Our application is hosted and managed within Amazon Web Services (AWS) secure data centers. These data centers have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 - Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
1.4 Vulnerability scans. UserLeap uses security tools to continuously scan for vulnerabilities. Additionally, vulnerabilities in third-party libraries and tools are monitored and software is patched or updated promptly when new issues are reported.
1.5 Firewall. Our servers are protected by firewalls and not directly exposed to the Internet.
1.6 Corporate Network. UserLeap runs a zero-trust corporate network. There are no corporate resources or additional privileges from being on UserLeap’s corporate network.
2.1 Data storage. UserLeap data stores are accessible only by servers that require access. Access keys are stored separately from our source code repository and only available to the systems that require them. Additionally, production environments are sandboxed from testing environments.
2.2 Backups. We maintain secure encrypted backups of important data for a minimum of 30 days. We do not retroactively remove deleted data from backups as we may need to restore it, if removed accidentally. Backup data is fully expunged after 90 days.
2.3 Logs. We aggregate logs to secure encrypted storage. All sensitive information (including passwords, API keys, and security questions) is filtered from our server logs. Log data is fully expunged after 90 days.
3.1 Passwords. We never store passwords in a form that can be retrieved. Instead, we store an irreversible cryptographic hash using a function specifically designed for this purpose. Authentication sessions are invalidated when users change key information and sessions automatically expire after a period of inactivity.
3.2 Monitoring. We monitor and rate limit authentication attempts on all accounts.
3.3 User roles. We provide multiple user roles with different permission levels within the product. Roles vary from account owners, to admins, users, and roles that limit visibility of Personally Identifiable Information (PII).
4.1 HTTPS. All UserLeap web traffic is served over HTTPS. We force HTTPS for all web resources, including our REST API, web app and public website. We also use HSTS to ensure that browsers communicate with our services using HTTPS exclusively. Additionally, we use only strong cipher suites.
4.2 Encryption. Our primary databases, including backups, are fully encrypted at rest. In addition, all archives and logs are fully encrypted at rest. We use industry-standard encryption algorithms.
5.1 Policies. UserLeap has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with employees.
5.2 Incident response. UserLeap has a defined protocol for responding to security events.
5.3 Security training. All employees complete security training when they join and are continually refreshed.
5.4 Employee vetting. UserLeap performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees.
5.5 Confidentiality. All employees have signed a confidentiality agreement with UserLeap.
5.6 Disclosure. If you have any concerns or discover a security issue, please email us at firstname.lastname@example.org and we will quickly investigate. We request that you do not publicly disclose any issue you discovered until after we have addressed it.
EUROPEAN UNION DATA ADDENDUM
This Data Processing Addendum (“DPA”) applies to the extent that Data Protection Legislation applies to the processing of personal data under this Agreement, including if (a) the processing is in the context of the activities of an establishment of either Party in the European Economic Area (“EEA”) and/or (b) the personal data relates to data subjects who are in the EEA and the processing relates to the offering to them of services or the monitoring of their behavior in the EEA by or on behalf of a Party. All capitalized terms not otherwise defined in this DPA will have the meaning given to them in this Agreement. If there is any inconsistency or conflict between this DPA and any Agreement, then as it relates to data protection, this DPA will govern and will survive termination of this Agreement.
“Company Personal Data” means personal data processed by UserLeap on behalf of Company or the Data Subject in provision of the Services.
“Data Subject” means the identifiable, natural person to whom Company Personal Data relates.
“Data Protection Legislation” means as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).
“GDPR” means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and any amendment or replacement to it.
“Security Breach” or “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Company Personal Data transmitted, stored or otherwise processed.
“Controller to Processor Standard Clauses” in relation to the processing of Company Personal Data pursuant to this Agreement means the standard clauses for the transfer of personal data to processors established in third countries as updated, amended, replaced or superseded from time to time by the European Commission, the approved version of which in force at present is that set out in the European Commission's Decision 2010/87/EU of 5 February 2010, available at: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087.
For clarity, the terms “controller”, “data subject”, “personal data”, “processing”, “processor”, and “supervisory authority” as used in this DPA will have the meanings ascribed to them in the GDPR.
PROCESSING OF DATA.
2.1. Purpose of Processing. The purpose of data processing under this Agreement is the provision of the Services pursuant to this agreement.
2.2. Processor and Controller Responsibilities. The parties acknowledge and agree that: (a) UserLeap is a processor of Company Personal Data under the Data Protection Legislation; (b) Company is a controller of Company Personal Data under the Data Protection Legislation; and (c) each party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of Company Personal Data.
2.4. Company Instructions. Company instructs UserLeap to process Company Personal Data: (a) in accordance with this agreement and any applicable Order Form; and (b) to comply with other reasonable written instructions provided by Company where such instructions are consistent with the terms of this agreement. Company will ensure that its instructions for the processing of Company Personal Data will comply with the Data Protection Legislation. Company will have sole responsibility for the accuracy, quality, and legality of Company Personal Data and the means by which Company obtained the personal data.
2.5. UserLeap’s Compliance with Company Instructions. UserLeap will only process Company Personal Data in accordance with Company’s instructions. UserLeap may process Company Personal Data other than on the written instructions of Company if it is required under applicable law to which UserLeap is subject. In this situation, UserLeap will inform Company of such requirement before UserLeap processes the Company Personal Data unless prohibited by applicable law.
SECURITY; PRIVACY IMPACT ASSESSMENTS.
3.1. UserLeap Personnel. UserLeap will ensure that its personnel engaged in the processing of Company Personal Data are informed of the confidential nature of the Company Personal Data, and are subject to obligations of confidentiality and such obligations survive the termination of that individual’s engagement with UserLeap.
3.2. Security. UserLeap will implement appropriate technical and organizational measures to safeguard Company Personal Data taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
3.3 Data Privacy Impact Assessments. UserLeap will take reasonable measures to cooperate and assist Company in conducting a data protection impact assessment and related consultations with any supervisory authority, if Company is required to conduct such assessment under Data Protection Legislation.
DATA SUBJECT RIGHTS.
4.1. Assistance with Company’s Obligations. To the extent Company, in its use or receipt of the Services, does not have the ability to correct, amend, restrict, block or delete Company Personal Data, as required by Data Protection Legislation, UserLeap will promptly comply with reasonable requests by Company to facilitate such actions to the extent UserLeap is legally permitted and able to do so.
4.2. Notification Obligations. UserLeap will, to the extent legally permitted, promptly notify Company if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the processing of Company Personal Data relating to such individual. UserLeap will not respond to any such data subject request relating to Company Personal Data without Company’s prior written consent except to confirm that the request relates to Company. UserLeap will provide Company with commercially reasonable cooperation and assistance in relation to handling of a Data Subject request, to the extent legally permitted and to the extent Company does not have the ability to address such Company Personal Data through its use or receipt of the Services.
5.1. General Authorization. Company generally authorizes the use of subprocessors to process Company Personal Data in connection with fulfilling UserLeap’s obligations under this agreement and/or this DPA.
5.2 New Subprocessors. When UserLeap engages any new subprocessor to process Company Personal Data, UserLeap will, at least ten (10) days before the new subprocessor processes any Company Personal Data, inform Company of the engagement via email to the email address on file for Company’s account and give Company the opportunity to object to such subprocessor within five (5) days of UserLeap giving notice. If Company objects to a new subprocessor, and such objection is not resolved within twenty (20) days of UserLeap receiving the objection, UserLeap may terminate this agreement with Company.
5.3. UserLeap Obligations. UserLeap will remain liable for the acts and omissions of its subprocessors to the same extent UserLeap would be liable if performing the services of each subprocessor directly under the terms of this DPA. UserLeap will contractually impose data protection obligations on its subprocessors that are at least equivalent to those data protection obligations imposed on UserLeap under this DPA.
Transfers of Company Personal Data collected pursuant to this agreement outside of the EEA or Switzerland will be governed by the Controller to Processor Standard Clauses, incorporated herein by reference. For purposes of the Controller to Controller Standard Clauses, (i) Company, the party transferring from the EEA or Switzerland, will be referred to as the “Data Exporter” and (ii) UserLeap will be referred to as the “Data Importer.” Annex 1 to this DPA will apply as Appendix 1 of the Controller to Processor Standard Clauses. Annex 2 to this DPA will apply as Appendix 2 of the Controller to Processor Standard Clauses.
7.1. Notification Obligations. In the event UserLeap becomes aware of any Security Breach, UserLeap will notify Company of the Security Breach without undue delay. The obligations in this Section 7 do not apply to incidents that are caused by Company or Company's personnel or end users or to unsuccessful attempts or activities that do not compromise the security of Company Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
7.2. Manner of Notification. Notification(s) of Security Breaches, if any, will be delivered to one or more of Company’s business, technical or administrative contacts by any means UserLeap selects, including via email. It is Company’s sole responsibility to ensure it maintains accurate contact information on UserLeap’s support systems at all times.
TERM AND TERMINATION.
8.1. Term of DPA. This DPA will remain in effect until, and automatically expire upon, the return or deletion of all Company Personal Data as described in this DPA.
8.2. Deletion of Company Data. UserLeap will delete or return Company Personal Data to Company after the end of the provision of Services under this agreement and will delete all existing copies thereof, except to the extent that UserLeap is required under applicable law to keep a copy of the Company Personal Data.
9.1. Information Rights. UserLeap has obtained the third-party certification and audits demonstrating its compliance with the security measures set forth in Annex 2, including ISO/IEC 27001:2013 certification. Upon Company’s written request no more than once per year, UserLeap will provide a copy of UserLeap’s then most recent third-party audits or certifications (the “Audit Reports”), as applicable, or any summaries thereof, that UserLeap makes available to its customers. Audit requests must be sent to email@example.com. UserLeap may satisfy such audit request by providing Company with a confidential copy of an Audit Report in order that Company may reasonably verify UserLeap’s compliance with the technical and organizational measures as required under this Agreement. If Company is not satisfied with the above certifications and audits, UserLeap will allow Company or a mutually agreed upon independent auditor appointed by Company to conduct an audit (including inspection), no more than once per year upon eight weeks’ notice sent to the above email address. Any independent auditor appointed must commit to a duty of confidentiality. UserLeap will contribute to such audits whose sole purpose will be to verify UserLeap’s compliance with its obligations under this Agreement.
9.2. Separate Service. Any request for UserLeap to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required by law. Company will reimburse UserLeap for any time spent for any such audit at rates mutually agreed to by the parties, taking into account the resources expended by UserLeap. Company will promptly notify UserLeap with information regarding any non-compliance discovered during the course of an audit. UserLeap will reasonably cooperate with Company, at Company’s expense, to assist Company in ensuring compliance with Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to UserLeap.