Upbound Master Services Agreement

This Upbound Master Services Agreement is by and between Upbound Inc. (“Company”) and the entity described below (“Customer”). Company and Customer may be referred to individually as “party” and collectively as “parties.” This Master Services Agreement, collectively with: (a) all Service Order Forms agreed to by the parties in writing and (b) any other materials specifically incorporated by reference herein, is referred to herein as the “Agreement.” This Agreement becomes binding and effective on Customer upon the earliest of: (1) when Customer accesses or uses the Services, or (2) when Customer enters into a Service Order Form (as defined below) with Upbound (“Effective Date”). Capitalized terms in the Agreement have the meaning set forth in Exhibit A or elsewhere in the Agreement.

  1. SERVICES AND SUPPORT
    1. This Agreement sets forth the terms pursuant to which Customer may access and use the Services in connection with one or more Service Order Forms.
    2. Subject to the terms of this Agreement, Company will use commercially reasonable efforts to provide Customer the Services in accordance with the Uptime terms attached hereto as Exhibit B. As part of the registration process, Customer will identify an administrative username and password for Customer’s Company account. Company reserves the right to refuse registration of or cancel passwords it deems inappropriate.
    3. Subject to the terms hereof, Company will provide Customer with reasonable technical support services in accordance with the terms set forth in Exhibit C.
    4. Each of Customer’s Affiliates may enter into Service Order Forms with Company and shall be responsible for all of its obligations related thereto and shall be considered “Customer” with respect to that Service Order Form. Each Affiliate will pay for all Services rendered pursuant to a Service Order Form entered into by that Affiliate. The rights and interests which are granted hereunder include the right of Customer and an Affiliate to purchase and use the Services provided that, in each case, each Affiliate complies with the terms of this Agreement. Customer shall be fully liable for any and all actions or inactions of any current or future Affiliate, and its employees, agents and contractors.
  2. RESTRICTIONS AND RESPONSIBILITIES
    1. Customer will not, directly or indirectly: reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms relevant to the Services or Software; modify, translate, or create derivative works based on the Services or any Software (except to the extent expressly permitted by Company or authorized within the Services); use the Services or any Software for time sharing or service bureau purposes or otherwise for the benefit of a third party; or remove any proprietary notices or labels.
    2. Further, Customer may not remove or export from the United States or allow the export or re-export of the Services, Software or anything related thereto, or any direct product thereof in violation of any restrictions, laws or regulations of the United States Department of Commerce, the United States Department of Treasury Office of Foreign Assets Control, or any other United States or foreign agency or authority. As defined in FAR section 2.101, the Software and documentation are “commercial items” and according to DFAR section 252.227‑7014(a)(1) and (5) are deemed to be “commercial computer software” and “commercial computer software documentation.” Consistent with DFAR section 227.7202 and FAR section 12.212, any use, modification, reproduction, release, performance, display, or disclosure of such commercial software or commercial software documentation by the U.S. Government will be governed solely by the terms of this Agreement and will be prohibited except to the extent expressly permitted by the terms of this Agreement.
    3. Customer represents, covenants, and warrants that Customer will use the Services only in compliance with Company’s standard published policies then in effect (the “Policy”) and all Applicable Laws. Customer hereby agrees to indemnify and hold harmless Company and its Affiliates, and their officers, employees, agents, and successors and assigns from and against any damages, losses, liabilities, settlements and expenses (including without limitation costs and reasonable attorneys’ fees) in connection with any claim, action, inquiries, demand or proceeding that arises from or relates to an alleged violation of the foregoing or otherwise from either Customer’s use of Services or Customer Data. Although Company has no obligation to monitor Customer’s use of the Services, Company may do so and may prohibit any use of the Services it believes may be (or alleged to be) in violation of the foregoing.
    4. Customer shall be responsible for obtaining and maintaining any equipment and ancillary services needed to connect to, access or otherwise use the Services, including, without limitation, modems, hardware, servers, software, operating systems, networking, web servers and the like (collectively, “Equipment”). Customer shall also be responsible for maintaining the security of the Equipment, Customer account, passwords (including but not limited to administrative and user passwords) and files, and for all uses of Customer account or the Equipment with or without Customer’s knowledge or consent.
    5. Any use of the Service in breach of this Agreement, Documentation or Order Forms by Customer or Users that in Upbound's judgment threatens the security, integrity or availability of the Service may result in Okta’s immediate suspension of Customer’s access to the Service; however, Upbound will use commercially reasonable efforts under the circumstances to provide Customer with notice and an opportunity to remedy such violation or threat prior to such suspension.
  3. CONFIDENTIALITY; PROPRIETARY RIGHTS
    1. Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose Proprietary Information of the Disclosing Party. The Receiving Party agrees: (i) to take reasonable precautions to protect such Proprietary Information, and (ii) not to use (except in performance of the Services or as otherwise permitted herein) or divulge to any third person any such Proprietary Information.
    2. Customer shall own all right, title and interest in and to the Customer Data. Client, not Company, has sole responsibility for ensuring the accuracy, quality, integrity, legality, security, reliability, appropriateness, and Intellectual Property Rights to use all Customer Data. Company shall own and retain all right, title and interest in and to (a) the Services and Software, all improvements, enhancements or modifications thereto, (b) any software, applications, inventions or other technology developed in connection with Implementation Services or support, and (c) all intellectual property rights related to any of the foregoing. The Agreement is not a sale and does not convey to Customer any rights of ownership in or related to the Services, or any Intellectual Property Rights owned by Company.
    3. To the extent the performance of its obligations entails the access to, or use of, Customer Data, Company shall implement and follow the security controls, practices and procedures set forth in Exhibit D.
    4. Notwithstanding anything to the contrary, Company shall have the right to collect and analyze data and other information relating to the provision, use and performance of various aspects of the Services and related systems and technologies (including, without limitation, information concerning Customer Data and data derived therefrom), and Company will be free (during and after the term hereof) to (i) use such information and data to improve and enhance the Services and for other development, diagnostic and corrective purposes in connection with the Services and other Company offerings, and (ii) disclose such data solely in aggregate or other de-identified form in connection with its business. No rights or licenses are granted except as expressly set forth herein.
    5. At Company’s written request no more frequently than quarterly, Customer will furnish Company with a certification signed by a Customer’s authorized representative verifying that Customer has not exceeded the Service Capacity. In its notice, Customer will include any Users that exceed the Service Capacity set forth in an applicable Service Order Form, and the date(s) on which such Users were first utilized. Company will invoice Customer for such additional usage charges at the rates set forth in the applicable Service Order Form and Customer will pay the invoice no later than thirty (30) days from the date of receipt.
  4. PAYMENT OF FEES
    1. Customer will pay Company the then applicable fees described in the Service Order Form for the Services and Implementation Services in accordance with the terms therein (the “Fees”). If Customer’s use of the Services exceeds the Service Capacity set forth on the Order Form (including by usage of more than set forth in the Order Form) or otherwise requires the payment of additional fees (per the terms of this Agreement), Customer shall be billed for such usage and Customer agrees to pay the additional fees in the manner provided herein. If Customer believes that Company has billed Customer incorrectly, Customer must contact Company no later than 60 days after the closing date on the first billing statement in which the error or problem appeared, in order to receive an adjustment or credit. Inquiries should be directed to the Company's customer support department.
    2. Company may choose to bill through an invoice, in which case, full payment for invoices issued in any given month must be received by the Company thirty (30) days after the mailing date of the invoice. Unpaid amounts are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all expenses of collection and may result in immediate termination of Service. Customer shall be responsible for all federal, state, local, sales, use, value added, excise, or other taxes, fees, or duties arising out of this Agreement or the transactions contemplated by this Agreement (other than U.S. taxes based on the Company's net income). To the extent that Company is or becomes required to collect and withhold such taxes from Company, these will be added to Company invoices if and when applicable.
  5. Purchasing Through an Upbound Partner

    This Agreement specifies the terms and conditions under which Upbound products and services will be provisioned by Upbound to Customer, whether purchased directly through Upbound or indirectly through a Partner. Purchases through a Partner will be placed through a separate agreement or ordering document between Customer and an Upbound Partner (the “Partner Sales Agreement”) which shall address, as between Customer and Partner, any terms and conditions relating to the quantity of products and services purchased, fees, payment (including any applicable refunds), taxes, and renewals. The Partner Sales Agreement is between Customer and the Upbound Partner and is not binding on Upbound, and any disputes related to the Partner Sales Agreement shall be handled directly between Customer and the Upbound Partner. In the event of any conflict between this Agreement and a Partner Sales Agreement, this Agreement shall govern as between Upbound and Customer. Customer understands and agrees that certain Upbound products or services purchased through a Partner are subject to additional product-specific terms.

  6. TERM AND TERMINATION
    1. Subject to earlier termination as provided below, this Agreement is for the Initial Service Term as specified in a Service Order Form and shall be renewed for additional periods upon mutual agreement of a renewal period and fees as set forth in a separately executed Service Order Form (collectively, the “Term”).
    2. In addition to any other remedies it may have, either party may also terminate this Agreement upon thirty (30) days’ written notice (or without notice in the case of nonpayment), if (1) the other party materially breaches any of the terms or conditions of this Agreement and such default continues un-remediated through the notice period or (2) immediately in the event the other party ceases to operate in the ordinary course, makes an assignment for the benefit of creditors, or becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors. In addition, Company may also terminate a free or trial account at any time in its sole discretion. Customer will pay in full for the Services up to and including the last day on which the Services are provided. Any usage of the Services outside of the Term will be charged at the then-current list price. All sections of this Agreement which by their nature should survive termination will survive termination, including, without limitation, accrued rights to payment, confidentiality obligations, warranty disclaimers, and limitations of liability.
  7. WARRANTIES AND DISCLAIMERS

    Company shall use reasonable efforts consistent with prevailing industry standards to maintain the Services in conformance to and materially function as described in the respective Documentation and shall perform the Implementation Services in a professional and workmanlike manner. Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Company or by third-party providers, or because of other causes beyond Company’s reasonable control, but Company shall use reasonable efforts to provide advance notice in writing or by e-mail of any scheduled service disruption. COMPANY AND ITS OWNERS, EMPLOYEES, AGENTS, AFFILIATES, AND LICENSORS MAKE NO REPRESENTATION, WARRANTY, OR GUARANTEE THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR FREE; NOR DO THEY MAKE ANY REPRESENTATION, WARRANTY OR GUARANTEE AS TO THE RELIABILITY, QUALITY, PERFORMANCE, SUITABILITY, RESULTS, TRUTH, AVAILABILITY, ACCURACY OR COMPLETENESS OF THE SERVICES. EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION, THE SERVICES AND IMPLEMENTATION SERVICES ARE PROVIDED “AS IS” AND COMPANY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

  8. LIMITATION OF LIABILITY

    NOTWITHSTANDING ANYTHING TO THE CONTRARY, EXCEPT FOR BODILY INJURY OF A PERSON, COMPANY AND ITS SUPPLIERS (INCLUDING BUT NOT LIMITED TO ALL EQUIPMENT AND TECHNOLOGY SUPPLIERS), OFFICERS, AFFILIATES, REPRESENTATIVES, CONTRACTORS AND EMPLOYEES SHALL NOT BE RESPONSIBLE OR LIABLE WITH RESPECT TO ANY SUBJECT MATTER OF THIS AGREEMENT OR TERMS AND CONDITIONS RELATED THERETO UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY: (A) FOR ERROR OR INTERRUPTION OF USE OR FOR LOSS OR INACCURACY OR CORRUPTION OF DATA OR COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES OR TECHNOLOGY OR LOSS OF BUSINESS; (B) FOR ANY INDIRECT, EXEMPLARY, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES; (C) FOR ANY MATTER BEYOND COMPANY’S REASONABLE CONTROL; OR (D) FOR ANY AMOUNTS THAT, TOGETHER WITH AMOUNTS ASSOCIATED WITH ALL OTHER CLAIMS, EXCEED THE FEES PAID BY CUSTOMER TO COMPANY FOR THE SERVICES UNDER THIS AGREEMENT IN THE 12 MONTHS PRIOR TO THE ACT THAT GAVE RISE TO THE LIABILITY, IN EACH CASE, WHETHER OR NOT COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

  9. MISCELLANEOUS

    If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable. This Agreement is not assignable, transferable or sublicensable by Customer except with Company’s prior written consent. Company may transfer and assign any of its rights and obligations under this Agreement without consent. This Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement, and that all waivers and modifications must be in a writing signed by both parties, except as otherwise provided herein. No agency, partnership, joint venture, or employment is created as a result of this Agreement and the Customer does not have any authority of any kind to bind the Company in any respect whatsoever. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and reasonable attorneys’ fees. All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and upon receipt, if sent by certified or registered mail, return receipt requested. This Agreement shall be governed by the laws of the State of Delaware without regard to its conflict of laws provisions. 
If either party brings against the other party any proceeding in connection with this Agreement, that party may bring that proceeding only in the United States District Court for the Western District of Washington or, only if there is no federal subject matter jurisdiction, in the Superior Court for the County of King, and each party submits to the exclusive jurisdiction of those courts for purposes of any such proceeding. Company may use the Customer's logo on its website during the Term and will remove it upon expiration or termination of the Agreement. The parties shall work together in good faith to issue at least one mutually agreed upon press release within 90 days of the Effective Date, and the Customer otherwise agrees to reasonably cooperate with the Company to serve as a reference account upon request. Company shall not be liable for any delay or failure in performance of any part of this Agreement to the extent that such delay is caused by a Force Majeure Event. Nothing in this Agreement will preclude or limit Company from providing the Services to other customers. If this Agreement or a Service Order Form is terminated for any reason, Sections 2.3, 3.1, 3.2, 4, 6-8 of this Agreement (as the same are incorporated into each Order Form) will survive such termination.

Exhibit A - Definitions

This Exhibit A to the Master Services Agreement between Company and Customer (the “Agreement”) forms part of the Agreement and is subject to the terms and conditions of the Agreement. Any capitalized terms not defined in this Exhibit A have the meaning indicated elsewhere in the Agreement (including its exhibits or Service Order Forms).

The following definitions apply to the Agreement:

  1. “Affiliate” means an Entity that controls, is controlled by, or under common control with Company or Customer, as applicable. An Entity has “Control” when it possesses, directly or indirectly, the power to direct management through the ownership of fifty percent (50%) or more of its voting or equity securities, contract, voting trust or otherwise. “Entity” means a corporation, limited liability company, partnership, sole proprietorship, trust, association, or any other legally recognized entity or organization.

  2. “Applicable Laws” means any and all governmental laws, rules, directives, regulations or orders that are applicable to a particular Party’s performance under this Agreement.

  3. “Company Technology” means Company’s proprietary technology (including software, hardware, products, processes, algorithms, user interfaces, APIs, know-how, techniques, designs and other tangible or intangible technical material or information) made available to Customer by Company in connection with providing the Service.

  4. “Proprietary Information” means information and tangible materials disclosed by the Disclosing Party to the Receiving Party in connection with the Parties’ relationship under the Agreement that business, technical or financial information relating to the Disclosing Party’s business. Proprietary Information of Company includes non-public information regarding features, functionality and performance of the Service. Proprietary Information of Customer includes Customer Data. “Proprietary Information” will not, however, include information or materials the Receiving Party can prove through verifiable, objective evidence:
    (a) became part of the public domain without breach of the Agreement;
    (b) was known to the Receiving Party prior to its receipt from the Disclosing Party;
    (c) was rightfully received from a third-party that did not acquire or disclose such information or materials by a wrongful or tortious act or in breach of any confidentiality obligation to the Disclosing Party; or
    (d) was developed independently by or for the Receiving Party without use of or reference to any Confidential Information of the Disclosing Party.

  5. “Customer Data” means: any data, information, materials or multimedia content relating to Customer, Affiliates, or a User that Customer provides or submits in the course of using the Software and Services.

  6. “Documentation” means Company’s standard user manuals, guides, specifications, technical documentation, “best practices” materials, or other documentation provided by Company in connection with Customer’s access to and use of the Service, and any related documentation as may be modified by or on behalf of Company from time to time.

  7. “Force Majeure Event” means reason of acts of God, wars, revolution, civil commotion, acts of public enemy, embargo, acts of government in its sovereign capacity, pandemic, or any other circumstances beyond the reasonable control and not involving any fault or negligence of the delayed Party.

  8. “Hosting Services” means the specific edition of Company’s cloud hosting platform and associated services provided to Customer, to which Customer subscribes through a Service Order Form, including without limitation the Service, Company Technology, and Documentation, and any other ancillary online or offline products or services provided to Customer. The Hosting Services are developed, operated, and maintained by Company, and accessible via Company’s website, Company APIs, mobile application, and/or any other designated website, venue or IP address.

  9. “Implementation Services” means those services performed by Company to bring Customer’s solution to production as outlined in a Statement of Work attached to a Service Order Form.

  10. “Intellectual Property Rights” means: (a) unpatented inventions, patent applications, patents, design rights, copyrights, trademarks, service marks, trade names, domain name rights, mask work rights, and all other intellectual property rights, derivatives thereof, and forms of protection of a similar nature anywhere in the world including, without limitation, with respect to all computer software, software design, software code, software architecture, firmware, programming tools, graphic user interfaces, reports, dashboard, business rules, use cases, screens, alerts, notifications, drawings, specifications and databases; and (b) all moral rights; trade secrets and other rights with respect to confidential or proprietary information; know-how; other rights with respect to inventions, discoveries, ideas, improvements, techniques, formulae, algorithms, processes, schematics, testing procedures, technical information and other technology.

  11. “Services” means (a) any Company proprietary software and other software programs branded by Company, its affiliates and/or third parties including all modifications, additions or further enhancements thereto, (b) the standard specifications applicable to each type of software, which are made available to Customer by Company, as covered in each applicable Service Order Form, and/or (c) the Hosting Services.

  12. “Service Capacity” means the total number of active Users for which Customer has paid the applicable Fees set forth in a Service Order Form.

  13. “User” means an employee, agent, representative, consultant, or contractor of Customer or its Affiliates for whom subscriptions to the Software and Services has been purchased pursuant to the terms of the applicable Service Order Form and this Agreement who is authorized to use the Services.

Exhibit B - Uptime

Company shall use commercially reasonable efforts to make the Services available ninety-nine point nine percent (99.9%), measured on a per-calendar month basis, excluding Scheduled Maintenance. If Customer requests maintenance during these hours, any uptime or downtime calculation will exclude periods affected by such maintenance. Further, any downtime resulting from outages of third-party connections or utilities or other reasons beyond Company’s control will also be excluded from any such calculation. Customer's sole and exclusive remedy, and Company's entire liability, in connection with Service availability shall be that for each period of downtime lasting longer than 4 hours, Company will credit Customer 2% of Services fees for each period of 60 or more consecutive minutes of downtime; provided that no more than one such credit will accrue per day. Downtime shall begin to accrue as soon as Customer (with notice to Company) recognizes that downtime is taking place, and continues until the availability of the Services is restored. In order to receive downtime credit, Customer must notify the Company in writing within twenty-four (24) hours from the time of downtime, and failure to provide such notice will forfeit the right to receive downtime credit. Such credits may not be redeemed for cash and shall not be cumulative beyond a total of credits for one (1) week of Service Fees in any one (1) calendar month in any event. Company will only apply a credit to the month in which the incident occurred. Company’s blocking of data communications or other Service in accordance with its policies shall not be deemed to be a failure of Company to provide adequate service levels under this Agreement.

Exhibit C - Support Terms

Upbound offers a support plan as a part of UpboundCare. Each support ticket you open with the Upbound team will be assigned a severity. The severity can be set by you when you are initially creating the ticket, and this severity directly impacts the response time from the UpboundCare team.

Severity Definitions

| Severity | Definition |
| --- | --- |
| Severity 1 | Any error reported by the customer in production where the majority of users for a particular part of the software are affected, the error has high visibility, there is no workaround, and it is affecting revenue. |
| Severity 2 | Any error reported by the customer in production where the majority of users for a particular part of the software are affected, the error has high visibility, a workaround may be available; however, performance may be degraded or functions limited and it is affecting revenue. |
| Severity 3 | Any error reported by the customer where the majority of users for a particular part of the software are affected, the error has low to medium visibility, a workaround is available; however, performance may be degraded or functions limited and it is NOT affecting revenue. |
| Severity 4 | Any error reported by the customer where a single user is severely affected or completely inoperable or a small percentage of users are moderately affected or partially inoperable and the error has limited business impact. |

| | Basic | Premier | Priority |
| --- | --- | --- | --- |
| # of Allowed Case Submitters | 2 | 4 | Unlimited |
| 24/7 “Follow the Sun” Coverage | N/A | Sev 1 | Sev 1-2 |
| 12/5 Coverage | 8/5 coverage | Sev 2-4 | Sev 3-4 |
| Initial Response Time Targets: Severity 1 | N/A | 4 hours | 1 hour |
| Initial Response Time Targets: Severity 2 | N/A | 4 business hours | 2 hours |
| Initial Response Time Targets: Severity 3 | 2 business days | 8 business hours | 4 business hours |
| Initial Response Time Targets: Severity 4 | 4 business days | 2 business days | 1 business day |
| Support Account Management | N/A | N/A | Included |
| Private Slack Channel | N/A | N/A | Included |
| Advanced Support Services | N/A | N/A | Included |
| Reporting & Operational Reviews | N/A | N/A | Included |
| Proactive Oversight & Management | N/A | N/A | Included |
| Onsite Visits | N/A | N/A | Available |

Exhibit D - Data Security Rider

  1. SECURITY; SYSTEM PROTECTION
    1. Safeguarding Customer Data. Company agrees to safeguard Customer Data in accordance with this Data Security Rider. Company will not disclose, transfer or use any Customer Data for any purpose other than to perform its obligations under this Agreement. Company will promptly overwrite (e.g., with “X”s) any such information upon and pursuant to Customer’s written or email notice.
    2. System Protection & Recovery. Company will protect its computer and operations systems against outages using standard industry methods designed to prevent outages and minimize impacts during any unavoidable service interruptions, including ensuring that (a) its computer system is UPS protected, backed up automatically, and (b) it has implemented and regularly tests a disaster recovery or business continuity plan for its facilities where Customer Data is stored or processed.
  2. CUSTOMER SECURITY POLICY
    1. Basic Security Requirements
      1. Install and maintain a working network firewall to protect data accessible via the Internet.
      2. Keep security patches up-to-date.
      3. Encrypt data sent across open networks.
      4. Use and regularly update anti-virus software.
      5. Don't use supplier-supplied defaults for system passwords and other security parameters.
      6. Mandate the use of “strong passwords” on all systems or, in the absence of a mandatory (system enforced) password quality checker, enforce account lockout after no more than 10 consecutive incorrect password attempts.
      7. For systems containing customer information, mandate use of “strong passwords” with multi-factor authentication.
      8. Regularly test security systems and processes.
      9. Maintain a policy that addresses information security for employees and suppliers.
      10. Restrict physical access to systems containing Customer Data.
      11. Restrict remote access to the entire network and employ remote access controls to verify the identity of users connecting.
      12. Protect on-site and off-site backups from unauthorized access during transit and storage.
      13. In the event that Company needs to revert any data to a backup for the purposes of disaster recovery, all Customer Data contained in the backup that is required to be deleted pursuant to this Agreement will be deleted or overwritten within 24 hours.
    2. Security Audits
      1. If requested by Customer, Company will undergo a security audit.
      2. Customer reserves the right to periodically audit the systems that Company uses to store the Customer Data, upon prior written notice to Company and during Company’s normal business hours; provided, that, no more than one such audit shall be made during any 12 month period during the term of this Agreement; provided further that the foregoing restriction will not apply in the event of any security breach related to or in connection with Customer Data.
    3. Data Transmission
      1. Company agrees to meet industry level standards for protecting the confidentiality and integrity of data transmissions. Approved mechanisms for data transmission may include:
        1. XML/HTTP over SSL, with certificate-based authentication utilizing a 2048-bit (or larger) RSA public key, and 128-bit (or stronger) symmetric encryption.
        2. Digitally signed and encrypted S/MIME messages over HTTP or SMTP, using certificates with a 2048-bit (or larger) RSA public key, and 128-bit (or stronger) symmetric encryption.
        3. Digitally signed and encrypted PGP (Pretty Good Privacy) or GPG (Gnu Privacy Guard) messages over a variety of transports, with 2048-bit (or larger) RSA or DH/DSS public keys, and 128-bit (or stronger) symmetric encryption.
      2. For all message-based encryption schemes employing digital signatures (including PGP and S/MIME), Company will verify the digital signature of the message and reject messages with invalid signatures.
      3. For all encryption schemes employing public key cryptography, Company will ensure the confidentiality of the private component of the public-private key pair, and will promptly notify Customer in the event that the private key is compromised.
      4. In general, the mechanism choice will depend on a number of factors such as technical capability, transaction volume, latency requirements, availability requirements, and will be chosen by mutual agreement.
    4. Data Retention
      1. Customer has no obligation to provide any Customer Data to Company.
      2. Company will retain Customer Data only for as long as is necessary to perform the Services.
      3. Company will delete all live (online or network accessible) instances of the Customer Data within 30 days after completion of the Services or termination or expiration of this Agreement.
    5. Forensic Destruction. Prior to disposing of any hardware, media, or software (including any sale or transfer of such hardware, media, or software, any disposition in connection with any liquidation of Company’s business, or any other disposition) that contains, or has at any time contained, Customer Data, Company will perform a complete forensic destruction of the Customer Data in such hardware or software such that none of such Customer Data can be recovered or retrieved. Such forensic destruction may include: (a) physical destruction, particularly incineration; or (b) secure data wipe.
    6. Security Incidents. Company will notify Customer within 48 hours of detecting any actual or suspected unauthorized access, use, disclosure, acquisition, corruption or loss of Customer Data, or breach of any environment (a) containing Customer Data, or (b) managed by Company with controls substantially similar to those protecting Customer Data (any such incident, a “Security Incident”). Company will remedy any Security Incident in a timely manner and provide Customer written details regarding Company’s internal investigation regarding any Security Incident. Company agrees not to notify any regulatory authority, nor any customer, on behalf of Customer unless Customer specifically requests in writing that Company does so. Company will cooperate and work together with Customer to formulate and execute a plan to rectify all confirmed Security Incidents.