MASTER SERVICE AGREEMENT

This Master Service Agreement (this “Agreement”) is made by and between Permiso Security Inc., a Delaware corporation (“Permiso”), and Customer (as defined below) to govern Customer’s use of the Service (as defined below).

“Customer” means the person or entity that accepts and agrees to this Agreement, whether by clicking a box indicating its acceptance, navigating through a login page where a link to this Agreement is provided, or executing an Order Form that references this Agreement. If Customer and Permiso have executed a written agreement governing Customer’s access to and use of the Service, then the terms of such signed agreement will govern and will supersede this Agreement.

This Agreement is effective as of the earlier of the date that Customer accepts the terms of this Agreement as indicated above or first accesses or uses the Service (the “Effective Date”). Permiso reserves the right to modify or update the terms of this Agreement in its discretion, the effective date of which will be the earlier of (i) 30 days from the date of such update or modification and (ii) Customer’s continued use of the Service.

1.              DEFINITIONS

The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of the Agreement or an Order Form.

"Access Point" means the login credentials, API token, or other mechanism by which Customer provides Permiso with access to a Customer Environment.

“Affiliate” means, with respect to an entity, any entity or person which directly or indirectly controls, is controlled by, or is under common control with that entity.

"Beta Features" means any Service features, functionality, or services which Permiso may make available to Customer to try at no additional cost, and which is designated as beta, trial, non-production or another similar designation.

“Connection Data” means Access Point tokens / keys, usernames, IP addresses, IP address-derived geolocation, and user agent data associated with Monitored Identities.

“Control Plane Data” means control plane data regarding the Monitored Environment, such as commands that have been executed to add, modify, or delete settings within the Monitored Environment and excludes, for example, any data packets within the Monitored Environment.

“Customer Data” means Connection Data and Control Plane Data.

"Customer Environment" means a computing environment (such as an AWS instance) owned or controlled by Customer, to which Customer provides Permiso with access via an Access Point so Permiso can provide the Service.

“Documentation” means the written or online documentation regarding the Service made available by Permiso.

"Monitored Identity” means a single human-managed or software-managed user identity within a Customer Environment.

“Order Form” means each order document submitted to Permiso by Customer or a reseller and accepted by Permiso to purchase a Subscription to the Service setting forth the start date and end date of the Subscription Term, the Service being purchased, and agreed upon pricing. Upon execution, each Order Form is incorporated herein by reference.

“Service” means Permiso’s proprietary software-as-a-service solution for use by Customer for the purpose of detecting and understanding cloud security threats. The Service includes the Documentation, and all modifications, updates, and upgrades thereto and derivative works thereof.

“Service Level Agreement” means the Service Level Agreement attached hereto as Exhibit A.

“Subscription” has the meaning ascribed to it in Section 2.1.

“Subscription Term” means the length of the Subscription set forth on the applicable Order Form.

“Support” means the technical support services set forth on Exhibit B.

“Users” means individuals or entities that are authorized by Customer to use the Service.

2.  ACCESS TO AND USE OF SERVICES

2.1 Right to Access and Use Service. Subject to the terms of this Agreement, Permiso grants Customer a royalty-free, nonexclusive, nontransferable, worldwide right during each Subscription Term to use the Service described in the applicable Order Form for up to the number of Monitored Identities and other usage limits identified on the Order Form (together, the “Subscription”).

2.2 Restrictions. Customer will not: (i) access (or allow a third party to access) the Service in order to monitor the availability, security, performance, or functionality of the Service, or benchmark the Service, for any competitive purposes without Permiso’s express written consent; (ii) market, sublicense, resell, lease, loan, transfer, or otherwise commercially exploit or make the Service available to any third party; (iii) modify, create derivative works, decompile, reverse engineer, attempt to gain access to the source code, or copy the Service, or any of their components; (iv) use the Service to conduct any fraudulent, malicious, or illegal activities (each of (i) through (iv), a “Prohibited Use”).

2.3 Access Points. For Permiso to provide the Service, Customer must configure an Access Point to each applicable Customer Environment. It is Customer’s responsibility to properly configure Access Points to provide the minimum access necessary for the Service to function (e.g., read-only access to Control Plane Data). Permiso will not be responsible for misconfigured Access Points.

2.4 Beta Features. Beta Features made available by Permiso are provided to Customer for testing purposes only. Permiso makes no commitments to provide Beta Features in any future versions of the Service. Customer is not obligated to use Beta Features. Permiso may immediately and without notice remove Beta Features for any reason without liability to Customer. Notwithstanding anything to the contrary in this Agreement, Permiso does not provide Support for Beta Features. All Beta Features are provided "AS IS" without warranty of any kind.

3.  PERMISO OBLIGATIONS

3.1 General. Permiso is responsible for providing the Service in conformance with this Agreement, the Order Form(s), and applicable Documentation.

3.2 Availability. Permiso uses its best efforts to ensure that the Service is available in accordance with the terms of the Service Level Agreement set forth in Exhibit A, which sets forth Customer’s remedies for any interruptions in the availability of the Service.

3.3  Support. If Customer experiences any errors, bugs, or other issues in its use of the Service, then Permiso will provide Support as set forth in Exhibit B. The fee for Support is included in the cost of the subscription set forth on the Order Form.

4. TERM AND TERMINATION

4.1  Term. The term of this Agreement will commence on the Effective Date and will continue for as long as there is an active Subscription (the “Term”).

4.2  Termination for Cause. Either party may terminate this Agreement or any active Subscription for cause (i) following written notice to the other party of a material breach if such breach remains uncured 30 days after the date of the notice, or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.

4.3  Termination for Convenience. Customer may terminate this Agreement or any active Subscription for any reason or no reason upon 30 days’ written notice to Permiso; however, in such case, Customer will not be entitled to a refund.  

4.4  Effect of Termination. If Customer terminates this Agreement or any active Subscription in accordance with Section 4.2, then Customer will be entitled to a refund equal to the pro rata portion of any prepaid fees allocable to the remaining Subscription Term.

4.5 Survival. The following provisions will survive any expiration or termination of the Agreement: Sections 6; 7; 9; 12; and 14.

5.  FEES AND PAYMENT

5.1  Fees. Customer will pay the fees for the Subscription set forth on the applicable Order Form. Following execution of the Order Form, Permiso will submit an invoice to Customer for the Subscription, and payment will be due within 30 days of the invoice date unless different terms are set forth on the Order Form (the “Due Date”).

5.2  Taxes. The fees payable hereunder are exclusive of any sales taxes (unless included on the invoice), or similar governmental sales tax type assessments, excluding any income or franchise taxes on Permiso (collectively, “Taxes”) with respect to the Service provided to Customer. Unless Customer provides Permiso with a valid exemption certificate, Customer is solely responsible for paying all Taxes associated with or arising from this Agreement.

5.3  Over-subscription. If Customer uses the Service in excess of the number of Monitored Identities or other usage limits specified on the applicable Order Form, and the excess number remains in use for more than 30 days, then Customer will sign an Order Form for, or pay Permiso for, the excess at the per-unit price indicated on the most recent Order Form during each month that the excess remains in use for at least one day.

6.  CONFIDENTIALITY

6.1 Confidential Information. Except as explicitly excluded below, any information of a confidential or proprietary nature provided by a party (the “Disclosing Party”) to the other party (the “Receiving Party”) constitutes the Disclosing Party’s confidential and proprietary information (“Confidential Information”). Permiso’s Confidential Information includes the Service and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data. Confidential Information does not include information which is (i) already known by the Receiving Party without an obligation of confidentiality other than pursuant to this Agreement; (ii) publicly known or becomes publicly known through no unauthorized act of the Receiving Party; (iii) rightfully received from a third party without a confidentiality obligation to the Disclosing Party; or (iv) independently developed by the Receiving Party without access to the Disclosing Party’s Confidential Information.

6.2 Confidentiality Obligations. Each party will use the Confidential Information of the other party only as necessary to perform its obligations under this Agreement, will not disclose the Confidential Information to any third party, and will protect the confidentiality of the Disclosing Party’s Confidential Information with the same standard of care as the Receiving Party uses or would use to protect its own Confidential Information, but in no event will the Receiving Party use less than a reasonable standard of care. Notwithstanding the foregoing, the Receiving Party may share the other party’s Confidential Information with those of its employees, agents and representatives who have a need to know such information and who are bound by confidentiality obligations at least as restrictive as those contained herein (each, a “Representative”). Each party shall be responsible for any breach of confidentiality by any of its Representatives.

6.3 Additional Exclusions. A Receiving Party will not violate its confidentiality obligations if it discloses the Disclosing Party’s Confidential Information if required by applicable laws, including by court subpoena or similar instrument so long as the Receiving Party provides the Disclosing Party with written notice of the required disclosure so as to allow the Disclosing Party to contest or seek to limit the disclosure or obtain a protective order. If no protective order or other remedy is obtained, the Receiving Party will furnish only that portion of the Confidential Information that is legally required, and agrees to exercise reasonable efforts to ensure that confidential treatment will be accorded to the Confidential Information so disclosed.

7.  DATA PROCESSING & PROTECTION

7.1  Data Processing. Permiso uses Customer Data during the Term to develop, maintain, and improve the Service, and to provide the Service to Customer, and Customer grants Permiso a limited license to do so.

7.2 Security & Data Processing. Permiso maintains reasonable physical, technical, and administrative safeguards in order to protect Customer Data and assist Customer with securing its own account in its use of the Service, and will make its most recent SOC 2 Type II report available for Customer’s review upon request. Permiso will process Customer Data only for the purposes set forth in this Agreement.

7.3  Data Retention & Deletion. Except as required by law or legal process, Permiso will delete all Customer Data from its systems within 30 days of, and all reports and analyses generated by Permiso one year after, expiration or termination of the Order Form, unless Customer requests that they be deleted sooner. Requests to retain Customer Data for longer may incur an additional fee to be agreed upon in an addendum or additional Order Form.

8.  OWNERSHIP

8.1  Permiso Property. Permiso owns and retains all right, title, and interest in and to the Service. Except for the limited license granted to Customer in Section 2.1, Permiso does not by means of this Agreement or otherwise transfer any rights in the Service to Customer, and Customer will take no action inconsistent with Permiso’s intellectual property rights in the Service.

8.2 Feedback. Customer may provide comments, suggestions and recommendations to Permiso regarding the Service such as modifications, enhancements, improvements and other changes (collectively, “Feedback”). Permiso may freely use and exploit any such Feedback without any obligation to Customer.

8.3  Customer Property. Customer owns and retains all right, title, and interest in and to the Customer Data, and does not by means this Agreement or otherwise transfer any rights in the Customer Data to Permiso, except for the limited licenses set forth in Section 7.1.

9.  REPRESENTATIONS AND WARRANTIES

9.1  Mutual Representations and Warranties. Each party represents and warrants it has validly entered into this Agreement and has the legal power to do so.

9.2  Limited Warranty. Permiso warrants that the Service will (i) conform with the Documentation, and (ii) be provided in a manner consistent with generally accepted industry standards.

9.3  Disclaimer. WITH THE EXCEPTION OF THE LIMITED WARRANTIES SET FORTH IN THIS SECTION 9, THE SERVICE AND BETA FEATURES ARE PROVIDED “AS IS” TO THE FULLEST EXTENT PERMITTED BY LAW. PERMISO AND ITS LICENSORS EXPRESSLY DISCLAIM ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF PERFORMANCE, MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSES, AND NON-INFRINGEMENT. PERMISO DOES NOT WARRANT THAT THE SERVICE OR BETA FEATURES (A) ARE ERROR-FREE, (B) WILL PERFORM UNINTERRUPTED, OR (C) WILL MEET CUSTOMER’S REQUIREMENTS.

10.  INSURANCE

10.1  Permiso will maintain in full force and effect during the Term:

(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;

(b) Worker’s compensation insurance as required by applicable law; and

(c) Technology Errors & Omissions and Cyber-risk on an occurrence or claims-made form, for limits of not less than $3,000,000 annual aggregate covering liabilities for financial loss resulting or arising from acts, errors or omissions in the rendering of the Service, or from data damage, destruction, or corruption, including without limitation, unauthorized access, unauthorized use, virus transmission, denial of service, and violation of privacy from network security failures in connection with the Service.

10.2  Insurance carriers will be rated A-VII or better by A.M. Best Provider. Permiso’s coverage will be considered primary without right of contribution of Customer’s insurance policies. In no event will the foregoing coverage limits affect or limit in any manner Permiso’s contractual liability for indemnification or any other liability of Permiso under this Agreement.

11.  INDEMNIFICATION

11.1 By Permiso. Permiso will indemnify, defend, and hold Customer, its Affiliates, and their respective owners, directors, members, officers, and employees (collectively, “Customer Indemnitees”) harmless from and against any claim, action, demand, suit or proceeding made or brought by a third party (each a “Claim”) against any of the Customer Indemnitees alleging that Customer’s use of the Service infringes or misappropriates any patent, trademark, copyright, or any other intellectual property of such third party. Permiso will pay any settlement of such Claim, and any damages finally awarded against any Customer Indemnitees by a court of competent jurisdiction as a result of any such Claim, so long as Customer (i) gives Permiso prompt written notice of the Claim, (ii) gives Permiso sole control of the defense and settlement of the Claim (provided that Permiso may not settle any Claim without the Customer Indemnitee’s written consent, which will not be unreasonably withheld), and (iii) provides to Permiso all reasonable assistance, at Permiso’s request and expense. If Customer’s right to use the Service hereunder is, or in Permiso’s opinion is likely to be, enjoined as the result of a Claim, then Permiso may, at Permiso’s sole option and expense procure for Customer the right to continue using the Service under the terms of this Agreement, or replace or modify the Service so as to be non-infringing and substantially equivalent in function to the claimed infringing or enjoined Service. Permiso will have no indemnification obligations under this Section 11.1to the extent that a Claim is based on or arises from: (a) use of the Service in a manner other than as expressly permitted in this Agreement; (b) any alteration or modification of the Service except as expressly authorized by Permiso; (c) the combination of the Service with any other software, product, or services (to the extent that the alleged infringement arises from such combination) not specifically authorized by Permiso or otherwise necessary for the Customer to use the Service; or (d) where the Claim arises out of specifications provided by Customer. This Section 11.1 sets forth Permiso’s sole and exclusive liability, and Customer’s exclusive remedies, for any Claim of infringement or misappropriation of intellectual property.

11.2 By Customer. Customer will indemnify, defend, and hold harmless Permiso, its Affiliates, and their respective owners, directors, members, officers, and employees (together, the “Permiso Indemnitees”) from and against any Claim against the Permiso Indemnitees related to (i) Customer’s or a User’s engaging in a Prohibited Use, and (ii) any grossly negligent acts or omissions of its Users. Customer will pay any settlement of and any damages finally awarded against any Permiso Indemnitee by a court of competent jurisdiction as a result of any such Claim so long as Permiso (a) gives Customer prompt written notice of the Claim, (b) gives Customer sole control of the defense and settlement of the Claim (provided that Customer may not settle any Claim without Permiso’s prior written consent which will not be unreasonably withheld), and (c) provides to Customer all reasonable assistance, at Customer’s request and expense.

12.  LIMITATIONS OF LIABILITY

12.1 NEITHER PARTY, NOR ITS AFFILIATES, NOR THE OFFICERS, DIRECTORS, EMPLOYEES, SHAREHOLDERS, OR REPRESENTATIVES OF ANY OF THEM, WILL BE LIABLE TO THE OTHER PARTY FOR ANY INCIDENTAL, INDIRECT, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES, THAT MAY ARISE OUT OF THIS AGREEMENT, EVEN IF THE OTHER PARTY HAS BEEN NOTIFIED OF THE POSSIBILITY OR LIKELIHOOD AND WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, SERVICES LIABILITY OR OTHERWISE.

12.2 EXCEPT WITH RESPECT TO EXCLUDED CLAIMS AND UNCAPPED CLAIMS, IN NO EVENT WILL THE COLLECTIVE LIABILITY OF EITHER PARTY, OR THEIR RESPECTIVE AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, SHAREHOLDERS, AGENTS AND REPRESENTATIVES, TO THE OTHER PARTY FOR ANY AND ALL DAMAGES, INJURIES, AND LOSSES ARISING FROM ANY AND ALL CLAIMS AND CAUSES OF ACTION ARISING OUT OF, BASED ON, RESULTING FROM, OR IN ANY WAY RELATED TO THIS AGREEMENT, EXCEED THE TOTAL AMOUNT OF FEES PAID OR PAYABLE BY CUSTOMER TO PERMISO FOR USE OF THE SERVICE UNDER THIS AGREEMENT. THE EXISTENCE OF MULTIPLE CLAIMS OR SUITS UNDER OR RELATED TO THIS AGREEMENT WILL NOT ENLARGE OR EXTEND THE LIMITATION OF MONEY DAMAGES.

12.3 “Excluded Claims” means any claim and/or liability associated with any breach by Permiso of Section 7.2 (Security). Permiso’s total, cumulative liability for all Excluded Claims will not exceed two times the total amount of fees paid by Customer to Permiso for use of the Service under this Agreement.

12.4 “Uncapped Claims” means any claim or liability associated with: (a) either party’s breach of confidentiality (but not relating to any liability associated with Permiso’s security obligations with respect to Customer Data which remains subject to the Excluded Claims cap); (b) either party’s respective indemnification obligations under Section 11; or (c) any liability of a party which cannot be limited under applicable law, including gross negligence, recklessness, or intentional misconduct.

13. RESELLER ORDERS

This Section applies to the extent that Customer orders the Service from an authorized reseller pursuant to an agreement with the reseller (a “Reseller Order”). With respect to Reseller Orders: (a) references to “Order Form” in this Agreement mean the applicable Reseller Order; (b) invoicing and payment of fees and taxes will be handled pursuant to the Reseller Order, with fees and taxes, where applicable, paid directly to the reseller; (c) any credits or refunds owed by Permiso will be provided to the reseller and not to the Customer; and (d) Permiso will have no responsibility or liability with respect to the reseller’s failure to make payments to Customer. No additional terms in any Reseller Order will apply to Permiso and this Agreement will prevail in the event of any conflict between it and any Reseller Order.

14. MISCELLANEOUS

This Agreement is the entire agreement between Customer and Permiso and supersedes all prior agreements and understandings concerning the subject matter hereof and may not be amended or modified except by a writing signed by both parties. Customer and Permiso are independent contractors, and this Agreement will not establish any relationship of partnership, joint venture, or agency between Customer and Permiso. Failure to exercise any right under this Agreement will not constitute a waiver. There are no third-party beneficiaries to this Agreement. This Agreement is governed by the laws of California without reference to conflicts of law rules. For any dispute relating to this Agreement, the Parties consent to personal jurisdiction and the exclusive venue of the courts in San Francisco County, California. Any notice to Customer under this Agreement will be in writing and sent by electronic mail to the address on file with Permiso and any notices to Permiso will be emailed to legal-notices@permiso.io. If any provision of this Agreement is found unenforceable, this Agreement will be construed as if it had not been included. Neither party may assign this Agreement without the prior, written consent of the other party, except that either party may assign this Agreement without such consent in connection with an acquisition of the assigning party or a sale of all or substantially all of its assets. This Agreement may be executed in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument. Facsimile or other electronic copies of such signed copies will be deemed to be binding originals.

EXHIBIT A

SERVICE LEVEL AGREEMENT

1. Definitions. For purposes of this Service Level Agreement (the “Service Level Agreement”), the following terms have the meaning ascribed to each term below:

“Downtime” means if Customer is unable to access the Service by means of a web browser as a result of failure(s) in the Service or architecture, as confirmed by Permiso.

“Monthly Uptime Percentage” means the total number of minutes in a calendar month minus the number of minutes of Downtime suffered in a calendar month, divided by the total number of minutes in a calendar month. 

“Service Credit” means the number of days that Permiso will add to the end of the Term, at no charge to Customer.

2. Service Level Warranty. During the Term, the Service will be available to Customer at least 99.99% of the time in any calendar month (the “Service Level Warranty”). If the Monthly Uptime Percentage does not meet the Service Level Warranty in any calendar month, and if Customer meets its obligations under this Agreement, then Customer will be eligible to receive Service Credit as follows:

3. Customer Must Request Service Credit. In order to receive Service Credit, Customer must notify Permiso within 30 days from the time Customer becomes eligible to receive a Service Credit under the terms of this Agreement. Failure to comply with this requirement will forfeit Customer’s right to receive Service Credit.
4. Maximum Service Credit.The aggregate maximum amount of Service Credit to be issued by Permiso to Customer for all Downtime that occurs in a single calendar month will not exceed 15 days. Service Credit may not be exchanged for, or converted into, monetary amounts.
5. Termination. If Customer receives a Service Credit for the lowest uptime percentage listed in Section 2 above (i.e., < 95.0%) for three consecutive months, or three months in any six consecutive months, then no later than 30 days after receipt of the third such Service Credit, Customer may terminate this Agreement in accordance with Section 4.2 of this Agreement.
6. Exclusions. The Service Level Warranty does not apply to any performance issues that (i) are caused by riots, insurrection, fires, flood, storm, explosions, acts of God, war, terrorism, earthquakes, or any other causes that are beyond Permiso’s reasonable control so long as Permiso uses commercially reasonable efforts to mitigate the effects of such force majeure, (ii) resulted from an Access Point, Customer’s equipment or third party equipment or service (e.g. Customer’s internet connection) or (iii) resulted from Customer’s violation of the Agreement.
7. Exclusive Remedy. This Service Level Agreement sets forth Customer’s sole and exclusive remedy for any failure by Permiso to meet the Service Level Warranty.

EXHIBIT B

SUPPORT SERVICES

This Support Exhibit sets forth the terms on which Permiso provides technical support (“Support”) to Customer (the “Support Exhibit”).

1. Definitions

“Error” means a failure of the Service to conform to the published specifications, resulting in the inability to use, or material restriction in the use of, the Service.

“Escalation” means the process by which Permiso will work continuously, and at multiple levels of its organization, to resolve an Error if not resolved within the specified Resolution Time set forth in Section 4, below

“Start Time” means the time at which Permiso first becomes aware of an Error during Permiso’s regular business hours, following initiation of a Support case by Customer in accordance with Sections 2 and 3, below.

2. During a Subscription Term, Permiso will provide the Support described in this Support Exhibit. Permiso provides Support during normal business hours (9am – 5pm, Pacific time, Monday - Friday).
3. Customer may initiate a Support case by emailing support@permiso.io or contacting Permiso via Slack at a designated channel (e.g. [customer]-permiso-collaboration). Customer may initiate an unlimited number of Support cases.
4. Priority Levels and Timeframes. Permiso will establish the Priority Level of an Error and the corresponding Support case in its sole discretion and will use its best efforts to adhere to the Response Times and Resolution Times set forth below. If an Error is not addressed within the Resolution Time set forth below, Permiso will commence an Escalation.

5. Conditions, Exclusions, and Termination.
   1. Conditions. Permiso’s obligation to provide Support is conditioned upon the following: (i) Customer makes reasonable efforts to solve the Error after consulting with Permiso; (ii) Customer provides Permiso with sufficient information and resources to correct the Error, as well as any and all assistance reasonably requested by Permiso; and (iii) Customer procures, installs, and maintains all equipment, telephone lines, communication interfaces and other hardware necessary to access and operate the Service.
   2. Exclusions. Permiso is not obligated to provide Support in the following situations: (i) the problem is caused by Customer’s negligence, hardware malfunction, or other causes beyond the reasonable control of Permiso; (ii) the problem is with third party software not licensed through Permiso; or (iii) Customer fails to pay any amount that is payable to Permiso within the timeframe for payment specified in the Agreement.
   3. Termination. Permiso reserves the right to conclude its performance of a Support case when, in its reasonable discretion, Permiso determines that it has provided a satisfactory resolution or workaround to the Error.