Pindrop Subscription Agreement for Marketplaces
This Pindrop Subscription Agreement for Marketplaces (the “Agreement”) details the terms and conditions applicable to any Products or Services of Pindrop Security, Inc. (“Pindrop”) that your company (“Company”) obtains via an Approved Marketplace or the related Services that Company obtains from Pindrop via a Direct Order. By entering into an Order, Company agrees to be bound by the terms and conditions in this Agreement. If Company does not agree to the terms and conditions of this Agreement, Company shall not and does not have the right to use any Pindrop Property (as defined below). Pindrop agrees to be bound by the terms of this Agreement upon acceptance of the order(s) it enters into pursuant to the Approved Marketplace relevant to the Marketplace Order(s) or the Direct Orders, as applicable. Capitalized terms have the meaning given in this Agreement.
1. Definitions.
(a) “Approved Marketplace” means the Google Cloud Marketplace, AWS Marketplace and Genesys’ AppFoundry Marketplace and such other comparable marketplaces that Pindrop elects to offer its Products and Services from time to time.
(b) “Authorized Geography” means the state or country, as reflected in an Order, in which Company is authorized to (i) have the Product analyze Calls made by Company’s customers also residing in such state or country. For example, if Company is authorized to access and use the Product in the United States, then the Company Phone Number(s) would be those Company Phone Number(s) that are intended for use by the Company’s United States-based customers as part of the Company’s United States-based business operations.
(c) “Call” means a phone call made to the Company Phone Number that is processed by a Product.
(d) “Call Heuristics” means the duration that a device’s touch keys are held down (i.e., the frequency of a caller pressing a device’s touch keys).
(e) “Call Processing Data” means the data (excluding CPNI) obtained by or from a telecommunications network with respect to a Call that is generally used for call routing purposes. Examples of Call Processing Data include any data used to initiate, route, exchange and complete call traffic that is internal to such network or networks during the call.
(f) “Company Call Center Infrastructure” means Company’s telephony solution with which Company will use a Product, as contemplated in this Agreement and/or Order.
(g) “Company Call Data” means the data and information that are uploaded, transmitted, input or otherwise provided or made available by Company in connection with a Product. The phone number from which a Call originates, audio (i.e., spoken content), signaling and call-related metadata from Company’s telecommunications network (including the Telco Network Call Data) and Digital Signal for a given Call are examples of Company Call Data.
(h) “Company Marketplace Agreement” means the written agreement between Company and the provider of the relevant Approved Marketplace pursuant to which Company orders a subscription to the Products and Services via such Approved Marketplace.
(i) “Company Phone Number” means the then-current phone number(s) designated by Company, where calls made to that number(s) will be analyzed by a Product.
(j) “Company Regulator” means any industry regulatory agency with supervisory authority over Company under applicable Laws.
(k) “Confirmed Fraud Call” means a Call that has been designated by Company through the user interface of the Product as being associated with fraudulent or suspicious activity during the course of Company’s use of Pindrop’s Product known as Pindrop® Protect or any subsequent Product(s) which also has the same functionality, as such functionality is described in the applicable Documentation.
(l) “Consortium Members” means Pindrop customers, government agencies, third party data providers, consumer agencies, credit lenders and other third parties that have themselves provided “fraudulent call data” to Pindrop or its affiliates.
(m) “CPNI” or “Customer Proprietary Network Information” means the data obtained by or from a telecommunications network with respect to a Call that relates to the quality, technical configuration, type, destination, location or amount of use of the voice service about the calls placed from a particular phone number or is the type of call-related data that would customarily appear on the customer’s bill who is purchasing the relevant telecommunications and interconnected VoIP services from a carrier partner. Examples of CPNI include the phone number of the calling party or called party, type of service the customer has ordered or the location of the customer or device.
(n) “Direct Order” means an order that references this Agreement and entered into directly between Company and Pindrop applicable to PS that Pindrop will perform with respect to a Product covered under a Marketplace Order.
(o) “Documentation” means any documentation, user guides and installation instructions provided by Pindrop to Company from time to time.
(p) “Digital Signal” means the digital signal used to transmit audio from the device and/or the telecommunications network.
(q) “DTMF” means the audio sound of the dual tone multiple frequency (i.e., the signal sent when a caller presses a device’s touch keys).
(r) “Feedback” means all ideas, suggestions, or similar information that Company provides or otherwise makes available to Pindrop or its affiliates with respect to the Products, Work Product or Services or any other Pindrop product or service offering.
(s) “Fraudulent Call Data” means the following data for a Confirmed Fraud Call: (i) a phone number; (ii) the timestamp, duration, type of number and geography metadata; (iii) call type (e.g., mobile or VOIP); (iv) the Pindrop Score (i.e., the numerical risk score assigned to the Call); and (v) system labels.
(t) “Laws” means all laws, statutes, regulations and other types of government authority, including without limitation, the laws and regulations governing data privacy or data protection.
(u) “Marketplace Order” means an order or comparable document entered into through the standard offer and order process for the given Approved Marketplace that describes the Product(s) and/or related Services that Pindrop will provide to Company under this Agreement via such Approved Marketplace.
(v) “Marketplace Provider” means the company who operates the Approved Marketplace (e.g., Google, AWS or Genesys).
(w) “Order” means a Marketplace Order or Direct Order, as applicable.
(x) “Outputs” means the data or information portion of a Product that are generated using Pindrop’s proprietary technology and applicable to a Product’s analysis of a particular Call (including, by way of example only, a Pindrop Score, system labels, Proprietary Prints or the audio recording of a Call, as applicable).
(y) “Pindrop-Controlled Systems” has the meaning assigned in Section 1 (Definitions) of Exhibit B (Pindrop Information Security and BCP Programs).
(z) “Pindrop Database” means Pindrop’s proprietary database that includes the Fraudulent Call Data as well as the same or similar data with respect to calls associated with fraudulent or suspicious activity provided by Consortium Members and other information derived from third party data providers and Pindrop’s or its affiliates’ own research efforts.
(aa) “Pindrop Property” has the meaning assigned in Section 7(d) (Pindrop Property) of this Agreement.
(bb) “Pindrop Score” means the scoring metrics, data or reasons for a scoring metric provided by Pindrop’s proprietary processes, including statistical and audio models (e.g., phoneprints), intended to predict the likelihood of a phone transaction being fraudulent or suspicious or from someone other than an authenticated caller, as applicable depending on the features and functionality of a given Product.
(cc) “Pre-GA Offering” means a product or potential new feature or functionality for an existing product for which Company has a subscription that is provided in a Pindrop-managed lab environment and identified as “beta,” “limited availability,” “pre-release” or similar designation or that is otherwise identified by Pindrop as unsupported.
(dd) “Product” means the product(s), including any Pre-GA Offerings, that are ordered by Company under a Marketplace Order or otherwise covered under a Direct Order.
(ee) “Professional Services” or “PS” means the implementation services (which may include installation, configuration, project management, process reviews and associated policy or procedure development, testing or go-live support), training or other optional services ordered by Company under a Direct Order.
(ff) “Project Closure Milestone” means the date on which the PS consisting of Pindrop’s configuration and/or provisioning of the Product or any other mutually agreed upon PS is deemed completed, as detailed in an Order.
(gg) “Proprietary Prints” means the numerical values generated by the Product that are a sequence of floating-point numbers, are not reversible into the original audio, are not composed of an audio wave file, and do not contain any actual recorded conversation. Examples of proprietary prints include: (i) Fakeprints (generic artifacts extracted to detect synthetic or recorded audio – not to identify a person); (ii) Toneprints (unique to device type and carrier – not person); (iii) Phoneprints (unique to device type, carrier and country location – not person; (iv) behaviour heuristics (e.g., keypress patterns on device such as to help detect human vs robotic characteristics); and (v) voice features.
(hh) “Services” means PS or Support Services ordered by Company under an Order.
(ii) “Subscription Start Date” has the meaning or date assigned in an Order, as applicable.
(jj) “Subscription Term” means the time period, starting on the Subscription Start Date, that Company has the right to use a Product and Services under an Order.
(kk) “Supplemental Product Terms” means the terms in Exhibit C (Implementation and Product-Specific Terms) that are relevant to one or more of the Products.
(ll) “Support Services” means Pindrop’s support and maintenance services included in the subscription for a given Product, as detailed in the Support Program Terms.
(mm) “Support Program Terms” means Pindrop’s standard support and maintenance services program applicable to the Products and available here or such other terms a copy of which has been provided to Company, as updated and/or supplemented by Pindrop from time to time upon notice to Company.
(nn) “Support Tools” means (i) software, web analytics tools or other technology used by Pindrop or its affiliates to (1) monitor, maintain or improve the performance, integrity or security of a Product; (2) identify portions of a Product that may require maintenance (including without limitation errors that may require correction); (3) understand user behavior with a given Product (e.g., what feature or functionality is preferred), which may include the recording of a User’s session while logged in to the Product; and (4) manage subscription-related metrics (e.g., quantity of Calls or expiration of a given Subscription Term); or (ii) cookies that are set on a User’s browser and used by Pindrop or its affiliates for the purpose of identifying Users and Company systems interacting with the Product or to logout a User after a period of inactivity, including the general location (e.g., city, state or country) of the IP addresses associated with Users who login into and use a Product.
(oo) “Telco Network Call Data” means, collectively, CPNI and Call Processing Data.
(pp) “User” means an individual who is authorized by Company to use a Product and who has been assigned by Company (or, when applicable, Pindrop or its affiliates at Company’s request), a user identification number and password in to access such Product.
(qq) “Work Product” means any inventions, discoveries, software or other works of authorship (including, without limitation, configuration of a Product, accuracy reports and other documentation), and other proprietary materials or work product developed by or for Pindrop or its affiliates, alone or with others, in the course of Pindrop’s performance of Services, including any and all related and underlying software, databases (including data models, structures, and non-Company specific data contained therein), specifications, technology reports and documentation.
2. Engagement Model.
Except as expressly provided otherwise in this Agreement, (a) as it relates to Marketplace Orders, Company shall look solely to the Marketplace Provider with respect to Company’s rights and obligations for the Products and Services (including payment of any applicable fees), as detailed in the Company Marketplace Agreement and Marketplace Order,; and (b) as it relates to Direct Orders, Company shall look solely to Pindrop with respect to Company’s rights and obligations for the Products and Services (including payment of applicable fees) as detailed in this Agreement and the relevant Direct Order.
3. General Pindrop Responsibilities.
(a) Provision of Products and Services. Pindrop will make the Products and Services available to Company (i) pursuant to this
Agreement and each applicable Order; and (ii) solely for lawful purposes and use.
(b) Protection of Company Data. During the Term of this Agreement and for as long as Pindrop maintains Company’s Confidential Information within the Pindrop-Controlled Systems (as defined in Exhibit B (Pindrop Information Security and BCP Programs)), Pindrop will have and maintain the information security program and safeguards as detailed Exhibit B (Pindrop Information Security and BCP Programs).
(c) Pindrop Personnel. Pindrop will be responsible for the performance of and compliance by its and its affiliates’ personnel
(including employees and contractors) with Pindrop’s obligations under this Agreement and each Order (as applicable), except as
otherwise specified in this Agreement. If Company determines, in its commercially reasonable judgment, that personnel assigned by
Pindrop do not possess suitable knowledge or expertise or have violated Company’s generally applicable working terms or conditions,
Company may request that Pindrop replace such personnel within a reasonable period of time.
4. Use of Products and Services.
(a) Subscriptions. Unless otherwise provided in the applicable Order, the Products and Services are purchased as subscriptions
for the Subscription Term. Company agrees that its purchases are not contingent on Pindrop’s delivery
of any future functionality or features, or dependent on any oral or written comments made by Pindrop regarding future functionality or
features.
(b) Access to and Use of Products and Services. Company has the right to access and use the applicable Products and
Services subject to the terms of the applicable Order, this Agreement and the Documentation.
(c) Support Terms. Unless provided otherwise in a Marketplace Order, (i) Pindrop will provide the Support Services during the Subscription Term, as detailed in the Support Program Terms; and (ii) Pindrop and its affiliates may use Support Tools. Notwithstanding anything to the contrary in this Agreement and subject to the use restrictions below, Company agrees that Pindrop and its affiliates can also collect, analyze, retain and use the usage, statistical, caller phone number, metadata and other log data collected by Support Tools or Product (the “Support Data”) to maintain, develop, manage, administer and improve Pindrop’s and its affiliates products and services, including the Products and Services and the AI Systems and AI Models (the “Product Improvement Purposes”). Except where Pindrop or its affiliates are using the Support Data for Company’s sole benefit in its provision of the Products and Services to Company (such as to respond to trouble tickets), Pindrop and its affiliates will only use the Support Data for Product Improvement Purposes if the Support Data has been aggregated with other comparable data from other customers and then implemented by Pindrop as a general, customer-agnostic improvement to the general usability or efficacy of Pindrop’s or its affiliates’ products and services (i.e., in a manner that does not identify Company or any individual person within Company as the source of that data or any individual or phone number of an individual who called Company for the benefit of other customers). Pindrop shall not and shall take reasonable measures to prevent the use of any Support Data as an input into any publicly available generative artificial intelligence or machine learning models. Company agrees that Pindrop’s and its affiliates’ right to retain and use the Support Data for Product Improvement Purposes shall survive any termination or expiration of this Agreement or any Marketplace Orders. Company is responsible for disclosing to and obtaining consent from its Users to the collection and use of Support Data, as required by applicable Laws.
For purposes of this Agreement, the following definitions apply:
“AI” means a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations or decisions influencing real or virtual environments. Artificial intelligence systems use machine and human-based inputs to: (i) perceive real and virtual environments; (ii) abstract such perceptions into models through analysis in an automated manner; and (iii) use model inference to formulate options for information or action.
“AI Model” means a component of an information system that implements AI technology and uses computational, statistical, or machine-learning techniques to produce outputs from a given set of inputs.
“AI System” means any data system, algorithm, software, hardware, application, tool, or utility that operates in whole or in part using AI.
“Machine Learning” means a set of techniques that can be used to train AI algorithms.
(d) General Company Responsibilities. Company will (i) be responsible for its Users’ compliance with this Agreement, Documentation and Orders; (ii) be responsible for the accuracy, quality and legality of Company Call Data, including as detailed in Section 8(d) (Company’s Responsibility Statement) of this Agreement; (iii) use commercially reasonable efforts to prevent unauthorized access to and use of the Products and Services, and notify Pindrop promptly of any such unauthorized access or use; (iv) use the Product(s) solely to perform phone number fraud verification and/or authentication for Company’s own products or services based on the features and functionality enabled in a given Product and for no other purpose (e.g., not for credit decisioning purposes or to determine a consumer’s eligibility for credit or insurance, or for any other permissible purpose set forth in the FCRA (as defined below)); and (v) except as expressly provided otherwise in this Agreement, be solely responsible for, and agrees to comply with, all applicable Laws with respect to its access and use of the Products and Services. For clarity, Pindrop is not a consumer reporting agency and none of the information provided through the Products constitutes a “consumer report”, as such term is defined in the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681 et seq.
(e) Restrictions. Company will not: (i) make any Pindrop Property available to anyone other than Company or Users, or use any
Pindrop Property for the benefit of anyone other than Company or its affiliates, unless expressly stated otherwise in this Agreement or
an Order; (ii) sell, resell, sublicense, distribute, rent or lease the Pindrop Property in any manner (including without limitation in any
service bureau or outsource offering); (iii) copy, modify or create derivative works of all or any portion of the Pindrop Property; (iv)
except to the extent permitted by applicable Law, disassemble, reverse engineer or decompile all or any portion of the Pindrop Property
in any manner; (v) frame or mirror any part of the Products, other than framing on Company’s own intranets or otherwise for its own
internal business purposes of as permitted in the Documentation; (vi) manually enter and/or import any Company Call Data into a
Product that would or could violate Payment Card Industry Data Security Standard (PCI DSS), as amended from time to time, including
by way of example only, a credit security validation (CSV) number and a credit card account number (the “PCI Restriction”); (vii)
attempt to gain unauthorized access to the Products or related systems or networks, or permit direct or indirect access to or use of the
Pindrop Property in a way that circumvents contractual usage or security restrictions; (viii) access or use the Pindrop Property to (A)
build a competitive product or service, (B) build a product or service using similar ideas, features, functions or graphics of the Pindrop
Property, or (C) copy any ideas, features, functions or graphics of the Pindrop Property; or (ix) directly or indirectly authorize any third
parties to do any of the foregoing. Any use of the Products in violation of this Agreement, the applicable Order or that in Pindrop’s
commercially reasonable business judgment threatens the security, integrity or availability of the Product to Pindrop’s or its affiliates’
customers, may result in immediate suspension of Company’s access to the Product. However, Pindrop will use commercially
reasonable efforts under the circumstances to provide Company with written notice (email is sufficient) and an opportunity to remedy
such violation or threat prior to suspension. Further, if a breach occurs with respect to the Outputs, Pindrop reserves the right to require
Company to delete and/or destroy the Outputs (as well as any derivative works, benchmarking or competing solution) in Company’s
possession or control.
5. Fees and Payments.
(a) Marketplace Orders – Description of Fees and Invoice Schedule. Company shall pay the fees for Products and Services in
accordance with the applicable Company Marketplace Agreement and Marketplace Order.
(b) Direct Orders – Description of Fees and Invoice Schedule. Company shall pay Pindrop the fees for Services in
accordance with the Direct Order. If an invoice schedule for Services is not specified in the Order, then fees for such Services will be invoiced and
payable upon completion by Pindrop thereof. All fees will be invoiced and payable in U.S. Dollars and are due and payable to
Pindrop within 30 days after the date of invoice to Company for such amounts (the “Due Date”). Company shall promptly reimburse
Pindrop for any reasonable out-of-pocket expenses incurred by Pindrop in connection with providing PS to Company. All such
expenses will be billed as incurred in accordance with Pindrop’s travel and expense policies. Company shall pay all taxes, tariffs and
transportation costs relating to, or incurred under, this Agreement or a Direct Order (including any sales, use, excise or value added
taxes), exclusive of taxes based on or measured by Pindrop’s net income, unless Company is exempt from the payment of such taxes.
To the extent applicable, Company will provide to Pindrop any resale exemption certificate, direct pay permit or other exemption
certificate or information reasonably requested by Pindrop. Company shall promptly notify Pindrop if any such exemption is
subsequently revoked or modified. If Pindrop is required or permitted by applicable Law to charge and collect sales, use, excise, value-
added or similar taxes (but excluding taxes based on or measured by Pindrop’s net income) that are directly imposed on the purchase,
lease or other transfer of taxable Products or Services for a consideration, Pindrop shall separately state such taxes on Company
invoices along with other applicable related charges, including transportation and tariffs. Company shall promptly pay invoiced taxes.
Notwithstanding the foregoing, the failure of Pindrop to properly designate all taxes on an invoice shall not relieve Company of its
obligation to pay all such taxes. To the extent Pindrop fails to designate such taxes on an invoice, Company shall, upon notice and
request by Pindrop, promptly pay or reimburse Pindrop for any taxes that are Company’s responsibility under this Section. If Company
fails to remit an undisputed portion of a payment by the applicable Due Date, Pindrop reserves the right to apply late charges at the
lesser of (i) 1.5% per month of the overdue amount; or (ii) the maximum amount permitted under applicable Law. Disputes arising from
invoices will be handled on a case by case basis. Company must notify Pindrop of any invoice dispute no later than the applicable Due
Date or such invoice will be deemed approved and accepted by Company. Both parties will use their commercially reasonable efforts to
assess and rectify, if applicable, discrepancies found within a disputed invoice as soon as commercially practicable.
6. Confidentiality.
(a) Definition. “Confidential Information” means information designated as confidential or proprietary or that should be
considered as confidential from its nature or from the circumstances surrounding its disclosure. The Pindrop Property constitutes
“Confidential Information” of Pindrop, and the Company Call Data constitutes “Confidential Information” of Company.
(b) Use and Disclosure. With respect to any Confidential Information a party receives (“Receiving Party”) from the other party
(“Disclosing Party”), the Receiving Party shall: (i) keep such information confidential; (ii) use the same degree of care for the
Disclosing Party’s Confidential Information that it uses for its own Confidential Information, but in no event less than reasonable care;
(iii) not use the Confidential Information other than in connection with the performance of this Agreement and each Order; and (iv) not
divulge the Confidential Information to any third party. Receiving Party agrees to use all reasonable steps to ensure that the Disclosing
Party’s Confidential Information is not disclosed by a Receiving Party Representative in violation of this Section. Company also agrees
it shall not disclose the results of benchmark tests or any other evaluation of any Pindrop Property to any third party without Pindrop’s
prior written approval. For purposes of this Section, “third party” excludes the Receiving Party or its affiliates employees, contractors,
subcontractors attorneys, accountants or other professional advisors of the Receiving Party, as long as such representative (1) has a
commercially reasonable need to know and access such Confidential Information in connection with the authorized purposes; and (2) is
under contractual or fiduciary confidentiality obligations substantially equivalent to the terms and conditions of this Section (each a
“Receiving Party Representative”). A Receiving Party is responsible for a breach by the Receiving Party Representative of the
confidentiality obligations to same extent as the Receiving Party itself.
(c) Exclusions. Confidential Information shall not include information that: (i) is or becomes generally known or available to the
public at large other than as a result of a breach by the Receiving Party of any obligation to the Disclosing Party; (ii) was known to the
Receiving Party free of any obligation of confidence prior to disclosure by the Disclosing Party; (iii) is disclosed to the Receiving Party
on a non-confidential basis by a third party who did not owe an obligation of confidence to the Disclosing Party; or (iv) is developed by
the Receiving Party independently of and without reference to any part of the Confidential Information. Confidential Information shall
not be deemed to be in the public domain or generally known or available to the public merely because any part of said information is
embodied in general disclosures or because individual features, components or combinations thereof are now or become known to the
public. During the Term (defined in Section 11(a) (Term of Agreement)), the Receiving Party may publicize the existence of the
relationship between Pindrop and Company in connection with the Products or Services being provided under Order(s) and Pindrop
may list Company’s name on Pindrop’s standard customer lists.
(d) Limited Exceptions. Confidential Information may be disclosed in response to a valid order by a court or other governmental
body of the United States or any political subdivision thereof, as otherwise required by law, or as necessary to establish the rights of
either party under this Agreement, provided that the party making such disclosure must provide written notice to the other party with a
reasonable opportunity to obtain a protective order or otherwise protect the confidentiality of such information.
7. Proprietary Rights and Other Licenses.
(a) Use of Company Call Data. Company grants Pindrop, its affiliates and applicable subcontractors a limited-term license to
collect, use, record, host, transmit and process the Company Call Data as necessary to provide, maintain and support the Product for
Company in accordance with this Agreement each applicable Order and the applicable Documentation.
(b) Company Use Rights. Subject to the terms and conditions of this Agreement, Pindrop hereby grants to Company a limited,
non-exclusive, non-transferable (except as expressly provided in this Agreement with respect to the entire agreement) right (i) during
the applicable Subscription Term to access and use a Product solely within the Authorized Geography; (ii) during and after
expiration of the applicable Order to retain and use the portion of the Outputs that are available via the outbound API
feed(s) from the Product solely for Company’s internal business and recordkeeping purposes; and (iii) during the Subscription Term to retain and use the portion of the Work Product available to Company in connection with or as part of the Services for Company’s internal business purposes in connection with Company’s use of the Product; provided that (A) the Outputs and such Work Product remain the Confidential Information of Pindrop and subject to the obligations of confidentiality and use restrictions set forth in this Agreement; and (B) Company shall not create any derivative works nor use the Outputs or such Work Product to create a competing solution. For clarity, to the extent Company Call Data (such as the phone number of a caller) is contained in an Output or such Work Product, nothing in this Section shall restrict Company’s right to use its own Company Call Data in any manner.
(c) Data Privacy Terms. The terms and conditions in Exhibit A (Data Privacy Terms) of this Agreement shall apply, as
applicable.
(d) Pindrop Property. Subject to the limited rights expressly granted by Pindrop under this Agreement or an Order, Pindrop, its affiliates and its and their licensors and third party providers reserve and retain and own all rights, title and interests the Products (including Outputs, AI Systems and AI Models), the Services (including Work Product) and all updates, upgrades, derivative works, modifications, conversions, improvements or the like made to each of the foregoing, together with all intellectual property rights embodied therein (collectively, the “Pindrop Property”). If Company Call Data (such as the phone number of a caller) is contained in an Output, AI System or AI Model, nothing in this Section shall transfer or otherwise restrict Company’s ownership in or right to use its own Company Call Data in any manner. Company agrees to retain and reproduce all copyright, trademark and other proprietary notices contained on or in the Pindrop Property as delivered to Company on all copies of such Pindrop Property and shall not seek to remove any such notices. Pindrop is an authorized reseller of certain Next Caller products and services. Next Caller is a third party beneficiary of Pindrop’s rights (but not obligations) under this Agreement. Company will look solely to Pindrop and Pindrop is solely responsible to Company for any breach by Next Caller of this Agreement or any VeriCall-related Orders (including any related PS or Support Services).
(e) Company Property. Subject to the limited rights expressly granted by Company under this Agreement or an Order, Company
retains and own all right, title and interest in all intellectual property rights in and to the Company Call Data, Company Phone Number
and Company Call Center Infrastructure.
(f) Feedback. Company may, at its sole election, provide Feedback to Pindrop or its affiliates to help identify ways in which
Pindrop and its affiliates may improve or expand their product and service offerings for its customers. If provided, Company agrees to
assign and hereby assigns to Pindrop all rights, title and interests in and to the Feedback.
(g) Third-Party Software Components. A Product may contain certain Third-Party Software Components (defined below). Company’s right to use the Third-Party Software Components shall be subject to the relevant third-party terms identified within the Product and/or the Product’s associated Documentation applicable to each Third-Party Software Component, but only if and to the extent that Company’s actual access and use of the Product requires Company to agree to different or new terms and conditions than those in this Agreement, or any relevant Order (the “Third Party Terms”). Regardless of whether any Third Party Terms apply or not, the Third-Party Software Components are, however, included within the product warranty and Support Services provided by Pindrop to Company for the Product as detailed in this Agreement and, as applicable, the Order. For purposes of this Agreement, “Third-Party Software Components” means the third-party software bundled with or included the Product for which Pindrop has an obligation to pass-through the applicable open source or proprietary commercial software license terms directly to Company from the applicable third party licensor.
(h) Special Terms for Pre-Ga Offerings. Pindrop may make Pre-GA Offerings available to Company from time to time and Pre-GA Offerings are subject to the same terms and conditions in this Agreement and each relevant Order, except as provided otherwise in this Section or an Order. Pre-GA Offerings are provided on an “as is” basis and are not included in the Support Program Terms or Pindrop’s business continuity program, and may be changed, suspended or discontinued by Pindrop at any time with prior notice to Company. Except as expressly indicated otherwise in a written notice from Pindrop or the Documentation for a given Pre-GA Offering, Company’s access and use of a Pre-GA Offering are limited to the Company’s employees and the Authorized Geography, and is solely for internal evaluation and/or testing purposes, and is subject to any additional terms identified and mutually agreed to by Pindrop and Company in writing, including geography or call traffic (i.e., “test” or production calls) restrictions. Either party may terminate Company’s use of a Pre-GA Offering at any time with written notice to the other party.
8. Warranties and Other Responsibilities.
(a) Project Closure for PS Only. Except as provided otherwise in an Order, the PS and Work Product are deemed completed as
of the Project Milestone Closure. If the Product to which the PS is relevant does not materially comply with the applicable
Documentation after the Project Closure Milestone (each an “Error”), then such Error will be addressed solely pursuant to the warranty
terms in this Agreement or applicable Support Program Terms.
(b) Representations and Warranties by Both Parties. Each party represents that it has validly entered into this Agreement and
each Order and has the legal power to do so.
(c) Pindrop Warranties and Other Responsibilities.
(i) Product Performance. Pindrop warrants that each Product will perform without Errors during the applicable
Subscription Term. Pindrop will use commercially reasonable efforts to correct Errors, excluding those Errors resulting from an
Excused Event, as further defined and described in the Support Program Terms. Company’s exclusive remedies for Pindrop’s failure to
comply with the product warranties in this Section 8(c)(i) shall be to pursue termination pursuant in Section 11(c) (Mutual Rights of
Termination).
(ii) Malicious Code. Pindrop will not intentionally or knowingly either introduce or allow the introduction of any code,
files, scripts, agents or programs intended to do harm, including for example, viruses, worms or Trojan horses (“Malicious Code”) into
the Product delivery environment. If Malicious Code is found to have been introduced into a Product by Pindrop, Pindrop will be
responsible for removing the Malicious Code from such Product. If the Malicious Code that was found to have been introduced by
Pindrop is also found to have been introduced into any Company-Controlled System, Pindrop will reasonably cooperate with Company
by providing relevant information necessary for the Company to mitigate the effects of such Malicious Code.
(iii) BCP Program. Pindrop will maintain and administer a Business Continuity Program (“BCP”) for the Products, as
detailed in Exhibit B (Pindrop Information Security and BCP Programs).
(iv) Professional Services Warranty. Subject to the terms and conditions hereunder, Pindrop will perform the PS in a
professional manner in accordance with industry standards.
(d) Company’s Responsibility Statement. Company warrants, acknowledges and agrees that (i) Company will, on behalf of
itself and Pindrop as its service provider, provide all required consumer notices and disclosures and, where required, secure consents
in compliance with all applicable Laws with respect to the Outputs and Company Call Data; and (ii) it will have and maintain privacy
policies and terms and conditions with its customers that are compliant with its obligations and applicable Laws and permit the use and
sharing of information processed, analyzed or created by a Product (including the creation of Outputs) and/or contributed to the Pindrop
Database as contemplated in this Agreement or an Order (collectively, the responsibilities under (i) and (ii) shall be referred to as
the “Customer Commitments”). If Company has been designated as a “Financial Institution” in a Marketplace Order, then (A) Company further warrants that its Customer Commitments are also compliant with its obligations as a Financial Institution under the GLBA; and (B) for the duration of Company’s access to and use of the Product(s) and Services, Company hereby appoints Pindrop as a special agent for Company with limited authority to perform functions inherent in the Products and Services as necessary for Company to analyze Calls for the purposes of (1) protecting the Company and Company’s customers from fraud and (2) enhancing security in connection with customer transactions. The limited authority granted above is the “Limited Authority Agency.” Pindrop has no right, power, or authority to bind Company or create any obligation or responsibility on Company’s behalf beyond the Limited Authority Agency. If Pindrop, in its good faith judgement, believes that the Products are being used in a manner that is not compliant with applicable Laws or that such use could result in noncompliance with applicable laws and/or such use could subject Company or Pindrop to a claim for liability for noncompliance, Pindrop reserves the right to modify its Products or Services accessed or used by Company as deemed reasonably necessary to address such noncompliance. Company agrees to cooperate with Pindrop to the extent reasonably necessary to effectuate such modifications.
(e) Limited Warranties. EXCEPT AS PROVIDED OTHERWISE IN THIS AGREEMENT OR AN ORDER, TO THE MAXIMUM EXTENT PERMITTED BY
APPLICABLE LAW, THE PINDROP PROPERTY IS PROVIDED TO COMPANY “AS IS,” AND PINDROP AND ITS AFFILIATES, AND ITS AND THEIR LICENSORS AND THIRD PARTY SERVICE PROVIDERS DISCLAIM ANY AND ALL OTHER PROMISES, REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, QUIET ENJOYMENT, SYSTEM INTEGRATION AND/OR DATA ACCURACY. PINDROP, ON BEHALF OF ITSELF AND ITS AFFILIATES, AND ITS AND THEIR LICENSORS AND THIRD PARTY SERVICE PROVIDERS, DOES NOT WARRANT THAT THE PINDROP PROPERTY WILL MEET COMPANY’S REQUIREMENTS, THAT THE OPERATION OR USE OF THE FOREGOING WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ALL ERRORS WILL BE CORRECTED. COMPANY ACKNOWLEDGES AND AGREES THAT THE DISCLAIMERS, LIMITATIONS AND EXCLUSIONS OF LIABILITY SET FORTH IN THIS AGREEMENT FORM AN ESSENTIAL BASIS OF THE BARGAIN BETWEEN THE PARTIES, AND THAT, ABSENT SUCH DISCLAIMERS, LIMITATIONS AND EXCLUSIONS, THE TERMS OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THE ECONOMIC TERMS, WOULD BE SUBSTANTIALLY DIFFERENT.
9. Limitation of Liability; Consequential Damages Waiver.
(a) Consequential Damages Waiver. IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY SPECIAL,
INCIDENTAL, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL DAMAGES OF ANY KIND, WHETHER BASED ON DAMAGES, LOSSES OR COSTS INCURRED AS A RESULT OF LOSS OF TIME, LOSS OR CORRUPTION OF APPLICATION OR DATA, LOSS OF PRODUCT OR REVENUE, OR LOSS OF USE OF THE PRODUCTS, REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, NEGLIGENCE, STRICT PRODUCT LIABILITY, OR OTHERWISE, EVEN IF SUCH PARTY HAS BEEN INFORMED OF THE POSSIBILITY OF ANY SUCH DAMAGES IN ADVANCE.
(b) Liability for Direct Damages. THE MAXIMUM AGGREGATE LIABILITY FOR DAMAGES TO A PARTY ARISING FROM OR RELATED TO THIS AGREEMENT OR ANY ORDER OR ANY PINDROP PROPERTY, WHETHER FOR BREACH OF CONTRACT OR WARRANTY, STRICT LIABILITY, NEGLIGENCE OR OTHERWISE, SHALL NOT:
(i) FOR PINDROP EXCEED TWO TIMES THE FEES PAID TO PINDROP DURING THE PRECEDING 12 MONTHS FOR THE
PRODUCT, WORK PRODUCT OR SERVICE UNDER THE ORDER GIVING RISE TO SUCH LIABILITY; AND
(ii) FOR COMPANY EXCEED TWO TIMES THE FEES PAID OR PAYABLE TO PINDROP DURING THE PRECEDING 12
MONTHS, WHICHEVER AMOUNT IS GREATER, FOR THE PRODUCT, WORK PRODUCT OR SERVICE UNDER THE ORDER
GIVING RISE TO SUCH LIABILITY.
(c) Exclusions.
(i) Liability for (1) a breach by a party of its confidentiality obligations under this Agreement; (2) fulfillment by Pindrop of its
obligations and liabilities pursuant to Section 10(a) (Infringement Claims Coverage) and, as a Responsible Party, pursuant to Section
10(c) (Procedural Requirements for Third Party Claims); (3) fulfillment by Company of its obligations and liabilities pursuant to Section
10(b) (Company Coverage for Third Party Claims) and, as a Responsible Party, pursuant to Section 10(c) (Procedural Requirements
for Third Party Claims); and (4) for infringement and misappropriation by one party of the other party’s intellectual property rights are
each excluded from the limitations of liability in Sections 9(a) (Consequential Damages Waiver) and 9(b) (Liability for Direct Damages).
Responsible Party has the meaning assigned in Section 10(c) (Procedural Requirements for Third Party Claims).
(ii) Liability for a breach by Company of Section 8(d) (Company’s Responsibility Statement) and the PCI Restriction shall each be excluded from the limitations of liability in Section 9(b) (Liability for Direct Damages).
10. Responsibility for Third Party Claims.
(a) Infringement Claims Coverage. Pindrop agrees, at its expense, to defend, indemnify, and hold harmless Company from and
against any and all third party claims, actions or demands and legal proceedings, liabilities, damages, losses, and judgments or
authorized settlements, and reasonable costs and expenses as incurred, including without limitation attorney’s fees, where the third
party alleges that a Product furnished to Company and used within the scope of and in compliance with this Agreement infringes a U.S.
copyright or any U.S patent issued as of the Effective Date. Pindrop is not responsible under this Section for any infringement arising
out of or related to: (A) modification of a Product by anyone other than Pindrop, where the Product would not infringe except for that
modification; (B) any infringement arising out of any combination of the Product with other software, hardware, processes or materials
not provided by Pindrop, where the Product would not infringe except for such combination; (C) Third-Party Software Components,
when taken on a stand-alone basis and not in combination with other elements of the applicable Product; (D) Company’s use of a
version of the Product other than the most current release of the Products that results in a claim or action for infringement that could
have been avoided by use of the current release, provided that Pindrop has supplied Company with the most current release at no
additional fee; or (E) any Company Call Data, where the Product would not infringe except for that Company Call Data. If a Product is
held or believed by Pindrop to infringe, Pindrop may, at its sole option and expense, elect to: (w) modify the Product so that it is non-
infringing; (x) replace the Product with non-infringing products which are functionally equivalent or superior in performance; (y) obtain a
license for Company to continue to use and access the Product as provided hereunder; or (z) terminate the license for the infringing
Product and refund any prepaid but unused license fees paid for such Product under the impacted Marketplace Order. THE RIGHTS
GRANTED TO COMPANY UNDER THIS SECTION 10(a) SHALL BE COMPANY’S SOLE AND EXCLUSIVE REMEDY FOR ANY CLAIM OF INFRINGEMENT OR MISAPPROPRIATION RELATED TO THE PRODUCTS AND THE THIRD PARTY CLAIMS DESCRIBED IN THIS SECTION 10(a).
(b) Company Coverage for Third Party Claims. Company agrees, at its expense, to defend, indemnify, and hold harmless Pindrop and its affiliates (each a “Pindrop Party”) from and against any and all third party claims, actions, demands and legal proceedings, liabilities, damages, losses, and judgments or authorized settlements, and reasonable costs and expenses as incurred, including without limitation attorney’s fees, arising out of or in connection with any alleged or actual breach or violation of (i) Section 8(d) (Company’s Responsibility Statement); (ii) other applicable Law requirements for which Company is responsible under this Agreement or an Order in connection with the use of or access to the Products or Services by Company and any Company Users, including the collection, processing, analysis, creation, storage and retention of Company Call Data and Outputs; and (iii) the PCI Restriction.
(c) Procedural Requirements for Third Party Claims. For each party to be responsible for its indemnification obligations under Sections 10(a) (Infringement Claims Coverage) or 10(b) (Company Coverage for Third Party Claims), as applicable (the “Responsible Party”), the other party (the “Covered Party”) shall (i) promptly notify the Responsible Party in writing of its receipt of notice of any claim or when it discovers facts on which the Covered Party intends to base a request for indemnification under such Section(s) (each a “Claim Notice”); (ii) afford the Responsible Party the choice to control the defense and all related settlement negotiations of such claim; provided that the Covered Party can participate at its own expense; and (iii) provide the Responsible Party with reasonable assistance, information and authority necessary to perform its obligations under Sections 10(a) or 10(b) above. Each party, as a Responsible Party, agrees to keep the Covered Party reasonably informed as to the status of the Responsible Party’s efforts in connection with the defense or settlement of claims on behalf of the Covered Party and reasonably consult with the Covered Party (or the Covered Party’s counsel) concerning such efforts.
Notwithstanding anything to the contrary in Section 10(c)(i), a Covered Party’s failure to provide a Claim Notice does not relieve the Responsible Party of its liability to the Covered Party under Sections 10(a) or 10(b), as applicable, unless such delay materially prejudices the Responsible Party’s defense or the scope of the Responsible Party’s liability for the applicable third party claim.
Notwithstanding anything to the contrary in Section 10(c)(ii), the following apply:
(A) The Responsible Party agrees it will not, without the Covered Party’s written approval, make any admission of facts that expose the Covered Party to any liability, require the Covered Party to take or cease to take any action (including without limitation any requirement to make payments), or expose the Covered Party to other claims that are not covered by the obligations for the applicable claim under Section 10. However, if the Responsible Party is required by applicable Law to make an admission, the Responsible Party may proceed in making such admission without the Covered Party’s prior approval; provided the Responsible Party provides written notice to the Covered Party with a reasonable opportunity to obtain a protective order or otherwise address such requirement with the appropriate authority.
(B) If the Responsible Party fails to respond to a Claim Notice or refuses to assume the defense of a claim tendered in good faith within 10 days of its receipt of the Claim Notice from the Covered Party with respect to a claim for which it is seeking indemnification under this Section 10, then the Covered Party may proceed to defend or otherwise settle the claim as the Covered Party deems reasonably appropriate and the Responsible Party agrees to reimburse the Covered Party with respect to all defense costs and expenses or damages incurred with respect to such claim, as incurred.
11. Term and Termination.
(a) Term of Agreement. The term of this Agreement will be for 4 years commencing on the Effective Date (“Initial Term”). This Agreement shall automatically renew for additional 3 year periods, unless one party provides the other party with a minimum of 60 days written notice prior to the expiration of the then-current year (each a “Renewal Term” and together, the Initial Term and Renewal Term shall be referred to as the “Term”). Any Orders that have not yet terminated or expired as of the effective date of termination of this Agreement will continue and remain binding and in full force and effect and the terms and conditions of this Agreement and the applicable Order shall continue to apply with the same effect until any such Order terminates according to its own terms or is terminated earlier for cause in accordance with the below terms. For clarity, a notice of non-renewal of this Agreement shall not in any way modify, impact the validity or terminate any existing Orders.
(b) Term of Orders. The term for each Order shall start and end as described in the Order. For clarity, any termination of this Agreement as a whole shall, subject to the terms and conditions in Section 11(e) (Special Termination Rights and Obligations for Marketplace Orders), immediately terminate all existing Orders.
(c) Mutual Rights of Termination. Either party may terminate this Agreement and/or any Order if the other party materially breaches any section of this Agreement or an Order and fails to cure such breach upon 30 days prior written notice by the non-breaching party (the “Cure Period”) specifying the nature of the breach and the actions required to cure the breach; provided, however, that if such breach does not involve the payment of any amounts to Pindrop and is of a nature that can be cured but not within the Cure Period and the breaching party has commenced significant efforts to cure such breach within the Cure Period, this Agreement or an Order shall not terminate so long as the breaching party continues to diligently pursue the completion of such cure.
(d) Termination For Change in Legal Requirements. If permitted under the Customer Marketplace Agreement, Company may terminate this Agreement or any Marketplace Order upon written notice to Pindrop if, after the Effective Date of this Agreement, an applicable Law becomes effective prohibiting Company from using or being engaged in the use of the Product(s) with its customers or that materially impairs the ability or power of Company to use the Product(s) in compliance with any new applicable Law, either through Pindrop or otherwise; provided that the parties have met and discussed in good faith the impact of the new applicable Law on the Product(s), Company has provided written notice to Pindrop detailing its concerns with Pindrop’s plan or activities to address such change and Company is not reasonably satisfied with Pindrop’s proposed plan or activities for addressing such change.
(e) Special Termination Rights and Obligations for Marketplace Orders. Notwithstanding anything to the contrary in this Agreement, Marketplace Orders may be terminated by Company only as authorized in the Company Marketplace Agreement, subject to any non-cancellable rights or obligations with respect to a given Marketplace Order, as detailed in the impacted Marketplace Order. Where Pindrop rightfully terminates this Agreement or a Marketplace Order pursuant to Section 11(c) (Mutual Rights of Termination), Company acknowledges and agrees that Pindrop can also instruct the Marketplace Provider to immediately terminate the impacted Marketplace Order(s) upon written notice to Company without liability of any kind or nature incurred by either Pindrop or the Marketplace Provider. Where Company terminates this Agreement for any reason authorized under this Agreement, any corresponding rights Company may have to terminate the impacted Marketplace Order(s) shall be subject to and solely pursuant to the terms in Company Marketplace Agreement and any associated orders directly between Company and the applicable Marketplace Provider.
(f) Obligations Upon Termination. Upon the expiration or termination of this Agreement or an Order for any reason, all licenses granted under the impacted Order(s), and all associated rights granted to Company under this Agreement and the impacted Order(s) shall immediately terminate and all relevant Pindrop Property shall, at Pindrop’s sole option, be returned to Pindrop or destroyed by Company. Further, upon request by a Disclosing Party, a Receiving Party agrees to (i) destroy the Disclosing Party’s Confidential Information in its possession or control; and (ii) confirm in writing to the Disclosing Party that it has complied with the destruction instructions with respect to the Disclosing Party’s Confidential Information. However, with respect to any Confidential Information (A) in the Receiving Party’s or its Receiving Party Representatives’ archive (including legal archives and business records generated in the delivery and support of the Products and Services), back-up or other comparable systems or servers; (B) expressly authorized in this Agreement or an Order to be retained; or (C) retained to comply with litigation holds or applicable Law, such Confidential Information is only required to be destroyed in accordance with the Receiving Party’s and its Receiving Party Representative’s then-current data retention policies, litigation hold or applicable Law, whichever is the longest of the retention requirements. The terms in this Section 11(h), all defined terms, rights or obligations that expressly survive termination and the rights and obligations contained in Sections 3(b) (Protection of Company Data) (for the time period stated in such Section), 4(e) (Restrictions) (to the extent applicable), 5 (Fees and Payments), 6 (Confidentiality), 7(b) (Data Privacy Terms), 7(d) (Pindrop Property), 7(e) (Company Property), 7(f) (Feedback), 8(d) (Company Warranties), 8(e) (Limited Warranties), 9 (Limitation of Liability; Consequential Damages Waiver), 10(a) (Infringement Claims Coverage), 10(b) (Company Coverage for Third Party Claims), 10(c) (Procedural Requirements for Third Party Claims), 12 (Audits) (for the time period specified in such Section ) and 14 (General) shall survive any expiration or termination of this Agreement or any Order. For clarity, the obligations in Section 8(d) (Company’s Responsibility Statement) shall survive with respect to the Calls analyzed by a Product during the course of this Agreement and any related Order(s).
12. Audits.
During the Term and for a period of 6 months after the Term, upon reasonable prior written notice to the other party (email is sufficient), a party (an “Auditing Party”) shall have the right, at its expense, to conduct (or have a third party conduct) an audit, assessment, examination or review of relevant documentation, materials or systems of the other party (the “Audited Party”) for the sole purpose of assessing compliance by the Audited Party with the terms and conditions of this Agreement and each Order. The Audited Party shall reasonably cooperate with any such request by providing reasonable access to knowledgeable personnel, systems, documentation, and other reasonably requested information. Company acknowledges and agrees there may be restrictions on Company’s ability to conduct audits on Pindrop’s subcontractors. Audits shall not be conducted more than once per year (unless a material non-compliance is detected in which case an additional audit may be performed to verify that any agreed to corrective actions have been taken). Additionally, audits must be conducted during normal business hours and in a manner not to unreasonably disrupt the Audited Party’s day to day business Any site visit at the Audited Party and/or audit of the Audited Party’s procedures, systems and equipment shall be subject to such reasonable policies and practices of the Audited Party that are in effect for any site visits and audits of the Audited Party to maintain the security of the Audited Party’s site, its systems and equipment and the confidentiality of information which is proprietary and confidential to the Audited Party and that of any of its other customers or vendors. An Audited Party will not be required to give access to or disclose any confidential information of a third party or any attorney-client privileged information. The Auditing Party has no obligation to share any of its audit results with the Audited Party. However, the results of any audit shall constitute Confidential Information of both parties, and in all cases, be subject to the confidentiality obligations under this Agreement with respect to Confidential Information contained in the audit report(s).
13. Publicity.
Each party will be provided with an advance copy of any press release that the other party may wish to release and given an opportunity to reject, or make changes to, such press release prior to publication provided that such party approval shall not be unreasonably withheld or delayed.
14. General.
(a) Export Compliance. The Pindrop Property and derivatives thereof may be subject to export laws and regulations of the United States and other jurisdictions. Pindrop and Company each represents that it is not on any U.S. government denied-party list. Company will not permit any User to access or use any Pindrop Property in a U.S.-embargoed country or region (currently Cuba, Iran, North Korea, Syria or Crimea) or in violation of any U.S. export law or regulation or other equivalent laws of other jurisdictions, as applicable.
(b) Governing Law; Jurisdiction and Attorneys’ Fees. This Agreement will be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of law provisions. With respect to any legal disputes between Company and Pindrop arising out of or related to this Agreement, Company and Pindrop irrevocably consent to the exclusive personal jurisdiction of the federal courts located in Delaware or, if the Federal courts do not have jurisdiction, in the Superior Court of the State of Delaware, and any appellate court from any such state or Federal court. In the event of any dispute arising out of or related to this Agreement, the prevailing party shall be entitled to recover its reasonable attorneys’ fees and costs.
(c) Drafting. The section headings appearing in this Agreement are inserted only as a matter of convenience and in no way define, limit, construe or describe the scope or extent of such section or in any way effect such section. In this Agreement, words importing the singular number include the plural and vice versa and words importing gender include all genders.
(d) Notices. All notices permitted or required under this Agreement shall be in writing and shall be delivered as follows with notice deemed given as indicated (i) by personal delivery when delivered personally; (ii) by commercially established courier service upon delivery or, if the courier attempted delivery on a normal business day and delivery was not accepted, upon attempted delivery; or (iii) by certified or registered mail, return receipt requested, 10 days after deposit in the mail. Notice will be sent to the parties at the addresses below the signature block or at such other address as each party shall notify the other of in writing.
(e) Waivers; Severability. Neither party shall by mere lapse of time without giving notice or taking other action be deemed to have waived any breach by the other party of any of the provisions of this Agreement. Further, the waiver by either party of a particular breach of this Agreement by the other party shall not be construed as, or constitute, a continuing waiver of such breach, or of other breaches of the same or other provisions of this Agreement. If any provision of this Agreement shall be held illegal, unenforceable, or in conflict with any law of a federal, state, or local government having jurisdiction over this Agreement, the validity of the remaining portions or provisions hereof shall not be affected.
(f) Force Majeure. Except for the payment of money due or payable, neither party shall be liable for any failure or delay in performance under this Agreement which might be due to strikes, shortages, riots, insurrection, fires, flood, storm, other weather conditions, explosion, acts of God, war, government action, inability to obtain delivery of parts, supplies or labor, labor conditions (including strikes, lockouts or other industrial disturbances), earthquakes, riots or acts of terrorism, epidemic, pandemic or any other cause which is beyond the reasonable control of such party (each a “force majeure event”). The occurrence of a force majeure event shall not relieve Pindrop of its obligation to implement its disaster recovery plan or provide disaster recovery services with respect to an impacted Product, as contemplated in Section 10 (BCP Program) of Exhibit B (Pindrop Information Security and BCP Program) attached.
(g) Assignment. Each party may, with written notice to the other party, assign this Agreement to any third party who succeeds to substantially all of that party’s assets and business related to the Products covered under this Agreement by merger or purchase, provided that the assignee assumes this Agreement by an instrument in writing. Except as authorized in the preceding sentence, this Agreement may not be assigned or transferred by either party without the prior written consent of the other party. If Company is a financial institution under the GLBA and Company’s assignee is not, then (i) Company must disclose that fact to Pindrop in its written notice of assignment; and (ii) Pindrop reserves the right, in its discretion, to modify any Products and Services accessed or used bysuch assignee, including by way of example only, disabling features or functionality in the Products or Services or as otherwise deemed reasonably necessary to comply with applicable Laws. Notwithstanding the foregoing, if the assignee of Pindrop is unacceptable to Company in its good faith judgement for any legal or regulatory reason(s) or is unable to provide reasonable assurances that it has the financial, technical, or operational resources to fulfill its obligations under this Agreement, if permitted under the terms and conditions of the Company Marketplace Agreement: (A) Company may terminate this Agreement upon written notice to Pindrop (in which case all Orders(s) hereunder shall also immediately terminate) within 1 month of receipt of Pindrop’s notice of such change of control; and (B) in the event of any such termination, Pindrop will promptly refund to Company all prepaid, unused fees for any full year(s) of the Subscription Term remaining under the impacted Marketplace Order(s) (i.e., not for the then-current year of the Subscription Term).
(h) Entire Agreement. This Agreement (i) is the complete agreement between the parties with respect to the subject matter hereof and supersedes any and all prior agreements and understandings; and (ii) unless expressly authorized otherwise in this Agreement, may be amended only in a writing that refers to this Agreement and is signed by both parties. The parties are independent contractors. Except as expressly agreed by the parties, neither party will be deemed to be an employee, agent, partner or legal representative of the other for any purpose and neither will have any right, power or authority to create any obligation or responsibility on behalf of the other. To the extent of any conflict between an Marketplace Order or Direct Order (as applicable)and this Agreement, unless expressly provided otherwise in a Marketplace Order or Direct Order (as applicable), the following shall be the order of priority for control: (i) the Marketplace Order or Direct Order; and (ii) the Agreement. To the extent of any conflict between this Agreement and the Company Marketplace Agreement with respect to the Pindrop Property or Pindrop’s Confidential Information, this Agreement shall control.
(i) Injunctive Relief. Notwithstanding any other provision of this Agreement, any violation by either party of the other party’s intellectual property or proprietary rights will cause irreparable damage for which recovery of money damages would be inadequate, and the aggrieved party will therefore be entitled to seek timely injunctive relief to protect such party’s rights, without the need to post bond.
(j) Government and Public-Sector Users. The following terms shall apply, as applicable:
- (i) US Government User Terms. The Pindrop Property made available under this Agreement is or otherwise contains commercial computer software as that term is defined in 48 C.F.R. 252-227-7014(a)(l). If acquired by or on behalf of a civilian agency, the U.S. Government acquires this commercial computer software and/or commercial computer software documentation and other technical data subject to the terms of this Agreement as specified in 48 C.F.R. 12.212 (Computer Software) and 12.211 (Technical Data) of the Federal Acquisition Regulations (“FAR”) and its successors. If acquired by or on behalf of any agency within the Department of Defense (“DOD”), the U.S. Government acquires this commercial computer software and/or commercial computer software documentation subject to the terms of this Agreement as specified in 48 C.F.R. 227.7202-3 of the DOD FAR Supplement (“DFAR”) and its successors. This U.S. Government Rights clause is in lieu of, and supersedes, any other FAR, DFAR, or other clause or provision that addresses government rights in computer software or technical data under this Agreement.
- (ii) Freedom of Information Act Restrictions. If the Freedom of Information Act, 5 U.S.C. 552 et seq. or a State’s equivalent law (each a “FOI Act”) applies to Company, Company acknowledges that Confidential Information is entitled to be exempt from disclosure under a FOI Act. Company will promptly notify Pindrop of any requests for the disclosure of any Confidential Information under a FOI Act, and will assert to the government or requester, orally and in writing, that such Confidential Information is exempt from disclosure under FOI Act.
(k) Limited Right to Modify Terms. If there is a change in any applicable Law, litigation or the regulatory landscape which affects this Agreement or the activities of either party under this Agreement, and a party reasonably believes in good faith that the change will have a substantial adverse effect on that party’s rights or obligations under this Agreement, then such party may, upon written notice, require the other party to enter into good faith negotiations to renegotiate the terms of this Agreement, with such notice providing reasonable detail as to the nature of any proposed modification.
Exhibit A - Data Privacy Terms
1. Definitions.
(a) “Aggregate Data” means information that relates to a group or category of individuals, from which individual identities have been removed, that is not linked or reasonably linkable to any individual or household.
(b) “Data Protection Law(s)” state or federal privacy or data protection laws to which Company or Pindrop (as a service provider to Company) are subject, including but not limited to, the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations; the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), Cal. Civ. Code 1.81.5, the Utah Consumer Privacy Act (UCPA), Utah Annotated Code §13-61-101, the Virginia Consumer Data Protection Act (VCDPA), Va. Code Ann. §§ 59.1-575 to 59.1-585, and any other legislation which implements any other current or future legal act concerning the protection, privacy, and/or processing of Personal Data, including any amendment or re-enactment of the foregoing.
(c) “Deidentified Data” means information that cannot reasonably identify, related to, described, be capable of being associated with, or linked, directly or indirectly, to a particular individual.
(d) “Personal Data” means any personal”) information as described in the applicable Data Protection Law and relates only to Personal Data, or any part of such Personal Data, in respect of which Pindrop is a processor in connection with the performance of its obligations under the Agreement.
(e) “Process”, “Processing”, or “Processed” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether automated or not, such as, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
(f) “Processing Purpose” means the purpose for which Pindrop is Processing Personal Data as set forth in Section 2(b) of this Exhibit A.
(g) “sale”, “sell”, or “selling” will have the meaning as ascribed to it under applicable Data Protection Law.
(h) “Business”, “Controller”, “Processor”, and “Service Provider” will have the meaning as ascribed to it or to a similar term under applicable Data Protection Law.
2. Processing Purpose. With respect to Pindrop’s provision of the Products and Services to Company pursuant to this Agreement and each Order (the “Relevant Agreements”):
(a) Pindrop is a Service Provider or Processor (as applicable), with respect to any Personal Data that Pindrop Processes, on behalf of Company, pursuant to the Relevant Agreements (“Personal Data”);
(b) Company has disclosed Personal Data to Pindrop and its affiliates for the Processing Purposes of (1) detecting security incidents and/or utilization by a caller of a non-human voice, and protecting against malicious, deceptive, fraudulent or illegal activity (including, in each case, populating the Pindrop Database); and (2) assisting in the authentication of callers of Company, as well as is reasonably necessary in support of any other valid Processing Purposes that are part of the Products, Services and that are expressly agreed to by the parties in the Relevant Agreements, including and subject to restrictions on use such as those applicable to Fraudulent Call Data;
(c) Pindrop and Company acknowledge and confirm that Pindrop does not receive any Personal Data as consideration for any Products, Services or other items provided under the Relevant Agreements; and
(d) Company hereby instructs and authorizes Pindrop to Process Personal Data in connection with Pindrop’s performance and exercise of its obligations and rights under the Relevant Agreements. Any additional or alternate instructions must be mutually agreed upon in writing.
3. Permitted Use. Pindrop will only collect, use, retain, disclose and otherwise Process Personal Data (a) for its performance of the Relevant Agreements and the Services and provision of the Products, including in support of Pindrop’s and its affiliates internal operations as necessary to the provision of the Products and Services, (b) for its internal use to build or improve the quality of the Products and Services, provided that Pindrop does not use the Personal Data to perform services on behalf of another person; or (c) as otherwise necessary for compliance with applicable Laws. Pindrop will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data and are subject to a duty of confidentiality with respect to Personal Data.
4. Service Providers. Pindrop may disclose Personal Data to, and permit the Processing of Personal Data by, its service providers who perform services on behalf of Pindrop, in support of the provision of the Products and Services to Company (each a “Service Provider”). Pindrop will ensure that such Service Providers are subject to equivalent contractual requirements with respect to Personal Data that apply to Pindrop under this Exhibit A. Pindrop will be responsible for the actions of its Service Providers that breach the terms of this Exhibit A.
5. Restrictions. Pindrop is prohibited from selling, retaining, using, disclosing, or otherwise Processing Personal Data for any purpose other than for the Processing Purpose or as otherwise set forth in Section 6 (Deidentified Data and Aggregated Data) of this Exhibit A, which, for the avoidance of doubt, also prohibits Pindrop from retaining, using, or disclosing Personal Data outside of its business relationship with Company or for any other Commercial Purpose. Where permitted by Company under the Relevant Agreements, Pindrop may retain use, or otherwise Process certain Personal Data (and combine it with personal data from other clients) as reasonably necessary to detect data security incidents, or protect against fraudulent or illegal activity (e.g., as part of the Pindrop Database). Pindrop certifies that it understands and will comply with the foregoing restrictions set forth in this paragraph.
6. Deidentified Data and Aggregate Data. Pindrop and its affiliates may use Deidentified Information and Aggregate Data relating to Personal Information or derived from the Products and Services, for the purposes of providing the Products and Services, improving its operations, and enhancing the features, functions, and performance of the Products and Services. Pindrop and its affiliates may also, during and after the term of the Agreement, use, maintain, and disclose such Deidentified Data and Aggregate Data for its own product improvement and general purposes. Pindrop will not identify Company or otherwise disclose Company as the source of any such Deidentified Data or Aggregate Data in any manner in connection with any such general use purposes. For clarity, Support Data may, if it meets the criteria set forth in this Section 6, also be used for the purposes authorized in this Section.
7. Audit. Company will have the right to audit Pindrop’s Processing of Personal Data and Pindrop’s compliance with this Exhibit A in accordance with Section 12 (Audits) of the Agreement. Any report, documents, information, or record provided to Company or created pursuant to this Section 7 shall be considered Pindrop Confidential Information.
8. Duration of Processing. Pindrop will only Process Personal Data for the duration of the Relevant Agreements and as otherwise allowed under the Relevant Agreements or permitted under applicable Law. Unless retention of Personal Data is otherwise permitted under the Relevant Agreements, at the termination or expiration of the Relevant Agreements, Personal Data will be returned and/or deleted in accordance with Section 11(f) (Obligations Upon Termination) in the main body of the Agreement.
9. Data Subject Requests. If Pindrop receives a complaint, dispute, or request from a data subject to exercise such data subject’s rights under Data Protection Laws, and Pindrop is able to confirm that such request relates to Company, Pindrop will promptly notify Company of such data subject request. Taking into account the nature of Pindrop’s Processing of Personal Data, Pindrop shall provide reasonable assistance to Company in responding to data subject requests as required by Data Protection Laws and only to the extent commercially feasible. Unless required by applicable Law, Pindrop will not respond to or take any action to comply with a data subject request without Company’s approval.
Exhibit B - Pindrop Information Security and BCP Programs
1. Definitions.
Capitalized terms used in this Exhibit B have the meanings given below or, if not defined below, the meanings given in the main body of this Agreement.
“Company-Controlled System” means: (i) Information Systems that are within Company’s possession or control; and (ii) all On-Premise Appliances.
“In-Scope Subcontractor” means each of Pindrop’s subcontractors who are engaged by Pindrop to deliver component(s) of the Products or Services to Company and will have access to, process, or store Company Call Data.
“Information System” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.
“On-Premises Appliances” means all appliances (including, without limitation, Pindrop’s or Pindrop-provided Products) that are procured by Company pursuant to an Order and installed within Company’s facilities, Company’s data centers, or Company’s third-party data centers.
“Pindrop-Controlled Systems” means (i) Information Systems that are within Pindrop’s possession or control; and (ii) Amazon Web Services (“AWS”) Information Systems or Google Cloud Platform “GCP”) that meet the following criteria: (a) under Pindrop’s enterprise account with AWS or GCP, as applicable; (b) used by Pindrop to deliver the Products or Services or used by Pindrop for Pindrop’s internal, corporate-level systems; and (c) are AWS Information Systems or GCP Information Systems for which Pindrop solely configures and manages the security controls used by Pindrop to protect the data stored within such AWS Information Systems or GCP Information Systems. The defined term Pindrop-Controlled Systems excludes all Company-Controlled System.
“Security Breach” means a reasonably suspected or confirmed unauthorized disclosure of Company’s Confidential Information within Pindrop’s possession or control; or a reasonably suspected or confirmed unauthorized access by a third party to any Pindrop-Controlled Systems that process, hold, or provide access to Company’s Confidential Information.
2. Governance and Oversight; Security Audits.
(a) Pindrop will have in place a cybersecurity program designed to protect the confidentiality, integrity, and availability of the Pindrop-Controlled Systems, as detailed in this Exhibit B. Such cybersecurity program includes tracking data asset locations and maintaining risk based written security policy or policies that satisfy the requirements set forth in this Exhibit B (the “Security Policy”). Pindrop will not make any change to its Security Policy that will materially degrade the overall level of security described in this Exhibit B.
(b) Pindrop’s Security Policy will be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Company’s Confidential Information within Pindrop’s possession or control that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. The risk assessment will be written and include: (i) criteria for the evaluation and categorization of identified security risks or threats to Company’s Confidential Information within Pindrop’s possession or control; (ii) criteria for the assessment of the confidentiality, integrity, and availability of Company’s Confidential Information within Pindrop’s possession or control, including the adequacy of the existing controls in the context of the identified risks or threats; and (iii) requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the Security Policy will address the risks.
(c) Pindrop will periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Company’s Confidential Information within Pindrop’s possession or control that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and reassess the sufficiency of any safeguards in place to control these risks.
(d) Pindrop will (i) design and implement safeguards to control the risks identified through the risk assessments it performs; and (ii) evaluate and adjust its information security program in light of the results of the testing and monitoring described in this Exhibit B, any material changes to Pindrop’s operations or business arrangements, and any other circumstances that Pindrop knows or has reason to know may have a material impact on Pindrop’s information security program.
(e) Pindrop will assign an appropriate individual within Pindrop’s Information Security team to maintain responsibility and executive oversight for the Security Policy, including, without limitation, implementation, formal governance and revision management, employee education, and compliance enforcement. The individual assigned by Pindrop to maintain responsibility and executive oversight for the Security Policy will report in writing, regularly and at least annually, to Pindrop’s executive team or board of directors or equivalent governing body. Any such reports will include the following information: (i) the overall status of Pindrop’s information security program; and (ii) material matters related to Pindrop’s information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses thereto, compliance obligations and recommendations for changes in the information security program.
(f) Subject to the terms and conditions in Section 12 (Audits) of the main body of the Agreement, the rights in this Section 2(f) shall apply. If a Company Regulator exercising its supervisory authority makes a request to Company to access the Products or Services, Company will use commercially reasonable efforts to resolve that request directly with the Regulator using alternative methods, including by reviewing the security certifications for the Pindrop-Controlled Systems with the Regulator. If the Company Regulator determines that the information available through these mechanisms is insufficient to verify compliance with applicable Laws then, upon the Company Regulator’s request and Company’s written confirmation that the Company Regulator has the requisite supervisory authority over Company to make such a request, Pindrop will provide the Company Regulator with: (a) information about the Products and Services and the opportunity to discuss the Products and Services operations and controls with Pindrop subject matter experts; and (b) if required, a direct right to examine the Products and Services used by Company, including by conducting an examination on premises. Pindrop may charge Company a fee (based on Pindrop’s reasonable costs) for any such discussion, communication, and examination. Any discussion, communication, or examination requested by the Company Regulator under this subsection will, except in an emergency or crisis situation, be conducted consistent with the terms of Section 12 (Audits) of the main body of the Agreement.
3. Policies and Procedures.
(a) The policies that comprise the Security Policy are commercially reasonable, communicated to relevant Pindrop employees, and designed to: (i) be protective of Company’s Confidential Information within the Pindrop-Controlled Systems; and (ii) support Pindrop’s compliance with its obligations under this Agreement. If requested by Company in writing, Pindrop agrees to provide Company with (i) the title page and table of contents related to the Security Policy or other related policies or procedures applicable to Pindrop’s business operations set forth in this Exhibit B; (ii) an opportunity to discuss Pindrop’s security measures ; (iii) confirmation that penetration testing and vulnerability scanning has been performed; and (iv) independent audit reports applicable to the Products (such as SOC2 Type 2) that Pindrop makes generally available to its customers under confidentiality terms.
(b) Pindrop will review its Security Policy at least annually and amend such Security Policy (or subparts thereof) as Pindrop deems commercially reasonable (e.g., in light of relevant risk assessment findings, relevant changes in applicable Laws or standards, technology advances, changes to Pindrop’s systems or Pindrop’s own changing business operations).
(c) As part of the Security Policy, Pindrop will have security-minded development practices for applications that form any part of the Products or that are used to deliver the Products, and procedures for evaluating and assessing the security of externally developed applications that form any part of the Products or that are used in the delivery of the Products.
(d) Pindrop will maintain and follow employment verification requirements for all new Pindrop employee hires, with such verifications occurring prior to the date of hire. These requirements will include criminal background checks, proof of identity validation, and additional checks as deemed reasonably necessary by Pindrop and as permitted by applicable Law. Such employment verification measures shall be in line with requirements under Industry Standards (as defined below). Each Pindrop local entity is responsible for implementing the foregoing requirements in its hiring process as applicable and permitted under local law. Pindrop will provide verification of the completion of background checks in a satisfactory manner for employees upon Company’s reasonable request; however, Pindrop is not required to provide an actual copy of the background check results.
(e) Pindrop will have a training program that includes conducting security education for its employees annually. The training program will: (i) provide security awareness training that is updated to reflect risks identified by Pindrop’s risk assessments; and (ii) promote the maintenance of current knowledge of changing information security threats and countermeasures.
4. Compliance.
Pindrop-Controlled Systems will be subject to annual certification of compliance with the Payment Card Industry Data Security Standards (PCI-DSS) (with respect to relevant cardholder data environments only), ISO 27001, and SSAE SOC2 or any substantially equivalent or alternative successor standard (the “Industry Standards”). Upon written request from Company, Pindrop will provide evidence of the compliance and accreditation with the Industry Standards as reasonably determined by Pindrop, such as certificates, attestations, or reports resulting from accredited independent third-party audits (accredited independent third-party audits will occur at the frequency required by the relevant standard). Additionally, Pindrop will use commercially reasonable efforts to verify that its In-Scope Subcontractors comply with all Laws applicable to the operation of the In-Scope Subcontractors’ business and all Laws generally applicable to providers of information technology services, in each case, to the extent relevant to the specific products and services being provided by such In-Scope Subcontractor to Pindrop in connection with the Products and Services covered under this Agreement. The verification may be accomplished through Pindrop’s vendor due diligence process. In the event that Pindrop’s vendor due diligence process identifies a non-compliance with the aforementioned Laws, Pindrop will work with the In-Scope Subcontractor to cure such deficiency.
5. Incident Response and Security Breaches.
(a) Pindrop will maintain and follow documented incident response policies consistent with National Institute of Standards and Technology, United States Department of Commerce (NIST) guidelines or equivalent industry standards for computer security incident handling. Pindrop’s written incident response plan will be designed to promptly respond to, and recover from, any event materially affecting the confidentiality, integrity, or availability of Company’s Confidential Information within Pindrop’s possession or control. Such incident response plan shall address the following areas: (i) the goals of the incident response plan; (ii) the internal processes for responding; (iii) the definition of clear roles, responsibilities and levels of decision-making authority; (iv) external and internal communications and information sharing; (v) identification of requirements for the remediation of any identified weaknesses in information systems and associated controls; (vi) documentation and reporting; and (vii) the evaluation and revision as necessary of the incident response plan.
(b) Pindrop will investigate Security Breaches (and security incidents that are not yet Security Breaches but that are reasonably likely to result in Security Breaches) of which Pindrop becomes aware, perform a root-cause analysis of the same and take prompt action designed to contain the Security Breach. Company must notify Pindrop of any suspected vulnerability or security incident by immediately submitting a technical support request to Pindrop.
(c) Pindrop will notify Company within no more than 24 hours after Pindrop becomes aware of a Security Breach that has impacted Company’s Confidential Information. Pindrop will provide Company with reasonably requested information about such Security Breach and the status of any Pindrop containment and service restoration activities.
6. Physical Security and Entry Control.
(a) Pindrop will maintain reasonable physical entry controls, such as barriers, card-controlled entry points, surveillance cameras, and manned reception desks, designed to protect against unauthorized entry into Pindrop-managed facilities (i.e., its headquarter facility) used to provide the Pindrop-Controlled Systems. Auxiliary entry points into such facilities, such as delivery areas and loading docks, will be controlled and isolated from computing resources.
(b) Access to Pindrop-managed facilities and controlled areas within those facilities will be limited by job role and subject to authorized approval. Such access will be logged, and such logs will be retained for not less than one year. Pindrop will revoke access to Pindrop-managed facilities upon separation of an authorized employee. Pindrop will follow formal documented separation procedures that include prompt removal from access control lists and surrender of physical access badges.
(c) Any person granted temporary permission to enter an Pindrop-managed facility or a controlled area within such facility will be registered upon entering the premises and will be escorted by authorized personnel.
(d) Pindrop will take precautions designed to protect the physical infrastructure of Pindrop-managed facilities against environmental threats, both naturally occurring and man-made, such as excessive ambient temperature, fire, flood, humidity, theft, and vandalism.
7. Access, Intervention, Transfer and Separation Control.
(a) Pindrop will maintain measures for Pindrop-Controlled Systems that are designed to logically separate and prevent Company’s Confidential Information stored within Pindrop-Controlled Systems from being exposed to or accessed by unauthorized persons. Pindrop will maintain isolation of its production and non-production environments, and, if Company’s Confidential Information is transferred to a non-production environment, for example to reproduce an error at Company’s request, security and privacy protections in the non-production environment will be equivalent to those in production.
(b) Pindrop will encrypt Company’s Confidential Information that is subject to long-term storage within Pindrop-Controlled Systems and when Company’s Confidential Information is transmitted by Pindrop over public networks. Pindrop will maintain documented procedures for encryption key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use. To the extent that encryption is impractical, Pindrop will use compensating controls designed to protect Company’s Confidential Information.
(c) If Pindrop requires access to Company’s Confidential Information that is stored within Pindrop-Controlled Systems, and if such access is managed by Pindrop, Pindrop will deploy measures designed to restrict access to the minimum level required. Such access, including, without limitation, administrative access, will be individual, role-based, and subject to approval and regular validation by authorized Pindrop personnel following the principles of segregation of duties. Pindrop will maintain measures to identify and remove redundant and dormant accounts with privileged access and will promptly revoke such access upon the account owner’s separation or upon the request of authorized Pindrop personnel, such as the account owner’s manager.
(d) For Pindrop-Controlled Systems, Pindrop will:
- (i) monitor and periodically test the Pindrop-Controlled Systems to assess the effectiveness of the Security Policy;
- (ii) maintain technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, strong password or passphrase authentication, and password change frequency;
- (iii) monitor use of privileged access and maintain security information and event management measures designed to: (1) identify unauthorized access, use or tampering; (2) facilitate a timely and appropriate response, and (3) enable internal and independent third-party audits of compliance with the Security Policy;
- (iv) where practicable for a given Pindrop-Controlled System, use multi-factor authentication designed to protect against unauthorized access to such Pindrop-Controlled System;
- (v) maintain logs in which privileged access and activity are recorded will be retained in compliance with Pindrop’s worldwide records management plan and Security Policy;
- (vi) maintain measures designed to protect against unauthorized access, modification, and accidental or deliberate destruction of the logs described in the prior (v);
- (vii) maintain tools designed to detect and remove Malicious Code from the Pindrop-Controlled Systems;
- (viii) adopt procedures for change management; and
- (ix) develop, implement, and maintain procedures for the secure disposal of Company’s Confidential Information within Pindrop’s possession or control in any format used in connection with the provision of the Product or Service to the Customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes or as otherwise expressly authorized by Company in this Agreement or an Order, is otherwise required to be retained by law or regulation, as set forth in Section 11(f) (Obligations Upon Termination) in the main body of this Agreement, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
(e) Pindrop will securely sanitize physical media intended for reuse prior to such reuse, and will destroy physical media not intended for reuse, consistent with NIST guidelines for media sanitization. Upon Company’s reasonable request, Pindrop will provide a certificate of destruction certifying the destruction of any of Company’s Confidential Information within Pindrop’s possession or control.
8. Service Integrity and Availability Control.
With respect to Pindrop-Controlled Systems, Pindrop will:
(a) Perform security risk assessments at least annually;
(b) Perform security testing and vulnerability assessments on a periodic basis;
(c) Enlist a qualified testing service to perform penetration testing at least annually;
(d) Perform automated vulnerability scanning against configuration industry standards reasonably designed to identify publicly-known security vulnerabilities in Pindrop-Controlled Systems based on Pindrop’s risk assessment: (i) at least every six months; (ii) whenever there are material changes to Pindrop’s technical operations of the nature that reasonably justify the performance of a scan; and (iii) whenever there are circumstances that Pindrop knows or has reason to know may have a material impact on Pindrop’s information security program of the nature that reasonably justify the performance of a scan;
(e) Follow Pindrop’s policies with respect to the remediation of identified vulnerabilities, based on associated risk, exploitability, and impact;
(f) Take reasonable steps to avoid disruption of the Products and Services when performing its tests, assessments, scans, and execution of remediation activities;
(g) Maintain measures designed to assess, test, and apply security advisory patches. Upon determining that a security advisory patch is applicable and appropriate, Pindrop will implement the patch pursuant to Pindrop’s policies, taking into account associated risk, exploitability, and impact;
(h) Maintain policies and procedures designed to manage risks associated with the application of changes; and
(i) Maintain an inventory of information technology assets.
9. Vendor Management Program.
(a) Pindrop agrees to maintain a formal vendor management program. As part of such program, Pindrop is responsible for conducting due diligence on each of its In-Scope Subcontractors on a periodic basis to assess the extent to which each In-Scope Subcontractor has reasonable security measures designed to protect the Company Call Data in that In-Scope Subcontractor’s possession or control. In conducting In-Scope Subcontractor due diligence, Pindrop may rely upon the information available in an In-Scope Subcontractor’s SOC2 or comparable report or certification (each an “Independent Audit Report”) to make such assessment, even if the Independent Audit Report does not contain the level of detail specified in this Exhibit B. Upon request by Company, Pindrop shall direct Company to the location at which it can obtain copies of an In-Scope Subcontractor’s Independent Audit Report. In the event that Company is unable to obtain such Independent Audit Report, Pindrop shall use reasonable efforts to secure the relevant Independent Audit Report from such In-Scope Subcontractor and provide a copy to Company. Pindrop agrees to provide Company with a minimum of 30 days prior notice if there is a material change in the identity of the In-Scope Subcontractors applicable to the Products or Services covered under an existing Order. If an In-Scope Subcontractor is Processing Company Personal Information, then within 30 days of receiving notice of a new In-Scope Subcontractor, Company may object (in good faith) to such engagement. In the event Company makes an objection within such time period, the parties will work in good faith to resolve the objection. If the parties are not able to come to a mutually agreed to solution, Company’s sole and exclusive remedy is to terminate the applicable Order pursuant to which the new In-Scope Subcontractor is Processing Company Personal Information.
(b) In addition to In-Scope Subcontractors, Company understands and agrees that Pindrop may use other vendor systems and solutions to support its day to day back office business operations where Confidential Information of Company (other than data that’s been input into a Product) may be collected, processed or stored, including by way of example, contract management, billing or other financial transaction-related tools and solutions (each a “Back Office Business System”). Back Office Business Systems are not Pindrop-Controlled Systems, but are subject to the requirements of Sections 9(c) and 9(d) of this Exhibit B.
(c) Pindrop will have a written agreement in place with each In-Scope Subcontractor and each vendor providing a Back Office Business System that contains commercially reasonable confidentiality obligations designed to protect the confidentiality of the Company Call Data in the possession or control of the In-Scope Subcontractor or the confidentiality of the Confidential Information in the possession or control of each vendor providing the Back Office Business System, as applicable.
(d) Pindrop is responsible for any unauthorized disclosure of Company Call Data by an In-Scope Subcontractor and Confidential Information by each vendor providing a Back Office Business System to the same extent as Pindrop itself would be by the terms of this Agreement.
10. BCP Program.
(a) Pindrop’s BCP will include (i) a business impact analysis that includes a risk assessment that documents prioritization of business functions and process, systems, subcontractors, resource requirements and interdependencies that may affect recovery timelines and alternative resource plans; (ii) specifically defined or targeted RTOs (recovery time objective); and (iii) specifically defined or targeted RPOs (recovery point objective). Unless provided otherwise in an Order, Pindrop’s RTO and RPO policy for a single availability zone failure for a Product will not exceed 24 hours.
(b) Pindrop will conduct periodic exercises with respect to its BCP (such as tabletop exercises), but on no less than an annual basis. If an event triggers Pindrop’s BCP (each a “BCP Event Trigger”), Pindrop is responsible for implementing the BCP in accordance with Pindrop’s policies and procedures. Company understands and agrees that if a BCP Event Trigger occurs, depending on the nature and scope of the event and whether Company procure “high availability” Appliances for any Products deployed at Company-managed facilities, the availability and/or ability to recover Company’s Confidential Information, including without limitation, the Company Call Data, in Pindrop’s possession or control may be impacted.
(c) The Products are not designed for and should not be used by Company as an official record or similar, whether for regulatory purposes or otherwise.
(d) Should the Product(s) in use by Company experience an outage, Pindrop will notify Company of such outage and provide periodic status updates until such impact is resolved, as detailed in the Support Program Terms.
(e) Pindrop will provide reasonable prior notice to Company if Pindrop’s BCP is changed in a way that would have a material adverse impact in Pindrop’s ability to deliver the Products or the Services to Company as set forth in this Agreement, each applicable Order.
11. Company Responsibilities.
Company agrees to take commercially reasonable measures designed to detect and prevent the introduction of Malicious Code into Pindrop-Controlled Systems used in the delivery of Products or Services to Company. Company also understands and agrees that Company is responsible for determining whether the Products and Services are suitable for Company’s use and implementing and managing security measures for all components of the Products and Services that Pindrop does not manage or for which Pindrop does not have security obligations under this Exhibit B, with Pindrop’s only security obligations being as set forth in this Exhibit B. Examples of Company responsibilities include, without limitation: (a) securing all Company-Controlled System; and (b) accepting and implementing all security patches provided by Pindrop with respect to any On-Premises Appliances (and all other software distributed by Pindrop to Company in order to enable such security patches), without delay. Company understands and agrees that Pindrop does not manage, and is not responsible for the security of, On-Premises Appliances. Company further agrees that it is Company’s responsibility, and not Pindrop’s responsibility, to ensure adequate backups of any Company Call Data on the Company-Controlled System that are physically and logically separated from the Products and Services being provided by Pindrop under this Agreement. Company agrees that Pindrop shall not be in breach of its obligations under this Exhibit B if and to the extent that Pindrop’s non-compliance is directly caused by Company’s failure to comply with its own security responsibilities under this Agreement.
Exhibit C - Implementation and Product-Specific Terms
1. Call Routing. The Product will be implemented and deployed based on an agreed to architecture for the routing of calls reflected in the Direct Order (the “Approved Architecture”). The Approved Architecture will apply for the duration of the applicable Subscription Term under the Marketplace Order.
2. Pindrop Protect Cloud-Specific Terms.
(a) Pindrop Database. During the term of an Order, the Product will collect, process and analyze Company Call Data. Pindrop and its affiliates are authorized to use and contribute the Fraudulent Call Data to the Pindrop Database for the purpose of identifying, monitoring and tracking phone-based fraud and suspicious transactions or passively authenticating a caller for the benefit of identifying, monitoring and tracking phone-based fraud and suspicious transactions or passively authenticating a caller for the benefit of Company, Pindrop’s and its affiliates’ existing or future customers and the Consortium Members (the “Authorized Use of Fraudster Data”). Pindrop will only identify (i.e., “tag”) that the Fraudulent Call Data was provided by Company on a pseudonymized basis (e.g., using a code name within the Pindrop Database itself). For clarity, neither Company nor any other customer of Pindrop has or will have access to or the ability to view the Pindrop Database or the data stored therein. Company agrees that the Authorized Use of Fraudster Data shall survive any termination or expiration of this Agreement and the applicable Orders.
(b) Call Recording Storage Terms. The following call recording storage and related terms shall apply to the configuration reflected in the applicable Order:
Company Storage of Call Recordings (default configuration unless specified otherwise in the applicable Order)
The default storage option for call recordings created by a Product in the ordinary course of its use is the use of Company’s own Core Hosting Provider (as defined below) instance (i.e., under your own and direct account with the Core Hosting Provider (each a “CHP Instance”). For purposes of this Exhibit C, “Core Hosting Provider” or “CHP” means the third party service provider whom Pindrop uses to host the Products covered under an Order (e.g., AWS or Google), as reflected in the applicable Order.
Company is solely responsible for all aspects of the CHP Instance, including without limitation, the cost of securing and maintaining the CHP Instances for the duration of the Orders as well as the security settings applicable to the CHP Instance.
The CHP Instance will be configured for use with a Product as set forth in the Approved Architecture, which configuration will include, at a minimum, (i) sufficient administrative and access rights for Pindrop to be able to monitor and maintain the call recordings as needed to deliver the Product as contemplated in the Documentation and for Pindrop to provide the maintenance and support for that Product (including sharing your share IAM credentials including access key, secret key and encryption settings with Pindrop until the expiration of the applicable Subscription Term to enable such access); and (ii) the retention of the call recordings for the Calls as established from time to time based on Company’s instructions and the standard features and functionality of the Product (collectively, the “Minimum CHP Configuration Requirements”). Company agrees to maintain the Minimum CHP Configuration Requirements for the CHP Instance for the duration of all Orders applicable to the Product, unless Company and Pindrop mutually agree otherwise in writing.
Upon the expiration or termination of Company’s right to use a Product pursuant to one or more Orders, Company will be responsible for the deletion of any call recordings from the CHP Instance.
Pindrop Storage of Call Recordings
If the parties agree as part of the Approved Architecture that Pindrop, rather than Company, will store the call recordings created by the Product in its ordinary course of use on behalf of Company in Pindrop’s CHP instance (i.e., under Pindrop’s own and direct account with the CHP, such as AWS or Google) (each a “Pindrop CHP Instance”), then the following terms apply:
(i) Pindrop will maintain the call recordings based on the time period(s) configured within the Product as established from time to time based on Company’s instructions and the standard features and functionality of such Product.
(ii) Company’s Named Users will have access to the call recordings through the standard user interface for the Product to enable such Named Users to disposition a given Call as either fraudulent or genuine. No other administrative access will be granted to Company for the Pindrop CHP Instances.
(iii) Upon the expiration or termination of Company’s right to use a Product pursuant to one or more Orders, then Pindrop will delete any remaining call recordings from the Calls from Pindrop’s CHP Instance.
3. Acceptable Use Policy.
With respect to the transmissions of Company Call Data by Company via the Product, Company will comply with Pindrop’s then-current acceptable use policy which is available upon request from Pindrop or at https://pindropstage.wpengine.com/wp-content/uploads/2021/12/Pindrop-Acceptable-Use-Policy-Sept-2018.pdf.
4. CHP Flow-Down Terms. In providing hosting and related cloud platform services (“CHP Services”) to Company and notwithstanding anything to the contrary in this Agreement, Company acknowledges and agrees that (a) the CHP may require that Pindrop notify it of any unauthorized access and/or use by Company of the CHP Services and Company authorizes Pindrop to provide any such required notice to CHP; (b) Company’s receipt of the CHP Services may be subject to legal intercept or monitoring activities by CHP, its suppliers or local authorities in accordance with its standard business practices and applicable Laws; and (c) Company may not use the CHP Services, or any interface(s) provided with the CHP Service, to access or use any other CHP product or service in a manner that violates the terms of service applicable to such other CHP product or service.
5. Tap-To-Cloud Call Capture Terms. If the call capture method for the Product is specified as “tap-to-cloud” in an Order, then the additional terms and conditions in the Supplemental Terms available here shall apply.
6. Managed Service Provider Terms. If Company is authorized pursuant to an Order to bundle a Product as part of Company Managed Services (defined below), the incremental or different terms and conditions in this Section shall apply. To the extent of any conflict between this Section 7 and any other terms of this Agreement, the terms in this Section 7 shall control.
(a) Bundled Offering. Subject to terms and conditions of this Agreement and the Order(s), Pindrop grants to Company a non-exclusive, non-transferable, non-assignable right to bundle the Product solely as a non-severable part of Company Managed Services to Company Customers in the Authorized Geography. Company does not have the right to appoint or otherwise authorize any other third party, directly or indirectly, to perform any activities or exercise any rights granted to Company under this Agreement in connection with the Products and Services under this Agreement or any Order (whether as a sub-service provider or otherwise). Company will not make any false or misleading representations with regard to Pindrop, its affiliates, the Products or Services or any representations, warranties or guarantees with respect to the Products and/or Services that are inconsistent the terms of this Agreement, any Order(s) or Documentation.
(b) Company Customer-Facing Requirements. The Products and Services bundled by Company as part of a Company Managed Service shall be made pursuant to a Company Customer Agreement (defined below), which shall be no less protective of the Pindrop Property than the applicable terms and conditions in this Agreement and each Order. As between Pindrop and Company, Company is solely and exclusively liable for all commitments and terms it agrees to in each Company Customer Agreement. Under no circumstances shall Pindrop be liable to a Company Customer in connection with a Company Customer Agreement. As between Pindrop and Company, (i) Company is solely and exclusively responsible for providing appropriate notices and disclosures to each Company Customer with respect to the Company Call Data and Outputs relative to the Calls applicable to such Company Customer and how such is collected, used, stored and the like (as detailed in this Agreement and each applicable Order); and (ii) Company shall secure and maintain from each Company Customer the necessary rights for Company to grant Pindrop and its affiliates the rights and licenses under this Agreement and each Order, and enable Company to fulfil and comply with its obligations to Pindrop under this Agreement and each Order, including without limitation those terms and conditions applicable to the Company Call Data and Outputs.
(c) Company Responsibilities.
(i) Customer-Unique Identifiers. To enable differentiation of Calls, Company shall ensure that each Company Customer is assigned a unique identifier that is transmitted as part of the Company Call Data to the Product for each Call.
(ii) Company’s Use of Behalf of Company Customers. In its role as a service provider of the Company Managed Services to the Company Customers, Company is only permitted to use a Product solely to perform phone number fraud verification and/or authentication on behalf of and solely for each Company Customer’s own products or services based on the features and functionality enabled in the Product and for no other purpose (e.g., not for credit decisioning purposes or to determine a consumer’s eligibility for credit or insurance, or for any other permissible purpose set forth in the FCRA). For avoidance of doubt, any use or purpose restrictions applicable to Company under this Agreement or the relevant Order shall likewise apply to the Products and Company’s bundling of such Products as part of the Company Managed Services.
(iii) No Company Customer Access or Use. Company acknowledges and agrees that neither a Company Customer nor any of a Company Customer’s personnel shall have access to or use of, either directly or indirectly, the Products or Services, including any Outputs. Company may, however, provide aggregated data with respect to the Calls analyzed by the Products to the applicable Company Customers pursuant to written obligations of confidentiality with each such Company Customer (i.e., quantity of calls analyzed, authenticated or for which fraud was detected, account status and the stand-alone risk score).
(iv) Responsibility for Company Customers. Any act or omission committed by a Company Customer that, if committed by Company (i.e., where Company has a responsibility pursuant to the terms and conditions of this Agreement or an Order) would be deemed a breach of this Agreement or the applicable Order will be considered a breach by Company, as applicable, including by way of example, a breach of the confidentiality obligations or a failure to comply with the obligations in 8(d) (Company’s Responsibility Statement) of the main body of this Agreement. Further, a breach by Company of the restrictions in the last sentence of Section 2 (Bundled Offering) above or its obligations under Section 7(b) (Company Customer-Facing Obligations) above or any claim by a Company Customer that Company failed to comply with the Company Customer Agreement with such Company Customer shall be (x) included within the scope of Company’s obligations to Pindrop in Sections 10(b) (Company Coverage for Third Party Claims) and 10(c) (Procedural Requirements for Third Party Claims) of the main body of this Agreement; and (y) excluded from Company’s limitations of liability for direct damages under Section 9(b)(ii) of the main body of this Agreement.
For purposes of this Section, the following definitions apply:
“Company Customer Agreement” means a written agreement between Company and a Company Customer pursuant to which Company offers Products and Services as bundled with the Company Managed Services in connection with an Order.
“Company Managed Services” means a service whereby Company (a) assumes, performs or provides the one or more of the following (i) responsibility for day-to-day operations and management of all or a portion of the Company Customer’s call center data processing operations; or (ii) facility management, systems integration or similar services for the Customer in connection with the Company Customer’s call center; or (iii) business process outsourcing services to the Customer in connection with its call center services; all regardless of whether the Product is located at the Company Customer’s or a third party location or Company facility, and whether used on the Company Customer’s or third party owned equipment, to the extent applicable, and (b) is accessing and using the Products and Services on behalf of or for the benefit of a given Company Customer.
“Managed Service Customer” means a Company Customer who has entered into a Company Customer Agreement to obtain Company Managed Services from Company.