Pindrop Subscription Agreement for Verizon Resale Customers
This Pindrop Subscription Agreement for Verizon Resale Customers (the “Agreement”) details the terms and conditions applicable to any Products or Services of Pindrop Security, Inc. (“Pindrop”) that your company (“you” or “your”) obtains via an Authorized Reseller. By entering into a Reseller Order, you agree to be bound by the terms and conditions in this Agreement. If you do not agree to the terms and conditions of this Agreement, you shall not and do not have the right to use any Pindrop Property (as defined below). Pindrop agrees to be bound by the terms of this Agreement upon acceptance of the order(s) it enters into with the Authorized Reseller relevant to your Reseller Order(s). Capitalized terms have the meaning given in this Agreement.
1. Definitions.
(a) “Authorized Geography” means the United States only with respect to where you are authorized to (i) access and use a Product; and (ii) have the
Product analyze calls made to Your Phone Number(s) intended for use by your customers also residing in the United States. For example, because
you are authorized to access and use the Product in the United States, then Your Phone Number(s) would be Your Phone Number(s) that are intended for use by your United States-based customers as part of such customers conducting business with your United States-based business operations.
(b) “Authorized Reseller” means an entity that is authorized by Pindrop to resell the Products and Services to end user customers.
(c) “Call” means a phone call made to Your Phone Number that is processed by a Product.
(d) “Call Heuristics” means the duration that a device’s touch keys are held down (i.e., the frequency of a caller pressing a device’s touch keys).
(e) “Call Processing Data” means the data (excluding CPNI) obtained by or from a telecommunications network with respect to a Call that is
generally used by telecommunication service providers for call routing purposes. Examples include data used to initiate, route, exchange and
complete traffic that is internal to the network or networks during the call.
(f) “Confidential Information” means information designated as confidential or proprietary or that should be considered as confidential from its
nature or from the circumstances surrounding its disclosure. The Pindrop Property is Confidential Information of Pindrop.
(g) “Confirmed Fraud Call” means a Call that has been designated by you through the user interface of the Product as being associated with
fraudulent or suspicious activity during the course of your use of Pindrop’s Product known as Pindrop® Protect or any subsequent Product(s) which
also has the same functionality, as described in the applicable Documentation.
(h) “Consortium Members” means Pindrop customers, government agencies, third party data providers, consumer agencies, credit lenders and other third parties that have themselves provided “fraudulent call data” to Pindrop or its affiliates.
(i) “CPNI” or “Customer Proprietary Network Information” means the data obtained by or from a telecommunications network with respect to a
Call routed that relates to the quality, technical configuration, type, destination, location or amount of use of a telecommunications service about the calls placed from a particular phone number or is the type of call-related data that would customarily appear on the customer’s bill who is purchasing the relevant telecommunications and interconnected VoIP services from a telecommunications services provider. Examples include the phone number of the calling party or called party, type of service the customer has ordered or the location of the customer or device.
(j) “Digital Signal” means the digital signal used to transmit audio from the device and/or the telecommunications network.
(k) “Documentation” means any documentation, user guides and installation instructions provided by Pindrop to you from time to time.
(l) “DTMF” means the audio sound of the dual tone multiple frequency (i.e., the signal to the phone company when a caller presses a device’s
touch keys).
(m) “Effective Date” means the date on which you first enter into a Reseller Order for the Products or Services.
(n) “Feedback” means all ideas, suggestions, or similar information that you provide or otherwise make available to Pindrop or its affiliates with respect to the Products, Work Product or Services or any other Pindrop product or service offering.
(o) “Fraudulent Call Data” means the following data for a Confirmed Fraud Call: (i) a phone number; (ii) the timestamp, duration, type of number
and geography metadata; (iii) call type (e.g., mobile or VOIP); (iv) the Pindrop Score (i.e., the numerical risk score assigned to the Call); and (v)
System Labels.
(p) “Laws” means all laws, statutes, regulations and other types of government authority, including without limitation, the laws and regulations
governing export control, unfair competition, anti-discrimination, false advertising, data privacy or data protection, and publicity.
(q) “Media Relay Services” means the services purchased by you from Verizon that enable the copying of the signal handler for a given call so that
the call can be concurrently routed to multiple destinations, such as to the IVR for standard handling of that call (i.e., as if the Product were not in use by you) and the Product for analysis and generation of the Pindrop Score.
(r) “Outputs” means the data or information portion of a Product that are generated using Pindrop’s proprietary technology and applicable to a
Product’s analysis of a particular Call (including by way of example only a Pindrop Score, System Labels, Proprietary Prints or audio recording of a
Call, as applicable).
(s) “Pindrop Database” means Pindrop’s proprietary database that includes the Fraudulent Call Data as well as the same or similar data with respect
to calls associated with fraudulent or suspicious activity provided by Consortium Members and other information derived from third party data
providers and Pindrop’s or its affiliates’ own research efforts.
(t) “Pindrop Property” has the meaning assigned in Section 6(f) (Pindrop Property) of this Agreement.
(u) “Pindrop Score” means the scoring metrics, data or reasons for a scoring metric provided by Pindrop’s proprietary processes, including
statistical and audio models (e.g., phoneprints), intended to predict the likelihood of a phone transaction being fraudulent or suspicious or from
someone other than an authenticated caller, as applicable depending on the features and functionality of a given Product.
(v) “Pre-Ga Offering” means a product or a potential new feature of functionality for an existing Product for which you have a subscription that is
provided in a Pindrop-managed lab environment and identified as “Beta,” “Limited Availability,” “Pre-Release” or similar designation or that is
otherwise identified by Pindrop as unsupported.
(w) “Product” means the Pindrop product(s) ordered by you under a Reseller Order and the Pre-Ga Offerings.
(x) “Professional Services” or “PS” means any implementation services (which may include installation, configuration, project management,
process reviews and associated policy or procedure development, testing or go-live support), training or other optional services provided by Pindrop as a subcontractor to the Authorized Reseller under a Reseller Order.
(y) “Proprietary Prints” means, based on the features and functionality of a given Product and as examples, the Call Heuristics, DTMF, device
features (such as Digital Signal data), Toneprint™, Phoneprint™ and voice features that are derived by the Product after analysis of a Call, as
applicable.
(z) “Reseller Order” means a document entered into between you and the Authorized Reseller pursuant to Your Agreement that describes the
Product(s) and/or related Services that will be provided to you and covered by this Agreement.
(aa) “Services” means PS or Support Services provided to you under a Reseller Order.
(bb) “Subscription Term” means the time period that you have the right to access and use a Product, as reflected in the relevant Reseller Order.
(cc) “Support Services” means the support and maintenance services provided by Pindrop to the Authorized Reseller in connection with a given
Product.
(dd) “Support Tools” means (i) software, web analytics tools or other technology used by Pindrop or its affiliates to (1) monitor, maintain or
improve the performance, integrity or security of a Product; (2) identify portions of a Product that may require maintenance (including without
limitation Errors that may require correction); (3) understand user behavior with a given Product (e.g., what feature or functionality is preferred),
which may include the recording of a user’s session while logged in to the Product; and (4) manage subscription-related metrics (e.g., quantity of
Calls or expiration of a given Subscription Term); or (ii) cookies that are set on a user’s browser and used by Pindrop or its affiliates for the purpose
of identifying Users and your systems interacting with the Product or to logout a user after a period of inactivity, including the general location (e.g.,
city, state or country) of the IP addresses associated with users who login into and use a Product.
(ee) “System Label” means a label(s) automatically assigned to a Call (i) after it is dispositioned by an automated policy (as configured within the
Product) or manually by a User as fraud/genuine and/or authenticated/non-authenticated; or (ii) to indicate it was answered or not answered during
the course of being analysed by a Product, in each case, as applicable based on the features and functionality of the Product.
(ff) “Telco Network Call Data” means, collectively, CPNI and Call Processing Data.
(gg) “User” means an individual who is authorized by you to use a Product and who has been assigned by you (or, when applicable, Pindrop or its
affiliates at your request), a user identification number and password in to access such Product.
(hh) “Work Product” means any inventions, discoveries, software or other works of authorship (including, without limitation, configuration of a
Product), and other proprietary materials or work product developed by or for Pindrop or its affiliates, alone or with others, in the course of Pindrop’s
performance of Services, including any and all related and underlying software, databases (including data models, structures, and non-specific data to you contained therein), specifications, technology reports and documentation.
(ii) “Your Agreement” means the written agreement between you and the Authorized Reseller pursuant to which the Authorized Reseller will make
the Products and Services available to you.
(jj) “Your Call Center Infrastructure” means your telephony solution with which you will use a Product, including the Media Relay Services, as
contemplated in the Reseller Order.
(kk) “Your Call Data” means the data and information that are uploaded, transmitted, input or otherwise provided or made available by you to
Pindrop in connection with a Product. The phone number for the caller, audio (i.e., spoken content), signaling and call-related metadata from your
telecommunications network for a given Call are examples of Your Call Data.
(ll) “Your Phone Number” means the then-current phone number(s) designated by you, where calls made to that number(s) will be analyzed by a
Product.
2. Engagement Model.
Except as expressly provided otherwise in this Agreement, you shall look solely to the Authorized Reseller with respect
to your rights and obligations the Products and Services (including payment of any applicable fees), as such are detailed in Your Agreement and the
Reseller Orders, as applicable.
3. General Pindrop Responsibilities.
(a) Provision of Products and Services. Pindrop will make the Products and Services available to you (i) subject to the terms and conditions of
this Agreement; and (ii) solely for lawful purposes and use.
(b) Protection of Your Call Data. During the term of this Agreement and for as long as Pindrop maintains you Confidential Information within
the Pindrop-Controlled Systems (as defined in Exhibit C (Pindrop Information Security and BCP Programs)), Pindrop will have and maintain the
information security program and safeguards as detailed Exhibit C (Pindrop Information Security and BCP Programs).
(c) BCP Program. Pindrop will maintain and administer a Business Continuity Program (“BCP”) for the Products, as detailed in Exhibit C
(Pindrop Information Security and BCP Programs).
4. Use of Products and Services.
(a) Subscriptions. Unless otherwise provided in the Reseller Order, the Products and Services are purchased as subscriptions for the Subscription
Term stated in such Reseller Order.
(b) Access to and Use of Products and Services. You have the right to access and use the applicable Products and Services subject to the terms of the applicable Reseller Order, this Agreement and the Documentation. The Product may contain certain Third-Party Software Components (defined below). Your right to use the Third-Party Software Components shall be subject to the relevant third-party terms identified within the Product and/or the Product’s associated Documentation applicable to each Third-Party Software Component. For purposes of this Section, “Third-Party Software Components” means the third-party software bundled with or included the Product for which Pindrop has an obligation to pass-through the applicable open source or proprietary commercial software license terms directly to you from the applicable third party licensor.
(c) Your General Responsibilities. You will (i) be responsible for your Users’ compliance with this Agreement, the applicable Documentation
and Reseller Orders; (ii) be responsible for the accuracy, quality and legality of Your Call Data, including as detailed in Section 7 (Your
Responsibility Statement) of this Agreement, and, with respect to the transmissions of Your Call Data via the Product, you will also comply with
Pindrop’s current acceptable use policy available at here; (iii) use commercially reasonable efforts to prevent unauthorized access to and use of the Products and Services, and notify Pindrop promptly of any such unauthorized access or use; (iv) use the Product(s) (including the Outputs) solely to perform phone number fraud verification and/or authentication for your own products or services based on the features and functionality enabled in a given Product and for no other purpose (e.g., not for credit decisioning purposes or to determine a consumer’s eligibility for credit or insurance, or for any other permissible purpose set forth in the FCRA (as defined below)); and (v) except as expressly provided otherwise in this Agreement, be solely responsible for, and agree to comply with, all applicable Laws with respect to your access and use of the Products and Services. For clarity, Pindrop is not a consumer reporting agency and none of the information provided through the Products constitutes a “consumer report”, as such term is defined in the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681 et seq.
(d) Restrictions. You will not: (i) make any Pindrop Property available to anyone other than you or your Users, or use any Pindrop Property for the
benefit of anyone other than you or your affiliates; (ii) sell, resell, sublicense, distribute, rent or lease the Pindrop Property in any manner (including
without limitation in any service bureau or outsource offering); (iii) copy, modify or create derivative works of all or any portion of the Pindrop
Property; (iv) except to the extent permitted by applicable Law, disassemble, reverse engineer or decompile all or any portion of the Pindrop Property in any manner; (v) frame or mirror any part of the Products, other than framing on your own intranets or otherwise for your own internal business purposes of as permitted in the Documentation; (vi) manually enter and/or import any Your Call Data into a Product that would or could violate Payment Card Industry Data Security Standard (PCI DSS), as amended from time to time, including by way of example only, a credit security
validation (CSV) number and a credit card account number (the “PCI Restriction”); (vii) attempt to gain unauthorized access to the Products or
related systems or networks, or permit direct or indirect access to or use of the Pindrop Property in a way that circumvents contractual usage or
security restrictions; (viii) access or use the Pindrop Property to (A) build a competitive product or service, (B) build a product or service using
similar ideas, features, functions or graphics of the Pindrop Property, or (C) copy any ideas, features, functions or graphics of the Pindrop Property;
or (ix) directly or indirectly authorize any third parties to do any of the foregoing. Any use of the Products in violation of this Agreement or the
applicable Reseller Order or that in Pindrop’s commercially reasonable business judgment threatens the security, integrity or availability of the
Product to Pindrop’s or its affiliates’ customers, may result in immediate suspension of your access to the Product. However, Pindrop will use
commercially reasonable efforts under the circumstances to provide you with written notice (email is sufficient) and an opportunity to remedy such
violation or threat prior to suspension. Further, if a breach occurs with respect to the Outputs, Pindrop reserves the right to require you to delete
and/or destroy the Outputs (as well as any derivative works, benchmarking or competing solution) in your possession or control.
(e) Special Terms for Pre-Ga Offerings. Pindrop may make Pre-GA Offerings available to you from time to time and Pre-GA Offerings are
subject to the same terms and conditions in this Agreement and each relevant Reseller Order, except as provided otherwise in this Section or a
Reseller Order. Pre-GA Offerings are provided on an “as is” basis and are not included in the Support Program Terms or Pindrop’s business
continuity program, as detailed in Section 3(c) (BCP Program), and may be changed, suspended or discontinued by Pindrop at any time with prior
notice to you. Except as expressly indicated otherwise in a written notice from Pindrop or the Documentation for a given Pre-GA Offering, your
access and use of a Pre-GA Offering is limited to your employees and the Authorized Geography, is solely for internal evaluation and/or testing
purposes, and is subject to any additional terms identified and mutually agreed to by Pindrop and you in writing, including geography or call traffic
(i.e., “test” or production calls) restrictions. Either party may terminate your use of a Pre-GA Offering at any time with written notice to the other
party.
5. Confidentiality.
(a) Use and Disclosure. With respect to any Confidential Information a party receives (“Receiving Party”) from the other party (“Disclosing
Party”), the Receiving Party shall: (i) keep such information confidential; (ii) use the same degree of care for the Disclosing Party’s Confidential
Information that it uses for its own Confidential Information, but in no event less than reasonable care; (iii) not use the Confidential Information other
than in connection with the performance of this Agreement and each Reseller Order; and (iv) not divulge the Confidential Information to any third
party. Receiving Party agrees to use all reasonable steps to ensure that the Disclosing Party’s Confidential Information is not disclosed by a
Receiving Party Representative (defined below) in violation of this Section. You also agree that you shall not disclose the results of benchmark tests
or any other evaluation of any Pindrop Property to any third party without Pindrop’s prior written approval. For purposes of this Section, “third
party” excludes the Receiving Party or its affiliates employees, contractors, subcontractors attorneys, accountants or other professional advisors of
the Receiving Party, as long as such representative (1) has a commercially reasonable need to know and access such Confidential Information in
connection with the authorized purposes; and (2) is under contractual or fiduciary confidentiality obligations substantially equivalent to the terms and conditions of this Section (each a “Receiving Party Representative”). A Receiving Party is responsible for a breach by the Receiving Party
Representative of the confidentiality obligations to same extent as the Receiving Party itself.
(b) Exclusions. Confidential Information shall not include information that: (i) is or becomes generally known or available to the public at large other than as a result of a breach by the Receiving Party of any obligation to the Disclosing Party; (ii) was known to the Receiving Party free of any obligation of confidence prior to disclosure by the Disclosing Party; (iii) is disclosed to the Receiving Party on a non-confidential basis by a third party who did not owe an obligation of confidence to the Disclosing Party; or (iv) is developed by the Receiving Party independently of and without reference to any part of the Confidential Information. Confidential Information shall not be deemed to be in the public domain or generally known or available to the public merely because any part of said information is embodied in general disclosures or because individual features, components or combinations thereof are now or become known to the public.
(c) Limited Exceptions. Confidential Information may be disclosed in response to a valid order by a court or other governmental body of the
United States or any political subdivision thereof, as otherwise required by law, or as necessary to establish the rights of either party under this
Agreement, provided that the party making such disclosure must provide written notice to the other party prior to such disclosure in order to provide the other party with a reasonable opportunity to obtain a protective order or otherwise protect the confidentiality of such information. During the term of this Agreement, the Receiving Party may publicize the existence of the relationship between Pindrop and you in connection with the Products or Services being provided under Reseller Order(s) and Pindrop may list your name on Pindrop’s standard customer lists.
6. Proprietary Rights and Other Licenses.
(a) Use of Your Call Data. You grant Pindrop, its affiliates and applicable subcontractors a limited-term license to collect, use, record, host,
transmit and process Your Call Data as necessary to provide, maintain and support the Product for you in accordance with this Agreement, each
Reseller Order and the applicable Documentation.
(b) Your Use Rights. Subject to the terms and conditions of this Agreement, Pindrop hereby grants to you a limited, non-exclusive, non-
transferable (except as expressly provided in this Agreement with respect to the entire agreement) right (i) during the applicable Reseller Order to access and use a Product solely within the Authorized Geography; and (ii) during and after expiration of the applicable Subscription Term to retain and use the portion of the Outputs that are available via the outbound API feed(s) or standard export functionality from the Product solely for your internal business and recordkeeping purposes; provided that (A) the Outputs remain the Confidential Information of Pindrop and subject to the
obligations of confidentiality and use restrictions set forth in this Agreement; and (B) you shall not create any derivative works nor use the Outputs to create a competing solution. For clarity, to the extent Your Call Data (such as the phone number of a caller) is contained in an Output, nothing in this Section shall restrict your right to use your own Your Call Data in any manner.
(c) Data Privacy Terms. The terms and conditions in Exhibit A (Data Privacy Terms) of this Agreement shall apply, as applicable.
(d) Support Terms. Pindrop and its affiliates use Support Tools. Notwithstanding anything to the contrary in this Agreement and subject to the
use restrictions below, you agree that Pindrop and its affiliates can also collect, analyze, retain and use the usage, statistical, caller phone number and other log data collected by Support Tools (the “Support Data”) to maintain, develop, manage, administer and improve Pindrop’s and its affiliates’
products and services, including the Products and Services (the “Product Improvement Purposes”). Except where Pindrop or its affiliates are using
the Support Data for your sole benefit in its provision of the Products and Services to you (such as to respond to trouble tickets), Pindrop and its
affiliates will only use the Support Data for Product Improvement Purposes if the Support Data has been aggregated with other comparable data from other customers and then implemented by Pindrop as a general, customer-agnostic improvement to the general usability or efficacy of Pindrop’s or its affiliates’ products and services (i.e., in a manner that does not identify you or any individual person within your company as the source of that data or any individual or phone number of an individual who called you for the benefit of other customers). You agree that Pindrop’s and its affiliates’ right to retain and use the Support Data for Product Improvement Purposes shall survive any termination or expiration of this Agreement or any Reseller Orders. You are responsible for disclosing to and obtaining consent from your Users to the collection and use of Support Data, as required by applicable Laws.
(e) Implementation and Product-Specific Terms. The implementation-related and product-specific terms in Exhibit B (Implementation-Related
Terms) shall apply, as applicable.
(f) Pindrop Property. Subject to the limited rights expressly granted by Pindrop under this Agreement, Pindrop and its affiliates and its and their
licensors and third party providers reserve and retain and own all rights, title and interests the Products (including Outputs), the Services (including
Work Product) and all updates, upgrades, derivative works, modifications, conversions, improvements or the like made to each of the foregoing,
together with all intellectual property rights embodied therein (collectively, the “Pindrop Property”). You agree to retain and reproduce all
copyright, trademark and other proprietary notices contained on or in the Pindrop Property as delivered to you on all copies of such Pindrop Property and shall not seek to remove any such notices.
(g) Your Property. Subject to the limited rights expressly granted by you under this Agreement or a Reseller Order, you retain and own all rights,
title and interests in all intellectual property rights in and to the Your Call Data, Your Phone Number and Your Call Center Infrastructure.
(e) Feedback. You may, at your sole election, provide Feedback to Pindrop or its affiliates to help identify ways in which Pindrop or its affiliates
may improve or expand their product and service offerings for its customers. If provided, you agree to assign and hereby assign to Pindrop all rights,
title and interests in and to the Feedback.
7. Your Responsibility Statement.
You warrant, acknowledge and agree that (i) you will, on behalf of itself and Pindrop and its affiliates as its
service provider(s), provide all required consumer notices and disclosures and, where required, secure consents in compliance with all applicable
Laws with respect to the Outputs and Your Call Data (including Your Personal Information and in relation to the locations where the Outputs and
Your Call Data may be collected, stored and processed by Pindrop as a service provider or its service providers, each as set out in more detail in
Exhibit A (Privacy Terms)); and (ii) you will have and maintain privacy policies and terms and conditions with your customers that are compliant with its obligations and applicable Laws and permit the use and sharing of information processed, analyzed or created by a Product (including the
creation of Outputs) and/or contributed to the Pindrop Database as contemplated in Agreement or a Reseller Order (collectively, the responsibilities
under (i) and (ii) shall be referred to as the “Customer Commitments”). If you are a “Financial Institution” under the Gramm-Leach-Bliley Act (the “GLBA”), then (A) you further warrant that your Customer Commitments are also compliant with your obligations as a Financial Institution under the GLBA; and (B) for the duration of your access to and use of the Product(s) and Services, you hereby appoint Pindrop as a special agent for you with limited authority to perform functions inherent in the Products and Services as necessary for you to analyze Calls for the purposes of (1) protecting you and your customers from fraud and (2) enhancing security in connection with customer transactions. The limited authority granted above is the “Limited Authority Agency.” Pindrop has no right, power, or authority to bind you or create any obligation or responsibility on your behalf beyond the Limited Authority Agency. If Pindrop, in its good faith judgment, believes that the Products are being used in a manner that is not compliant with applicable Laws or that such use could result in noncompliance with applicable Laws and/or such use could subject you or Pindrop to a claim for liability for noncompliance, Pindrop reserves the right to modify its Products or Services accessed or used by you as deemed reasonably necessary to address such noncompliance. You agree to cooperate with Pindrop to the extent reasonably necessary to effectuate such modifications.
8. Limited Warranties.
EXCEPT AS PROVIDED OTHERWISE IN THIS AGREEMENT , TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE
PINDROP PROPERTY IS PROVIDED TO YOU “AS IS,” AND PINDROP AND ITS AFFILIATES, AND ITS AND THEIR LICENSORS AND THIRD PARTY SERVICE PROVIDERS DISCLAIM ANY AND ALL OTHER PROMISES, REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, QUIET ENJOYMENT, SYSTEM INTEGRATION AND/OR DATA ACCURACY. PINDROP, ON BEHALF OF ITSELF AND AFFILIATES AND ITS AND THEIR LICENSORS AND THIRD PARTY SERVICE PROVIDERS, DOES NOT WARRANT THAT THE PINDROP PROPERTY WILL MEET YOUR REQUIREMENTS, THAT THE OPERATION OR USE OF THE FOREGOING WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ALL ERRORS WILL BE CORRECTED. YOU ACKNOWLEDGE AND AGREE THAT THE DISCLAIMERS, LIMITATIONS AND EXCLUSIONS OF LIABILITY SET FORTH IN THIS AGREEMENT FORM AN ESSENTIAL BASIS OF THE BARGAIN BETWEEN THE PARTIES, AND THAT, ABSENT SUCH DISCLAIMERS, LIMITATIONS AND EXCLUSIONS, THE TERMS OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THE ECONOMIC TERMS, WOULD BE SUBSTANTIALLY DIFFERENT.
9. Limitation of Liability; Consequential Damages Waiver.
(a) Consequential Damages Waiver IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY SPECIAL, INCIDENTAL, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL DAMAGES OF ANY KIND, WHETHER BASED ON DAMAGES, LOSSES OR COSTS INCURRED AS A RESULT OF LOSS OF TIME, LOSS OR CORRUPTION OF APPLICATION OR DATA, LOSS OF PRODUCT OR REVENUE, OR LOSS OF USE OF THE PRODUCTS, REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, NEGLIGENCE, STRICT PRODUCT LIABILITY, OR OTHERWISE, EVEN IF SUCH PARTY HAS BEEN INFORMED OF THE POSSIBILITY OF ANY SUCH DAMAGES IN ADVANCE.
(b) Liability for Direct Damages. THE MAXIMUM AGGREGATE LIABILITY OF EACH PARTY FOR DAMAGES TO THE OTHER ARISING FROM OR RELATED TO THIS AGREEMENT OR ANY PINDROP PROPERTY, WHETHER FOR BREACH OF CONTRACT OR WARRANTY, STRICT LIABILITY, NEGLIGENCE OR OTHERWISE, SHALL NOT:
(i) FOR PINDROP, EXCEED TWO TIMES THE FEES PAID TO PINDROP BY THE AUTHORIZED RESELLER DURING THE
PRECEDING 12 MONTHS FOR THE PRODUCT, WORK PRODUCT OR SERVICE UNDER THE RESELLER ORDER GIVING RISE TO
SUCH LIABILITY; AND
(ii) FOR YOU, EXCEED TWO TIMES THE FEES PAID BY YOU TO THE AUTHORIZED RESELLER DURING THE PRECEDING 12
MONTHS FOR THE PRODUCT, WORK PRODUCT OR SERVICES UNDER THE RESELLER ORDER GIVING RISE TO SUCH LIABILITY.
(c) Exclusions.
(i) Liability for (1) infringement and misappropriation by one party of the other party’s intellectual property rights; (2) a breach by a party
of its confidentiality obligations under this Agreement; (3) fulfillment by Pindrop of its obligations and liabilities pursuant to Section 10(a)
(Infringement Claims Coverage) and, as a Responsible Party, pursuant to Section 10(c) (Procedural Requirements for Third Party Claims); (3)
fulfillment by you of your obligations and liabilities pursuant to Section 10(b) (Your Coverage for Third Party Claims) and, as a Responsible Party,
pursuant to Section 10(c) (Procedural Requirements for Third Party Claims)shall each be excluded from the limitations on liability in Sections 9(a)
(Consequential Damages Waiver) and 9(b) (Liability for Direct Damages). Responsible Party has the meaning assigned in Section 10(c) (Procedural
Requirements for Third Party Claims).
(ii) Liability for a breach by you of Section 7 (Your Responsibility Statement) and the PCI Restriction shall each be excluded from the limitations of liability in Section 9(b) (Liability for Direct Damages).
10. Responsibility for Third Party Claims.
(a) Infringement Claims Coverage. Pindrop agrees, at its expense, to defend, indemnify and hold harmless you from and against any and all third party claims, actions or demands and legal proceedings, liabilities, damages, losses, and judgments or authorized settlements, and reasonable costs and expenses as incurred, including without limitation attorney’s fees, where the third party alleges that a Product furnished to you and used within the scope of and in compliance with this Agreement infringes a U.S. copyright or any U.S patent issued as of the Effective Date. Pindrop is not responsible under this Section for any infringement arising out of or related to: (A) modification of a Product by anyone other than Pindrop, where the Product would not infringe except for that modification; (B) any infringement arising out of any combination of the Product with other software, hardware, processes or materials not provided by Pindrop, where the Product would not infringe except for such combination; (C) Third-Party Software Components, when taken on a stand-alone basis and not in combination with other elements of the applicable Product; (D) your use of a version of the Product other than the most current release of the Products that results in a claim or action for infringement that could have been avoided by use of the current release, provided that Pindrop has supplied you with the most current release at no additional fee; or (E) any Your Call Data, where the Product would not infringe except for that Your Call Data. If a Product is held or believed by Pindrop to infringe, Pindrop may, at its sole option and expense, elect to: (w) modify the Product so that it is non-infringing; (x) replace the Product with non-infringing products which are functionally equivalent or superior in performance; (y) obtain a license for you to continue to use and access the Product as provided hereunder; or (z) terminate the license for the infringing Product and refund any prepaid but unused license fees paid for such Product under the impacted Order. THE RIGHTS GRANTED TO YOU UNDER THIS SECTION 10(a) SHALL BE YOUR SOLE AND EXCLUSIVE REMEDY FOR ANY CLAIM OF INFRINGEMENT OR MISAPPROPRIATION RELATED TO THE PRODUCTS AND THE THIRD PARTY CLAIMS DESCRIBED IN THIS SECTION 10(a).
(b) Your Coverage for Third Party Claims. You agree, at its expense, to defend, indemnify, and hold harmless Pindrop and its affiliates (each a
“Pindrop Party”) and the Authorized Reseller from and against any and all third party claims, actions, demands and legal proceedings, liabilities,
damages, losses, and judgments or authorized settlements, and reasonable costs and expenses as incurred, including without limitation attorney’s
fees, arising out of or in connection with any alleged or actual breach of (i) Section 7 (Your Responsibility Statement) or violation of other applicable
Laws for which you are responsible under this Agreement in connection with your use of or access to the Products or Services by you and any of
Your Authorized Users, including the collection, processing, analysis, creation, storage and retention of Your Call Data and Outputs; and (ii) the PCI
Restriction.
(c) Procedural Requirements for Third Party Claims. For each party to be responsible for its indemnification obligations under Sections
10(a) (Infringement Claims Coverage) or 10(b) (Your Coverage for Third Party Claims), as applicable (the “Responsible Party”), the other party
(the “Covered Party”) shall (i) promptly notify the Responsible Party in writing of its receipt of notice of any claim or when it discovers facts on
which the Covered Party intends to base a request for indemnification under such Section(s) (each a “Claim Notice”); (ii) afford the Responsible
Party the choice to control the defense and all related settlement negotiations of such claim; provided that the Covered Party can participate at its own expense; and (iii) provide the Responsible Party with reasonable assistance, information and authority necessary to perform its obligations under Sections 10(a) or 10(b) above. Each party, as a Responsible Party, agrees to keep the Covered Party reasonably informed as to the status of the Responsible Party’s efforts in connection with the defense or settlement of claims on behalf of the Covered Party and reasonably consult with the Covered Party (or the Covered Party’s counsel) concerning such efforts. Notwithstanding anything to the contrary in Section 10(c)(i), a Covered Party’s failure to provide a Claim Notice does not relieve the Responsible Party of its liability to the Covered Party under Sections 10(a) or 10(b), as applicable, unless such delay materially prejudices the Responsible Party’s defense or the scope of the Responsible Party’s liability for the applicable third party claim. Notwithstanding anything to the contrary in Section 10(c)(ii), the following apply:
(A) The Responsible Party agrees it will not, without the Covered Party’s written approval, make any admission of facts that expose the Covered
Party to any liability, require the Covered Party to take or cease to take any action (including without limitation any requirement to make payments),
or expose the Covered Party to other claims that are not covered by the obligations for the applicable claim under Section 10. However, if the
Responsible Party is required by applicable Law to make an admission, the Responsible Party may proceed in making such admission without the
Covered Party’s prior approval; provided the Responsible Party provides written notice to the Covered Party with a reasonable opportunity to obtain
a protective order or otherwise address such requirement with the appropriate authority.
(B) If the Responsible Party fails to respond to a Claim Notice or refuses to assume the defense of a claim tendered in good faith within 10 days of
its receipt of the Claim Notice from the Covered Party with respect to a claim for which it is seeking indemnification under this Section 10, then the
Covered Party may proceed to defend or otherwise settle the claim as the Covered Party deems reasonably appropriate and the Responsible Party
agrees to reimburse the Covered Party with respect to all defense costs and expenses or damages incurred with respect to such claim, as incurred.
11. Term and Termination.
(a) Term of Agreement. The term of this Agreement shall commence on the Effective Date and continue for the duration of the initial Reseller
Order (“Initial Term”), unless terminated sooner. Any Reseller Orders in effect at the time the Initial Term expires will continue for the duration
specified in such Reseller Orders and the terms and conditions of this Agreement shall continue to apply with the same effect until such Reseller
Order(s) terminate(s) according to its terms or is terminated earlier for cause in accordance with the below terms.
(b) Mutual Rights of Termination. Either party to this Agreement may terminate this Agreement if the other party materially breaches any section
of this Agreement and fails to cure such breach upon 30 days prior written notice by the non-breaching party (the “Cure Period”) specifying the
nature of the breach and the actions required to cure the breach.
(c) For Cause Termination. Where Pindrop rightfully terminates this Agreement pursuant to Section 11(b) (Mutual Rights of Termination), you
acknowledge and agree that Pindrop can also instruct the Authorized Reseller to immediately terminate the impacted Reseller Order(s) upon written
notice to you without liability of any kind or nature incurred by either Pindrop or the Authorized Reseller. Where you rightfully terminate this
Agreement pursuant to Section 11(b) (Mutual Rights of Termination), any corresponding rights you may have to terminate the impacted Reseller
Order(s) shall be pursuant to the terms in Your Agreement and such Reseller Order(s) with the Authorized Reseller.
(d) Obligations Upon Termination. Upon the expiration or termination of this Agreement or a Reseller Order for any reason, all rights and
licenses granted to you under this Agreement and all impacted Reseller Orders shall immediately terminate and all impacted Pindrop Property shall,
at Pindrop’s sole option, be returned to Pindrop or destroyed by you. Further, upon request by a Disclosing Party, a Receiving Party agrees to (i)
destroy the Disclosing Party’s Confidential Information in its possession or control; and (ii) confirm in writing to the Disclosing Party that it has
complied with the destruction instructions with respect to the Disclosing Party’s Confidential Information. However, with respect to any Confidential
Information (1) in the Receiving Party’s or its subcontractors’ archive (including legal archives and business records generated in the delivery and
support of the Products and Services), back-up or other comparable systems or servers; (2) expressly authorized in this Agreement or Reseller Order; or (3) retained to comply with litigation holds or applicable Law, such Confidential Information is only required to be destroyed in accordance with the Receiving Party’s and its subcontractors’ then-current data retention policies, litigation hold or applicable Law, whichever is the longest of the retention requirements. You understand and agree that Pindrop has no obligation to save or otherwise make all or any portion of the Outputs
available after the effective termination date of a Reseller Order. The terms in this Section 11(d), all defined terms, terms which expressly survive
and the rights and obligations contained in Sections 2 (Engagement Model), 3(b) (Protection of Your Call Data), 5 (Confidentiality), 6(d) (Support
Terms), 6(f) (Pindrop Property), 6(g) (Your Property), 6(h) (Feedback), 8 (Limited Warranties), 9 (Limitation of Liability; Consequential Damages
Waiver), 10 (Responsibility for Third Party Claims), 12 (Audits), and 13 (General) shall survive any expiration or termination of this Agreement and
any Reseller Orders.
12. Audits
During the term of this Agreement and for a period of 6 months after the Term, upon reasonable prior written notice to the other party
(email is sufficient), a party to this Agreement (an “Auditing Party”) shall have the right, at its expense, to conduct (or have a third party conduct, or
in the case of Pindrop, may also involve the Authorized Reseller) an audit, assessment, examination or review of relevant documentation, materials
or systems of the other party (the “Audited Party”) for the sole purpose of assessing compliance by the Audited Party with the terms and conditions of this Agreement and any usage rights applicable to the Pindrop Property relevant to each Reseller Order (e.g., quantity of Calls included with the Subscription Term). The Audited Party shall reasonably cooperate with any such request by providing reasonable access to knowledgeable personnel, systems, documentation, and other reasonably requested information. You acknowledge and agree there may be restrictions on your ability to conduct audits on Pindrop’s subcontractors.
Audits shall not be conducted more than once per year (unless a material non-compliance is detected in which case an additional audit may be
performed to verify that any agreed to corrective actions have been taken). Additionally, audits must be conducted during normal business hours and in a manner not to unreasonably disrupt the Audited Party’s day to day business Any site visit at the Audited Party and/or audit of the Audited
Party’s procedures, systems and equipment shall be subject to such reasonable policies and practices of the Audited Party that are in effect for any site visits and audits of the Audited Party to maintain the security of the Audited Party’s site, its systems and equipment and the confidentiality of
information which is proprietary and confidential to the Audited Party and that of any of its other customers or vendors. An Audited Party will not
be required to give access to or disclose any confidential information of a third party or any attorney-client privileged information. The Auditing
Party has no obligation to share any of its audit results with the Audited Party. However, the results of any audit shall constitute Confidential
Information of both parties, and in all cases, be subject to the confidentiality obligations under this Agreement with respect to Confidential
Information contained in the audit report(s).
13. General.
(a) Export Compliance. The Pindrop Property and derivatives thereof may be subject to export laws and regulations of the United States and other
jurisdictions. Each party represents that it is not on any U.S. government denied-party list. You will not permit any User to access or use any Pindrop
Property in a U.S.-embargoed country or region (currently Cuba, Iran, North Korea, Syria or Crimea) or in violation of any U.S. export law or
regulation or other equivalent laws of other jurisdictions, as applicable.
(b) Governing Law; Jurisdiction and Attorneys’ Fees. This Agreement will be governed by and construed in accordance with the laws of the
State of Delaware, without regard to its conflict of law provisions. With respect to any legal disputes between you and Pindrop arising out of or
related to this Agreement, you and Pindrop irrevocably consent to the exclusive personal jurisdiction of the federal courts located in Delaware or, if
the Federal courts do not have jurisdiction, in the Superior Court of the State of Delaware, and any appellate court from any such state or Federal
court. In the event of any dispute arising out of or related to this Agreement, the prevailing party shall be entitled to recover its reasonable attorneys’ fees and costs.
(c) Drafting. The section headings appearing in this Agreement are inserted only as a matter of convenience and in no way define, limit, construe
or describe the scope or extent of such section or in any way effect such section. In this Agreement, words importing the singular number include the plural and vice versa and words importing gender include all genders.
(d) Notices. All notices permitted or required under this Agreement shall be in writing and shall be delivered as follows with notice deemed given
as indicated (i) by personal delivery when delivered personally; (ii) by commercially established courier service upon delivery or, if the courier
attempted delivery on a normal business day and delivery was not accepted, upon attempted delivery; or (iii) by certified or registered mail, return
receipt requested, 10 days after deposit in the mail. Notice will be sent to the parties at the addresses as each party shall notify the other of in writing or, in the case of Pindrop, it can rely on the address on record with the Authorized Reseller for notification purposes. Pindrop’s notice information is as follows: Pindrop Security, Inc., Attn: Legal Department, 1115 Howell Mill Road NW, Suite 700, Atlanta, GA 30318, with copy to:
[email protected].
(e) Waivers; Severability. Neither party shall by mere lapse of time without giving notice or taking other action be deemed to have waived any
breach by the other party of any of the provisions of this Agreement. Further, the waiver by either party of a particular breach of this Agreement by
the other party shall not be construed as, or constitute, a continuing waiver of such breach, or of other breaches of the same or other provisions of this Agreement. If any provision of this Agreement shall be held illegal, unenforceable, or in conflict with any law of a federal, state, or local
government having jurisdiction over this Agreement, the validity of the remaining portions or provisions hereof shall not be affected.
(f) Force Majeure. Neither party shall be liable for any failure or delay in performance under this Agreement which might be due to strikes,
shortages, riots, insurrection, fires, flood, storm, other weather conditions, explosion, acts of God, war, government action, inability to obtain delivery of parts, supplies or labor, labor conditions (including strikes, lockouts or other industrial disturbances), earthquakes, riots or acts of terrorism, epidemic, pandemic or any other cause which is beyond the reasonable control of such party (each a “force majeure event”). The occurrence of a force majeure event shall not relieve Pindrop of its obligation to implement its disaster recovery plan or provide disaster recovery services with respect to an impacted Product, as contemplated in Section 11 (BCP Program) of Exhibit C (Pindrop Information Security and BCP Program) attached.
(g) Assignment. This Agreement may not be assigned or transferred without the prior written consent of Pindrop. Pindrop may assign this
Agreement to any third party who succeeds to substantially all of Pindrop’s assets and business related to the Products by merger or purchase,
provided that the assignee assumes this Agreement by an instrument in writing.
(h) Entire Agreement. This Agreement (i) is the complete agreement between the parties with respect to the subject matter hereof and supersedes
any and all prior agreements and understandings; and (ii) may be amended only in a writing that refers to this Agreement and is signed by both
parties. The parties are independent contractors. Except as expressly agreed by the parties, neither party will be deemed to be an employee, agent,
partner or legal representative of the other for any purpose and neither will have any right, power or authority to create any obligation or
responsibility on behalf of the other. To the extent of any conflict between this Agreement and Your Agreement or any Reseller Order with respect
to the Pindrop Property or Pindrop’s Confidential Information, this Agreement shall control.
(h) Entire Agreement. This Agreement (i) is the complete agreement between the parties with respect to the subject matter hereof and supersedes any and all prior agreements and understandings; and (ii) unless expressly authorized otherwise in this Agreement, may be amended only in a writing that refers to this Agreement and is signed by both parties. The parties are independent contractors. Except as expressly agreed by the parties, neither party will be deemed to be an employee, agent, partner or legal representative of the other for any purpose and neither will have any right, power or authority to create any obligation or responsibility on behalf of the other. To the extent of any conflict between this Agreement and Your Agreement or any Reseller Order with respect to the Pindrop Property or Pindrop’s Confidential Information, this Agreement shall control.
(i) Injunctive Relief. Notwithstanding any other provision of this Agreement, any violation by either party to this Agreement of the other party’s
intellectual property or proprietary rights will cause irreparable damage for which recovery of money damages would be inadequate, and the
aggrieved party will therefore be entitled to seek timely injunctive relief to protect such party’s rights, without the need to post bond.
(k) Limited Right to Modify Terms. If there is a change in any applicable Law, litigation or the regulatory landscape which affects this
Agreement, or the activities of either party under this Agreement, and a party reasonably believes in good faith that the change will have a substantial adverse effect on that party’s rights or obligations under this Agreement, then such party may, upon written notice, require the other party to enter into good faith negotiations to renegotiate the terms of this Agreement, with such notice providing reasonable detail as to the nature of any proposed modification. Pindrop also reserves the right, within Pindrop’s discretion, to modify this Agreement applicable to new features or functionality for the Products or new Services it plans to make available generally commercially available to its customers (each a “Product/Service Update”), provided that such changes shall be effective no sooner than 60 days after email notice to you (the “Product/Service Notice Period”). If Pindrop issues a written notice to you to modify this Agreement under this Section, you agree to notify Pindrop in writing within 30 days of receiving such notice of any objections to the proposed change(s). If you do not object to an Product/Service Update within the Product/Service Notice Period, then the changes are deemed accepted by you. Notwithstanding the foregoing, if Product/Service Update is nonmaterial or beneficial to you, such Product/Service Update will become effective upon notice by Pindrop without the process described above.
Exhibit A - Data Privacy Terms
1. Definitions.
(a) “Aggregate Data” means information that relates to a group or category of individuals, from which individual identities have been removed, that
is not linked or reasonably linkable to any individual or household.
(b) “Data Protection Law(s)” means any and all Laws applicable to Pindrop’s Processing of Personal Information under this Agreement.
(c) “Deidentified Data” means information that cannot reasonably identify, related to, described, be capable of being associated with, or linked,
directly or indirectly, to a particular individual.
(d) “Personal Information” shall have the meaning as ascribed to it, or to a similar term (including, without limitation, “personal data”) under
applicable Data Protection Law.
(e) “Process”, “Processing”, or “Processed” means any operation that is performed on Personal Information, whether or not done by automated
means, or as it or a similar term is otherwise defined under applicable Data Protection Law.
(f) “Processing Purpose” means the purpose for which Pindrop is Processing Your Personal Information as set forth in Section 2(b) of this Exhibit
A.
(g) “sale”, “sell”, or “selling” shall have the meaning as ascribed to it under applicable Data Protection Law.
(h) “Business”, “Controller”, “Processor”, and “Service Provider” shall have the meaning as ascribed to it or to a similar term under applicable Data
Protection Law.
2. Processing Purpose. With respect to Pindrop’s provision of the Products and Services to you pursuant to this Agreement and the related
Reseller Order(s) (the “Relevant Agreements”):
(a) Pindrop is a Service Provider or Processor (as applicable), with respect to any Personal Information that Pindrop Processes, on your behalf,
pursuant to the Relevant Agreements (“Your Personal Information”);
(b) You have disclosed Your Personal Information to Pindrop and its affiliates for the Processing Purposes of (1) detecting security incidents and
protecting against malicious, deceptive, fraudulent or illegal activity (including populating the Pindrop Database); and (2) assisting in the
authentication of your callers , as well as is reasonably necessary in support of any other valid Processing Purposes that are part of the Products or
Services and that are expressly agreed to by the parties in the Relevant Agreements, including and subject to restrictions on use such as those
applicable to Fraudulent Call Data;
(c) You and Pindrop acknowledge and confirm that Pindrop does not receive any of Your Personal Information as consideration for any Products,
Services or other items provided under the Relevant Agreements; and
(d) You hereby instruct and authorize Pindrop to Process Your Personal Information in connection with Pindrop’s performance and exercise of its
obligations and rights under the Relevant Agreements. Any additional or alternate instructions must be mutually agreed upon in writing.
3. Duration of Processing. Pindrop will only Process Your Personal Information for the duration of the Relevant Agreements and as otherwise
allowed under the Relevant Agreements or applicable Law. Unless retention of Your Personal Information is otherwise permitted under the Relevant
Agreements, at the termination or expiration of the Relevant Agreements, Your Personal Information shall be returned and/or deleted in accordance
with Section 11(d) (Obligations Upon Termination) of the Agreement.
4. Permitted Use. Pindrop will only collect, use, retain, disclose and otherwise Process Your Personal Information (i) for its performance of the
Relevant Agreements and the Services and provision of the Products, including in support of Pindrop’s and its affiliates internal operations as
necessary to the provision of the Products and Services, or (ii) as otherwise necessary for compliance with applicable Laws. Pindrop will ensure that its personnel engaged in the Processing of Your Personal Information are informed of the confidential nature of Your Personal Information and are subject to a duty of confidentiality with respect to Your Personal Information. You hereby instruct and authorize Pindrop to process Your Personal Information in connection with Pindrop’s performance and exercise of its obligations and rights under the Relevant Agreements. Any additional or alternate instructions must be mutually agreed upon in writing.
5. Service Providers. Pindrop may disclose Your Personal Information to, and permit the Processing of Your Personal Information by, its service
providers who perform services on behalf of Pindrop, in support of the provision of the Products and Services to you (each a “Service Provider”). Pindrop will ensure that such Service Providers are subject to equivalent contractual requirements with respect to Your Personal Information that apply to Pindrop under this Exhibit A (Data Privacy Terms). Pindrop shall be responsible for the actions of its Service Providers that breach the terms of this Exhibit.
6. Restrictions. Pindrop is prohibited from selling, retaining, using, disclosing, or otherwise Processing Your Personal Information for any
purpose other than for the Processing Purpose or as otherwise set forth in Section 7 (Deidentified Data and Aggregated Data) of this Exhibit A,
which, for the avoidance of doubt, also prohibits Pindrop from retaining, using, or disclosing Your Personal Information outside of its business
relationship with you or for any other Commercial Purpose. Where permitted by you under the Relevant Agreements, Pindrop may retain use, or
otherwise Process certain Your Personal Information (and combine it with Personal Information from other clients) as reasonably necessary to detect data security incidents, or protect against fraudulent or illegal activity (e.g., as part of the Pindrop Database). Pindrop certifies that it understands and will comply with the foregoing restrictions set forth in this paragraph.
7. Deidentified Data and Aggregated Data. You acknowledge and agree that (a) Pindrop and its affiliates may use Aggregate Data and
Deidentified Data relating to Your Personal Information or derived from the Products and Services, for the purpose of providing the Products and
Services, improving its operations, and enhancing the features, functions, and performance of the Products and Services, and (b) Deidentified Data
and Aggregate Data cease to be Your Personal Information for purposes of the Relevant Agreements, and Pindrop and its affiliates may, during and
after the term of the Relevant Agreements, use, maintain, and disclose such Deidentified Data and Aggregate Data for their own product
improvement and general marketing purposes. However, Pindrop and its affiliates shall not identify you or otherwise disclose you as the source of
any such Deidentified Data or Aggregate Data in any manner in connection with any such product improvement or general marketing purpose. For
clarity, Support Data may, if it meets the criteria set forth in this Section 7, also be used for the purposes authorized in this Section.
8. Audit. You shall have the right to audit Pindrop’s Processing of Your Personal Information and Pindrop’s compliance with this Exhibit A in
accordance with Section 12 (Audits) of the main body of the Agreement. Any report, documents, information, or recorded provided to you or created pursuant to this Section 8 shall be considered Pindrop Confidential Information.
9. Data Subject Requests. If Pindrop receives a complaint, dispute, or request from a data subject to exercise such data subject’s rights under
Data Protection Laws, and Pindrop is able to confirm that such request relates to you, Pindrop shall promptly notify you of such data subject request. Taking into account the nature of Pindrop’s Processing of Your Personal Information, Pindrop shall provide reasonable assistance to you in
responding to data subject requests as required by Data Protection Laws and only to the extent commercially feasible. Unless required by applicable Law, Pindrop shall not respond to or take any action to comply with a data subject request without your approval.
Exhibit B - Implementation and Product-Specific Terms
1. Call Routing. The Product will be implemented and deployed based on an agreed to architecture for the routing of calls (the “Approved
Architecture”). The Approved Architecture will apply for the duration of the applicable Subscription Term, unless Pindrop, the Authorized Reseller
and you mutually agree otherwise in writing.
2. Pindrop Protect Cloud-Specific Terms.
(a) Pindrop Database. During the term of a Reseller Order, the Product will collect, process and analyze Your Call Data. Pindrop and its affiliates
are authorized to use and contribute the Fraudulent Call Data to the Pindrop Database for the purpose of identifying, monitoring and tracking phone-based fraud and suspicious transactions or passively authenticating a caller for the benefit of you, Pindrop’s and its affiliates’ existing or future customers and the Consortium Members (the “Authorized Use of Fraudster Data”). Pindrop will only identify (i.e., “tag”) that the Fraudulent Call Data was provided by you on a pseudonymized basis (e.g., using a code name within the Pindrop Database itself). For clarity, neither you nor any other customer of Pindrop has or will have access to or the ability to view the Pindrop Database or the data stored therein. You agree that the Authorized Use of Fraudster Data shall survive any termination or expiration of this Agreement and the applicable Reseller Orders.
(b) Call Recording Storage Terms. The following call recording storage and related terms shall apply to the configuration reflected in the
applicable Reseller Order:
Your Storage of Your Call Recordings (default configuration unless specified otherwise in the applicable Reseller Order)
The default storage option for call recordings created by a Product in the ordinary course of its use is the use of your own Core Hosting Provider (as
defined below) instance (i.e., under your own and direct account with the Core Hosting Provider (each a “CHP Instance”). For purposes of this
Exhibit, “Core Hosting Provider” or “CHP” means the third party service provider whom Pindrop uses to host the Products covered under a Reseller
Order (e.g., AWS or Google), as reflected in the applicable Reseller Order.
You are solely responsible for all aspects of the CHP Instance, including without limitation, the cost of securing and maintaining the CHP Instances
for the duration of the Reseller Orders as well as the security settings applicable to the CHP Instance.
The CHP Instance will be configured for use with a Product as set forth in the Approved Architecture, which configuration will include, at a minimum,
(i) sufficient administrative and access rights for Pindrop to be able to monitor and maintain the call recordings as needed to deliver the Product as
contemplated in the Documentation and for the Authorized Reseller and Pindrop to provide the maintenance and support for that Product (including
sharing your share IAM credentials including access key, secret key and encryption settings with Pindrop until expiration of the applicable
Subscription Term to enable such access); and (ii) the retention of the call recordings for the Calls as established from time to time based on your
instructions and the standard features and functionality of the Product (collectively, the “Minimum CHP Configuration Requirements”). You
agree to maintain the Minimum CHP Configuration Requirements for the CHP Instance for the duration of all Reseller Orders applicable to the
Product, unless you, Pindrop and the Authorized Reseller mutually agree otherwise in writing.
Upon the expiration or termination of your right to use a Product pursuant to one or more Reseller Orders, you will be responsible for the deletion of
any call recordings from the CHP Instance.
Pindrop Storage of Call Recordings
If the parties agree as part of the Approved Architecture that Pindrop, rather than you, will store the call recordings created by the Product in its
ordinary course of use on behalf of you in Pindrop’s CHP instance (i.e., under Pindrop’s own and direct account with the CHP, such as AWS or
Google) (each a “Pindrop CHP Instance”), then the following terms apply:
(i) Pindrop will maintain the call recordings based on the time period(s) configured within the Product as established from time to time based on
your instructions and the standard features and functionality of such Product.
(ii) Your Named Users will have access to the call recordings through the standard user interface for the Product to enable such Named Users to
disposition a given Call as either fraudulent or genuine. No other administrative access will be granted to you for the Pindrop CHP Instance.
(iii) Upon the expiration or termination of your right to use a Product pursuant to one or more Reseller Orders, then Pindrop will delete any remaining
call recordings from the Calls from the Pindrop CHP Instance.
3. CHP Flow-Down Terms. In providing hosting and related cloud platform services (“CHP Services”) to you and notwithstanding
anything to the contrary in the Agreement, the following terms shall apply and govern with respect to the CHP Services.
You acknowledge and agrees that (a) the CHP may require that Pindrop notify it of any unauthorized access and/or use by you of the CHP Services
and you authorize Pindrop to provide any such required notice to CHP; (b) your receipt of the CHP Services may be subject to legal intercept or
monitoring activities by CHP, its suppliers or local authorities in accordance with its standard business practices and applicable Laws; and (c) you may not use the CHP Services, or any interface(s) provided with the CHP Service, to access or use any other CHP product or service in a manner that violates the terms of service applicable to such other CHP product or service.
4. Managed Service Provider Terms. If you are authorized pursuant to a Reseller Order to bundle a Product as part of Your Managed Services
(defined below), the incremental or different terms and conditions in this Section shall apply. To the extent of any conflict between this Section 5 and any other terms of this Agreement, the terms in this Section 5 shall control.
(a) Definitions.
(i) “Your Customer” has the meaning assigned in Section 10(c) (Procedural Requirements for Third Party Claims) of the main body of the
Agreement.
(ii) “Your Customer Agreement” means a written agreement between you and one of Your Customers pursuant to which you offer Products and
Services as bundled with the Your Managed Services in connection with a Reseller Order.
(iii) “Your Managed Services” means a service whereby you (a) assume, perform or provide the one or more of the following (i) responsibility for
day-to-day operations and management of all or a portion of Your Customer’s call center data processing operations; or (ii) your facility
management, systems integration or similar services in connection with Your Customer’s call center; or (iii) your business process outsourcing
services in connection with your call center services; all regardless of whether the Product is located at the Your Customer’s or a third party location
or your facility, and whether used on the Your Customer’s or third party owned equipment, to the extent applicable, and (b) are accessing and using
the Products and Services on behalf of or for the benefit of Your Customer.
(iv) “Managed Service Customer” means each of Your Customers who have entered into Your Customer Agreement to obtain Your Managed
Services from you.
(b) Bundled Offering. Subject to terms and conditions of this Agreement and the Reseller Order(s), Pindrop grants to you a non-exclusive, non-
transferable, non-assignable right to bundle the Product solely as a non-severable part of Your Managed Services to Your Customers in the
Authorized Geography. You do not have the right to appoint or otherwise authorize any other third party, directly or indirectly, to perform any
activities or exercise any rights granted to you under this Agreement in connection with the Products and Services under this Agreement or any
Reseller Order (whether as a sub-service provider or otherwise). You will not make any false or misleading representations with regard to Pindrop,
its affiliates, the Products or Services or any representations, warranties or guarantees with respect to the Products and/or Services that are
inconsistent the terms of this Agreement or Documentation.
(c) Your Customer-Facing Requirements. The Products and Services bundled by you as part of Your Managed Service shall be made pursuant to
Your Customer Agreement, which shall be no less protective of the Pindrop Property than the applicable terms and conditions in this Agreement. As
between Pindrop and you, you are solely and exclusively liable for all commitments and terms it agrees to in each Your Customer Agreement. Under
no circumstances shall Pindrop be liable to each of Your Customers in connection with Your Customer Agreement. As between Pindrop and you, (i)
you are solely and exclusively responsible for providing appropriate notices and disclosures to each of Your Customers with respect to Your Call
Data and Outputs relative to the Calls applicable to each of Your Customers and how such is collected, used, stored and the like (as detailed in this
Agreement); and (ii) you shall secure and maintain from each of Your Customers the necessary rights for you to grant Pindrop and its affiliates the
rights and licenses under this Agreement and each Reseller Order, and enable you to fulfil and comply with your obligations to Pindrop under this
Agreement and each Reseller Order, including without limitation those terms and conditions applicable to the Your Call Data and Outputs.
(d) Your Service Provider Responsibilities.
(i) Customer-Unique Identifiers. To enable differentiation of Calls, you shall ensure that each of Your Customer is assigned a unique identifier
that is transmitted as part of the Company Call Data to the Product for each Call.
(ii) Your Use of Behalf of Your Customers. In your role as a service provider of Your Managed Services to Your Customers, you are only
permitted to use a Product solely to perform phone number fraud verification and/or authentication on behalf of and solely for each of Your
Customers’ own products or services based on the features and functionality enabled in the Product and for no other purpose (e.g., not for credit
decisioning purposes or to determine a consumer’s eligibility for credit or insurance, or for any other permissible purpose set forth in the FCRA). For
avoidance of doubt, any use or purpose restrictions applicable to you under this Agreement and any Reseller Order shall likewise apply to the
Products and your bundling of such Products as part of Your Managed Services.
(iii) No Access or Use by Your Customers. You acknowledge and agree that neither Your Customer nor any of Your Customer’s personnel shall
have access to or use of, either directly or indirectly, the Products or Services, including any Outputs. You may, however, provide aggregated data
with respect to the Calls analyzed by the Products to each of Your Customers pursuant to written obligations of confidentiality with each of Your
Customers (i.e., quantity of calls analyzed, authenticated or for which fraud was detected, account status and the stand-alone risk score).
(iv) Responsibility for Your Customers. Any act or omission committed by Your Customer that, if committed by you (i.e., where you have a
responsibility pursuant to the terms and conditions of this Agreement or a Reseller Order) would be deemed a breach of this Agreement or the
applicable Reseller Order will be considered a breach by you, as applicable, including by way of example, a breach of the confidentiality obligations or a failure to comply with the obligations in 7 (Your Responsibility Statement) of the main body of this Agreement. Further, a breach by you of the
restrictions in the last sentence of Section 5(b) (Bundled Offering) above or your obligations under Setion 5(c) (Your Customer-Facing Obligations)
above or any claim by Your Customer that you failed to comply with Your Customer Agreement with Your Customer shall be (x) included within the
scope of your obligations to Pindrop in Sections 10(b) (Company Coverage for Third Party Claims) and 10(c) (Procedural Requirements for Third
Party Claims) of the main body of this Agreement; and (y) excluded from your limitations of liability for direct damages under Section 9(b) (Liability
for Direct Damages) of the main body of this Agreement.
Exhibit C - Pindrop Information Security and BCP Programs
1. Definitions.
Capitalized terms used in this Exhibit C have the meanings given below or, if not defined below, the meanings given in the main body of this
Agreement.
“In-Scope Subcontractor” means each of Pindrop’s subcontractors who are engaged by Pindrop to deliver component(s) of the Products or Services to you and will have access to, process, or store Your Call Data.
“Information System” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing,
dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone
switching and private branch exchange systems, and environmental control systems.
“Pindrop-Controlled Systems” means: (i) Information Systems that are within Pindrop’s possession or control; and (ii) Amazon Web Services
(“AWS”) Information Systems or Google Cloud Platform (“GCP”) that meet the following criteria: (a) under Pindrop’s enterprise account with
AWS or GCP, as applicable; (b) used by Pindrop to deliver the Products or Services or used by Pindrop for Pindrop’s internal, corporate-level
systems; and (c) are AWS Information Systems or GCP Information Systems for which Pindrop solely configures and manages the security controls
used by Pindrop to protect the data stored within such AWS Information Systems or GCP Information Systems. The defined term Pindrop-Controlled
Systems excludes all of Your Controlled Systems.
“Regulator” means any industry regulatory agency with supervisory authority over your company under applicable Laws.
“Security Breach” means a reasonably suspected or confirmed unauthorized disclosure of your Confidential Information within Pindrop’s
possession or control; or a reasonably suspected or confirmed unauthorized access by a third party to any Pindrop-Controlled Systems that process, hold, or provide access to your Confidential Information.
“Your Controlled System” means Information Systems that are within your possession or control.
2. Governance and Oversight.
(a) Pindrop will have in place a cybersecurity program designed to protect the confidentiality, integrity, and availability of the Pindrop-Controlled
Systems, as detailed in this Exhibit C. Such cybersecurity program includes tracking data asset locations and maintaining risk based written security
policy or policies that satisfy the requirements set forth in this Exhibit C (the “Security Policy”). Pindrop will not make any change to its Security
Policy that will materially degrade the overall level of security described in this Exhibit C.
(b) Pindrop’s Security Policy will be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security,
confidentiality, and integrity of your Confidential Information within Pindrop’s possession or control that could result in the unauthorized disclosure,
misuse, alteration, destruction or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. The risk assessment will be written and include: (i) criteria for the evaluation and categorization of identified security risks or threats to your
Confidential Information within Pindrop’s possession or control; (ii) criteria for the assessment of the confidentiality, integrity, and availability of
your Confidential Information within Pindrop’s possession or control, including the adequacy of the existing controls in the context of the identified
risks or threats; and (iii) requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the Security Policy will address the risks.
(c) Pindrop will periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the
security, confidentiality, and integrity of your Confidential Information within Pindrop’s possession or control that could result in the unauthorized
disclosure, misuse, alteration, destruction or other compromise of such information, and reassess the sufficiency of any safeguards in place to control these risks.
(d) Pindrop will (i) design and implement safeguards to control the risks identified through the risk assessments it performs; and (ii) evaluate and
adjust its information security program in light of the results of the testing and monitoring described in this Exhibit C, any material changes to
Pindrop’s operations or business arrangements, and any other circumstances that Pindrop knows or has reason to know may have a material impact
on Pindrop’s information security program.
(e) Pindrop will assign an appropriate individual within Pindrop’s Information Security team to maintain responsibility and executive oversight for
the Security Policy, including, without limitation, formal governance and revision management, employee education, and compliance enforcement.
The individual assigned by Pindrop to maintain responsibility and executive oversight for the Security Policy will report in writing, regularly and at
least annually, to Pindrop’s executive team or board of directors or equivalent governing body. Any such reports will include the following
information: (i) the overall status of Pindrop’s information security program; and (ii) material matters related to Pindrop’s information security
program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses thereto, compliance obligations and recommendations for changes in the information security program.
(f) Subject to the terms and conditions in Section 12 (Audits) of the main body of the Agreement, the rights in this Section 2(f) shall apply. If a
Regulator exercising its supervisory authority makes a request to you to access the Products or Services, you will use commercially reasonable efforts to resolve that request directly with the Regulator using alternative methods, including by reviewing the security certifications for the Pindrop-Controlled Systems with the Regulator. If the Regulator determines that the information available through these mechanisms is insufficient to verify compliance with applicable Laws then, upon the Regulator’s request and your written confirmation that the Regulator has the requisite supervisory authority over your company to make such a request, Pindrop will provide the Regulator with: (i) information about the Products and Services and the opportunity to discuss the Products and Services operations and controls with Pindrop subject matter experts; and (ii) if required, a direct right to examine the Products and Services used by you, including by conducting an examination on premises. Pindrop may charge you a fee (based on Pindrop’s reasonable costs) for any such discussion, communication, and examination. Any discussion, communication, or examination requested by the Regulator under this subsection will, except in an emergency or crisis situation, be conducted consistent with the terms of Section 12 (Audits) of the main body of the Agreement.
3. Policies and Procedures.
(a) The policies that comprise the Security Policy are commercially reasonable, communicated to relevant Pindrop employees, and designed to: (i)
be protective of your Confidential Information within the Pindrop-Controlled Systems; and (ii) support Pindrop’s compliance with its obligations
under the Agreement. If requested by you in writing, Pindrop agrees to provide you with (1) the title page and table of contents related to the
Security Policy or other related policies or procedures applicable to Pindrop’s business operations set forth in this Exhibit C; (2) an opportunity to
discuss Pindrop’s security measures; (3) confirmation that penetration testing and vulnerability scanning has been performed; and (4) independent
audit reports applicable to the Products (such as SOC2 Type 2) that Pindrop makes generally available to its customers under confidentiality terms.
(b) Pindrop will review its Security Policy at least annually and amend such Security Policy (or subparts thereof) as Pindrop deems commercially
reasonable (e.g., in light of relevant risk assessment findings, relevant changes in applicable laws or standards, technology advances, changes to
Pindrop’s systems or Pindrop’s own changing business operations).
(c) As part of the Security Policy, Pindrop will have security-minded development practices for applications that form any part of the Products or
that are used to deliver the Products, and procedures for evaluating and assessing the security of externally developed applications that form any part of the Products or that are used in the delivery of the Products.
(d) Pindrop will maintain and follow employment verification requirements for all new Pindrop employee hires, with such verifications occurring
prior to the date of hire. These requirements will include criminal background checks, proof of identity validation, and additional checks as deemed
reasonably necessary by Pindrop and as permitted by applicable Law. Such employment verification measures shall be in line with requirements
under Industry Standards (as defined in Section 4 (Compliance) below). Each Pindrop local entity is responsible for implementing the foregoing
requirements in its hiring process as applicable and permitted under local law. Pindrop will provide verification of the completion of background
checks in a satisfactory manner for employees upon your reasonable request; however, Pindrop is not required to provide an actual copy of the
background check results.
(e) Pindrop will have a training program that includes conducting security education for its employees annually. The training program will: (i)
provide security awareness training that is updated to reflect risks identified by Pindrop’s risk assessments; and (ii) promote the maintenance of
current knowledge of changing information security threats and countermeasures.
4. Compliance. Pindrop-Controlled Systems will be subject to annual certification of compliance with the Payment Card Industry Data Security
Standards (PCI-DSS) (with respect to relevant cardholder data environments only), ISO 27001, and SSAE SOC 2 or any substantially equivalent or
alternative successor standard (the “Industry Standards”). Upon written request from you, Pindrop will provide evidence of the compliance and
accreditation with the Industry Standards as reasonably determined by Pindrop, such as certificates, attestations, or reports resulting from accredited independent third-party audits (accredited independent third-party audits will occur at the frequency required by the relevant standard). Additionally, Pindrop will use commercially reasonable efforts to verify that its In-Scope Subcontractors comply with all Laws applicable to the operation of the In-Scope Subcontractors’ business and all Laws generally applicable to providers of information technology services, in each case, to the extent relevant to the specific products and services being provided by such In-Scope Subcontractor to Pindrop in connection with the Products and Services covered under the Agreement and a Reseller Order. The verification may be accomplished through Pindrop’s vendor due diligence process. In the event that Pindrop’s vendor due diligence process identifies a non-compliance with the aforementioned Laws, Pindrop will work with the In-Scope Subcontractor to cure such deficiency.
5. Incident Response and Security Breaches.
(a) Pindrop will maintain and follow documented incident response policies consistent with National Institute of Standards and Technology, United
States Department of Commerce (NIST) guidelines or equivalent industry standards for computer security incident handling. Pindrop’s written
incident response plan will be designed to promptly respond to, and recover from, any event materially affecting the confidentiality, integrity, or
availability of your Confidential Information within Pindrop’s possession or control. Such incident response plan shall address the following areas:
(i) the goals of the incident response plan; (ii) the internal processes for responding; (iii) the definition of clear roles, responsibilities and levels of
decision-making authority; (iv) external and internal communications and information sharing; (v) identification of requirements for the remediation
of any identified weaknesses in information systems and associated controls; (vi) documentation and reporting; and (vii) the evaluation and revision
as necessary of the incident response plan.
(b) Pindrop will investigate Security Breaches (and security incidents that are not yet Security Breaches but that are reasonably likely to result in
Security Breaches) of which Pindrop becomes aware, perform a root-cause analysis of the same and take prompt action designed to contain the
Security Breach. You must notify Pindrop of any suspected vulnerability or security incident by immediately submitting a technical support request
to Pindrop.
(c) Pindrop will notify you within no more than 24 hours after Pindrop becomes aware of a Security Breach that has impacted your Confidential
Information. Pindrop will provide you with reasonably requested information about such Security Breach and the status of any Pindrop containment
and service restoration activities.
6. Physical Security and Entry Control.
(a) Pindrop will maintain reasonable physical entry controls, such as barriers, card-controlled entry points, surveillance cameras, and manned
reception desks, designed to protect against unauthorized entry into Pindrop-managed facilities (i.e., its headquarter facility) used to provide the
Pindrop-Controlled Systems. Auxiliary entry points into such facilities, such as delivery areas and loading docks, will be controlled and isolated from
computing resources.
(b) Access to Pindrop-managed facilities and controlled areas within those facilities will be limited by job role and subject to authorized approval.
Such access will be logged, and such logs will be retained for not less than one year. Pindrop will revoke access to Pindrop-managed facilities upon
separation of an authorized employee. Pindrop will follow formal documented separation procedures that include prompt removal from access
control lists and surrender of physical access badges.
(c) Any person granted temporary permission to enter an Pindrop-managed facility or a controlled area within such facility will be registered upon
entering the premises and will be escorted by authorized personnel.
(d) Pindrop will take precautions designed to protect the physical infrastructure of Pindrop-managed facilities against environmental threats, both
naturally occurring and man-made, such as excessive ambient temperature, fire, flood, humidity, theft, and vandalism.
7. Access, Intervention, Transfer and Separation Control.
(a) Pindrop will maintain measures for Pindrop-Controlled Systems that are designed to logically separate and prevent your Confidential
Information stored within Pindrop-Controlled Systems from being exposed to or accessed by unauthorized persons. Pindrop will maintain isolation
of its production and non-production environments, and, if your Confidential Information is transferred to a non-production environment, for
example to reproduce an error at your request, security and privacy protections in the non-production environment will be equivalent to those in
production.
(b) Pindrop will encrypt your Confidential Information that is subject to long-term storage within Pindrop-Controlled Systems and when your
Confidential Information is transmitted by Pindrop over public networks. Pindrop will maintain documented procedures for encryption key
generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use. To the extent that encryption is
impractical, Pindrop will use compensating controls designed to protect your Confidential Information.
(c) If Pindrop requires access to your Confidential Information that is stored within Pindrop-Controlled Systems, and if such access is managed by
Pindrop, Pindrop will deploy measures designed to restrict access to the minimum level required. Such access, including, without limitation,
administrative access, will be individual, role-based, and subject to approval and regular validation by authorized Pindrop personnel following the
principles of segregation of duties. Pindrop will maintain measures to identify and remove redundant and dormant accounts with privileged access
and will promptly revoke such access upon the account owner's separation or upon the request of authorized Pindrop personnel, such as the account owner’s manager.
(d) For Pindrop-Controlled Systems, Pindrop will:
(i) monitor and periodically test the Pindrop-Controlled Systems to assess the effectiveness of the Security Policy;
(ii) maintain technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts,
strong password or passphrase authentication, and password change frequency;
(iii) monitor use of privileged access and maintain security information and event management measures designed to: (1) identify unauthorized
access and activity; (2) facilitate a timely and appropriate response, and (3) enable internal and independent third-party audits of compliance with the Security Policy;
(iv) where practicable for a given Pindrop-Controlled System, use multi-factor authentication designed to protect against unauthorized access to
such Pindrop-Controlled System;
(v) maintain logs in which privileged access and activity are recorded will be retained in compliance with Pindrop's worldwide records
management plan and Security Policy;
(vi) maintain measures designed to protect against unauthorized access, modification, and accidental or deliberate destruction of the logs
described in the prior (v);
(vii) maintain signature-based malware detection and removal software for the Pindrop-Controlled Systems; and
(viii) where practical with respect to the Pindrop-Controlled Systems, use multifactor authentication designed to protect against unauthorized
access to Pindrop-Controlled Systems.
(e) Pindrop will securely sanitize physical media intended for reuse prior to such reuse, and will destroy physical media not intended for reuse,
consistent with NIST guidelines for media sanitization. Upon your reasonable request, Pindrop will provide a certificate of destruction certifying the
destruction of any of Your Confidential Information within Pindrop’s possession or control.
8. Service Integrity and Availability Control. With respect to Pindrop-Controlled Systems, Pindrop will:
(a) Perform security risk assessments at least annually;
(b) Perform security testing and vulnerability assessments on a periodic basis;
(c) Enlist a qualified testing service to perform penetration testing at least annually;
(d) Perform automated vulnerability scanning against configuration industry standards reasonably designed to identify publicly-known security
vulnerabilities in Pindrop-Controlled Systems based on Pindrop’s risk assessment: (i) at least every six months; (ii) whenever there are material
changes to Pindrop’s technical operations of the nature that reasonably justify the performance of a scan; and (iii) whenever there are circumstances that Pindrop knows or has reason to know may have a material impact on Pindrop’s information security program of the nature that reasonably justify the performance of a scan;
(e) Follow Pindrop’s policies with respect to the remediation of identified vulnerabilities, based on associated risk, exploitability, and impact;
(f) Take reasonable steps to avoid disruption of the Products and Services when performing its tests, assessments, scans, and execution of
remediation activities;
(g) Maintain measures designed to assess, test, and apply security advisory patches. Upon determining that a security advisory patch is applicable
and appropriate, Pindrop will implement the patch pursuant to Pindrop’s policies, taking into account associated risk, exploitability, and impact;
(h) Maintain policies and procedures designed to manage risks associated with the application of changes; and
(i) Maintain an inventory of information technology assets.
9. Malicious Code.
Pindrop will not intentionally or knowingly either introduce or allow the introduction of any code, files, scripts, agents or
programs intended to do harm, including for example, viruses, worms or Trojan horses (“Malicious Code”) into the Product delivery environment. If
Malicious Code is found to have been introduced into a Product by Pindrop, Pindrop will be responsible for removing the Malicious Code from such
Product. If the Malicious Code that was found to have been introduced by Pindrop is also found to have been introduced into Your Controlled
Systems, Pindrop will reasonably cooperate with you by providing relevant information necessary for the you to mitigate the effects of such
Malicious Code.
10. Vendor Management Program.
(a) Pindrop agrees to maintain a formal vendor management program. As part of such program, Pindrop is responsible for conducting due diligence
on each of its In-Scope Subcontractors on a periodic basis to assess the extent to which each In-Scope Subcontractor has reasonable security
measures designed to protect the Your Call Data in that In-Scope Subcontractor’s possession or control. In conducting In-Scope Subcontractor due
diligence, Pindrop may rely upon the information available in an In-Scope Subcontractor’s SOC2 or comparable report or certification (each an
“Independent Audit Report”) to make such assessment, even if the Independent Audit Report does not contain the level of detail specified in this
Exhibit C. Upon your request, Pindrop shall direct you to the location at which you can obtain copies of an In-Scope Subcontractor’s Independent
Audit Report. In the event that you are unable to obtain such Independent Audit Report, Pindrop shall use reasonable efforts to secure the relevant
Independent Audit Report from such In-Scope Subcontractor and provide a copy to you. Pindrop agrees to provide you with a minimum of 30 days’ prior notice if there is a material change in the identity of the In-Scope Subcontractors applicable to the Products or Services covered under an
existing Reseller Order. If an In-Scope Subcontractor is Processing Your Personal Information, then within 30 days of receiving notice of a new In-
Scope Subcontractor, you may object (in good faith) to such engagement. In the event you make an objection within such time period, the parties will work in good faith to resolve the objection. If the parties are not able to come to a mutually agreed to solution, your sole and exclusive remedy will be to terminate the Reseller Order pursuant to the terms in Your Agreement and such Reseller Order(s) with the Authorized Reseller.
(b) In addition to In-Scope Subcontractors, you understand and agree that Pindrop may use other vendor systems and solutions to support its day to day back office business operations where your Confidential Information (other than data that’s been input into a Product) may be collected,
processed or stored, including by way of example, contract management, billing or other financial transaction-related tools and solutions (each a
“Back Office Business System”). Back Office Business Systems are not Pindrop-Controlled Systems, but are subject to the requirements in
Sections 10(c) and 10(d) of this Exhibit C.
(c) Pindrop will have a written agreement in place with each In-Scope Subcontractor and each vendor providing a Back Office Business System
that contains commercially reasonable confidentiality obligations designed to protect the confidentiality of Your Call Data in the possession or
control of the In-Scope Subcontractor or the confidentiality of your Confidential Information in the possession or control of each vendor providing
the Back Office Business System, as applicable.
(d) Pindrop is responsible for any unauthorized disclosure of Your Call Data by an In-Scope Subcontractor and your Confidential Information by
each vendor providing a Back Office Business System to the same extent as Pindrop itself would be by the terms of this Agreement.
11. BCP Program.
(a) Pindrop’s BCP will include (i) a business impact analysis that includes a risk assessment that documents prioritization of business functions and
process, systems, subcontractors, resource requirements and interdependencies that may affect recovery timelines and alternative resource plans; (ii) specifically defined or targeted RTOs (recovery time objective); and (iii) specifically defined or targeted RPOs (recovery point objective). Pindrop’s RTO and RPO policy for a single availability zone failure for a Product will not exceed 24 hours.
(b) Pindrop will conduct periodic exercises with respect to its BCP (such as tabletop exercises), but on no less than an annual basis. If an event
triggers Pindrop’s BCP (each a “BCP Event Trigger”), Pindrop is responsible for implementing the BCP in accordance with Pindrop’s policies and
procedures. You understand and agree that if a BCP Event Trigger occurs, depending on the nature and scope of the event and whether you procure “high availability” Appliances for any Products deployed at your managed facilities, the availability and/or ability to recover Your Confidential
Information, including without limitation, the Your Call Data, in Pindrop’s possession or control may be impacted.
(c) The Products are not designed for and should not be used by you as an official record or similar, whether for regulatory purposes or otherwise.
(d) Should the Product(s) in use by you experience an outage, Pindrop will notify you of such outage and provide periodic status updates until such
impact is resolved.
(e) Pindrop will provide reasonable prior notice to you if Pindrop’s BCP is changed in a way that would have a material adverse impact in
Pindrop’s ability to deliver the Products or the Services to you as set forth in the Agreement and each Reseller Order.
12. Your Responsibilities.
You agree to take commercially reasonable measures designed to detect and prevent the introduction of Malicious Code
into Pindrop-Controlled Systems used in the delivery of Products or Services to you. You further understand and agree that you are responsible for
determining whether the Products and Services are suitable for your use and implementing and managing security measures for all components of the Products and Services that Pindrop does not manage or for which Pindrop does not have security obligations under this Exhibit C, with Pindrop’s
only security obligations being as set forth in this Exhibit C. Examples of your responsibilities include, without limitation: (a) securing all of Your
Controlled Systems; and (b) accepting and implementing all security patches provided by Pindrop with respect to any On-Premises Appliances (and
all other software distributed by Pindrop to you in order to enable such security patches), without delay. You further agree that it is your
responsibility, and not Pindrop’s responsibility, to ensure adequate backups of any of Your Call Data on Your Controlled Systems that are physically
and logically separated from the Products and Services being provided by Pindrop under this Agreement. You agree that Pindrop shall not be in
breach of its obligations under this Exhibit C if and to the extent that Pindrop’s non-compliance is directly caused by your failure to comply with
your own security responsibilities in this Agreement.