Pindrop Subscription Agreement for Enterprise Customers
Last Updated: August 26, 2024
This Pindrop Subscription Agreement for Enterprise Customers (“Agreement”) applies to any Products or Services that Pindrop Security, Inc. (“Pindrop”) provides to your company (“Company”) under an Online Order. By entering into an Online Order, Company agrees to be bound by the terms of this Agreement. If Company does not agree to the terms of this Agreement, Company does not have the right to use any Pindrop Property (as defined below). Pindrop agrees to be bound by the terms of this Agreement upon acceptance of an Online Order. Capitalized terms have the meanings given in this Agreement.
1. Definitions.
(a) “Authorized Geography” means the state or country, as reflected in an Online Order, in which Company is authorized to have the Product analyze Calls made by Company’s customers also residing in that state or country. For example, if Company is authorized to access and use the Product in the United States, then the Company Phone Numbers would be those that are intended for use by the Company’s United States-based customers as part of the Company’s United States-based business operations.
(b) “Call” means a phone call made to the Company Phone Number that is processed by a Product.
(c) “Call Heuristics” means the duration that a device’s touch keys are held down (e.g., the frequency of a caller pressing a device’s touch keys).
(d) “Call Processing Data” means data (excluding CPNI) obtained by or from a telecommunications network for a Call that is generally used for call routing purposes. Examples of Call Processing Data include data used to initiate, route, exchange and complete call traffic that is internal to the network.
(e) “Company Call Center Infrastructure” means the Company telephony solution with which Company will use a Product, as contemplated in this Agreement and/or an Online Order.
(f) “Company Call Data” means the data and information that are uploaded, transmitted, input or otherwise provided or made available by Company in connection with a Product. The phone number from which a Call originates, audio (i.e., spoken content), signaling, and call-related metadata from Company’s telecommunications network (including Telco Network Call Data) and Digital Signal for a Call are examples of Company Call Data.
(g) “Company Phone Number” means a phone number Company designates for Product analysis of incoming Calls.
(h) “Company Regulator” means any industry regulatory agency with supervisory authority over Company under applicable Laws.
(i) “Confirmed Fraud Call” means a Call that Company designates through the user interface of the Pindrop® Protect Product (or any subsequent Product having the same functionality) as being associated with fraudulent or suspicious activity. For clarity, unless the parties expressly agree otherwise in an Order, the functionality to identify a Confirmed Fraud Call and any corresponding Fraudulent Call Data are not used or enabled in Pindrop’s authentication-only solutions (e.g., Pindrop® Passport).
(j) “Consortium Members” means Pindrop customers, government agencies, third party data providers, consumer agencies, credit lenders and other third parties that have themselves provided “fraudulent call data” to Pindrop or its affiliates. For clarity, unless the parties expressly agree otherwise in an Order, Pindrop customers with a subscription to Pindrop’s authentication-only solutions (e.g., Pindrop® Passport) are not and do not become Consortium Members.
(k) “CPNI” or “Customer Proprietary Network Information” means data obtained by or from a telecommunications network about a Call that relates to the quality, technical configuration, type, destination, location, or amount of use of the voice service for calls placed from a particular phone number, or is the type of call-related data that would customarily appear on the customer’s bill who is purchasing the relevant telecommunications and interconnected VoIP services from a carrier partner. Examples of CPNI include the phone number of the calling party or called party, type of service the customer has ordered or the location of the customer or device.
(l) “Documentation” means any Product documentation, user guides and installation instructions Pindrop provides to Company from time to time.
(m) “Digital Signal” means the digital signal used to transmit audio from the device and/or the telecommunications network.
(n) “DTMF” means the audio sound of the dual tone multiple frequency (i.e., the signal sent when a caller presses a device’s touch keys).
(o) “Feedback” means all ideas, suggestions, or similar information that Company provides or otherwise makes available to Pindrop or its affiliates about Products, Work Product, Services, or any other Pindrop product or service offering.
(p) “Fraudulent Call Data” means the following data for a Confirmed Fraud Call: (i) a phone number, (ii) the timestamp, duration, type of number and geography metadata, (iii) call type (e.g., mobile or VOIP), (iv) Pindrop Score (i.e., the numerical risk score assigned to the Call), and (v) System Labels.
(q) “Laws” means all laws, statutes, regulations and other types of government authority, including without limitation, the laws and regulations governing data privacy or data protection.
(r) “Online Order” means an order for Products or Services that references this Agreement and is signed by Company and Pindrop.
(s) “Outputs” means the data or information portion of a Product that are generated using Pindrop’s proprietary technology and relevant to a Product’s analysis of a Call (including, for example, Pindrop Scores, System Labels, Proprietary Prints, or an audio recording of a Call).
(t) “Pindrop-Controlled Systems” has the meaning given in Section 1 (Definitions) of Exhibit B (Pindrop Information Security and BCP Programs).
(u) “Pindrop Database” means Pindrop’s proprietary database that includes the Fraudulent Call Data as well as the same or similar data with respect to calls associated with fraudulent or suspicious activity provided by Consortium Members and other information derived from third party data providers and Pindrop’s or its affiliates’ own research efforts. For clarity, unless the parties expressly agree otherwise in an Order, (i) Pindrop customers with a subscription to Pindrop’s authentication-only solutions (e.g., Pindrop® Passport) do not contribute Fraudulent Call Data to the Pindrop Database and (ii) the Pindrop Database does not contain Proprietary Prints or the audio from Calls.
(v) “Pindrop Property” has the meaning given in Section 6(d) (Pindrop Property) of this Agreement.
(w) “Pindrop Score” means the scoring metrics, data or reasons for a scoring metric provided by Pindrop’s proprietary processes, including statistical and audio models (e.g., phoneprints), intended to predict the likelihood of a phone transaction being fraudulent, suspicious, or from someone other than an authenticated caller, as relevant depending on a given Product’s features and functionality.
(x) “Pre-GA Offering” means a product or potential new feature or functionality for a Product to which Company has an existing subscription that is provided in a Pindrop-managed lab environment and identified as “beta,” “limited availability,” “pre-release” or similar designation or that Pindrop otherwise identifies as unsupported.
(y) “Product” means a Pindrop product, including any Pre-GA Offerings, that Company orders under an Online Order.
(z) “Professional Services” or “PS” means the implementation services (which may include installation, configuration, project management, process reviews and associated policy or procedure development, testing or go-live support), training, consultancy, or other optional services ordered by Company under an Online Order.
(aa) “Project Closure Milestone” means the date on which the PS consisting of Pindrop’s configuration and/or provisioning of the Product or any other mutually agreed upon PS is deemed completed, as detailed in an Online Order.
(bb) “Proprietary Prints” means the numerical values generated by the Product that are a sequence of floating-point numbers, are not reversible into the original audio, are not composed of an audio wave file, and do not contain any actual recorded conversation. Examples of Proprietary Prints include: (i) Fakeprints (generic artifacts extracted to detect synthetic or recorded audio – not to identify a person), (ii) Toneprints (unique to device type and carrier – not person), (iii) Phoneprints (unique to device type, carrier and country location – not person), (iv) behavior heuristics (e.g., keypress patterns on device to help detect human versus robotic characteristics); and (v) voice features.
(cc) “Services” means PS or Support Services ordered by Company under an Online Order.
(dd) “Subscription Start Date” has the meaning assigned in the relevant Online Order.
(ee) “Subscription Term” means the time period, starting on the Subscription Start Date, that Company has the right to use a Product under an Online Order.
(ff) “Product-Specific Terms” means the terms in Exhibit C (Implementation and Product-Specific Terms) that are relevant to one or more of the Products.
(gg) “Support Services” means Pindrop’s support and maintenance services included in the subscription for a given Product, as detailed in the Support Program Terms.
(hh) “Support Program Terms” means the terms of Pindrop’s standard Product support and maintenance services program (available here) as updated and supplemented by Pindrop from time to time upon notice to Company.
(ii) “Support Tools” means (i) software, web analytics tools, or other technology used by Pindrop or its affiliates to (1) monitor, maintain or improve Product performance, integrity or security, (2) identify Product errors and maintenance issues, (3) understand user behavior with a given Product (e.g., what feature or functionality is preferred), which may include the recording of a User’s session while logged in to the Product, and (4) manage subscription-related metrics (e.g., quantity of Calls or expiration of a given Subscription Term); or (ii) cookies set on a User’s browser for the purpose of identifying Users and Company systems interacting with the Product or to log a User out after a period of inactivity, including the general location (e.g., city, state or country) of the IP addresses associated with Users who log in to and use a Product.
(jj) “System Label” means a label automatically assigned to a Call (i) after it is dispositioned by an automated policy (as configured within the Product) or manually by a User as fraud/genuine or authenticated/non-authenticated; or (ii) to indicate it was answered or not answered during the course of being analyzed by a Product, in each case, as relevant based on the Product’s features and functionality.
(kk) “Telco Network Call Data” means, collectively, CPNI and Call Processing Data.
(ll) “User” means an individual who Company authorizes to use a Product and who has been assigned by Company (or, when relevant, Pindrop or its affiliates at Company’s request), a user identification number and password to access the Product.
(mm) “Work Product” means any inventions, discoveries, software, or other works of authorship (including, without limitation, Product configuration, accuracy reports and other documentation), and other proprietary materials or work product developed by or for Pindrop or its affiliates, alone or with others, in the course of Pindrop’s performance of Services, including any and all related and underlying software, databases (including incorporated data models, structures, and non-Company specific data), specifications, technology reports, and documentation.
2. General Pindrop Responsibilities.
(a) Provision of Products and Services. Pindrop will make Products and Services available to Company under this Agreement and each relevant Online Order solely for lawful purposes and use.
(b) Protection of Company Data. During the Term of this Agreement and for as long as Pindrop maintains Company’s Confidential Information within Pindrop-Controlled Systems, Pindrop will have and maintain the information security program and safeguards detailed in Exhibit B (Pindrop Information Security and BCP Programs).
(c) Pindrop Personnel. Pindrop is responsible for the performance of and compliance by its and its affiliates’ personnel (including employees and contractors) with Pindrop’s obligations under this Agreement and each Online Order, except as otherwise specified in this Agreement. If Company determines, in its commercially reasonable judgment, that personnel assigned by Pindrop do not possess suitable expertise or have violated Company’s generally applicable working terms or conditions, Company may request that Pindrop replace the personnel within a reasonable period of time.
3. Use of Products and Services.
(a) Subscriptions. Unless otherwise provided in the relevant Online Order, Products are purchased as subscriptions for the Subscription Term. Company agrees that its purchases are not contingent on Pindrop’s delivery of any future functionality or features, or dependent on any oral or written comments Pindrop makes regarding future functionality or features.
(b) Access to Products and Services. Company has the right to access and use the relevant Products and Services subject to the terms of the relevant Online Order, this Agreement (including any relevant Product-Specific Terms), and the Documentation.
(c) Support Terms. Unless provided otherwise in an Online Order, (i) Pindrop will provide the Support Services during the Subscription Term, as detailed in the Support Program Terms and (ii) Pindrop and its affiliates may use Support Tools. Notwithstanding anything to the contrary in this Agreement and subject to the use restrictions below, Company agrees that Pindrop and its affiliates can also collect, analyze, retain, and use the usage, statistical, caller phone number, metadata, and other log data collected by Support Tools or Products (“Support Data”) to maintain, develop, manage, administer, and improve Pindrop’s and its affiliates’ products and services, including the Products and Services and the AI Systems and AI Models (“Product Improvement Purposes”). Except where Pindrop or its affiliates are using the Support Data for Company’s sole benefit in providing Products and Services to Company (such as to respond to trouble tickets), Pindrop and its affiliates will only use the Support Data for Product Improvement Purposes if the Support Data has been aggregated with comparable data from other customers and then implemented by Pindrop as a general, customer-agnostic improvement to the general usability or efficacy of Pindrop’s or its affiliates’ products and services (i.e., in a manner that does not identify Company or any individual person within Company as the source of that data or any individual or phone number of an individual who called Company for the benefit of other customers). Pindrop will not and will take reasonable measures to prevent the use of any Support Data as an input into any publicly available generative artificial intelligence or Machine Learning models. Company agrees that Pindrop’s and its affiliates’ right to retain and use the Support Data for Product Improvement Purposes survives any termination or expiration of this Agreement or any Online Orders.
Company is responsible for disclosing to and obtaining consent from its Users to the collection and use of Support Data as required by applicable Laws.
For purposes of this Agreement:
“AI” means a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations or decisions influencing real or virtual environments. Artificial intelligence systems use machine and human-based inputs to: (i) perceive real and virtual environments, (ii) abstract the perceptions into models through analysis in an automated manner, and (iii) use model inference to formulate options for information or action.
“AI Model” means a component of an information system that implements AI technology and uses computational, statistical, or machine-learning techniques to produce outputs from a given set of inputs.
“AI System” means any data system, algorithm, software, hardware, application, tool, or utility that operates in whole or in part using AI.
“Machine Learning” means a set of techniques that can be used to train AI algorithms.
(d) General Company Responsibilities. Company will (i) be responsible for its Users’ compliance with this Agreement, Documentation, and Online Orders, (ii) be responsible for the accuracy, quality, and legality of Company Call Data, including as detailed in Section 7(d) (Company’s Responsibility Statement) of this Agreement, (iii) use commercially reasonable efforts to prevent unauthorized access to Products and Services, and notify Pindrop promptly of any unauthorized access or use, (iv) use the Products solely to perform phone number fraud verification or authentication for Company’s own products or services based on the features and functionality enabled in a given Product and for no other purpose (e.g., not for credit decisioning purposes or to determine a consumer’s eligibility for credit or insurance, or for any other permissible purpose described in the FCRA (as defined below)), and (v) except as expressly provided otherwise in this Agreement, be solely responsible for, and agrees to comply with, all applicable Laws with respect to its access and use of Products and Services. For clarity, Pindrop is not a consumer reporting agency and none of the information provided through the Products constitutes a “consumer report”, as defined in the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681 et seq.
(e) Restrictions. Company will not: (i) make Pindrop Property available to anyone other than Company or Users, or use Pindrop Property for the benefit of anyone other than Company or its affiliates, unless expressly stated otherwise in this Agreement or an Online Order, (ii) sell, resell, sublicense, distribute, rent, or lease Pindrop Property in any manner (including, without limitation, in any service bureau or outsource offering), (iii) copy, modify, or create derivative works of any portion of Pindrop Property, (iv) except to the extent permitted by applicable Law, disassemble, reverse engineer, or decompile any portion of Pindrop Property in any manner, (v) frame or mirror any part of a Product, other than framing on Company’s own intranets or otherwise for its own internal business purposes as permitted in the Documentation, (vi) manually enter or import Company Call Data into a Product that would or could violate Payment Card Industry Data Security Standard (PCI DSS), as amended from time to time, including by way of example only, a credit security validation (CSV) number or a credit card account number (the “PCI Restriction”), (vii) attempt to gain unauthorized access to Products or related systems or networks, or permit direct or indirect access to or use of Pindrop Property in a way that circumvents contractual usage or security restrictions, (viii) access or use Pindrop Property to (A) build a competitive product or service, (B) build a product or service using similar ideas, features, functions, or graphics of the Pindrop Property, or (C) copy any ideas, features, functions, or graphics of Pindrop Property, or (ix) directly or indirectly authorize any third parties to do any of the foregoing. 
Any use of the Products in breach of this Agreement, the relevant Online Order, or that in Pindrop’s commercially reasonable business judgment threatens the security, integrity, or availability of a Product to Pindrop’s or its affiliates’ customers, may result in immediate suspension of Company’s access to the Product. However, Pindrop will use commercially reasonable efforts under the circumstances to provide Company written notice (email is sufficient) and an opportunity to remedy the breach or threat prior to suspension. Further, if a breach occurs with respect to the Outputs, Pindrop reserves the right to require Company to delete or destroy the Outputs (as well as any derivative works, benchmarking or competing solution) in Company’s possession or control.
4. Fees and Payments.
Company will pay Pindrop fees for Products and Services in accordance with the Online Order. If an invoice schedule for Services is not specified in the Online Order, then fees for Services will be invoiced and payable upon completion by Pindrop. All fees will be invoiced and payable in U.S. Dollars and are due and payable to Pindrop within 30 days after the date of invoice (“Due Date”). Company will promptly reimburse Pindrop for any reasonable out-of-pocket expenses incurred by Pindrop in connection with providing PS to Company. All expenses will be billed as incurred in accordance with Pindrop’s travel and expense policies. Company will pay all taxes, tariffs and transportation costs relating to, or incurred under, this Agreement or an Online Order (including any sales, use, excise, or value added taxes), exclusive of taxes based on Pindrop’s net income, unless Company is exempt from the payment of those taxes. To the extent relevant, Company will provide to Pindrop any resale exemption certificate, direct pay permit or other exemption certificate or information reasonably requested by Pindrop. Company will promptly notify Pindrop if any exemption is subsequently revoked or modified. If Pindrop is required or permitted by applicable Law to charge and collect sales, use, excise, value-added or similar taxes (but excluding taxes based on or measured by Pindrop’s net income) that are directly imposed on the purchase, lease or other transfer of taxable Products or Services for a consideration, Pindrop will separately state the taxes on Company invoices along with other related charges, including transportation and tariffs. Company will promptly pay invoiced taxes. Notwithstanding the foregoing, the failure of Pindrop to properly designate all taxes on an invoice will not relieve Company of its obligation to pay all the taxes. 
To the extent Pindrop fails to designate the taxes on an invoice, Company will, upon notice and request by Pindrop, promptly pay or reimburse Pindrop for any taxes that are Company’s responsibility under this Section. If Company fails to remit an undisputed portion of a payment by the relevant Due Date, Pindrop reserves the right to apply late charges at the lesser of (i) 1.5% per month of the overdue amount or (ii) the maximum amount permitted under applicable Law. Invoice disputes will be handled on a case by case basis. Company must notify Pindrop of any invoice dispute no later than the relevant Due Date or the invoice is deemed approved and accepted by Company. Both parties will use commercially reasonable efforts to assess and rectify, if relevant, discrepancies found within a disputed invoice as soon as commercially practicable.
5. Confidentiality.
(a) Definition. “Confidential Information” means information designated as confidential or proprietary or that should be considered as confidential from its nature or from the circumstances surrounding its disclosure. Confidential Information does not include information that: (i) is or becomes generally known or available to the public at large other than as a result of Receiving Party’s breach of an obligation to Disclosing Party, (ii) was known to Receiving Party free of any obligation of confidence prior to disclosure by Disclosing Party, (iii) is disclosed to Receiving Party on a non-confidential basis by a third party who did not owe an obligation of confidence to Disclosing Party, or (iv) is developed by Receiving Party independently of and without reference to any part of Disclosing Party’s Confidential Information. Confidential Information is not deemed to be in the public domain or generally known or available to the public merely because any part of the information is embodied in general disclosures or because individual features, components, or combinations thereof are now or become known to the public. For clarity, Pindrop Property is Pindrop’s Confidential Information, and Company Call Data is Company’s Confidential Information.
(b) Use and Disclosure. With respect to any Confidential Information a party receives (“Receiving Party”) from the other party (“Disclosing Party”), Receiving Party will: (i) keep the information confidential; (ii) use the same degree of care for the Disclosing Party’s Confidential Information that it uses for its own Confidential Information, but in no event less than reasonable care; (iii) not use the Confidential Information other than in connection with the performance of this Agreement and each Online Order; and (iv) not divulge the Confidential Information to any third party. Receiving Party agrees to use all reasonable steps to ensure that the Disclosing Party’s Confidential Information is not disclosed by a Receiving Party Representative (defined below) in violation of this Section. Company will not disclose the results of benchmark tests or any other evaluation of any Pindrop Property to any third party without Pindrop’s prior written approval. For purposes of this Section, “third party” excludes Receiving Party’s and its affiliates’ employees, contractors, subcontractors, attorneys, accountants, or other professional advisors, as long as the representative (1) has a commercially reasonable need to know and access the Confidential Information in connection with the authorized purposes; and (2) is under contractual or fiduciary confidentiality obligations substantially equivalent to the terms of this Section (each, a “Representative”). Receiving Party is responsible for its Representatives’ breach of the confidentiality obligations in this Agreement to the same extent as the Receiving Party itself.
(c) Limited Exceptions. Confidential Information may be disclosed in response to a valid order by a court or other governmental body of the United States or any political subdivision thereof, as otherwise required by law, or as necessary to establish the rights of either party under this Agreement, provided that the party making the disclosure must provide written notice to the other party with a reasonable opportunity to obtain a protective order or otherwise protect the confidentiality of the information. During the Term, Receiving Party may publicize the existence of the relationship between Pindrop and Company in connection with the Products or Services provided under an Online Order and Pindrop may list Company’s name on Pindrop’s standard customer lists.
6. Proprietary Rights and Other Licenses.
(a) Use of Company Call Data. Company grants Pindrop, its affiliates, and relevant subcontractors a limited-term license to collect, use, record, host, transmit, and process Company Call Data as necessary to provide, maintain, and support Products and Services for Company in accordance with this Agreement, each relevant Online Order, and the relevant Documentation.
(b) Company Use Rights. Subject to the terms of this Agreement, Pindrop hereby grants to Company a limited, non-exclusive, non-transferable (except as expressly provided in this Agreement with respect to the entire agreement) right (i) during the relevant Online Order to access and use the relevant Product solely within the Authorized Geography, (ii) during and after expiration of the relevant Subscription Term to retain and use the portion of the Outputs that are available via the Product’s outbound API feeds solely for Company’s internal business and recordkeeping purposes, and (iii) during the Subscription Term to retain and use the portion of the Work Product available to Company in connection with the Services for Company’s internal business purposes in connection with Company’s use of the Product, provided that (A) the Outputs and Work Product remain Pindrop’s Confidential Information and subject to the confidentiality obligations and use restrictions in this Agreement and (B) Company will not create any derivative works nor use the Outputs or Work Product to create a competing solution. For clarity, to the extent Company Call Data (such as a caller phone number) is contained in an Output or Work Product, nothing in this Section restricts Company’s right to use its own Company Call Data in any manner.
(c) Data Privacy Terms. The terms in Exhibit A (Data Privacy Terms) of this Agreement apply.
(d) Pindrop Property. Subject to the limited rights expressly granted by Pindrop under this Agreement or an Online Order, Pindrop, its affiliates, and their respective licensors and third-party providers reserve, retain, and own all right, title, and interest in and to the Products (including Outputs, AI Systems, and AI Models), the Services (including Work Product), and all updates, upgrades, derivative works, modifications, conversions, improvements or the like made to each of the foregoing, together with all intellectual property rights embodied therein (collectively, “Pindrop Property”). If Company Call Data (such as a caller phone number) is contained in an Output, AI System or AI Model, nothing in this Section transfers or otherwise restricts Company’s ownership in or right to use its own Company Call Data in any manner. Company agrees to retain and reproduce all copyright, trademark and other proprietary notices on or in the Pindrop Property as delivered to Company on all copies of Pindrop Property and will not remove any notices.
(e) Company Property. Subject to the limited rights expressly granted by Company under this Agreement or an Online Order, Company retains and owns all right, title, and interest in all intellectual property rights in and to the Company Call Data, Company Phone Numbers, and Company Call Center Infrastructure.
(f) Feedback. Company may, at its sole election, provide Feedback to Pindrop or its affiliates to help identify ways in which Pindrop and its affiliates may improve or expand their product and service offerings for their customers. If provided, Company hereby assigns to Pindrop all right, title, and interest in and to the Feedback.
(g) Third-Party Software Components. A Product may contain certain Third-Party Software Components (defined below). Company’s right to use Third-Party Software Components is subject to the relevant third-party terms identified within the Product or the Product’s Documentation, but only to the extent that Company’s actual access and use of the Product requires Company to agree to different or new terms than those in this Agreement or the relevant Online Order (“Third Party Terms”). Regardless of whether Third Party Terms apply, Third-Party Software Components are included within the product warranty and Support Services Pindrop provides to Company for the Product as detailed in this Agreement. “Third-Party Software Components” means third-party software bundled with or included in a Product for which Pindrop has an obligation to pass-through the open source or proprietary commercial software license terms directly to Company from the relevant third-party licensor.
(h) Special Terms for Pre-GA Offerings. Pindrop may make Pre-GA Offerings available to Company from time to time and Pre-GA Offerings are subject to the same terms in this Agreement and each relevant Online Order, except as provided otherwise in this Section or an Online Order. Pre-GA Offerings are provided on an “as is” basis and are not included in the Support Program Terms or Pindrop’s business continuity program, and may be changed, suspended, or discontinued by Pindrop at any time with prior notice to Company. Except as expressly indicated otherwise in a written notice from Pindrop or the Documentation for a given Pre-GA Offering, Company’s access and use of a Pre-GA Offering are limited to the Company’s employees and the Authorized Geography, are solely for internal evaluation and testing purposes, and are subject to any additional terms mutually agreed to by Pindrop and Company in writing, including geography or call traffic (i.e., “test” or production calls) restrictions. Either party may terminate Company’s use of a Pre-GA Offering at any time with written notice to the other party.
7. Warranties and Other Responsibilities.
(a) Project Closure for PS Only. Except as provided otherwise in an Online Order, the PS and Work Product are deemed completed as of the Project Closure Milestone. If the Product to which the PS is relevant does not materially comply with the relevant Documentation after the Project Closure Milestone (each, an “Error”), then the Error will be addressed solely under the warranty terms in this Agreement or the Support Program Terms.
(b) Representations and Warranties by Both Parties. Each party represents that it has validly entered into this Agreement and each Online Order and has the legal power to do so.
(c) Pindrop Warranties and Other Responsibilities.
(i) Product Performance. Pindrop warrants that each Product will perform without Errors during the relevant Subscription Term. Pindrop will use commercially reasonable efforts to correct Errors, excluding those Errors resulting from an Excused Event, as further defined and described in the Support Program Terms. Company’s exclusive remedies for Pindrop’s failure to comply with the product warranties in this Section 7(c)(i) is to pursue termination under Section 10(c) (Mutual Termination Rights). Products or Services made available to Company on an evaluation only or “early release” basis are subject to the terms of Section 6(h) (Special Terms for Pre-GA Offerings) above.
(ii) Malicious Code. Pindrop will not intentionally or knowingly either introduce or allow the introduction of any code, files, scripts, agents or programs intended to do harm, including for example, viruses, worms or Trojan horses (“Malicious Code”) into the Product delivery environment. If Malicious Code is found to have been introduced into a Product by Pindrop, Pindrop is responsible for removing the Malicious Code from the Product. If the Malicious Code that was found to have been introduced by Pindrop is also found to have been introduced into any Company-Controlled System, Pindrop will reasonably cooperate with Company by providing relevant information necessary for the Company to mitigate the effects of the Malicious Code.
(iii) BCP Program. Pindrop will maintain and administer a Business Continuity Program (“BCP”) for the Products, as detailed in Exhibit B (Pindrop Information Security and BCP Programs).
(iv) Professional Services Warranty. Subject to the terms hereunder, Pindrop will perform the PS in a professional manner in accordance with industry standards.
(d) Company’s Responsibility Statement. Company warrants, acknowledges, and agrees that (i) Company will, on behalf of itself and Pindrop as its service provider, provide all required consumer notices and disclosures and, where required, secure consents in compliance with all applicable Laws with respect to the Outputs and Company Call Data; and (ii) it will have and maintain privacy policies and terms and conditions with its customers that are compliant with its obligations and applicable Laws and permit the use and sharing of information processed, analyzed or created by a Product (including the creation of Outputs) and/or contributed to the Pindrop Database as contemplated in this Agreement or an Online Order (collectively, the responsibilities under (i) and (ii) are the “Customer Commitments”). If Company has been designated as a “Financial Institution” in an Online Order, then (A) Company further warrants that its Customer Commitments are also compliant with its obligations as a Financial Institution under the GLBA; and (B) Company hereby appoints Pindrop, for the duration of Company’s access to and use of Products and Services, as Company’s special agent with limited authority to perform functions inherent in the Products and Services as necessary for Company to analyze Calls for the purposes of (1) protecting the Company and Company’s customers from fraud and (2) enhancing the security of customer transactions. Other than the foregoing appointment in (B), Pindrop has no right, power, or authority to bind Company or create obligations on Company’s behalf. If Pindrop, in its good faith judgement, believes that Products are being used in a manner that is not compliant with applicable Laws, or that could result in noncompliance with applicable Laws, or that could subject Company or Pindrop to a claim for liability for noncompliance, Pindrop reserves the right to modify its Products or Services as deemed reasonably necessary to address the noncompliance. 
Company agrees to cooperate with Pindrop to the extent reasonably necessary to effectuate the modifications.
(e) Limited Warranties. EXCEPT AS PROVIDED OTHERWISE IN THIS AGREEMENT OR AN ONLINE ORDER, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE PINDROP PROPERTY IS PROVIDED TO COMPANY “AS IS,” AND PINDROP, ITS AFFILIATES, AND THEIR RESPECTIVE LICENSORS AND THIRD PARTY SERVICE PROVIDERS DISCLAIM ANY AND ALL OTHER PROMISES, REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, QUIET ENJOYMENT, SYSTEM INTEGRATION AND/OR DATA ACCURACY. PINDROP, ON BEHALF OF ITSELF AND ITS AFFILIATES, AND ITS AND THEIR LICENSORS AND THIRD PARTY SERVICE PROVIDERS, DOES NOT WARRANT THAT THE PINDROP PROPERTY WILL MEET COMPANY’S REQUIREMENTS, THAT THE OPERATION OR USE OF THE FOREGOING WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ALL ERRORS WILL BE CORRECTED. COMPANY ACKNOWLEDGES AND AGREES THAT THE DISCLAIMERS, LIMITATIONS AND EXCLUSIONS OF LIABILITY DESCRIBED IN THIS AGREEMENT FORM AN ESSENTIAL BASIS OF THE BARGAIN BETWEEN THE PARTIES, AND THAT, ABSENT THE DISCLAIMERS, LIMITATIONS AND EXCLUSIONS, THE TERMS OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THE ECONOMIC TERMS, WOULD BE SUBSTANTIALLY DIFFERENT.
8. Limitation of Liability.
(a) Consequential Damages Waiver. IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY SPECIAL, INCIDENTAL, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL DAMAGES OF ANY KIND, WHETHER BASED ON DAMAGES, LOSSES OR COSTS INCURRED AS A RESULT OF LOSS OF TIME, LOSS OR CORRUPTION OF APPLICATION OR DATA, LOSS OF PRODUCT OR REVENUE, OR LOSS OF USE OF THE PRODUCTS, REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, NEGLIGENCE, STRICT PRODUCT LIABILITY, OR OTHERWISE, EVEN IF THE PARTY HAS BEEN INFORMED OF THE POSSIBILITY OF THOSE DAMAGES IN ADVANCE.
(b) Liability for Direct Damages. THE MAXIMUM AGGREGATE LIABILITY FOR DAMAGES TO A PARTY ARISING FROM OR RELATED TO THIS AGREEMENT OR ANY ONLINE ORDER OR ANY PINDROP PROPERTY, WHETHER FOR BREACH OF CONTRACT OR WARRANTY, STRICT LIABILITY, NEGLIGENCE, OR OTHERWISE, WILL NOT:
(i) FOR PINDROP EXCEED TWO TIMES THE FEES PAID TO PINDROP DURING THE PRECEDING 12 MONTHS FOR THE PRODUCT, WORK PRODUCT, OR SERVICE UNDER THE ONLINE ORDER GIVING RISE TO THE LIABILITY; AND
(ii) FOR COMPANY EXCEED TWO TIMES THE FEES PAID OR PAYABLE TO PINDROP DURING THE PRECEDING 12 MONTHS, WHICHEVER AMOUNT IS GREATER, FOR THE PRODUCT, WORK PRODUCT, OR SERVICE UNDER THE ONLINE ORDER GIVING RISE TO THE LIABILITY.
(c) Exclusions.
(i) The limitations of liability in Sections 8(a) (Consequential Damages Waiver) and 8(b) (Liability for Direct Damages) do not apply to (A) a party’s breach of its confidentiality obligations under this Agreement, (B) Pindrop’s obligations under Section 9(a) (Infringement Claims Coverage) and, as a Responsible Party, under Section 9(c) (Procedural Requirements for Third Party Claims), (C) Company’s obligations under Section 9(b) (Company Coverage for Third Party Claims) and, as a Responsible Party, under Section 9(c) (Procedural Requirements for Third Party Claims), or (D) a party’s infringement or misappropriation of the other party’s intellectual property rights. “Responsible Party” has the meaning given in Section 9(c) (Procedural Requirements for Third Party Claims).
(ii) The limitation of liability in Section 8(b) (Liability for Direct Damages) does not apply to Company’s breach of Section 7(d) (Company’s Responsibility Statement) or the PCI Restriction.
9. Responsibility for Third Party Claims.
(a) Infringement Claims Coverage. Pindrop agrees, at its expense, to defend, indemnify, and hold harmless Company from and against any and all third party claims, actions or demands and legal proceedings, liabilities, damages, losses, and judgments or authorized settlements, and reasonable costs and expenses as incurred, including without limitation attorney’s fees, where the third party alleges that a Product furnished to Company and used within the scope of and in compliance with this Agreement infringes a U.S. copyright or any U.S. patent issued as of the Effective Date. Pindrop is not responsible under this Section for any infringement arising out of or related to: (i) modification of a Product by anyone other than Pindrop, where the Product would not infringe except for that modification, (ii) any infringement arising out of any combination of the Product with other software, hardware, processes or materials not provided by Pindrop, where the Product would not infringe except for the combination, (iii) Third-Party Software Components, when taken on a stand-alone basis and not in combination with other elements of the relevant Product, (iv) Company’s use of a version of the Product other than the most current release of the Products that results in a claim or action for infringement that could have been avoided by use of the current release, provided that Pindrop has supplied Company with the most current release at no additional fee, or (v) Company Call Data, where the Product would not infringe except for that Company Call Data.
If a Product is held or believed by Pindrop to infringe, Pindrop may, at its sole option and expense, elect to: (1) modify the Product so that it is non-infringing, (2) replace the Product with non-infringing products which are functionally equivalent or superior in performance, (3) obtain a license for Company to continue to use and access the Product as provided hereunder, or (4) terminate the license for the infringing Product and refund any prepaid but unused license fees paid for the Product under the impacted Online Order. THE RIGHTS GRANTED TO COMPANY UNDER THIS SECTION 9(a) ARE COMPANY’S SOLE AND EXCLUSIVE REMEDY FOR ANY CLAIM OF INFRINGEMENT OR MISAPPROPRIATION RELATED TO THE PRODUCTS AND THE THIRD PARTY CLAIMS DESCRIBED IN THIS SECTION 9(a).
(b) Company Coverage for Third Party Claims. Company agrees, at its expense, to defend, indemnify, and hold harmless Pindrop and its affiliates (each a “Pindrop Party”) from and against any and all third party claims, actions, demands and legal proceedings, liabilities, damages, losses, and judgments or authorized settlements, and reasonable costs and expenses as incurred, including without limitation attorney’s fees, arising out of or in connection with any alleged or actual breach or violation of (i) Section 7(d) (Company’s Responsibility Statement), (ii) other applicable Law requirements for which Company is responsible under this Agreement or an Online Order in connection with the use of or access to the Products or Services by Company and any Company Users, including the collection, processing, analysis, creation, storage and retention of Company Call Data and Outputs, and (iii) the PCI Restriction.
(c) Procedural Requirements for Third Party Claims. For each party to be responsible for its indemnification obligations under Sections 9(a) (Infringement Claims Coverage) or 9(b) (Company Coverage for Third Party Claims), as relevant (“Responsible Party”), the other party (“Covered Party”) will (i) promptly notify Responsible Party in writing of its receipt of notice of any claim or when it discovers facts on which Covered Party intends to base a request for indemnification under those Sections (each, a “Claim Notice”); (ii) afford Responsible Party the choice to control the defense and all related settlement negotiations of the claim; provided that Covered Party can participate at its own expense; and (iii) provide Responsible Party with reasonable assistance, information and authority necessary to perform its obligations under Sections 9(a) or 9(b) above. Each party, as a Responsible Party, agrees to keep Covered Party reasonably informed as to the status of Responsible Party’s efforts in connection with the defense or settlement of claims on behalf of Covered Party and reasonably consult with Covered Party (or Covered Party’s counsel) concerning those efforts.
Notwithstanding anything to the contrary in Section 9(c)(i), a Covered Party’s failure to provide a Claim Notice does not relieve Responsible Party of its liability to Covered Party under Sections 9(a) or 9(b), as relevant, unless the delay materially prejudices Responsible Party’s defense or the scope of Responsible Party’s liability for the relevant third party claim.
Notwithstanding anything to the contrary in Section 9(c)(ii), the following apply:
(A) The Responsible Party agrees it will not, without Covered Party’s written approval, make any admission of facts that expose Covered Party to any liability, require Covered Party to take or cease to take any action (including without limitation any requirement to make payments), or expose Covered Party to other claims that are not covered by the obligations for the relevant claim under Section 9. However, if Responsible Party is required by applicable Law to make an admission, Responsible Party may proceed in making the admission without Covered Party’s prior approval; provided Responsible Party provides written notice to Covered Party with a reasonable opportunity to obtain a protective order or otherwise address the requirement with the appropriate authority.
(B) If Responsible Party fails to respond to a Claim Notice or refuses to assume the defense of a claim tendered in good faith within 10 days of its receipt of the Claim Notice from Covered Party with respect to a claim for which it is seeking indemnification under this Section 9, then Covered Party may proceed to defend or otherwise settle the claim as Covered Party deems reasonably appropriate and Responsible Party agrees to reimburse Covered Party with respect to all defense costs and expenses or damages incurred with respect to the claim, as incurred.
10. Term and Termination.
(a) Term of Agreement. The term of this Agreement is 4 years, commencing on the Effective Date (“Initial Term”). This Agreement automatically renews for additional 3 year periods, unless one party provides the other party with at least 60 days written notice prior to the expiration of the then-current year (each, a “Renewal Term”, and together the Initial Term and Renewal Term are the “Term”). This Agreement remains binding in full force and effect and continues to apply to any Online Orders that have not yet terminated or expired as of the effective date of termination of this Agreement until the Online Order expires or terminates according to its own terms. For clarity, a notice of non-renewal of this Agreement does not in any way modify, impact the validity or terminate any existing Online Orders.
(b) Term of Online Orders. The term of each Online Order starts and ends as described in the relevant Online Order.
(c) Mutual Termination Rights. Either party may terminate this Agreement or any Online Order if the other party materially breaches any section of this Agreement or the relevant Online Order and fails to cure the breach within 30 days of receiving written notice from the non-breaching party (the “Cure Period”) specifying the nature of the breach and the actions required to cure the breach; provided, however, that if the breach does not involve the payment of any amounts to Pindrop and is of a nature that can be cured but not within the Cure Period and the breaching party has commenced significant efforts to cure the breach within the Cure Period, this Agreement or the relevant Online Order will not terminate so long as the breaching party continues to diligently pursue the completion of the cure.
(d) Termination For Change in Legal Requirements. Company may terminate this Agreement or any Online Order upon written notice to Pindrop if, after the Effective Date of this Agreement, an applicable Law becomes effective which prohibits or materially impairs Company’s ability to use the Products with its customers in compliance with the new applicable Law, either through Pindrop or otherwise; provided that the parties have met and discussed in good faith the impact of the new applicable Law on the Products, Company has provided written notice to Pindrop detailing its concerns with Pindrop’s plan or activities to address the change, and Company is not reasonably satisfied with Pindrop’s proposed plan or activities for addressing the change.
(e) Obligations Upon Termination. Upon the expiration or termination of this Agreement or an Online Order for any reason, all licenses granted under the impacted Online Orders, and all associated rights granted to Company under this Agreement and the impacted Online Orders will immediately terminate and Company will, at Pindrop’s sole option, return or destroy all relevant Pindrop Property in its possession or control. Further, at Disclosing Party’s request Receiving Party agrees to (i) destroy Disclosing Party Confidential Information in its possession or control and (ii) confirm to Disclosing Party in writing that Receiving Party has complied with any destruction instructions. However, Confidential Information (A) in Receiving Party’s or its Representatives’ archives (including legal archives and business records generated in the delivery and support of Products and Services) or back-up or other systems, (B) expressly authorized in this Agreement to be retained, or (C) retained to comply with litigation holds or Laws, in each case is required to be destroyed only in accordance with the Receiving Party’s and its Representatives’ data retention policies, litigation hold or Laws, whichever is the longest of the retention requirements. 
This Section 10(e), all defined terms, rights or obligations that expressly survive termination, and the rights and obligations in Sections 2(b) (Protection of Company Data) (for the time period stated in the Section), 3(e) (Restrictions) (to the extent relevant), 4 (Fees and Payments), 5 (Confidentiality), 6(c) (Data Privacy Terms), 6(d) (Pindrop Property), 6(e) (Company Property), 6(f) (Feedback), 7(d) (Company’s Responsibility Statement), 7(e) (Limited Warranties), 8 (Limitation of Liability), 9(a) (Infringement Claims Coverage), 9(b) (Company Coverage for Third Party Claims), 9(c) (Procedural Requirements for Third Party Claims), 11 (Audits) (for the time period specified in the Section) and 13 (General) survive any expiration or termination of this Agreement or any Online Order. For clarity, the obligations in Section 7(d) (Company’s Responsibility Statement) survive with respect to the Calls analyzed by a Product during the course of this Agreement and any related Online Orders.
11. Audits.
During the Term and for a period of 6 months after the Term, upon reasonable prior written notice to the other party (email is sufficient), each party (“Auditing Party”) has the right, at its expense, to conduct (or have a third party conduct) an audit, assessment, examination or review of relevant documentation, materials or systems of the other party (“Audited Party”) for the sole purpose of assessing Audited Party’s compliance with this Agreement and each Online Order. Audited Party will reasonably cooperate with the request by providing reasonable access to knowledgeable personnel, systems, documentation, and other reasonably requested information. Company acknowledges and agrees there may be restrictions on Company’s ability to conduct audits on Pindrop’s subcontractors. Audits will not be conducted more than once per year (unless a material non-compliance is detected in which case an additional audit may be performed to verify that any agreed to corrective actions have been taken). Audits must be conducted during normal business hours and in a manner not to unreasonably disrupt Audited Party’s day to day business. Any site visit at the Audited Party or audit of Audited Party’s procedures, systems and equipment is subject to Audited Party’s reasonable policies and practices that are in effect to maintain the security of Audited Party’s site, systems, and equipment, and to protect the confidentiality of proprietary and confidential information. Audited Party is not required to give access to or disclose any confidential information of a third party or any attorney-client privileged information. Auditing Party is not obligated to share audit results with Audited Party. However, the results of any audit are the Confidential Information of both parties, and in all cases subject to the confidentiality obligations in this Agreement.
12. Publicity.
Each party will be provided with an advance copy of any press release that the other party may wish to release and given an opportunity to reject (or make changes to) the press release prior to publication, provided that the party’s approval will not be unreasonably withheld or delayed.
13. General.
(a) Export Compliance. Pindrop Property and derivatives thereof may be subject to export laws and regulations of the United States and other jurisdictions. Pindrop and Company each represents that it is not on any U.S. government denied-party list. Company will not permit any User to access or use any Pindrop Property in a U.S.-embargoed country or region (currently Cuba, Iran, North Korea, Syria or Crimea) or in violation of any U.S. export law or regulation or other equivalent laws of other jurisdictions, as relevant.
(b) Governing Law; Jurisdiction and Attorneys’ Fees. This Agreement is governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of law provisions. With respect to any legal disputes between Company and Pindrop arising out of or related to this Agreement, Company and Pindrop irrevocably consent to the exclusive personal jurisdiction of the federal courts located in Delaware or, if the Federal courts do not have jurisdiction, in the Superior Court of the State of Delaware, and any appellate court from any state or Federal court. In the event of any dispute arising out of or related to this Agreement, the prevailing party is entitled to recover its reasonable attorneys’ fees and costs.
(c) Notices. All notices permitted or required under this Agreement will be in writing and will be delivered as follows with notice deemed given as indicated (i) by personal delivery when delivered personally; (ii) by commercially established courier service upon delivery or, if the courier attempted delivery on a normal business day and delivery was not accepted, upon attempted delivery; or (iii) by certified or registered mail, return receipt requested, 10 days after deposit in the mail. Notice will be sent to the parties at the addresses below the signature block or at any other address as each party will notify the other of in writing.
(d) Waivers; Severability. Neither party will by mere lapse of time without giving notice or taking other action be deemed to have waived any breach by the other party of any of the provisions of this Agreement. Further, either party’s waiver of a particular breach of this Agreement by the other party does not constitute a continuing waiver of the breach, or of other breaches of the same or other provisions of this Agreement. If any provision of this Agreement is held illegal, unenforceable, or in conflict with any law of a federal, state, or local government having jurisdiction over this Agreement, the validity of the remaining portions or provisions will not be affected.
(e) Force Majeure. Except for the payment of money due or payable, neither party is liable for any failure or delay in performance under this Agreement which might be due to strikes, shortages, riots, insurrection, fires, flood, storm, other weather conditions, explosion, acts of God, war, government action, inability to obtain delivery of parts, supplies or labor, labor conditions (including strikes, lockouts, or other industrial disturbances), earthquakes, riots or acts of terrorism, epidemic, pandemic, or any other cause which is beyond the party’s reasonable control (each a “force majeure event”). The occurrence of a force majeure event will not relieve Pindrop of its obligation to implement its disaster recovery plan or provide disaster recovery services for an impacted Product, as contemplated in Section 10 (BCP Program) of Exhibit B (Pindrop Information Security and BCP Program).
(f) Assignment. Each party may, with written notice to the other party, assign this Agreement to any third party who succeeds to substantially all of that party’s assets and business related to the Products covered under this Agreement by merger or purchase, provided that the assignee assumes this Agreement by an instrument in writing. Except as authorized in the preceding sentence, this Agreement may not be assigned or transferred by either party without the prior written consent of the other party. If Company is a financial institution under the GLBA and Company’s assignee is not, then (i) Company must disclose that fact to Pindrop in its written notice of assignment; and (ii) Pindrop reserves the right, in its discretion, to modify any Products and Services accessed or used by the assignee, including by way of example only, disabling features or functionality in the Products or Services or as otherwise deemed reasonably necessary to comply with applicable Laws. Notwithstanding the foregoing, if the assignee of Pindrop is unacceptable to Company in its good faith judgement for any legal or regulatory reasons or is unable to provide reasonable assurances that it has the financial, technical, or operational resources to fulfill its obligations under this Agreement: (A) Company may terminate this Agreement upon written notice to Pindrop (in which case all Online Orders hereunder will also immediately terminate) within 1 month of receipt of Pindrop’s notice of the change of control; and (B) in the event of any termination, Pindrop will promptly refund to Company all prepaid, unused fees for any full years of the Subscription Term remaining under the impacted Online Orders (i.e., not for the then-current year of the Subscription Term).
(g) Entire Agreement. This Agreement (i) is the complete agreement between the parties with respect to its subject matter and supersedes any and all prior agreements and understandings and (ii) unless expressly authorized otherwise in this Agreement, may be amended only in a writing that refers to this Agreement and is signed by both parties. The parties are independent contractors. Except as expressly agreed by the parties, neither party is deemed to be an employee, agent, partner or legal representative of the other for any purpose and neither will have any right, power or authority to create any obligation or responsibility on the other’s behalf. To the extent of any conflict between an Online Order and this Agreement, the Online Order controls.
(h) Injunctive Relief. Notwithstanding any other provision of this Agreement, any violation by either party of the other party’s intellectual property or proprietary rights will cause irreparable damage for which recovery of money damages would be inadequate, and the aggrieved party will therefore be entitled to seek timely injunctive relief to protect the party’s rights, without the need to post bond.
(i) Government and Public-Sector Users. The following terms apply, if relevant:
(i) US Government User Terms. The Pindrop Property made available under this Agreement is or otherwise contains commercial computer software as that term is defined in 48 C.F.R. 252-227-7014(a)(l). If acquired by or on behalf of a civilian agency, the U.S. Government acquires this commercial computer software and/or commercial computer software documentation and other technical data subject to the terms of this Agreement as specified in 48 C.F.R. 12.212 (Computer Software) and 12.211 (Technical Data) of the Federal Acquisition Regulations (“FAR”) and its successors. If acquired by or on behalf of any agency within the Department of Defense (“DOD”), the U.S. Government acquires this commercial computer software and/or commercial computer software documentation subject to the terms of this Agreement as specified in 48 C.F.R. 227.7202-3 of the DOD FAR Supplement (“DFAR”) and its successors. This U.S. Government Rights clause is in lieu of, and supersedes, any other FAR, DFAR, or other clause or provision that addresses government rights in computer software or technical data under this Agreement.
(ii) Freedom of Information Act Restrictions. If the Freedom of Information Act, 5 U.S.C. 552 et seq. or a State’s equivalent law (each, a “FOI Act”) applies to Company, Company acknowledges that Confidential Information is entitled to be exempt from disclosure under a FOI Act. Company will promptly notify Pindrop of any requests for the disclosure of any Confidential Information under a FOI Act, and will assert to the government or requester, orally and in writing, that the Confidential Information is exempt from disclosure under FOI Act.
(j) Limited Right to Modify Terms. If litigation or a change in applicable Law or the regulatory landscape occurs which affects this Agreement or either party’s activities under this Agreement, and a party reasonably believes in good faith that the change will have a substantial adverse effect on that party’s rights or obligations under this Agreement, then the party may, upon written notice, require the other party to enter into good faith negotiations to renegotiate the terms of this Agreement, with the notice providing reasonable detail as to the nature of any proposed modification.
Exhibit A – Data Privacy Terms
1. Definitions.
(a) “Aggregate Data” means information that relates to a group or category of individuals, from which individual identities have been removed, that is not linked or reasonably linkable to any individual or household.
(b) “Data Protection Laws” means any state or federal privacy or data protection laws to which Company or Pindrop (as a service provider to Company) are subject, including but not limited to, the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations; the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), Cal. Civ. Code 1.81.5, the Utah Consumer Privacy Act (UCPA), Utah Annotated Code §13-61-101, the Virginia Consumer Data Protection Act (VCDPA), Va. Code Ann. §§ 59.1-575 to 59.1-585, and any other legislation which implements any other current or future legal act concerning the protection, privacy, and/or processing of Personal Data, including any amendment or re-enactment of the foregoing.
(c) “Deidentified Data” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular individual.
(d) “Personal Data” means any personal information as described in the applicable Data Protection Laws and relates only to Personal Data, or any part of the Personal Data, in respect of which Pindrop is a processor in connection with the performance of its obligations under the Agreement.
(e) “Process”, “Processing”, or “Processed” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
(f) “Processing Purpose” means the purpose for which Pindrop is Processing Personal Data as described in Section 2(b) of this Exhibit A.
(g) “sale”, “sell”, or “selling” will have the meaning as ascribed to it under applicable Data Protection Law.
(h) “Business”, “Controller”, “Processor”, and “Service Provider” will have the meaning as ascribed to it or to a similar term under applicable Data Protection Law.
2. Processing Purpose. With respect to Pindrop’s provision of the Products and Services to Company under this Agreement and each Online Order (the “Relevant Agreements”):
(a) Pindrop is a Service Provider or Processor (as relevant), with respect to any Personal Data that Pindrop Processes, on behalf of Company, under the Relevant Agreements (“Personal Data”);
(b) Company has disclosed Personal Data to Pindrop and its affiliates for the Processing Purposes of (1) detecting security incidents and/or utilization by a caller of a non-human voice, and protecting against malicious, deceptive, fraudulent or illegal activity (including, in each case, populating the Pindrop Database); and (2) assisting in the authentication of callers of Company, as well as is reasonably necessary in support of any other valid Processing Purposes that are part of the Products, Services and that are expressly agreed to by the parties in the Relevant Agreements, including and subject to restrictions on use (such as those relevant to Fraudulent Call Data);
(c) Pindrop and Company acknowledge and confirm that Pindrop does not receive any Personal Data as consideration for any Products, Services or other items provided under the Relevant Agreements; and
(d) Company hereby instructs and authorizes Pindrop to Process Personal Data in connection with Pindrop’s performance and exercise of its obligations and rights under the Relevant Agreements. Any additional or alternate instructions must be mutually agreed upon in writing.
3. Permitted Use. Pindrop will only collect, use, retain, disclose and otherwise Process Personal Data (a) for its performance of the Relevant Agreements and the Services and provision of the Products, including in support of Pindrop’s and its affiliates’ internal operations as necessary to the provision of the Products and Services, (b) for its internal use to build or improve the quality of the Products and Services, provided that Pindrop does not use the Personal Data to perform services on behalf of another person; or (c) as otherwise necessary for compliance with applicable Laws. Pindrop will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data and are subject to a duty of confidentiality with respect to Personal Data.
4. Service Providers. Pindrop may disclose Personal Data to, and permit the Processing of Personal Data by, its service providers who perform services on behalf of Pindrop, in support of the provision of the Products and Services to Company (each, a “Service Provider”). Pindrop will ensure that Service Providers are subject to equivalent contractual requirements with respect to Personal Data that apply to Pindrop under this Exhibit A. Pindrop is responsible for the actions of its Service Providers that breach the terms of this Exhibit A.
5. Restrictions. Pindrop is prohibited from selling, retaining, using, disclosing, or otherwise Processing Personal Data for any purpose other than for the Processing Purpose or as otherwise described in Section 6 (Deidentified Data and Aggregated Data) of this Exhibit A, which, for the avoidance of doubt, also prohibits Pindrop from retaining, using, or disclosing Personal Data outside of its business relationship with Company or for any other Commercial Purpose. Where permitted by Company under the Relevant Agreements, Pindrop may retain, use, or otherwise Process certain Personal Data (and combine it with personal data from other clients) as reasonably necessary to detect data security incidents, or protect against fraudulent or illegal activity (e.g., as part of the Pindrop Database). Pindrop certifies that it understands and will comply with the foregoing restrictions described in this paragraph.
6. Deidentified Data and Aggregate Data. Pindrop and its affiliates may use Deidentified Information and Aggregate Data relating to Personal Information or derived from the Products and Services, for the purposes of providing the Products and Services, improving its operations, and enhancing the features, functions, and performance of the Products and Services. Pindrop and its affiliates may also, during and after the term of the Agreement, use, maintain, and disclose the Deidentified Data and Aggregate Data for its own product improvement and general purposes. Pindrop will not identify Company or otherwise disclose Company as the source of any Deidentified Data or Aggregate Data in any manner in connection with any general use purposes. For clarity, Support Data may, if it meets the criteria described in this Section 6, also be used for the purposes authorized in this Section.
7. Audit. Company will have the right to audit Pindrop’s Processing of Personal Data and Pindrop’s compliance with this Exhibit A in accordance with Section 11 (Audits) of the Agreement. Any report, documents, information, or record provided to Company or created under this Section 7 is considered Pindrop Confidential Information.
8. Duration of Processing. Pindrop will only Process Personal Data for the duration of the Relevant Agreements and as otherwise allowed under the Relevant Agreements or permitted under applicable Law. Unless retention of Personal Data is otherwise permitted under the Relevant Agreements, at the termination or expiration of the Relevant Agreements, Personal Data will be returned and/or deleted in accordance with Section 10(e) (Obligations Upon Termination) in the main body of the Agreement.
9. Data Subject Requests. If Pindrop receives a complaint, dispute, or request from a data subject to exercise the data subject’s rights under Data Protection Laws, and Pindrop is able to confirm that the request relates to Company, Pindrop will promptly notify Company of the data subject request. Taking into account the nature of Pindrop’s Processing of Personal Data, Pindrop will provide reasonable assistance to Company in responding to data subject requests as required by Data Protection Laws and only to the extent commercially feasible. Unless required by applicable Law, Pindrop will not respond to or take any action to comply with a data subject request without Company’s approval.
Exhibit B – Pindrop Information Security and BCP Programs
1. Definitions.
Capitalized terms used in this Exhibit B have the meanings given below or, if not defined below, the meanings given in the main body of this Agreement.
“Company-Controlled Systems” means: (i) Information Systems that are within Company’s possession or control; and (ii) all On-Premises Appliances.
“In-Scope Subcontractor” means each of Pindrop’s subcontractors who are engaged by Pindrop to deliver components of the Products or Services to Company and will have access to, process, or store Company Call Data.
“Information System” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.
“On-Premises Appliances” means all appliances (including, without limitation, Pindrop’s or Pindrop-provided Products) that are procured by Company under an Online Order and installed within Company’s facilities, Company’s data centers, or Company’s third-party data centers.
“Pindrop-Controlled Systems” means (i) Information Systems that are within Pindrop’s possession or control; and (ii) Amazon Web Services (“AWS”) Information Systems or Google Cloud Platform (“GCP”) that meet the following criteria: (a) under Pindrop’s enterprise account with AWS or GCP, as relevant; (b) used by Pindrop to deliver the Products or Services or used by Pindrop for Pindrop’s internal, corporate-level systems; and (c) are AWS Information Systems or GCP Information Systems for which Pindrop solely configures and manages the security controls used by Pindrop to protect the data stored within the AWS Information Systems or GCP Information Systems. The defined term Pindrop-Controlled Systems excludes all Company-Controlled Systems.
“Security Breach” means a reasonably suspected or confirmed unauthorized disclosure of Company’s Confidential Information within Pindrop’s possession or control; or a reasonably suspected or confirmed unauthorized access by a third party to any Pindrop-Controlled Systems that process, hold, or provide access to Company’s Confidential Information.
2. Governance and Oversight; Security Audits.
(a) Pindrop will have in place a cybersecurity program designed to protect the confidentiality, integrity, and availability of the Pindrop-Controlled Systems, as detailed in this Exhibit B. The cybersecurity program includes tracking data asset locations and maintaining risk based written security policy or policies that satisfy the requirements described in this Exhibit B (“Security Policy”). Pindrop will not make any change to its Security Policy that will materially degrade the overall level of security described in this Exhibit B.
(b) Pindrop’s Security Policy is based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Company’s Confidential Information within Pindrop’s possession or control that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of the information, and assesses the sufficiency of any safeguards in place to control these risks. The risk assessment will be written and include: (i) criteria for the evaluation and categorization of identified security risks or threats to Company’s Confidential Information within Pindrop’s possession or control; (ii) criteria for the assessment of the confidentiality, integrity, and availability of Company’s Confidential Information within Pindrop’s possession or control, including the adequacy of the existing controls in the context of the identified risks or threats; and (iii) requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the Security Policy will address the risks.
(c) Pindrop will periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Company’s Confidential Information within Pindrop’s possession or control that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of the information, and reassess the sufficiency of any safeguards in place to control these risks.
(d) Pindrop will (i) design and implement safeguards to control the risks identified through the risk assessments it performs; and (ii) evaluate and adjust its information security program in light of the results of the testing and monitoring described in this Exhibit B, any material changes to Pindrop’s operations or business arrangements, and any other circumstances that Pindrop knows or has reason to know may have a material impact on Pindrop’s information security program.
(e) Pindrop will assign an appropriate individual within Pindrop’s Information Security team to maintain responsibility and executive oversight for the Security Policy, including, without limitation, implementation, formal governance and revision management, employee education, and compliance enforcement. The individual assigned by Pindrop to maintain responsibility and executive oversight for the Security Policy will report in writing, regularly and at least annually, to Pindrop’s executive team or board of directors or equivalent governing body. Any reports will include the following information: (i) the overall status of Pindrop’s information security program; and (ii) material matters related to Pindrop’s information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses thereto, compliance obligations and recommendations for changes in the information security program.
(f) Subject to the terms in Section 11 (Audits) of the Agreement, the rights in this Section 2(f) will apply. If a Company Regulator exercising its supervisory authority makes a request to Company to access the Products or Services, Company will use commercially reasonable efforts to resolve that request directly with the Regulator using alternative methods, including by reviewing the security certifications for the Pindrop-Controlled Systems with the Regulator. If the Company Regulator determines that the information available through these mechanisms is insufficient to verify compliance with applicable Laws then, upon the Company Regulator’s request and Company’s written confirmation that the Company Regulator has the requisite supervisory authority over Company to make the request, Pindrop will provide the Company Regulator with: (a) information about the Products and Services and the opportunity to discuss the Products and Services operations and controls with Pindrop subject matter experts; and (b) if required, a direct right to examine the Products and Services used by Company, including by conducting an examination on premises. Pindrop may charge Company a fee (based on Pindrop’s reasonable costs) for any discussion, communication, and examination. Any discussion, communication, or examination requested by the Company Regulator under this subsection will, except in an emergency or crisis situation, be conducted consistent with the terms of Section 11 (Audits) of the main body of the Agreement.
3. Policies and Procedures.
(a) The policies that comprise the Security Policy are commercially reasonable, communicated to relevant Pindrop employees, and designed to: (i) be protective of Company’s Confidential Information within the Pindrop-Controlled Systems; and (ii) support Pindrop’s compliance with its obligations under this Agreement. If requested by Company in writing, Pindrop agrees to provide Company with (1) the title page and table of contents related to the Security Policy or other related policies or procedures relevant to Pindrop’s business operations described in this Exhibit B; (2) an opportunity to discuss Pindrop’s security measures; (3) confirmation that penetration testing and vulnerability scanning has been performed; and (4) independent audit reports relevant to the Products (such as SOC2 Type 2) that Pindrop makes generally available to its customers under confidentiality terms.
(b) Pindrop will review its Security Policy at least annually and amend the Security Policy (or subparts thereof) as Pindrop deems commercially reasonable (e.g., in light of relevant risk assessment findings, relevant changes in applicable Laws or standards, technology advances, changes to Pindrop’s systems or Pindrop’s own changing business operations).
(c) As part of the Security Policy, Pindrop will have security-minded development practices for applications that form any part of the Products or that are used to deliver the Products, and procedures for evaluating and assessing the security of externally developed applications that form any part of the Products or that are used in the delivery of the Products.
(d) Pindrop will maintain and follow employment verification requirements for all new Pindrop employee hires, with verifications occurring prior to the date of hire. These requirements will include criminal background checks, proof of identity validation, and additional checks as deemed reasonably necessary by Pindrop and as permitted by applicable Law. Employment verification measures will be in line with requirements under Industry Standards (as defined below). Each Pindrop local entity is responsible for implementing the foregoing requirements in its hiring process as relevant and permitted under local law. Pindrop will provide verification of the completion of background checks in a satisfactory manner for employees upon Company’s reasonable request; however, Pindrop is not required to provide an actual copy of the background check results.
(e) Pindrop will have a training program that includes conducting security education for its employees annually. The training program will: (i) provide security awareness training that is updated to reflect risks identified by Pindrop’s risk assessments; and (ii) promote the maintenance of current knowledge of changing information security threats and countermeasures.
4. Compliance. Pindrop-Controlled Systems will be subject to annual certification of compliance with the Payment Card Industry Data Security Standards (PCI-DSS) (with respect to relevant cardholder data environments only), ISO 27001, and SSAE SOC2 or any substantially equivalent or alternative successor standard (“Industry Standards”). Upon written request from Company, Pindrop will provide evidence of the compliance and accreditation with the Industry Standards as reasonably determined by Pindrop, such as certificates, attestations, or reports resulting from accredited independent third-party audits (accredited independent third-party audits will occur at the frequency required by the relevant standard). Additionally, Pindrop will use commercially reasonable efforts to verify that its In-Scope Subcontractors comply with all Laws applicable to the operation of the In-Scope Subcontractors’ business and all Laws generally applicable to providers of information technology services, in each case, to the extent relevant to the specific products and services being provided by In-Scope Subcontractor to Pindrop in connection with the Products and Services covered under this Agreement. The verification may be accomplished through Pindrop’s vendor due diligence process. In the event that Pindrop’s vendor due diligence process identifies a non-compliance with the aforementioned Laws, Pindrop will work with the In-Scope Subcontractor to cure the deficiency.
5. Incident Response and Security Breaches.
(a) Pindrop will maintain and follow documented incident response policies consistent with National Institute of Standards and Technology, United States Department of Commerce (NIST) guidelines or equivalent industry standards for computer security incident handling. Pindrop’s written incident response plan will be designed to promptly respond to, and recover from, any event materially affecting the confidentiality, integrity, or availability of Company’s Confidential Information within Pindrop’s possession or control. The incident response plan will address the following areas: (i) the goals of the incident response plan; (ii) the internal processes for responding; (iii) the definition of clear roles, responsibilities and levels of decision-making authority; (iv) external and internal communications and information sharing; (v) identification of requirements for the remediation of any identified weaknesses in information systems and associated controls; (vi) documentation and reporting; and (vii) the evaluation and revision as necessary of the incident response plan.
(b) Pindrop will investigate Security Breaches (and security incidents that are not yet Security Breaches but that are reasonably likely to result in Security Breaches) of which Pindrop becomes aware, perform a root-cause analysis of the same and take prompt action designed to contain the Security Breach. Company must notify Pindrop of any suspected vulnerability or security incident by immediately submitting a technical support request to Pindrop.
(c) Pindrop will notify Company within no more than 24 hours after Pindrop becomes aware of a Security Breach that has impacted Company’s Confidential Information. Pindrop will provide Company with reasonably requested information about the Security Breach and the status of any Pindrop containment and service restoration activities.
6. Physical Security and Entry Control.
(a) Pindrop will maintain reasonable physical entry controls, such as barriers, card-controlled entry points, surveillance cameras, and manned reception desks, designed to protect against unauthorized entry into Pindrop-managed facilities (i.e., its headquarters facility) used to provide the Pindrop-Controlled Systems. Auxiliary entry points into the facilities, such as delivery areas and loading docks, will be controlled and isolated from computing resources.
(b) Access to Pindrop-managed facilities and controlled areas within those facilities will be limited by job role and subject to authorized approval. Access will be logged, and the logs will be retained for not less than one year. Pindrop will revoke access to Pindrop-managed facilities upon separation of an authorized employee. Pindrop will follow formal documented separation procedures that include prompt removal from access control lists and surrender of physical access badges.
(c) Any person granted temporary permission to enter a Pindrop-managed facility or a controlled area within the facility will be registered upon entering the premises and will be escorted by authorized personnel.
(d) Pindrop will take precautions designed to protect the physical infrastructure of Pindrop-managed facilities against environmental threats, both naturally occurring and man-made, such as excessive ambient temperature, fire, flood, humidity, theft, and vandalism.
7. Access, Intervention, Transfer and Separation Control.
(a) Pindrop will maintain measures for Pindrop-Controlled Systems that are designed to logically separate and prevent Company’s Confidential Information stored within Pindrop-Controlled Systems from being exposed to or accessed by unauthorized persons. Pindrop will maintain isolation of its production and non-production environments, and, if Company’s Confidential Information is transferred to a non-production environment, for example to reproduce an error at Company’s request, security and privacy protections in the non-production environment will be equivalent to those in production.
(b) Pindrop will encrypt Company’s Confidential Information that is subject to long-term storage within Pindrop-Controlled Systems and when Company’s Confidential Information is transmitted by Pindrop over public networks. Pindrop will maintain documented procedures for encryption key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use. To the extent that encryption is impractical, Pindrop will use compensating controls designed to protect Company’s Confidential Information.
(c) If Pindrop requires access to Company’s Confidential Information that is stored within Pindrop-Controlled Systems, and if access is managed by Pindrop, Pindrop will deploy measures designed to restrict access to the minimum level required. Access, including, without limitation, administrative access, will be individual, role-based, and subject to approval and regular validation by authorized Pindrop personnel following the principles of segregation of duties. Pindrop will maintain measures to identify and remove redundant and dormant accounts with privileged access and will promptly revoke access upon the account owner’s separation or upon the request of authorized Pindrop personnel, such as the account owner’s manager.
(d) For Pindrop-Controlled Systems, Pindrop will:
(i) monitor and periodically test the Pindrop-Controlled Systems to assess the effectiveness of the Security Policy;
(ii) maintain technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, strong password or passphrase authentication, and password change frequency;
(iii) monitor use of privileged access and maintain security information and event management measures designed to: (1) identify unauthorized access, use or tampering; (2) facilitate a timely and appropriate response, and (3) enable internal and independent third-party audits of compliance with the Security Policy;
(iv) where practicable for a given Pindrop-Controlled System, use multi-factor authentication designed to protect against unauthorized access to the Pindrop-Controlled System;
(v) maintain logs in which privileged access and activity are recorded, which will be retained in compliance with Pindrop’s worldwide records management plan and Security Policy;
(vi) maintain measures designed to protect against unauthorized access, modification, and accidental or deliberate destruction of the logs described in the prior (v);
(vii) maintain tools designed to detect and remove Malicious Code from the Pindrop-Controlled Systems;
(viii) adopt procedures for change management; and
(ix) develop, implement, and maintain procedures for the secure disposal of Company’s Confidential Information within Pindrop’s possession or control in any format used in connection with the provision of the Product or Service to the Customer to which it relates, unless the information is necessary for business operations or for other legitimate business purposes or as otherwise expressly authorized by Company in this Agreement or an Online Order, is otherwise required to be retained by law or regulation, as described in Section 10(e) (Obligations Upon Termination) of the Agreement, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
(e) Pindrop will securely sanitize physical media intended for reuse prior to reuse, and will destroy physical media not intended for reuse, consistent with NIST guidelines for media sanitization. Upon Company’s reasonable request, Pindrop will provide a certificate of destruction certifying the destruction of any of Company’s Confidential Information within Pindrop’s possession or control.
8. Service Integrity and Availability Control.
With respect to Pindrop-Controlled Systems, Pindrop will:
(a) Perform security risk assessments at least annually;
(b) Perform security testing and vulnerability assessments on a periodic basis;
(c) Enlist a qualified testing service to perform penetration testing at least annually;
(d) Perform automated vulnerability scanning against configuration industry standards reasonably designed to identify publicly-known security vulnerabilities in Pindrop-Controlled Systems based on Pindrop’s risk assessment: (i) at least every six months; (ii) whenever there are material changes to Pindrop’s technical operations of the nature that reasonably justify the performance of a scan; and (iii) whenever there are circumstances that Pindrop knows or has reason to know may have a material impact on Pindrop’s information security program of the nature that reasonably justify the performance of a scan;
(e) Follow Pindrop’s policies with respect to the remediation of identified vulnerabilities, based on associated risk, exploitability, and impact;
(f) Take reasonable steps to avoid disruption of the Products and Services when performing its tests, assessments, scans, and execution of remediation activities;
(g) Maintain measures designed to assess, test, and apply security advisory patches. Upon determining that a security advisory patch is relevant and appropriate, Pindrop will implement the patch under Pindrop’s policies, taking into account associated risk, exploitability, and impact;
(h) Maintain policies and procedures designed to manage risks associated with the application of changes; and
(i) Maintain an inventory of information technology assets.
9. Vendor Management Program.
(a) Pindrop agrees to maintain a formal vendor management program. As part of the program, Pindrop is responsible for conducting due diligence on each of its In-Scope Subcontractors on a periodic basis to assess the extent to which each In-Scope Subcontractor has reasonable security measures designed to protect the Company Call Data in that In-Scope Subcontractor’s possession or control. In conducting In-Scope Subcontractor due diligence, Pindrop may rely upon the information available in an In-Scope Subcontractor’s SOC2 or comparable report or certification (each, an “Independent Audit Report”) to make the assessment, even if the Independent Audit Report does not contain the level of detail specified in this Exhibit B. Upon request by Company, Pindrop will direct Company to the location at which it can obtain copies of an In-Scope Subcontractor’s Independent Audit Report. In the event that Company is unable to obtain the Independent Audit Report, Pindrop will use reasonable efforts to secure the relevant Independent Audit Report from the In-Scope Subcontractor and provide a copy to Company. Pindrop agrees to provide Company with a minimum of 30 days prior notice if there is a material change in the identity of the In-Scope Subcontractors relevant to the Products or Services covered under an existing Online Order. If an In-Scope Subcontractor is Processing Company Personal Information, then within 30 days of receiving notice of a new In-Scope Subcontractor, Company may object (in good faith) to the engagement. In the event Company makes an objection within the time period, the parties will work in good faith to resolve the objection. If the parties are not able to come to a mutually agreed to solution, Company’s sole and exclusive remedy is to terminate the relevant Online Order under which the new In-Scope Subcontractor is Processing Company Personal Information.
(b) In addition to In-Scope Subcontractors, Company understands and agrees that Pindrop may use other vendor systems and solutions to support its day to day back office business operations where Confidential Information of Company (other than data that’s been input into a Product) may be collected, processed or stored, including by way of example, contract management, billing or other financial transaction-related tools and solutions (each, a “Back Office Business System”). Back Office Business Systems are not Pindrop-Controlled Systems, but are subject to the requirements of Sections 9(c) and 9(d) of this Exhibit B.
(c) Pindrop will have a written agreement in place with each In-Scope Subcontractor and each vendor providing a Back Office Business System that contains commercially reasonable confidentiality obligations designed to protect the confidentiality of the Company Call Data in the possession or control of the In-Scope Subcontractor or the confidentiality of the Confidential Information in the possession or control of each vendor providing the Back Office Business System, as relevant.
(d) Pindrop is responsible for any unauthorized disclosure of Company Call Data by an In-Scope Subcontractor and Confidential Information by each vendor providing a Back Office Business System to the same extent as Pindrop itself would be by the terms of this Agreement.
10. BCP Program.
(a) Pindrop’s BCP will include (i) a business impact analysis that includes a risk assessment that documents prioritization of business functions and process, systems, subcontractors, resource requirements and interdependencies that may affect recovery timelines and alternative resource plans; (ii) specifically defined or targeted RTOs (recovery time objective); and (iii) specifically defined or targeted RPOs (recovery point objective). Unless provided otherwise in an Online Order, Pindrop’s RTO and RPO policy for a single availability zone failure for a Product will not exceed 24 hours.
(b) Pindrop will conduct periodic exercises with respect to its BCP (such as tabletop exercises), but on no less than an annual basis. If an event triggers Pindrop’s BCP (each, a “BCP Event Trigger”), Pindrop is responsible for implementing the BCP in accordance with Pindrop’s policies and procedures. Company understands and agrees that if a BCP Event Trigger occurs, depending on the nature and scope of the event and whether Company procures “high availability” Appliances for any Products deployed at Company-managed facilities, the availability and/or ability to recover Company’s Confidential Information, including without limitation, the Company Call Data, in Pindrop’s possession or control may be impacted.
(c) The Products are not designed for and should not be used by Company as an official record or similar, whether for regulatory purposes or otherwise.
(d) Should the Products in use by Company experience an outage, Pindrop will notify Company of the outage and provide periodic status updates until the impact is resolved, as detailed in the Support Program Terms.
(e) Pindrop will provide reasonable prior notice to Company if Pindrop’s BCP is changed in a way that would have a material adverse impact on Pindrop’s ability to deliver the Products or the Services to Company as described in this Agreement, each relevant Online Order.
11. Company Responsibilities. Company agrees to take commercially reasonable measures designed to detect and prevent the introduction of Malicious Code into Pindrop-Controlled Systems used in the delivery of Products or Services to Company. Company also understands and agrees that Company is responsible for determining whether the Products and Services are suitable for Company’s use and implementing and managing security measures for all components of the Products and Services that Pindrop does not manage or for which Pindrop does not have security obligations under this Exhibit B, with Pindrop’s only security obligations being as described in this Exhibit B. Examples of Company responsibilities include, without limitation: (a) securing all Company-Controlled Systems; and (b) accepting and implementing all security patches provided by Pindrop with respect to any On-Premises Appliances (and all other software distributed by Pindrop to Company in order to enable the security patches), without delay. Company understands and agrees that Pindrop does not manage, and is not responsible for the security of, On-Premises Appliances. Company further agrees that it is Company’s responsibility, and not Pindrop’s responsibility, to ensure adequate backups of any Company Call Data on the Company-Controlled System that are physically and logically separated from the Products and Services being provided by Pindrop under this Agreement. Company agrees that Pindrop will not be in breach of its obligations under this Exhibit B if and to the extent that Pindrop’s non-compliance is directly caused by Company’s failure to comply with its own security responsibilities under this Agreement.
Exhibit C – Implementation and Product-Specific Terms
1. Call Routing. The Product will be implemented and deployed based on an agreed to architecture for the routing of calls reflected in the Online Order (“Approved Architecture”). The Approved Architecture will apply for the duration of the relevant Subscription Term under the Online Order.
2. Pindrop Protect Cloud-Specific Terms.
(a) Pindrop Database. During the term of an Online Order, the Product will collect, process, and analyze Company Call Data. Pindrop and its affiliates are authorized to use and contribute the Fraudulent Call Data to the Pindrop Database for the purpose of identifying, monitoring, and tracking phone-based fraud and suspicious transactions or passively authenticating a caller for the benefit of Company, Pindrop’s and its affiliates’ existing or future customers, and the Consortium Members (the “Authorized Use of Fraudster Data”). Pindrop will only identify (i.e., “tag”) that Fraudulent Call Data was provided by Company on a pseudonymized basis (e.g., using a code name within the Pindrop Database itself). For clarity, neither Company nor any other Pindrop customer has or will have access to or the ability to view the Pindrop Database or its stored data. Company agrees that the Authorized Use of Fraudster Data survives any termination or expiration of this Agreement or the relevant Online Order.
(b) Call Recording Storage Terms. The following call recording storage and related terms apply to the configuration reflected in the relevant Online Order:
Company Storage of Call Recordings (default configuration unless specified otherwise in the relevant Online Order)
The default storage option for call recordings created by a Product in the ordinary course of use is Company’s own Core Hosting Provider (as defined below) instance (i.e., under Company’s own direct account with the Core Hosting Provider) (each a “CHP Instance”). For purposes of this Exhibit C, “Core Hosting Provider” or “CHP” means the third-party service provider whom Pindrop uses to host the Products covered under an Online Order (e.g., AWS or Google), as reflected in the relevant Online Order.
Company is solely responsible for all aspects of the CHP Instance, including without limitation, the cost of securing and maintaining the CHP Instances for the duration of the Online Orders as well as the security settings relevant to the CHP Instance.
The CHP Instance will be configured for use with a Product as described in the Approved Architecture, which configuration will include, at a minimum, (i) sufficient administrative and access rights for Pindrop to be able to monitor and maintain the call recordings as needed to deliver the Product as contemplated in the Documentation and for Pindrop to provide the maintenance and support for that Product (including sharing IAM credentials, access key, secret key and encryption settings with Pindrop until the expiration of the relevant Subscription Term to enable access); and (ii) the retention of the call recordings for the Calls as established from time to time based on Company’s instructions and the Product’s standard features and functionality (collectively, “Minimum CHP Configuration Requirements”). Company agrees to maintain the Minimum CHP Configuration Requirements for the CHP Instance for the duration of all Online Orders relevant to the Product, unless Company and Pindrop mutually agree otherwise in writing.
Upon the expiration or termination of Company’s right to use a Product under an Online Order, Company is responsible for the deletion of any call recordings from the CHP Instance.
Pindrop Storage of Call Recordings
If the Approved Architecture provides that Pindrop, rather than Company, will store the call recordings created by the Product in its ordinary course of use on behalf of Company in Pindrop’s CHP instance (i.e., under Pindrop’s own and direct account with the CHP, such as AWS or Google) (each, a “Pindrop CHP Instance”), then the following terms apply:
(i) Pindrop will maintain the call recordings based on the time periods configured within the Product as established from time to time based on Company’s instructions and the Product’s standard features and functionality.
(ii) Company’s Users will have access to the call recordings through the standard user interface for the Product to enable Users to disposition a given Call as either fraudulent or genuine. No other administrative access will be granted to Company for the Pindrop CHP Instances.
(iii) Upon the expiration or termination of Company’s right to use a Product under one or more Online Orders, then Pindrop will delete any remaining call recordings from the Calls from Pindrop’s CHP Instance.
3. Acceptable Use Policy. When transmitting Company Call Data via the Product, Company will comply with Pindrop’s then-current acceptable use policy, which is available upon request or at https://www.pindrop.com/wp-content/uploads/2021/12/Pindrop-Acceptable-Use-Policy-Sept-2018.pdf.
4. CHP Flow-Down Terms. Notwithstanding anything to the contrary in this Agreement, Company acknowledges and agrees that, in providing hosting and related cloud platform services (“CHP Services”) to Company, (a) the CHP may require that Pindrop notify it of any unauthorized access or use by Company of the CHP Services, and Company authorizes Pindrop to provide any required notice to the CHP, (b) Company’s receipt of CHP Services may be subject to legal intercept or monitoring activities by the CHP, its suppliers, or local authorities in accordance with its standard business practices and applicable Laws, and (c) Company may not use the CHP Services, or any interfaces provided with the CHP Services, to access or use any other CHP product or service in a manner that violates the terms of service relevant to the other CHP product or service.
5. Amazon Connect Integration Specific Terms. Where the Approved Architecture will use Pindrop’s native integration call capture method for Amazon Connect, “Company Call Data” includes the Amazon Connect Data Stream (i.e., the call audio, Contact Status Request, Contact Trace Record Stream and Agent Event Stream and any replacement features and functionality that collect or create data within Amazon Connect for a given Call and are then routed by Amazon Connect to the Product for analysis). Currently, AWS refers to these more generally as the “Kinesis” data streams and the AWS Lambda functions.
6. Call Center Partner Integration-Related Terms. Where the Approved Architecture will use a call capture method that integrates with a Call Center Partner Solution (as reflected in the relevant Online Order), this Section applies. As Company’s subcontractor with access to the Product, Company is responsible for the Call Center Partner’s and the Call Center Partner Solution’s compliance with all terms of the Agreement and each relevant Online Order to the same extent as Company’s own personnel and systems.
“Call Center Partner” means the third-party vendor used by Company to provide Company’s contact center through which the Calls will be routed, as further detailed in the relevant Approved Architecture. Examples of Call Center Partners include Amazon with respect to Amazon Connect and Twilio with respect to Twilio’s call center offerings.
“Call Center Partner Solution” means the solution and services obtained by Company from the Call Center Partner under a direct agreement between Company and the Call Center Partner.
7. Tap-To-Cloud Call Capture Terms. If the call capture method for the Product is specified as “tap-to-cloud” in an Online Order, then the additional Tap-To-Cloud Call Capture Terms available here apply.
8. Managed Service Provider Terms. If Company is authorized under an Online Order to bundle a Product as part of Company Managed Services (defined below), then the additional terms in this Section 8 apply. If this Section 8 conflicts with any other terms of this Agreement, this Section 8 controls.
(a) Bundled Offering. Subject to the terms of this Agreement and the Online Order, Pindrop grants Company a non-exclusive, non-transferable, non-assignable right to bundle the Product solely as a non-severable part of Company Managed Services to Company Customers in the Authorized Geography. Company does not have the right to appoint or otherwise authorize any other third party, directly or indirectly, to perform any activities or exercise any rights granted to Company under this Agreement or any Online Order (whether as a sub-service provider or otherwise). Company will not make any false or misleading representations with regard to Pindrop, its affiliates, the Products or Services, or any representations, warranties, or guarantees with respect to the Products or Services that are inconsistent with this Agreement, any Online Order, or Documentation.
(b) Company Customer-Facing Requirements. Products and Services bundled by Company as part of a Company Managed Service must be made under a Company Customer Agreement (defined below), which will be no less protective of Pindrop Property than the relevant terms in this Agreement and each Online Order. As between Pindrop and Company, Company is solely and exclusively liable for all commitments and terms it agrees to in each Company Customer Agreement. Under no circumstances will Pindrop be liable to a Company Customer in connection with a Company Customer Agreement. As between Pindrop and Company, (i) Company is solely and exclusively responsible for providing appropriate notices and disclosures to each Company Customer with respect to Company Call Data and Outputs relative to the Calls relevant to the Company Customer and how Company Call Data is collected, used, stored and the like (as detailed in this Agreement and each relevant Online Order); and (ii) Company will secure and maintain from each Company Customer the necessary rights for Company to grant Pindrop and its affiliates the rights and licenses under this Agreement and each Online Order, and enable Company to fulfill and comply with its obligations to Pindrop under this Agreement and each Online Order, including without limitation terms relevant to Company Call Data and Outputs.
(c) Company Responsibilities.
(i) Customer-Unique Identifiers. To enable differentiation of Calls, Company will ensure that each Company Customer is assigned a unique identifier that is transmitted as part of the Company Call Data to the Product for each Call.
(ii) Use on Behalf of Company Customers. In its role as a service provider of the Company Managed Services to Company Customers, Company is permitted to use a Product solely to perform phone number fraud verification or authentication on behalf of and solely for each Company Customer’s own products or services based on the features and functionality enabled in the Product, and for no other purpose (e.g., not for credit decisioning purposes or to determine a consumer’s eligibility for credit or insurance, or for any other permissible purpose set forth in the FCRA). For clarity, any use or purpose restrictions relevant to Company under this Agreement or the relevant Online Order will likewise apply to Company’s bundling of Products as part of the Company Managed Services.
(iii) No Company Customer Access. Company acknowledges and agrees that neither a Company Customer nor any of a Company Customer’s personnel will have access to or use of, either directly or indirectly, Products or Services, including any Outputs. Company may, however, provide aggregated data with respect to Calls analyzed by Products (i.e., quantity of calls analyzed, authenticated or for which fraud was detected, account status and the stand-alone risk score) to the relevant Company Customers under written confidentiality obligations.
(iv) Responsibility for Company Customers. Any act or omission committed by a Company Customer that, if committed by Company would be a breach of this Agreement or the relevant Online Order, is considered a breach by Company, including by way of example, breach of confidentiality obligations or a failure to comply with the obligations in Section 7(d) (Company’s Responsibility Statement) of this Agreement. Further, a breach by Company of the restrictions in the last sentence of Section 8(a) (Bundled Offering) above or its obligations under Section 8(b) (Company Customer-Facing Obligations) above or any claim by a Company Customer that Company failed to comply with the Company Customer Agreement is (A) included within the scope of Company’s obligations to Pindrop in Sections 9(b) (Company Coverage for Third Party Claims) and 9(c) (Procedural Requirements for Third Party Claims) of this Agreement and (B) excluded from Company’s limitation of liability for direct damages under Section 8(b)(ii) of this Agreement.
For purposes of this Section 8, the following definitions apply:
“Company Customer Agreement” means a written agreement between Company and a Company Customer under which Company offers Products and Services as bundled with the Company Managed Services in connection with an Online Order.
“Company Managed Services” means a service whereby Company (a) assumes, performs or provides one or more of the following (i) responsibility for day-to-day operations and management of all or a portion of the Company Customer’s call center data processing operations, (ii) facility management, systems integration or similar services for the Customer in connection with the Company Customer’s call center, or (iii) business process outsourcing services to the Customer in connection with its call center services; all regardless of whether the Product is located at the Company Customer’s or a third party location or Company facility, whether used on the Company Customer’s or third party owned equipment, and (b) is accessing and using Products and Services on behalf of or for the benefit of a Company Customer.
“Managed Service Customer” means a Company Customer who has entered into a Company Customer Agreement to obtain Company Managed Services from Company.