ThreatKey Master Subscription Agreement
Last Updated: 11/18/2022
This ThreatKey Master Subscription Agreement (the “Agreement”) is between ThreatKey, Inc., a Delaware corporation (“ThreatKey”). and each party (a “Customer”) that executes an Order Form for ThreatKey's hosted applications and other services (collectively, the “Service”). This Agreement consists of these terms, each order form for Services that has been executed by ThreatKey and Customer (each an “Order Form”) and all exhibits and amendment of any of the foregoing. By executing the initial Order Form, Customer agrees to all the terms set forth below.
1. ThreatKey Service Overview.
1.1 Provision of the Service. The Service consists of a software-as-a-service product to help businesses manage security assessment and remediation measures as described in more detail at https://www.threatkey.com/. During each subscription term, ThreatKey will provide to Customer the Service(s) identified on each Order Form and Customer may use the Service to support its internal business operations subject to the terms of this Agreement and the Order Form. Customer may place orders for additional Services or extend the term of the existing Services by specifying such order details in an Order Form agreed to in writing by the parties.
1.2 Subscription Term. Customer’s Service subscription is for the time period specified in the Order Form, or if no such term is stated, then for one year, in either case subject to the provisions of this Agreement. The subscription term will automatically renew for additional one year periods unless either party notifies the other in writing at least 30 days prior to expiration of the then-current term, so long as ThreatKey makes the Service available. ThreatKey will invoice Customer for each renewal period at least 30 days prior to expiration of each subscription term.
1.3 Orders by Affiliates. Customer’s Affiliates may subscribe to use the Service on execution of additional Order Forms referencing this Agreement. On execution of an Order Form by ThreatKey and the Affiliate, the Affiliate will be bound by the provisions of this Agreement as if it were an original party hereto. “Affiliate” means an entity controlling, controlled by or under common control with a party to this Agreement at any time during the term of this Agreement, for so long as such ownership and control exists, provided such entity is not a current or prospective competitor to ThreatKey or in the business of developing and offering products or technologies that are substantially similar to the Service.
1.4 Free Trials. ThreatKey reserves the right to provide any or part of the Service on a free trial basis. If Customer registers for the Service for a free trial, ThreatKey will make one or more Services available to Customer on a trial basis free of charge until the earlier of: (a) the end of the free trial period for which Customer registered to use the applicable Service, or (b) the start date of any Service subscription ordered by Customer. Additional trial terms and conditions may appear on the trial registration web page. Any such additional terms and conditions are incorporated into this Agreement by reference and are legally binding. ANY CUSTOMIZATIONS MADE TO THE SERVICE BY OR FOR CUSTOMER, DURING CUSTOMER’S FREE TRIAL WILL BE PERMANENTLY LOST UNLESS CUSTOMER PURCHASES A SUBSCRIPTION TO THE SAME SERVICES AS THOSE COVERED BY THE TRIAL, PURCHASES UPGRADED SERVICES, OR EXPORTS SUCH DATA, BEFORE THE END OF THE TRIAL PERIOD. DURING THE FREE TRIAL PERIOD, THE SERVICE IS PROVIDED “AS IS” WITHOUT ANY WARRANTY.
1.5 Beta Features. From time to time, ThreatKey may invite Customer to try Beta Features. Customer may accept or decline any such trial in its sole discretion. Beta Features are for evaluation purposes only and not for production use, are not considered part of the Service under this Agreement, are not supported, and may be subject to additional terms. ThreatKey may discontinue Beta Features at any time in its sole discretion and may never make them generally available.
1.6 Compliance. Customer is solely responsible for: (a) the accuracy, content and legality of all data entered by the Customer manually into the Service or pulled into the product via ThreatKey’s integrations (“Customer Data”), and (b) any consents and notices required to permit (i) Customer's use and receipt of the Services, and (ii) ThreatKey’s access to and processing of Customer Data pursuant to this Agreement.
1.7 Integrations. ThreatKey may provide tools that enable Customer to connect its account to third-party services. By using one of these tools, Customer hereby authorizes ThreatKey to import Customer Data to, or export Customer Data from, the applicable third party service. Third-party services are not under ThreatKey’s control, and Customer is solely responsible for its decisions to import or export Customer Data.
1.8 Customer Data Return and Deletion. During the subscription term or within 30 days thereafter on Customer’s request, Customer may export Customer Data from the Service. After the post-termination period, ThreatKey may delete Customer Data in accordance with its standard schedule and procedures. If Customer elects to proactively delete its account at any time, all associated Customer Data will be deleted permanently and cannot be retrieved.
2. Payment Terms.
2.1 Invoicing; Payments. Customer shall pay ThreatKey the fees set forth in each applicable Order Form. ThreatKey will bill through an invoice. Full payment for invoices issued in any given month must be received by ThreatKey within 30 days after delivery of the invoice, which may be sent by email. Except as otherwise provided herein all fees are noncancelable and nonrefundable. If Customer believes that ThreatKey has billed Customer incorrectly, Customer must contact ThreatKey no later than 60 days after the date of the first billing statement in which the error or problem appeared, in order to receive an adjustment or credit. Inquiries should be directed to ThreatKey’s customer support department.
2.2 Taxes. Customer is responsible for any sales, use, value added, excise, property, withholding or similar tax and any related tariffs, and similar charges, except taxes based on ThreatKey’s net income. If Customer is required to pay any such taxes, Customer shall pay such taxes with no reduction or offset in the amounts payable to ThreatKey hereunder. If an applicable tax authority requires ThreatKey to pay any taxes that should have been payable by Customer, ThreatKey will advise Customer in writing, and Customer will promptly reimburse ThreatKey for the amounts paid.
2.3 Delinquent Accounts. ThreatKey may suspend or terminate access to the Service if overdue fees are not paid promptly following notice from ThreatKey. Unpaid amounts are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all expenses of collection.
3. Use Rights and Restrictions
3.1 Limited License. Subject to Customer’s compliance with this Agreement, ThreatKey grants Customer a non-exclusive, non-transferable, non-sublicensable, revocable right to access and use the Service.
3.2 License Restrictions. Except and solely to the extent such a restriction is impermissible under applicable law, Customer may not: (a) reproduce, distribute, publicly display, publicly perform, or create derivative works of the Service; (b) make modifications to the Service; or (c) interfere with or circumvent any feature of the Service, including any security or access control mechanism.
3.3 Use Restrictions. by using the Service, Customer agrees not to:
(a) use the Service for any illegal purpose or in violation of any local, state, national, or international law;
(b) violate, encourage others to violate, or provide instructions on how to violate, any right of a third party, including by infringing or misappropriating any third-party intellectual property right;
(c) access, search, or otherwise use any portion of the Service through the use of any engine, software, tool, agent, device, or mechanism (including spiders, robots, crawlers, and data mining tools) other than the software or search agents provided by ThreatKey;
(d) interfere with security-related features of the Service, including by: disabling or circumventing features that prevent or limit use, printing or copying of any content; or reverse engineering or otherwise attempting to discover the source code of any portion of the Service except to the extent that the activity is expressly permitted by applicable law;
(e) interfere with the operation of the Service or any user’s enjoyment of the Service, including by: uploading or otherwise disseminating any virus, adware, spyware, worm, or other malicious code; making any unsolicited offer or advertisement to another user of the Service; collecting personal information about another user or third party without consent; or interfering with or disrupting any network, equipment, or server connected to or used to provide the Service;
(f) perform any fraudulent activity including impersonating any person or entity, claiming a false affiliation or identity, accessing any other Service account without permission;
(g) use the Service for the development of a competing software service or product or to ThreatKey’s detriment or commercial disadvantage;
(h) sell or otherwise transfer the access granted under this Agreement or any Materials (as defined in Section 4.3) or any right or ability to view, access, or use any Materials; or
3.4 attempt to do any of the acts described in this Section 3 or assist or permit any person in engaging in any of the acts described in this Section 3.
3.5 Feedback. ThreatKey respects and appreciates the thoughts and comments from its users. If Customer provides input and suggestions regarding existing functionalities, problems with or proposed modifications or improvements to the Service (“Feedback”), then it hereby grant ThreatKey an unrestricted, perpetual, irrevocable, non-exclusive, fully-paid, royalty-free right and license to exploit the Feedback in any manner and for any purpose, including to improve the Service and create other products and services. ThreatKey will have no obligation to provide Customer with attribution for any Feedback it provides to ThreatKey.
4. Ownership; Proprietary Rights.
4.1 No Ownership Assignment. This Agreement is for SaaS use rights. Neither party will assign ownership rights in any of its assets to the other pursuant to this Agreement, and neither party grants the other any rights or licenses not expressly set out in this Agreement.
4.2 What Customer Owns. Customer owns all right, title and interest in and to the Customer Data, and all intellectual property rights related to any of the foregoing.
4.3 What ThreatKey Owns. ThreatKey owns or has and retains all appropriate rights, title and interest in and to the visual interfaces, graphics, design, compilation, information, data, computer code (including source code or object code), products, software, services, and all other elements of the Service provided by ThreatKey (“Materials”). Except as expressly authorized by ThreatKey, Customer may not make use of the Materials. There are no implied licenses in this Agreement and ThreatKey reserves all rights to the Materials not granted expressly in this Agreement.
5.1 Confidential Information. Each party may have access to information that is confidential to the other party. As used herein, “Confidential Information” means all confidential and proprietary information of a party (“Disclosing Party”) disclosed to the other party (“Receiving Party”), whether orally or in writing that is clearly identified as confidential as well as any information that, based on the circumstances under which it was disclosed, a reasonable person would believe to be confidential, including but not limited to the terms and conditions of this Agreement (including pricing and other terms reflected in an Order Form), Customer Data, the Service, business and marketing plans, technology and technical information, product designs, trade secrets and business processes.
5.2 Exceptions. A party's Confidential Information shall not include information that: (a) is or becomes publicly available through no act or omission of the other party; (b) was in the other party's lawful possession prior to the disclosure and had not been obtained by the other party either directly or indirectly from the Disclosing Party; (c) is lawfully disclosed to the other party by a third party without restriction on disclosure; or (d) is independently developed by the other party without use of or reference to the other party's Confidential Information. The parties agree to use all reasonable care to prevent disclosure of the other party's Confidential Information to any third party. This Section 5 constitutes the entire understanding of the parties and supersedes all prior or contemporaneous agreements, representations or negotiations, whether oral or written, with respect to Confidential Information.
5.3 Legal Requests. If Receiving Party receives a request to disclose any Confidential Information of Disclosing Party pursuant to a subpoena, order, civil or criminal investigative demand, agency administrative demand, law, rule, regulation, or a judicial or similar process issued by a court of competent jurisdiction, the Receiving Party’s regulators or any other administrative body (each such request, a “Disclosure Request”), the Receiving Party is permitted to disclose such Confidential Information only to the extent necessary to comply with the Disclosure Request or as otherwise required by law. If legally permitted, Receiving Party shall provide Disclosing Party with prompt prior notice of such Disclosure Request and reasonable assistance, at Disclosing Party's expense, if Disclosing Party wishes to seek protection or confidential treatment of the Confidential Information relevant to the Disclosure Request. If the Receiving Party receives a Disclosure Request as part of a proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the Disclosure Request or is requesting the Disclosure Request, the Disclosing Party shall reimburse the Receiving Party for its reasonable cost and fees incurred in compiling and providing secure access to the Confidential Information relevant to the Disclosure Request.
5.4 Injunctive Relief. If Receiving Party discloses (or threatens to disclose) any Confidential Information of Disclosing Party in breach of this Section 5, Disclosing Party shall have the right, in addition to any other remedies available to it, to seek injunctive relief to enjoin such acts, it being acknowledged by the Parties that any other available remedies may be inadequate.
5.5 Survival. Upon any termination of this Agreement, the Receiving Party shall continue to maintain the confidentiality of the Disclosing Party's Confidential Information for five years (except any trade secrets which shall remain subject to the confidentiality obligations under this Agreement for so long as such Confidential Information remains a trade secret under applicable law) and, upon request, return to the Disclosing Party or destroy (at the Disclosing Party's election, and subject to applicable law or regulation) all materials containing such Confidential Information.
5.6 Customer Identification. ThreatKey may identify Customer as a user of the Service and may use Customer’s name and logo in ThreatKey’s customer list, press releases, blog posts, advertisements, and website.
6. Term, Termination, and Modification of the Service
6.1 Term. This Agreement is effective beginning on the effective date listed in the first Order Form executed by the parties (“Effective Date”) and continues in effect throughout the duration of all Order Forms hereunder, unless terminated earlier according to Section 9.2.
6.2 Termination for Cause. In addition to any other remedies it may have, either party may terminate this Agreement upon written notice, if the other party: (a) materially breaches any of the terms or conditions of this Agreement and fails to cure such breach within 30 days after written notice describing the breach; or (b) files for bankruptcy or is the subject of an involuntary filing in bankruptcy (in the latter case, which filing is not discharged within 60 days) or makes an assignment for the benefit of creditors or a trustee is appointed over all or a substantial portion of its assets. If ThreatKey terminates this Agreement for Customer’s breach, Customer remains obligated to pay the balance due on Customer’s account for the remainder of the Term, computed in accordance with the applicable Order Form(s), and will be billed for such unpaid fees.
6.3 Effect of Termination. Upon termination of this Agreement: (a) Customer’s license rights will terminate and Customer must immediately cease all use of the Service; (b) Customer will no longer be authorized to access its account or the Service; (c) Customer must pay ThreatKey any unpaid amount that was due prior to termination; and (d) all payment obligations accrued prior to termination and Sections 4, 5 and 7 - 10 will survive termination.
7. Warranties and Covenants.
7.1 Authority. Each of ThreatKey and Customer represents and warrants that: (a) it has the full right, power and authority to enter into and fully perform this Agreement; (b) the person signing this Agreement on its behalf is a duly authorized representative of such party who has in fact been authorized to execute this Agreement; (c) its entry herein does not violate any other agreement by which it is bound; and (d) it is a legal entity in good standing in the jurisdiction of its formation.
7.2 Limited Warranty. The Service, when used by Customer in according with the provisions of this Agreement and in compliance with the applicable specifications will perform, in all material respects, according to ThreatKey’s Service documentation at https://docs.threatkey.com/ or any successor site (the “Documentation”), during the term in the corresponding Order Form.
7.3 Support. Support consists of problem diagnosis and resolution of errors in the Service within a time reasonable under the circumstances and considering the impact of the problem on Customer. Support is available between 9:00 AM and 9:00 PM Eastern Time, Monday through Friday, not including US holidays.
7.4 Protection of Customer Data. ThreatKey will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Data in accordance with its security documentation at https://www.threatkey.com/security which is incorporated herein by reference. Those safeguards will include, but will not be limited to, measures for preventing access, use, modification or disclosure of Customer Data by ThreatKey personnel except: (a) to provide the Service and to prevent or address service or technical problems, or (b) as Customer expressly permits in writing.
7.5 Compliance with Laws. Customer will comply with all laws applicable to Customer’s use of the Service. Without limiting the foregoing, Customer represents and warrants that it is not: (a) listed or identified on any U.S. government list of sanctioned parties, or (b) located in a country where it would be prohibited from using the Service due to economic sanctions or trade embargoes. Customer further covenants that it will comply fully with all United States and other export and sanctions laws applicable to Customer’s use of the Service, which include restrictions on destinations, end users, and end use. ThreatKey reserves the right to terminate Customer’s access to the Service if Customer engages in activities that violate these laws.
7.6 EXCEPT AS SET FORTH ABOVE THE SERVICE AND ALL MATERIALS AND CONTENT AVAILABLE THROUGH THE SERVICE ARE PROVIDED “AS IS” AND ON AN “AS AVAILABLE” BASIS. THREATKEY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, RELATING TO THE SERVICE AND ALL MATERIALS AND CONTENT AVAILABLE THROUGH THE SERVICE, INCLUDING: (a) ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, QUIET ENJOYMENT, OR NON-INFRINGEMENT; AND (b) ANY WARRANTY ARISING OUT OF COURSE OF DEALING, USAGE, OR TRADE. THREATKEY DOES NOT WARRANT THAT THE SERVICE OR ANY PORTION OF THE SERVICE, OR ANY MATERIALS OR CONTENT OFFERED THROUGH THE SERVICE, WILL BE UNINTERRUPTED, SECURE, OR FREE OF ERRORS, VIRUSES, OR OTHER HARMFUL COMPONENTS, AND THREATKEY DOES NOT WARRANT THAT ANY OF THOSE ISSUES WILL BE CORRECTED. THE SERVICE MAY NOT BE ABLE TO DETECT OR CORRECT ALL SECURITY VULNERABILITIES, THREATS, OR OTHER SECURITY ISSUES. ANY RELIANCE ON THE SERVICE AND ANY ACTION TAKEN OR NOT TAKEN AS A RESULT OF THE SERVICE IS AT CUSTOMER’S SOLE RISK.
7.7 NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY CUSTOMER FROM THE SERVICE OR THREATKEY ENTITIES OR ANY MATERIALS OR CONTENT AVAILABLE THROUGH THE SERVICE WILL CREATE ANY WARRANTY REGARDING ANY OF THE THREATKEY ENTITIES OR THE SERVICE THAT IS NOT EXPRESSLY STATED IN THIS AGREEMENT. THREATKEY IS NOT RESPONSIBLE FOR ANY DAMAGE THAT MAY RESULT FROM THE SERVICE AND CUSTOMER’S DEALING WITH ANY OTHER SERVICE USER.
7.8 THE LIMITATIONS, EXCLUSIONS AND DISCLAIMERS IN THIS SECTION 9 APPLY TO THE FULLEST EXTENT PERMITTED BY LAW. ThreatKey does not disclaim any warranty or other right that ThreatKey is prohibited from disclaiming under applicable law.
8.1 Indemnification by Customer. To the fullest extent permitted by law, Customer is responsible for its use of the Service, and Customer will defend, indemnify and hold harmless ThreatKey, its affiliates and their respective shareholders, directors, managers, members, officers, employees, consultants, and agents (together, the “ Related Parties”) from and against all liability, damage, loss, and expense, including attorneys’ fees and costs ("Losses”), arising out of or related to claims, demands, suits, actions or proceedings made or brought by third parties (collectively, “Claims”) against the ThreatKey or its Related Parties arising from or related to the Customer Data.
8.2 Indemnification by ThreatKey. ThreatKey will defend, indemnify and hold harmless Customer and its Related Parties from and against Claims brought by a third party alleging that the Service directly infringes or misappropriates a third party’s patent, copyright, or trademark rights in the United States. However, ThreatKey will have no such obligations to the extent Claims arise from: (a) modifications to the Service by anyone other than ThreatKey (provided that ThreatKey shall not be liable if ThreatKey made the modifications using requirements, documents, written specifications or other written materials submitted by Customer or its agents or representatives); (b) use of the Service in violation of this Agreement or the Documentation; or (c) third party software or services or Customer Data.
8.3 Indemnification Procedure.
(a) Promptly after a party seeking indemnification learns of the existence or commencement of a Claim, the indemnified party must notify the other party of the Claim in writing. The indemnifying party’s indemnity obligations will be waived only if and to the extent that its ability to conduct the defense are materially prejudiced by the indemnified party’s failure to give notice.
(b) The indemnifying party will at its own expense assume the defense and settlement of the Claim with counsel reasonably satisfactory to the indemnified party. The indemnified party: (i) may join in the defense and settlement of the Claim and employ counsel at its own expense, and (ii) will reasonably cooperate with the indemnifying party in the defense and settlement of the Claim.
(c) The indemnifying party may not settle any Claim without the indemnified party’s written consent unless the settlement: (i) includes a release of all Claims; (ii) contains no admission of liability or wrongdoing by the indemnified party; and (iii) imposes no obligations upon the indemnified party other than an obligation to stop using any infringing items.
(d) The indemnified party must mitigate the damages or other losses that would otherwise be recoverable from the indemnifying party, including by taking actions to reduce or limit the amount of damages and/or other losses incurred.
9. Limitations of Liability
9.1 In no event will either party or its Related Parties be liable to the other party for any indirect, incidental, special, consequential or punitive damages (including damages for loss of profits, goodwill, or any other intangible loss) arising out of or relating to this Agreement, the Service or Customer’s use of the Service, whether such claims are based on warranty, contract, tort (including negligence), statute, or any other legal theory, and whether or not any party has been informed of the possibility of damage.
9.2 The aggregate liability of each party and its Related Parties to the other for all claims arising out of or relating to this Agreement, the Service or Customer’s use of the Service, whether in contract, tort, or otherwise, is limited to the greater of: (a) the amount Customer has paid to ThreatKey for access to and use of the Service in the 12 months prior to the event or circumstance giving rise to the claim and (b) US$100.
9.3 The foregoing paragraphs will not limit customer’s payment obligations or its liability for misappropriation of ThreatKey’s intellectual property rights in the Service. Each provision of this Agreement that provides for a limitation of liability, disclaimer of warranties, or exclusion of damages is intended to and does allocate the risks between the parties under this Agreement. This allocation is an essential element of the basis of the bargain between the parties. Each of these provisions is severable and independent of all other provisions of this Agreement. The limitations in this section 9 will apply even if any limited remedy fails of its essential purpose.
10.1 Amendments. ThreatKey may amend this Agreement from time to time by posting an amended version at its website and providing Customer notice thereof. Such amendment will be deemed accepted and become effective 30 days after such notice (the “Proposed Amendment Date”). However, if Customer gives ThreatKey written notice of rejection of the amendment prior to the Proposed Amendment Date, this Agreement will continue under its original provisions, and the amendment will become effective at the start of the next term. Except as expressly provided above, any amendment to this Agreement must be in writing and signed by both parties.
10.2 Notices. All notices must be in writing and sent to the other party's primary point of contact for this Agreement. Notices will be deemed delivered when: (a) verified by written receipt if sent by personal courier, overnight courier, or postal mail; or (b) confirmed or replied to by the recipient if sent by email.
10.3 Integration. This Agreement, including any Order Forms, exhibits and any other agreements expressly incorporated by reference into this Agreement, is the entire and exclusive understanding and agreement between Customer and ThreatKey regarding Customer’s use of the Service. This Agreement expressly supersedes any nondisclosure agreements between the parties whether entered prior to subsequent to the Effective Date.
10.4 Assignment. This Agreement may not be assigned by either party without the other party’s written consent, whether by operation of law or otherwise; provided that either party may assign this Agreement without consent to its successor in the event of a merger, acquisition or sale of all or substantially all of the assets of such party. Any other purported assignment shall be void.
10.5 Integration; Construction; Interpretation. This Agreement sets forth the entire agreement and understanding of the parties relating to the subject matter herein and merges all prior discussions between them. This Agreement shall supersede the terms of any purchase order or other business form. If accepted by ThreatKey in lieu of or in addition to its Order Form, Customer’s purchase order shall be binding only as to the following terms: (a) the Services ordered and (b) the appropriately calculated fees due. Other terms shall be void. This Agreement is the result of negotiations between and has been reviewed by each of the parties hereto and their respective counsel, if any; accordingly, this Agreement shall be deemed to be the product of all of the parties hereto, and no ambiguity shall be construed in favor of or against any one of the parties hereto. Headings contained in this Agreement are for convenience of reference only and do not form part of this Agreement. A word importing the singular includes the plural and vice versa. Gendered pronouns are used for convenience and are intended to refer the masculine or feminine, as applicable. The word “including” shall be interpreted to mean “including without limitation”.
10.6 Severability. If any provision of this Agreement is adjudicated invalid or unenforceable, this Agreement will be amended to the minimum extent necessary to achieve, to the maximum extent possible, the same legal and commercial effect originally intended by the parties. To the extent permitted by applicable law, the parties waive any provision of law that would render any clause of this Agreement prohibited or unenforceable in any respect.
10.7 Governing Law. This Agreement is governed by the laws of the State of New York without regard to conflict of law principles. Customer and ThreatKey submit to the personal and exclusive jurisdiction of the state courts and federal courts located within New York, New York for resolution of any lawsuit or court proceeding permitted under this Agreement. ThreatKey operates the Service from its offices in New York, and it makes no representation that Materials included in the Service are appropriate or available for use in other locations.