MASTER SUBSCRIPTION AND SERVICES AGREEMENT
This MASTER SUBSCRIPTION AND SERVICES AGREEMENT (this “Agreement”) is effective as of [DATE], 2019 (the “Effective Date”) and is entered into by and between User Experience, S.L., a Spain corporation (“Checkealos”), and [Customer Name], a [State] corporation (“Customer”).
1. Subscriptions.
Checkealos owns certain proprietary software applications and services and has developed and maintains proprietary software and hardware systems that enable and support web-based delivery of such applications and services (together, the “Software Services”). One such Software Service is Checkealos’s web-based, self-service digital user testing and customer experience measurement solution (the “Self-Service Solution”). Among other features, the Self-Service Solution enables Customer Users to (a) depending on the type of Customer User, create, design or manage studies that involve the testing and evaluation of web sites, mobile sites, mobile applications and web applications (“Studies”) and/or (b) depending on the type of Customer User, invite individuals (“Participants”) to participate in those Studies by taking online surveys, completing task based studies, and providing other feedback. The Ordered Software Service(s), together with the Related Services, both of which are defined below, shall collectively constitute the “Services”.
(a) From time to time during the Term (as defined below), Customer and its Affiliates (as defined below) may subscribe for the Self-Service Solution by entering into an order form (each, an “Order Form”) that sets forth the terms under which Checkealos will make such solution (the “Ordered Software Service(s)”) available to Customer. For purposes hereof, an “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with Customer. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity. Checkealos’s corporate affiliates may also enter into Order Form(s) with Customer and/or its Affiliates. References to “Checkealos” in this Agreement shall be deemed to be references to the Checkealos affiliate under the applicable Order Form.
(b) Each Order Form will set forth the start date (the “Subscription Start Date”), the term of the subscription (the “Subscription Period”), the authorized scope of use (the “Scope of Use”), the fees payable, payment terms and any other terms to which the parties may agree. Each Order Form shall incorporate the terms of this Agreement by reference and shall be deemed a part hereof.
2. Checkealos Services.
In connection with Customer’s use of the Self-Service Solution, Checkealos will perform the following related services (collectively, the “Related Services”) during the applicable Subscription Period:
(a) Checkealos will provision user accounts (i.e., username/password pairs) for the Self-Service Solution for each user designated by Customer’s “Administrator” identified in the Order Form (each a “Customer User”), up to the number of Customer User accounts allowed under the Order Form.
(b) Checkealos will host and maintain the Self-Service Solution and the other software utilized by Checkealos to deliver the Self-Service Solution (collectively, the “Software”) on servers operated and maintained by or at the direction of Checkealos in a secure, fault-tolerant, seismically-compliant data center (the “Data Center”) in accordance with the terms set forth at the “ANNEXE II: SaaS Delivery Services Exhibit”. As of the Effective Date, Checkealos uses Amazon Web Services (“AWS”) as its hosting services provider for its Software Service.
(c) Checkealos will provide Customer with the customer support services described at ANNEXE I (the “Customer Support Exhibit”).
(d) If Customer desires assistance with study set-up, top-line data analysis, organization of results, reports, or other services (collectively, “Professional Services”), such Professional Services shall either be identified in the applicable Order Form or be documented in a separate statement of work (each, a “SOW”) for the fees set forth therein. All SOWs will incorporate and be subject to the terms of this Agreement.
3. Access to the Self-Service Solution.
(a) Subject to the terms of this Agreement, Checkealos hereby grants Customer a non-exclusive, non-transferable right to access and use the Self-Service Solution during the Subscription Period set forth in the applicable Order Form to: (i) create, design, submit content to, manage and access the results of Studies; (ii) invite Participants to view, submit content to, and otherwise participate in Studies; and (iii) otherwise use the features and functionality of the Self-Service Solution for Customer’s internal business purposes, all subject to the Scope of Use limitations set forth in the Order Form and the other terms and conditions of this Agreement.
(b) Each account may be used only by the individual Customer User to whom it is assigned. Customer may re-assign Customer User accounts by written notice to Checkealos, which may be given via email from the Administrator designated in the Order Form; provided, that Customer may not re-assign Customer User accounts for the purpose of defeating the limit on Customer Users set forth in the Order Form. Customer may designate its (and its Affiliates’) employees or independent contractors as its Customer Users; provided, that (i) Customer remains responsible for all use and misuse of the Self-Service Solution that occurs under Customer Users’ login credentials and for any breach of this Agreement by any of its Customer Users, (ii) Customer agrees to notify Checkealos of any unauthorized access or use of which Customer becomes aware, and (iii) all usage of the Self-Service Solution by Customer Users is subject to the Scope of Use limitations set forth in the Order Form.
(c) Customer will not (and will ensure that Customer Users do not): (i) “frame,” distribute, resell, or permit access to the Self-Service Solution by any third party other than to invite Participants to participate in Studies in accordance with this Agreement; (ii) permit multiple Customer Users to access the Self-Service Solution using shared login credentials; (iii) use the Self-Service Solution other than in compliance with this Agreement and applicable laws; (iv) reverse engineer, attempt to gain unauthorized access to the Self-Service Solution or attempt to discover the underlying source code or structure of the Self-Service Solution; (v) submit to the Self-Service Solution any content or data that is false, defamatory, illegal or violates a third party’s rights; or (vi) submit to the Self-Service Solution any routine, device or other undisclosed feature that is designed to delete, disable, deactivate, interfere with or otherwise harm any software, system or service.
(d) Checkealos monitors all use of the Self-Service Solution for security, operational, product improvement and product performance purposes. Checkealos may temporarily suspend a particular Customer User’s access in the event that: (i) such Customer User is engaged in, or Checkealos in good faith suspects that such Customer User is engaged in, any unauthorized conduct; or (ii) there has been unauthorized access to such Customer User’s account. Checkealos will provide Customer with prompt notice if it suspends a Customer User’s access to the Self-Service Solution pursuant to this Section 3(d) and will restore access as soon as reasonably practicable once the situation is remedied.
4. Customer Responsibilities.
(a) Customer acknowledges that, in order to access the Self-Service Solution, its networks, equipment, software and services used to access the Self-Service Solution must comply with the operating system, browser and internet requirements available at “ANNEXE IV: System Requirements” as Checkealos may update them from time to time.
(b) Customer shall ensure that each Customer User will keep his or her account name and password confidential and notify Checkealos immediately upon learning of any unauthorized use of a Customer User account name or password. Customer will be responsible for all activities and charges incurred through the use of its Customer Users’ account names and passwords.
(c) The Self-Service Solution includes a feature that allows Customer to record a Participant’s activity on a web site or application tracked as part of a Study (“Checkealos Recorder”). If Customer uses Checkealos Recorder to collect any information, Customer is responsible to obtain the necessary consents from and disclose to Participants the information that Customer will collect, how Customer will use that information, and make any other disclosures required by applicable law.
5. Customer Content.
(a) As between the parties, Customer retains all right, title and interest in: (i) any and all data, files, attachments, text, images, and other content that Customer Users upload or submit to the Self-Service Solution or otherwise provides to Checkealos in connection with the Services (collectively, “Customer Content”); and (ii) the reports and information about Studies obtained by Customer from Checkealos as part of the Services (“Study Content”). Customer Content includes survey answers and other data and content submitted to the Self-Service Solution by Participants. Customer represents and warrants that it has all rights, permissions and consents necessary to (1) submit all Customer Content to Checkealos, (2) grant Checkealos the limited rights to use Customer Content set forth in this Agreement, and (3) disclose and display Customer Content to its Customer Users and Participants.
(b) Customer agrees that Checkealos may use the Customer Content and Study Content to make the Services available to Customer in accordance with this Section 5, including without limitation by displaying Customer Content to Participants and Customer Users.
Further, Checkealos may make Customer Content available on a confidential basis to Checkealos’s service providers who act on Checkealos’s behalf in providing the Self-Service Solution; provided, that such (i) service providers are subject to confidentiality obligations substantially as protective of the Customer Content as this Agreement
(c) The Self-Service Solution includes a feature that allows Customer to download Customer Content and Study Content during the applicable Subscription Period. Checkealos will retain Customer Content and Study Content for six (6) months after expiration or termination (the “Retention Period”) and, upon Customer’s written request during this Retention Period, will deliver Customer Content and Study Content to Customer.
6. Security and Data Privacy.
(a) Checkealos maintains a formal security program that is designed to: (i) ensure the security and integrity of Customer Content and Study Content, including but not limited to any Personal Information included therein; (ii) protect against threats or hazards to the security or integrity of Customer Content and Study Content, including but not limited to any Personal Information included therein; and (iii) prevent unauthorized access to Customer Content and Study Content, including but not limited to any Personal Information included therein. Checkealos also implements and maintains the backup and recovery measures for Customer Content stored on the Self-Service Solution. Details are set forth in ANNEXE II: SaaS Delivery Services Exhibit.
(b) If Checkealos becomes aware of a security incident that may affect Customer Content or Study Content, Checkealos will promptly notify Customer (which may be given via email to Customer’s Administrator). If such security incident involves Personal Information that Customer has previously notified Checkealos was included in the Customer Content, Checkealos shall cooperate with Customer in providing notice to the individuals and government authorities as required by applicable laws. In the event of a security incident, Checkealos shall use its commercially reasonable efforts to: (i) conduct an investigation of the reasons for and circumstances surrounding the incident; (ii) prevent, contain and mitigate the impact of the incident; and (iii) collect and preserve all evidence concerning the discovery, cause, remedial actions and impacts related to the incident.
(c) Customer acknowledges that the Self-Service Solution is not intended for the collection and processing of information that can be used to identify a particular individual, including but not limited to, name, date of birth, social security number, email, postal address, phone number and any other information that, either alone or in combination with other data, could be used to identify or contact a particular person (“Personal Information”). Upon specific instructions by Customer to their Checkealos Customer Success Manager and only if deemed necessary at the express direction of the Customer, Studies can be configured so that Participants provide Personal Information through or in connection with such Study. In such case, Customer agrees to obtain or cooperate with Checkealos to obtain the Participant’s explicit consent before collecting any Personal Information. Customer acknowledges the risks inherent in the collection of Personal Information, and Customer disclaims all liability against Checkealos for any claims, causes of action, damages, judgments, settlements, and costs asserted by a third party or Customer as a result of the collection, use, transfer, or other processing of Personal Information when specifically requested by Customer in connection with any Studies. Customer agrees that it will not use Personal Information for any purpose beyond the intended limited scope of this Agreement and that Customer will not use Personal Information to contact a Participant outside of the Self-Service Solution.
(d) In addition to any other requirements described in Section 9, each of Customer and Checkealos shall maintain reasonable security measures consistent with this Agreement to protect Personal Information collected in connection with this Agreement from unauthorized access, use, disclosure, alteration, possession, loss, theft, manipulation, and destruction (“Unauthorized Access”).
Such security measures will conform to applicable privacy policies, if any, and with all applicable data protection and privacy laws, rules, and regulations. Each party will notify the other party as soon as practicable of any Unauthorized Access of Personal Information associated with Studies, including without limitation exceeding authorized access to or use of any Personal Information. The notifying party shall cooperate fully with the notified party in investigating and responding to each successful or attempted Unauthorized Access.
7. Fees and Payment Terms.
(a) Customer shall pay Checkealos the annual subscription fees listed on each Order Form (“Subscription Fees”) in accordance with the terms contained therein. If Professional Services are required in connection with Customer’s access of the Self-Service Solution, Customer shall pay Checkealos the Professional Services fees outlined in the applicable Order Form or SOW, as the case may be, in accordance with the terms contained therein. Prepaid Professional Services also may be included as part of the bundled Subscription Fees pursuant to the applicable Order Form.
(b) Except as otherwise provided in an Order Form, all fees are invoiced annually in advance at the beginning of each year of the applicable Subscription Period, and invoices are payable net 30 days from invoice date. Fees payable under this Agreement do not include local, state or federal taxes or duties of any kind, all of which are the responsibility of Customer (except for taxes based on Checkealos’s income). Customer will send payments to the payment address specified on each invoice or as otherwise instructed by Checkealos. Unless otherwise provided in an Order Form, all amounts under this Agreement are payable in U.S. dollars and, except as expressly otherwise provided herein or in the Order Form, all fees are nonrefundable once paid.
(c) If a payment for an undisputed invoice is not received by Checkealos by the due date and such failure to pay is not reasonably disputed in good faith or remedied within 15 days of Customer’s receipt of notice thereof from Checkealos, Checkealos may, at Checkealos’s sole discretion, temporarily suspend Customer’s access to the Self-Service Solution and provision of the Related Services until all payments currently due from Customer are received by Checkealos.
8. Term and Termination.
(a) Unless earlier terminated in accordance with the terms hereof, this Agreement will commence on the Effective Date and will continue until 60 days past the date that there are no outstanding Order Forms or SOWs (the “Term”).
(b) Subscriptions to use the Self-Service Solution begin on the Subscription Start Date specified in the relevant Order Form(s) and continue for the Subscription Period set forth therein. In the event of termination or expiration of an Order Form or SOW, this Agreement shall continue to apply to any other Order Forms or SOWs still in effect. If applicable, the Subscription Period may automatically renew for additional successive period(s) in accordance with the terms stated on the relevant Order Form.
(c) Either party may terminate this Agreement upon written notice to the other if the other party commits a material breach of its obligations hereunder and the breaching party fails to cure such breach within 30 days following its receipt of written notice specifying the breach (or 15 days in the case of non-payment). If Checkealos validly terminates an Order Form or this Agreement for breach by Customer that remains uncured after 30 days, Customer shall pay any unpaid fees covering the remainder of the committed Subscription Period under all impacted Order Forms.
(d) Upon termination or expiration of this Agreement for any reason, all access rights granted to Customer hereunder shall immediately terminate and each party shall promptly return to the other party all copies and originals of documents and other materials that contain or embody the other party’s Confidential Information (as defined below) that are in its possession, and all forward obligations shall cease, except that Customer shall be obliged to pay all amounts: (i) under any and all Order Forms terminated by Checkealos, and (ii) for services rendered prior to termination by Customer. Sections 3(c), 7 through 14, and 16 shall survive termination.
9. Confidentiality.
(a) As used herein, the “Confidential Information” of a party (the “Disclosing Party”) means all financial, technical, or business information of the Disclosing Party that the Disclosing Party designates as confidential at the time of disclosure to the other party (“Receiving Party”) or that the Receiving Party reasonably should understand to be confidential based on the nature of the information or the circumstances surrounding its disclosure. The terms and conditions of this Agreement are the Confidential Information of each party, Customer Content and Study Content are Customer’s Confidential Information (subject to Section 9(b)), and the System Requirements, and documentation for the Self-Service Solution are Checkealos’s Confidential Information.
Except as expressly permitted in this Agreement, the Receiving Party will not disclose, duplicate, publish, transfer or otherwise make available Confidential Information of the Disclosing Party in any form to any person or entity without the Disclosing Party’s prior written consent. Notwithstanding the foregoing, the Receiving Party may disclose the Disclosing Party’s Confidential Information to its accountants, attorneys, auditors and advisors in connection with this Agreement, provided that such parties have entered into written confidentiality obligations with Receiving Party that are no less stringent than those contained herein. Notwithstanding the foregoing, the Receiving Party may disclose Confidential Information to the extent required by law, provided that the Receiving Party: (i) gives the Disclosing Party prior notice of such disclosure so as to afford the Disclosing Party a reasonable opportunity to appear, object, and obtain a protective order or other appropriate relief regarding such disclosure (if such notice is not prohibited by applicable law); (ii) uses diligent efforts to limit disclosure and to obtain confidential treatment or a protective order; and (iii) allows the Disclosing Party to participate in the proceeding. Confidential Information does not include any information that: (x) is or becomes generally known to the public without the Receiving Party’s breach of any obligation owed to the Disclosing Party; (y) was independently developed by the Receiving Party without the Receiving Party’s breach of any obligation owed to the Disclosing Party; or (z) is received from a third party who obtained such Confidential Information without any third party’s breach of any obligation owed to the Disclosing Party.
(b) The Self-Service Solution is intended to facilitate collaboration between Customer Users and Participants. Accordingly, notwithstanding Section 9(a) or any provision of any separate nondisclosure agreement entered into by the parties, Checkealos may distribute and disclose Customer Content to third parties to the limited extent permitted in Section 5(b), but only as necessary to provide the Self-Service Solution.
10. Intellectual Property Rights.
Checkealos and its licensors retain all right, title and interest in and to (a) the Self-Service Solution, the Software and the other technology used to provide it, (b) all electronic and print documentation, audio and video material, and other content and data made available through the Self-Service Solution or Related Services, (c) all software code and other materials, ideas or deliverables that are created or prepared by Checkealos in connection therewith, including any customizations of the Self-Service Solution (but excluding any Customer Content, Study Content, or other Confidential Information of Customer incorporated therein), and (d) all intellectual property and proprietary rights in the foregoing. Except for Customer’s rights to access and use the Self-Service Solution set forth in this Agreement, nothing in this Agreement licenses or conveys any of Checkealos’s intellectual property or proprietary rights to anyone, including Customer. Customer agrees that Checkealos will have a perpetual right to use and incorporate into its Software Services any feedback or suggestions for enhancement that Customer, Customer Users or Participants provide to Checkealos concerning the Self-Service Solution without any obligation or compensation.
11. Warranties.
(a) Checkealos will perform Professional Services in a professional, workmanlike manner in compliance with industry standards. Customer’s sole remedy for breach of this warranty shall be for Checkealos to re-perform non-conforming Professional Services.
(b) Checkealos warrants to Customer during the applicable Subscription Period of a particular Order Form that the Self-Service Solution will operate in substantial accordance with its then-current Documentation. The foregoing warranty shall not apply to performance issues: (i) caused by factors outside of Checkealos’s reasonable control; (ii) that result from any actions or inactions of Customer or any third parties; or (iii) that result from Customer’s operating environment or systems. Customer’s sole remedy for Checkealos’s breach of this warranty shall be that Checkealos shall be required to use commercially reasonable efforts to modify the Self-Service Solution to achieve in all material respects the functionality described in the Documentation. If Checkealos is unable to restore such functionality as warranted within a reasonable time considering the severity of the error and its impact on Customer, Customer shall be entitled to terminate the relevant Order Form, in which case Customer shall be entitled to receive a refund of any prepaid Subscription Fees in an amount pro-rated to reflect the period of time between the date Customer was unable to use the Self-Service Solution due to such non-conformity and the end of the period for which Customer has prepaid for such use. Checkealos shall have no obligation with respect to a warranty claim unless notified of such claim within 60 days of the first instance of any material functionality problem.
12. DISCLAIMERS.
EXCEPT FOR THE EXPRESS WARRANTIES CONTAINED IN SECTION 11 AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ORDERED SOFTWARE SERVICE(S) AND RELATED SERVICES PROVIDED BY OR ON BEHALF OF CHECKEALOS ARE PROVIDED “AS IS” AND WITHOUT ANY REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED. CHECKEALOS DISCLAIMS ANY AND ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
CHECKEALOS DOES NOT WARRANT THAT ACCESS TO THE SELF-SERVICE SOLUTION WILL BE UNINTERRUPTED OR ERROR FREE, OR THAT THE SELF-SERVICE SOLUTION WILL MEET CUSTOMER’S NEEDS.
13. Indemnification.
If any action is brought against Customer claiming that the Self-Service Solution infringes any patent issued as of the Effective Date or any copyright, trademark or trade secret of a third party, Checkealos will indemnify, defend and hold Customer harmless from and against any and all damages, losses, liabilities, settlements, costs and expenses (including without limitation reasonable costs and attorneys’ fees) (“Losses”) to the extent incurred by Customer in connection with any such infringement claim; provided, that Checkealos will not be obligated under this sentence to the extent any such infringement arises from (a) use of the Self-Service Solution in combination with technology or services not provided by Checkealos, (b) violation of Section 3(c), or (c) Customer Content. Checkealos’s obligations hereunder are subject to the following: (x) Customer must notify Checkealos within a reasonable time of Customer’s learning of the claim (however lack or delay of notice shall not excuse Checkealos’s indemnification obligations except to the extent such lack or delay caused material prejudice to Checkealos); (y) Checkealos shall have sole control over the defense of the claim, including appeals and all negotiations, settlements or compromises; and (z) Customer shall provide Checkealos with reasonable assistance, information, and authority necessary to perform the above. Customer may be represented, at Customer’s expense, by counsel of Customer’s selection. If an infringement claim described in this Section has been asserted, Customer will permit Checkealos, at Checkealos’s option, to: (i) procure the right to continue using the allegedly infringing item; (ii) replace or modify the allegedly infringing item to eliminate the infringement while providing functionally equivalent performance; or (iii) if either of the above is not commercially reasonable, terminate the affected Order Form and refund to Customer a pro-rated amount of any prepaid Subscription Fees relating to the Self-Service Solution based on the period of time between the date Customer was unable to use the Self-Service Solution and the end of the period for which Customer has prepaid for such use. In the event Customer Content or Study Content is alleged to or does infringe or violate any intellectual property right or other legal right of any third party, Customer will indemnify and hold Checkealos harmless from and against any and all Losses incurred by Checkealos resulting therefrom.
14. LIMITATIONS ON LIABILITY.
EXCEPT FOR LIABILITIES ARISING UNDER SECTIONS 3(C), 9 AND 10, AND FOR CLAIMS FOR INDEMNIFICATION UNDER SECTION 13, IN NO EVENT WILL (A) EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL DAMAGES, INCLUDING WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, LOSS OF REVENUE OR LOSS OF DATA OR (B) THE MAXIMUM AGGREGATE LIABILITY THAT EITHER PARTY MAY INCUR IN ANY ACTION OR PROCEEDING RELATING HERETO EXCEED THE AMOUNTS ACTUALLY PAID OR OWING TO CHECKEALOS HEREUNDER DURING THE 12 MONTHS IMMEDIATELY PRECEDING THE FIRST EVENT GIVING RISE TO THE CLAIM.
15. Insurance.
Checkealos will, at its expense, procure and maintain throughout the Term the following insurance coverage: (i) Employer’s Liability insurance in compliance with all applicable legal requirements (with a minimum coverage of 6,000,000 Euros); (ii) Professional indemnity insurance with limits of no less than 6,000,000 Euros per occurrence. Upon request, Checkealos will provide certificates of insurance evidencing coverage in compliance with the requirements of this Section 15. Checkealos will give Customer, or cause its insurers to give Customer, at least thirty (30) days’ prior written notice of cancellation or non-renewal of any insurance policy that provides any of the coverage specified in this Section 15.
16. Miscellaneous.
This Agreement contains the entire agreement between the parties with respect to the subject matter hereof and supersedes all other oral or written representations, understandings or agreements relating to the subject matter hereof. Except where this Agreement permits notice via email, all notices under this Agreement must be in writing and sent via internationally recognized delivery service, and shall be deemed given five (5) business days after being sent.
Notices must be addressed to the receiving party’s address set forth in the signature block below. Neither party may assign, transfer or delegate any of the rights or obligations under this Agreement without the prior written consent of the other party; provided that either party may assign this Agreement and all Order Forms and SOWs to an entity that has acquired all or substantially all of its assets or capital stock as successor to the business and, provided further, that any assignment by Customer shall be subject to the Scope of Use contained in the applicable Order Form. Each of the parties hereto is an independent contractor and neither party is an agent, distributor, or representative of the other. The employees of one party will not be deemed to be employees of the other party. Neither party will act or represent itself, directly or by implication, as an agent of the other or in any manner assume or create any obligation on behalf of, or in the name of, the other. This Agreement shall be governed by and construed in accordance with the Madrid Court of Arbitration Center (ArbitraMadrid), without regard to its conflict of laws principles. In the event of any action for the breach of this Agreement, the prevailing party shall be entitled to reasonable attorneys’ fees, costs and expenses incurred in connection with such action. This Agreement may be executed in one or more counterparts, including by facsimile, each of which shall be deemed an original, and all of which shall constitute one and the same instrument.
IN WITNESS WHEREOF, the parties have executed this Agreement as of the date set forth above.
User Experience, S.L. [Customer Name]
By: By:
Name: Name:
Title: Title:
Address: Calle Imágen 6, 6C
41003 Sevilla – Spain
ANNEXE I: Customer Support Services Exhibit
Overview
Provided that Customer remains current in its payment obligations to Checkealos, Checkealos will provide the following support for problems that Customer has or experiences with an Ordered Software Service that are verifiable and reproducible as a failure of an Ordered Software Service to conform to its Documentation. Capitalized terms used but not defined in this Customer Support Services Exhibit shall have the meanings given to them in the Agreement.
Support Hours
Technical Support is provided from 12 a.m. to 5 p.m. Central European Time, Monday through Friday, excluding all Spain holidays (“Support Hours”) by e-mail at [email protected]. Checkealos shall track and log all support requests, and Customer may email Checkealos at any time to inquire about a support request. Emails received outside of support hours will be collected, but no action can be guaranteed until the next business day.
Incident Priority and Response Times
The following guidelines will be used to determine priority of incidents and response timeline. Checkealos will determine severity in its sole discretion. To enable such support, Customer must report technical issues in a timely manner to its designated Checkealos support contact(s) and provide reasonable assistance as requested by Checkealos to diagnose and resolve such issues.
When Customer logs a support request in accordance with the process described above, Checkealos will (a) acknowledge the request as soon as is reasonably practicable and, in any case, in accordance with the table below, (b) use reasonable commercial efforts to resolve each significant error by providing a reasonable workaround, an object code patch or a specific action plan for how Checkealos will address the problem, (c) provide an estimate of how long it believes it will take to resolve the problem, and (d) provide ongoing updates pursuant to the table below.
Priority | Description | Response Initiated Within | Follow-up Feedback (status update) |
1 – Critical | Unable to use system, critical impact on operations (i.e., system is down) | Immediate up to 2 hours | Every 4 hours or as agreed at time of incident |
2 – Major | Able to use system, critical impact on operations (i.e., Customer cannot log in, Study is not launching or is collecting the wrong data) | Immediate up to 2 hours | Every 24 hours or as agreed at time of incident |
3 – Minor | Able to use system, operations impacted (i.e., issues and bugs that block Customer’s activities on the system when the applicable Study is currently live and launching the same day, with results being due the same day, or similar issues and bugs but Study launch is not immediately required or urgent) | Immediate up to 8 hours | As agreed at time of incident |
4 – Procedural | Procedure presently available to circumvent (issues and bugs that do not block Customer’s activities on the system because a workaround exists, or where such issues and bugs do not have a direct impact on the applicable Study) | Immediate up to 24 hours | As agreed at time of incident |
Note: If a support request is made outside of Support Hours, the clock begins to run when the next block of Support Hours commences.
Exclusions
Any problems caused by (a) use of an Ordered Software Service by Customer in a manner not in accordance with the Agreement or the applicable Order Form; (b) Customer’s breach of its obligations contained herein or in the applicable Order Form; (c) modifications to the Ordered Software Service not made or authorized by Checkealos; or (d) a failure by Customer to procure the minimum software and equipment needed to properly access and use the Ordered Software Service (including without limitation, the requirements set forth at “ANNEXE IV: System Requirements”) (collectively, “Access Equipment”) or problems with the Access Equipment, are not covered by Technical Support, and Customer shall be responsible for paying Checkealos’s normal reasonable charges and expenses for time or other resources provided by Checkealos and requested by Customer to diagnose or attempt to correct any such problems.
ANNEXE II: SaaS Delivery Services Exhibit
Overview
Checkealos’s SaaS Delivery Services comprise the complete set-up, delivery and administration of the Ordered Software Services on servers operated and maintained by or at the direction of Checkealos. Checkealos will set up, manage, monitor, tune, and react to all aspects of the Ordered Software Services, including Customer Content, databases, network, servers, security components, internet links, etc. By managing all these services, Customer can access the Ordered Software Services via a secured connection from a web browser. Checkealos may delegate the performance of certain portions of the SaaS Delivery Services to third parties, provided Checkealos remains responsible to Customer for the delivery of the Ordered Software Services. Capitalized terms used but not defined in this SaaS Delivery Services Exhibit shall have the meanings given to them in the Agreement.
Security
Checkealos operates an information security program designed to protect Customer Content utilizing industry standard policies and technologies. Checkealos takes appropriate measures to protect the Ordered Software Services against “hackers” and others who may seek to modify the Ordered Software Services or the data therein without the consent of Checkealos or Customer, and to correct each Ordered Software Service to its original form in the event that it is modified without Checkealos’s consent. Checkealos tests code for potential areas where security could be breached.
Data Centers and Physical Security
The equipment hosting the Software is located in one or more secure, fault-tolerant, seismically-compliant data centers (each, a “Data Center”). Physical access to each Data Center is restricted and controlled by access lists held by the colocation facility’s security department. Multiple forms of authentication are required to access each facility. Each Data Center is equipped with fire, water, and heat detection and protection systems. As of the Effective Date, Checkealos uses the following hosting service providers for the Ordered Software Services:
For Ordered Software Services hosted in the United States, Checkealos uses Amazon Web Services (“AWS”), currently located in Oregon. Data Center certifications include SSAE 16 – SOC2, ISO 9001, ISO 14001, ISO-IEC 27001, OHSAS 18001, Safe Harbor Self-Certification and CDSA Certification.
For Ordered Software Services, Checkealos also uses Amazon Web Services (“AWS”), currently located in Ireland. Europe-based Data Center certifications include SSAE 16 – SOC2, ISO-IEC 27001, BS7799, ISO 9000:2001 and ISO 14001.
Application Security
○ All Checkealos application traffic traverses the Internet via encrypted channels and only communicates to the outside through HTTPS using AES-256 bit encryption.
○ Firewalls that limit services to only those required for the application to function.
○ The applications include protection from SQL Injection, Cross-Site Scripting and Cross-Site Request Forgery.
○ The application includes a password lockout feature to prevent brute force attacks.
○ Regular third party security scans are conducted.
○ Systems are securely configured according to a security baseline. This baseline must include removing unnecessary services and changing default, vendor-supplied or otherwise weak user accounts and passwords.
○ Web servers are configured to accept requests for only authorized and published directories. Default sites, executables or directory listings are disabled.
○ Logical access to the production environment can only be established via a secure encrypted session that is restricted to authorized Checkealos Technical Operations staff.
○ All administrative access is logged and monitored.
Data Security
○ Data is encrypted at rest using AES-256 bit.
○ All Customer Content is protected via a multi-layer security design that includes encryption, firewalls, and other security methods.
○ Only authorized personnel are granted rights to access Customer Content.
○ Authorized personnel who access Customer Content are provided with unique user IDs.
○ Once Checkealos personnel no longer need access to Customer Content, that person’s access is revoked.
○ All application traffic is passed between the System and Customer through secured encrypted channels.
○ Access to Customer’s instance of the Ordered Software Services requires authentication.
○ Once authenticated, role based authorization controls dictate the level of access granted to a user.
○ Logical access to backend systems and databases requires individually assigned user accounts provided only to those Checkealos personnel with a legitimate business need-to-know.
Authentication
- All access to systems is controlled by an authentication method involving a minimum of a unique user ID/password combination.
- Privileged users and administrators use strong authentication.
- Passwords may be changed on a periodic basis if requested by Customer.
- Passwords are never stored in clear text and are hashed with SHA-256, which is a one-way hash, so there is no key that can decrypt it to get the original password.
- Passwords must be complex and not easy to guess or crack.
- Effectiveness of authentication is tested on a regular basis to ensure that unauthorized authentication is not easily permitted.
- All activity performed under a user ID is the responsibility of the individual assigned to that user ID. Users do not share their user ID/password with others or allow other employees to use their user ID/password to perform actions.
- Use of generic user accounts is not permitted.
- Client connections are not allowed to retain access to a disrupted session, a session that has ended abnormally, or when a security-related parameter has been exceeded or violated. An abnormal ending of a session results in denied access and requires the user to begin the login process.
System and Network Security
At the network level, Checkealos’s production environment is designed to provide maximum security based on industry-standard practices.
- Industry-standard firewalls are implemented in high availability mode to protect the application environment and associated data from the Internet and untrusted networks.
- The front-end application and web servers are isolated from other services such as DNS and SMTP.
- Inbound and outbound connections are denied unless expressly allowed.
- The databases are further protected in a separate data island firewalled such that they can only be accessed by the front-end servers. No direct access from the Internet is allowed to the database servers.
- The system is monitored for unauthorized access or malicious traffic.
- Malware prevention technologies include, but are not limited to, desktop and gateway antivirus.
- Effectiveness of controls is tested on a periodic basis.
Host Security
At the host level, Checkealos servers are fine-tuned or “hardened”.
- Only necessary services and software are installed.
- Servers are regularly updated with the latest security patches.
- All management traffic to the servers is encrypted.
- Where applicable, malware detection tools are used.
- Administrative access to servers is restricted to authorized resources and occurs over a secure encrypted session. All administrative access is logged and monitored.
- Security auditing is turned on and logs are sent to a secure log collection system.
Logging and Monitoring
Checkealos logs security-relevant events, including, but not limited to, login failures, use of privileged accounts, changes to access models or file permissions, modification to installed software or the operating system, changes to user permissions or privileges or use of any privileged system function, on all systems. Security logs are retained for a minimum of 1 year. Access to security logs is restricted to authorized staff. System clocks are synchronized with NTP to ensure the accuracy of audit logs.
Availability of Ordered Software Services
Checkealos shall use commercially reasonable efforts to maintain each Ordered Software Service in a manner that minimizes errors and interruptions and to make such Ordered Software Service available 24 hours a day, seven days a week, but it is understood that an Ordered Software Service may be temporarily unavailable due to (a) maintenance, application of Updates (as defined below) and testing of systems, applications and networks within the Data Center (collectively, “Scheduled Maintenance”), or (b) Force Majeure Events. Checkealos will use all commercially reasonable efforts to provide Customer with 72 hours advance notice of any Scheduled Maintenance.
In the event of an outage of an Ordered Software Service other than Scheduled Maintenance where users experience no response (“Emergency Downtime”), Checkealos will follow its standard outage procedure.
Configuration Management
Emergency, non-routine, and other configuration changes to existing Checkealos infrastructure are authorized, logged, tested, approved and documented in accordance with industry best practices for similar systems. Updates to Checkealos’s infrastructure are done to minimize any impact on the customer and their use of the services. Checkealos will communicate with customers when service use is likely to be adversely affected.
Checkealos applies a systematic approach to managing change so that changes to customer impacting services are thoroughly reviewed, tested, approved and well communicated. Checkealos’s change management process is designed to avoid unintended service disruptions and to maintain the integrity of service to the customer.
Whenever possible, software changes are scheduled during regular Scheduled Maintenance/change windows. Emergency changes to production systems that require deviations from standard change management procedures are associated with an incident and are logged and approved as appropriate.
Service Level Agreement
Monthly Availability Credit
Checkealos will use all reasonable efforts to minimize downtime of the Ordered Software Services and to ensure a Monthly Availability Percentage of 99.5%, except as set forth below. The Monthly Availability Credit is calculated on an aggregate Monthly basis as follows:
Monthly Availability Percentage = (total minutes in the month – total number of minutes that the Ordered Software Service is inoperable in that month) / total minutes in the month
So long as Checkealos takes commercially reasonable steps to restore service as rapidly as possible, the Monthly Availability Percentage excludes (1) periods of Scheduled Maintenance; (2) problems caused by use by Customer of the Ordered Software Services in a manner not in accordance with the Documentation; (3) outages due to problems with Customer Content; (4) outages due to system administration, commands, file transfers performed by Customer representatives; (5) outages due to denial of service attacks, natural disasters, changes resulting from government, political, or other regulatory actions or court orders, strikes of third parties or labor disputes of third parties, acts of civil disobedience, acts of war, acts against parties (including carriers and Checkealos’s other vendors), and other force majeure items; (6) lack of availability due to untimely response time of Customer to respond to incidents that require its participation for source identification and/or resolution; (7) outages due to Customer’s breach of its material obligations under the Agreement; and (8) outages due to failure of the Customer Access Equipment or other Customer hardware or software.
ANNEXE III: ORDER FORM
Customer: | Contact: |
Address: | Phone: |
Legal Entity: | E-Mail: |
Checkealos Administrator: [Name] |
Services: [Name and briefly describe services here] ___________ (the “Service(s)”). |
Services Fees: $______________ per year, payable in advance, subject to the terms of Section 4 herein. | Initial Service Term: [One] Year |
Service Capacity: ___________________ [Note: include any limits on usage. Also, if additional fees will be required for overages, include details here or in fees section above]
Any company that has separate legal entity registrations needs to get a subscription. But within a company, different offices can request additional accounts rather than buying a full subscription package.
Credit monthly restrictions
This Order Form (“Order Form”) is entered into on this _______ day of ________, 2019 (the “Effective Date”) between [User Experience, SL] with a place of business at _________________ (“Company”), and the Customer listed above (“Customer”). There shall be no force or effect to any different terms of any related purchase order or similar form even if signed by the parties after the date hereof.
[User Experience, SL]: [Customer]:
By: By:
Name: Name:
Title:
ANNEXE IV: System Requirements
Operating System
Microsoft | Mac | Linux |
XP / Vista / W7 / W8 / W10 | MacOS X10.4+ | Linux |
Browser
IE | Edge | Chrome | Firefox | Safari |
IE 11 | Latest versions | Latest versions | Latest versions | 6.1.x+ |
All browsers must have JavaScript, Flash and cookies enabled, as well as SSL 256-bit encryption available.
Screen Resolution
By default, the minimum screen resolution to use is 1280×1024. However, to comfortably use the following areas below, the minimum recommended screen resolution is 1920×1080:
Internet Connection
DSL or faster.
Firewall
Firewalls may prevent you from accessing Checkealos Platform. If this is the case, contact your IT department for assistance.