Terms of Service - Subscription Agreement
We have updated Drata’s Terms of Service - Subscription Services Agreement (“Agreement”) effective as of March 4, 2024. If you want to view the previous version of this, click here. If you want a PDF version of this, click here.
THIS AGREEMENT IS A BINDING CONTRACT AND GOVERNS THE USE OF AND ACCESS TO THE SERVICES BY YOU AND YOUR AUTHORIZED USERS WHETHER IN CONNECTION WITH A PAID SUBSCRIPTION OR FREE TRIAL FOR THE SERVICES.
By accepting this Agreement, either by accessing or using a Service, or authorizing or permitting any User to access or use a Service, Customer agrees to be bound by this Agreement as of the date of such access or use of the Service (the “Effective Date”). If You are entering into this Agreement on behalf of a company, organization or another legal entity (an “Entity”), You are agreeing to this Agreement for that Entity and representing to Drata that You have the authority to bind such Entity and its Affiliates to this Agreement, in which case the terms “Customer,” “You,” or “Your” herein refers to such Entity and its Affiliates. If You do not have such authority, or if You do not agree with this Agreement, You must not use or authorize any use of the Services. Customer and Drata shall each be referred to as a “Party” and collectively referred to as the “Parties” for purposes of this Agreement.
The purpose of this Agreement is to establish the terms and conditions under which Customer may purchase Drata’s Services and Professional Services as described in an Order Form, Statement of Work or other document signed or agreed to by the Customer. The terms of the Order Form or Statement of Work shall control in the event of any inconsistency or conflict with the terms of this Agreement.
Non-English translations of this Agreement are provided for convenience only. In the event of any ambiguity or conflict between translations, the English version shall control.
Table of Contents:
General Terms and Conditions:
Access to the Services
Use of the Services
Term, Cancellation and Termination
Fees, Billing, Plan Modification and Payments
Confidential Information
Subprocessors and Security of Customer Data
Temporary Suspension
Non-Drata Services
Free Trials
Intellectual Property Rights
Representations, Warranties and Disclaimers
Indemnification
Limitation of Liability
Assignment, Entire Agreement and Amendment
Severability
Export Compliance and Use Restrictions
Relationship of the Parties
Notice
Governing Law
Federal Government End Use Provisions
Ethical Conduct and Compliance
Insurance
Survival
Definitions
General Terms and Conditions
SECTION 1. ACCESS TO THE SERVICES
1.1 Service. Drata will make the Services and Customer Data available pursuant to this Agreement and the applicable Order Form(s) and Documentation. Drata will use commercially reasonable efforts to make the Services available twenty-four (24) hours a day, seven (7) days a week maintaining 99.9% Service availability, except during (i) Planned Downtime (of which Drata will give advance notice via the Site or to the Account admin); and (ii) Force Majeure Events.
1.2 Support. Drata will, at no additional charge, provide support via chat and ticket on Mondays through Fridays (24 hours per day), excluding federal public holidays in the United States and other Drata announced support holidays. If purchased by Customer, Drata will provide upgraded support or support that includes service level agreements.
1.3 Professional Services. Upon Customer’s request, Drata may provide Professional Services subject to the terms and conditions stated at: https://drata.com/proserv.
1.4 Modifications. Customer acknowledges that Drata may modify the features and functionality of the Services during the Subscription Term. Drata shall provide Customer with thirty (30) days’ advance notice of any deprecation of any material feature or functionality. Drata will not materially decrease the overall functionality of the Services purchased by Customer or of the security measures detailed in this Agreement during the Subscription Term.
1.5 Additional Features. Drata will notify Customer of applicable Supplemental Terms or alternate terms and conditions prior to Customer’s activation of any additional features. Customer’s activation of any additional features in Customer’s Account will be considered acceptance of the applicable Supplemental Terms or alternate terms and conditions where applicable.
1.6 Extension of Rights to Affiliates. Customer may extend its rights, benefits and protections provided herein to its Affiliates and to contractors or service providers acting on Customer’s or Customer’s Affiliates’ behalf, provided that Customer remains responsible for their compliance hereunder. An Affiliate may also directly purchase Services or Professional Services pursuant to the terms of this Agreement provided that such Affiliate (i) executes an Order Form or Statement of Work for such Services or Professional Services; and (ii) agrees to be bound by the terms of this Agreement as if it were an original party hereto. Customer hereby authorizes Drata to share the content of this Agreement with Customer’s Affiliates.
SECTION 2. USE OF THE SERVICES
2.1 Login Management. Access to and use of certain Services is restricted, such as to the specified number of individual Users permitted under Customer’s subscription to the applicable Service, as detailed in the Documentation. For Services that are User-based, Customer agrees and acknowledges that a User login cannot be shared or used by more than one (1) individual per Account. However, User logins may be reassigned to new individuals replacing former individuals who no longer require ongoing use of the Services. Customer and Users are responsible for maintaining the confidentiality of all User login information for an Account. Customer shall not use the API or any Software in such a way to circumvent applicable Service feature or functionality restrictions or User licensing restrictions that are enforced in the Service user interface. Drata reserves the right to charge Customer, and Customer hereby agrees to pay, for any overuse of a Service in violation of this Agreement or the features and limitations on the Site or Documentation, in addition to other remedies available to Drata.
2.2 Compliance. As between Customer and Drata, Customer is responsible for compliance with the provisions of this Agreement by Users and for any and all activities that occur under an Account, which Drata may verify from time to time. Without limiting the foregoing, Customer will ensure that its use of the Services is compliant with all applicable laws and regulations as well as any and all privacy notices, agreements or other obligations Customer may maintain or enter into with Users.
2.3 Use Restrictions. Customer will not, and will ensure its Users will not: (i) make the Services available to anyone other than Customer or its Users, or use the Services for the benefit of anyone other than Customer or Customer’s Affiliates, except as expressly allowed in an Order Form; (ii) modify, adapt, alter or translate the Services; (iii) sublicense, lease, sell, resell, rent, loan, or distribute the Services, or any part thereof, or include the Services in a service bureau or outsourcing offering; (iv) reverse engineer, decompile, disassemble, or otherwise derive or determine or attempt to derive or determine the source code (or the underlying ideas, algorithms, structure or organization) of the Services or any part thereof, except as permitted by law; (v) interfere in any manner with the operation of the Services or the hardware and network used to operate the same, or attempt to probe, scan or test vulnerability of the Services without prior authorization of Drata; (vi) use the Services to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party privacy rights; (vii) modify, copy, disclose (except as expressly authorized in this Agreement) or make derivative works based on any part of the Services; (viii) access or use the Services, or any feature, information or functionality thereof, to build a similar or competitive product or service or otherwise engage in competitive analysis or benchmarking; (ix) attempt to access the Services through any unapproved interface; (x) remove, alter, or obscure any proprietary notices (including copyright and trademark notices) of Drata or its licensors on the Services or any copies thereof; (xi) upload to the Services any Customer Data that contains any sensitive personal information (such as financial, medical or other sensitive personal information such as government IDs, passport numbers, protected health information, credit card data, or social security numbers); or (xii) otherwise use the Services in any manner that exceeds the scope of use permitted under applicable Order Forms.
2.4 System Requirements. A high-speed Internet connection is required for proper transmission of the Services. Customer is responsible for procuring and maintaining the network connections that connect Customer’s network to the Services including, but not limited to, browser software that supports protocols used by Drata, including the Transport Layer Security (TLS) protocol or other protocols accepted by Drata and following procedures for accessing services that support such protocols. Drata is not responsible for notifying Customer or Users of any upgrades, fixes or enhancements to any such software or for any compromise of data, including Customer Data, transmitted across computer networks or telecommunications facilities (including but not limited to the Internet) which are not owned, operated or controlled by Drata. Drata assumes no responsibility for the reliability or performance of any connections as described in this section.
SECTION 3. TERM, CANCELLATION AND TERMINATION
3.1 Term. The term of this Agreement begins on the Effective Date and will remain in effect as long as the Customer has an active subscription to the Services, Statement of Work or until this Agreement is otherwise terminated in accordance with the terms hereof, whichever occurs first. The Subscription Term will be defined in each individual Order Form. Unless an Account and subscription to a Service are terminated in accordance with this Agreement or the applicable Order Form, or unless otherwise stated in the applicable Order Form, (i) Customer’s subscription to a Service will automatically renew for a Subscription Term equivalent in length to the then-expiring Subscription Term; and (ii) the Subscription Charges applicable to any subsequent Subscription Term shall be Drata’s Standard Subscription Charges for the applicable Service plan types at the time of such renewal.
3.2 Cancellation. Either Party may elect to terminate an Account and subscription to a Service at the end of the then-current Subscription Term by providing notice in accordance with Section 18 of this Agreement to [email protected] no less than thirty (30) days prior to the end of the then-existing Subscription Term.
3.3 Termination for Cause. A Party may terminate this Agreement for cause (i) upon written notice to the other Party of a material breach by the other Party, provided that the breaching Party shall have thirty (30) days to cure such material breach from the date of receipt of such written notice; or (ii) if the other Party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation, or assignment for the benefit of creditors. Additionally, Drata may immediately terminate this Agreement for cause without notice if Customer violates Drata’s User Conduct and Content Policy or if provision of the Service violates applicable law, regulation or court order.
Drata will refund any prepaid fees covering the remainder of the Subscription Term as of the effective date of termination if this Agreement is terminated by Customer in accordance with this section for Drata’s uncured material breach.
Customer agrees to pay any unpaid fees covering the remainder of the Subscription Term pursuant to all applicable Order Forms if Drata terminates this Agreement for Customer’s material breach in accordance with this section. In no event will Drata’s termination for cause relieve Customer of Customer’s obligation to pay any fees payable to Drata for the period prior to termination.
3.4 Payment Upon Termination. Except for Customer’s termination under Section 3.3, in addition to any other amounts Customer may owe Drata, Customer must immediately pay any and all unpaid Subscription Charges associated with the remainder of such Subscription Term.
3.5 No Refunds/Credits. Except for Customer’s termination rights under Section 3.3, Drata does not provide refunds or credits for Subscription Charges or other fees or payments.
3.6 Export of Customer Data. Upon Customer’s written request and in accordance with Drata’s Customer Data Deletion and Retention Policy found in Drata’s Trust Center, Drata will make Customer Data available to Customer for export or download as provided in the Documentation for thirty (30) days after the effective date of termination, expiration or migration of the Account, except for Customer Data which (i) has been deleted in accordance with the Documentation; (ii) was created and/or used in violation of this Agreement; or (iii) which, if made available, would violate applicable law. Thereafter, Drata will have no obligation to maintain or provide any Customer Data and Drata will delete Customer Data in accordance with Drata’s Data Deletion and Retention Policy available in Drata’s Trust Center unless prohibited by law or legal order.
SECTION 4. FEES, BILLING, PLAN MODIFICATIONS AND PAYMENTS
4.1 Payment and Billing. Unless otherwise expressly set forth in this Agreement, an Order Form, a Statement of Work, or as otherwise agreed for Usage Charges, all Subscription Charges are due in full upon commencement of the Subscription Term. Customer is responsible for providing valid and current account information which shall include (i) physical billing address; (ii) ship-to address; and (iii) billing contact email address. Customer agrees to promptly update the account information, including billing information, with any changes that may occur (for example, a change in Customer’s billing address or credit card expiration date). If Customer fails to pay Subscription Charges or any other charges indicated on any Order Form or Statement of Work, or in any Supplemental Terms, within five (5) days of Drata’s notice to Customer that payment is delinquent, or if Customer does not update payment information upon Drata’s request, in addition to other remedies, Drata may suspend access to and use of the Services by Customer and Users. As permitted by applicable law, Drata reserves the right to charge the Customer late payment penalties and interest charges on any past-due invoices that are not subject to a previously-noticed good faith dispute as to amount owed.
4.2 Fees. Customer will pay all Fees to Drata in accordance with the Order Form and this Agreement. Payment obligations are non-cancelable, and Fees paid are non-refundable. Except as otherwise set forth in an Order Form, Drata may increase Subscription Charges upon renewal of each Order Form Subscription Term by providing written notice to Customer at least forty-five (45) days prior to the commencement of the applicable renewal Subscription Term.
4.3 Upgrades. If Customer chooses to upgrade its plan type or add products (such as additional frameworks) during the Subscription Term, any incremental Subscription Charges associated with such upgrade will be charged in accordance with the remaining Subscription Term. In any subsequent Subscription Term, the Subscription Charges will reflect any such upgrades.
4.4 Downgrades. Customer may not downgrade its plan type or reduce the number of frameworks during any Subscription Term. Customer may only downgrade its plan type or reduce the number of frameworks for a subsequent Subscription Term at the end of the then-current Subscription Term by providing Drata with thirty (30) days prior written notice indicating which instances will be affected and the details of the downgrade requested. If a new Order Form is not signed by the Customer before the end of the then-current Subscription Term, the Services will renew as described in Section 3.1.
4.5 If applicable, Usage Charges, limits and pricing are set forth on the Order Form associated with each purchase. Drata will not prevent Customer from increasing product volume usage beyond the licensed usage volume. Such increases shall trigger an adjustment to the contract terms and result in a supplemental Order Form, or at prevailing and customary rates if not otherwise indicated. Adjustments will be applied to the remainder of the Subscription Term. In the event Customer objects to the volume increases, the Parties will work together in good faith to reduce the volume below the original Order Form volume limits or separately adjust contract terms.
4.6 Taxes. Unless otherwise stated, Drata’s Subscription Charges do not include any Taxes. Customer is responsible for paying Taxes assessed in connection with the subscription to the Services except those assessable against Drata measured by its net income. If Drata has a legal obligation to pay or collect any Taxes for which Customer is responsible, Drata will invoice Customer and Customer will pay that amount. Drata agrees to exempt Customer from any taxes for which Customer provides to Drata a tax exemption certificate prior to the issuance of an invoice; provided, however, that no such exemption shall be extended to Customer following written notice to Drata from a taxing authority of appropriate jurisdiction that Customer does not qualify for the claimed exemption.
4.6.1 If the Customer is required to withhold Taxes from payments to Drata, Customer shall pay Drata the amount owing on the invoice, less a deduction for such Taxes withheld to be remitted directly by the Customer to the relevant tax authority. Customer will provide Drata with a valid receipt for such Taxes remitted to the relevant tax authority within ninety (90) days of Customer’s payment to Drata from which the withholding was made. If Customer does not provide the valid receipt for such Taxes remitted within ninety (90) days, Customer agrees and acknowledges that it will be charged and will have to pay for the full amount of the invoice.
4.6.2 If the Customer is legally required to withhold Taxes from payments to Drata but fails to do so and pays an invoice in full, Customer may be entitled to reimbursement by Drata of the Taxes which should have been withheld. Drata shall only make such reimbursement during the first year following payment of the relevant invoice to Drata, once the Customer provides Drata with a valid receipt for the Taxes remitted to the relevant tax authority in respect of that invoice.
4.7 Payment Portals. If Customer mandates Drata to use a vendor payment portal or compliance portal that charges Drata a subscription fee or a percentage of any uploaded invoice as a required cost of doing business, Customer shall be invoiced by Drata for, and Customer shall pay, the cost of this fee.
SECTION 5. CONFIDENTIAL INFORMATION
In connection with the Services, each Party will protect the other’s Confidential Information from unauthorized use, access or disclosure in substantially the same manner as each Party protects its own Confidential Information, but with no less than reasonable care. Except as otherwise expressly permitted pursuant to this Agreement, each Party may use the other Party’s Confidential Information solely to exercise its respective rights and perform its respective obligations under this Agreement and shall disclose such Confidential Information (i) solely to the employees and/or non-employee service providers and contractors who have a need to know such Confidential Information and who are bound by terms of confidentiality intended to prevent the misuse of such Confidential Information; (ii) as necessary to comply with an order or subpoena of any administrative agency or court of competent jurisdiction; or (iii) as reasonably necessary to comply with any applicable law or regulation. The provisions of this Section 5 shall control over any non-disclosure agreement by and between the Parties and any such non-disclosure agreement shall have no further force or effect with respect to the exchange of Confidential Information after the execution of this Agreement. This section shall not apply to any information which (a) was publicly known prior to the time of disclosure by the disclosing Party; or (b) becomes publicly known after such disclosure through no action or inaction of the receiving Party in violation of this Agreement. For clarity, any exchange of Confidential Information prior to the execution of this Agreement shall continue to be governed by any such non-disclosure agreement. Given the unique nature of Confidential Information, the Parties agree that any violation or threatened violation by a Party to this Agreement with respect to Confidential Information may cause irreparable injury to the other Party. 
Therefore, the Parties agree such violation or threatened violation shall entitle the other Party to seek injunctive or other equitable relief in addition to all legal remedies.
SECTION 6. SUBPROCESSORS AND SECURITY OF CUSTOMER DATA
6.1 Subprocessors. Drata will utilize Subprocessors who will have access to or process Customer Data to assist in providing the Services to the Customer as detailed on the Authorized Subprocessors Page. Customer hereby confirms and provides general authorization for Drata’s use of the Subprocessors listed on the Authorized Subprocessors Page. Drata shall be responsible for the acts and omissions of members of Drata Personnel and Subprocessors to the same extent that Drata would be responsible if Drata was performing the services of each Drata Personnel or Subprocessor directly under the terms of this Agreement. Drata will notify a Customer’s admin when a new Subprocessor is added (including the name and location of the relevant Subprocessor and the activities it will perform) and by updating the Authorized Subprocessors Page.
6.2 Third-Party Service Providers. Drata may use third-party service providers that are utilized by Drata to assist in providing the Services to Customer, but do not have access to Customer Data. Any third-party service providers utilized by Drata will be subject to confidentiality obligations which are substantially similar to the confidentiality terms herein. Drata shall be responsible for the acts and omissions of members of Drata’s third-party service providers to the same extent that Drata would be responsible if Drata was performing the services of each third-party service provider directly under the terms of this Agreement.
6.3 Safeguards. Drata will maintain appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Data. If either Party becomes aware of a Security Incident, that Party must promptly notify the other Party, unless legally prohibited from doing so, within forty-eight (48) hours or any shorter period required by law except that Customer is not required to notify Drata unless Customer reasonably determines there is a threat to the Service. Additionally, each Party shall reasonably assist the other Party in mitigating any potential damage. As soon as reasonably practicable after any Security Incident, Drata shall conduct a root cause analysis and, upon request, shall share the results of its analysis and its remediation plan with Customer. Unless prohibited by law, each Party shall provide the other Party with reasonable notice of and the opportunity to review and comment on the content of all public notices, filings, or press releases about a Security Incident that identify the other party by name prior to any such publication.
6.4 Customer Data. Drata will, and Customer hereby instructs Drata to, access Customer Data to provide, secure and improve the Services. Customer is solely responsible for the accuracy, content, and legality of all Customer Data. When Customer Data is used to improve Drata’s machine learning models, Drata will ensure that such Customer Data, including Personal Data, is not reproduced by the model to another customer, and will take necessary steps to prevent this, such as applying data sanitation algorithms to training data.
6.5 Customer Information. Drata shall be the Data Controller of personal information of Customer’s Users and admins; and, shall process such personal information in accordance with Drata’s Privacy Notice. Customer is responsible for informing its Users and admins of their rights set forth in Drata’s Privacy Notice. Customer represents and warrants that it has obtained all relevant consents, permissions and rights and provided all relevant notices necessary under applicable data protection laws for Drata to lawfully process such personal information for the purposes set forth in Drata’s Privacy Notice.
6.6 Data Processing Addendum. The Data Processing Addendum can be signed here and thereafter shall be incorporated by reference herein into this Agreement once signed by the Parties.
SECTION 7. TEMPORARY SUSPENSION
Drata reserves the right to restrict functionalities or suspend the Services (or any part thereof), Customer’s Account or Customer’s and/or Users’ rights to access and use the Services and remove, disable or quarantine any Customer Data or other content if (i) Drata reasonably believes that Customer or Users have violated this Agreement; or (ii) Drata suspects or detects any Malicious Software connected to a Customer’s Account or use of a Service by Customer or Users. This right includes the removal or disablement of Customer Data or other content in accordance with Drata’s policies. Drata also reserves the right to immediately suspend Customer’s Account for Customer’s violation of Drata’s User Conduct and Content Policy. Drata will use commercially reasonable efforts to notify Customer via email when taking any of the foregoing actions unless legally prohibited. Drata shall not be liable to Customer, Users or any other third party for any modification, suspension or discontinuation of Customer’s rights to access and use the Services. Drata may refer any suspected fraudulent, abusive, or illegal activity by Customer or Users to law enforcement authorities at Drata’s sole discretion.
SECTION 8. NON-DRATA SERVICES
If Customer decides to enable, access or use Non-Drata Services, Customer’s access and use of such Non-Drata Services shall be governed solely by the terms and conditions of such Non-Drata Services. Drata does not endorse, is not responsible or liable for, and makes no representations as to any aspect of such Non-Drata Services, including, without limitation, their content or the manner in which they handle, protect, manage or process data (including Customer Data), or any interaction between Customer and the provider of such Non-Drata Services. Drata cannot guarantee the continued availability of such Non-Drata Service features, and may cease enabling access to them without entitling Customer to any refund, credit or other compensation if, for example and without limitation, the provider of a Non-Drata Service ceases to make the Non-Drata Service available for interoperation with the corresponding Service in a manner acceptable to Drata. Customer irrevocably waives any claim against Drata with respect to such Non-Drata Services. Drata shall not be liable for any damage or loss caused or alleged to be caused by or in connection with Customer’s enablement, access or use of any such Non-Drata Services, or Customer’s reliance on the privacy practices, data security processes or other policies of such Non-Drata Services. Customer may be required to register for or log into such Non-Drata Services on their respective websites. By enabling any Non-Drata Services, Customer is expressly permitting Drata to disclose Customer’s login and Customer Data to the provider of the Non-Drata Service as necessary to facilitate the use or enablement of such Non-Drata Services.
SECTION 9. FREE TRIALS
If Customer is approved by Drata for Free Trial Services, Drata will make the applicable Free Trial Services available to Customer free of charge until the earlier of: (i) the end of the free trial period communicated by Drata to Customer; (ii) the start date of any Purchased Services subscriptions ordered by Customer for such Service(s); or (iii) termination of the Free Trial Services period by Drata in its sole discretion. For the purposes of trials, Section 10.5 herein shall not apply. ANY CUSTOMER DATA CUSTOMER ENTERS INTO THE FREE TRIAL SERVICES WILL BE PERMANENTLY LOST UNLESS CUSTOMER PURCHASES A SUBSCRIPTION TO THE SAME SERVICES AS THOSE COVERED BY THE FREE TRIAL SERVICES OR EXPORTS SUCH CUSTOMER DATA BEFORE THE END OF THE TRIAL PERIOD. NOTWITHSTANDING THE “REPRESENTATIONS, WARRANTIES AND DISCLAIMERS” SECTION AND “INDEMNIFICATION BY DRATA” SECTIONS BELOW, FREE TRIAL SERVICES ARE PROVIDED “AS-IS” WITHOUT ANY WARRANTY AND DRATA SHALL HAVE NO INDEMNIFICATION OBLIGATIONS NOR LIABILITY OF ANY TYPE WITH RESPECT TO THE FREE TRIAL SERVICES UNLESS SUCH EXCLUSION OF LIABILITY IS NOT ENFORCEABLE UNDER APPLICABLE LAW IN WHICH CASE DRATA’S LIABILITY WITH RESPECT TO THE FREE TRIAL SERVICES SHALL NOT EXCEED $1,000.00. WITHOUT LIMITING THE FOREGOING, DRATA AND ITS AFFILIATES AND ITS LICENSORS DO NOT REPRESENT OR WARRANT TO CUSTOMER THAT: (i) CUSTOMER’S USE OF THE FREE TRIAL SERVICES WILL MEET CUSTOMER’S REQUIREMENTS; (ii) CUSTOMER’S USE OF THE FREE TRIAL SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE OR FREE FROM ERROR; AND (iii) USAGE DATA RELATED TO FREE TRIAL SERVICES WILL BE ACCURATE. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THE “LIMITATION OF LIABILITY” SECTION BELOW, CUSTOMER SHALL BE FULLY LIABLE UNDER THIS AGREEMENT TO DRATA AND ITS AFFILIATES FOR ANY DAMAGES ARISING OUT OF CUSTOMER’S USE OF THE FREE TRIAL SERVICES.
SECTION 10. INTELLECTUAL PROPERTY RIGHTS
10.1 Intellectual Property Rights. Each Party shall retain all rights, title and interest in any and all of such Party’s respective Intellectual Property Rights. The rights granted to Customer and Users to use the Service(s) under this Agreement do not convey any additional rights in the Service(s) or in any Intellectual Property Rights of Drata associated therewith. Subject only to limited rights to access and use the Service(s) as expressly stated herein, all rights, title and interest in and to the Services and all hardware, Software and other components of or used to provide the Services and Drata’s machine learning algorithms, including all related Intellectual Property Rights, will remain with Drata and belong exclusively to Drata.
10.2 Feedback. Drata shall have a fully paid-up, royalty-free, worldwide, transferable, sub-licensable (through multiple layers), assignable, irrevocable and perpetual license to implement, use, modify, commercially exploit, incorporate into the Services or otherwise use any suggestions, enhancement requests, recommendations or other feedback regarding the Services that Drata receives from Customer, Users, or other third parties acting on Customer’s behalf. Drata also reserves the right to seek intellectual property protection for any features, functionality or components that may be based on or that were initiated by suggestions, enhancement requests, recommendations or other feedback regarding the Services that Drata receives from Customer, Users, or other third parties acting on Customer’s behalf.
10.3 Aggregated Information. Drata may aggregate, collect and analyze information relating to the provision, use and performance of the Services and may use (during and after the Term) such information to develop and improve the Services and other Drata offerings, including disclosure of such information to third parties in an aggregated and anonymized format such that no Customer nor any individual or household can be identified.
10.4 Use of Drata Marks. Customer may only use the Drata Marks in a manner permitted by Drata provided Customer does not attempt, now or in the future, to claim any rights in the Drata Marks, dilute or degrade the distinctiveness of the Drata Marks, or use the Drata Marks to disparage or misrepresent Drata or Drata Services.
10.5 Use of Customer Marks. The Customer Marks are Customer’s exclusive property. Drata may use Customer’s name and Customer Marks in its Customer list (including on Drata’s website, social media and in sales and marketing materials) in the same way it uses the names of its other customers. Drata shall use Customer Marks in accordance with Customer’s applicable branding guidelines if provided to Drata and Drata may not use Customer’s name or Customer Marks in any other way without Customer’s prior written consent (with email consent deemed sufficient).
10.6 Ownership of Customer Data. Customer shall retain ownership rights, including all Intellectual Property Rights, to all Customer Data processed under the terms of this Agreement.
SECTION 11. REPRESENTATIONS, WARRANTIES AND DISCLAIMERS
11.1 Warranties. Each Party represents and warrants to the other that (i) this Agreement has been duly executed and delivered and constitutes a valid and binding agreement enforceable against such Party in accordance with its terms; (ii) no authorization or approval from any third party is required in connection with such Party’s execution, delivery or performance of this Agreement; and (iii) the execution, delivery and performance of the Agreement does not and will not violate the terms or conditions of any other agreement to which it is a party or by which it is otherwise bound.
11.2 Drata Warranties. Drata warrants that during an applicable Subscription Term (i) this Agreement and the Documentation will accurately describe the applicable administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Data; and (ii) the Services will perform materially in accordance with the applicable Documentation. For any breach of a warranty in this section, Customer’s exclusive remedies are those described in Section 3.3 herein. The warranties herein do not apply to any misuse or unauthorized modification of the Services made by Customer or its Users.
11.3 Disclaimers.
11.3.1 EXCEPT AS SPECIFICALLY SET FORTH IN SECTION 11.2, THE SERVICES, INCLUDING ALL SERVER AND NETWORK COMPONENTS, ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS, WITHOUT ANY WARRANTIES OF ANY KIND TO THE FULLEST EXTENT PERMITTED BY LAW, AND DRATA EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. CUSTOMER ACKNOWLEDGES THAT DRATA DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE, ERROR-FREE OR FREE FROM VIRUSES OR OTHER MALICIOUS SOFTWARE, AND NO INFORMATION OR ADVICE OBTAINED BY CUSTOMER FROM DRATA OR THROUGH THE SERVICES SHALL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THIS AGREEMENT.
11.3.2 CUSTOMER ACKNOWLEDGES AND AGREES THAT DRATA IS NOT LIABLE, AND CUSTOMER AGREES NOT TO SEEK TO HOLD DRATA LIABLE, FOR THE CONDUCT OF THIRD PARTIES, INCLUDING PROVIDERS OF THE NON-DRATA SERVICES, AND THAT THE RISK OF INJURY FROM SUCH NON-DRATA SERVICES RESTS ENTIRELY WITH CUSTOMER.
11.3.3 FROM TIME TO TIME, DRATA MAY OFFER NEW “BETA” FEATURES OR TOOLS WITH WHICH CUSTOMER MAY EXPERIMENT. SUCH FEATURES OR TOOLS ARE OFFERED SOLELY FOR EXPERIMENTAL PURPOSES AND WITHOUT ANY WARRANTY OR LIABILITY OF ANY KIND, AND MAY BE MODIFIED OR DISCONTINUED AT DRATA’S SOLE DISCRETION.
11.3.4 CUSTOMER ACKNOWLEDGES AND AGREES THAT THE SERVICES AND THE REPORTS PROVIDED BY DRATA TO CUSTOMER ARE INTENDED AS RECOMMENDATIONS ONLY AND DO NOT CONSTITUTE ANY WARRANTY OR GUARANTY THAT CUSTOMER, BY FOLLOWING SUCH RECOMMENDATIONS, WILL BE FULLY COMPLIANT WITH ANY APPLICABLE STANDARDS CONTEMPLATED BY THE SERVICES. CUSTOMER ACKNOWLEDGES AND AGREES THAT IT IS SOLELY CUSTOMER’S RESPONSIBILITY TO ENSURE THAT IT COMPLIES WITH ALL SUCH APPLICABLE STANDARDS.
SECTION 12. INDEMNIFICATION
12.1 Indemnification by Drata. Drata will indemnify and defend the Customer from and against any claim brought by a third party against Customer alleging that Customer’s use of a Service as permitted hereunder infringes or misappropriates a third party’s valid patent, copyright, trademark or trade secret in the United States (an “IP Claim”). Drata shall, at Drata’s expense, defend such IP Claim and pay damages finally awarded against Customer in connection therewith, including reasonable fees and expenses of attorneys engaged by Drata for such defense, provided that (i) Customer promptly notifies Drata of the threat or notice of such IP Claim; (ii) Drata will have sole, exclusive control and authority to select defense attorneys, defend and/or settle any such IP Claim (however, Drata shall not settle or compromise any claim that results in liability or admission of any liability by Customer without Customer’s prior written consent); and (iii) Customer fully cooperates with Drata in connection therewith. If use of a Service by Customer or Users has become, or, in Drata’s sole discretion, is likely to become, the subject of any such IP Claim, Drata may, at Drata’s option and expense (a) procure for Customer the right to continue using the Service(s) as set forth hereunder; (b) replace or modify a Service to make it non-infringing; or (c) if options (a) or (b) are not commercially reasonable or practicable as determined in Drata’s sole discretion, terminate Customer’s subscription to the Service(s) and repay Customer, on a pro-rata basis, any Subscription Charges paid to Drata for the unused portion of Customer’s Subscription Term for such Service(s). Drata will have no liability or obligation under this Section 12.1 with respect to any IP Claim if such claim is caused in whole or in part by (x) compliance with designs, data, instructions or specifications provided by Customer; (y) modification of the Service(s) by anyone other than Drata or Drata Personnel; or (z) the combination, operation or use of the Service(s) with other hardware or software where a Service would not by itself be infringing. The provisions of this Section 12.1 state the sole, exclusive and entire liability of Drata to Customer and Customer’s sole remedy with respect to an IP Claim brought by reason of access to or use of a Service by Customer or Users.
12.2 Indemnification by Customer. Customer will indemnify, defend and hold Drata harmless against any claim brought by a third party against Drata arising from or related to (i) Customer’s use of the Services in an unlawful manner or in violation of this Agreement, an Order Form or the Documentation; (ii) Customer Data or Customer Marks infringes or misappropriates a third party’s valid patent, copyright, trademark or trade secret (each, a “Claim Against Drata”); provided that (a) Drata promptly notifies Customer of the threat or notice of such claim; (b) Customer will have the sole and exclusive control and authority to select defense attorneys, and to defend and/or settle any such claim (however, Customer shall not settle or compromise any claim that results in liability or admission of any liability by Drata without Drata’s prior written consent); and (c) Drata fully cooperates with Customer in connection therewith.
SECTION 13. LIMITATION OF LIABILITY
13.1 EXCLUSION OF DAMAGES. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY (WHETHER IN CONTRACT, TORT, NEGLIGENCE OR OTHERWISE) SHALL EITHER PARTY TO THIS AGREEMENT, OR THEIR RESPECTIVE AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SERVICE PROVIDERS, SUPPLIERS OR LICENSORS, BE LIABLE TO THE OTHER PARTY OR ITS AFFILIATES FOR ANY LOST PROFITS, LOST SALES OR BUSINESS, LOST DATA (WHERE SUCH DATA IS LOST IN THE COURSE OF TRANSMISSION VIA CUSTOMER’S SYSTEMS OR OVER THE INTERNET THROUGH NO FAULT OF DRATA), BUSINESS INTERRUPTION, LOSS OF GOODWILL, COSTS OF COVER OR REPLACEMENT, OR FOR ANY OTHER TYPE OF INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, CONSEQUENTIAL OR PUNITIVE LOSS OR DAMAGES, OR FOR ANY OTHER INDIRECT LOSS OR DAMAGES INCURRED BY THE OTHER PARTY OR ITS AFFILIATES IN CONNECTION WITH THIS AGREEMENT, THE SERVICES OR PROFESSIONAL SERVICES, REGARDLESS OF WHETHER SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF OR COULD HAVE FORESEEN SUCH DAMAGES.
13.2 LIMITATION OF LIABILITY. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT, DRATA’S AGGREGATE LIABILITY TO THE CUSTOMER, ITS AFFILIATES, OR ANY THIRD PARTY ARISING OUT OF THIS AGREEMENT, THE SERVICES OR PROFESSIONAL SERVICES, SHALL IN NO EVENT EXCEED THE SUBSCRIPTION CHARGES AND/OR PROFESSIONAL SERVICES FEES PAID BY THE CUSTOMER DURING THE TWELVE (12) MONTHS PRIOR TO THE FIRST EVENT OR OCCURRENCE GIVING RISE TO SUCH LIABILITY. CUSTOMER ACKNOWLEDGES AND AGREES THAT THE ESSENTIAL PURPOSE OF THIS SECTION 13.2 IS TO ALLOCATE THE RISKS UNDER THIS AGREEMENT BETWEEN THE PARTIES AND LIMIT POTENTIAL LIABILITY GIVEN THE SUBSCRIPTION CHARGES AND PROFESSIONAL SERVICES FEES, WHICH WOULD HAVE BEEN SUBSTANTIALLY HIGHER IF DRATA WERE TO ASSUME ANY FURTHER LIABILITY OTHER THAN AS SET FORTH HEREIN. DRATA HAS RELIED ON THESE LIMITATIONS IN DETERMINING WHETHER TO PROVIDE CUSTOMER WITH THE RIGHTS TO ACCESS AND USE THE SERVICES AND/OR THE PROFESSIONAL SERVICES PROVIDED FOR IN THIS AGREEMENT. THE LIMITATIONS SET FORTH IN THIS SECTION 13.2 SHALL NOT APPLY TO CLAIMS OR DAMAGES RESULTING FROM A PARTY’S IP INDEMNITY OBLIGATIONS SET FORTH IN SECTION 12 OF THIS AGREEMENT OR CUSTOMER’S BREACH OF ITS OBLIGATIONS SET FORTH IN SECTION 2.3.
13.3 LIMITATION OF LIABILITY IN THE AGGREGATE. THE LIMITATION OF LIABILITY PROVIDED FOR HEREIN APPLIES IN AGGREGATE TO ANY AND ALL CLAIMS BY CUSTOMER AND ITS AFFILIATES, AND SHALL NOT BE CUMULATIVE.
13.4 Jurisdiction-specific exclusions. Some jurisdictions do not allow the exclusion of implied warranties or limitation of liability for incidental or consequential damages or for a party’s own fraud, willful injury to the person or property of another, or violation of law, which means that some of the above limitations may not apply to Customer. IN THESE JURISDICTIONS, DRATA’S LIABILITY WILL BE LIMITED TO THE GREATEST EXTENT PERMITTED BY LAW.
13.5 Enforceable against Drata. Any claims or damages that Customer may have against Drata shall only be enforceable against Drata and not any other entity, nor any officers, directors, representatives or agents of Drata or any other entity.
SECTION 14. ASSIGNMENT, ENTIRE AGREEMENT AND AMENDMENT
14.1 Assignment. Except as permitted herein, neither party may, directly or indirectly, by operation of law or otherwise, assign all or any part of this Agreement or rights under this Agreement, or delegate performance of its duties under this Agreement, without written prior consent of the other party, which consent will not be unreasonably withheld. Notwithstanding the foregoing (i) subject to Customer’s compliance with Section 2 herein, Customer may, without Drata’s consent, assign this Agreement to an Affiliate or in connection with any merger or change of control of Customer or the sale of all or substantially all of Customer’s assets, provided that any such successor agrees to fulfill its obligations pursuant to this Agreement; and (ii) Drata may assign this Agreement without Customer’s consent to any member of Drata or in connection with any merger or change of control of Drata or Drata or the sale of all or substantially all of Drata’s assets provided that any such successor agrees to fulfill its obligations pursuant to this Agreement. If requested by Drata, Customer shall execute an assignment to give effect to Drata’s assignment. Subject to the foregoing restrictions, this Agreement will be fully binding upon, inure to the benefit of and be enforceable by the Parties and their respective successors and assigns.
14.2 Entire Agreement. This Agreement constitutes the entire agreement and supersedes any and all prior agreements between Customer and Drata, with regard to the subject matter hereof. This Agreement shall apply in lieu of the terms or conditions in any purchase order, request for information, request for proposal, or other order documentation Customer or any entity which Customer represents provide(s) and all such terms or conditions in such purchase order, request for information, request for proposal, or other order documentation are null and void. Except as expressly stated herein, there are no other agreements, representations, warranties or commitments which may be relied upon by either Party with respect to the subject matter hereof. There are no oral promises, conditions, representations, understandings, interpretations or terms of any kind between the Parties, except as may otherwise be expressly provided herein. The headings used herein are for convenience only and shall not affect the interpretation of the terms of this Agreement.
14.3 Amendment. Drata may amend this Agreement from time to time, in which case the new Agreement will supersede prior versions. Drata will notify the Customer not less than thirty (30) days prior to the effective date of any such amendment and Customer’s continued use of the Services following the effective date of any such amendment may be relied upon by Drata as Customer’s consent to any such amendment. Drata’s failure to enforce at any time any provision of this Agreement does not constitute a waiver of that provision or of any other provision of this Agreement.
SECTION 15. SEVERABILITY
If any term in this Agreement is determined to be invalid or unenforceable by a competent court or governing body, such term shall be replaced with another term consistent with the purpose and intent of this Agreement, and the remaining provisions of this Agreement shall remain in effect.
SECTION 16. EXPORT COMPLIANCE AND USE RESTRICTIONS
The Services and other Drata technology, and derivatives thereof, may be subject to export controls and economic sanctions laws and regulations of the United States and other jurisdictions. Customer agrees to comply with all such laws and regulations as they relate to the access to and use of the Services and other Drata technology.
Each Party represents that it (nor its parents or controlling shareholders) is not named on (nor directly or indirectly owned 50% or greater, in the aggregate, or otherwise controlled by, a person or persons named on) any U.S. government or other applicable restricted-party list, and Customer will not, and will not permit any User to: (a) access or use any Service in a U.S.-embargoed or U.S.-sanctioned country or region, (e.g., Cuba, Iran, North Korea, Syria, the Crimea region of Ukraine, the so-called Donetsk People’s Republic and Luhansk People’s Republic regions of Ukraine, or any other country or region embargoed or sanctioned during the Subscription Term); (b) access or use any Service if Customer or User is named on (or directly or indirectly owned 50% or greater, in the aggregate, or otherwise controlled by, a person or persons named on) any U.S. government or other applicable restricted-party list; (c) place any information in the Services that is controlled under the U.S. International Traffic in Arms Regulations or other similar laws; or (d) access or use any Service for any purpose prohibited by the United States or applicable international import and export laws and regulations. Drata shall have no obligation or liability to Customer if a governmental or regulatory action restricts access to the Services, and Customer agrees that this Agreement and any Order Form expressly exclude any right to access the Services from a jurisdiction where such governmental or regulatory restriction is in effect. Drata reserves the unconditional right to refuse to enter into or to terminate a contractual relationship with any particular company, legal entity or individual on the basis of export control restrictions, embargoes, sanctions or other considerations to the extent permitted by law.
SECTION 17. RELATIONSHIP OF THE PARTIES
The Parties are independent contractors, and this Agreement does not create a partnership, franchise, joint venture, general agency, fiduciary or employment relationship between the Parties. Customer is solely responsible for determining whether the Services meet Customer’s technical, business, or regulatory requirements. Drata’s business partners and other third parties, including any third parties with which the Services have integrations or that are retained by Customer to provide consulting services, implementation services or applications that interact with the Services, are independent of Drata.
SECTION 18. NOTICE
18.1 Notices to Customer. All notices provided by Drata to Customer under this Agreement may be delivered in writing by (a) nationally recognized overnight delivery service (“Courier”) or U.S. mail to the contact mailing address provided by Customer on any Order Form; or (b) electronic mail to the electronic mail address provided by Customer for the Account admin.
18.2 Notices to Drata. All legal notices provided by Customer to Drata under this Agreement must be delivered in English and in writing by (a) Courier or U.S. mail to 4660 La Jolla Village Drive, Suite 100, San Diego, California 92122 U.S.A. Attn: Legal Department; or (b) electronic mail to [email protected]. All other notices provided by Customer to Drata under this Agreement must be delivered in English and in writing by electronic mail to [email protected].
18.3 All notices provided by either Party to the other shall be deemed to have been given immediately upon delivery by electronic mail; or upon the earlier of proof of receipt or two (2) business days after being deposited in the mail or with a Courier as permitted above.
SECTION 19. GOVERNING LAW
This Agreement shall be governed by the laws of the State of California, without reference to conflict of laws principles.
Any disputes under this Agreement shall be resolved in a court of general jurisdiction in San Francisco County, California. Customer hereby expressly agrees to submit to the exclusive personal jurisdiction of this jurisdiction for the purpose of resolving any dispute relating to this Agreement or relating to access to or use of the Services by Customer or Users.
SECTION 20. FEDERAL GOVERNMENT END USE PROVISIONS
If Customer is a U.S. federal government department or agency or contracting on behalf of such department or agency, each of the Services is a “Commercial Product” as that term is defined at 48 C.F.R. §2.101, consisting of “Commercial Computer Software” and “Commercial Computer Software Documentation”, as those terms are used in 48 C.F.R. §12.212 or 48 C.F.R. §227.7202. Consistent with 48 C.F.R. §12.212 or 48 C.F.R. §227.7202-1 through 227.7202-4, as applicable, the Services are licensed to the Customer with only those rights as provided under the terms and conditions of this Agreement.
SECTION 21. ETHICAL CONDUCT AND COMPLIANCE
Neither Party, nor any of its employees or agents, has offered, received or been offered, directly or indirectly, any illegal or improper bribe or kickback (whether in the form of a payment, gift, undue advantage, or thing of value), or will offer or accept the same in connection with this Agreement. All parties agree to comply with the US Foreign Corrupt Practices Act of 1977, the UK Bribery Act of 2010, and any equivalent anti-corruption requirements in other jurisdictions that are reasonably applicable to this Agreement. Modest and reasonable gifts, meals, entertainment, and other hospitality, provided in the ordinary course of business and without any corrupt intent to obtain or retain business, or influence a government decision, will not violate the above restriction. Drata will abide by its internal Code of Conduct in the provision of the Services.
If Customer learns of any violation of the above restrictions by Drata, Customer will use reasonable efforts to promptly notify Drata at https://report.syntrio.com/drata.
SECTION 22. INSURANCE
Drata will maintain, at its own expense, adequate insurance coverage as required by law or regulation, with an insurance carrier or carriers having an A.M. Best rating of A- or better, or an equivalent rating by another rating agency in the following minimum amounts: (i) Comprehensive General Liability – not less than $1,000,000 per occurrence, $2,000,000 general aggregate; (ii) Errors and Omissions (including Cyber & Privacy) – not less than $5,000,000 in the aggregate; and (iii) Workers Compensation Coverage – as required by applicable law. Drata will furnish a Certificate of Insurance evidencing its insurance coverage to Customer via Drata’s Trust Center. Should any of the above described policies be canceled or reduced in coverage type or amount then notice will be provided to Customer.
SECTION 23. SURVIVAL
Sections 2.3, 3.5, 3.6, 4.6, 5 – 6, 10, 12 – 19 and 23 shall survive termination of this Agreement with respect to use of the Services by Customer and Users. Termination of this Agreement shall not limit a Party’s liability for obligations accrued as of or prior to termination or for any breach of this Agreement.
SECTION 24. DEFINITIONS
When used in this Agreement with initial letters capitalized, these terms have the following meaning:
“Account” means any accounts or instances created by, or on behalf of, Customer or its Affiliates within the Services.
“Affiliate(s)” means, with respect to a Party, any entity that directly or indirectly controls, is controlled by, or is under common control with such Party, whereby “control” (including, with correlative meaning, the terms “controlled by” and “under common control”) means the possession, directly or indirectly, of the power to direct, or cause the direction of the management and policies of such person, whether through the ownership of voting securities, by contract, or otherwise.
“Agreement” means this Agreement together with any and all Order Forms, Statements of Work and other mutually executed documents.
“API” means the application programming interfaces developed, made available and enabled by Drata that permit Customers to access certain functionality provided by the Services, including, without limitation, the REST API that enables the interaction with the Services automatically through HTTP requests and the application development API that enables the integration of the Services with other web applications.
“Authorized Subprocessors Page” means https://drata.com/sub-processors.
“Confidential Information” means all information disclosed by one Party to the other Party which is in tangible form and designated as confidential or is information, regardless of form, which a reasonable person would understand to be confidential given the nature of the information and circumstances of disclosure, including but not limited to the pricing terms, product plans and designs, business processes, security notifications, and customer advocacy communications. Notwithstanding the foregoing, Confidential Information shall not include information that (i) was already known to the receiving Party at the time of disclosure by the disclosing Party; (ii) was or is obtained by the receiving Party from a third party not known by the receiving Party to be under an obligation of confidentiality with respect to such information; (iii) is or becomes generally available to the public other than by violation of this Agreement or another valid agreement between the Parties; or (iv) was or is independently developed by the receiving Party without the use of the disclosing Party’s Confidential Information.
“Customer” means the party specified above with the address as set forth on the Order Form and may also be referred to as “You” or “Your.”
“Customer Data” means all electronic data, text, messages, communications or other materials submitted to and stored within a Service by Customer or Users in connection with Customer’s use of such Service, excluding User Contact Information.
“Customer Marks” means any trademarks, service marks, service or trade names, taglines, logos or other designations of Customer.
“Data Controller” refers to the entity that determines the purposes and means for processing personal data.
“Documentation” means any written or electronic documentation, images, video, text or sounds specifying the functionalities or limitations of the Services or describing Service plan types, as applicable, provided or made available by Drata to Customer in the applicable Drata help center(s) or Site; provided, however, that Documentation shall specifically exclude any “community moderated” forums as provided or accessible through such knowledge base(s).
“Drata” means Drata Inc., a Delaware corporation, or any of its successors or assignees and may also be referred to as “We,” “Us” or “Our.”
“Drata Marks” means any trademarks, service marks, service or trade names, taglines, logos or other designations of Drata, Drata, or its or their Affiliates, whether registered or unregistered.
“Drata Personnel” means employees and/or non-employee contractors of Drata engaged by Drata in connection with performance hereunder.
“Drata’s Trust Center” means the trust center and policies at https://trust.drata.com/.
“Fees” means fees and charges set forth in Order Forms, including but not limited to, Subscription Charges.
“Free Trial Services” means Services that Drata makes available to Customer on a free trial basis, including as part of an evaluation or proof of concept.
“Force Majeure Events” means any circumstances beyond Drata’s reasonable control, including, but not limited to, an act of God, act of government, pandemic, flood, fire, earthquake, civil unrest, act of terror, strike or other labor problem (other than one involving Drata employees), Internet service provider failure or delay, Non-Drata Services, or acts undertaken by third parties, including without limitation, denial of service attack.
“Intellectual Property Rights” means any and all of a Party’s patents, inventions, copyrights, trademarks, domain names, trade secrets, know-how and any other intellectual property and/or proprietary rights.
“Malicious Software” means any viruses, malware, Trojan horses, time bombs, or any other similar harmful software.
“Non-Drata Services” means third-party products, applications, services, software, networks, systems, directories, websites, databases and information which a Service links to, or which Customer may connect to or enable in conjunction with a Service, including, without limitation, Non-Drata Services which may be integrated directly into an Account by Customer or at Customer’s direction.
“Order Form” means Drata’s generated Order Form form(s) or online ordering document or process completed, executed or approved by Customer with respect to Customer’s subscription to a Service, which may detail, among other things, the applicable plan type.
“Privacy Notice” means Drata’s Privacy Notice located at https://drata.com/privacy.
“Professional Services” means consulting or professional services (including any training, success and implementation services) provided by Drata Personnel as indicated on an Order Form or other written document such as an SOW. Professional Services may also be referred to as Consulting Services in the Documentation or SOW.
“Security Incident” means (i) any verified unauthorized use of, loss of, access to or disclosure of, Customer’s Customer Data; provided that an incidental disclosure of Customer Data to an authorized party or Drata, or incidental access to Customer Data by an authorized party or Drata, where no reasonable suspicion exists that such disclosure or access involves theft, or is fraudulent, criminal or malicious in nature, shall not be considered a “Security Incident” for purposes of this definition, unless such incidental disclosure or incidental access triggers a notification obligation under any applicable law; or (ii) any Personal Data Breach as defined in the DPA.
“Service(s)” means the products and services that are used or ordered by Customer online through a link or via an Order Form referencing this Agreement, whether on a trial or paid basis, and made available online by Drata, via the applicable Customer login link and other web pages designated by Drata, including, individually and collectively, the applicable Software, updates, API, Documentation, and all Deployed Associated Services that are provided under this Agreement. “Services” exclude Non-Drata Services as that term is defined in this Agreement. From time to time, the names and descriptions of the Services or any individual Service may be changed. To the extent Customer is given access to such Service as so described by virtue of a prior Order Form or other prior acceptance of this Agreement, this Agreement shall be deemed to apply to such Service as newly named or described.
“Site” means a website operated by Drata, including www.drata.com, as well as all other websites that Drata operates (but shall not include the Services).
“Subscription Charges” means Drata’s price for the applicable Services related to Customer’s access to and use of an Account.
“Subprocessor(s)” means any third-party data processor engaged by Drata who receive Customer Data from Drata for processing on behalf of Customer and in accordance with Customer’s instructions (as communicated by Drata) and the terms of its written subcontract, as provided on the Authorized Subprocessors Page.
“Subscription Charges” means all charges associated with Customer’s access to and use of an Account.
“Subscription Term” means the period during which Customer has agreed to subscribe to a Service.
“Supplemental Terms” means additional terms and conditions that may be (i) included or incorporated on an Order Form via hyperlink or other reference; (ii) applicable to Professional Services when purchased by Customer; and (iii) applicable to additional features when activated by Customer.
“Taxes” means taxes, levies, duties or similar governmental assessments, including value-added, sales, use or withholding taxes assessable by any local, state, provincial or foreign jurisdiction.
“Usage Charges” means additional Subscription Charges that are incurred by Customer relating to the use of certain features and functionality that Customer enables within the Service where pricing is based on Customer’s usage as detailed in an Order Form.
“User(s)” means, in the case of an individual accepting this Agreement on their own behalf, such individual, or, in the case of an individual accepting this Agreement on behalf of a company or other legal entity, an individual who Customer authorizes to use the Services pursuant to Customer’s rights under this Agreement, for whom Customer has purchased a subscription (or, for Free Trial Services, for whom Services have been provisioned by Drata), and to whom Customer (or, when applicable, Drata at Customer’s request) has supplied a username and password. Users may include, for example, employees, consultants, advisors, contractors and agents of Customer.
“User Conduct and Content Policy” means the policy found in Drata’s Trust Center.