Field Effect Covalence™ Managed Services – Terms of Service

These terms of service (“Terms of Service”) govern the Service (as defined below) to be delivered to Customer by Field Effect Software Inc., 207-825 Exhibition Way, Ottawa, Ontario, K1S 5J3, Canada (“Field Effect”), as specified in an Order Form. Customer agrees to be bound by these Terms of Service as well as the Order Form, the Privacy Policy (as defined below) and any additional terms incorporated by reference (collectively, the “Agreement”). This Agreement is effective on the Effective Date set out on the Order Form.

1. Definitions

1.1. “Account” is defined in Section 2.4;

1.2. “Agreement” is defined in the preamble above;

1.3. “Ancillary Services” are secondary services that may be provided in support of a Customer engagement, including but not limited to computer and network forensic analysis, general IT advice and guidance, and recommendation of IT security best practices;

1.4. “Business Day” means between 9AM to 5PM Eastern Time on a day other than a Saturday, Sunday, or statutory holiday in the Province of Ontario;

1.5. “Confidential Information” means any data, documentation, or other information of a proprietary or confidential nature, whether or not identified as being confidential or proprietary, which is disclosed or made available by a party to the other party in connection with this Agreement. Confidential Information does not include information that the receiving Party can establish, with reasonable evidence, that: (i) the receiving party already knew; (ii) becomes public through no fault of the receiving party; (iii) was independently developed by the receiving party; or (iv) was rightfully given to the receiving party by a third party. Confidential Information, for the purposes of this Agreement, does not include any Personal Information;

1.6. “Customer” means the customer identified in the applicable Order Form, including, as applicable, Users;

1.7. “Daily” means between 8AM to 8PM Eastern Time on a day other than a Saturday, Sunday or statutory holiday in the Province of Ontario;

1.8. “Customer Data” means any data or other information provided, transmitted, displayed or made available by or through the Service by Customer or Users;

1.9. “Event of Force Majeure” is defined in Section 15.5;

1.10. “Fees” means the fees and charges specified in the Order Form;

1.11. “Field Effect” is defined in the preamble above;

1.12. “Hardware” means any Field Effect hardware as set out in the Order Form;

1.13. “High Risk Activity” means activities with a likelihood of injury or death, including but not limited to controlling aircrafts or other modes of human mass transportation, nuclear or chemical facilities, life support systems, weaponry systems or any similar scenario where failure could lead to personal injury, death or environmental damages;

1.14. “Intellectual Property Rights” means any right that is or may be granted or recognized under any Canadian or foreign legislation regarding patents, copyrights, neighbouring rights, moral rights, trade-marks, trade names, service marks, industrial designs, mask work, integrated circuit typography, privacy, publicity, celebrity or personality rights and any other statutory provision or common or civil law principle regarding intellectual and industrial property, whether registered or unregistered, and including rights in any application for any of the foregoing;

1.15. “Licensed Software” means the Field Effect Covalence™ software and any other Field Effect software specified in the Order Form to be installed in Customer network and connected to the Managed Service Network;

1.16. “Managed Service Network” means Field Effect’s computer network used to provide the Service;

1.17. “Order Form” means an order form for the Service signed and submitted by Customer and accepted by Field Effect, and which incorporates these Terms of Service by reference;

1.18. “Personal Information” means information about an identifiable individual;

1.19. “Privacy Policy” is defined in Section 6.1;

1.20. “Service” means Field Effect’s managed cyber security monitoring service, including any Licensed Software or Ancillary Services, as specified on an applicable Order Form;

1.21. “Service Level” is defined in Section 5.1;

1.22. “Support Response Time” means the applicable support response time period included for the Service Level selected by Customer on the Order Form and described in Section 5.5;

1.23. “Term” is defined in Section 11.1;

1.24. “Third Party Materials” means data, services, content, software, hardware, add-ons or applications provided by a third party that interoperates with or is complimentary to the Service. Third Party Materials may include an application that is listed in a catalog or package offered by Field Effect;

1.25. “Threat Intelligence” is defined in Section 6.2;

1.26. “Threat Response Time” means the applicable threat response time period included for the Service Level selected by Customer on the Order Form and described in Section 5.4; and

1.27. “User” means any individual who uses or gains access to the Service through the Customer’s Account.

2. Use of the service

2.1. Customer may only receive and use the Service: (i) during the Term; (ii) for its own internal business purposes; and (iii) in accordance with this Agreement. If Customer does not understand these Terms of Service or any part of this Agreement, or does not agree to any of these Terms of Service or the Agreement, then Customer must not use the Service.

2.2. Field Effect may deliver the Service with the assistance of its affiliates, subcontractors, or suppliers. Notwithstanding the foregoing, Field Effect will remain responsible to Customer for delivery of the Service.

2.3. Customer and Users must comply with all laws, rules, and regulations applicable to Customer’s use of the Service and to any Customer Data.

2.4. Customer must have an account to use the Service (“Account”). Customer is responsible for the information provided to create Customer’s Account, the security and passwords for Customer’s Account, and for any use (or User’s use) of Customer’s Account. Customer must keep login credentials confidential. If Customer believes its Account has been compromised, or if Customer becomes aware of any unauthorized use of its Account, Customer will notify Field Effect by e-mail as promptly as possible at security@fieldeffect.com.

2.5. Compliance. Field Effect may monitor use of the Service to verify Customer’s and Users’ compliance with this Agreement. Field Effect may request information from Customer to assist with such verification, and Customer shall provide such information to Field Effect. If Field Effect reasonably believes that a problem with the Service may result from Customer Data or Customer’s use of the Service, Customer will cooperate with Field Effect to identify and resolve the problem.

2.6. Monitoring. Field Effect may monitor use of the Service by Customer and Users, and collect configuration, performance, usage, and consumption data relating to such use, in order to: (i) facilitate or improve delivery of the Service; and (ii) improve Field Effect’s products and services. Field Effect will not access any Customer Data except as necessary to provide the Service.

2.7. Modification of the Service. Field Effect may, from time to time: (i) change (a) the Service, (b) the terms governing Customer’s use of the Service, or (c) any portion of the documentation relating to the Service (including the Privacy Policy); or (ii) elect to cease providing any aspect of the Service. Field Effect will give Customer prior notice of changes, and the effective dates of any changes, by posting a notice at https://my.fieldeffect.net, or via email or other communications Field Effect typically uses to notify Customer of changes. The modifications will become effective on the date specified in such notice. Customer’s continued use of the Service after such effective date will be deemed acceptance of the modified terms. If Field Effect makes a material or detrimental change to the Service, to the terms governing Customer’s use of the Service, or to any part of the Service documentation that affects Customer’s use or ability to use the Service, Customer may terminate this Agreement by notifying Field Effect no later than thirty (30) days after the effective date of the change. If Customer terminates this Agreement pursuant to this Section 2.7, the termination will be effective as of: (i) the date Field Effect receives Customer’s notice, or (ii) any later date specified in such notice. Customer will be responsible for all Fees incurred up to and including the effective date of any termination pursuant to this Section 2.7.

3. Customer Obligations

3.1. Customer is responsible for ensuring that all Users comply with Customer’s obligations under this Agreement.

3.2. Customer is responsible for maintaining a suitable connection to the Managed Service Network and for ensuring that Customer contacts identified in the Order Form are available and responsive when contacted by Field Effect to address and resolve service related incidents.

3.3. Customer and Users must not: (i) resell, sublicense, or distribute any aspect of the Service; (ii) copy, modify, or create derivative works of, reverse engineer, decompile, translate, disassemble, or otherwise attempt to extract any source code of any Licensed Software; (iii) use the Service to directly or indirectly create, train, or improve a substantially similar service or product; (iv) use the Service in connection with any High Risk Activity; (v) access the Service in a manner intended to avoid incurring Fees or accepting this Agreement or any other applicable terms; (vi) engage in, promote or encourage illegal activity; (vii) use the Service for any unlawful, invasive, infringing, defamatory or fraudulent purpose (e.g., phishing); (viii) use the Service to intentionally distribute viruses, worms, Trojan horses, corrupted files, hoaxes, or other items of a destructive or deceptive nature; (ix) interfere with the use of the Service, or any equipment used to provide the Service, by other users; (x) disable, interfere with or circumvent any aspect of the Service; (xi) generate, distribute, publish or facilitate unsolicited mass email, promotions, advertisements, or other solicitations; or (xii) use the Service or any interfaces provided by the Service to access any other Field Effect product or service in a manner that violates or avoids the terms with respect to such other Field Effect product or service.

3.4. If Customer becomes aware that any Customer Data or any use of the Service violates Section 3.3, Customer must take prompt action to remove the applicable Customer Data and/or suspend such use of the Service. Field Effect may require that Customer take action within a specified period of time. If Customer fails to comply with such request, then Field Effect may suspend Customer’s use of the Service pursuant to Section 10.

3.5. As part of or through Customer’s use of the Service, Customer may receive access to Third Party Materials. Customer is responsible for complying with any terms that may be presented to Customer when Customer accesses or receives such Third Party Materials. Except as may be expressly provided, Third Party Materials are available “AS IS” without indemnification, support (unless otherwise specified), or warranty or condition of any kind from Field Effect.

4. Payment Terms

4.1. Customer will be responsible for paying a monthly recurring fee for the Service and any applicable fees for Licensed Software and/or Hardware (together the “Fees”), as set out in the Order Form. Fees do not include any applicable commodity taxes, or other taxes levied or assessed by any local and/or government authority, as well as surcharges for foreign taxes or those imposed by third-party providers, and any applicable withholding tax (collectively “Taxes”) and Customer will be responsible for paying such Taxes. Field Effect will invoice Customer monthly in advance (unless otherwise set forth in the Order Form) for the monthly recurring fee for the Service, applicable Licensed Software and/or Hardware (if being paid by monthly recurring installments) and Taxes.

4.2. Payment. Payment may be made by credit card, cheque, electronic funds transfer or wire transfer. Field Effect, in its sole discretion, reserves the right to change acceptable methods of payment upon prior notice to Customer. Customer must pay all Fees, in the amount and currency specified in the applicable invoice, no later than thirty (30) days after the date of the invoice. If any legislation authorizes Customer to purchase the Service, and any applicable Licensed Software and/or Hardware, without payment of commodity taxes, Customer must supply Field Effect with sufficient evidence of such authorization. Fees and Taxes are subject to a late payment charge at the rate specified in the invoice, which rate may vary from time to time, calculated from the date of invoice, if Fees and Taxes are not paid when due.

4.3. Disputed Charges. If Field Effect determines that certain billing inaccuracies are attributable to Field Effect, Field Effect will not issue a corrected invoice, but will instead issue a credit memo specifying the incorrect amount in the affected invoice. If the disputed invoice has not yet been paid, Field Effect will apply the credit memo amount to the disputed invoice, and Customer will be responsible for paying the resulting net balance due on that invoice. Otherwise, the credit will be applied to the next invoice.

5. Support and service levels

5.1. Field Effect will use commercially reasonable efforts to ensure the Service performs substantially in accordance with this Agreement and the service level objectives and response times for the service level selected in the Order Form (“Service Level”), if any, for the Term, provided that the Service, including any Licensed Software and Hardware, has at all times been used in accordance with this Agreement. If Field Effect fails to meet any such objective or response time, and Customer notifies Field Effect, then Field Effect will, as its sole obligation and Customer’s exclusive remedy: (i) for any breach of the applicable objective, use commercially reasonable efforts to remedy the failed service level objective; or (ii) for any failure to meet a response time, provide a response as soon as possible. Notwithstanding the foregoing, Service availability will be subject to: (i) regularly scheduled maintenance; (ii) unscheduled maintenance with advance notice that Services may be interrupted, where feasible; (iii) failures of Internet connectivity; (iv) Customer’s failure to meet any minimum Hardware or Licensed Software requirements specified by Field Effect; or (v) any other reason beyond Field Effect’s reasonable control.

Field Effect staff are available during “Support Hours”, which are from 8am to 8pm EST, seven days a week.

5.2. Customer will be provided advance notice of scheduled maintenance outages and, in the event of an unscheduled system outage, Field Effect will use commercially reasonable efforts to provide advance notice and to restore the Service to normal operation as quickly as possible. All reasonable efforts will be made to minimize potential Customer disruption.

5.3. Field Effect will provide support for Customer’s use of the Service in accordance with the applicable service level objectives and support descriptions based on the Service Level.

5.4. Field Effect will use commercially reasonable efforts to notify Customer of potential, suspected or confirmed cyber security events in accordance with the applicable “Threat Response Time”:

  1. Urgent (e.g. probable compromise, or vulnerable system under direct threat) – Customer will be notified during Support Hours; and,
  2. All other priorities – Customer will be notified about events during Daily hours only.

While Field Effect aims to meet the applicable Threat Response Time, there is no guaranteed response time. Field Effect’s systems may generate automated alerting for events sooner than the applicable Threat Response Time. However, Field Effect will be available for follow up during the applicable Threat Response Time.

5.5. Field Effect will, as part of the Service, accept support tickets through the support platforms made available to the Customer for Customer’s selected Service Level. Field Effect will use commercially reasonable efforts to acknowledge support tickets submitted by Customer in accordance with the following “Support Response Times”, during Field Effect’s Support Hours:

  1. Tickets submitted with an “urgent” priority will be acknowledged within one (1) hour;
  2. Tickets submitted with a “high” priority will be acknowledged within eight (8) hours;
  3. Tickets submitted with a “medium” or “normal” priority will be acknowledged within two (2) Business Days; and
  4. All other tickets submitted with “low” or no priority identified will be acknowledged within five (5) Business Days.

Field Effect, in its sole discretion, reserves the right to modify the priority level of a support ticket submitted by Customer.

5.6. Field Effect will generate reports as part of the Service, in accordance with the reporting descriptions and reporting frequency specified for the applicable Service Level. Reports will be made available via email and via online portal, as determined by Field Effect.

5.7. Field Effect will conduct data analysis and system management activities as specified for the applicable Service Level. For greater clarity, data analysis will not include any traffic or data that has not been made available to Field Effect by Customer.

5.8. Field Effect will make available to the Customer certain additional services on an “as needed” basis, upon request by Customer. Rates for such additional services requested by the Customer will be charged at Field Effect’s current rates. Additional services include:

  1. Forensic Services – Forensic services (e.g., disk image analysis, network traffic capture analysis, log analysis, etc.) are available as required and requests are responded to as quickly as possible by Field Effect. If priority access is included for the applicable Service Level, then a response will be provided in the applicable Support Response Time.
  2. Cyber Security Concierge – Field Effect will respond to cyber security related questions and advice. Requests for such service are responded to as quickly as possible by Field Effect. If priority access is included for the Service Level, then a response will be provided in the applicable Support Response Time.
  3. Custom Services – Custom services (e.g., tailored sensor alert configuration) are available and, with the exception of an emergency, requests are addressed in order of receipt.

5.9. The individual listed as the Primary Contact on the Order Form will be notified, by email, of routine service notifications and suspected cyber security incidents. In the event of an urgent request, a confirmation reply email will be required from the Primary Contact. If a confirmation is not received within a reasonable time period, then the individual listed as the Secondary Contact on the Order Form will be notified. In the event that neither the Primary Contact nor the Secondary Contact answers via email, Field Effect will attempt to contact the Primary Contact and Secondary Contact by telephone, during the applicable Support Response Time hours.

5.10. The Technical Contact listed on the Order Form will be contacted during Support Hours for questions related to Customer’s network and system operation.

6. Data ownership, access and privacy

6.1. Ownership of the Service. As between the parties, Field Effect owns and retains all right, title and interest, and all Intellectual Property Rights in and to the Service, including all improvements, enhancements, modifications and derivative works thereto or thereof. This includes any information (other than Customer Data) that Field Effect collects and analyzes in connection with the Service and any reports generated by Field Effect. Customer’s rights to use the Service are limited to those expressly granted in this Agreement. No other rights with respect to the Service, any Licensed Software, any Hardware or any related Intellectual Property Rights are granted or implied.

6.2. Data Ownership. As between the parties, Customer and Users retain all right, title and interest in and to any Customer Data and all Intellectual Property Rights in such Customer Data. Field Effect’s rights to access and use Customer Data are limited to those necessary to deliver the Services. In delivering the Services, Field Effect may collect Customer Data and other information that relates to potential threats to Customer’s network(s) and may, subject to Section 6.3 below, use such Customer Data and other information to protect the networks of other Field Effect customers (“Threat Intelligence”). Field Effect will retain all right, title and interest in and to any such Threat Intelligence and all Intellectual Property Rights therein provided that Field Effect shall not disclose any Confidential Information of Customer, except as required by law.

6.3. Field Effect may collect, use, process, transfer, store and disclose Customer Data, including Personal Information, as required to provide the Service, and in accordance with Section 9.1 and Field Effect’s Terms & Privacy, found at: https://fieldeffect.com/terms-privacy/ (“Privacy Policy”). Customer warrants and represents that it has obtained all required consents and/or provided all required notifications to allow Field Effect to collect, use, process, transfer and disclose Customer Data, including Personal Information, as contemplated under this Agreement. If Customer or any Users are located in the European Union, the terms set out in Schedule “A” will apply.

6.4. Customer is responsible for ensuring that the security of the Service is appropriate for Customer’s intended use of the Service, and for the storage, hosting or processing of any Customer Data. Customer is responsible for taking and maintaining appropriate steps to protect confidentiality, integrity and security of all Customer Data from unauthorized access, use, loss or destruction. Those steps include, but are not limited to: (i) implementing any Field Effect guidance on deployment conditions; (ii) controlling the access that Customer provides to Users; (iii) configuring the Service appropriately; (iv) ensuring the security of Customer Data while it is in transit to and from the Service; (v) using encryption technology to protect Customer Data; and (vi) backing up Customer Data. Customer is responsible for providing any necessary notices to Users, and obtaining any legally required authorizations or consents from Users regarding their use of the Service.

7. Software

7.1. Depending on the configuration and implementation of the Service that Customer has purchased, as specified on the applicable Order Form, Customer may receive Licensed Software from Field Effect, to be used to deliver the Service. In such case, the terms of this Article 7 shall apply.

7.2. The Licensed Software must be installed in Customer’s on-premises network environment to enable Customer’s use of the Service. If such Licensed Software is subject to a separate licence agreement, Customer agrees to comply with the terms of such licence. If the Licensed Software does not have an accompanying licence agreement, then the licence terms set out in this Agreement will apply. Licensed Software may contain open source software, and Customer will be bound by any additional terms and conditions applicable to such software.

7.3. Subject to the terms and conditions of this Agreement, Field Effect grants to Customer, during the Term, a non-exclusive, non-transferable, non-assignable, royalty-free, license to install and use the Licensed Software solely for Customer’s internal, business purposes and in connection with the Service. Customer shall not, except with prior written approval of Field Effect, use the Licensed Software for the benefit of, or disclose the Licensed Software to, any other agency, department, person, company or other entity. Nothing in this Agreement constitutes a transfer of any Intellectual Property Rights in the Licensed Software. As between Field Effect and Customer, Field Effect owns all Intellectual Property Rights in the Licensed Software and any suggestions, comments or ideas that Customer contributes to or discloses to Field Effect with respect to the Licensed Software.

7.4. Field Effect may update and otherwise modify the Licensed Software at it sole discretion, provided such changes do not materially diminish the quality or level of service provided.

7.5. Customer must not: (i) use the Licensed Software for any purpose or in any manner other than as strictly required for Customer’s internal business purposes in connection with the Service; (ii) permit any third party to use the Licensed Software (except as may be permitted pursuant to Section 7.3); or (iii) unless and to the extent expressly permitted by applicable law, decompile, disassemble or otherwise reverse engineer the Licensed Software or permit any third party to do so.

8. Hardware

8.1. This Section 8 shall only apply if Customer’s use of the Service includes Hardware.

8.2. In the event that Customer orders any Hardware as part of the Service, Field Effect will ship the Hardware to Customer site. Customer will be responsible for ensuring the hardware is properly installed, powered on and connected to Customer’s network.

8.3. Unless otherwise indicated on the Order Form, all Hardware is to be returned to Field Effect upon termination or expiry of this Agreement.

8.4. Where Customer uses non-Field Effect hardware, Field Effect will not be responsible for providing support related to such non-Field Effect hardware, operating system configuration, hardware and system performance, and installation dependences (including required hardware or software packages).

8.5. Hardware support will be provided by the Hardware manufacturer. In cases of Hardware failure, Customer will contact Field Effect through an available support platform. Field Effect will notify the Hardware manufacturer and the Hardware manufacturer will deal with Customer directly to address the issue. Customer agrees to cooperate with the Hardware manufacturer for Hardware support activities, which may include a third party visiting Customer’s premises or the shipment of equipment back to Field Effect or a third party (at no additional cost).

9. Confidential information and personal information

9.1 Each party will: (i) protect the other party’s Confidential Information and Personal Information with the same standard of care it uses to protect its own Confidential Information and Personal Information (but in no event less than a reasonable standard of care); and (ii) not disclose Confidential Information or Personal Information, except to employees and agents who have agreed in writing to keep it confidential, on a need-to-know basis. Each party (and any employees and agents to whom it has disclosed Confidential Information or Personal Information) may use such Confidential Information or Personal Information only to exercise rights and fulfill obligations under this Agreement. Each party is responsible for any actions of its employees and agents in violation of this Section 9.1. Upon termination of this Agreement, the parties will promptly either return or destroy all Confidential Information and Personal Information, and, upon request, provide written certification of compliance with this Section 9.1. Notwithstanding the foregoing, the parties agree that this Section 9.1 does not operate to prevent the parties from retaining the other party’s business contact information (including business email addresses) after termination of this Agreement and in accordance with applicable laws.

9.2. If the receiving party is compelled by law to disclose Confidential Information or Personal Information of the disclosing party, the receiving party shall provide the disclosing party with prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the disclosing party’s cost, if the disclosing party wishes to contest the disclosure.

9.3. If the receiving party discloses or uses (or threatens to disclose or use) any Confidential Information or Personal Information of the disclosing party in breach of this Section 9, the disclosing party will have the right, in addition to any other remedies available to it, to seek injunctive relief to enjoin such acts, it being specifically acknowledged by the parties that any other available remedies are inadequate.

9.4. Neither party will issue any press release, public announcement, or public statement regarding the existence or content of this Agreement without the other party’s prior written approval. Field Effect may include Customer’s name and logo online or in promotional materials. Customer may revoke Field Effect’s right to use Customer’s name and logo under this Section 9.4 with written notice to Field Effect and a reasonable period to stop such use.

10. Suspension

10.1. Field Effect may suspend Customer’s use of the Service if (i) Field Effect has not received payment for the Service within thirty (30) days after the date on which payment is due; (ii) Customer is in breach of the Agreement; (iii) Customer’s use of the Service poses a security risk to the Service or to other users of the Service; or (iv) suspension is required pursuant to a court order or other legal requirement. Field Effect will give Customer notice before suspending Customer’s use of the Service if permitted by applicable law or unless Field Effect determines that providing notice presents a risk of harm to the Service, to other users of the Service, or to any person or property, in which case Field Effect will notify Customer as soon as feasible or permitted. Customer will remain responsible for all Fees incurred before or during any suspension.

11. Term and termination

11.1. Term. This Agreement will remain in effect for the Agreement Term specified in the Order Form or until terminated by either party in accordance with the terms set out herein (the “Term”).

11.2. Termination for Cause. Either party may terminate this Agreement by giving notice in writing to the other party upon the occurrence of any of the following: (i) the other party commits a material breach with respect to a material obligation under this Agreement and does not remedy that breach within thirty (30) days after receiving written notice of the breach; or (ii) Customer does not resolve the underlying cause resulting in a suspension pursuant to Section 10 within ten (10) days after Customer’s Account is suspended. Customer’s failure to pay any Fees, taxes or other amounts when due is a material breach with respect to a material obligation.

11.3. Termination for Insolvency. Either party may terminate this Agreement effective immediately upon notice to the other party if that party enters into a compulsory or voluntary liquidation, or convenes a meeting of its creditors or has a receiver appointed over any part of its assets or takes or suffers any similar action in consequence of a debt, or ceases for any reason to carry on business.

11.4. Termination for Convenience. Subject to any early termination fees or penalties as may be specified on the Order Form, either party may terminate this Agreement for any reason by providing Customer at least thirty (30) days’ advance written notice.

11.5. Effect of Termination. Upon the expiry or termination of this Agreement for any reason, then all rights granted to Customer under this Agreement, including Customer’s right to use the Service and any Licensed Software, will immediately terminate and Customer must: (i) stop all use of the Service, (ii) return or, if Field Effect requests, destroy any Confidential Information and Personal Information, of Field Effect, (iv) within thirty (30) days delete and destroy all Licensed Software within Customer’s possession or control; and (v) return any Hardware owned by Field Effect. As between Customer and Field Effect, Customer is responsible for ensuring that Customer has necessary copies of all Customer Data prior to the date of expiry or termination. On termination of this Agreement, Customer will be responsible for the payment of all non-recurring fees for Hardware in full and all such amounts will become immediately due and payable. Except to the extent termination is permitted under Section 2.7 or Section 11.2, termination of this Agreement will not entitle Customer to any refunds, credits or exchanges, and Customer will be liable for all Fees incurred up to the effective date of the termination.

11.6. Survival. Any provision that, by its nature and context is intended to survive termination or expiration of this Agreement, including Section 1, 4, 6.1, 6.2, 9, 11.5, 12, 13, and 14 will survive.

12. Warranty and disclaimer

12.1. CUSTOMER ACKNOWLEDGES THAT FIELD EFFECT DOES NOT WARRANT THAT THE OPERATION OF THE SERVICE, INCLUDING ANY LICENSED SOFTWARE OR HARDWARE, WILL BE UNINTERRUPTED OR ERROR FREE, OR THAT THE SERVICE WILL MEET (OR IS DESIGNED TO MEET) CUSTOMER’S BUSINESS REQUIREMENTS. SUBJECT TO SECTION 14.3, FIELD EFFECT IS NOT RESPONSIBLE OR LIABLE FOR THE DELETION OF OR FAILURE TO STORE ANY CUSTOMER DATA AND OTHER COMMUNICATIONS MAINTAINED OR TRANSMITTED THROUGH CUSTOMER’S USE OF THE SERVICE. CUSTOMER IS SOLELY RESPONSIBLE FOR SECURING AND BACKING UP CUSTOMER DATA AT ALL TIMES. EXCEPT AS EXPRESSLY PROVIDED FOR HEREIN, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, FIELD EFFECT DOES NOT MAKE ANY WARRANTY OF ANY KIND RELATED TO THE SERVICE OR LICENSED SOFTWARE, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR RELIABILITY.

12.2. CUSTOMER ACKNOWLEDGES AND AGREES THAT THE NATURE OF THE SERVICE MAY: (I) REQUIRE THAT SPECIFIC WEBSITES BE RENDERED UNREACHABLE OR UNAVAILABLE BY THE SERVICE OR FIELD EFFECT FROM TIME TO TIME IN ORDER TO MITIGATE ANY SUSPECTED, POTENTIAL OR ACTUAL THREAT; (II) RESULT IN THE DISRUPTION OF ANY NETWORK CONNECTION(S) (INCLUDING INTERNAL AND EXTERNAL NETWORK CONNECTIONS) TO THE CUSTOMER’S NETWORK OR THE MANAGED SERVICE NETWORK; (III) PREVENT EXTERNAL DEVICES (SUCH AS USB KEYS) FROM FUNCTIONING IN A COMPUTER; (IV) RESTRICT CHANGES TO COMPUTER OR NETWORK SETTINGS; (V) PREVENT CERTAIN NETWORK OR COMPUTER PROCESSES; AND (VI) RESULT IN FIELD EFFECT BLOCKING CERTAIN ACTIVITIES OR MATERIALS DUE TO FALSE POSITIVE THREATS. FIELD EFFECT IS NOT RESPONSIBLE OR LIABLE WHATSOEVER FOR ANY CLAIMS, FINES, LOSSES, DAMAGES, OR OTHER COSTS OR EXPENSES INCURRED BY CUSTOMER ARISING OUT OF OR OTHERWISE RELATING TO SUCH ACTIONS.

13. Indemnification

13.1. Indemnification by Customer. If Field Effect is subject to any third party claim or demand concerning: (i) any Customer Data; (ii) any infringement or misappropriation of any Intellectual Property Rights by Customer or any Users in connection with the use of the Service; (iii) any violation of law by Customer or any Users in connection with the use of Service; (iv) Customer’s or Users’ use of the Service in violation of this Agreement; (v) unauthorized disclosure of Customer Data to Field Effect; or (vi) Customer’s or Users’ use of any Third Party Materials (collectively, “Claims”), then Customer will defend, indemnify and hold Field Effect harmless against any such Claims and any and all fines, losses, damages or other costs arising out of or otherwise relating to the Claims, or agreed to in settlement of the Claims. Field Effect will: (i) notify Customer as soon as possible, in writing, of any Claim; (ii) give Customer control over the defence regarding any Claim; and (iii) reasonably cooperate in response to Customer’s requests for assistance. Subject to the foregoing, Field Effect may participate in the defence or settlement of the Claim, at its own expense. Customer will not settle any Claims, without Field Effect’s prior written consent, not to be unreasonably withheld.

13.2. Indemnification by Field Effect. Subject to the limitations set out in Section 13.1, Field Effect agrees to defend, indemnify and hold Customer harmless against any third party claims alleging that the Service or use of the Service for purposes authorized in this Agreement infringes any patent, copyright, trademark, service mark or other proprietary right of such third party or constitutes misuse or misappropriation of a trade secret of a third party (an “Infringement Claim”). Customer will: (i) notify Field Effect as soon as possible in writing of any Infringement Claim; (ii) give Field Effect control over the defence regarding the Infringement Claim; and (iii) reasonably cooperate in response to Field Effect’s requests for assistance. Field Effect will pay all damages finally awarded against and reasonable expenses incurred by Customer.

13.3. If the Service becomes or in Field Effect’s opinion is likely to become the subject of an Infringement Claim, Field Effect will, at Field Effect’s option and expense: (i) procure the rights necessary for Customer to keep using the Service; (ii) modify or replace the Service to make it non-infringing; or (iii) terminate the Agreement and refund any prepaid Fees.

13.4. Field Effect will have no obligation under Section 13.2 or otherwise with respect to any Infringement Claim based on: (i) Third Party Materials; (ii) any combination of Field Effect products and services with non-Field Effect products or services, including any Third Party Materials; (iii) use of the Service for a purpose or in a manner not permitted by the Agreement; (iv) any modification to the Service made without Field Effect’s express written consent; or (v) any aspect of the Service provided on a no-charge basis.

14. Limitation of liability

14.1. LIABILITY FOR DAMAGES. FIELD EFFECT’S TOTAL CUMULATIVE AGGREGATE LIABILITY TO CUSTOMER FOR DAMAGES, EXPENSES, COSTS, LIABILITY, CLAIMS OR LOSSES (COLLECTIVELY “DAMAGES”) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR THE PROVISION OF THE SERVICE, WHETHER ARISING IN NEGLIGENCE, TORT, STATUTE, EQUITY, CONTRACT, COMMON LAW, OR ANY OTHER CAUSE OF ACTION OR LEGAL THEORY EVEN IF FIELD EFFECT HAS BEEN ADVISED OF THE POSSIBILITY OF THOSE DAMAGES, IS LIMITED TO DIRECT, ACTUAL, PROVABLE DAMAGES AND WILL IN NO EVENT EXCEED AN AMOUNT EQUAL TO THE TOTAL AGGREGATE MONTHLY FEES PAID BY CUSTOMER FOR THE SERVICE DURING THE SIX-MONTH PERIOD BEFORE THE EVENT GIVING RISE TO THE DAMAGES.

14.2. NO LIABILITY FOR CERTAIN DAMAGES. CUSTOMER AGREES THAT IN NO EVENT WILL FIELD EFFECT BE LIABLE FOR ANY LOST BUSINESS REVENUE, LOSS OF PROFITS, OR FAILURE TO REALIZE EXPECTED PROFITS OR SAVINGS OR ANY INDIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, SPECIAL OR PUNITIVE LOSS OR DAMAGE (EVEN IF FIELD EFFECT HAS BEEN ADVISED OR HAD KNOWLEDGE OF THE POSSIBILITY OF SAME OR COULD HAVE REASONABLY FORESEEN SAME) AND REGARDLESS OF THE FORM IN WHICH ANY ACTION IS BROUGHT, WHETHER ARISING IN NEGLIGENCE, TORT, STATUTE, EQUITY, CONTRACT, COMMON LAW, OR ANY OTHER CAUSE OF ACTION OR LEGAL THEORY EVEN IF FIELD EFFECT HAS BEEN ADVISED OF THE POSSIBILITY OF THOSE DAMAGES. FIELD EFFECT WILL NOT BE LIABLE FOR ANY DAMAGES WHATSOEVER FOR DAMAGE TO CUSTOMER NETWORKS OR THE NETWORK OF ANY THIRD PARTY AS A RESULT OF FIELD EFFECT’S DELIVERY OF THE SERVICE, INCLUDING ACCESS TO CUSTOMER NETWORKS AND CUSTOMER DATA.

14.3. NOTWITHSTANDING ANYTHING IN THIS AGREEMENT, INCLUDING BUT NOT LIMITED TO THIS ARTICLE 14, IF ANY CUSTOMER DATA IS LOST, DAMAGED, OR CORRUPTED AS A RESULT OF FIELD EFFECT’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, FIELD EFFECT’S ONLY LIABILITY IS, AT FIELD EFFECT’S OWN EXPENSE, TO RESTORE CUSTOMER DATA USING THE MOST RECENT BACK-UP KEPT BY CUSTOMER. CUSTOMER IS RESPONSIBLE FOR MAINTAINING AT ALL TIMES AN ADEQUATE BACK-UP OF CUSTOMER DATA.

15. GENERAL

15.1. Assignment. This Agreement shall bind and enure to the benefit of the parties and their respective successors and permitted assigns. Customer may not assign this Agreement, in whole or in part, without the prior written consent of Field Effect.

15.2. Notices. All notices and consents provided to Customer shall be given in writing and will be: (i) sent to the email address associated with Customer’s Account; or (ii) posted on https://support.fieldeffect.com. All legal notices or other correspondence to Field Effect must be sent to hello@fieldeffect.com.

15.3. No waiver. No waiver of any provision of this Agreement shall bind a party unless consented to in writing by that party. No waiver of any provision of this Agreement shall be a waiver of any other provisions, nor shall any waiver be a continuing waiver, unless otherwise expressly provided in the waiver.

15.4. Severability. If any provision of this Agreement is found by a court of competent jurisdiction to be invalid, illegal or unenforceable, the other provisions of this Agreement shall not be affected or impaired, and the offending provision shall automatically be modified to the least extent necessary in order to be valid, legal and enforceable.

15.5. Force Majeure. Field Effect will not be liable for any delay or failure to perform its obligations under this Agreement to the extent that the failure is caused by an Event of Force Majeure, provided that Field Effect keeps Customer informed in such circumstances and uses reasonable endeavours to rectify the situation. “Event of Force Majeure” means any event beyond the reasonable control of Field Effect, including acts of God, strike, war (including civil war), acts of any state or government, acts of terrorism, fire, explosions, the elements, epidemics, blackout, embargo, or any delay or interruption in third party telecommunications services.

15.6. Entire Agreement. This Agreement is the entire agreement between the parties with respect to the subject matter, and supersedes all other agreements between the parties relating to the subject matter. In entering into this Agreement, neither party has relied on, and neither party will have any right or remedy based on any statement, representation or warranty, express or implied (including through course of dealing), except those expressly set out in this Agreement.

15.7. Interpretation. The headings are for convenience of reference only and will not affect its construction or interpretation. The words “include” or “including” means “include without limitation” and “including without limitation”, respectively.

15.8. No Partnership and Third-Party Beneficiaries. This Agreement shall not be construed to and does not create a relationship of agency, partnership, employment or joint venture. Nothing in this Agreement, express or implied, shall or is intended to confer on any other person, firm or enterprise, any rights, benefits, remedies, obligations or liabilities of this Agreement, other than the parties, their respective successors or permitted assigns.

15.9. Governing Law. This Agreement is governed by the laws of the Province of Ontario, Canada and the laws of Canada therein (excluding its conflicts of law provisions), and the courts of Ontario will have non-exclusive jurisdiction over all matters arising hereunder. The parties attorn to the exclusive jurisdiction of the courts in Ottawa, Ontario, Canada in respect of all matters arising out of or in connection with this Agreement.

15.10. Counterparts. This Agreement may be signed in one or more counterparts (including through electronic signatures), each of which shall be considered an original and all of which, taken together, shall constitute one and the same instrument.

15.11. Language. The parties have requested that this Agreement and all correspondence and all documentation relating to this Agreement be written in the English language. Les parties aux présentes ont exigé que la présente entente, de même que toute la correspondance et la documentation relative à cette entente, soient rédigées en langue anglaise.

SCHEDULE “A”
DATA SHARING AGREEMENT
CONTROLLER TO PROCESSOR

1. Definitions and interpretation

For purposes of this Schedule, the following definitions will apply.

Data” shall mean the Personal Data, including any Special Personal Data, provided by Customer to the Service Provider pursuant to this Agreement or which is otherwise Processed by the Service Provider on behalf of Customer pursuant to this Agreement;

Controller” shall have the meaning given to it in the Regulation;

Data Subject” shall have the meaning given to it in the Regulation;

Processor” shall have the meaning given to it in the Regulation;

Personal Data” shall have the meaning given to it in the Regulation;

Processing” shall have the meaning given to it in the Regulation;

Regulation” means the regulations on the protection of natural persons with regard to the processing of personal data and on the free movement of such data known as the General Data Protection Regulation ((EU) 2016/679);

Service Provider” means Field Effect Software Inc., whose registered office is at 207-825 Exhibition Way, Ottawa, Ontario, K1S 5J3 (Canada);

Special Personal Data” shall mean the special categories of Personal Data as set out at Article 9(1) of the Regulation;

Sub-Processor” means as set out at Clause 2.4.

2. Data protection

2.1. The parties acknowledge that Customer is a Controller and the Service Provider is a Processor in relation to the Data. The parties also acknowledge that, in relation to certain Processing of the Data, the Service Provider may also be a Controller and the Service Provider agrees, in relation to Data for which it is a Controller, to comply with its obligations under the Regulation.

2.2. To the extent not stated elsewhere in this Agreement, Exhibit 1 set outs the following information in relation to the Data:

  1. subject-matter of the Processing;
  2. duration of Processing;
  3. nature and purpose of the Processing;
  4. type of Data;
  5. categories of Data Subject; and
  6. processing instructions.

2.3. The Service Provider shall:

  1. Process the Data only on the documented instructions of Customer as set out in this Agreement and any changes agreed with Customer, to perform its obligations under this Agreement and ensure it takes steps to ensure that its personnel and those of its subcontractors only Process Data on instructions from Customer, unless required to do otherwise by applicable law. If the Service Provider is aware that or of the opinion that any instruction given by Customer breaches the Regulation or data protection law of any European Union Member State, the Service Provider shall inform Customer of this before processing, unless the law prohibits such information on important grounds of public interest;
  2. ensure that its personnel who are authorised to Process Data are under obligations of confidentiality;
  3. take the measures that are expressed to be obligations of the Processor in Article 32 of the Regulation in order to ensure the appropriate level of security for the Data;
  4. taking into account the nature of the Processing, assist Customer with its obligations to comply with Data Subjects’ requests and Data Subjects’ rights under Chapter III of the Regulation through the use of appropriate technical and organisational measures;
  5. taking into account the nature of processing and the information available to the Service Provider, assist Customer in ensuring compliance with Customer’s obligations in Articles 32-36 of the Regulation and in doing so shall (at no cost to Customer):
    1. promptly record and then refer all Data Subject Requests it receives to Customer within three days of receipt of the request;
    2. provide such information and cooperation and take such action as Customer reasonably requests in relation to each Data Subject Request, within the timescales reasonably required by Customer; and
    3. not respond to any Data Subject Request or Complaint without Customer’s prior written approval.
    4. provide such information, co-operation and other assistance to Customer as Customer reasonably requires (taking into account the nature of processing and the information available to the Service Provider) to ensure compliance with Customer’s obligations under Data Protection Laws, including with respect to:
      1. security of processing;
      2. data protection impact assessments (as such term is defined in Data Protection Laws);
      3. prior consultation with a Supervisory Authority regarding high risk processing; and
      4. any remedial action and/or notifications to be taken in response to any Personal Data Breach and/or Complaint, including (subject in each case to Customer’s prior written authorisation) regarding any notification of the Personal Data Breach to Supervisory Authorities and/or communication to any affected Data Subjects.
  6. at the written election of Customer, either:
    1. securely destroy the Data (including all copies of it); or
    2. return the Data (including all copies of it) to Customer in the format required by Customer which retains the integrity of the Dataat any time upon request by Customer or promptly upon termination or expiry of this Agreement, unless the law requires storage of the Data, without prejudice to the right of the Service Provider to keep such information that may be useful to defend any court action as long as the applicable limitation period is not over;
  7. provide all information necessary to demonstrate the Service Provider’s compliance with this Clause 2 and allow Customer and its authorised representatives, upon reasonable prior written notice to the Service Provider, reasonable access during normal business hours to any relevant premises and documents to inspect the procedures and measures referred to in this Clause 2;
  8. not Process or transfer Data outside of the European Economic Area (or any country deemed adequate by the European Commission pursuant to Directive 95/46/EC or the Regulation) without putting in place adequate protection for the Data pursuant to Article 46 of the Regulation;
  9. at all times perform its obligations under this Agreement in such a manner as not to cause Customer in any way to be in breach of the Regulation; and
  10. perform its obligations under this Agreement (and any other agreement relating to the provision of the Services) in full compliance with the Regulation and all applicable guidelines, statutory orders, supplementary laws and codes of practice issued by relevant regulators pursuant to or in connection with the Regulation, including as may be issued by the Office of the Information Commissioner in the UK, data protection regulators of other European Union Member States or as may be issued by the European Commission or the Board (and “Board” shall have the meaning given at Article 68 the Regulation).

2.4. The Service Provider is authorised to appoint any third party, including consultant, sub-contractor, agent or professional adviser or other third party who may receive and/or have access to Data (“Sub-Processor“) provided that it informs Customer of any intended changes concerning the addition or replacement of any Sub-Processor, thereby giving Customer the opportunity to object to such changes.

2.5. In case of appointment of a Sub-Processor under Clause 2.4, the Service Provider shall put in place in writing with any Sub-Processor contractual obligations which are at least equivalent to the obligations imposed on the Service Provider pursuant to this Clause 2 including obligations which provide sufficient guarantees from the Sub-Processor that the processing meets the requirements of the Regulation. The Service Provider shall be liable to Customer for any failure of any such Sub-Processor to comply with such equivalent data protection obligations (including where the Service Provider is in breach of its obligation to put such obligations in writing with the Sub-Processor).

Exhibit 1
Data processing details

Subject-matter of processing:

cyber security monitoring of the Customer’s networks and systems.

Duration of the processing:

until expiry/termination of the Agreement, payment of all sums owed under the Agreement, settlement of all disputes under the Agreement and lapsing of any applicable limitation period;

more specifically, while most Data will be erased upon the expiry/termination of the Agreement, the Data contained in the following media may be stored until the latest of the above:

  1. reports issued by the Service Provider under the Agreement;
  2. logins and diagnostics monitored under the Agreement.

Nature and purpose of the processing:

monitoring the Customer’s networks and systems for cyber security threats, vulnerabilities, and other information that could be used to compromise, degrade or otherwise negatively affect the Customer’s equipment, data and operations.

Type of Personal Data:

any Personal Data (identity, contact details, economic information, etc.) contained in the Customer’s networks and systems which is provided, transmitted, displayed or made available by or through the Service Provider’s managed cyber security monitoring service by Customer or Customer’s authorized users and which is necessary to perform the cyber security monitoring service; this may include Special Personal Data.

Categories of Data Subjects:

any individual (whether clients, employees, suppliers or others) whose Data is on Customer’s networks and systems.

Processing Instructions:

the Service Provider shall perform the services set out in the Agreement involving, a combination of network and endpoint sensor technology, processed by automated systems and augmented with human analysis as necessary.