END USER LICENSE AGREEMENT

This End User license agreement (the “Agreement”) is entered into on the date the parties sign a quote or other order form for the subscription of the Software (the “Order Form”) (the “Effective Date”), by and between Build Security, Inc., a company incorporated under the laws of the State of Delaware having its principal place of business at 1621 Lewiston Drive, Sunnyvale CA (the “Company”) and the customer set forth in the Order Form (the “Customer”) (each, a “Party” and collectively, the “Parties”). Customer may use Software (as defined below) subject to the terms below. This Agreement will govern Customer’s initial purchase on the Effective Date as well as any future purchases made by the Customer that reference this Agreement.

 

1. Subscription. Subject to the terms and conditions of this Agreement, Company hereby grants Customer a limited, worldwide, non-exclusive, non-sublicensable, non-transferable and revocable right and license to install, remotely access (i.e. on a SaaS basis) and/or use (as the case may be) the Company’s authorization policy management platform (the “Software”) during the Term (as defined below), solely for Customer’s internal purposes. Unless otherwise indicated, the term “Software” also includes any appliance and any manual or documentation (“Documentation”) provided or made available to Customer in connection with the operation of the Software. Customer may only use the Software in accordance with the Documentation, subject to the use limitations indicated in Exhibit A and applicable laws and regulations.

 

2. Services.

2.1 The Software may be accessed solely by Customer’s employees or service providers who are explicitly authorized by Customer to access and use the Software (each, a “User”). Customer shall immediately report any unauthorized access or use of the Software to Company. In order to access the Software, Customer and/or its Users may be required to set up an administrative account with Company (“Account”). Customer warrants and represents that all information submitted during the registration process is, and will thereafter remain, complete and accurate. Customer shall be responsible and liable for all activities of its Users and all activities that occur under or in its Account. Customer will require that all Users keep their user ID and password information strictly confidential.

2.2 In the event Customer wishes to receive any additional services from Company, such as installation, deployment, configuration, customization, integration, training, or other professional services (“Professional Services”) Customer shall request same from Company in writing, and, subject to Company’s agreement in its sole discretion, such Professional Services shall be set out in sequential Statements of Work to this Agreement, as shall be negotiated and executed by both Parties (each, a “SOW”). Professional Services shall be charged in accordance with the fees and payment terms specified within the applicable SOW. Each SOW is hereby deemed incorporated into this Agreement by reference. To the extent of any conflict between the main body of this Agreement and a respective SOW, the former shall prevail, unless and to the extent that the SOW expressly states otherwise.

3. Subscription Fees.

3.1 The Services are conditioned on Customer’s payment in full of the applicable fees. The fees for the Initial Term are as set forth in the Order Form. Unless otherwise specified in the Order Form: (i) Customer will pay all amounts due under this Agreement in U.S. Dollars; (ii) all amounts invoiced hereunder are due and payable within thirty (30) days of the date of the invoice; and (iii) all fees and other amounts paid hereunder are non-refundable. Any amount not paid when required to be paid hereunder shall accrue interest on a daily basis until paid in full at the lesser of: (a) the rate of one and a half percent (1.5%) per month; or (b) the highest amount permitted by applicable law. All amounts payable under this Agreement are exclusive of all sales, use, value-added, withholding, and other direct or indirect taxes, charges, levies, duties and/or governmental charges, except for taxes based upon Company’s net income.

4. Prohibited Uses. Except as specifically permitted herein, without the prior written consent of Company, Customer must not, and shall not allow any User or any third party to, directly or indirectly: (i) copy, modify, create derivative works of, make available or distribute, publicly perform, or display any part of the Software (including by incorporation into its products), or use the Software to develop any service or product that is the same as (or substantially similar to) it; (ii) sell, license, lease, assign, transfer, pledge, rent, sublicense, or share Customer’s rights under this Agreement with any third party (including but not limited to offering the Software as part of a time-sharing, outsourcing or service bureau environment); (iii) use any “open source” or “copyleft software” in a manner that would require Company to disclose the source code of the Software to any third party; (iv) disclose the results of any testing or benchmarking of the Software to any third party; (v) disassemble, decompile, decrypt, reverse engineer, extract, or otherwise attempt to discover the Software’s source code or non-literal aspects (such as the underlying structure, sequence, organization, file formats, non-public APIs, ideas, or algorithms); (vi) remove or alter any trademarks or other proprietary right notices displayed on or in the Software; (vii) circumvent, disable or otherwise interfere with security-related features of the Software or features that enforce use limitations; (viii) export, make available or use the Software in any manner prohibited by applicable laws; and/or (ix) store or transmit any malicious code (i.e., software viruses, Trojan horses, worms, robots, malware, spyware or other computer instructions, devices, or techniques that erase data or programming, infect, disrupt, damage, disable, or shut down a computer system or any component of such computer system) or other unlawful material in connection with the Software.

5. Personal Data.

5.1 Customer hereby warrants and represents that (a) it will provide all appropriate notices, and has obtained and will maintain all required informed consents and licenses and will maintain all ongoing legal bases, and (b) it will comply at all times with any and all applicable privacy and data protection laws and regulations (including, without limitation, the EU General Data Protection Regulation (“GDPR”)), for allowing Company to use and process the data in accordance with this Agreement (including, without limitation, the provision of such data to Company (or access thereto) and the transfer of such data by Company to its affiliates, subsidiaries and subcontractors, including transfers outside of the European Economic Area), for the provision of the Services and the performance of this Agreement.

5.2 To the extent that Customer needs a data processing agreement, Customer shall request Company to provide it with Company’s Data Processing Agreement (“DPA”) and shall return such DPA signed to Company as described therein. In the event Customer fails to comply with any data protection or privacy law or regulation, the GDPR and/or any provision of the DPA, and/or fails to return an executed version of the DPA to Company, then to the maximum extent permitted by law, Customer shall be solely and fully responsible and liable for any such breach, violation, infringement and/or processing of personal data without a DPA.

6. Mutual Warranties. Each Party represents and warrants that it is duly organized, validly existing and in good standing under the laws of its jurisdiction of incorporation or organization; and that the execution and performance of this Agreement will not conflict with other agreements to which it is bound or violate applicable law.

7. Intellectual Property Rights.

7.1 The Software is not for sale and is Company’s sole property. All right, title, and interest, including any intellectual property rights evidenced by or embodied in, attached, connected, and/or related to the Software (and any and all improvements, modifications and derivative works thereof) and any other products, deliverables or services provided by Company, are and shall remain owned solely by Company or its licensors. This Agreement does not convey to Customer any interest in or to the Software other than a limited right to use the Software in accordance herewith. Nothing herein constitutes a waiver of Company’s intellectual property rights under any law.

7.2 If Company receives any feedback (which may consist of questions, comments, suggestions or the like) regarding any of the Services (collectively, “Feedback”), all rights, including intellectual property rights in such Feedback shall belong exclusively to Company and such shall be considered Company’s Confidential Information. Customer hereby irrevocably and unconditionally transfers and assigns to Company all intellectual property rights it has in such Feedback and waives any and all moral rights that Customer may have in respect thereto. It is further understood that use of Feedback, if any, may be made by Company at its sole discretion, and that Company in no way shall be obliged to make use of the Feedback.

7.3 Any anonymous information, which is derived from the use of the Services (i.e., metadata, aggregated and/or analytics information and/or intelligence relating to the operation, support, and/or Customer’s use, of the Software) which is not personally identifiable information and which does not identify Customer (“Analytics Information”) may be used for providing the Service, for development, and/or for statistical purposes. Such Analytics Information is Company’s exclusive property.

7.4 As between the Parties, Customer is, and shall be, the sole and exclusive owner of all data and information inputted or uploaded to the Service by or on behalf of Customer or otherwise integrated with the Software via an API, or data belonging to Customer’s applications within the environment in which the Software is made available (“Customer Data”). Customer hereby grants Company a worldwide, non-exclusive, non-assignable (except as provided herein), non-sublicensable (except to Company’s subcontractors, if applicable), non-transferable right and license, during the Term, to access and use the Customer Data, including without limitation for Company’s provision of the Software and/or services hereunder.

8. Third Party Components. The Software may use or include third party open source software, files, libraries or components that may be distributed to Customer and are subject to third party open source license terms. A list of such components is available at the request of Customer and may be updated from time to time by Company. If there is a conflict between any open source license and the terms of this Agreement, then the open source license terms shall prevail but solely in connection with the related third party open source software. Company makes no warranty or indemnity hereunder with respect to any third party open source software.

9. Confidentiality. Each Party may have access to certain non-public information and materials of the other Party, in any form or media, including without limitation trade secrets and other information related to the products, software, technology, data, know-how, or business of the other Party, and any other information that a reasonable person should have reason to believe is proprietary, confidential, or competitively sensitive (the “Confidential Information”). Each Party shall take reasonable measures, at least as protective as those taken to protect its own confidential information, but in no event less than reasonable care, to protect the other Party’s Confidential Information from disclosure to a third party. The receiving party’s obligations under this Section, with respect to any Confidential Information of the disclosing party, shall not apply to and/or shall terminate if such information: (a) was already lawfully known to the receiving party at the time of disclosure by the disclosing party; (b) was disclosed to the receiving party by a third party who had the right to make such disclosure without any confidentiality restrictions; (c) is, or through no fault of the receiving party has become, generally available to the public; or (d) was independently developed by the receiving party without access to, use of, or reliance on, the disclosing party’s Confidential Information. Neither Party shall use or disclose the Confidential Information of the other Party except for performance of its obligations under this Agreement (“Permitted Use”). 
The receiving party shall only permit access to the disclosing party’s Confidential Information to its respective employees, consultants, affiliates, agents and subcontractors having a need to know such information in connection with the Permitted Use, who either (i) have signed a non-disclosure agreement with the receiving party containing terms at least as restrictive as those contained herein or (ii) are otherwise bound by a duty of confidentiality to the receiving party at least as restrictive as the terms set forth herein; in any event, the receiving party shall remain liable for any acts or omissions of such persons. The receiving party will be allowed to disclose Confidential Information to the extent that such disclosure is required by law or by the order of a court or similar judicial or administrative body, provided that it promptly notifies the disclosing Party in writing of such required disclosure to enable disclosing party to seek a protective order or otherwise prevent or restrict such disclosure and cooperates reasonably with disclosing party in connection therewith. All right, title and interest in and to Confidential Information is and shall remain the sole and exclusive property of the disclosing Party.

10. LIMITED WARRANTIES. Company represents and warrants that, under normal authorized use, the Software shall substantially perform in conformance with its Documentation. As Customer’s sole and exclusive remedy and Company’s sole liability for breach of this warranty, Company shall use commercially reasonable efforts to repair the Software. The warranty set forth herein shall not apply if the failure of the Software results from or is otherwise attributable to: (i) repair, maintenance or modification of the Software by persons other than Company or its authorized contractors; (ii) accident, negligence, abuse or misuse of the Software; (iii) use of the Software other than in accordance with the Documentation; or (iv) the combination of the Software with equipment or software not authorized or provided by Company. OTHER THAN AS EXPLICITLY STATED IN THIS AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE SOFTWARE, SERVICES AND THE RESULTS THEREOF ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. COMPANY DOES NOT WARRANT THAT: (i) THE SOFTWARE AND/OR THE SERVICES WILL MEET CUSTOMER’S REQUIREMENTS, OR (ii) THE SOFTWARE WILL OPERATE ERROR-FREE. EXCEPT AS SET FORTH IN SECTION 6 AND THIS SECTION 10, THE COMPANY EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, SATISFACTORY QUALITY, TITLE, NON-INFRINGEMENT, NON-INTERFERENCE, FITNESS FOR A PARTICULAR PURPOSE. COMPANY WILL NOT BE LIABLE FOR DELAYS, INTERRUPTIONS, SERVICE FAILURES OR OTHER PROBLEMS INHERENT IN USE OF THE INTERNET AND ELECTRONIC COMMUNICATIONS OR FOR ISSUES RELATED TO PUBLIC NETWORKS OR CUSTOMER’S HOSTING SERVICES. COMPANY SHALL NOT BE RESPONSIBLE FOR ANY WARRANTIES AND REPRESENTATIONS MADE BY ANY PARTNER TO CUSTOMER.

11. LIMITATION OF LIABILITY.

11.1 WITHOUT DEROGATING FROM COMPANY’S INDEMNIFICATION OBLIGATION UNDER SECTION 12 AND EXCEPT FOR ANY DAMAGES RESULTING FROM ANY BREACH OF EITHER PARTY’S CONFIDENTIALITY OBLIGATIONS HEREIN, WILLFUL MISCONDUCT, AND/OR CUSTOMER’S MISAPPROPRIATION OR OTHERWISE VIOLATION OF COMPANY’S INTELLECTUAL PROPERTY RIGHTS (INCLUDING MISUSE OF THE LICENSE BY CUSTOMER); (I) NEITHER PARTY SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, OR ANY LOSS OF REVENUE, REPUTATION, PROFITS, DATA, OR DATA USE, OR THE COST OF PROCURING ANY SUBSTITUTE GOODS OR SERVICES; (II) EITHER PARTY’S MAXIMUM LIABILITY FOR ANY DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER IN CONTRACT OR TORT, OR OTHERWISE, SHALL IN NO EVENT EXCEED, IN THE AGGREGATE, THE TOTAL AMOUNTS ACTUALLY PAID OR PAYABLE TO COMPANY BY CUSTOMER IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO SUCH CLAIM. THIS LIMITATION OF LIABILITY IS CUMULATIVE AND NOT PER INCIDENT. FOR CLARITY, THE LIMITATIONS IN THIS SECTION DO NOT APPLY TO PAYMENTS DUE TO COMPANY UNDER THIS AGREEMENT (INCLUDING ITS EXHIBITS).

 

12. Indemnification.

12.1 Company agrees to defend, at its expense, any third party action or suit brought against Customer alleging that the Software, when used as permitted under this Agreement and Exhibit A, infringes intellectual property rights of a third party (“IP Infringement Claim”); and Company will pay any damages awarded in a final judgment against Customer that are attributable to any such IP Infringement Claim, provided that (i) Customer promptly notifies Company in writing of such claim; and (ii) Customer grants Company the sole authority to handle the defense or settlement of any such claim and provides Company with all reasonable information and assistance in connection therewith, at Company’s expense. Company will not be bound by any settlement that Customer enters into without Company’s prior written consent.

12.2 If the Software becomes, or in Company’s opinion is likely to become, the subject of an IP Infringement Claim, then Company may, at its sole discretion: (a) procure for Customer the right to continue using the Software; (b) replace or modify the Software to avoid the IP Infringement Claim; or (c) if options (a) and (b) cannot be accomplished despite Company’s reasonable efforts, then Company may terminate this Agreement and Company shall also provide a refund for any amount pre-paid by Customer for such returned Software for the remaining unused period of the license.

12.3 Notwithstanding the foregoing, Company shall have no responsibility for IP Infringement Claims resulting from or based on: (i) modifications to the Software made by a party other than Company or its designee; (ii) Customer’s failure to implement software updates provided by Company specifically to avoid infringement; or (iii) combination or use of the Software with equipment, devices or software not supplied by Company or not in accordance with the Documentation.

12.4 This Section 12 states Company’s entire liability, and Customer’s exclusive remedy, for any IP Infringement Claim.

13. Term and Termination.

13.1 This Agreement shall enter into force and effect on the Effective Date and shall remain in full force and effect for the period specified in the Order Form unless earlier terminated as set forth herein (the “Initial Term”). Following such Initial Term, the Agreement shall be automatically renewed for successive one (1) year terms, at the then-applicable subscription fees, unless terminated earlier as set forth herein and/or unless either Party provides the other Party with at least sixty (60) days’ prior written notice of non-renewal (each a “Renewal Term” and together with the Initial Term, the “Term”).

13.2 Either Party may terminate this Agreement with immediate effect upon written notice if (a) the other Party materially breaches this Agreement and such breach remains uncured fifteen (15) days after having received written notice thereof; or (b) a receiver is appointed for the other Party, if the other Party makes a general assignment for the benefit of its creditors, or if the other Party commences proceedings under any bankruptcy or insolvency law.

13.3 Upon termination or expiration of this Agreement: (i) the Software license granted to Customer under this Agreement shall expire, and Customer shall discontinue any further use thereof; (ii) Customer shall immediately delete and dispose of all copies of the Documentation in Customer’s or any of its representatives’ possession or control; and (iii) Company may delete all Customer Data. The provisions of this Agreement (including Exhibit A) that, by their nature and content, must survive the termination of this Agreement in order to achieve the fundamental purposes of this Agreement shall so survive, including but not limited to Sections 9 and 11 hereof. The termination of this Agreement shall not limit Company from pursuing any other remedies available to it under applicable law.

14. Miscellaneous. This Agreement, including the DPA (if applicable), and any exhibits attached or referred hereto, represents the entire agreement between the Parties concerning the subject matter hereof, replaces all prior and contemporaneous oral or written understandings and statements, and may be amended only by a written agreement executed by both Parties. The failure of either Party to enforce any rights granted hereunder or to take action against the other Party in the event of any breach shall not be deemed a waiver by that Party as to subsequent enforcement or actions in the event of future breaches. Any waiver granted hereunder must be in writing. If any provision of this Agreement is held by a court of competent jurisdiction to be illegal, invalid or unenforceable, the remaining provisions of this Agreement shall remain in full force and effect and such provision shall be reformed only to the extent necessary to make it enforceable. Any use of the Software by an agency, department, or other entity of the United States government shall be governed solely by the terms of this Agreement. Neither Party may assign its rights or obligations under this Agreement without the prior written consent of the other Party, which consent may not be unreasonably withheld or delayed. Notwithstanding the foregoing, this Agreement may be assigned by either Party in connection with a merger, consolidation, sale of all of the equity interests of such Party, or a sale of all or substantially all of the assets of the Party to which this Agreement relates. Without derogating from and subject to the above-mentioned, this Agreement will bind and benefit each Party and its respective successors and assigns. This Agreement shall be governed by and construed under the laws of the State of Israel, without reference to principles and laws relating to the conflict of laws. 
The competent courts of the city of Tel Aviv-Jaffa shall have the exclusive jurisdiction with respect to any dispute and action arising under or in relation to this Agreement. Notwithstanding the foregoing, each Party may seek equitable relief in any court of competent jurisdiction in order to protect its proprietary rights. Each Party irrevocably waives its right to trial of any issue by jury. This Agreement does not, and shall not be construed to create any relationship, partnership, joint venture, employer-employee, agency, or franchisor-franchisee relationship between the Parties. Neither Party has any authority to enter into agreements of any kind on behalf of the other Party. Company will not be liable for any delay or failure to provide the Services resulting from circumstances or causes beyond the reasonable control of Company including, but not limited to on account of strikes, shortages, riots, insurrection, fires, flood, storms, explosions, acts of God, war, government or quasi-governmental authorities actions, riot, acts of terrorism, earthquakes, explosions, power outages, pandemic or epidemic (or similar regional health crisis), or any other cause that is beyond the reasonable control of Company. Notices to either Party shall be deemed given (a) four (4) business days after being mailed by airmail, postage prepaid, (b) the same business day, if dispatched by facsimile or electronic mail and sender receives acknowledgment of receipt. This Agreement may be executed in electronic counterparts, each of which counterpart, when so executed and delivered, shall be deemed to be an original and all of which counterparts, taken together, shall constitute but one and the same agreement.

 

* * * * * * * *

 

 

 

 

 

EXHIBIT A

SERVICE DESCRIPTION, RESTRICTIONS AND FEES

 

  1. The “Software” – build.security authorization policy management platform can be divided into 4 major components:
  • Policy Administration Point (PAP) also known as the control plane where you can –
    • Author and publish new policies;
    • Manage and view existing policies;
    • Test policies with evaluation data;
    • View decision logs;
    • Configure system-wide and project-wide settings, integrations, and configuration;
    • Manage PDPs at scale;
    • Perform impact analysis on how policy items would impact the organization, if activated.

 

The control plane is offered as a managed service in build.security’s cloud or in the customer’s private cloud. The control plane does not have access to the data plane and handles only configurations, policies, and meta-data.

 

  • Policy Decision Point (PDP)

The Policy Decision Points are OPA-based Docker containers that receive a JSON request, run a policy on it along with the data at hand, and produce a JSON decision with sub-millisecond latency. The PDPs can be deployed as sidecar containers or as a service, in the cloud or on-prem. The PDPs come with built-in connectors to a wide range of data sources, enabling the use of external information as part of the policy evaluation phase. To minimize latency and increase performance, an in-memory caching layer is also part of the PDP.

 

  • Policy Information Point (PIP)

The Policy Information Points are any private/public data sources the operator can utilize in order to make better access control decisions. These might be (but are not limited to) ticketing systems, code repositories, relational databases, NoSQL databases, SaaS applications, HR applications, CRMs etc.

 

  • Policy Enforcement Point (PEP)

The Policy Enforcement Points are the components responsible for enforcing the decision given by the PDPs. The enforcement points could be in the form of API gateways, reverse proxies, middlewares, SDKs, and more.

 

 

  2. Limitations:

The license is limited to the number of active PDPs as set out in the Order Form.

  3. Fees:

 

As set out in the Order Form.

 

EXHIBIT B

SERVICE LEVEL AGREEMENT

 

Company reserves the right to change the terms of this SLA by providing Customer with at least thirty (30) days prior written notice.

During the term of the Agreement, Company will use commercially reasonable efforts to make the Software available with a Monthly Uptime Percentage (defined below) of at least 99.9% during each month of service (the “Service Commitment”).

The following definitions apply to this SLA:

  • “Downtime” or “Downtime Incident” means the time in which Software is unavailable to Customer as measured and determined solely by Company based on its servers. Downtime Incidents shall exclude: (i) reasonable planned downtime incidents announced at least twenty-four (24) hours in advance by Company, including without limitation, for periodic upgrade and maintenance, cyber attacks on Company’s collectors (hardware or virtual) within Customer’s network; (ii) network disruption between a Customer’s network and the Software outside of Company’s control; (iii) Downtime Incidents that are caused by the SLA Exclusions specified below; (iv) separate instances of Software unavailability of less than five (5) minutes duration each; and/or (v) any time where Company is awaiting information from Customer or awaiting Customer’s confirmation that the Software has been restored.
  • “Downtime Period” means the number of minutes in a calendar month during which the Software is unavailable to Customer due to Downtime Incident(s).
  • “Monthly Uptime Percentage” means the monthly uptime expressed as a percentage, calculated based on the total number of minutes in a calendar month, minus the Downtime Period, divided by the total number of minutes in a calendar month.

Other SLA Exclusions

The SLA does not apply to any: (a) features or services excluded from the Agreement (as specified in the associated Documentation); or (b) Downtime Incidents that: (i) are caused by factors beyond Company’s reasonable control (including without limitation any force majeure event (including but not limited to strikes, shortages, riots, fires, flood, storms, explosions, acts of God, war, government or quasi-governmental authorities actions, acts of terrorism, earthquakes, power outages, pandemic or epidemic (or similar regional health crisis)), failure of Internet access or any public telecommunications network, or shortage of adequate power or transportation facilities); (ii) are attributable to repair, maintenance or modification of Company’s Software by persons not authorized by Company; (iii) resulted from accident, negligence, abnormal physical or electrical stress, abnormal environmental conditions, abuse or misuse of Company’s Software; (iv) resulted from use of Company’s Software other than in accordance with the Documentation or in violation of the Agreement; (v) resulted from Customer’s or a third party’s equipment, software or other technology (other than third party equipment within Company’s direct control); and/or (vi) resulted from the combination of Company’s Software with equipment or software not authorized or provided by Company or otherwise approved by Company in the Documentation.

 

 

Last Updated: May 18, 2021