Terms and Conditions

v.01-20

Please read these terms and conditions carefully as they govern your use of this website and/or the Project Ares software. By using Circadence Corporation’s (“Circadence,” “We” or “Us”) website, or the Project Ares software, you agree to be bound by the following Terms and Conditions. We reserve the right to modify these Terms and Conditions from time to time, at any time and without notice. Please review these Terms and Conditions when you visit our website so that you will be apprised of any changes made to them.

General Disclaimer

This website, any software made available from this website, and information or documents within this website are provided “as is” without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

This website could include technical inaccuracies or typographical errors and we assume no responsibility for the accuracy or completeness of the information contained here. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the website.

Circadence may make improvements and/or changes in the products described in this website at any time and without notice and we make no commitment to update this website in any respect.

Liability Limitation

Circadence and/or any third-party copyright holders hereby disclaim all warranties and conditions with regard to this information, including all warranties and conditions of merchantability, whether express, implied or statutory, fitness for a particular purpose, title and non-infringement.

Circadence will not be liable under any theory of law, whether in an action of contract, negligence or other tortious action, for any special, indirect, incidental, punitive or consequential damages, including, but not limited to, loss of profits, business interruption, loss of information or data or costs of replacement goods, arising out of the use or inability to use this website or any Circadence product or service offered herein or resulting from use of or reliance on the information presented, even if Circadence may have been advised of the possibility of such damages.

Any software that is made available from the Services (“Software”) is the copyrighted work of Circadence and/or its suppliers. Use of the Software is governed by these Terms.

Any software that is made available is made so solely for use by end users according to these Terms. Any reproduction or redistribution of the Software not in accordance with these Terms is expressly prohibited by law, and may result in severe civil and criminal penalties. Violators will be prosecuted to the fullest extent possible.

The software is warranted, if at all, only according to these Terms. Except as warranted in these Terms, Circadence hereby disclaims all warranties and conditions with regard to the software, including all warranties and conditions of merchantability, whether express, implied or statutory, fitness for a particular purpose, title and non-infringement.

Any software which is for or on behalf of the United States of America, its agencies and/or instrumentalities (“U.S. Government”), is provided with either Commercial Rights or Restricted Rights. Use, duplication, or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs (c)(1) and (2) of the Commercial Computer Software – Restricted Rights at 48 CFR 52.227-19, as applicable. The manufacturer of such software is Circadence Corporation.

Use of Personal Information

For information regarding Circadence’s treatment of personally identifiable information, please review Circadence’s current Privacy Policy.

Website

Permission to use any Documents (such as white papers, press releases, datasheets, and FAQs) contained on this website is granted, provided that (1) any copyright notice contained on the Documents appears in all copies and that both the copyright notice and this permission notice appear, and (2) no modifications of any Documents are made. Use for any other purpose is expressly prohibited by law and may result in civil and criminal penalties. Violators will be prosecuted to the fullest extent possible.

Circadence and/or any third-party copyright holders in the documents make no representations about the suitability of the information contained in the documents for any purpose. All such documents and related graphics are provided “as is” without warranty of any kind.

Throughout this website, there may be links to third-party websites. Circadence does not control the linked sites and is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Circadence is providing these links to you only as a convenience and does not endorse such sites simply by including links to them.

Project Ares Software

1. Definitions

In addition to the terms defined above and elsewhere in these Terms, the following have the meanings set forth below:

“Agreement” shall mean understanding and acceptance of these Terms and any other documents made a part hereof or incorporated by reference herein, including any written amendments.

“API” means Circadence’s application programming interfaces that enable other software applications to communicate with or call on Software, provided under these Terms.

“Commencement Date” shall mean the date upon which the Project Ares subscription term commences, as specified in the Order.

“Deliverables” has the meaning set forth in one or more Statements of Work that the parties may from time to time enter into pursuant to these Terms.

“Documentation” shall mean the operating manuals, including a description of the functions performed by the Software, user instructions, technical literature and all other related materials, which may from time to time, be supplied to Customer by Circadence to facilitate the use of the Software.

“Error” shall mean any reproducible failure of the Software to conform in all material respects to Documentation; provided however, any failure resulting from (i) Customer’s misuse, improper use, alteration or damage of the Software; (ii) Customer’s failure to implement all Updates issued to Customer; or (iii) combining or merging any Software with any hardware or software not supplied or identified as compatible by Circadence, shall not be considered an Error.

“Fees” shall mean the fees paid by Customer for the right to use the Software during the term identified on the Order.

“Named User” shall mean an individual that has been provided separate access to the Software through a designated seat license as further described in the Order.

“Order” shall mean the customer signed Circadence Quote provided representing a purchase order, or a separate purchase order document provided by the customer in accordance with the Circadence Quote.

“Services” shall mean the subscription to the Software as defined by the Order, the Maintenance Services, and, if applicable, the Hosting Services provided by Circadence.

“Software” shall mean, collectively or individually, the standard software programs described in the Order, in object code format, and including all corrections, modifications and Updates to such software which may be provided to Customer by Circadence pursuant to these Terms.

“Subscription Materials” shall mean the Software and Documentation.

“Update” shall mean a release of the Software made generally available to customers that contains functional enhancements, and/or Error corrections. The content and timing of all Updates shall be determined by Circadence in its sole discretion.

“User” shall mean an individual authorized by Customer to use the Software as either a Named User or Variable User subscription.

“Variable User” shall mean an individual that has been provided access to the Software through Customer’s license or usage base subscription as further described in the Quote.

2. Subscription

(a) Subject to these Terms, and subject to receipt of all applicable Fees by Circadence, Circadence grants to Customer a non-transferable, nonsublicensable, non-exclusive license to access and use the subscription to the Software via the Hosting Services (as applicable), and to use the Documentation (whether in written or electronic form) in connection therewith, in each instance (unless otherwise agreed or acknowledged) solely for Customer’s business purposes during the Term. The subscription granted hereunder is limited to the maximum number of Users specified in the Order.

(b) Except as expressly provided in Section 2(a) above, nothing contained in this Agreement shall be construed as conferring upon Customer, any right or license to the Subscription Materials, or any other materials provided by Circadence under this Agreement, and any copies thereof. Without limiting the generality of the foregoing, except as provided in Section 2(a), no right or license is granted hereunder, and Customer is not permitted, to (i) copy, print, transfer, transmit or display all or any part of the Subscription Materials, (ii) sell, rent, sublicense or otherwise distribute any of the Subscription Materials, (iii) use the Subscription Materials to provide data processing, service bureau, time sharing or other similar services of any kind to any third party, (iv) modify the Software and/or merge all or any part of the Software with or into other computer programs, or (v) compile, reverse compile, disassemble, translate, analyze, reverse engineer or attempt to reverse engineer the Software. All Users will be required to accept Circadence’s End User License Agreement (the “EULA”) as a part of these Terms.

3. Services

a) Maintenance Services

In addition to Error Correction and the installation of Updates, Circadence will provide help desk support via a web-based issue tracking system that is available twenty-four (24) hours a day, seven (7) days a week. Phone consultation is available during business hours Monday through Friday, 8AM-6PM Eastern Time, excluding the following Holidays: New Year’s Day, Memorial Day, Fourth of July, Labor Day, Veteran’s Day, Thanksgiving and Friday after Thanksgiving, Christmas Day. Circadence will evaluate issues reported by Customer via the web-based issue tracking system and apply the following problem severity levels when determining appropriate resolution procedures. Circadence shall use commercially reasonable efforts to respond to and resolve problems reported by Customer.

b) Hosting Services

  1. Circadence will install the Software on servers managed by Circadence and make it accessible to Customer through a password-protected, secure website that will allow the number of Users specified in the Order to access and use the Software.
  2. Circadence will use commercially reasonable efforts to ensure that the Software is available via the Hosting Services.
  3. Scheduled Downtime will include the following: Required maintenance that, to the extent reasonably practicable, will be scheduled during weekend hours. Emergency maintenance for which Circadence shall give at least eight (8) hours prior notice by email or phone. Installation of Updates and daily backups. Circadence retains the right to shut down, reboot, modify or fix servers at any time if it is deemed necessary to prevent security breaches or operational failures (including, but not limited to viruses, worms, date bombs, time bombs or denial of service attacks). This may cause loss of access to the system for a period of time, but such protective action shall constitute Scheduled Downtime, and Customer will be notified immediately. Unavailability caused by a Force Majeure Event will be considered Scheduled Downtime.
  4. In the event that Availability for a specific Software product is, on average, less than 90% of the Availability Target for three consecutive months, Customer may terminate this Agreement and receive a pro-rata refund of prepaid subscription fees paid for the period remaining following such termination; provided however, that if Customer fails to request in writing such termination within thirty (30) days of such event(s), no right to terminate shall remain. Outages for individual Users, which may occur for a variety of reasons including local environmental or configuration issues, shall be excluded from the Availability calculation, provided that the Software is available for other Users. Availability applies only to a Customer’s production instance, not to test or development instances. This is Circadence’s sole liability and Customer’s sole remedy with respect to Circadence’s failure to maintain Availability.

c) Other

In addition, Circadence may from time to time perform certain additional services on a time and material basis. Such additional services will be performed only upon Customer’s advance written approval and will be invoiced at Circadence’s published service rate.

4. Payment and Taxes

(a) Customer shall pay the Fees in the amounts and upon the terms set forth on the Quote for the subscription granted in Section 2(a) above, and in advance for any renewal Term.

(b) Customer shall be responsible for any taxes due upon payments to Circadence other than taxes based on Circadence’s income.

(d) All invoices are payable in full, without reduction for any offset, withholding or other claims, within 30 days after the date of invoice. For any past due invoices, Circadence may charge interest at the lesser of (i) one percent (1%) per month, or (ii) the greatest amount permitted by applicable law, in each case from the date due until paid. Notwithstanding the foregoing, failure of Customer to pay the undisputed amount of any invoices when due is a material breach of this Agreement. Circadence may, at its election, suspend performance of the Services until payment is made in full and/or terminate this Agreement and Customer’s access and subscription to the Software and Services, in addition to all other remedies available under this Agreement, at law or in equity; provided that, in the case of termination, Circadence provides written notice as required under Section 5(b).

5. Term and Termination

(a) This Agreement shall begin on the Commencement Date and continue for the number of years specified on the Order unless terminated earlier under Section 5(b) (the “Initial Term”). Following the Initial Term, this Agreement shall automatically renew for successive one year renewal Terms (each a “Renewal Term,” and collectively, the “Term”), unless either party gives written notice to the other party of termination at least thirty (30) days prior to the end of the then effective Term. Termination shall not relieve Customer of the obligation to pay any Fees accrued or payable to Circadence prior to the termination date. By executing this Agreement, Customer is agreeing to pay the full amount of Fees for the Initial Term, and any Renewal Term (as applicable), notwithstanding any early termination by Customer other than a termination by Customer for Circadence’s uncured material breach as permitted herein. The obligation of Customer to pay Fees for the full Term hereof shall apply notwithstanding any potentially conflicting language in any Exhibit or Order hereto.

(b) Circadence or Customer may terminate this Agreement, as appropriate, in whole or in part, by written notice to the other party upon the occurrence of one or more of the following events: (i) Customer’s failure to make timely payment of any undisputed amounts due hereunder within thirty (30) days after written notice of delinquency; (ii) the other party’s material breach of any other term or provision of this Agreement which, if capable of cure, remains uncured for thirty (30) days following written notice by the terminating party; (iii) the other party becomes insolvent or makes any assignment for the benefit of its creditors; (iv) any proceeding is instituted by or against the other party under any bankruptcy or similar laws for the relief of debtors and which is not dismissed within thirty (30) days of being instigated; or (v) the appointment of any trustee or receiver for any of the other party’s assets, except if such receiver requests the continuation of this Agreement.

(c) Upon termination or expiration of this Agreement, Customer shall immediately cease all use of the Software, the other Subscription Materials, and the Deliverables, immediately return to Circadence or destroy the Subscription Materials, the Deliverables, and any and all copies thereof, and certify the same to Circadence in writing within ten (10) days of such termination or expiration. Customer’s obligation to pay all amounts properly due under this Agreement, and the provisions of Sections 1, 5, 6, 7, 8(d), 9, 10, and 11 of this Agreement, shall survive the expiration or termination of this Agreement for any reason.

6. Proprietary Rights

(a) Customer acknowledges that, as between Circadence and Customer, Circadence is the exclusive owner of all rights, title and interest, including copyrights and other intellectual property rights, in and to the Subscription Materials, the Deliverables, and all related derivative works, improvements, modifications or enhancements, whether created by Circadence, Customer or any third party (“Derivatives”). If ownership of any of the Subscription Materials, Derivatives, or the Deliverables does not immediately and exclusively vest in Circadence, then, without further consideration, Customer assigns all ownership of the Subscription Materials, Derivatives, and/or the Deliverables to Circadence, immediately upon its creation, automatically and without further consideration or action by any party. At Circadence’s reasonable request, Customer shall perform any acts to transfer, perfect and defend Circadence’s ownership of the Subscription Materials, Derivatives, and/or the Deliverables.

(b) Customer shall continue to own all Customer data, products, materials and intellectual property whether now existing or hereafter created, including but not limited to any products to be used with or in the Subscription Materials or the Deliverables (“Customer Materials”); provided that Customer Materials shall not include Subscription Materials, Deliverables, or derivative works thereto. Customer represents, warrants, and covenants that: (i) it has (and will have) provided any notice and obtained all consents and rights required by applicable law to enable Circadence to lawfully collect, use, disclose or otherwise process Customer Materials or any data made available hereunder by or on behalf of Customer or its Users pursuant to this Agreement; (ii) it has full right and authority to make the Customer Materials or any data made available hereunder by or on behalf of Customer or its Users available to Circadence under this Agreement; and (iii) Circadence’s collection, use, disclosure, or processing of the Customer Materials or any data made available hereunder by or on behalf of Customer or its Users in accordance with this Agreement will not infringe upon or violate any applicable laws or any rights of any third party. 
Notwithstanding anything to the contrary in this Agreement, Customer acknowledges and agrees that Circadence may invite and allow individuals who separately may constitute registered users authorized by Customer and who may be using any Services or Software in their capacity as a representative of Customer (including a person who may be or may have been a User) (an “End User”) to create a personal profile with Circadence (a “Profile”) that may be accessible through the Services, Software, or through other sites and services offered by Circadence. In connection with an End User’s creation and use of a Profile, the End User may at his or her option (i) provide Circadence with personal and other information relating to such End User, including without limitation: name, address, gender, education, occupation, position, employer, year of birth, email address, password, Internet protocol address, telephone number, and years of experience in the cybersecurity space, and/or (ii) copy to his/her Profile certain data provided to Circadence by, or separately processed by Circadence on behalf of, Customer in connection with Customer’s use of the Services or Circadence’s performance of this Agreement, which data pertains only to the End User associated with the Profile (collectively, the “Profile Data”), and which may or may not be duplicative of data included in the Customer Materials or of data subject to the DPA. As between the parties, Circadence will own and control all Profile Data, including Profile Data that may be duplicative of data included in Customer Materials or of data subject to the DPA.

(c) Circadence reserves the sole and exclusive right to correct Errors.

(d) Circadence reserves the sole and exclusive right at its discretion to assert claims against third parties for infringement or misappropriation of the Subscription Materials, the Deliverables, or Circadence’s rights therein or thereto. Customer shall promptly notify Circadence of any infringement or misappropriation of the Subscription Materials, the Deliverables, or Circadence’s rights therein or thereto of which Customer becomes aware.

(e) Circadence shall have a royalty-free, worldwide, transferable, sublicensable, irrevocable, perpetual license to use or incorporate into the Subscription Materials any suggestions, enhancement requests, improvements, modifications, feedback, error identifications, or other information related to the Subscription Materials or any other products or services, including but not limited to data and information concerning any User’s tactics, techniques and procedures.

7. Confidentiality

(a) For purposes of this Agreement, the term “Proprietary Information” shall mean all technical, business, and other information of either party, which is not in the public domain, disclosed by one party (the “Disclosing Party”) to or obtained by the other party (the “Receiving Party”) in connection with this Agreement, whether prior to, on or after the date of this Agreement, that includes, without limitation, (i) the Subscription Materials, any information related to any programs, whether in source code or object code form, and any related technology, idea, algorithm or information contained therein, including without any limitation any trade secrets related to any of the foregoing, (ii) the Deliverables, (iii) a party’s product plans, designs, costs and prices, (iv) non-published financial information, marketing plans, business opportunities, research, development or know-how, (vi) any information designated by the Disclosing Party as confidential in writing and (vii) the terms and conditions of this Agreement.

(b) Except as expressly permitted by this Agreement, for the duration of this Agreement and for a period of five (5) years from the termination or expiration of this Agreement, the Receiving Party shall, and shall cause its employees to, treat the Proprietary Information of the Disclosing Party as confidential and secret, and not use, disclose or otherwise make available the Proprietary Information or any portion thereof to others. Any trade secret information of a party shall be maintained by the Receiving Party for as long as such information remains a trade secret.

(c) Notwithstanding anything to the contrary in this section, nothing contained herein shall restrict the Receiving Party’s right to use or disclose any Proprietary Information which (i) at the time of disclosure is or becomes generally available to the public through no act of the Receiving Party; (ii) was in the Receiving Party’s possession prior to the time of disclosure as established by Receiving Party in written records, and was not acquired directly or indirectly from the Disclosing Party; or (iii) is independently made available as a matter of right to the Receiving Party by others, provided such others did not acquire such information directly or indirectly from the Disclosing Party. In addition, the Receiving Party may use or disclose Proprietary Information (i) under confidentiality restriction to its financial and legal advisors, its insurance company, its auditors, social and tax authorities if requested, its parent company; or (ii) in application of a Court’s injunction; or (iii) to the extent disclosure is necessary for enforcement of this Agreement.

(d) The Receiving Party shall return to the Disclosing Party or destroy or erase all Proprietary Information of the Disclosing Party in tangible form: (i) upon the written request of the Disclosing Party; or (ii) except as otherwise specified herein, upon the expiration or termination of this Agreement, whichever comes first, and in both cases, the Receiving Party shall certify promptly and in writing that it has done so. To the extent Proprietary Information includes information relating to an identified or identifiable natural person (“PII”), (unless Circadence has or obtains the independent right to determine the purposes and means of processing of such PII (such as any PII included in the Profile Data)) Circadence shall delete or return all PII to Customer within thirty (30) days of receipt of Customer’s request unless applicable law requires retention of PII. For the avoidance of doubt, unless Customer requests such deletion or return of the PII, Circadence may retain such PII for a reasonable period following the end of the provision of the Services to Customer for the purpose of resuming such Services (including making such PII available to Customer) in the event of future Services renewal.

8. Limited Warranty

(a) Circadence warrants that (i) during the Term of this Agreement the Software will perform substantially in accordance with the Documentation and will be accessible pursuant to the terms of Hosting Services and (ii) the Services shall be performed in a professional and workmanlike manner in accordance with applicable industry standards.

(b) Circadence shall have no obligation under the foregoing warranties if Customer (i) fails to use the Software in accordance with the Documentation; (ii) uses the Software on computers for which the Software was not designed; (iii) modifies or alters the Software in any way; (iv) fails to install and use any fixes, patches, maintenance releases or Updates required by Circadence; or (v) is in arrears with respect to its payment obligations to Circadence. In addition, Circadence shall have no obligation hereunder with respect to any failures suffered by the Software to the extent caused by computer programs or code that are not provided by Circadence (including, without limitation, any computer viruses and other malicious code). Circadence shall be entitled to payment at its then-current rates for any time and materials spent attempting to identify or correct any failures for which Circadence has no obligation under this Section 8(b).

(c) Circadence’s sole liability and Customer’s sole remedy with respect to the foregoing warranties shall be for Circadence, at its sole option, to either (i) correct any Error and/or pay the credits as provided in Hosting Services; or (ii) refund to Customer a pro-rata amount of any prepaid subscription or license Fees paid to Circadence.

(d) Except as expressly provided in this section 8, Circadence makes no representations or warranties, express, implied or statutory, with respect to the subscription materials, the services, or the deliverables, including, without limitation, any warranty of merchantability, fitness for a particular purpose or non-infringement, and, without limiting the foregoing, Circadence hereby disclaims any warranty that the subscription materials or services provided hereunder will meet customer’s requirements or that the software will operate uninterrupted or error-free or that all errors can be corrected.

9. Indemnification

(a) During the Term of this Agreement Circadence agrees, at its own expense, to defend or, at its option, to settle, any claim or action brought against the Customer by any third party to the extent it is based on a claim that Customer’s use of the Software or the Deliverables in accordance with this Agreement infringes or violates any copyright and any patent or other third party intellectual property right, and will defend, indemnify and hold Customer harmless from and against any third-party claim or suit, including any losses, damages, or expenses arising from any such third-party claim or suit; provided, however, that this Section 9(a) does not cover, and Circadence shall have no obligation hereunder for, infringement claims arising from (i) Customer’s failure to use the Software in accordance with the Documentation; (ii) Customer’s failure to use the Software in its then current version; (iii) Customer’s failure to use any fixes, patches or Updates required by Circadence; (iv) use of the Subscription Materials in conjunction with third party products; or (v) any modification or alteration of the Subscription Materials by parties other than Circadence.

(b) The obligations of Circadence under this Section 9 to defend, indemnify and hold harmless the Customer shall be subject to the following: (i) Customer shall provide Circadence with prompt notice of the claim or suit giving rise to such obligation; provided, however, that any failure or delay in giving such notice shall only relieve Circadence of its obligations under this Section 9 to the extent it reasonably demonstrates that its defense or settlement of the claim or suit was adversely affected thereby; (ii) Circadence shall have sole control of the defense and of all negotiations for settlement of such claim or suit; and (iii) Customer shall cooperate with Circadence in the defense or settlement of any such claim or suit, provided that Customer shall be reimbursed for all reasonable out-of-pocket expenses incurred in providing any cooperation requested by Circadence. Subject to clause (ii) above, Customer may participate in the defense of any such claim or suit at its own expense.

(c) If a claim or suit for which Circadence is required to indemnify Customer under Section 9(a) above is or is likely to be brought, Circadence may require Customer to immediately discontinue its use of the Subscription Materials and Customer shall comply with such requirement, and Circadence will, at its sole option, either (i) procure for Customer the right to use the Subscription Materials or affected part thereof as provided in this Agreement; (ii) replace the Subscription Materials or affected part thereof with other non-infringing products or modify the Subscription Materials or affected part thereof to make it not infringing; or (iii) if the remedies set forth in clauses (i) and (ii) are not commercially feasible, as determined by Circadence, terminate this Agreement and the rights granted pursuant to Section 2(a) and refund to Customer a pro-rata amount of any prepaid subscription or license Fees hereunder. Circadence will not be liable for any costs or expenses incurred without its prior written authorization.

(d) Customer shall indemnify, defend, and hold Circadence harmless from and against any claim, action, proceeding, suit, or governmental investigation arising out of Customer’s breach of this Agreement.

10. Limitation on Liability

(a) To the maximum extent permitted by applicable law, neither party shall be liable or responsible for any consequential, special, incidental, indirect or similar damages of any nature arising out of or in connection with this agreement, the subscription materials, the services, or the deliverables (including, without limitation, damages for lost profits, revenues, use, data, orders or clients), whether arising in contract or under any other legal theory (including, without limitation, negligence or strict liability) or for any claim made against the other party by any other person, even if such party has been advised of the possibility of such claim.

(b) Except for Circadence’s intellectual property indemnification obligations under section 9, and Circadence’s gross negligence or intentional misconduct, in no event shall Circadence’s liability in connection with this agreement, including without limitation the subscription materials or services, whether caused by failure to deliver, nonperformance, defects, breach of warranty or otherwise, exceed the annual subscription fees paid by Customer to Circadence during the twelve-month period immediately preceding the event giving rise to such liability.

11. Miscellaneous

(a) Assignment. This Agreement, the Subscription Materials, the Deliverables, and the rights and licenses granted hereunder with respect thereto may not be assigned, sublicensed or transferred in any manner by Customer without the prior written consent of Circadence, which may be granted or withheld in Circadence’s sole discretion. Any attempt by Customer to assign, sublicense or transfer any of its rights, or delegate any of its duties or obligations under this Agreement without the prior written consent of Circadence shall be void and shall be a material breach of this Agreement. Notwithstanding the foregoing, this Agreement may be assigned, in whole or in part, by Circadence, to any company which is directly or indirectly controlled by Circadence or which controls Circadence or to a party that acquires substantially all of the assets or capital stock of Circadence.

(b) Waiver. No failure or delay on the part of either party to exercise any right or remedy hereunder shall operate as a waiver thereof, nor shall a single or partial exercise by either party of any right or remedy preclude any further exercise thereof or the exercise of any other right or remedy. No express waiver or assent by either party to any breach of or default in any term or condition of this Agreement shall constitute a waiver of or assent to any other breach of or default in the same or any other term or condition hereof.

(c) Entire Agreement. These Terms supersede all prior discussions, understandings and agreements between the parties with respect to the matters contained herein. These Terms, including the EULA and the Order, contain the sole and entire agreement between the parties with respect to the transactions contemplated herein. In the event of any conflict between any provision of this Agreement and any provision of the EULA, whichever provision is most protective of Circadence and Circadence’s intellectual property shall govern. This Agreement may not be amended or modified except by another agreement in writing executed by the parties hereto.

(d) Governing Law; Jurisdiction. The validity and effect of this Agreement shall be governed by the laws of the State of Colorado, without regard to its rules regarding conflicts of law. Any and all disputes arising from or in connection with this Agreement shall be prosecuted in a court of competent jurisdiction in Boulder or Denver, Colorado.

(e) Binding Effect. This Agreement shall inure to the benefit of and be binding upon Customer and its permitted successors and assigns, and upon Circadence and its successors and assigns.

(f) Headings. Headings as to the contents of particular sections are inserted only for convenience and shall not be construed a part of this Agreement or as a limitation on the scope of any of the terms or provisions of this Agreement.

(g) Severability. If any provision of this Agreement, or the application thereof to any person or circumstance, is held invalid, such invalidity shall not affect any other provision that can be given effect without the invalid provision or application, and to this end the provisions hereof shall be severable.

(h) Marketing. Circadence agrees to obtain Customer’s written authorization prior to publishing any information regarding Customer’s use of the Software, the Services, or the Deliverables. Notwithstanding the above, Circadence may use Customer’s name and logo in general customer lists, in Circadence marketing materials and on its website, provided that any such use is in accordance with Customer’s then-current trademark usage guidelines and that Customer is identified in a manner consistent with the identification of other names and logos in such listings.

(i) Force Majeure. Except with respect to Customer’s obligations under Section 4, neither party shall be responsible for failure or delay in performance hereunder by reason of fire, flood, riot, strikes, labor disputes, acts of terror or sabotage, freight embargoes or transportation delays, any pandemic or epidemic, acts of God or of the public enemy, war or civil disturbances, any future laws, rules, regulations or acts of any government (including any orders, rules or regulations issued by any official or agency or such government) or any other event beyond the reasonable control of such party affecting such party that would delay or prohibit performance hereunder, computer, telecommunications, Internet service provider or hosting facility failures or delays involving hardware, software or power systems not within a party’s possession or reasonable control, or any cause beyond the reasonable control of such party (a “Force Majeure Event”). Upon the occurrence of a Force Majeure Event, the party whose performance is so affected shall promptly give notice to the other party of the occurrence or circumstance upon which it intends to rely to excuse its performance. During the duration of the Force Majeure Event, the party so affected shall use its reasonable commercial efforts to avoid or remove such Force Majeure Event and shall take reasonable steps to resume its performance under this Agreement with the least possible delay.

(j) Federal Government End User Provisions. Circadence provides the Software, Subscription Materials and Services, including related software and technology, for ultimate federal government end use solely in accordance with the following: Government technical data and software rights related to the Services include only those rights customarily provided to the public as defined in this Agreement. This customary commercial license is provided in accordance with FAR 12.211 (Technical Data) and FAR 12.212 (Software) and, for Department of Defense transactions, DFAR 252.227-7015 (Technical Data – Commercial Items) and DFAR 227.7202-3 (Rights in Commercial Computer Software or Computer Software Documentation). If a government agency has a need for rights not conveyed under these terms, it must negotiate with Circadence to determine if there are acceptable terms for granting such rights, and a mutually acceptable written addendum specifically granting such rights must be included in any applicable contract or agreement.

(k) The parties will comply with the terms of the Data Processing Addendum which is incorporated herein in these Terms in its entirety. For the avoidance of doubt, Circadence may process data that is duplicative of Profile Data (including Profile Data that is regulated by the GDPR (as defined in the DPA) and/or the CCPA (as defined in the DPA)) on behalf of Customer pursuant to the DPA, while separately and simultaneously processing such Profile Data as a controller (as defined in the DPA) and/or a business (as defined in the DPA), in each case to the extent applicable.

12. Data Processing Addendum (DPA)

a) DPA

1. Defined Terms. In Sections 2 through 6 of this Data Processing Addendum (“DPA”), the following terms have the meanings given in the General Data Protection Regulation (EU) 2016/679 (“GDPR”): “controller”, “personal data”, “processor”, “data subject” and “processing”.

2. Subject Matter, Nature, Purpose and Duration. Sections 1 through 6 of this DPA apply to the processing of personal data that is regulated by the GDPR by Circadence solely on behalf of Customer for the purpose of providing the Services, excluding Profile Data (“EU Personal Data”). As between the parties, (i) Customer is a controller and Circadence is a processor on behalf of Customer with regard to EU Personal Data or (ii) Customer is a processor and Circadence is a subprocessor on behalf of Customer with regard to EU Personal Data. The subject matter of EU Personal Data processing, including the purpose and nature of the processing operations carried out by Circadence on behalf of Customer, the type of EU Personal Data subject to this DPA and the categories of data subjects to whom such EU Personal Data relates, as well as Customer’s data processing instructions for Circadence, are set forth on Attachment A to this DPA and as otherwise provided in reasonable written instructions by Customer to Circadence from time to time. This DPA shall remain in effect, and the duration of the processing under this DPA shall continue, as long as Circadence carries out EU Personal Data processing operations on behalf of Customer or until the termination of the Agreement (and all EU Personal Data has been returned or deleted in accordance with Section 3(g)).

3. Processing Covenants. In processing EU Personal Data hereunder, Circadence shall:

a. process EU Personal Data only on documented instructions from Customer, unless otherwise required to do so by applicable law, in which case Circadence will inform Customer of that legal requirement before processing, unless applicable law prohibits Circadence from informing Customer. For the avoidance of doubt, this DPA shall constitute Customer’s documented instructions to Circadence to process EU Personal Data in connection with Circadence’s provision of the Services to Customer;

b. use commercially reasonable efforts intended to ensure that persons authorized to process EU Personal Data hereunder have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality or are subject to ethical rules of responsibility that include confidentiality;

c. taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement commercially reasonable technical and organizational measures intended to meet the security requirements described in Article 32 of the GDPR;

d. taking into account the nature of the processing, use commercially reasonable efforts to assist Customer, at Customer’s expense, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subjects’ rights with respect to their EU Personal Data under the GDPR and any applicable national implementing legislation, regulations and secondary legislation relating to the processing of EU Personal Data (the “Data Protection Laws”);

e. taking into account the nature of processing and the information available to Circadence, use commercially reasonable efforts to assist Customer, at Customer’s expense, in ensuring compliance with Customer’s obligations described in Articles 32 through 36 of the GDPR;

f. notify Customer promptly if Circadence becomes actually aware of a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, EU Personal Data (an “EU Personal Data Incident”), provided that the provision of such notice by Circadence shall not be construed as an acknowledgement of fault or liability with respect to any such EU Personal Data Incident;

g. at the choice of Customer, and upon Customer’s written request, delete or return all EU Personal Data to Customer within thirty (30) days after the end of the provision of Services to Customer and delete existing copies unless applicable law requires retention of EU Personal Data; and

h. make available upon Customer’s reasonable request information reasonably necessary to demonstrate material compliance with the obligations laid down in this DPA and allow for and contribute to audits (each, an “Audit”), at Customer’s expense, including inspections of processing facilities under Circadence’s control, conducted by Customer or another auditor chosen by Customer (an “Auditor”), during normal business hours, no more frequently than once during any twelve (12) month period, and upon reasonable prior notice, provided that no Auditor shall be a competitor of Circadence, and provided further that in no event shall Customer have access to the information of any other client of Circadence and the disclosures made pursuant to this Section 3(h) (“Audit Information”) shall be held in confidence as Circadence’s confidential information and subject to any confidentiality obligations in the Agreement, including Section 7 thereof, and provided further that no Audit shall be undertaken unless or until Customer has requested, and Circadence has provided, documentation pursuant to this Section 3(h) and Customer reasonably determines that an Audit remains necessary to demonstrate material compliance with the obligations laid down in this DPA. Without limiting the generality of any provision in the Agreement, Customer shall employ the same degree of care to safeguard Audit Information that it uses to protect its own confidential and proprietary information and in any event, not less than a reasonable degree of care under the circumstances, and Customer shall be liable for any improper disclosure or use of Audit Information by Customer or its agents.

4. Subprocessors. Customer hereby grants Circadence general authorization to engage another processor to process EU Personal Data on behalf of Circadence (each, a “subprocessor”) to assist Circadence in processing EU Personal Data as set out in this DPA. Circadence shall enter into contractual arrangements with such subprocessors requiring the same level of data protection compliance and information security as that provided for herein. Customer hereby consents to the processing of EU Personal Data by, and the disclosure and transfer of EU Personal Data to, the subprocessors listed on Attachment B to this DPA. Circadence shall inform Customer of any intended changes concerning the addition or replacement of subprocessors at least ten (10) calendar days before the new subprocessor processes EU Personal Data. Customer may object to such changes in writing within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection (an “Objection”). In the event of an Objection, the parties will discuss such concerns in good faith with the intention of achieving a resolution. If the parties are not able to achieve a resolution as described in the previous sentence, Customer, as its sole and exclusive remedy, may terminate the Agreement for convenience, on the condition that Customer provides written notice to Circadence within five (5) calendar days of being informed of the engagement of the subprocessor. Customer shall not be entitled to any refund of fees paid prior to the date of any termination pursuant to this Section 4.

5. Customer Obligations. Customer represents, warrants, and covenants that (i) it shall comply with its obligations as a controller under the GDPR in respect of its processing of EU Personal Data and any processing instructions it issues to Circadence as referred to in Section 3(a); (ii) it has provided notice and obtained all consents and rights required by the Data Protection Laws to transfer the EU Personal Data outside the European Economic Area or United Kingdom and for Circadence to process EU Personal Data pursuant to the Agreement and this DPA; and (iii) the processing of EU Personal Data by Circadence upon the documented instructions of Customer under Section 3(a) shall have a lawful basis of processing pursuant to Article 6 of the GDPR. If Customer is a processor, Customer represents and warrants to Circadence that Customer’s instructions and actions with respect to EU Personal Data, including its appointment of Circadence as another processor, have been duly authorized by the relevant controller. Customer shall indemnify, defend and hold Circadence harmless against any claims, actions, proceedings, expenses, damages and liabilities (including without limitation any governmental investigations, complaints and actions) and reasonable attorneys’ fees arising out of Customer’s violation of this Section 5. Notwithstanding anything to the contrary in the Agreement, Customer’s indemnification obligations under this Section 5 shall not be subject to any limitations of liability set forth in the Agreement.

6. Data Transfer. Customer hereby consents to the transfer of EU Personal Data to, and the processing of EU Personal Data in, the United States of America and/or any other jurisdiction in which Circadence or its subprocessors have operations. The parties hereby enter into the Standard Contractual Clauses for Processors, as approved by the European Commission under Decision 2010/87/EU, attached hereto as Attachment C (the “SCCs”) and made a part of this DPA in their entirety.

7. Other Data. Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Circadence shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as product development and sales and marketing. To the extent any such data is considered personal data (as defined in, and regulated by the GDPR (as defined in Section 1)), then, to the extent Circadence is subject to the GDPR, Circadence is the controller (as defined in the GDPR) of such data and accordingly shall process such data in accordance with Circadence’s privacy policy and the GDPR. From and after the CCPA Effective Date (as defined in Section 8), to the extent any such data is considered personal information (as defined in, and regulated by, the CCPA (as defined in Section 8)), then, to the extent Circadence is subject to the CCPA as a business (as defined in the CCPA), Circadence is the business with respect to such data and accordingly shall process (as defined in the CCPA) such data in accordance with Circadence’s privacy policy and the CCPA.

8. CCPA Provisions. This Section 8 shall apply from and after the CCPA Effective Date (as defined below) and shall not apply before such CCPA Effective Date. As between the parties, Circadence is a service provider to Customer with respect to Consumer Information (as defined below).

a. In this Section 8:

i. “CCPA” means the California Consumer Privacy Act of 2018.

ii. “CCPA Effective Date” means January 1, 2020 or the date the CCPA becomes enforceable, whichever is later.

iii. “Consumer Information” means any personal information that is processed by Circadence solely on behalf of the Customer, but excludes Profile Data.

iv. “Medical Information” means any Consumer Information, in electronic or physical form, regarding a California resident’s medical history or medical treatment or diagnosis by a health care professional.

v. “Health Insurance Information” means a California resident’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the California resident, or any information in a California resident’s application and claims history, including any appeals records.

vi. “Sensitive Consumer Information” means any Consumer Information that constitutes either of the following: (A) California resident’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (I) social security number; (II) driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific California resident; (III) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to a California resident’s financial account; (IV) Medical Information; (V) Health Insurance Information; or (VI) unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific California resident (except that unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes); or (B) a username or email address in combination with a password or security question and answer that would permit access to an online account. Sensitive Consumer Information does not include publicly available Consumer Information that is lawfully made available to the general public from federal, state, or local government records.

vii. The following terms have the meanings given in the CCPA: “personal information”, “processing”, “service provider”, “sell”, “selling”, “sale” and “sold”.

b. From and after the CCPA Effective Date, except as otherwise required by applicable law, Circadence shall:

i. process the Consumer Information for the business purpose of providing the Services or as otherwise permitted by the CCPA;

ii. implement and maintain commercially reasonable security procedures and practices appropriate to the nature of the Sensitive Consumer Information (if any) intended to protect such Sensitive Consumer Information from unauthorized access, destruction, use, modification, or disclosure;

iii. not retain, use or disclose Consumer Information for any purpose outside the scope of the business relationship of the parties and other than for the specific purpose of performing the Services (nor retain, use, or disclose the Consumer Information for a commercial purpose other than providing the Services) or as otherwise permitted by the CCPA as applicable to service providers;

iv. not collect or use Consumer Information except as reasonably necessary to provide the Services;

v. not sell the Consumer Information;

vi. to the extent necessary, use commercially reasonable efforts to assist Customer, at Customer’s expense, in Customer’s fulfilment of Customer’s obligation to respond to California residents’ requests to exercise rights with respect to their Consumer Information under the CCPA; and

vii. use commercially reasonable efforts to assist Customer, at Customer’s expense, to the extent necessary to support Customer’s compliance with Customer’s obligations under the CCPA.

c. Circadence understands the restrictions provided in Sections 8(b)(iii) and 8(b)(v) and will comply with them.

d. Customer represents, warrants and covenants that (i) it shall comply with its obligations under the CCPA in respect of its processing of Consumer Information and any processing instructions it issues to Circadence; and (ii) it has provided notice (including pursuant to Section 1798.135 of the CCPA) and obtained all consents and rights required by the CCPA for Circadence to process Consumer Information pursuant to the Agreement and this DPA. Customer shall indemnify, defend and hold Circadence harmless against any claims, actions, proceedings, expenses, damages and liabilities (including without limitation any governmental investigations, complaints and actions) and reasonable attorneys’ fees arising out of Customer’s violation of this Section 8(d). Notwithstanding anything to the contrary in the Agreement, Customer’s indemnification obligations under this Section 8(d) shall not be subject to any limitations of liability set forth in the Agreement.

e. Nothing in this DPA shall prevent Circadence from engaging its own service providers in the processing of Consumer Information, provided that Circadence shall enter into contractual arrangements with such service providers requiring a substantially similar level of data protection compliance and information security as that provided in this Section 8 with respect to Consumer Information.

b) Attachment A

Subject Matter, Nature, Purpose and Duration of the Processing

1- Type of EU Personal Data:

EU Personal Data of representatives and users of Customer and students of Customer (if Customer is an educational institution), including without limitation: name, username, address, gender, education, occupation, position, employer, year of birth, email address, password, years of experience in the cybersecurity space, Internet protocol address, telephone number, and any information input into the Services’ chat functionality by any representatives or users of Customer or students of Customer (if Customer is an educational institution).

2- Categories of Data Subject:

Representatives and users of Customer; students of Customer (if Customer is an educational institution); and any individuals to whom any information input into the Services’ chat functionality by any representatives or users of Customer or students of Customer (if Customer is an educational institution) relates.

3- Subject Matter and Purposes for which EU Personal Data is Processed:

To provide the Services to Customer by Circadence in accordance with the Agreement.

4- Nature of the Processing:

The EU Personal Data will be subject to basic processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing Services by Circadence to Customer in accordance with the terms of the Agreement.

c) Attachment B

Subprocessors

1. Involta, LLC

2. ScaleMatrix Holdings, Inc.

3. Microsoft Corporation (Azure)

4. Concentric Sky, Inc. (Badgr)

5. Salesforce.com, Inc.

6. MongoDB, Inc.

d) Attachment C

STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Customer (the ‘data exporter’)

And

Circadence Corporation (the ‘data importer’)

each a ‘party’; together ‘the parties’,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

any accidental or unauthorised access; and

any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

4. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

5. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

6. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

7. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

8. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9

Governing law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Sub-processing

9. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.

10. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

11. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

12. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data-processing services

1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

Appendix 1

to the Standard Contractual Clauses (Attachment C)

This Appendix forms part of the Clauses and must be completed and signed by the parties. By signing the signature page to the Agreement, the parties will be deemed to have signed this Appendix 1.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

Service recipient of data importer

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

Service provider for data exporter

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

Representatives and users of data exporter; students of data exporter (if data exporter is an educational institution); and any individuals to whom any information input into the Services’ chat functionality by any representatives or users of data exporter or students of data exporter (if data exporter is an educational institution) relates.

Categories of data

The personal data transferred concern the following categories of data (please specify):

Personal data of representatives and users of data exporter and students of data exporter (if data exporter is an educational institution), including without limitation: name, username, address, gender, education, occupation, position, employer, year of birth, email address, password, years of experience in the cybersecurity space, Internet protocol address, telephone number, and any information input into the Services’ chat functionality by any representatives or users of data exporter or students of data exporter (if data exporter is an educational institution).

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

None presently contemplated by this arrangement.

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

The personal data will be subject to basic processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing services to data exporter in accordance with the terms of the Agreement.

Appendix 2

to the Standard Contractual Clauses (Attachment C)

This Appendix forms part of the Clauses and must be completed and signed by the parties. By signing the signature page to the Agreement, the parties will be deemed to have signed this Appendix 2.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data importer has implemented appropriate technical and organizational measures intended to ensure a level of security appropriate to the risk.

End User License Agreement (EULA)

Property Rights

Copyright

Copyright © 2010-2023 Circadence Corporation. All rights reserved.

All content, including the compilation of all content, on this website is the exclusive property of Circadence or its content suppliers and is protected by U.S. and international copyright laws. You are authorized to view, copy, print and distribute content found on this website provided that you use the content for informational purposes only, you do not use the content for any commercial purpose, and you retain this copyright notice.

Copyright Infringement

If you believe that your copyright in any material has been infringed by Circadence or by a third party who has made such material available for delivery from this website, please provide the following information to the person designated below: a description of the copyrighted work together with a description of where the material is located (e.g., a URL or the like) or otherwise can be found; your contact information (address, telephone number and e-mail) and your electronic or physical signature; a statement that you have a good faith belief that material identified is not authorized by the copyright owner or its agent; and a further statement by you under penalty of perjury that the information provided is accurate and that you are authorized to make the complaint on the copyright owner’s behalf.

If you believe your copyright material is being used on this website without permission, please notify the designated copyright agent, Peter-Christian Olivo, at Circadence Corporation, 1900 9th Street, Suite 300, Boulder, Colorado 80302, 303-413-8837 or email [email protected].

Patents

Portions, features and/or functionality of Circadence’s products are protected under one or more of the following United States Patent Numbers:

6,390,922, 6,179,713, 6,050,898, 5,964,660, 7,043,563, 7,120,662, 7,155,539, 7,020,783, 7,111,006, 7,127,518, 7,143,195, 6,990,531, 7,450,495, 7,330,435, 7,257,081, 7,120,120, 6,836,465, 7,525,920, 7,975,066, 8,065,399, 8,024,481, 2,730,021, 7,962,654, 8,195,823, 8,510,468, 8,218,447, 8,463,935, 8,417,770, 8,386,641, 8,977,711, 8,898,340, 8,977,712, 9,148,293, 9,380,129, 8,996,705, 9,432,296, 9,185,185, 9,578,124, 10,056,005, 9,436,542, 9,723,105, 9,923,987, 10,033,840, 10,238,948, 10,154,115, 10,205,795, 10,329,410, 10,515,564, 10,518,162, 10,516,751.

and the following foreign patent numbers: EP0284436, EP02786767, EP 02789833, AU2016327973

as well as Patents Pending in the United States and other countries.

Trademarks

Circadence, the Circadence logo, Project Ares, Project Ares logo, Trivia Loot, CyberBridge, NexAgent and RegExile are trademarks or registered trademarks of Circadence. All other trademarks mentioned in this website are the property of their respective owners. The trademarks and logos displayed on this website may not be used without the prior written consent of Circadence or their respective owners.