Subscription Services Agreement

Terms of Service

1.     Terms of Service. Customer acknowledges and agrees to the following Terms of Service, which together with any [Estimate/Order Form and any Statements of Work] entered into between Customer and Solartis, will govern Customer’s access and use of the Service and of any Professional Services set forth in a Statement of Work (collectively, the “Agreement”). Any terms and conditions in Customer’s purchase order forms or any other Customer forms that are inconsistent with or in addition to the terms and conditions contained in this Agreement will have no force or effect and are hereby rejected.

Capitalized terms shall have the meaning given to them in Section 12 (Definitions) below or as otherwise defined in the Agreement. In addition, Customer agrees that unless explicitly stated otherwise, any new features that augment or enhance the Service, and/or any new service(s) subsequently procured by the Customer from Solartis will be subject to this Agreement.

2.     Customer Must Have Internet Access. DSL, cable or another high-speed Internet connection is required for proper transmission of the Service. Customer is responsible for procuring and maintaining the network connections that connect the Customer network to the Service, including, but not limited to, "browser" software that supports HTML 5, and to follow logon procedures for services that support such protocols. Solartis is not responsible for notifying Customer of any upgrades, fixes or enhancements to any such software, or for any compromise of data transmitted across computer networks or telecommunications facilities (including but not limited to the Internet) which are not owned or operated by Solartis. Solartis assumes no responsibility for the reliability or performance of any connections as described in this Section. Solartis does not warrant or guarantee that the Services are compatible currently or will remain compatible in the future with any specific “browser” software.

2.1     Accuracy of Customer’s Contact Information. Customer shall provide accurate, current and complete information on Customer’s legal business name, address, email address, and phone number, and maintain and promptly update this information if it should change.

2.2     Users: Passwords, Access, and Notification. Customer shall authorize each User to which it wishes to grant access to the Service and assign each User a unique password and username for their access to and use of the Service. User logins are for designated Users and cannot be shared or used by more than one User, but any User login may be reassigned to another User as needed. Customer will be responsible for the confidentiality and use of User’s passwords and usernames. Customer will also be responsible for all Electronic Communications, including those containing business information, account registration, account holder information, financial information, Customer Data, and all other data of any kind contained within emails or otherwise entered electronically through the Service or under Customer’s account. Solartis will act as though any Electronic Communications it receives under Customer’s passwords, username, and/or account number will have been sent by Customer.

Customer will use all reasonable efforts to prevent unauthorized access to or use of the Service and will promptly notify Solartis of any unauthorized access or use of the Service and any loss or theft or unauthorized use of any User’s password or name and/or Service account numbers. [Customer will have no limit on the number of usernames and passwords.]

2.3     Lawful Conduct. The Solartis Cloud Service allows Customer to send Electronic Communications directly to Solartis and to third parties. Each party will comply with all applicable local, state, federal, and foreign laws, treaties, regulations, and conventions in connection with its provision or use of the Service, as applicable, including without limitation those related to privacy, electronic communications and anti-spam legislation. Customer is responsible for ensuring that its use of the Solartis Cloud Service to store or process credit card data complies with applicable Payment Card Industry Data Security Standards (“PCI DSS”) requirements. Customer shall comply with the export laws and regulations of the United States and other applicable jurisdictions in using the Solartis Cloud Service and obtain any permits, licenses and authorizations required for such compliance. Without limiting the foregoing, (i) Customer represents that it is not named on any U.S. government list of persons or entities prohibited from receiving exports, (ii) Customer shall not permit Users to access or use the Solartis Cloud Service in violation of any U.S. export embargo, prohibition or restriction, and (iii) Customer shall comply with all applicable laws regarding the transmission of technical data exported from the United States and the country in which its Users are located. Customer will not send any Electronic Communication from the Solartis Cloud Service that is unlawful, harassing, libelous, defamatory or threatening. Except as permitted by this Agreement, no part of the Solartis Cloud Service may be copied, reproduced, distributed, republished, displayed, posted or transmitted in any form or by any means. Customer agrees not to access the Solartis Cloud Service by any means other than through the interfaces that are provided by Solartis. 
Customer shall not do any "mirroring" or "framing" of any part of the Solartis Cloud Service, or create Internet links to the Solartis Cloud Service which include log-in information, usernames, passwords, and/or secure cookies. Customer shall not in any way express or imply that any opinions contained in Customer’s Electronic Communications are endorsed by Solartis. Customer shall ensure that all access and use of the Solartis Cloud Service by Users is in accordance with the terms and conditions of this Agreement, including but not limited to those Users that are contractors and agents, and Customer’s Affiliates. Any action or breach by any of such Users shall be deemed an action or breach by Customer and Customer waives all of those defenses that Customer may have as to why Customer should not be liable for Customer’s Users’ acts, omissions and noncompliance with this Agreement.

2.4    Data Processing and Protection. Each party will comply with Data Law applicable to such party in its performance or receipt of Services under the Agreement or to the Covered Personal Data. Customer is the data controller under the Agreement, and Solartis is the data processor. Solartis will Process Covered Personal Data solely for the purpose of providing the Services under the Agreement and in accordance with the provisions of the Agreement and applicable Data Laws.

Customer represents and warrants that: (i) it will not disclose any Covered Personal Data to Solartis save where this is lawful and in a form which is lawful and (ii) the sharing of the Covered Personal Data pursuant to the Agreement is carried out in accordance with any notices supplied to and consents, if any, obtained from Data Subjects. Each party represents and warrants that it will not Process any Covered Personal Data other than in accordance with Data Law applicable to such party in its performance or receipt of Services under the Agreement or to the Covered Personal Data. Solartis agrees to keep confidential all Covered Personal Data it Processes pursuant to the Agreement. Solartis may disclose Covered Personal Data to its employees, officers, representatives, advisers or contractors (“Processors”) who need to know such information to fulfill Solartis’s obligations under the Agreement. Solartis agrees to implement appropriate technical and organizational measures to protect Covered Personal Data against unauthorized or accidental access, loss, alteration, disclosure, destruction or other unauthorized or unlawful forms of access, misuse and Processing.

Each party agrees to comply with the Solartis Information Security and Data Privacy Addendum (the “Security Addendum”), attached hereto as Exhibit A. During the Term, Solartis may make changes to the Security Addendum in its sole judgment. Without limiting the foregoing, Solartis agrees to use reasonable efforts to take prompt and appropriate action to address and remediate any unauthorized disclosure or acquisition of or access to Covered Personal Data and to cooperate with Customer in rectifying such disclosure, as further described in Exhibit A attached hereto. Subject to the cap in Section 7, Solartis will bear certain reasonable, direct, out-of-pocket costs and expenses of reasonable and legally required remediation to the extent Solartis’s breach of its obligations under this Agreement results in the actual, unauthorized disclosure or acquisition of or access to Covered Personal Data (“Remediation Costs”); provided, that any unauthorized disclosure or acquisition of or access to Covered Personal Data caused by the actions or breach of obligations of a third party, including any contractor or Processor of Solartis, will not be attributed to Solartis, and Solartis will not be responsible for any Remediation Costs related to such event. Upon reasonable request by Customer, Solartis will provide Customer with an update on Solartis’s remediation actions. Solartis will notify Customer of any reports made by Solartis directly to the appropriate legal authorities regarding such unauthorized disclosure of Covered Personal Data. Solartis will use reasonable efforts to coordinate with Customer before making any report directly to legal authorities. To the extent that it may do so, Solartis will cooperate with Customer in the reporting of information to legal authorities and/or affected individuals. 
Solartis agrees to return (or destroy, if specifically requested to do so by Customer and otherwise as set forth in the Security Addendum) the Covered Personal Data or any part thereof and all copies thereof upon request of Customer or upon Solartis’s determination that it no longer has a need for such Confidential Information or Covered Personal Data. Solartis will implement and follow disposal procedures in accordance with industry standard and applicable law.


2.5     Security. Solartis agrees to maintain standard industry administrative, physical and technical safeguards for the protection, confidentiality and integrity of Customer Data. During the Term, Solartis agrees to maintain PCI DSS compliance for the portions of the Solartis Service that store and process credit card data and will ensure performance of an annual SSAE 18 (SOC 1, Type 1 and Type 2) / ISAE 3402 Type II Report or similar third party audit to an established industry standard selected by Solartis. No more than once per year, Customer may receive a copy of Solartis’s final SSAE 18 (SOC 1, Type 1 and Type 2) / ISAE 3402 Type II Report* that covers the prior calendar year, which will be provided to Customer at no charge.

2.6    Third Party Web Sites, Products and Services. Solartis may offer certain Third Party Applications for sale under Estimate/Order Forms. Any procurement of such Third Party Applications by Customer will be subject to the terms specified in such Estimate/Order Forms[; provided, however that Customer’s procurement of such Third Party Applications is not required to use the Services identified in the initial Estimate/Order Forms entered into by the parties. Solartis will notify Customer on any subsequent Estimate/Order Form entered into by the parties if such Third Party Applications are required to use the Services being acquired by Customer through such subsequent Estimate/Order Form].

In addition, Solartis or third party providers may offer Third Party Applications or services, including implementation, customization and other consulting services related to Customers’ use of the Solartis Cloud Service. Except as set forth in the Estimate/Order Form, Solartis does not warrant any such Third Party Applications or services, regardless of whether or not such Third Party Applications or services are provided by a third party that is a member of a Solartis partner program or otherwise designated by Solartis as "certified," "approved" or “recommended.” Any procurement by Customer of any Third Party Applications or services is solely between Customer and the applicable third party provider. Solartis is not responsible for any other aspect of such Third Party Applications or services that Customer may procure or connect to through the Solartis Cloud Service, or any descriptions, promises or other information related to the foregoing. If Customer installs or enables Third Party Applications or services for use with the Solartis Cloud Service, Customer agrees that Solartis may allow such third party providers to access Customer Data as required for the interoperation of such Third Party Applications with the Solartis Cloud Service, and any exchange of data or other interaction between Customer and a third party provider is solely between Customer and such third party provider. Customer represents that it has the right to provide the Customer Data to Solartis for this purpose. Solartis will not be responsible for any disclosure, modification or deletion of Customer Data resulting from any such access by Third Party Applications or third party providers. No procurement of such Third Party Applications or services is required to use the Services unless Solartis notifies Customer on an Estimate/Order Form that such Third Party Applications are required to use the Services.

2.7    Transmission of Data. Customer understands that the technical processing and transmission of Customer’s Electronic Communications is fundamentally necessary to use the Services. Customer expressly consents to Solartis’s access to and use and storage of Electronic Communications and/or Customer Data, and Customer acknowledges and understands that Customer’s Electronic Communications will involve transmission over the Internet, and over various networks, only part of which may be owned and/or operated by Solartis. Customer further acknowledges and understands that Electronic Communications may be accessed by unauthorized parties when communicated across the Internet, network communications facilities, telephone or other electronic means. Solartis is not responsible for any Electronic Communications and/or Customer Data which are delayed, lost, altered, intercepted or stored during the transmission of any data whatsoever across networks not owned and/or operated by Solartis, including, but not limited to, the Internet and Customer’s local network.

2.8    Service Level. During the Term, the Solartis Cloud Service will meet the service level specified in the “Service Level Commitment” as set forth in the Solartis website located at www.Solartis.com/service-level-commitment/.

For Solartis Outsourcing Services the parties will agree, within sixty (60) calendar days after the Contract Effective Date, to the:

(1)     service levels that Solartis will use commercially reasonable efforts to meet in the performance of the Services; and

(2)    time period during which the service levels will be measured. If the applicable Service fails to achieve the service level, then Customer will be entitled, as its sole and exclusive remedy, to a credit for the applicable Service in accordance with the terms set forth in the Service Level Commitment.

The respective Service’s system logs and other records will be used for calculating any service level events.

2.9     Solartis’s Support. As part of the Solartis Cloud Service, Solartis will provide Customer with online resources to assist Customer in its use of the Service. Solartis also offers optional and “for fee” training classes, professional services consultation and support services.

If Customer has procured Solartis Support Services, the parties will follow the following procedure for Service use issue response time and categorization of security levels:

Customer will assign in its reasonable judgment a Service usage issue into one of the following categories of severity levels and Solartis will respond based on such severity levels according to the response guidelines respectively provided below, unless Solartis reasonably rejects Customer’s classification:

Severity Level 1, Critical Defects – a defect that causes the Service to become completely unusable;

Severity Level 2, Major Defects – a major defect that affects the functionality of the Service such that the defect (1) cannot be circumvented so that the programs can be used, or (2) causes a program or feature of the Service to be unusable, although other programs or features remain unaffected, or (3) causes certain features of the Service to become somewhat disabled, gives incorrect results, or causes the Service not to conform to the specifications for such service provided by Solartis to its customers generally at such time for the version implemented by or for Customer;

Severity Level 3, Minor Defects – A minor defect has no significant effect on the functionality of the Service or the usability of the support materials; and

Severity Level 4, Enhancements – a suggested addition, modification, or improvement whose absence does not render the Service unusable, cause it not to conform to its documentation, or cause incorrect results.

 


| | Severity 1 (Critical/Blocker Defect) | Severity 2 (Major Defect) | Severity 3 (Minor Defect) | Severity 4 (Enhancement) |
|---|---|---|---|---|
| Acknowledgment | 1 normal hour during business hours | 4 hours during normal business hours | 8 hours during normal business hours | 24 hours during normal business hours |
| Communication | Status calls will be held at least twice per business day until issue is resolved | Status calls will be held at least once per business day until issue is resolved | Customer will be notified of the defect and proposed solution | Customer will be notified of the proposed enhancement |
| Resolution | 24-hour response with a software fix after the issue is reproduced by Solartis | 4 calendar days with a software fix after the issue is reproduced by Solartis | Minor Defects will be resolved in a software update or new release | Enhancements will be implemented in a software update or new release |
| Escalation | Solartis management team notified immediately | Solartis management team notified if not resolved within 5 business days | N/A | N/A |





 

2.10    Confidentiality. For purposes of this Agreement, “Confidential Information” will mean any information of either party (“Disclosing Party”) which is disclosed to the other party (“Receiving Party”) pursuant to this Agreement, including the terms of this Agreement, Customer Data, each party’s proprietary technology, business processes and technical product information, designs, issues, all communication between the parties regarding the Service and Professional Services and any information that is clearly identified in writing at the time of disclosure as confidential, or, if disclosed orally, which the Disclosing Party has indicated is confidential or proprietary, or any other information disclosed, which the Receiving Party, under the circumstances surrounding its disclosure, should know is treated as confidential and proprietary information of the Disclosing Party.

Notwithstanding the foregoing, Confidential Information will not include information which: (1) is known publicly; (2) is generally known in the industry before disclosure; (3) has become known publicly, without fault of the Receiving Party; (4) the Receiving Party becomes aware of from a third party not bound by non-disclosure obligations to the Disclosing Party and with the lawful right to disclose such information to the Receiving Party; or (5) is aggregate data regarding use of Solartis’s products and services that does not contain any personally identifiable or Customer-specific information.

Each party agrees: (a) to keep strictly confidential all Confidential Information; (b) not to use or disclose Confidential Information except to the extent necessary to perform its obligations or exercise rights under this Agreement or as directed by the Disclosing Party; (c) to protect the confidentiality thereof in the same manner as it protects the confidentiality of similar information and data of its own (at all times exercising at least a reasonable degree of care in the protection of such Confidential Information, including but not limited to inputting credit card data and social security numbers only in the fields designated for such data in the Solartis Cloud Service) and to make Confidential Information available to authorized persons only on a “need to know” basis. Either party may disclose Confidential Information on a need to know basis to its contractors and service providers who have executed written agreements requiring them to maintain such information in strict confidence and use it only to facilitate the performance of their services in connection with the performance of this Agreement or Customer’s access to and use of the Services. Notwithstanding the foregoing, this Section will not prohibit the disclosure of Confidential Information to the extent that such disclosure is permitted by law or order of a court or other governmental authority or regulation.

2.11    Initial Term and Renewal. The Initial Term commences on the Contract Effective Date. Upon the expiration of the Initial Term, this Agreement will automatically renew for successive one-year terms (the “Renewal Term(s)”) from the expiration date of the Initial Term or the prior Renewal Term on the terms and conditions set forth in this Agreement and at Solartis’s then current standard fees, unless either party notifies the other in writing not less than [thirty (30) calendar days] prior to the expiration date of the Initial Term or any Renewal Term of its intent not to renew this Agreement. The Initial Term and any applicable Renewal Terms are collectively referred to herein as the “Term.” In the case of free trials, notifications provided through the Service indicating the remaining number of days in the free trial will constitute notice of termination. Each Statement of Work will commence on the date it is last signed, and will expire upon completion of the project set forth in the applicable Statement of Work, or as otherwise set forth in the applicable Statement of Work.

2.12     Ownership of Customer Data. As between Solartis and Customer, all title and intellectual property rights in and to the Customer Data is owned exclusively by Customer.

Customer acknowledges and agrees that in connection with Service, Solartis makes daily backup copies of the Customer Data in Customer’s account and stores and maintains such data for a period of time consistent with Solartis standard business processes, but not less than five (5) years.

2.13    Solartis Intellectual Property Rights. Customer agrees that as between the parties all rights, title and interest in and to the Services and all intellectual property rights related thereto are owned exclusively by Solartis or its licensors. Except as expressly provided in this Agreement, the license granted to Customer does not convey any rights in the Solartis Cloud Service, express or implied, or ownership in the Solartis Cloud Service or any intellectual property rights thereto.

In addition, Solartis will have a royalty-free, fully-paid, worldwide, transferable, sublicensable, irrevocable, and perpetual license to use or incorporate into the Solartis Cloud Service any suggestions, enhancement requests, recommendations or other feedback provided by Customer, including users, relating to the operation of the Solartis Cloud Service and not specifically related to the Customer Data or Customer’s business. All rights not expressly granted herein are reserved by Solartis. Solartis service marks, logos and product and service names are marks of Solartis (the "Solartis Marks"). Customer agrees not to display or use the Solartis Marks in any manner without Solartis’s express prior written permission. The trademarks, logos and service marks of Third Party Application providers ("Marks") are the property of such third parties. Customer is not permitted to use these Marks without the prior written consent of such third party which may own the Mark.

2.14    [Federal Government End User Provisions. If User is the US Federal Government, Solartis provides the Solartis Cloud Service, including related software and technology, in accordance with the following: Government technical data and software rights related to the Service include only those rights customarily provided to the public as defined in this Agreement. This customary license is provided in accordance with FAR 12.211 (Technical Data) and FAR 12.212 (Software) and, for Department of Defense transactions, DFAR 252.227-7015 (Technical Data – Commercial Items) and DFAR 227.7202-3 (Rights in Commercial Computer Software or Computer Software Documentation). If a government agency has a need for rights not conveyed under these terms, it must negotiate with Solartis to determine if there are acceptable terms for transferring such rights, and a mutually acceptable written addendum specifically conveying such rights must be included in any applicable contract or agreement.]

2.15    Dispute Resolution. Each party agrees that before it or any employee, agent or representative of the party files a claim or suit with a federal or state agency or court or other public forum, other than any claim or action for injunctive relief, it will provide thirty (30) days prior written notice to the other and that, within such thirty (30) day period (or longer, if extended by mutual desire of the parties), authorized representatives of the parties will meet (or confer by telephone) at least once in a good faith attempt to resolve the perceived dispute.

3.     [Professional Services

3.1    Scope of Professional Services. Subject to the terms and conditions of this Agreement [that are explicitly applicable to Professional Services], Solartis will provide Customer with Professional Services as set forth in applicable statements of work and/or an Estimate/Order Form for Professional Services mutually executed by Solartis and Customer (each, a “Statement of Work” or “SOW”). Solartis and Customer may, from time to time, execute Statements of Work that specify the professional services to be provided to Customer hereunder (the “Professional Services”). Each Statement of Work will include, at a minimum: (i) a description of the Professional Services and any work product or other deliverables and/or training materials to be developed and/or provided to Customer (each, a “Deliverable”); (ii) the scope of Professional Services; and (iii) the applicable fees and payment terms for such Professional Services, if not elsewhere specified. All Statements of Work will be deemed part of and subject to this Agreement.

3.2    Change Management Process. In the event that Customer or Solartis requests a change in any of the specifications, requirements, Deliverables, or scope (including drawings and designs) of the Professional Services described in any Statement of Work, the party seeking the change will propose the applicable changes by written notice. Within forty-eight (48) hours of receipt of the written notice, each party’s project leads will meet, either in person or via telephone conference, to discuss and agree upon the proposed changes. Solartis will prepare a change order describing the proposed changes to the Statement of Work and the applicable change in fees and expenses, if any (each, a “Change Order”). Change Orders are not binding unless and until they are executed by both parties. Executed Change Orders will be deemed part of, and subject to, this Agreement. In the event that the parties disagree about the proposed changes, the parties will promptly escalate the change request to their respective senior management officers for resolution.

3.3    Project Materials.

(1)     Deliverables. Solartis will own all rights, title and interest in and to the Deliverables (excluding any Customer Property), and related intellectual property rights. Subject to terms and conditions of this Agreement, and during the Term, Solartis hereby provides Customer with a limited, non-exclusive, non-transferable (except in connection with an assignment under Section 11.8 of this Agreement) and terminable license to use the Deliverables solely for Customer’s internal operations in connection with its authorized use of the applicable Service.

(2)    Tools. Notwithstanding any other provision of this Agreement: (i) nothing herein will be construed to assign or transfer any intellectual property rights in the proprietary tools, libraries, know-how, techniques and expertise (“Tools”) used by Solartis to develop the Deliverables, and to the extent such Tools are delivered with or as part of the Deliverables, they are licensed, not assigned, to Customer, on the same terms as the Deliverables; and (ii) the term “Deliverables” will not include the Tools.]

4.    Payment Provisions

4.1    Fees and Payment. Fees and expenses for each applicable project will be set forth in the applicable Estimate/Order Form or Statements of Work. Customer will pay the fees and expenses as specified in the applicable Estimate/Order Form or Statements of Work.

4.2    Taxes. Solartis fees do not include any local, state, federal or foreign taxes, VAT, levies or duties of any nature ("Taxes"). Customer is responsible for paying all applicable Taxes, including sales, use, personal property, value-added, excise, customs fees, import duties, stamp duties and any other similar taxes and duties, including penalties and interest, imposed by any United States federal, state, provincial or local government entity or any non-US government entity on the transactions contemplated by this Agreement, excluding only taxes based on Solartis's income. If Solartis has the legal obligation to pay or collect Taxes for which Customer is responsible under this section, the appropriate amount will be invoiced to and paid by Customer unless Customer provides Solartis with a valid tax exemption certificate authorized by the appropriate taxing authority.

5.    Limited Warranties

5.1   General and Services Warranty. Solartis warrants and represents that (i) the Solartis Cloud Service will achieve in all material respects the functionality described in the Subscription Schedule applicable to the Solartis Cloud Service procured by Customer, and (ii) such functionality of the Solartis Cloud Service will not be materially diminished during the Term. Customer’s sole and exclusive remedy for Solartis’s breach of any of these warranties (other than representation (iii)) shall be that Solartis will be required to use commercially reasonable efforts to modify the Solartis Cloud Service to meet the warranties and if Solartis is unable to do so, Customer will be entitled to terminate the Agreement and receive a pro rata refund of the subscription fees paid under the Agreement for its use of the Solartis Cloud Service for the terminated portion of the Term. Solartis will have no obligation with respect to a warranty claim unless notified of such claim within sixty (60) days of the first instance of any material functionality problem, and such notice must be sent to Solartis in writing. For a breach of subsection (iii), Customer’s sole and exclusive remedy for Solartis’s breach will be the non-infringement indemnity set forth in Section 8 below. The warranties set forth in this Section 5.1 are made to and for the benefit of Customer only. Such warranties will only apply if the applicable Solartis Cloud Service has been utilized in accordance with the specifications, this Agreement and applicable law.

5.2   [Professional Services Warranty. Solartis warrants that (a) it and each of its employees, consultants and subcontractors, if any, that it uses to provide and perform Professional Services has the knowledge, skills, experience, qualifications, and resources reasonably necessary to provide and perform the Professional Services in accordance with the applicable SOW; and (b) the Professional Services will be performed for and delivered to Customer in a good, diligent, workmanlike manner in accordance with industry standards, laws and governmental regulations applicable to the performance of such services. Solartis’s ability to successfully perform hereunder is dependent upon Customer’s provision of timely information, access to resources, and participation. If through no fault or delay of Customer the Professional Services do not conform to the foregoing warranty, and Customer notifies Solartis within sixty (60) days of Solartis’s delivery of the Professional Services, Customer’s sole and exclusive remedy is to have Solartis reperform the non-conforming portions of the Professional Services.]

6.   Disclaimer of Warranties. EXCEPT AS EXPRESSLY STATED IN THIS AGREEMENT, SOLARTIS DOES NOT REPRESENT THAT CUSTOMER’S USE OF THE SERVICE, PROFESSIONAL SERVICES, DELIVERABLES, AND/OR TOOLS WILL BE SECURE, TIMELY, UNINTERRUPTED OR ERROR-FREE OR THAT THE SERVICE, PROFESSIONAL SERVICES, DELIVERABLES, AND/OR TOOLS WILL MEET CUSTOMER’S REQUIREMENTS OR THAT ALL ERRORS IN THE SERVICE, DOCUMENTATION, PROFESSIONAL SERVICES, DELIVERABLES, AND/OR TOOLS WILL BE CORRECTED OR THAT THE OVERALL SYSTEM THAT MAKES THE SERVICE AVAILABLE (INCLUDING BUT NOT LIMITED TO THE INTERNET, OTHER TRANSMISSION NETWORKS, AND CUSTOMER’S LOCAL NETWORK AND EQUIPMENT) OR THE PROFESSIONAL SERVICES, DELIVERABLES, AND/OR TOOLS WILL BE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS. THE WARRANTIES STATED IN THIS AGREEMENT ARE THE SOLE AND EXCLUSIVE WARRANTIES OFFERED BY SOLARTIS. THERE ARE NO OTHER WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS. EXCEPT AS PROVIDED HEREIN, THE SERVICES, PROFESSIONAL SERVICES, DELIVERABLES, AND/OR TOOLS PROVIDED TO CUSTOMER ARE ON AN “AS IS” AND “AS AVAILABLE” BASIS, AND ARE FOR COMMERCIAL USE ONLY. CUSTOMER ASSUMES ALL RESPONSIBILITY FOR DETERMINING WHETHER THE SERVICE, PROFESSIONAL SERVICES, DELIVERABLES, AND/OR TOOLS OR THE INFORMATION GENERATED THEREBY IS ACCURATE OR SUFFICIENT FOR CUSTOMER’S PURPOSES.

7. Limitations of Liability. EXCEPT FOR DAMAGES RELATED TO A BREACH OF ITS CONFIDENTIALITY OBLIGATIONS UNDER SECTION 2.10, IN NO EVENT WILL SOLARTIS BE LIABLE TO ANYONE FOR LOST PROFITS OR REVENUE OR FOR INCIDENTAL, CONSEQUENTIAL, PUNITIVE, COVER, SPECIAL, RELIANCE OR EXEMPLARY DAMAGES, OR INDIRECT DAMAGES OF ANY TYPE OR KIND HOWEVER CAUSED, WHETHER FROM BREACH OF WARRANTY, BREACH OF CONTRACT, NEGLIGENCE, OR ANY OTHER LEGAL CAUSE OF ACTION FROM OR IN CONNECTION WITH THIS AGREEMENT (AND WHETHER OR NOT SOLARTIS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES TO THE MAXIMUM EXTENT PERMITTED BY LAW).

EXCEPT WITH REGARD TO (I) AMOUNTS DUE UNDER THIS AGREEMENT, (II) A BREACH OF SECTION 2.10 (CONFIDENTIAL INFORMATION), (III) ITS INDEMNIFICATION OBLIGATIONS UNDER THIS AGREEMENT, AND (IV) ITS GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, THE MAXIMUM LIABILITY OF SOLARTIS TO ANY PERSON, FIRM OR CORPORATION WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH ANY LICENSE, USE OR OTHER EMPLOYMENT OF THE SERVICE, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED ON BREACH OR REPUDIATION OF CONTRACT, BREACH OF WARRANTY, NEGLIGENCE, TORT, STATUTORY DUTY, OR OTHERWISE, WILL IN NO CASE EXCEED THE EQUIVALENT OF TWELVE (12) MONTHS IN SUBSCRIPTION FEES APPLICABLE AT THE TIME OF THE EVENT. THE MAXIMUM AGGREGATE REMEDIATION COSTS FOR WHICH SOLARTIS MAY BE LIABLE FOR UNDER SECTION 2.4 DURING THE TERM WILL NOT EXCEED ONE MILLION DOLLARS ($1,000,000). THE MAXIMUM LIABILITY OF SOLARTIS TO ANY PERSON, FIRM, OR CORPORATION WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH ANY PROFESSIONAL SERVICES, DELIVERABLES, AND/OR TOOLS, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED ON BREACH OR REPUDIATION OF CONTRACT, BREACH OF WARRANTY, NEGLIGENCE, TORT, OR OTHERWISE, WILL IN NO CASE EXCEED THE AMOUNT PAID BY CUSTOMER FOR THE APPLICABLE PROFESSIONAL SERVICES, DELIVERABLES, AND/OR TOOLS. NOTWITHSTANDING THE PREVIOUS SENTENCES, SOLARTIS WILL NOT BE LIABLE TO CUSTOMER TO THE EXTENT SUCH LIABILITY WOULD NOT HAVE OCCURRED BUT FOR CUSTOMER’S FAILURE TO COMPLY WITH THE TERMS OF THIS AGREEMENT. THE ESSENTIAL PURPOSE OF THIS PROVISION IS TO LIMIT THE POTENTIAL LIABILITY OF SOLARTIS ARISING FROM THIS AGREEMENT. THE PARTIES ACKNOWLEDGE THAT THE LIMITATIONS SET FORTH IN THIS SECTION ARE INTEGRAL TO THE AMOUNT OF FEES CHARGED IN CONNECTION WITH MAKING THE SERVICE AVAILABLE TO CUSTOMER AND PROVIDING THE PROFESSIONAL SERVICES AND THAT, WERE SOLARTIS TO ASSUME ANY FURTHER LIABILITY OTHER THAN AS SET FORTH HEREIN, SUCH FEES WOULD OF NECESSITY BE SET SUBSTANTIALLY HIGHER.

Certain states and/or jurisdictions do not allow the exclusion of implied warranties or limitations of liability for incidental or consequential damages, so the exclusions set forth above may not apply to Customer.

8.    Indemnification.

8.1   Infringement. Solartis will, at its own expense, and subject to the limitations set forth in this Section 8, defend Customer, and its officers, directors, employees, successors and assigns from and against any third-party claims, suits, demands (including pre-litigation demands), and proceedings (collectively, “Claims”), that allege that the Service infringes such third party’s patents, copyrights, trade secrets or trademarks and indemnify Customer against any damages, liabilities, costs and expenses (including reasonable attorneys’ fees and expenses) (collectively, “Losses”) reasonably and actually incurred by Customer as a result of such Claims.

Excluded from the above indemnification obligations are Claims to the extent arising from (a) use of the Service in violation of this Agreement or applicable law, (b) use of the Service after Solartis notifies Customer to discontinue use because of an infringement claim, (c) modifications to the Service not made or authorized by Solartis, or (d) use of the Service in combination with any unauthorized software, application or service made or provided other than by Solartis.

If a Claim is brought or threatened, Solartis will, at its sole option and expense, use commercially reasonable efforts either (a) to procure a license that will protect Customer against such Claim without cost to Customer; (b) to modify or replace all or portions of the Service as needed to avoid infringement, such update or replacement having substantially similar or better capabilities; or (c) if (a) and (b) are not commercially feasible, terminate the Agreement and refund to the Customer a pro-rata refund of the subscription fees paid for under the Agreement for the terminated portion of the Term. The rights and remedies granted Customer under this Section 8.1 state Solartis’s entire liability, and Customer's exclusive remedy, with respect to any claim of infringement of the intellectual property rights of a third party.

8.2   Customer’s Indemnity. Customer will, at its own expense and subject to the limitations set forth in this Section 8, defend and hold harmless Solartis from and against any and all Claims (i) alleging that Solartis’s use of the Customer Data or any trademarks or service marks other than Solartis Marks, or any use thereof, infringes the intellectual property rights or other rights, or has caused harm to a third party, or (ii) arising out of Customer’s breach of Section 2.3 (Lawful Conduct) or 2.10 (Confidential Information) above, and indemnify Solartis against any Losses reasonably and actually incurred by Solartis as a result of such Claims.

8.3   Indemnification Procedures and Survival. In the event of a potential indemnity obligation under this Section 8, the indemnified party will: (i) promptly notify the indemnifying party in writing of such Claim; (ii) allow the indemnifying party to have sole control of its defense and settlement; and (iii) upon request of the indemnifying party, cooperate in all reasonable respects, at the indemnifying party’s cost and expense, with the indemnifying party in the investigation, trial, and defense of such Claim and any appeal arising therefrom. The indemnification obligations under this Section 8 are expressly conditioned upon the indemnified party’s compliance with this Section 8.3 except that failure to notify the indemnifying party of such Claim will not relieve that party of its obligations under this Section 8 but such Claim will be reduced to the extent of any damages attributable to such failure.

9.    Suspension/Termination.

9.1   Suspension for Delinquent Account. Solartis reserves the right to suspend Customer’s and any Customer Affiliates’ access to and/or use of the Service and to stop providing the Professional Services for any accounts for which any payment is due but unpaid but only after Solartis has provided Customer two (2) delinquency notices, and at least sixty (60) days have passed since the transmission of the first notice. The suspension is for the entire account and Customer understands that such suspension would therefore include Affiliate sub-accounts. Customer agrees that Solartis will not be liable to Customer or to any Customer Affiliate or other third party for any suspension of the Service or Professional Services pursuant to this Section 9.1.

9.2   Suspension for Ongoing Harm. Customer agrees that Solartis may with reasonably contemporaneous telephonic notice to Customer suspend access to the Service if Solartis reasonably concludes that Customer’s Service is being used to engage in denial of service attacks, spamming, or illegal activity, and/or use of Customer’s Service is causing immediate, material and ongoing harm to Solartis or others. In the extraordinary event that Solartis suspends Customer’s access to the Service, Solartis will use commercially reasonable efforts to limit the suspension to the offending portion of the Service and resolve the issues causing the suspension of Service. Customer further agrees that Solartis will not be liable to Customer nor to any third party for any suspension of the Service under such circumstances as described in this Section 9.2.

9.3   Termination for Cause, Expiration. Either party may immediately terminate this Agreement and all Estimates/Order Forms issued hereunder in the event the other party commits a material breach of any provision of this Agreement which is not cured within thirty (30) days of written notice from the non-breaching party. Such notice by the complaining party will expressly state all of the reasons for the claimed breach in sufficient detail so as to provide the alleged breaching party a meaningful opportunity to cure such alleged breach and will be sent to the General Counsel and/or CEO of the alleged breaching party at the address listed in the heading of this Agreement (or such other address that may be provided pursuant to this Agreement) (“Notice”). Upon termination or expiration of this Agreement, Customer will have no rights to continue use of the Service or the Deliverables. If this Agreement is terminated by Customer for any reason other than a termination expressly permitted by this Agreement, then Solartis will be entitled to all of the fees due under this Agreement for the entire Term. If this Agreement is terminated as a result of Solartis’s breach of this Agreement, then Customer will be entitled to a refund of the pro rata portion of any subscription fees paid by Customer to Solartis under this Agreement for the terminated portion of the Term.

9.4   Handling of Customer Data In The Event Of Termination. Customer agrees that following termination of Customer’s account and/or use of the Service, Solartis may immediately deactivate Customer’s account and that following a reasonable period of not less than ninety (90) days will be entitled to delete Customer’s account from Solartis’s “live” site. During this ninety (90) day period and upon Customer’s request, Solartis will grant Customer limited access to the Service for several days for the sole purpose of permitting Customer to retrieve Customer Data, provided that Customer has paid in full all good faith undisputed amounts owed to Solartis. Customer further agrees that Solartis will not be liable to Customer nor to any third party for any termination of Customer access to the Service or deletion of Customer Data, provided that Solartis is in compliance with the terms of this Section 9.4.

9.5    Termination Assistance. Unless Solartis terminates the Agreement or suspends the Services for cause, upon request by Customer and for a period requested by Customer which may not exceed six (6) months after the termination or expiration of the Agreement (the “Termination Assistance Period”), Solartis will provide to Customer such assistance as may be required to transition from Solartis to an alternative service provider without interference with, interruption to or degradation of the Service provided by Solartis or the business, operations or systems of Customer including, without limitation, the following: (i) continued provision of the Service; (ii) continued support of the Service; (iii) data migration to an alternative platform or alternative solution; and (iv) such additional services related to the transition as are reasonably requested by Customer and agreed to by Solartis (the “Termination Assistance Services”). Customer will pay Solartis for the Termination Assistance Services on a time-and-materials basis at Solartis’s then-applicable rates. The Term of this Agreement will not be deemed to have expired or terminated until the Termination Assistance Services are completed.

10.     Modification; Discontinuation of The Service.

10.1   To the Service. Solartis may make modifications to the Service or particular components of the Service from time to time and will use commercially reasonable efforts to notify Customer of any material modifications. Solartis reserves the right to discontinue offering the Service at the conclusion of Customer’s then-current Term. Solartis will not be liable to Customer nor to any third party for any modification of the Service as described in this Section 10.1.

10.2   To Applicable Terms. If Solartis makes a material change to any applicable URL Terms, then Solartis will notify Customer by sending an email to the notification email address. If the change has a material adverse impact on Customer and Customer does not agree to the change, Customer must so notify Solartis via legal@Solartis.com within thirty (30) days after receiving notice of the change. If Customer notifies Solartis as required, then Customer will remain governed by the URL Terms in effect immediately prior to the change until the end of the then current term for the affected Service. If the affected Service is renewed, it will be renewed under Solartis's then current URL Terms.

11.     Miscellaneous.

11.1    Governing Law. The rights and obligations of the parties under the Agreement will be governed in all respects by the laws of California exclusively, without regard to conflict of law provisions. Customer agrees that upon Solartis’s request, all disputes arising hereunder will be adjudicated in the courts of competent jurisdiction sitting in Los Angeles, California, and Customer hereby agrees to consent to the personal jurisdiction of such courts.

11.2   Waiver. Failure or neglect by either party to enforce at any time any of the provisions hereof will not be construed nor will be deemed to be a waiver of such party’s rights hereunder nor in any way affect the validity of the whole or any part of the Agreement nor prejudice such party’s rights to take subsequent action.

11.3   Notices. All notices, including notices of address change, required to be sent hereunder will be in writing and will be sent to the addresses set forth below or delivered in person. The notices will be deemed to have been given upon: (i) the date actually delivered in person; (ii) the day after the date sent by overnight courier; or (iii) three (3) business days following the date such notice was mailed by first class mail. Notices may be confirmed by email or fax.

To Solartis:      1601 N. Sepulveda Blvd., #606,
                             Manhattan Beach, CA 90266

To Customer:  Customer address listed in the Authorized Purchaser Contract for Subscription Services

11.4    Severability. In the event that any clause, sub-clause or other provision contained in this Agreement will be determined by any competent authority to be invalid, unlawful or unenforceable to any extent, such clause, sub-clause or other provision will to that extent be severed from the remaining clauses and provisions, or the remaining part of the clause in question, which will continue to be valid and enforceable to the fullest extent permitted by law.

11.5   Force Majeure. Neither party will be liable hereunder by reason of any failure or delay in the performance of its obligations hereunder (except for the payment of money) on account of events beyond the reasonable control of such party, which may include without limitation Internet denial-of-service attacks, strikes, shortages, riots, insurrection, fires, flood, storm, explosions, acts of God, war, terrorism, governmental action, labor conditions, earthquakes and material shortages (each a “Force Majeure Event”). Upon the occurrence of a Force Majeure Event, the non-performing party will be excused from any further performance of its obligations affected by the Force Majeure Event for so long as the event continues and such party continues to use commercially reasonable efforts to resume performance.

11.6   Relationship between the Parties. Nothing in this Agreement will be construed to create a partnership, joint venture, employer/employee or agency relationship between the parties. Neither party will have the power to bind the other or to incur obligations on the other’s behalf without such other party’s prior written consent. Solartis reserves the right to use third-parties (who are under a covenant of confidentiality with Solartis), including, but not limited to, offshore subcontractors to assist with the Services and Professional Services, including, without limitation, any data migration, configuration, implementation and custom code development processes.

11.7    Non-Impediment. Nothing in this Agreement will be construed as precluding or limiting in any way the right of Solartis to provide consulting, development, or other services of any kind to any individual or entity (including without limitation performing services or developing materials which are similar to and/or competitive with the Professional Services and/or Deliverables hereunder).

11.8   Assignment. This Agreement may not be assigned by Customer, whether voluntarily or involuntarily or by operation of law, in whole or in part, to any party without the prior written consent of Solartis, which consent may be granted or refused at Solartis’s sole discretion. Any assignment in violation of this Section 11.8 will be null and void from the beginning, and will be deemed a material breach of this Agreement.

11.9   No Third-Party Beneficiaries. This Agreement is intended for the sole and exclusive benefit of the signatories and is not intended to benefit any third party. Only the parties to this Agreement may enforce it.

11.10    [Non-Solicitation. During the term of the Agreement and for 12 months thereafter, Customer will not, without the prior written consent of Solartis, solicit, offer to employ or in any manner endeavor or attempt to employ any Solartis employee.]

11.12   Public Announcement. The parties agree to issue a mutually-acceptable joint press release announcing this Agreement and the decision by Customer to use the Services. In addition, Customer agrees to permit Solartis to list Customer as a customer of the Services in Solartis’s marketing materials, including its website. Upon reasonable request from Solartis, Customer agrees to act as a reference account for the Service. All other press and media releases, public announcements and public disclosures by either party relating to this Agreement will be coordinated with and approved by both parties prior to the release thereof, with such consent not to be unreasonably withheld.

11.13    Interpretation. Unless expressly indicated to the contrary, references to Sections mean sections in these Terms of Service. Where the context requires, singular terms will be construed to include the plural, and vice versa. The titles and headings in the Agreement are for reference purposes only and do not constitute part of the Agreement. As used herein, “include” and its derivatives (including, “e.g.”) will be deemed to mean “including but not limited to.” The parties hereto agree that any rule of construction to the effect that ambiguities are to be resolved against the drafting party will not be applied in the construction or interpretation of this Agreement.

11.14   Counterparts. This Agreement may be executed in counterparts, each of which will constitute an original, and all of which will constitute one and the same instrument.

11.15   Compliance with Law. In exercising its rights under this Agreement, Customer will at all times comply with all applicable international, federal, state and local laws and will not engage in any illegal or unethical practices, including any anti-boycott laws, as amended, and any implementing regulations. Without limiting the foregoing, Customer agrees that Customer will not download, export, or re-export any software or technical data received hereunder, regardless of the manner in which received, (i) into, or to a national or resident of, any country to which the United States has embargoed goods, or (ii) to anyone on the United States Treasury Department’s list of Specially Designated Nationals or the U.S. Commerce Department’s Table of Denial Orders.

11.16   Entire Agreement. The Agreement, together with the Service Level Commitments, Subscription Schedule, Statement of Work, and Estimates/Order Forms, constitutes the complete and exclusive agreement between the parties concerning its subject matter and supersedes all prior or contemporaneous agreements or understandings, written or oral, concerning the subject matter of the Agreement. The Agreement may not be modified or amended except in a writing signed by a duly authorized representative of each party.

12.    Definitions.

“Affiliates” means any entity which directly or indirectly, through one or more intermediaries, controls, or is controlled by, or is under common control with Customer, by way of majority voting stock ownership or the ability to otherwise direct or cause the direction of the management and policies of Customer.

“Contract Effective Date” means the date on which the parties first execute an Estimate/Order Form or Statement of Work incorporating this Agreement.

“Covered Personal Data” means Personal Data which is transferred by or on behalf of Customer to Solartis pursuant to the Agreement, and any copies or derivatives resulting from Solartis’s Processing of such Personal Data.

“Customer Data” means data, information, or material provided or submitted to the Service by Customer or its Affiliates.

“Data Law” means, as in effect from time to time, any law, rule, regulation, declaration, decree, directive, statute or other enactment, order, mandate or resolution, which is applicable to either party, issued or enacted by any domestic or foreign, supra-national, national, state, county, municipal, local, territorial or other government or bureau, court, commission, board, authority, or agency, anywhere in the world, relating to data security, data protection and/or privacy, including the General Data Protection Regulation.

“Data Subject” means an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Electronic Communications” means any transfer of signs, signals, text, images, sounds, data or intelligence of any nature transmitted in whole or part electronically received and/or transmitted through the Service.

“Estimate/Order Form” means a Solartis estimate, renewal notification or order form in the name of and executed by Customer or its Affiliate and accepted by Solartis which specifies the Service and implementation services to be provided by Solartis subject to the terms of this Agreement.

“General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and any implementing, derivative or related legislation, rule, regulation, and regulatory guidance, as amended, extended, repealed and replaced, or re-enacted from time to time.

“Initial Term” means the initial period during which the Customer is obligated to pay for the Service.

“Personal Data” means any information relating to a Data Subject.

“Process” or “Processing” means any operation or set of operations that is performed upon Covered Personal Data, whether or not by automatic means, including, but not limited to, obtaining, developing, producing, collecting, recording, organizing, structuring, accessing, using, adapting, altering, modifying, retrieving, consulting, copying, reproducing, analyzing, disclosing, disseminating, making available, aligning, combining, blocking, restricting, transmitting, transferring, selling, renting, storing, retaining, destroying, deleting, or erasing such data. For the avoidance of doubt, “Process” includes the compilation or correlation of Covered Personal Data with information from other sources and the application of algorithmic analysis to create new or derivative data sets from Covered Personal Data.

“Service(s)” means, collectively, Solartis’s insurance industry cloud and outsourcing services (the “Solartis Service”) and modules that are procured by Customer from Solartis in the Estimate/Order Form and any subsequent Estimate/Order Form from time to time, including associated offline components, but excluding Solartis Professional Services and Third Party Applications and implementation services.

“Solartis Cloud” means the suite of insurance software applications developed, operated, and maintained by Solartis, to which the Customer is being granted access under this Agreement.

“Solartis Cloud Services” means the provision of Solartis Cloud and related services to Customer under this Agreement.

“Solartis Outsourcing Services” means insurance business process services developed, operated and managed by Solartis, provided to Customers primarily by Solartis offshore insurance professionals, to which the Customer is subscribing under this Agreement.

“Third Party Applications” means online, Web-based applications or services and offline software products that are provided by third parties, and interoperate with the Service.

“Users” means individuals who are authorized by Customer to use the Service, and who have been supplied user identifications and passwords by Customer (or by Solartis at Customer’s request). Users may include but are not limited to Customer’s and Customer’s Affiliates’ employees, consultants, contractors, agents, insureds or applicants for insurance.

EXHIBIT A

Information Security and Data Privacy Addendum

The requirements set forth in this Information Security and Data Privacy Addendum (this “Addendum”) concern protocols to which Solartis and Customer will adhere in connection with Solartis providing the Services and Professional Services under the Agreement. These protocols are designed to ensure the security and privacy of data processed by Solartis while performing the Services. In the event of any conflict between the terms of this Addendum and the terms of the Subscription Services Agreement, Estimate/Order Form or any Statement of Work, the requirements in this Addendum will control.

Documented Information Security Management System

1. Solartis has adopted and implemented a written Information Security Management System (“ISMS”) that is reasonably designed to provide for the confidentiality, integrity, and availability of customer data.

1.1 Risk management under the ISMS is addressed pursuant to the InfoSec Risk Management Framework. Pursuant to the InfoSec Risk Management Framework, the process for identification, evaluation and quantification of information security risks is defined, along with the process for risk mitigation. Schedule 1 contains a summary of the InfoSec Risk Management Framework. 

1.2 Roles and responsibilities relating to the organization structure and operation of the ISMS are defined in the Solartis InfoSec Organization Roles and Responsibilities policy. Pursuant to this Policy, Solartis has defined the roles and responsibilities for management direction of the ISMS, operational oversight of the ISMS, and implementation of information security requirements by Solartis personnel. Schedule 2 contains a summary of the Solartis InfoSec Organization Roles and Responsibilities policy.

1.3 Information classification, protection and handling requirements are addressed pursuant to the Solartis Information Classification Policy. Pursuant to this Policy, information assets at Solartis are defined according to sensitivity level and procedures for the protection and handling of information assets based on classification level are enumerated. The Policy defines two types of customer data – “Internal Client” and “Internal Client Sensitive” data (together, “Customer Data”). Schedule 3 contains a summary of the Solartis Information Classification Policy.

1.4 Standards for the efficient management of documents, including change management controls, are set forth in the Solartis Documented Information Standard. Pursuant to this Policy, controlled documents are assigned owners, review and approval standards, and labelling and form and formatting requirements. Schedule 4 contains a summary of the Solartis Documented Information Standard.

1.5 Management of information security incidents is addressed by the Solartis InfoSec Incident Management Policy. Pursuant to this Policy, information security incidents are detected, identified, escalated, categorized, managed to resolution, and documented. Schedule 5 contains a summary of the Solartis InfoSec Incident Management Policy.

1.6 Pursuant to the Solartis ISMS and the above-referenced documents, Solartis has adopted the technical security measures set forth in Schedule 6.

1.7 Upon reasonable notice, Customer may inspect the above-referenced documents comprising the Solartis ISMS, which may be provided in a clean-room environment (remote or on-site), subject to Solartis confidentiality requirements.

Information Security Governance

2. The following personnel will be responsible for confirming the implementation of and ongoing compliance with this Addendum.

Solartis:         Siby Nidhiry
                             Chief Technology Officer
                             Email Address: snidhiry@solartis.com                          
                             Phone Number: (408) 806-4980

Customer:    [Insert Name; Title; Contact Information]

2.1 Any correspondence or notices regarding this Addendum will be communicated in writing via e-mail or other written notice to each of the personnel listed in Section 2.

2.2 The personnel listed in Section 2 will be responsible for jointly reviewing this Addendum on an annual basis to identify necessary changes, if any.

2.3 Any modification to the terms of this Addendum that would result in a material degradation will be governed by the Change Management Process set forth in Section 3.2 of the Subscription Services Agreement and in the Statement of Work.

Personnel

3. To the extent permitted under applicable law, Solartis will not assign any individual to perform the services pursuant to the Agreement whose background check (i) is not consistent with the information provided by the individual or (ii) who has been convicted of, or pled guilty or nolo contendere to, or is on probation or parole for, a crime involving breach of trust, fraud, dishonesty, money laundering, injury or attempted injury to any person or property.

3.1 If Solartis learns that an individual assigned to perform services pursuant to the Agreement does not meet the requirements set forth in Section 3, Solartis will, as soon as reasonably practicable and in no event more than forty-eight (48) hours after becoming aware of the non-compliance: (a) revoke such individual’s access to any Customer Data; (b) remove such individual from the Customer’s account; and (c) notify the Customer.

3.2 At Customer’s reasonable request, Solartis will confirm in writing to Customer that Solartis has complied with the obligations set forth in Section 3.

Incident Reporting and Response

4. Solartis will notify Customer in writing promptly, and in no case more than two (2) business days following discovery, of any information security or data privacy incident, defined as reasonable belief of unauthorized processing of Customer Data impacting the confidentiality, integrity or availability of Customer Data.

4.1 Following notification of an information security or data privacy incident, Solartis will provide periodic updates of its incident investigation and remediation to Customer at Customer’s reasonable request.

4.2 Solartis will cooperate with Customer’s reasonable requests in connection with investigating any information security or data privacy incident.

Customer Obligations

5. Customer is responsible for ensuring that all activities conducted by it, its personnel and agents, in connection with accessing or using the Solartis Cloud Service comply with the terms of the Agreement and all Applicable law.

5.1 Customer is responsible for ensuring the security of user credentials provisioned to enable access to the Solartis Cloud Service.

5.2 Customer will notify Solartis in writing promptly, and in no case more than two (2) business days following discovery, of unauthorized access to or use of the Solartis Cloud Service. Customer will cooperate with Solartis’s reasonable requests in connection with investigating any incident of unauthorized access to or use of the Solartis Cloud Service.

5.3 Customer is responsible for notifying Solartis that Solartis will be processing Customer Data classified as Internal Client Sensitive pursuant to the Solartis Information Classification Policy. Customer will specify which Customer Data is so designated.

5.4 Customer is responsible for implementing the technical measures set forth in Schedule 7.

SCHEDULE 1. Solartis InfoSec Risk Management Framework

1. Solartis has adopted and implemented an InfoSec Risk Management Framework designed to define the process by which Solartis assesses information security risk and evaluates options for mitigating such risks.

2. Roles and responsibilities relating to information security risk management, including roles and responsibilities relating to the process defined in the InfoSec Risk Management Framework, are defined in the Solartis Information Security Organization Roles and Responsibilities Policy.

3. The InfoSec Risk Management Framework is comprised of the following components.

3.1 Risk Ownership. Persons or entities with sufficient authority, subject matter expertise, and interest regarding a risk are assigned accountability for and authority to manage that risk.

3.2 Risk Identification. Risks are identified in order to determine potential causes of loss to Solartis and to gain insight into how such losses may be avoided and/or mitigated. In order to identify Risks, Solartis analyzes defined Contexts and Areas of Concern in light of defined Inputs.

3.2.1 Contexts. In identifying Risks, Solartis analyzes the following Contexts – people, processes, technology, data, vendors, and physical facilities and infrastructure.

3.2.2 Areas of Concern. In identifying Risks, Solartis analyzes the following Areas of Concern – Confidentiality, Integrity, and Availability.

3.2.3 Inputs. In analyzing Contexts and Areas of Concern, Solartis considers the following Inputs – applicable legal and regulatory requirements (see Policy – Solartis Applicable Legal and Regulatory Requirements); Solartis IT assets (see Solartis IT Service Catalog); business process criticality (with a defined range of Minor to Critical); process dependency (with a defined range of Low to High); and IT services deployment architectures.

4. Risk Analysis. A Risk Priority Number is created for each Risk according to a defined calculation that considers: Risk Impact; Risk Likelihood; and Risk of Non-Detection.

4.1 Risk Impact is defined on a range from “very low” (1) to “very high” (5).

4.2 Risk Likelihood is defined on a range from “negligible” (0) to “very high” (5).

4.3 Risk of Non-Detection is assigned a range from “extremely high” probability of detection (1) to “extremely low” probability of detection (5).

5. Risk Treatment. The InfoSec Security Risk Management Framework defines four categories of Risk Treatment - (i) accepting the risk; (ii) eliminating the cause of the risk; (iii) mitigating the risk through controls; or (iv) sharing the risk (i.e. through insurance).

6. Risk Acceptance. The InfoSec Security Risk Management Framework defines the circumstances under which Risk may be “accepted,” and otherwise where Risk must be eliminated, mitigated, or shared.

SCHEDULE 2. Solartis InfoSec Organization Roles and Responsibilities

1. Solartis has adopted and implemented a policy entitled Solartis InfoSec Organization Roles and Responsibilities which defines the organization structure of and roles and responsibilities relating to the Information Security Management System within Solartis.

2. Management Commitment. Overall strategic direction of the Information Security Management System is the responsibility of the Chief Executive Officer.

2.1 Operational responsibility is delegated to the Information Security Committee (ISC) which is chaired by the Chief Information Security Officer (CISO).

2.2 Management oversight of information security is evidenced by management review and approval of security policies; review and approval of the information security budget; and review and response to management reports concerning information security.

3. Information Security Committee. The ISC is responsible for coordinating information security initiatives at the executive level. Key roles are defined to include: development of the security charter and information security policies; assessing policy exception requests; evaluating information security enhancements and controls; identifying trends and changes to information security risk; periodic reporting to management and internal audit; and coordinating communications and activities during incident response.

4. Chief Information Security Officer. The CISO chairs the ISC and provides strategic direction, support and review to the securing of information assets. Key roles are defined to include: representative to external auditors; oversight of asset inventory; defining security standards; undertaking risk assessments; reviewing and reporting on security metrics; supporting investigation and remediation of incidents; organizing training; audit planning; implementation of corrective and preventative actions; liaison with external parties regarding information security matters.

5. Audit Committee. The Audit Committee is chaired by the Lead Auditor and is assisted by Internal Auditors in planning and executing the internal audit program as to information security matters. Key roles of the Lead Auditor and Internal Auditors include preparing and assisting in the execution of the audit plan; preparation of working and final audit documentation; reporting of critical non-conformities; maintenance of confidentiality and ethical standards in carrying out audit activities.

6. Line Managers. Personnel who manage any team or process within the business function at Solartis are given defined responsibilities, including: supporting ISC planning and implementation of the ISMS; ensuring the suitability of security controls; identifying and reporting changes in IT assets, risks, and controls; reporting suspected policy violations; driving corrective actions in light of audit findings.

7. Information Asset Owners (IAO). Each IAO is responsible for the protection of the Information Asset to which it is assigned. Key responsibilities include asset classification; authorizing / removing access; change management; risk assessment of the information asset; monitoring compliance with security requirements.

8. Staff / End Users. The InfoSec Organization Roles and Responsibilities policy requires that Staff / End Users (i) maintain responsibility for information security; (ii) access information assets only for the purpose for which access was granted; (iii) share information for business purposes and only as necessary; and (iv) report security incidents.

9. Change Advisory Board (CAB). The CAB considers and recommends the adoption or rejection of changes appropriate for higher level authorization, consistent with the IT Change Management Policy.

10. Information Security Incident Response Team (ISIRT). ISIRT is responsible for managing information security incidents, consistent with the Information Security Incident Management Policy. Key responsibilities include: acting as designated point of contact during incident response; responding to incidents; controlling information flow pursuant to the Information Security Incident Management Policy; assessing incident impact; determining disaster recovery plan steps; establishing and managing the Solartis Emergency Response Team; managing stakeholder communications; and reviewing security incidents.

11. Solartis Emergency Response Team (SERT). SERT, which is comprised of technical and operational personnel, is responsible for execution of the business continuity plan when a crisis is activated. SERT responsibilities include establishing facilities for emergency level of service; restoring key services through the continuity plan; recovering to business as usual; facilitating user acceptance testing; and reporting status to ISIRT.

SCHEDULE 3. Solartis Information Classification Policy

1. Solartis has adopted and implemented the Solartis Information Classification Policy in order to establish a framework for classifying information assets at Solartis and using the classification to assist in the determination of security controls.

1.1 Solartis classifies assets into two categories: (i) physical assets and (ii) information assets.

1.2 Physical assets are classified on a scale from Level 1 (assets that do not store information) to Level 3 (core service components, like file servers).

1.3 The management of physical assets is further defined in the Solartis IT Asset Management Process.

2. The Solartis Information Classification Policy classifies information assets into the following categories: (i) confidential; (ii) internal client; (iii) internal client sensitive; (iv) internal; (v) general.

2.1 Confidential information is defined to include highly sensitive or valuable proprietary or personal information.

2.2 Internal client information is defined to include proprietary information belonging to a client.

2.3 Internal client sensitive information is defined to include highly sensitive or valuable proprietary or personal information belonging to a client, or information where confidentiality is required by law, policy or contractual obligation.

2.4 Internal information is defined to include information that may be freely shared within Solartis, but disclosure to third-parties creates significant risk.

2.5 General information is defined to include information that may be broadly distributed within or outside Solartis, without risk.

3. The Solartis Information Classification Policy defines information protection and handling requirements for information assets according to information classification, for both printed and electronic information, in specified contexts including: labelling; distribution/transmission; storage; disposal.

3.1 Labelling requirements are further defined in the Solartis Documented Information Standard.

3.2 Distribution and transmission requirements are defined to include standards for addressing and labeling the distribution of printed information assets according to their classification and encryption and access controls for the distribution of electronic information assets according to their classification.

3.3 Storage requirements are defined to include standards for locking and colocation of printed information assets according to their classification and encryption and access controls for the storage of electronic information assets according to their classification.

3.4 Disposal requirements are defined to include standards for shredding and record-keeping for printed information assets according to their classification and prior-approval protocols, the use of approved deletion tools, and record-keeping for electronic information assets according to their classification.

SCHEDULE 4. Solartis Documented Information Standard

1. Solartis has adopted and implemented the Solartis Documented Information Standard to establish a process for efficient document management within Solartis.

2. The Solartis Documented Information Standard categorizes information into defined Documents (which are active and dynamic, and subject to change management requirements) and Records (which are static and historical in nature).

3. The Solartis Documented Information Standard assigns responsibility for the review, approval, maintenance, distribution, protection from unauthorized access, and change management for Documents.

4. The Solartis Documented Information Standard defines review and approval responsibilities for categories of Documents, ranging from management review and CEO approval of Organization Policies to functional personnel review and functional head approval of Documents used for planning, operation, and control of processes.

5. The Solartis Documented Information Standard defines standards for Document labeling, which include requirements to identify relevant internal departments and a unique document identifier in Document headers.

6. The Solartis Documented Information Standard defines standards for including information classification in Document footers (in compliance with the Solartis Information Classification Policy), version numbers, and page numbers.

7. The Solartis Documented Information Standard further defines form and formatting requirements and standards for version control, including maintaining formalized document history tables.

8. Functional units are required to maintain a list of documents (LOD) and a list of records (LOR) for all controlled documents and records, and the respective list must indicate the latest active version of any controlled document/record. A master document register is also maintained, which includes defined data points regarding each controlled document.

9. The Solartis Documented Information Standard defines the process for revision of Documents, subject to established review and approval responsibilities.

10. Documents created in connection with a particular project are subject to specific labeling requirements, defined to include the use of a Project ID and unique serial number for identifying such Documents.

11. The Solartis Documented Information Standard also defines electronic naming conventions for documents stored electronically.

12. The Solartis Documented Information Standard assigns the responsibility of destruction of obsolete documents to document owners, consistent with the rules set forth in the Solartis Information Classification Policy.

SCHEDULE 5: Solartis InfoSec Incident Management Policy

1. The Solartis InfoSec Incident Management Policy is designed to establish controls and procedures to efficiently manage information security incidents in a manner that mitigates impact and serves Solartis objectives of timely response, appropriate documentation, effective communication, and learning.

2. The Solartis InfoSec Incident Management Policy establishes an Information Security Incident Response Team (ISIRT). ISIRT roles and responsibilities are further defined in the Solartis InfoSec Organization Roles and Responsibilities policy.

2.1 The Solartis InfoSec Incident Management Policy defines ISIRT members as the designated points-of-contact (PoCs) within their departments for incident reporting, coordination, and management.

3. The Solartis InfoSec Incident Management Policy establishes categories into which information security incidents will be classified. Impact of information security incidents is to be determined pursuant to the Solartis InfoSec Risk Management Framework.

4. The Solartis InfoSec Incident Management Policy defines an incident management process that proceeds along specific phases: (i) detection and reporting; (ii) assessment and decision; and (iii) responses.

4.1 Incident detection and reporting procedures are further defined in the following contexts: (i) vulnerability reporting; (ii) event detection procedures; and (iii) event reporting procedures.

4.2 Assessment and decision procedures are further defined in the following contexts: (i) initial decision-making by the PoC and (ii) assessment and incident confirmation by the ISIRT.

4.2.1 Procedures for initial decision-making by the PoC include both escalation protocols and a requirement that events deemed not to require escalation be documented in an Information Security Incident Register.

4.3 Response procedures are further defined in the following contexts: (i) immediate response and categorization of the incident; (ii) assessment of control over information security incident; (iii) contained security incidents; and (iv) uncontained / crisis response.

4.3.1 The Solartis InfoSec Incident Management Policy establishes immediate response and categorization procedures that include (i) identification and implementation of immediate response actions; (ii) documentation of the incident in the Information Security Incident Register; (iii) determination of resource needs, including forensic analysis; and (iv) determination of internal and external communication requirements.

4.4 The Solartis InfoSec Incident Management Policy establishes protocols regarding the preservation of data and forensic records during incident investigation.

4.5 The Solartis InfoSec Incident Management Policy establishes internal and external stakeholder notification and communication standards.

4.6 The Solartis InfoSec Incident Management Policy defines documentation requirements for incident management, and post-incident and periodic review of incident documentation by management to determine lessons learned.

SCHEDULE 6. SOLARTIS TECHNICAL SECURITY MEASURES

| Context | Category / Classification | Standard |
| --- | --- | --- |
| Transmission | Internal Client | Information must be transmitted in business-approved encrypted form with business-approved Internal Client encryption (AES 256, except where not legally permitted, in which case AES 128 encryption will be used). |
| Transmission | Internal Client - Sensitive | As required by applicable legal, regulatory and contractual requirements, in coordination with Customer, and in any event information must be transmitted in business-approved encrypted form with controlled access (e.g. password protected account access). |
| Storage | Internal Client; Internal Client - Sensitive | Must be stored in a password protected directory or folder with business-approved encryption (AES 256, except where not legally permitted, in which case AES 128 encryption will be used). |
| Disposal | Internal Client; Internal Client - Sensitive | For electronic information, written confirmation from Customer is required prior to deletion. File/folder to be permanently deleted using business-approved tools designed to ensure data fragments do not remain on storage medium. |
| Disposal | Internal Client; Internal Client - Sensitive | For physical media, business-approved tools must be used. Tapes and CDs/DVDs must be physically destroyed. Record of disposal must be kept, with an audit trail. Space used by files may be overwritten, but only with tools designed for that purpose. |
| Removable Media | Internal Client; Internal Client - Sensitive | Where possible, confidential documents should be individually password protected. Passwords will not be shared in the same mode of communication (only out-of-band). Removable media storing confidential documentation must be encrypted using the same standard as set for storage. |

SCHEDULE 7 – Customer Technical Security Measures

| Category | Technical Measure |
| --- | --- |
| Access Controls | Customer will use commercially reasonable measures to ensure the confidentiality of all access-related authentication information (to include endpoint URLs, tokens, and access credentials). |
| Access Controls | Customer will supply to Solartis a list of white-label IP addresses for access to the Solartis services. |
| Data Classification | Customer will provide to Solartis in writing the types and categories of sensitive information it intends to process via the Solartis services. |
| Data Classification | Customer will provide to Solartis in writing any regulatory or other security- and privacy-related obligations relating to the data Customer intends to process via the Solartis services, to the extent such obligations exceed the standards set forth in this Addendum. |



(Revised March 2019)