These Software-as-a-Service Terms and Conditions (the “SAAS Terms”) are entered into by and between Vanderbilt Industries dba ACRE Access Control, North America (“ACRE”) and the organization or individual (“Customer”) that has purchased licenses to access and use any software-as-a-service product provided by Acre (“SAAS Software”), whether such purchase was directly from ACRE or from an authorized reseller of ACRE.
These SAAS Terms are effective on the earliest of: (i) the date on which Customer executes an order form referencing these SAAS Terms (“Order Form”); (ii) the date on which Customer accepts these terms by clicking to accept or agree within the SAAS Software; or (iii) the date on which Customer uses the SAAS Software.
1. SCOPE OF LICENSE; RESTRICTIONS.
1.1 Access; License. Subject to the terms of these SAAS Terms and the terms of the applicable Order Form, ACRE grants to Customer a non-exclusive, revocable, non-sublicensable, non-transferable right to: (a) access and use the SAAS Software; and (b) use any applicable documentation or other information provided by ACRE with respect to the applicable SAAS Software (“Documentation”), during the Term indicated on the applicable Order Form by those individuals authorized to access and use such SAAS Software on Customer’s behalf (each, an “End User”).
1.2 End Users. Customer shall not grant any third parties access to the SAAS Software. Customer is responsible and liable for all uses of the SAAS Software and Documentation resulting from access provided by Customer, directly or indirectly, whether such access or use is permitted by or in violation of these SAAS Terms. Without limiting the generality of the foregoing, Customer is responsible for all acts and omissions of its End Users, and any act or omission by an End User that would constitute a breach of these SAAS Terms if taken by Customer will be deemed a breach of these SAAS Terms by Customer. Customer shall use reasonable efforts to make all End Users aware of the provisions of these SAAS Terms, as applicable to such End User’s use of the SAAS Software, and shall cause all End Users to comply with such provisions.
1.3 Credentials. To access and use the SAAS Software, each End User shall register to receive login credentials. Customer shall ensure that each login credential is only used by the End User to whom it relates. Customer shall promptly notify ACRE in writing if an individual ceases to be authorized to access and use the SAAS Software, so that access under that individual’s credentials can be terminated. Customer is solely responsible for the security and use of all login credentials. Customer shall promptly notify ACRE in writing if it becomes aware of any unauthorized access to or use of the SAAS Software.
1.4 Equipment. Customer shall be responsible for obtaining and maintaining any equipment and ancillary services needed to connect to, access, or otherwise use the SAAS Software, including without limitation, modems, hardware, servers, software, operating systems, networking, web servers and the like (collectively, “Equipment”). Customer shall be responsible for maintaining the security of Customer’s Equipment and for all uses of its Equipment.
1.5 Use Restrictions. Except as otherwise provided in these SAAS Terms or the applicable Order Form, Customer shall not itself, or through any third party, and shall cause End Users to not:
(a) decompile, disassemble, reverse engineer or otherwise attempt to discover the source code for the SAAS Software or determine how the SAAS Software is provided;
(b) modify, transform or otherwise prepare a derivative work of the SAAS Software;
(c) sell, distribute, sublicense, rent, lease, assign, pledge or otherwise make the SAAS Software available to or grant any rights in the SAAS Software to any unauthorized third party;
(d) remove or modify any confidentiality or proprietary rights notices contained in or on the SAAS Software or the accompanying documentation for the SAAS Software;
(e) attempt to gain access to areas of the SAAS Software which it has not been granted access to or unauthorized access to related systems or networks or breach any security measure;
(f) use the SAAS Software in a manner that would be reasonably anticipated to interfere with, degrade or disrupt the integrity or performance of ACRE’s technologies, services, systems or offerings;
(g) develop a competitive product or service using ideas, features, functions or graphics that are the same as or similar to those contained in the SAAS Software; or
(h) otherwise use the SAAS Software in a manner that is not contemplated by the SAAS Terms, including in a manner not contemplated by the accompanying Documentation for the SAAS Software or in a manner that violates any applicable laws or third-party rights.
1.6 Suspension. ACRE may temporarily suspend Customer’s or any End User’s access to any portion or all of the SAAS Software, if: (a) ACRE reasonably determines that (i) there is a threat or attack on any of the SAAS Software; (ii) Customer’s or any End User’s use of the SAAS Software disrupts or poses a security risk to the SAAS Software or to any other customer of ACRE; or (iii) Customer, or any End User, is using the SAAS Software for fraudulent or illegal activities; (b) Customer or any End User is in breach of these SAAS Terms; or (c) any vendor of ACRE has suspended or terminated ACRE’s access to or use of any third-party services or products required to enable Customer to access the SAAS Software. ACRE shall use commercially reasonable efforts to provide written notice of any such suspension to Customer following such suspension. ACRE shall use commercially reasonable efforts to resume providing access to the SAAS Software as soon as reasonably possible after the event giving rise to the suspension is cured.
1.7 Right to Modify or Discontinue. ACRE reserves the right to add or modify any feature, functionality, or other tool, within the SAAS Software at its own discretion and with or without prior notice to Customer. ACRE shall provide Customer written notice prior to discontinuing any material feature or functionality within the SAAS Software.
2. AVAILABILITY; SUPPORT.
2.1 SAAS Software Availability. ACRE shall use commercially reasonable efforts to make the SAAS Software available and provide certain support services in accordance with the terms of Exhibit A.
3. TERM AND TERMINATION.
3.1 Term. These SAAS Terms shall commence on the Effective Date and shall continue until all Order Forms have expired or been terminated pursuant to these SAAS Terms or the applicable terms of the Order Form (“Term”).
3.2 Order Form Term for SAAS Software. Unless otherwise set forth in the applicable Order Form, the initial term of each Order Form shall be one (1) year (“Initial Term”). Upon expiration of the Initial Term, the Order Form shall automatically renew for successive one-year periods (each, a “Renewal Term”), unless either party provides written notice of non-renewal within sixty (60) days from expiration of the Initial Term or then-current Renewal Term.
3.3 Termination for Breach. Either party may terminate these SAAS Terms or any active Order Form upon written notice to the other party if such party breaches these SAAS Terms or the terms of an active Order Form and fails to cure such breach (if curable) within thirty (30) days after receiving written notice from the other party specifying the nature of the breach. Either party may terminate these SAAS Terms or any active Order Form immediately if the other party files for bankruptcy, becomes insolvent, or makes an assignment for the benefit of creditors.
3.4 Effect of Termination. Upon expiration or earlier termination of these SAAS Terms or an Order Form, Customer shall immediately discontinue use of all applicable SAAS Software, and shall destroy and remove from all computers, hard drives, networks and other storage media all copies of such SAAS Software and Documentation. In addition, Customer shall remove and destroy any Confidential Information of ACRE and, upon request, shall certify in writing that such actions have occurred. Termination shall not relieve Customer of the obligation to pay any fees accrued or payable to ACRE under all terminated Order Forms or this entire Agreement through the effective date of termination. Following any termination or expiration of this Agreement or an Order Form, ACRE may immediately deactivate Customer’s account associated with the terminated Order Forms or this Agreement, as applicable. During a thirty (30) days period following termination or expiration, ACRE will grant Customer reasonable access to the terminated SAAS Software for the sole purpose of retrieving Customer Data associated with such terminated SAAS Software.
4. DISCLAIMER OF WARRANTIES.
4.1 Third-Party Materials. Customer acknowledges that the SAAS Software may contain or incorporate third-party materials or software (“Third-Party Materials”). Third-Party Materials are not covered by any warranties set forth in this Section 4. ACRE makes no representations or warranties with respect to any Third-Party Materials, and all use of Third-Party Materials is at Customer’s own risk.
4.2 DISCLAIMER OF WARRANTIES.
THE SAAS SOFTWARE AND DOCUMENTATION AND ANY SERVICES PROVIDED BY ACRE ARE PROVIDED “AS IS” AND “AS AVAILABLE”. EXCEPT FOR THE EXPRESS REPRESENTATIONS AND WARRANTIES PROVIDED DIRECTLY BY ACRE IN AN AGREEMENT WITH CUSTOMER, ACRE HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE OR TRADE PRACTICE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, ACRE MAKES NO WARRANTY OF ANY KIND THAT THE SAAS SOFTWARE OR THE SERVICES WILL MEET CUSTOMER’S OR ANY OTHER PERSON’S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE OR ERROR FREE.
5. INTELLECTUAL PROPERTY.
5.1 ACRE Intellectual Property. ACRE, its third-party licensors, and their respective successors and assigns shall retain all right, title, and interest in and to all Intellectual Property Rights used to create or develop, embodied in, used in, or otherwise relating to the SAAS Software, and components thereof. Except for the limited rights expressly granted herein, Customer and its End Users are not granted any right, title or interest in or to any of the foregoing. To the extent any right, title or interest in or to any Intellectual Property Rights vests in Customer or its End Users, Customer, on behalf of itself and its End Users, hereby assigns to ACRE all such right, title and interest. Customer acknowledges and agrees that any goodwill derived from its use of ACRE’s Intellectual Property Rights inures to the benefit of ACRE or its licensors, as applicable.
5.2 Prohibited Acts. Customer shall not: (a) take any action that interferes with any of ACRE’s Intellectual Property Rights, including ACRE’s ownership or exercise thereof; (b) challenge any right, title or interest of ACRE in or to ACRE’s Intellectual Property Rights; (c) make any claim or take any action adverse to ACRE’s ownership of ACRE’s Intellectual Property Rights; (d) engage in any action that tends to disparage, dilute the value of, or reflect negatively on the SAAS Software or ACRE itself; and (e) alter, obscure or remove any of ACRE’s proprietary rights notices, including any patent markings or copyright notices, placed on the SAAS Software.
5.3 Feedback. Customer or any End User may provide ACRE with comments, ideas, suggested changes, improvements, problems, defects and other feedback relating to the operation of the SAAS Software (collectively, “Feedback”). To the extent Customer or any End User provides any Feedback, Customer, on behalf of itself and its End Users, hereby assigns to ACRE all right, title and interest therein and thereto, including all associated Intellectual Property Rights.
6. DATA.
6.1 Customer Data. As between Customer and ACRE, Customer is and will remain the sole and exclusive owner of all right, title and interest in and to all information, data and other content provided to ACRE by or on behalf of Customer or its End Users through the SAAS Software (collectively, the “Customer Data”). Customer grants ACRE the right to host, use, process, display and transmit Customer Data to provide the SAAS Software pursuant to and in accordance with these SAAS Terms and the applicable Order Form. Customer has sole responsibility for the accuracy, quality, integrity, legality, reliability, and appropriateness of Customer Data, and for obtaining all rights related to Customer Data required by ACRE to provide the SAAS Software.
6.2 Data Security. In the provision of the SAAS Software, ACRE shall comply with the data security policy attached hereto as Exhibit B (“Data Security Policy”).
6.3 De-Identified Data. Customer grants to ACRE a non-exclusive, perpetual, royalty-free, assignable, transferrable, sublicensable license to reproduce, distribute, display, create derivative works of, and otherwise exploit the Customer Data solely for the purposes of providing the SAAS Software to Customer and creating the De-Identified Data. ACRE and its licensors may use the De-Identified Data for any lawful purposes, including for the purposes of marketing, promoting, benchmarking, improving and further developing the SAAS Software. “De-Identified Data” means all data derived by ACRE through processing or analyzing the Customer Data and otherwise through the operation of the SAAS Software, provided that the De-Identified Data will not be in a form that could be used to identify Customer or its End Users.
7. INDEMNIFICATION.
7.1 By ACRE. ACRE shall indemnify, defend and hold Customer harmless from and against any and all costs, liabilities, damages, losses, demands and expenses of every kind, including reasonable attorneys’ fees, costs and disbursements (collectively, “Damages”), arising out of or relating to any allegations or actual proceedings, investigations, actions, suits or any other claims brought by a third party (collectively, “Claims”) that the SAAS Software, as used in accordance with these SAAS Terms and the applicable Order Form, infringes, misappropriates or otherwise violates any third-party Intellectual Property Rights.
7.2 By Customer. Customer will indemnify, defend and hold ACRE harmless from and against any and all Damages arising out of or relating to any Claims (a) that the Customer Data infringes, misappropriates or otherwise violates any third-party Intellectual Property Rights or other rights; (b) arising out of or relating to Customer’s and/or its End Users’ breach of the SAAS Terms or Customer’s or any End User’s use of the SAAS Software; or (c) arising out of or relating to Customer’s or any End User’s gross negligence, willful misconduct or illegal acts, including those that cause tangible personal injury or property damage.
7.3 Indemnification Process. Each party's indemnification obligations are conditioned on the indemnified party: (a) promptly giving written notice of the Claim to the indemnifying party; (b) giving the indemnifying party sole control of the defense and settlement of the Claim; and (c) providing to the indemnifying party all available information and assistance in connection with the Claim, at the indemnifying party's request and expense. The indemnified party may participate in the defense of the claim, at the indemnified party's sole expense (not subject to reimbursement). Neither party may admit liability for or consent to any judgment or concede or settle or compromise any Claim unless such admission or concession or settlement or compromise includes a full and unconditional release of the other party from all liabilities in respect of such Claim.
7.4 Additional Remedies. Without limiting ACRE’s obligations set forth in Section 7.1 of these SAAS Terms, if the SAAS Software becomes, or in ACRE’s reasonable opinion is likely to become, the subject of a Claim or if as a result of a Claim, or the settlement thereof, the use of the SAAS Software is restricted, prohibited or materially limited, ACRE may, at ACRE’s sole option and expense (a) procure the right for Customer to continue using the SAAS Software without any additional cost; (b) replace or modify the same so that it becomes non-infringing without any material impact on its functionality or performance; or (c) terminate the SAAS Terms and refund to Customer a prorated portion of any prepaid fees covering the period after the effective date of termination.
7.5 Exceptions. ACRE will have no obligation to indemnify Customer under Section 7.1 of these SAAS Terms to the extent the Claim is based upon (a) the unauthorized modification of the SAAS Software; (b) use of the SAAS Software in combination with other products, processes, equipment, data, materials, software or hardware not provided by ACRE or contemplated or specified in the SAAS Terms or in the Documentation accompanying the SAAS Software; or (c) the use of the SAAS Software in a manner not authorized by the SAAS Terms. Section 7 of these SAAS Terms states the entire liability of ACRE with respect to Claims for infringement of any third-party intellectual property rights by the SAAS Software.
8. LIMITATION OF LIABILITY.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY WILL BE LIABLE UNDER ANY LEGAL THEORY FOR ANY INDIRECT, INCIDENTAL, EXEMPLARY, CONSEQUENTIAL, SPECIAL, PUNITIVE OR SIMILAR DAMAGES ARISING FROM OR RELATING TO THE SAAS TERMS, EVEN IF THAT PARTY KNOWS OR SHOULD KNOW OF THE POSSIBILITY OF SUCH DAMAGES, AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. ACRE’S AGGREGATE LIABILITY FOR DAMAGES ARISING FROM OR RELATING TO THESE SAAS TERMS WILL NOT EXCEED THE AMOUNT OF FEES PAID BY CUSTOMER TO ACRE IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
9. CONFIDENTIALITY.
9.1 Defined. “Confidential Information” means all non-public confidential or proprietary information and materials of any nature of or relating to a party which the other party receives or otherwise becomes aware of in connection with the SAAS Terms. The Confidential Information of ACRE includes the non-public elements of the SAAS Software. The Confidential Information of Customer includes Customer Data. The parties will endeavor to conspicuously mark all such information as confidential if in tangible form (or identify it as such if disclosed orally or in other intangible form), but information need not be marked or identified as confidential to be deemed Confidential Information under the SAAS Terms if, under the circumstances of disclosure, such information is, or ought to be, reasonably understood to be confidential.
9.2 Confidentiality Obligations. Each party shall (a) observe complete confidentiality with respect to the disclosing party’s Confidential Information and (b) not use or disclose, or permit to be used or disclosed, the disclosing party’s Confidential Information for any purpose other than as contemplated in the SAAS Terms. Notwithstanding the foregoing, the receiving party may disclose the disclosing party’s Confidential Information to, as applicable, those of its employees and any subcontractors who have a need to know such information to assist the receiving party or act on its behalf pursuant to the SAAS Terms and who prior to receiving access thereto have signed binding agreements containing confidentiality obligations that are at least as protective of the disclosing party’s Confidential Information as those set forth in the SAAS Terms. Without limiting the generality of the foregoing, each party shall use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind, but in no event less than reasonable care. The obligations of confidence in this Section 9.2 shall not apply to Confidential Information which (i) is known by the receiving party before receipt from the disclosing party, and not impressed already with an obligation of confidentiality to the disclosing party; (ii) is or becomes publicly known without the fault of the receiving party; (iii) is obtained by the receiving party from a third party in circumstances where the receiving party has no reason to believe that there has been a breach of an obligation of confidentiality owed to the disclosing party; or (iv) the receiving party can establish by reasonable proof was substantially and independently developed by the receiving Party or representatives thereof who had no knowledge of such Confidential Information.
9.3 Permitted Disclosures. The receiving party may disclose the disclosing party’s Confidential Information (a) to the extent required by law or court order, or the requirement of a governmental authority; provided that the receiving party must provide prompt written notice, if allowed by law, and reasonable assistance to the disclosing party to enable the disclosing party to seek a protective order or otherwise prevent or restrict the nature and scope of such disclosure; (b) in privileged communications to such party’s agents, attorneys, auditors, insurers and other representatives and only subject to confidentiality obligations at least as protective as those set forth in the SAAS Terms and (c) in connection with a dispute or proceeding between the parties in accordance with the approval and at the direction of the mediator or arbitrator conducting such proceeding.
9.4 Return of Information. Upon termination of the SAAS Terms, or the disclosing party’s earlier written request, the receiving party shall return to the disclosing party, or at the disclosing party’s written request destroy, all records and materials in the receiving party’s possession or control containing the disclosing party’s Confidential Information and promptly certify in writing that it has fully complied with the foregoing obligation.
9.5 Remedies. Each party agrees and acknowledges that any breach or threatened breach of this Section 9 may cause irreparable injury to the disclosing party and that the disclosing party shall be entitled to seek injunctive relief, in addition to any other remedies that may be available to it under the SAAS Terms or at law or in equity.
10. MISCELLANEOUS.
10.1 Force Majeure. ACRE shall not be held liable or responsible to Customer nor be deemed to have defaulted under or breached these SAAS Terms for failure or delay in fulfilling or performing any term of these SAAS Terms when such failure or delay is caused by or results from causes beyond the reasonable control of ACRE including, but not limited to, failure, interruption, or outage of any communication facility, web host, or internet service provider; malicious code, tools, or devices designed to disable or disrupt systems, infrastructure, and operations; earthquakes, fire, floods, and other acts of God; embargoes, insurrections, riots, civil commotions, strikes, lockouts or other labor disturbances; acts of war or terrorism; epidemics, pandemics, or other public health events; and omissions or delays in acting by any governmental authority or the other party (“Force Majeure Event”). ACRE shall notify Customer of such Force Majeure Event as soon as reasonably practical. ACRE will use commercially reasonable efforts to restore service. If a Force Majeure Event continues for more than sixty (60) consecutive days, then either party may terminate these SAAS Terms upon written notice to the other party within thirty (30) days after the expiration of the preceding sixty (60) day period.
10.2 Governing Law. The SAAS Terms will be governed by and construed in accordance with the laws of the State of New York, without reference to conflict of laws principles that would require the application of the laws of a different jurisdiction. Each party irrevocably agrees that any legal action, suit or proceeding brought by it in any way arising out of or relating to the SAAS Terms must be brought solely and exclusively in state and federal courts located in New York, New York. The provisions of the United Nations Convention on the International Sale of Goods does not apply to the SAAS Terms.
10.3 Assignment. Customer may not assign the SAAS Terms or its respective rights and duties under the SAAS Terms, without ACRE’s prior written consent. Any purported assignment in violation of the foregoing will be null and void.
10.4 Independent Parties. The parties are and will act at all times as independent contractors, and nothing contained in the SAAS Terms will be construed or implied to create an agency, association, partnership or joint venture between the parties or to obligate either party to deal with the other on an exclusive basis.
10.5 No Third-Party Beneficiaries. Nothing in the SAAS Terms is intended to, nor will it, create any third-party beneficiaries, whether intended or incidental, and neither party will make any representations to the contrary.
10.6 Waiver; Severability. No waivers will be effective unless in writing and signed by both parties. A party’s consent to, or waiver of, enforcement of the SAAS Terms on one occasion will not be deemed a waiver of any other provision or such provision on any other occasion. If a court of competent jurisdiction adjudges any provision of the SAAS Terms to be illegal, invalid or unenforceable, or if any provision becomes illegal, invalid or unenforceable, the remaining provisions of the SAAS Terms, if capable of substantial performance, will continue in full force and effect without being impaired or invalidated in any way. The parties agree to reform and replace any illegal, invalid or unenforceable provision with a legal, valid and enforceable provision that most closely approximates the intent and economic effect of the illegal, invalid or unenforceable provision.
10.7 Publicity. Customer shall not issue or release any announcement, statement, press release or other publicity or marketing materials relating to the SAAS Terms or otherwise use ACRE’s name or trademarks without the prior written consent of ACRE. ACRE may include Customer’s name in its list of current and former customers in promotional and marketing materials with Customer’s prior written consent.
10.8 Notice. If one party is required or permitted to give notice to the other, such notice will be deemed given when delivery confirmation is received and such notice is delivered by United States certified mail, return receipt requested, or a nationally recognized overnight courier service to the other party’s at the address set forth in the Order Form. A party may specify new contacts or a new address by providing notice to the other party in accordance with this Section 10.8. Notwithstanding the foregoing, notices of an administrative nature, such as invoice approvals and electronic invoices, may also be communicated via confirmed email and will be deemed given upon acknowledgement of receipt by the recipient.
10.9 Export. Export laws and regulations of the United States and any other relevant local export laws and regulations apply to SAAS Software. Customer and ACRE each agree to comply with all such export laws and regulations (including “deemed export” and “deemed re-export” regulations). Customer agrees that no data, information, software programs and/or materials resulting from SAAS Software will be exported, directly or indirectly, in violation of these laws, or will be used for any purpose prohibited by these laws including, without limitation, nuclear, chemical, or biological weapons proliferation, or development of missile technology.
10.10 Foreign Corrupt Practices Act. Each party represents and warrants that (a) in connection with these SAAS Terms, it has not and will not make any payments or gifts or any offers or promises of payments or gifts of any kind, directly or indirectly, to any official of any government or any agency or instrumentality thereof and (b) it will comply in all respects with the Foreign Corrupt Practices Act, UK Bribery Act 2010, or any similar applicable laws.
10.11 Survival. All provisions that by their nature are intended to survive termination or expiration of this Agreement shall survive, including without limitation, Section 3.4 (Effect of Termination); Section 4 (Disclaimer of Warranties); Section 5 (Intellectual Property); Section 6 (Data); Section 7 (Indemnification); Section 8 (Limitation of Liability); Section 9 (Confidentiality); Section 10 (Miscellaneous).
10.12 Entire Agreement. The SAAS Terms, which is comprised of the documents set forth on the applicable Order Form, sets forth the complete, exclusive and final agreement of the parties concerning the subject matter hereof and supersedes, replaces and merges all prior and contemporaneous agreements, communications and understandings, oral and written, between the parties concerning the subject matter hereof.
10.13 Changes. ACRE reserves the right to make changes or modifications to these SAAS Terms from time to time with or without notice. All revised versions of these SAAS Terms will be available at www.acresecurity.com. Customer’s or its End Users’ use of the SAAS Software following the posting of the revised SAAS Terms constitutes acceptance of changes. It is Customer’s responsibility to check ACRE’s website from time to time for any changes to the SAAS Terms.
EXHIBIT A
SERVICE LEVELS AND SUPPORT FOR SAAS SOFTWARE
1. Service Levels. ACRE will use commercially reasonable efforts to make the SAAS Software Available at least 99.9% of the time as measured over the course of each calendar month during the Term, excluding unavailability as a result of any of the exceptions described below (“Availability Requirement”). “Available” means the SAAS Software is available for access and use by Customer and its End Users in material accordance with the applicable Documentation.
2. Exceptions. For purposes of calculating the Availability Requirement, the following are exceptions to the Availability Requirement, and the SAAS Software, will not be considered unavailable due, in whole or in part, to any of the following: (i) access to or use of the SAAS Software by Customer or any End User that does not comply with these SAAS Terms; (ii) delay or failure of performance caused in whole or in part by Customer's delay in performing, or failure to perform, any of its obligations under these SAAS Terms; (iii) Customer’s or its End Users’ internet connectivity; (iv) a Force Majeure Event; (v) failure, interruption, outage, or other problem with any software, hardware, system, network, facility, or other matter not supplied by ACRE pursuant to these SAAS Terms; (vi) Scheduled Maintenance (as defined below); or (vii) Emergency Maintenance (as defined below).
3. Scheduled Maintenance. In order to maintain performance and security of the SAAS Software, ACRE may need to perform scheduled maintenance that can cause periods of unavailability of the SAAS Software (“Scheduled Maintenance”). ACRE will use commercially reasonable efforts to: (a) conduct Scheduled Maintenance between the hours of 10:00 p.m. and 7:00 a.m., Eastern Time; and (b) give Customer at least forty-eight (48) hours prior notice of all Scheduled Maintenance.
4. Emergency Maintenance. Circumstances may require ACRE to perform unplanned maintenance due to a condition or situation that may cause material disruption or outage to the SAAS Software and/or pose a security risk to the SAAS Software or ACRE’s systems and networks (such unplanned maintenance, “Emergency Maintenance”). ACRE will use commercially reasonable efforts to notify Customer with as much advance notice as possible under the circumstance prior to performing Emergency Maintenance.
5. SAAS Software Updates. ACRE shall provide Customer any update, upgrade, release, or other adaptation or modification of the SAAS Software, including any updated Documentation, that ACRE provides at no additional charge to other similarly situated customers.
6. Technical Support. ACRE shall provide technical support to Customer Monday through Friday during the hours of 9:00 a.m. and 5:00 p.m., Eastern Time, with the exclusion of Federal holidays (“Support Hours”). Customer shall initiate all support requests during the Support Hours by emailing support@acre-co.com and/or by calling 855-818-7001.
EXHIBIT B
DATA SECURITY POLICY
1. COMPLIANCE; TRANSFERS OUTSIDE OF THE UNITED STATES
1.1 Compliance. With respect to the collection, storage, transfer and use of the Customer Data, including all information that relates to an identified or identifiable natural person (“Personal Data”), ACRE shall comply with (a) applicable privacy laws and generally accepted industry standards, and (b) to the extent applicable, payment card industry requirements.
1.2 Transfers Outside of the United States. ACRE stores all Customer Data in the United States. In the event ACRE desires to move the storage location of the Customer Data outside of the United States, ACRE shall provide Customer with at least ninety (90) days’ prior written notice of such intent and provide Customer the opportunity to deny such transfer.
2. PERSONAL DATA
2.1 Privacy Policy. To the extent any Personal Data of Customer or its End Users is collected, maintained, and/or processed by or on behalf of ACRE, ACRE collects, maintains, and processes such Personal Data in accordance with its privacy policy available at www.acresecurity.com (“Privacy Policy”), which may be modified from time to time in ACRE’s sole discretion. Customer consents to ACRE’s use of Personal Data in accordance with the Privacy Policy.
3. INFORMATION SECURITY PROGRAM
3.1 Information Security Program. ACRE shall maintain a comprehensive written information security program that complies with applicable privacy laws and generally accepted industry standards and which includes reasonable administrative, technical and physical safeguards to protect the Customer Data from unauthorized access, disclosure, processing, alteration and destruction (the “Information Security Program”). Among other terms, the Information Security Program shall require the following:
(a) a designated individual or team at ACRE responsible for the development and implementation of ACRE’s information security practices;
(b) employee and contractor background checks;
(c) security and privacy awareness training for all employees who work on or in connection with the SAAS Solution;
(d) transfer and storage of all data in an encrypted/secure manner;
(e) firewalls, intrusions detection systems, logging and monitoring systems and access control systems;
(f) restricting access to data, applications, systems, databases and networks to approved employees and contractors who have a business need for such access and who prior to being given access thereto have executed binding confidentiality agreements;
(g) reasonably timely de-provisioning, revocation or modification of user access to data, applications, systems, databases and networks upon any change in a user’s status;
(h) a defined business continuity/disaster recovery plan, including (i) providing for reasonable physical protection against damage from deliberate attacks as well as natural causes and disasters; (ii) implementing security mechanisms and redundancies to reasonably protect equipment from utility service outages and (iii) reasonably protecting telecommunications equipment, cabling and relays transferring data from interception or damage;
(i) testing the recovery of backups at planned intervals; and
(j) restricting physical access to the SAAS Software through reasonable safeguards such as fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols.
4. TESTS AND AUDITS
4.1 ACRE will conduct (a) a network level penetration test and vulnerability scan conducted annually; and (b) a test of its business continuity/disaster recovery plan conducted annually. Upon reasonable request from Customer, ACRE shall provide Customer with a high-level executive summary of each such test, subject to the confidentiality obligations set forth in the SAAS Terms.
5. DATA INCIDENTS
5.1 ACRE shall notify Customer as soon as practicable, but no later than forty-eight (48) hours after becoming aware of a Data Incident. “Data Incident” means a breach that compromises or is suspected to compromise the security, confidentiality or integrity of the Customer Data or the administrative, technical or physical safeguards put in place by ACRE that relate to the protection of the security, confidentiality or integrity of the Customer Data.