Accelerator/Growth Programs Terms and Conditions
Terms and Conditions
These Terms and Conditions (including any attached schedules, the “Terms and Conditions”) are by and between mParticle, Inc. (“mParticle”) and the entity or person placing accessing the mParticle Platform (“Customer”) (the Terms and Conditions, the “Agreement”). Each of mParticle and Customer may be referred to herein individually as a “Party” or collectively as the “Parties.”
The “Effective Date” of this Agreement is the date of Customer’s initial access to the mParticle Platform (as defined below) through any online provisioning, registration or order process.
Customer acknowledges and agrees that mParticle may modify the terms and conditions of this Agreement at any time in accordance with Section 10 (Modifications to Agreement).
BY INDICATING ACCEPTANCE OF THIS AGREEMENT OR ACCESSING OR USING THE SERVICE, CUSTOMER AGREES TO BE BOUND BY ALL TERMS, CONDITIONS, AND NOTICES CONTAINED OR REFERENCED IN THIS AGREEMENT. IF CUSTOMER DOES NOT AGREE TO THIS AGREEMENT, PLEASE DO NOT USE THIS SERVICE. FOR CLARITY, EACH PARTY EXPRESSLY AGREES THAT THIS AGREEMENT IS LEGALLY BINDING UPON IT.
mParticle is a software technology company which has developed a software as a service platform that enables enterprises to (1) collect, organize and synchronize data from apps, web, connected devices, and offline data sources and (2) distribute such data to various service providers, including analytics, monetization, data warehousing and other services. As such, mParticle functions as a core data and services orchestration layer for enterprises.
1. License Grant
1.1 mParticle Platform
mParticle will make its software platform available to Customer via the Internet (the “mParticle Platform”) pursuant to this Agreement and the applicable Order during the Term (as defined below). Once Customer identifies an administrative user name and password and such administrative account is provisioned, Customer shall have access to and can utilize the mParticle Platform. Subject to the terms and conditions of this Agreement, mParticle hereby grants Customer a limited, nonexclusive, nontransferable, non-sublicensable right and license to access and use the mParticle Platform during the Term solely for Customer’s use.
1.2 mParticle SDK
mParticle will make its software development kit (in object code format only) available to Customer via the mParticle Platform (the “mParticle SDK”). Subject to the terms and conditions of this Agreement, mParticle hereby grants Customer a limited, nonexclusive, nontransferable, non-sublicenseable right and license to (a) download and internally use the mParticle SDK, (b) incorporate the mParticle SDK into Customer’s web and/or mobile apps and connected devices set forth in the Order (collectively, the “Supported Customer Properties”), (c) to distribute and otherwise make available the mParticle SDK as incorporated in the Supported Customer Properties, and (d) to send data server-to-server via mParticle’s Application Programming Interface (API).
1.3 License Grant Limitations
The following limitations and restrictions shall apply to the mParticle Platform:
- Restricted Access: The Customer shall not provide access to the mParticle Platform to any person who is not an employee or contractor of Customer.
- Except as expressly permitted hereunder Customer shall not and shall not permit or authorize any third party to: (i) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas or algorithms of any of the mParticle Platform or mParticle SDK; (ii) modify, translate or create derivative works based on any of the mParticle Platform or mParticle SDK; (iii) copy (except for archival purposes), rent, lease, distribute, pledge, assign or otherwise transfer or allow any lien, security interest or other encumbrance on any of the mParticle Platform or mParticle SDK; (iv) use any of the mParticle Platform or mParticle SDK for timesharing or service bureau purposes or (except as expressly permitted by the mParticle Platform) otherwise for the benefit of a third party; (v) hack, manipulate, interfere with or disrupt the integrity or performance of or otherwise attempt to gain unauthorized access to any of the mParticle Platform or mParticle SDK or their related systems, hardware or networks or any content or technology incorporated in any of the foregoing; or (vi) remove or obscure any proprietary notices or labels of mParticle or its suppliers on any of the mParticle Platform or mParticle SDK.
1.4 Access Credentials and mParticle API Keys
Customer and Customer’s authorized users are solely responsible for the confidentiality and use of their username and password (“Access Credentials”) and mParticle API keys (“mParticle API Keys”) that Customer and Customer’s authorized users use to access and use the mParticle Platform and mParticle SDK. Customer shall immediately notify mParticle if any Access Credentials and/or mParticle API Keys have been stolen or compromised. Customer acknowledges and agrees that Customer shall be responsible for all activities and all loss, damage and expense incurred by mParticle that occur under Customer’s and Customer’s authorized users’ Access Credentials and mParticle API Keys, including but not limited to, any misuse, communications, or any data (including Customer Data) entered through such Access Credentials and mParticle API Keys by Customer or permitted by Customer’s failure to keep its Access Credential and mParticle API Keys confidential. Unless caused by mParticle’s breach of this Agreement, gross negligence or intentional misconduct, mParticle shall not be liable for any loss or damage caused by any unauthorized use of any Access Credentials and/or mParticle API Keys.
1.5 Service Limitations
Customer’s use of the mParticle Platform is subject to the Service Level Limitations located http://docs.mparticle.com/guides/default-service-limits/. The Service Level Limitations are provided as an upper bound designed to detect possible errors in data ingestion and damage to the mParticle Platform and is in no way intended to decrease the number of MTUs for which Customer has contracted. If the Service Level Limitations are exceeded, mParticle reserves the right, in its sole discretion, to throttle and/or cap Customer’s use of the mParticle Platform and/or mParticle SDK and/or mParticle APIs.
2. Ownership; Reservation of Rights
2.1 Customer Data
Customer owns the data derived or collected by the mParticle SDK incorporated into the Supported Customer Properties and data input by Customer into the mParticle Platform (“Customer Data”). Customer hereby grants to mParticle a non-exclusive, worldwide, royalty-free, fully paid up, sublicenseable, right and license to copy, distribute, display and create derivative works of and use the Customer Data to perform mParticle’s obligations under this Agreement. Customer reserves any and all right, title and interest in and to the Customer Data other than the licenses therein expressly granted to mParticle under this Agreement. Except as expressly permitted hereunder or as authorized by Customer in connection with its use of the mParticle Platform, mParticle shall not and shall not authorize any third party to:
a. rent, sublicense, transfer, disclose, use, or grant any rights in, or share or provide access to any Customer Data, in any form, collected and created under this Agreement;
b. collect, use, combine, aggregate, or commingle the Customer Data for the benefit of any third party where such collection, use, combination, aggregation or commingling of such Customer Data is for the purpose of or results in the segmenting, building or supplementing profiles of users, or is for use in online preference marketing to users, or to perform tracking, targeting, or re-targeting of users, in each case for the benefit of any third party;
c. disclose the Customer Data to third party advertisers or publishers in any manner that would readily identify Customer’s methods, techniques, scope or scale of Customer Data collection, products or services; or
d. combine the Customer Data with any third party data except as specifically permitted hereunder.
2.2 mParticle Platform and mParticle SDK Ownership; Reservation Of Rights
Customer acknowledges and agrees that, as between the Parties, mParticle retains all rights title, and interest in and to the mParticle Platform and mParticle SDK, all copies or parts thereof (by whomever produced) and all intellectual property rights therein. mParticle grants no, and reserves any and all, rights other than the rights expressly granted to Customer under this Agreement with respect to the mParticle Platform and mParticle SDK. Customer shall acquire no, rights, title, or interest in and to the mParticle Platform or mParticle SDK or any copies thereof (by whoever produced) other than the limited licensed rights expressly granted under this Agreement. Customer will not remove, obscure, or alter any intellectual property rights notices relating to the mParticle Platform or mParticle SDK.
2.3 mParticle Usage Data
Customer acknowledges that mParticle collects data about its customers’ usage of the mParticle products (“mParticle Usage Data”) and uses it for the sole purpose of generating insights about the use of mParticle’s products to support and improve mParticle’s products generally and to enable customers to better use mParticle’s products. For avoidance of doubt, mParticle Usage Data shall not contain any Customer Data collected by Customer and ingested by the mParticle Platform. In addition, mParticle may use aggregated mParticle Usage Data that do not identify customers for the purpose of describing its products in marketing materials (e.g., total volume of customer data processed by the mParticle Platform).
Customer may from time to time provide suggestions, comments for enhancements or functionality or other feedback (“Feedback”) to mParticle with respect to the mParticle Platform and/or mParticle SDK. mParticle may determine whether or not to proceed with the development of the requested enhancements, new features or functionality. Customer hereby grants mParticle a royalty-free, fully paid up, worldwide, transferable, sublicenseable, irrevocable, perpetual license to (a) copy, distribute, transmit, display, perform, and create derivative works of the Feedback; and (b) use the Feedback and/or any subject matter thereof, including without limitation, the right to develop, manufacture, have manufactured, market, promote, sell, have sold, offer for sale, have offered for sale, import, have imported, rent, provide and/or lease products or services which practice or embody, or are configured for use in practicing, the Feedback and/or any subject matter of the Feedback.
2.5 Customer Responsibilities
Customer shall (a) use commercially reasonable efforts to prevent unauthorized access to or use of the mParticle Platform and mParticle SDK and notify mParticle promptly of any such unauthorized access or use, and (b) use mParticle Platform and mParticleSDK only in accordance with the documentation and applicable laws and regulations.
2.6 Privacy; Data Security
As set forth in the Privacy and Security Rider attached to the Order as Exhibit A.
3. Fees; Payment Terms
3.1 Accelerator/Growth Programs.
(a) Accelerator Program: mParticle offers an accelerator program, subject to the eligibility requirements and parameters set forth at https://www.mparticle.com/lpg/accelerator (“Accelerator Program”). As long as Customer is eligible for and fits within the parameters of the Accelerator Program: (i) there shall be no fees hereunder for the services described in the Accelerator Terms (defined below), (ii) the Standard Cap in Section 7.2 shall be $1,000, (iii) and the remainder of this Section 3 shall not apply. In the event of a conflict between the terms set forth in this Section 3.1(a) and at the URL above, on the one hand (collectively, “Accelerator Terms”), and the other terms of this Agreement, on the other hand, the Accelerator Terms will control.
(b)Growth Program: In the event Customer no longer qualifies for the Accelerator Program, mParticle may contact Customer to see if Customer wishes to engage in mParticle’s growth program (“Growth Program”). If Customer wishes to participate in the Growth Program, the parties will enter into an Order. At its discretion, mParticle may increase the pricing on the Order at any time by giving Customer at least thirty (30) days prior written notice (which may be sent by email or through the mParticle Platform user interface). To participate in the Growth Program, Customer shall supply mParticle with a credit card to pay the fees due hereunder. Customer hereby authorizes mParticle to keep such credit card on file and charge such credit card for fees due from Customer hereunder as and when due. Customer represents and warrants that Customer has the right to allow mParticle to do all of the foregoing. In the event that mParticle is not able to process the fees owned hereunder when due by charging such credit card, mParticle may suspend Customer’s access to the mParticle Platform until such payment is made by another method and a new credit card on file is provided. mParticle may terminate the Agreement upon thirty (30) days prior written notice if there has been more than one instance of late payment. For the avoidance of doubt, the remainder of this Section 3 shall apply. In the event of a conflict between the terms set forth in this Section 3.1(b) (“Growth Terms”) and the other terms of this Agreement, on the other hand, the Growth Terms will control.
Customer will pay mParticle all fees (“Fees”) at such times as indicated on the Order. The fees for platform access and usage are based on a base number of MTUs. mParticle calculates and bills overage fees (“Overage Fees”) monthly in arrears for MTU usage in excess of this base number of MTUs (“Monthly Overage”) . The Order may specify a single rate for Overage Fees in which case all Monthly Overages will be charged at that rate. Alternatively, the Order may specify tiered pricing. In such event, if Customer’s usage increases and elevates Customer from a lower tier to a higher tier, the pricing for the higher tier shall become the pricing for the remainder of the term of the Order (unless usage increases afterward to an even higher tier). There will be no reversion to lower tiers. For each month in which Customer moves from a lower tier to a higher tier, mParticle shall invoice the Customer for the difference between the Platform Service Fees for the new tier and the amount already paid for lower tiers, prorated for the remainder of the Term. As used herein, (i) “MTU” means an mParticle ID that has any activity in a calendar month, and (ii) “mParticle ID” means a single user-profile record created for a specified workspace as governed by Company’s desired identity strategy. Unless stated otherwise in the order page, payment for Overage Fees is due within thirty (30) days after receipt of invoice and payment for all other Fees are payable in advance upon execution of the Agreement.
3.3 Late Payment
If payment of any fees (including any reimbursement of expenses) is not made when due and payable, a late fee shall accrue at the rate of the lesser of one and one-half percent (1.5%) per month or the highest legal rate permitted by law and Customer will pay all reasonable expenses of collection. In addition, if any past due payment has not been received by mParticle within thirty (30) days from the time such payment is due, mParticle may suspend access to the mParticle Platform until such payment is made. At its discretion, mParticle may increase the pricing stated on the Order for any Renewal Term (as defined below) upon giving Customer at least sixty (60) days notice (which may be sent by email) prior to the end of the then-current Term.
3.3 Net of Taxes
All amounts payable by Customer to mParticle hereunder are exclusive of any sales, use and other taxes or duties, however designated, including without limitation, withholding taxes, royalties, know-how payments, customs, privilege, excise, sales, use, value-added and property taxes (collectively "Taxes"). Customer shall be solely responsible for payment of any Taxes, except for those taxes based on the income of mParticle. Customer will not withhold any Taxes from any amounts due mParticle.
3.4 Reimbursable Expenses
Customer will reimburse mParticle for travel expenses associated with ongoing support, such as Quarterly Business Reviews (QBRs) and on site visits, provided that Customer approves such activities via email beforehand and mParticle complies with applicable Customer Travel and Expense Policy.
4. Term, Termination
The Initial Term of this Agreement shall be as set forth on the Order. Thereafter, unless the Agreement terminates earlier in accordance with the terms of this Agreement and/or unless Customer is a participant in the Accelerator Program, the Agreement shall automatically renew for additional one year terms (each, a “Renewal Term” and, together with the Initial Term, the “Term”) unless either Party delivers to the other Party written notice at least sixty (60) days prior to the end of the then-current Term of the Party’s intent not to renew the Term.
4.2 Termination; Effect of Termination
In addition to any other remedies it may have, either Party may also terminate this Agreement if the other Party breaches any of the terms or conditions of this Agreement and fails to cure such breach within thirty (30) days’ notice (or ten (10) days in the case of nonpayment) after receiving notice thereof. Upon any termination or expiration of this Agreement for any reason: (i) mParticle shall promptly delete or erase the Customer Data or the encryption key to the Customer Data; (ii) all rights granted hereunder and all obligations of mParticle to provide the mParticle Platform and mParticle SDK shall immediately terminate and Customer shall cease use of the mParticle Platform and mParticle SDK; and (iii) Customer will pay in full for the use of the mParticle Platform and mParticle SDK up to the date of such termination or expiration.
Upon expiration or termination of this Agreement, all obligations in this Agreement shall terminate, provided that Sections 2.2 (mParticle Platform and mParticle SDK Ownership), 2.3 (mParticle Usage Data), 2.4 (Feedback), 3 (Fees; Payment Terms), 4.2 (Termination; Effect of Termination), 5 (Confidentiality), 7 (Limitations of Liability; Indemnification), 9 (General), and 4.3 (Survival) shall survive.
As used herein, “Confidential Information” means any non-public information or data, regardless of whether it is in tangible form, disclosed by either Party (the “Disclosing Party”) that the Disclosing Party has either marked as confidential or proprietary, or has identified in writing as confidential or proprietary within thirty (30) days of disclosure to the other Party (the “Receiving Party”); provided, however, that a Disclosing Party’s business plans, strategies, technology, research and development, current and prospective customers, billing records, and products or services shall be deemed Confidential Information of the Disclosing Party even if not so marked or identified. For the avoidance of doubt, mParticle’s Confidential Information includes, without limitation, the mParticle Platform, mParticle SDK and the terms of this Agreement. Notwithstanding the foregoing, “Confidential Information” shall not include information that: (a) is known to the Receiving Party prior to receipt from the Disclosing Party directly or indirectly from a source other than one having an obligation of confidentiality to the Disclosing Party; (b) becomes known (independently of disclosure by the Disclosing Party) to the Receiving Party directly or indirectly from a source other than one having an obligation of confidentiality to the Disclosing Party; (c) becomes publicly known or otherwise ceases to be secret or confidential, except through a breach of this Agreement by the Receiving Party; or (d)is independently developed by Receiving Party without use of the Confidential Information of the Disclosing Party. Each Party acknowledges that the Confidential Information constitutes valuable trade secrets and proprietary information of a Party, and each Party agrees that it shall use the Confidential Information of the other Party solely in accordance with the provisions of this Agreement and it will not disclose, or permit to be disclosed, the same directly or indirectly, to any third party without the other Party’s prior written consent, except as otherwise permitted hereunder. Each Party will use reasonable measures to protect the confidentiality and value of the other Party’s Confidential Information. Notwithstanding any provision of this Agreement, either Party may disclose the terms of this Agreement, in whole or in part (a) to its employees, officers, directors, professional advisers (e.g., attorneys, auditors, financial advisors, accountants and other professional representatives), existing and prospective investors or acquirers contemplating a potential investment in or acquisition of a Party, sources of debt financing, acquirers and/or subcontractors who have a need to know and are legally bound to keep such Confidential Information confidential by confidentiality obligations or, in the case of professional advisors, are bound by ethical duties to keep such Confidential Information confidential consistent with the terms of this Agreement; and (b) as reasonably deemed by a Party to be required by law (in which case each Party shall provide the other with prior written notification thereof, shall provide such Party with the opportunity to contest such disclosure, and shall use its reasonable efforts to minimize such disclosure to the extent permitted by Applicable Laws (as defined in the Privacy and Data Security Rider)). Each Party agrees to exercise due care in protecting the Confidential Information from unauthorized use and disclosure. In the event of actual or threatened breach of the provisions of this Section, the non-breaching Party will be entitled to seek immediate injunctive and other equitable relief, without waiving any other rights or remedies available to it. Each Party shall promptly notify the other in writing if it becomes aware of any violations of the confidentiality obligations set forth in this Agreement. Upon the termination of this Agreement, each Receiving Party agrees to promptly return to the Disclosing Party or destroy all Confidential Information of the Disclosing Party that is in the possession of the Receiving Party and to certify the return or destruction of all such Confidential Information and embodiments thereof.
6. Representations, Warranties, and Disclaimer
6.1 Representations and Warranties
Each Party represents and warrants to the other Party that (a) such Party has the required power and authority to enter into this Agreement and to perform its obligations hereunder; (b) the execution of this Agreement and performance of its obligations thereunder do not and will not violate any other agreement to which it is a party; and (c) this Agreement constitutes a legal, valid and binding obligation when signed by both Parties.
mParticle shall use reasonable efforts consistent with prevailing industry standards to provide the mParticle Platform in a manner that minimizes errors and interruptions in accessing the mParticle Platform. mParticle Platform may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by mParticle or by third-party providers, or because of other causes beyond mParticle’s reasonable control, but mParticle shall use reasonable efforts to provide advance notice in writing or by email of any scheduled service disruption within mParticle’s control.
EXCEPT AS EXPRESSLY SET FORTH HEREIN, EACH OF THE MPARTICLE PLATFORM AND MPARTICLE SDK IS PROVIDED ON AN “AS-IS” BASIS AND MPARTICLE DISCLAIMS ANY AND ALL WARRANTIES. EXCEPT AS OTHERWISE EXPRESSLY PROVIDED IN THIS AGREEMENT, NEITHER PARTY MAKES ANY ADDITIONAL REPRESENTATION OR WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED (EITHER IN FACT OR BY OPERATION OF LAW), OR STATUTORY, AS TO ANY MATTER WHATSOEVER. ALL OTHER EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES ARE HEREBY EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW. EACH PARTY EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUALITY, ACCURACY, TITLE, AND NON-INFRINGEMENT. NEITHER PARTY WARRANTS AGAINST INTERFERENCE WITH THE ENJOYMENT OF THE PRODUCTS OR SERVICES PROVIDED BY SUCH PARTY OR AGAINST INFRINGEMENT. NEITHER PARTY WARRANTS THAT THE PRODUCTS OR SERVICES PROVIDED BY SUCH PARTY ARE ERROR-FREE OR THAT OPERATION OF SUCH PARTY’S PRODUCTS OR SERVICES WILL BE SECURE OR UNINTERRUPTED. NEITHER PARTY WILL HAVE THE RIGHT TO MAKE OR PASS ON ANY REPRESENTATION OR WARRANTY ON BEHALF OF THE OTHER PARTY TO ANY THIRD PARTY.
7. Limitations of Liability; Indemnification
7.1 Disclaimer of Consequential Damages
THE PARTIES HERETO AGREE THAT, NOTWITHSTANDING ANY OTHER PROVISION IN THIS AGREEMENT, EXCEPT FOR (A) CUSTOMER’S BREACH OF SECTION 1 (LICENSE GRANT) ABOVE AND (B) EITHER PARTY’S BREACH OF SECTION 5 (CONFIDENTIALITY) ABOVE, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY SPECIAL, INDIRECT, RELIANCE, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND, LOST OR DAMAGED DATA, LOST PROFITS OR LOST REVENUE, WHETHER ARISING IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, EVEN IF A PARTY HAS BEEN NOTIFIED OF THE POSSIBILITY THEREOF.
7.2 General Cap on Liability
NOTWITHSTANDING ANY OTHER PROVISION OF THIS AGREEMENT, EXCEPT FOR (A) CUSTOMER’S BREACH OF SECTION 1 (LICENSE GRANT) ABOVE, (B) EITHER PARTY’S BREACH OF SECTION 5 (CONFIDENTIALITY) ABOVE, AND (C) LIABILITY ARISING FROM A PARTY’S INDEMNIFICATION OBLIGATIONS SET FORTH IN SECTION 7.4 AND 7.5 BELOW, AS APPLICABLE, UNDER NO CIRCUMSTANCES WILL EITHER PARTY’S AGGREGATE LIABILITY FOR DIRECT DAMAGES ARISING UNDER OR RELATING TO THIS AGREEMENT (INCLUDING BUT NOT LIMITED TO WARRANTY CLAIMS), REGARDLESS OF THE FORUM AND REGARDLESS OF WHETHER ANY ACTION OR CLAIM IS BASED ON CONTRACT, TORT, OR OTHERWISE, EXCEED THE TOTAL FEES PAID BY CUSTOMER TO MPARTICLE UNDER THIS AGREEMENT DURING THE TWELVE (12) MONTH PERIOD PRECEDING THE EVENT OR CIRCUMSTANCES GIVING RISE TO SUCH LIABILITY.
7.3 Independent Allocations of Risk
EACH PROVISION OF THIS AGREEMENT THAT PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF WARRANTIES, OR EXCLUSION OF DAMAGES IS TO ALLOCATE THE RISKS OF THIS AGREEMENT BETWEEN THE PARTIES. EACH OF THESE PROVISIONS IS SEVERABLE AND INDEPENDENT OF ALL OTHER PROVISIONS OF THIS AGREEMENT, AND EACH OF THESE PROVISIONS WILL APPLY EVEN IF THEY HAVE FAILED OF THEIR ESSENTIAL PURPOSE.
7.4 Indemnification by mParticle
mParticle shall indemnify, defend and hold harmless (“Indemnify”) Customer and the officers, directors, agents, and employees of Customer (“Customer Indemnified Parties”) from any and all losses, liabilities, penalties, costs and expenses, including reasonable attorneys’ fees (collectively, the “Liabilities”) incurred by the Customer Indemnified Parties in connection with any third-party action, claim, or proceeding (each, a “Claim”) arising from the use of the mParticle Platform or mParticle SDK in accordance with this Agreement infringing or misappropriating any third-party intellectual property rights. Notwithstanding the foregoing, mParticle shall have no liability or obligation under this Section 7.4 with respect to any Liability if such Liability is caused in whole or in part by (x) modification of the mParticle Platform or mParticle SDK by any party other than mParticle without mParticle’s express consent; (y) the combination, operation, or use of the mParticle Platform or mParticle SDK with other product(s), data or services where the mParticle Platform or mParticle SDK would not by itself be infringing; or (z) unauthorized or improper use of the mParticle Platform or mParticle SDK. If the use of the mParticle Platform or mParticle SDK by Customer has become, or in mParticle’s opinion is likely to become, the subject of any Claim, mParticle may at its option and expense (a) procure for Customer the right to continue using the mParticle Platform or mParticle SDK as set forth hereunder; (b) replace or modify the mParticle Platform or mParticle SDK to make it non-infringing so long as the mParticle Platform or mParticle SDK has at least equivalent functionality; (c) substitute an equivalent for the mParticle Platform or mParticle SDK or (d) if options (a)-(c) are not reasonably practicable, terminate this Agreement. This Section 7.4 states mParticle’s entire obligation and Customer’s sole remedies in connection with any claim related to infringement or misappropriation of the intellectual property rights of any third party by the mParticle Platform or mParticle SDK.
7.5 Indemnification by Customer
Customer shall Indemnify mParticle and the officers, directors, agents, and employees of mParticle (“mParticle Indemnified Parties”) from Liabilities incurred by the mParticle Indemnified Parties in connection with any Claim: (a) arising from or related to a breach of Section 1 and/or any use or disclosure by Customer of any mParticle Platform, mParticle SDK and/or mParticle API in violation of this Agreement; (b) arising from or related to a breach by Customer of Sections 1 and/or 2 of the Privacy and Security Rider; and/or (c) except to the extent arising from mParticle’s breach of its obligations with respect to processing Customer Data, arising from or related to the Customer Data.
7.6 Indemnification Procedure
If a Customer Indemnified Party or a mParticle Indemnified Party (each, an “Indemnified Party”) becomes aware of any Claim it believes it should be indemnified under Section 7.4 or Section 7.5, as applicable, the Indemnified Party will give the other Party (the “Indemnifying Party”) prompt written notice of such Claim. The Indemnified Party will cooperate, at the expense of the Indemnifying Party, with the Indemnifying Party and its counsel in the defense and the Indemnified Party will have the right to participate fully, at its own expense, in the defense of such Claim with counsel of its own choosing. Any compromise or settlement of a Claim will require the prior written consent of both Parties hereunder, such consent not to be unreasonably withheld or delayed.
8. Professional Services
mParticle offers its customers use of its customer solutions group for assistance in implementation, training, customization, and other services which services will all have application only to Customer’s use of the mParticle Platform, mParticle SDK and/or mParticle API (the “Professional Services”). Any Professional Services to be provided by mParticle to Customer will be set forth in a statement of work, in the form attached as Appendix A, which references this Agreement and is signed by authorized representatives of the Parties (each, a “Statement of Work”). Each Statement of Work will describe the Professional Services to be provided by mParticle, the fees to be paid by Customer for such Professional Services, and any other terms and conditions that may be agreed to by the Parties with respect to such Professional Services. Each Statement of Work is deemed incorporated into, and made a part of, this Agreement and will be governed by the terms and conditions of this Agreement. To the extent any provision set forth in a Statement of Work conflicts with any provision set forth elsewhere in this Agreement, the provision set forth elsewhere in this Agreement will control. Unless otherwise expressly provided in a Statement of Work, all rights, title, and interest to and in any work product developed pursuant to the Professional Services (including, but not limited to, all copyrights, patents, trademarks, and other intellectual property rights relating thereto) (collectively, “Work Product”) will be owned by mParticle and will be deemed to be included in the definition of mParticle Platform and mParticle SDK (as applicable) and licensed to Customer on the terms set forth herein.
Customer may not remove or export from the United States or allow the export or re-export of the mParticle Platform, mParticle SDK or anything related thereto, or any direct product thereof in violation of any restrictions, laws or regulations of the United States Department of Commerce, the United States Department of Treasury Office of Foreign Assets Control, or any other United States or foreign agency or authority. If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable. Neither Party may assign this Agreement or assign or delegate its rights or obligations under the Agreement without the other Party’s prior written consent; provided however, that mParticle may assign this Agreement to an acquirer of or successor to all or substantially all of its business or assets to which this Agreement relates, whether by merger, sale of assets, sale of stock, reorganization or otherwise. Any assignment or attempted assignment by either Party other than in accordance with this Section 9 shall be null and void. Both Parties agree that this Agreement is the complete and exclusive statement of the mutual understanding of the Parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement, and that all waivers and modifications must be in a writing signed by both Parties, except as otherwise provided herein. No agency, partnership, joint venture, or employment is created as a result of this Agreement and a Party does not have any authority of any kind to bind the other Party in any respect whatsoever. In any action or proceeding to enforce rights under this Agreement, the prevailing Party will be entitled to recover costs and attorneys’ fees. In addition to all other remedies available under this Agreement, at law or in equity, Customer further agrees that mParticle shall be entitled to injunctive relief in the event Customer uses the mParticle Platform or mParticle SDK in violation of the limited license granted herein or uses the mParticle Platform or mParticle SDK in any way not expressly permitted by this Agreement. All notices under this Agreement will be in writing and sent to the recipient’s address set forth in the Order and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile or email; the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and upon receipt, if sent by certified or registered mail, return receipt requested. Each Party agrees that it will not, without prior written consent of the other, issue a press release regarding their business relationship. mParticle may (a) create demonstration and marketing materials and information which includes Customer Data solely in anonymized or aggregated format and disclose and otherwise make such materials and information available solely in connection with marketing and demonstrating the mParticle Platform; and (b) mention Customer and the relationship between mParticle and Customer in mParticle’s marketing collateral, website, and other promotional and marketing materials. Each Party shall be excused from performance for any period during which, and to the extent that, it is prevented from performing any obligation or service, in whole or in part, as a result of a cause beyond its reasonable control and without its fault or negligence, including, but not limited to, acts of God, acts of war, epidemics, fire, communication line failures, power failures, earthquakes, floods, blizzard, or other natural disasters (but excluding failure caused by a Party's financial condition or any internal labor problems (including strikes, lockouts, work stoppages or slowdowns, or the threat thereof)) (a “Force Majeure Event”). Delays in performing obligations due to a Force Majeure Event shall automatically extend the deadline for performing such obligations for a period equal to the duration of such Force Majeure Event. Except as otherwise agreed upon by the Parties in writing, in the event such non-performance continues for a period of thirty (30) days or more, either Party may terminate this Agreement by giving written notice thereof to the other Party. Upon the occurrence of any Force Majeure Event, the affected Party shall give the other Party written notice thereof as soon as reasonably practicable of its failure of performance, describing the cause and effect of such failure, and the anticipated duration of its inability to perform. This Agreement shall be governed by the laws of the State of New York without regard to its conflict of laws provisions. For all disputes relating to this Agreement, each Party submits to the exclusive jurisdiction of the state and federal courts located in New York, New York and waives any jurisdictional, venue, or inconvenient forum objections to such courts. Customer acknowledges that any unauthorized use of the mParticle Platform or mParticle SDK will cause irreparable harm and injury to mParticle for which there is no adequate remedy at law.
10. Modifications to Agreement
mParticle may modify the Terms and Conditions of this Agreement (including pricing and plans) from time to time, with notice given to Customer by email or through the mParticle Platform. Any modifications will become effective immediately, and if Customer disagrees with the modifications, Customer’s exclusive remedy is to cease using the mParticle Platform. Upon any changes to this Agreement, Customer may be required to click to agree to the modified Agreement in order to continue using the mParticle Platform, and in any event continued use of the mParticle Platform after the modifications take effect constitutes Customer’s acceptance of the modifications.
Exhibit A - Privacy and Security Rider
1. Consumer Privacy
2. No Sensitive Information
Customer shall not use the mParticle Platform or the mParticle SDK to collect, transmit, provide, or otherwise make available to the mParticle Platform “sensitive information”, which is defined as the following personally identifiable information about an individual: his or her financial account numbers, insurance plan numbers, precise information about health or medical conditions, and government-issued identifiers (such as a Social Security number), as well as data that may reasonably be used for the purposes of employment, health care, credit or insurance eligibility elements and/or those elements described as sensitive information under Applicable Laws and/or the Applicable Self-Regulatory Code(s). mParticle reserves the right to periodically update the definition of sensitive information in its reasonable judgment exercised in good faith.
4. EU-US and Swiss-US Privacy Shield
mParticle self-certified to and complies with the Privacy Shield, and mParticle shall maintain its self-certification to and compliance with the Privacy Shield with respect to the Processing of Personal Data that is transferred from the European Economic Area or Switzerland to the United States (“EU Personal Data”). Customer acknowledges that all EU Personal Data processed by mParticle pursuant to the provision of the mParticle Platform, mParticle SDK and mParticle APIs are stored on servers located in the United States. To the extent that the provision of the foregoing involves any transfers of EU Personal Data: (a) Customer shall use and disclose the information only for the purposes permitted by the Agreement; and (b) Customer will provide at least the same level of protection for the information as is available under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks. If Customer determines that it can no longer provide this level of protection: (a) Customer will promptly notify mParticle of this determination; (b) mParticle shall have the right to terminate the Agreement without penalty upon notice to Customer; and (c) Customer will cease processing the information or take other reasonable and appropriate steps to remediate the situation. Customer authorizes mParticle to provide this Section of the Privacy and Security Rider to the Department of Commerce upon its request (as required under the Accountability for Onward Transfer Principle of the Privacy Shield). To the extent required under Privacy Shield, mParticle shall comply with the provisions of Section 7 of this Privacy and Security Rider.
To the extent either party processes EU Personal Data hereunder: (a) Confidentiality: each party shall take reasonable steps to ensure the reliability of any individual who may have access to EU Personal Data, shall strictly limit access to those individuals with a need to know or access such data, and shall ensure that such individuals are subject to confidentiality agreements or professional or statutory obligations of confidentiality; (b) Security: mParticle shall implement reasonable technical and administrative security measures to protect such EU Personal Data and which comply with Applicable Laws); (c) Sub-processors: mParticle may not (i) engage any sub-processor of such data without Customer’s prior written consent and Customer hereby grants its consent to the sub-processors listed at http://docs.mparticle.com/guides/approved-subcontractors as of the day this Rider is executed, (ii) if permitted to engage a subprocessor in accordance with the preceding clause, mParticle will be fully responsible and liable for the sub-processor’s activities, (iii) before engaging a sub-processor, mParticle must enter a written contract with the same or similar terms as in this Agreement with respect to protections for EU Personal Data, including sufficient guarantees that the subprocessor will provide sufficient security to meet the requirements of the GDPR; (d) Obligations and Rights of Controller; Types of Data; Categories of Data Subjects; Nature and Purpose of Processing; Subject Matter and Duration of Processing: the obligations and rights of the controller, the types of personal data to be processed, the categories of data subjects, the nature and purpose of the processing, and the subject matter and duration of the processing are as described in these Terms, the Agreement, the Order and the SOW; (e) Retention: the parties shall retain EU Personal Data for no longer than is necessary for the purposes for which it was obtained; (f) Recordkeeping: each party shall maintain a record of all processing activities, in writing and in electronic form, as required by Applicable Laws; (g) Personal Data Breach: each party agrees to cooperate and assist the other in the event of a personal data breach and to provide notice as required by Applicable Laws; (h) Data Protection Impact Assessments; Responding to Data Protection Authorities: each party agrees to assist the other with data protection impact assessments, and to respond to data protection authorities, according to Applicable Laws; (i) Audits and Inspections: as set forth in Section 7(d); and (j) GDPR Responsibilities and Liabilities: Notwithstanding anything to the contrary in this Agreement, or any other agreement between the parties, Customer shall not be relieved of its own direct responsibilities and liabilities under the GDPR and other Applicable Laws. For EU Personal Data, the terms "commission", "controller", "data subject", “EEA”, "personal data", "personal data breach", “processor”, "processing", “subprocessor,” as used herein shall have the same meaning as in the GDPR. For data that is not EU Personal Data, all terms shall have the meanings given them under other Applicable Laws. To the extent required under GDPR, (a) mParticle shall comply with the provisions of Section 7 of this Privacy and Security Rider, and (b) the parties agree that: (i) the data importer is mParticle, Inc., (ii) the data exporter is the Customer, (iii) data subjects are the users of the data exporter's websites, mobile applications and other digital mediums and any data received from Customer’s Third Party Partners as described in the Agreement, (iv) Personal Data concern the following categories of data: data on user behavior collected through an SDK and/or pixels placed on the data exporter's websites, mobile applications and/or digital mediums, including email addresses, telephone numbers mobile advertising identifiers and pseudonymous identifiers of the users of the data exporter's websites, mobile applications and/or digital mediums as outlined in the Agreement, (v) there are not special categories of data unless indicated in a separate attachment to this Rider, and (vi) the personal data transferred will be subject to the following basic processing activities: the data importer will access, reproduce, display and store the relevant personal data in order to provide the services as set out in the Agreement and for no other purposes whatsoever.
6. Privacy Roles
The parties acknowledge and agree that (i) mParticle is solely a “service provider” under the CCPA and solely a “processor” under the GDPR and Privacy Shield, and (ii) mParticle is not responsible for the privacy or security practices of any of Customer Third Party Partners. As used in this Agreement, “Customer Third Party Partner” means a third-party entity engaged by Customer for the processing of Customer Data.
7. Privacy and Security Measures
(a) mParticle Warranties. mParticle agrees that: (a) it shall collect, store, transfer, dispose, disclose and use all Customer Personal Information, Customer EU Personal Data and other Customer personal information or data protected by Applicable Laws (collectively, “Subject Data”) using the highest standard of care to ensure the protection of such data and in compliance with all applicable federal, state and international laws, regulations and directives; (b) it shall not collect, retain, process, share or otherwise use Subject Data except for performing the services as described in the Agreement unless as required by law or a government authority (in which case mParticle shall use its best efforts to notify Customer before such disclosure or as soon thereafter as reasonably possible); (c) it shall not sell Subject Data as a service provider under CCPA or otherwise; (d) it shall take reasonable steps to ensure that the transfer of Subject Data is not a sale of Subject Data; and (e) except for Approved Sub-Processors, it shall only transfer Subject Data to a third-party, including a Customer Third-Party Partner as specifically directed by Customer. Any Approved Sub-Processors will be permitted to obtain Subject Data only to deliver the services mParticle has retained them to provide and are prohibited from using such Subject Data for any other purpose. mParticle shall remain fully liable for all acts or omissions of its subcontractors. As used in this Agreement, “Approved Sub-Processors” means third-party entities that process data on behalf of and as specifically directed by Supplier pursuant to a written contract and is thereby bound by obligations that are no less onerous than the obligations set out in this Privacy and Security Rider. A list of Approved Sub-Processors is available at https://docs.mparticle.com/guides/approved-subcontractors/. mParticle shall post any new sub-processors to the list of Approved Sub-Processors at least thirty (30) days in advance and Customer will be deemed to have granted its consent after the expiration of the thirty (30) day notice period. If Customer objects to mParticle’s change in such sub-processors prior to the thirty (30) day notice period, such objection must be reasonable and mParticle may, as its sole and exclusive remedy, terminate the portion of the Agreement relating to the Services that cannot be reasonably provided without the objected-to new sub-processor by providing 30 days’ written notice to Customer.
(b) Data Retention. mParticle shall retain Subject Data only for as long as necessary to provide Services to Customer. Upon Customer request, or upon termination of the Agreement for any reason, mParticle shall promptly delete or erase the Subject Data or the encryption key to such Subject Data.
(c) Security Standard and Reportable Incident Process.
- Information Security Standard. Both parties agree that they will use their commercially reasonable efforts to maintain administrative, technical, and physical safeguards that are no less rigorous than industry standard practices to ensure the security and confidentiality of Subject Data, protect against any anticipated threats or hazards to the confidentiality, availability or integrity of Subject Data, and protect against unauthorized access, use, or alteration of Subject Data. Both parties agree not to process under this Agreement Subject Data in non-encrypted or nonredacted form on as defined Section 1798.81.5(d)(1) of the California Civil Code or under other Applicable Laws except with the written permission of the other party, whereby such permission shall not be unreasonably withheld.
- Written Information Security Program. Both parties shall maintain, in writing, reasonable security procedures and practices (“Written Information Security Program” or “WISP”) as necessary to protect Subject Data within its control from unauthorized access, destruction, use, modification, or disclosure. Without limiting the generality of the foregoing statement, the WISP shall at a minimum encompass each of the elements set forth below.
- Incident Procedures. Any known or suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to transmitted, stored, or otherwise processed by mParticle or a Sub-processor of mParticle involving Subject Data in nonencrypted or nonredacted form as defined under section 1798.81.5(d)(1) of the California Civil Code or other Applicable Laws (each a “Reportable Incident”) shall be subject to the following procedures:
- mParticle shall notify Customer promptly (within 72 hours) of any Reportable Incident by sending an email with all available and relevant details to the Data Security Contact Email on the Order.
- mParticle shall investigate the Reportable Incident, and provide reasonable and necessary cooperation with Customer, including facilitating interviews with relevant personnel, making available all relevant records, logs, files, data reporting and other materials, and providing Customer with reasonable physical access to the facilities affected where owned an operated by mParticle.
- Unless required by law, mParticle shall not inform any third party, other than incident response and forensics specialists under confidentiality restriction no less strict than those set forth in the Agreement, of any Reportable Incident without first obtaining Customer’s prior written consent, other than to inform a complainant that the matter has been forwarded to Customer’s legal counsel.
- Following a Reportable Incident, mParticle shall document responsive actions taken in connection with the Incident and shall conduct a post-breach review of events and actions taken, if any, to make changes in security practices and procedures to prevent such Incident from occurring again in the future.
- Incident Remediation. mParticle shall use its commercially reasonable efforts to mitigate and remedy any Incident and prevent any further Incident at its sole expense.
- Third Party notification. mParticle agrees that, unless applicable law states otherwise, Customer shall have the sole right to determine (i) whether notice of the Reportable Incident is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies or others as required by law or regulation, or otherwise in Customer’s discretion, (ii) the contents of such notice, and (iii) whether any type of remediation may be offered to affected persons, as well as the nature and extent of any such remediation. mParticle agrees to reimburse Customer for reasonable costs described in this section for Reportable Incidents and/or as required by applicable law.
(d) Audit. No more than once per year, Customer may engage a mutually agreed upon third party to audit mParticle solely for the purposes of meeting its audit requirements pursuant to Article 28, Section 3(h) of the GDPR or as otherwise required by Applicable Laws. To request an audit, Customer must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to security@mParticle.com. The auditor must execute a written confidentiality agreement acceptable to mParticle before conducting the audit. The audit must be conducted during regular business hours, subject to mParticle’s policies, and may not unreasonably interfere with mParticle’s business activities. Any audits are at Customer’s expense. Any request for mParticle to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required by Applicable Laws. Customer shall reimburse mParticle for any time spent for any such audit at the rates agreed to by the parties. Before the commencement of any such audit, Customer and mParticle shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by mParticle.
8. mParticle Security Measures
As a cloud-native company, mParticle makes extensive use of the Amazon AWS platform and the wide range of security features that it provides. AWS uses a ‘Shared Responsibility Model’, where Amazon is responsible for securing the underlying infrastructure and networks and mParticle secures the data that is hosted and code that runs in the AWS environment. All mParticle systems use TLS, where supported, to protect data in transit between end user devices and the mParticle Platform and between the mParticle Platform and our third party partner services (i.e., Integration Partners and Approved Sub-Processors). Data is also encrypted at rest within the AWS environment using AES256 to encrypt mParticle’s EBS volumes. mParticle’s production secrets are protected using a combination of Hashicorp Vault, Amazon KMS and CloudHSM with role based access configured to prevent plaintext secrets from being stored on disk. mParticle makes use of AWS Inspector to identify and report on known vulnerabilities in mParticle’s production hosts.
All mParticle staff undergo background checks and annual security training and must adhere to published internal security policies. Policy areas include:
- Password strength and complexity
- Encryption and key management
- Device tooling and Monitoring
- Secure development practices
- Secrets Management
- Disciplinary actions
mParticle enforces strict role-based access control with periodic audits to all systems (Corp and Prod) and operate using the principle of least privilege. Staff are only given the access that they require to do their jobs. By default, no mParticle staff are able to access Customer Data as it is both physically and logically separated from mParticle’s corporate network. mParticle developers are not granted access to the production infrastructure and all deploys are performed by the mParticle operations team. mParticle engages a number of highly reputable third party penetration testing companies to provide at least annual assessments of mParticle’s security stance. These tests include web application, infrastructure and social engineering engagements.
mParticle’s dedicated security team makes use of extensive monitoring and logging capabilities from all areas of mParticle’s stack to identify malicious behavior with automated alerting in place to flag anomalies.
Only authorized devices are able to connect to mParticle’s corporate networks and all devices are forced to include the following protections:
- Antivirus with automatic daily updates
- DNS protection using Cisco Umbrella to protect against malicious sites
- Full disk encryption. Every device is configured to use strong encryption to protect local data.
- Endpoint protection/management tools - mParticle has tooling on every corporate system to ensure compliance and detect malicious behavior.
- Automatic password protected screensaver locks
- Automatic account lockouts on number of authentication attempts
In addition mParticle utilizes Active Directory and ADFS for centralized authentication and supplement with multi factor authentication for access to sensitive systems, including mParticle’s VPNs, AWS and mParticle’s production environments. For 2FA mParticle makes use of Duo, physical yubikeys and smart cards to limit access to individual hosts within production environments in combination with SSH keys via locked down bastion hosts. mParticle conducts thorough security audits of any third party vendors and sub-contractors that mParticle engages and requires at least a comparable level of security from them.
9. mParticle liability for Security Incidents
Notwithstanding any other provision of the Agreement to the contrary, mParticle’s liability, including indemnity, for any known or suspected accidental, unauthorized or unlawful destruction, loss, alteration and/or disclosure of Customer Data while in mParticle’s possession or control, including Customer Data that is transmitted, stored, or otherwise processed by mParticle (or an mParticle Sub-Processor) (each, a “Security Incident”) shall be exclusively stated in this Section. Pursuant to Section 7.4 of the Agreement, mParticle shall Indemnify the Customer Indemnified Parties from Liabilities incurred by the Customer Indemnified Parties in connection with any Claim resulting from a Security Incident (i) to the extent that such a Security Incident arises from mParticle’s breach of this Privacy and Security Rider and results in an actual release of, or unauthorized access or disclosure of, Customer Data that is Subject Data in nonencrypted or nonredacted form, and (ii) for Consumer Remediation Costs in connection therewith only to the extent such measures are legally required by Applicable Laws or governmental or regulatory authority. As used herein, “Consumer Remediation Costs” shall mean all costs to address a Security Incident with consumers (e.g., notification to consumers of such data breach, credit monitoring, if applicable, and public relations and other monitoring). mParticle shall have no liability whatsoever in connection with any “sensitive information” ingested into the mParticle Platform or any other type of Security Incident.