ENTERPRISE TERMS OF SERVICE
These ENTERPRISE TERMS OF SERVICE (the “Agreement”) are entered into by and between Sigma Computing, Inc., a Delaware corporation with offices at 116 New Montgomery St., #700 San Francisco CA, 94105 (“Sigma”, “we”, “our”, or “us”) and the Customer identified in the table below (“Customer,” “you,” or “your”). Sigma is the owner and provider of the Sigma cloud-based intelligence tool and service, which is designed to allow customers to input and analyze data (the “Service”). Customer may wish to purchase a subscription to access and use the Service. The parties therefore agree as follows:
1. The Service.
1.1. Your Subscription. Subject to the terms of this Agreement, Customer may purchase a subscription to the Service as specified in one or more ordering documents executed by the parties (or you and a Reseller) that reference this Agreement and describe the business terms related to such subscription (“Order Form”). All subscriptions will be for the period described on the Order Form (“Subscription Period”). Subject to the terms of such Order Form and this Agreement, Customer may access and use the Service. Such use and access is permitted only by individuals authorized by Customer to use the Service for Customer’s own internal business operations (and not for the benefit of any third party) (“Users”). Users may also use Sigma’s generally published technical documentation associated with the Service (“Documentation”) solely for Customer’s internal business purposes. Customer will not receive or have access to a copy of the code or software that underlies the Service (collectively the “Software”) or receive a copy of the Software itself. Customer may permit its affiliates’ employees and contractors (provided such contractors are working for the benefit of Customer or such affiliates) to serve as Users, provided Customer remains responsible for compliance by such individuals with all of the terms and conditions of this Agreement. An “affiliate” means any entity under the control of Customer where “control” means ownership of or the right to control greater than 50% of the voting securities of such entity. Any term capitalized and not defined herein will have the definition given to such term in the applicable Order Form. For the purposes of this Agreement, a “Reseller” means a resale partner that is authorized by Sigma to resell the Service.
1.2. Support and Service Level Policy. Sigma will make commercially reasonable efforts to provide basic technical support for the Service in accordance with its support and service level policy attached to this Agreement as Exhibit A (“Support and Service Level Policy”).
1.3. Users. As part of the registration process, a single administrative User will receive login credentials from Sigma; such User will have the capability to invite any other Users to create accounts on the Service. Customer will ensure that its Users are aware of and bound by obligations and/or restrictions stated in this Agreement and Customer will be responsible for breach of any such obligation and/or restriction by a User. Customer will (a) be responsible for ensuring the security of its account and confidentiality of all user IDs and passwords for the Service, (b) prevent unauthorized access to, or use of, the Service, (c) be fully responsible for monitoring and administrating the various uses and Users of the Service, (d) ensure the quality and integrity of Customer Data, and (e) notify Sigma promptly of any unauthorized use of the Service or any breach, or attempted breach, of the security of the Service. Customer is responsible for all activities of its Users on the Service and is responsible for all uses of Customer’s account. Sigma may access Customer’s account (i) to respond to technical problems, (ii) in connection with providing and maintaining the Service and the development of new Service features and improvements, (iii) at Customer’s request, (iv) to comply with legal or contractual requirements, and/or (v) when necessary to provide the Professional Services (as defined below).
1.4. Sigma’s Ownership. Sigma owns the Service and the Documentation (collectively the “Sigma Materials”). Sigma retains all right, title and interest (including, without limitation, all patent, copyright, trademarks, trade secret and other intellectual property rights) in and to the Sigma Materials, all related and underlying technology and any updates, enhancements, upgrades, modifications, patches, workarounds, and fixes thereto and all derivative works of or modifications to any of the foregoing. There are no implied licenses under this Agreement and any rights not expressly granted to Customer in this Agreement are expressly reserved by Sigma.
2. Restrictions. If there are restrictions on Customer’s use of the Service, such as limitations on the number of types of Users, such restrictions will be in the applicable Order Form and Customer agrees to use and access the Service in compliance with those restrictions. Customer also agrees that it will not, and will not allow Users or third parties to, directly or indirectly (a) modify, translate, copy or create derivative works based on the Service, (b) reverse assemble, reverse compile, reverse engineer, decompile or otherwise attempt to discover the object code, source code, non-public APIs or underlying ideas or algorithms of the Service, except as and only to the extent this restriction is prohibited by law, (c) license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, time share or otherwise commercially exploit or make the Service available to any third party, (d) remove or obscure any copyright, trademark or other proprietary notices, legends or Sigma branding contained in or on the Service, (e) use the Service in any way that violates any applicable federal, state, local or international law or regulation, (f) attempt to gain unauthorized access to, interfere with, damage or disrupt any parts of the Service, including, without limitation, by introducing viruses and other harmful code or by using flood pings, denial-of-service attacks, or similar methods or technology, (g) use or access the Service to build or support and/or assist a third party in building or supporting products or services competitive to the Service or (h) attempt to probe, scan, or test the vulnerability of the Service or any Sigma system or networks. Sigma may suspend the Service immediately upon notice to Customer if there is any use of the Service by Customer or Users that in Sigma’s reasonable judgment threatens the security, integrity or availability of the Service. However, Sigma will use commercially reasonable efforts under the circumstances to (x) provide Customer with notice and an opportunity to remedy such violation or threat prior to any such suspension; (y) where practicable limit the suspension based on the circumstances leading to the suspension; and (z) remove the suspension as quickly as reasonably practicable after the circumstances leading to the suspension have been resolved.
3. Third Party Applications. The Service may integrate with third party products, services or applications that are not owned or controlled by us (e.g., Snowflake) (“Third Party Applications”). You may or may not be required by the providers of such Third Party Applications to enter into separate agreements in order to use the Third Party Applications. You represent and warrant that you are entitled to disclose your Third Party Application login information to us and/or grant us access to your Third Party Application (including, but not limited to, for use for the purposes described herein) without breach by you of any of the terms and conditions that govern your use of the applicable Third Party Application. We do not endorse such Third Party Applications. Customer acknowledges and agrees that this Agreement does not apply to Customer’s use of such Third Party Application. SIGMA EXPRESSLY DISCLAIMS ANY AND ALL REPRESENTATIONS OR WARRANTIES RELATING TO ANY THIRD PARTY APPLICATIONS. YOU WILL LOOK SOLELY TO THE THIRD PARTY PROVIDER OF THE THIRD PARTY APPLICATIONS FOR ANY WARRANTY RELATED ISSUES OR OTHER CLAIMS RELATED THERETO. OTHERWISE, YOUR USE OF THIRD PARTY APPLICATIONS IS AT YOUR OWN RISK. SIGMA WILL HAVE NO LIABILITY OR OTHER OBLIGATION OF ANY KIND ARISING OUT OF OR RELATED TO ANY THIRD PARTY APPLICATIONS OR THE USE OR INABILITY TO USE ANY THIRD PARTY APPLICATIONS.
4. Payment Obligations.
4.1. Fees. Customer will pay for access to and use of the Service as set forth in the Order Form (“Fees”). All Fees will be paid in U.S. dollars. Payment obligations are non-cancelable and, except as expressly stated in this Agreement, non-refundable. We may modify our Fees or introduce new fees in our sole discretion; however, any new or revised Fees will only become effective upon the renewal of a Subscription Period (“Renewal Period”).
4.2. Payment. We will invoice you for the Fees and any other applicable fees (e.g. bank transfer fees) in accordance with the Order Form. Customer agrees to pay all invoices submitted in accordance with this Agreement or the Order Form within thirty (30) days after the invoice date. All information that you provide in connection with a purchase or transaction or other monetary transaction with the Service must be accurate, complete, and current. If Customer has executed an Order Form with a Reseller, Customer will pay such Reseller (and not Sigma) in accordance with the terms of such Order Form. Notwithstanding the foregoing, Customer understands and agrees that if Customer does not pay the Reseller in accordance with the applicable Order Form, Sigma will have the right to suspend Customer’s right to use and access the Service and to terminate this Agreement upon notice to Customer.
4.3. Taxes. Fees stated on the Order Form are exclusive of any taxes, levies, duties, or similar governmental assessments of any nature, including, for example, value-added, sales, use or withholding taxes, assessable by any jurisdiction (collectively, “Taxes”). Customer will be responsible for paying all Taxes associated with its purchases, except for those taxes based on our net income.
4.4. Failure to Pay. If you fail to pay any Fees in accordance with this Section 4, we may suspend your access to the Service pending payment of such overdue invoices; provided that we give you notice of such non-payment and ten (10) days (from the date of such notice) to remit the overdue Fees in full. If Customer believes that we have billed you incorrectly, Customer must contact us no later than sixty (60) days after the closing date on the first billing statement in which the error or problem appeared, in order to receive an adjustment or credit. Overdue Fees are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower.
4.5. Adding Users. Users that are given administrative permission by Customer may add Users at any time through the Service. Upon adding additional User(s), you will have thirty (30) days to purchase a pro-rata subscription for such User(s) at the same price stated on the applicable, then-current Order Form by executing a new Order Form with us. If, within such thirty (30) day period, you do not execute a new Order Form for such additional Users, you will be invoiced the current list price for those Users for the remainder of the Subscription Period. The number of Users purchased under an Order Form cannot be decreased during the Subscription Period; the number of Users purchased may only be decreased upon renewal.
5. Term and Termination.
5.1. Agreement Term. This Agreement will become effective on the Subscription Start Date of the first Order Form entered into by the parties and remain effective for the duration of each Order Form including any renewals thereof. If the parties terminate this Agreement, it will automatically terminate all Order Forms.
5.2. Order Form Term and Renewal. Subscriptions to access and use the Service commence on the start date stated on the applicable Order Form (“Subscription Start Date”) and continue for the duration of the Subscription Period. Each Order Form will renew as stated on such Order Form. Either party may choose not to renew any Order Form by giving the other party notice of non-renewal at least thirty (30) days before the end of the then-current Subscription Period.
5.3. Termination for Cause. Either party may terminate this Agreement upon written notice to the other party if the other party materially breaches this Agreement and such breach is not cured within thirty (30) days after the non-breaching party provides written notice of such breach.
5.4. Effect of Termination. If Customer terminates this Agreement as a result of Sigma’s uncured breach, we will refund any unused, prepaid Fees for the remainder of the then-current Subscription Period (as stated on the applicable Order Form). Upon any termination for cause by us, Customer will pay any unpaid Fees covering the remainder of the then-current Subscription Period after the effective date of termination. In no event will any termination relieve Customer of the obligation to pay any Fees payable to us for the period prior to the effective date of termination. Upon any termination of this Agreement, all rights and licenses granted by Sigma hereunder will immediately terminate; Customer will no longer have the right to access or use the Service. Within 30 days of any termination or expiration, Sigma will delete Customer’s passwords and all related information, files and Customer Data, unless Customer requests an earlier deletion in writing.
5.5. Survival. Sections 1.4, 4, 5, 6.2, 7, 8, 9, 10.2, 10.3, and 11 will survive any termination or expiration of this Agreement.
6. Warranties and Disclaimers.
6.1. Sigma Warranties. Sigma represents and warrants that (a) it will comply with all applicable federal, state and local United States laws and regulations with respect to its business operations under this Agreement and all applicable United States and European Union laws with respect to its processing and use of Customer Data; (b) the Service will substantially comply in all material respects with the Documentation, (c) it will provide the Support Service in a professional and workmanlike manner, (d) it has used commercially reasonable efforts to ensure that the software underlying the Service and the environment used for the Service contain no Harmful Code, and (e) it uses commercially reasonable efforts to prevent the introduction of Harmful Code into the software underlying the Service and the environment used for the Service. For purposes of the Agreement, “Malicious Code” means any virus, worm, logic bomb or any other code designed to contaminate other computer programs or computer data, consume computer resources, modify, destroy, record or transmit data in a manner not intended by the computer, system or network, or in some other fashion disrupt the normal operation of a computer, system or network. If the Service is not provided in accordance with the above warranty, Customer will promptly notify Sigma and Sigma will make commercially reasonable efforts to rectify such non-compliance; if Sigma is not able to so modify or otherwise fix the Service, Sigma will terminate this Agreement and refund any unused pre-paid Fees to Customer. The foregoing remedy is Customer’s sole remedy and Sigma’s sole liability if Sigma breaches the terms of Section 6.1.
6.2. Disclaimer. EXCEPT AS EXPRESSLY PROVIDED FOR HEREIN, THE SERVICES AND ALL RELATED COMPONENTS AND INFORMATION ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS WITHOUT ANY WARRANTIES OF ANY KIND, AND WE EXPRESSLY DISCLAIM ANY AND ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. CUSTOMER ACKNOWLEDGES THAT WE DO NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE. SOME JURISDICTIONS DO NOT ALLOW THE DISCLAIMER OF CERTAIN TYPES OF WARRANTIES. THE FOREGOING DISCLAIMERS WILL NOT APPLY TO THE EXTENT PROHIBITED BY APPLICABLE LAW.
7. Limitation of Liability. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT, EXCEPT FOR (I) CUSTOMER’S BREACH OF SECTIONS 2.1 or 6.2, OR (II) EITHER PARTY’S OBLIGATIONS UNDER SECTION 8, NEITHER PARTY WILL BE LIABLE WITH RESPECT TO ANY CAUSE RELATED TO OR ARISING OUT OF THIS AGREEMENT, WHETHER IN AN ACTION BASED ON A CONTRACT, TORT (INCLUDING NEGLIGENCE AND STRICT LIABILITY) OR ANY OTHER LEGAL THEORY, HOWEVER ARISING, FOR (A) INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, (B) ANY DAMAGES BASED ON USE OR ACCESS, INTERRUPTION, DELAY OR INABILITY TO USE THE SERVICE, LOST REVENUES OR PROFITS, DELAYS, INTERRUPTION OR LOSS OF SERVICES, BUSINESS OR GOODWILL, LOSS OR CORRUPTION OF DATA, LOSS RESULTING FROM SYSTEM OR SYSTEM SERVICE FAILURE, MALFUNCTION OR SHUTDOWN, FAILURE TO ACCURATELY TRANSFER, READ OR TRANSMIT INFORMATION, FAILURE TO UPDATE OR PROVIDE CORRECT INFORMATION, SYSTEM INCOMPATIBILITY OR PROVISION OF INCORRECT COMPATIBILITY INFORMATION OR BREACHES IN SYSTEM SECURITY, OR (C) ANY DAMAGES THAT IN THE AGGREGATE EXCEED THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER FOR THE SERVICE THAT IS OR THE PROFESSIONAL SERVICES THAT ARE THE SUBJECT OF THE CLAIM DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT WHICH GIVES RISE TO SUCH DAMAGES. THESE LIMITATIONS WILL APPLY WHETHER OR NOT A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.
8.1. Sigma’s Indemnification. Sigma will defend Customer and its Users, officers, directors, and employees against any third party claim or action brought against Customer to the extent based on the allegation that the Service infringes such third party’s intellectual property rights (patents, utility models, design rights, copyrights and trademarks or any other intellectual property right) and we agree to pay any settlements with respect to the foregoing indemnification obligations that Sigma agrees to in a writing signed by Sigma’s authorized officer or final judgments awarded to the third party claimant by a court of competent jurisdiction. The foregoing obligations do not apply with respect to the Service or portions or components of either that are (a) not provided by Sigma, (b) combined with other products, processes or materials that are not reasonably contemplated by us or our Documentation, or (c) where Customer’s use of the Service is not in accordance with this Agreement or our Documentation.
8.2. Procedures. Sigma’s obligations under Section 8.1 are conditioned on Customer (a) providing Sigma with prompt written notice of any claim, (b) granting Sigma the sole control of the defense and settlement of the claim, and (c) providing reasonable information and assistance to Sigma in the defense or settlement of the claim at Sigma’s expense. Notwithstanding anything else to the contrary in this Agreement, any obligation of sigma to defend, indemnify and hold Customer harmless hereunder is limited to Sigma’s payment for the cost of defense of the third party claim incurred by Sigma and the payment of (i) any settlements agreed to by Sigma in a writing signed by an officer of Sigma, or (ii) final judgments awarded to the third party claimant by a court of competent jurisdiction.
8.3. Options. If Customer’s use of the Service has become, or in Sigma’s opinion is likely to become, the subject of any claim of infringement, Sigma may at its option and expense, (a) procure for Customer the right to continue using and receiving the Service as set forth hereunder, (b) modify the Service to make it non-infringing, (c) substitute an equivalent for the Service or (d) if Sigma, in its sole discretion, determines that options (a)-(c) are not commercially practicable, terminate this Agreement and refund Customer any pre-paid, unused Fees for the remainder of the then-current Subscription Period.
8.4. Sole Remedy. NOTWITHSTANDING ANYTHING ELSE TO THE CONTRARY IN THIS AGREEMENT, THIS SECTION 8 STATES SIGMA’S ENTIRE RESPONSIBILITY AND CUSTOMER’S SOLE AND EXCLUSIVE REMEDY WITH RESPECT TO INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS UNDER THIS AGREEMENT.
9.1. Definition. Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) may disclose business, technical or financial information relating to the Disclosing Party’s business that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure (hereinafter referred to as the “Confidential Information” of the Disclosing Party). Sigma’s Confidential Information includes non-public information regarding features, functionality and performance of the Service. Customer’s Confidential Information includes the User Information and Customer Data. This Agreement and the information in all Order Forms will be deemed the Confidential Information of both parties. Notwithstanding the above, Confidential Information does not include information that (a) is or becomes generally available to the public without breach of any obligation owed to the Disclosing Party; (b) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party; (c) is received from a third party without breach of any obligation owed to the Disclosing Party; or (d) was independently developed by the Receiving Party without use or reference to the Disclosing Party’s Confidential Information.
9.2. Protection and Use of Confidential Information. The Receiving Party will (a) protect the Disclosing Party’s Confidential Information using the same degree of care used to protect its own confidential or proprietary information of like importance, but in any case using no less than a reasonable degree of care, (b) limit access to the Confidential Information to those employees, affiliates, Subprocessors (as described in the Data Processing Addendum referenced below), agents, consultants, legal advisors, financial advisors, and contractors (“Representatives”) who need to know such information in connection with this Agreement and who are bound by confidentiality and non-use obligations just as protective of the Disclosing Party’s Confidential Information as the terms of this Agreement; (c) except as expressly set forth herein, will not disclose any of Disclosing Party’s Confidential Information to any third parties without the Disclosing Party’s prior written consent; and (d) will not use the Disclosing Party’s Confidential Information for any purpose other than to fulfill its obligations under this Agreement. Nothing above will prevent either party from sharing Confidential Information with prospective investors or acquirors; provided, however, that the foregoing are bound to standard confidentiality obligations.
9.3. Compelled Access or Disclosure. The Receiving Party may access or disclose Confidential Information of the Disclosing Party if it is required by law; provided, however, that the Receiving Party gives the Disclosing Party prior notice of the compelled access or disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the access or disclosure.
9.4. Feedback. You may from time to time provide suggestions, comments or other feedback with respect to the Service (“Feedback”). For the avoidance of doubt, Feedback will only refer to suggestions, comments or other feedback provided to Sigma regarding the Service and will not include your Personal Data. Sigma may want to incorporate Feedback into its Service and this clause provides us with the necessary license to do so. You hereby grant to us and our assigns a royalty-free, worldwide, perpetual, irrevocable, fully transferable and sublicenseable right and license to use, disclose, reproduce, modify, create derivative works from, distribute, display and otherwise distribute and exploit any Feedback as we see fit, entirely without obligation or restriction of any kind, except that Sigma will not identify you as the provider of such Feedback.
10.1. User Information. In order to use the Service, Customer and its Users are required to provide User Information and other information in order to access the Service. Customer grants Sigma and its subcontractors the right to store, process and retrieve the information associated with Customer’s account, such as IP address, username, password, and any personally identifiable information including, without limitation, name, phone number, or email address (“User Information”), provided to Sigma in connection with Customer’s use of the Service. Customer represents and warrants that it has obtained express written consent from its Users to transfer User Information to Sigma and to process the User Information as contemplated by the Users’ use of the Service. Customer (on behalf of its Users) grants us the right to access, use, process, copy, distribute, perform, export and display User Information, only as reasonably necessary (a) to provide the Service to you (including the transfer of User Information to us); (b) to prevent or address service, security, support or technical issues; (c) as required by law; and (d) as expressly permitted in writing by you.
10.2. Customer Data. The Service is designed to allow Customer to input and analyze data within the Customer’s data warehouse (“Data Warehouse”). The Customer acknowledges and agrees that data from the Data Warehouse is not stored or cached within the Service. Any Data Warehouse data that is disclosed to Sigma will be deemed “Customer Data.” Sigma will have access to the Customer Data only if permitted by Customer; the parties anticipate that such access will only be for the purpose of providing Professional Services or support for the Service. To the extent that Customer Data is shared with Sigma, Customer grants Sigma and its licensors a non-exclusive, worldwide, royalty-free, paid-up, transferable right and license to use, process and display such Customer Data for the purpose of providing the Service or the Professional Services. Except as expressly provided herein, Customer will own all right, title and interest in and to the Customer Data.
10.3. Usage Data. As we operate the Service, we collect data pertaining to the performance of the Service and measures of the operation of the Service (“Usage Data”). Notwithstanding anything else to the contrary herein; provided that the Usage Data is aggregated and anonymized, and no personal identifying information of Customer is revealed to any third party, the parties agree that Sigma is free to use the Usage Data in any manner. Sigma owns all right, title, and interest in and to such Usage Data. For clarity, this section does not give Sigma the right to identify Customer as the source of any Usage Data.
10.4. Data Processing Addendum. We will process any User Information and Customer Data that you provide to us in accordance with our data security policy attached hereto as Exhibit B (“Security Addendum”) and the data processing addendum refencing this Agreement, if separately executed by the parties (“Data Processing Addendum”). If there is a conflict between this Agreement and the Data Processing Addendum, the Data Processing Addendum will prevail.
11. General Terms.
11.1. Publicity. Sigma may identify Customer and use and display Customer’s name, logo, trademarks, or service marks on Sigma’s website and in Sigma’s marketing materials, including without limitation press releases, announcing Customer, why Customer chose Sigma, and how Customer will use Sigma, without Customer’s prior written consent. Customer will be given the opportunity to provide input and feedback on the press release, as well as a quote, prior to distribution. Customer will consider participating in a case study, webinar, and other joint marketing activities six to nine months post deployment.
11.2. Force Majeure. Except for Customer’s payment obligations hereunder, neither us nor Customer will be liable by reason of any failure or delay in the performance of its obligations on account of events beyond the reasonable control of a party, which may include denial-of-service attacks, a failure by a third-party hosting provider or utility provider, strikes, shortages, riots, fires, acts of God, war, terrorism, and governmental action.
11.3. Changes. Customer acknowledges that the Service is an on-line, subscription-based product, and that in order to provide improved customer experience Sigma may make changes to the Service provided, however Sigma will not materially decrease the core functionality of the Service. The Service Level Policy, Data Processing Addendum, and Security Addendum may be modified from time to time upon reasonable notice to Customer to reflect process improvements or changing practices; however, Sigma agrees any such modifications will not materially decrease Sigma’s obligations or materially reduce Customer’s rights as compared to those reflected in such terms as of the Subscription Start Date of the first Order Form entered into by the parties.
11.4. Relationship of the Parties. The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the parties.
11.5. No Third-Party Beneficiaries. There are no third-party beneficiaries to this Agreement; a person who is not a party to this Agreement may not enforce any of its terms under any applicable law.
11.6. Email Communications. Notices under this Agreement will be provided as follows: (a) all notices regarding the Service will be sent by email, although we may instead choose to provide notice to Customer through the Service, (b) notices to us must be sent to firstname.lastname@example.org, and (c) all notices to Customer will be sent to the email(s) provided through the Service. Notices will be deemed to have been duly given (a) the business day after it is sent, in the case of notices through email; and (b) the same day, in the case of notices through the Service.
11.7. Amendment and Waivers. No modification or amendment to this Agreement will be effective unless made in writing and signed by an authorized representative of both parties. No failure or delay by either party in exercising any right under this Agreement will constitute a waiver of that right. No waiver under this Agreement will be effective unless made in writing and signed by an authorized representative of the party being deemed to have granted the waiver.
11.8. Severability. This Agreement will be enforced to the fullest extent permitted under applicable law. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision will be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of this Agreement will remain in effect.
11.9. Assignment. Neither party will assign or delegate any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other party (not to be unreasonably withheld). Notwithstanding the foregoing, we may assign this Agreement in its entirety (including all Order Forms), without the consent of Customer, in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of our assets. Any purported assignment in violation of this section is void. Subject to the foregoing, this Agreement will bind and inure to the benefit of the parties, their respective successors and permitted assigns.
11.10. Governing Law and Venue. This Agreement, and any disputes arising out of or related hereto, will be governed exclusively by the internal laws of the State of California, without regard to its conflicts of laws rules or the United Nations Convention on the International Sale of Goods. The parties acknowledge that this Agreement evidences a transaction involving interstate commerce. The state and federal courts located in San Francisco County, California will have exclusive jurisdiction to adjudicate any dispute arising out of or relating to this Agreement or its formation, interpretation or enforcement. Each party hereby consents and submits to the exclusive jurisdiction of such courts. Each party also hereby waives any right to jury trial in connection with any action or litigation in any way arising out of or related to this Agreement. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover its reasonable costs and attorney’s fees.
11.11. Entire Agreement. This Agreement, including all referenced pages and Order Forms, if applicable, constitutes the entire agreement between the parties and supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. Without limiting the foregoing, this Agreement supersedes the terms of any online agreement electronically accepted by Customer or any Users. However, to the extent of any conflict or inconsistency between the provisions in this Agreement and any other documents or pages referenced in this Agreement, the following order of precedence will apply: (1) the terms of any Order Form (if any), (2) this Agreement and (3) except as expressly stated herein, any other documents or pages referenced in this Agreement. Notwithstanding any language to the contrary therein, no terms or conditions stated in a Customer purchase order, vendor onboarding process or web portal, or any other Customer order documentation (excluding Order Forms) will be incorporated into or form any part of this Agreement, and all such terms or conditions will be null and void.
11.12. Insurance. During the term of this Agreement, Sigma will comply with the insurance requirements stated in Exhibit C.
SERVICE LEVEL POLICY
This Service Level Policy describes the hosting services and system availability commitments provided to Customer in support of the Service.
1. Definitions. Capitalized terms used in this Service Level Policy and not otherwise defined will have the respective meaning assigned thereto in the applicable Terms.
1.1. “Availability” means a percentage calculated during each calendar month that the Service are operational using the following formula: (Available Hours minus Unavailability) ÷ Available Hours.
1.2. “Available Hours” means the total number of hours in the 24-hour period each day (including holidays) during a calendar month.
1.3. “Error” means an incident that investigation reveals are caused by the Service’s failure to perform materially in accordance with the specifications set forth in the Documentation. An incident will not be classified as an Error if (a) the Service is not used for its intended purpose; (b) the incident is caused by Customer’s systems or equipment or (c) the incident is caused by a Third Party Application.
1.4. “Excusable Downtime” means the time the Service are Unavailable for reasons due to any of the following:
- Unauthorized use or misuse of the Service by Customer;
- Scheduled Maintenance;
- Customer errors or requests that require service outages approved by Customer in writing; or
- Factors outside Sigma’s reasonable control, including but not limited to outages caused by the failure of or attacks on public network or communications components or external service providers.
1.5. “Scheduled Maintenance” means regular maintenance and unavailability of the Service during non-business hours and limited to a maximum of 2 hours in any calendar month.
1.6. “Target Availability” means an Availability of Ninety-Nine and 9/10 Percent (99.9%).
1.7. “Unavailability” means any number of hours during which the Service are not satisfying the material needs of the Customer for reasons other than Excusable Downtime including any time outside of Resolution Time where an Error remains unresolved.
2. Service Availability. Sigma will meet the Target Availability each calendar month.
3. Remedies. Customer may immediately terminate the Agreement for cause if the Availability is: less than 99.8% for any four (4) consecutive months in any twelve (12) month period.
Each Error will be categorized with a severity level as defined below and will be assigned the appropriate level of resources consistent with such Error’s impact. Customer will ensure that appropriate technical and business support personnel are available (after business hours, if necessary) to resolve the Error. This escalation procedure increases the level of resources required by Sigma to resolve Errors effectively. Sigma will clarify the Error and communicate action plans to Customer within a timeframe appropriate to the severity of the pending Error.
Target Response Time is the period of time which elapses between: (1) Customer reporting an Error; and (2) the time when Sigma contacts Customer.
Target Resolution Times are measured from the first report of Error to Sigma. Customer will cooperate with reasonable procedures established by Sigma regarding reporting of Errors, but the time periods specified below will not be affected by such procedures unless Customer’s failure to comply with a procedure interferes with Sigma’s ability to respond to or report an Error.
Error Severity, Target Response Time and Target Resolution times are defined as follows:
|Error Severity||Description||Target Response Time||Target Resolution Time|
|Severity Level 1 Error||Extremely Critical – Service are down or completely unusable for Customer.||Within 1 hour||24 hours|
|Severity Level 2 Error||Critical – Significantly impaired ability to use Service in business operations such as: inability to enter data into Service, inability to produce reports, erroneous report results, and/or inability to use interfaces.||Within 2 hours||48 hours|
|Severity Level 3 Error||Important – Non-critical Error with Service, but Customer is able to continue business use of Service.||Within 24 hours||1 week|
|Severity Level 4 Error||Important – (a) an incident with the Service that would otherwise be a Severity 3 Error, except that an appropriate workaround is available without cost to Customer, or (b) all Errors not otherwise designated as Severity 1, 2, or 3.||Within 24 hours||As determined by Sigma|
Sigma utilizes infrastructure-as-a-service cloud providers as further described in the Agreement and/or Documentation (each, a “Cloud Provider“) and provides the Service to Customer from a VPC hosted by the applicable Cloud Provider (the “Cloud Environment“).
Sigma maintains a comprehensive documented security program based on NIST 800-53 (or industry recognized successor framework), under which Sigma implements and maintains physical, administrative, and technical safeguards designed to protect the confidentiality, integrity, availability, and security of the Service and Customer Data (the “Security Program”), including, but not limited to, as set forth below. Sigma regularly tests and evaluates its Security Program, and may review and update its Security Program as well as this Security Policy, provided, however, that such updates will be designed to enhance and not materially diminish the Security Program.
1. Sigma’s Audits & Certifications. The information security management system supporting the Service will be assessed by one or more independent third-party auditors in accordance with the following audits and certifications (“Third-Party Audits“), on at least an annual basis:
- SOC 1 Type II
- SOC 2 Type II
- SOC 3
Third-Party Audits are made available to Customer as described in Section 8(b) below. To the extent Sigma discontinues a Third-Party Audit, Sigma will adopt or maintain an equivalent, industry-recognized framework.
2. Hosting Location of Customer Data. Sigma hosts Customer Data in its Cloud Environment located in the United States for storage and uses multiple U.S. regions for compute. Sigma may use any region in the U.S. to store or process data and Customer hereby consents to the transfer of any data to the U.S. for storage and processing purposes in accordance with the Agreement.
a. Encryption of Customer Data. Sigma encrypts Customer Data at-rest using AES 256-bit (or better) encryption. Sigma leverages Transport Layer Security (TLS) 1.2 (or better) for Customer Data in-transit over untrusted networks.
b. Encryption Key Management. Sigma uses its Cloud Environment’s KMS with unique encryption keys per customer.
4. System & Network Security.
a. Access Controls. All Sigma personnel access to the Cloud Environment is via a unique user ID and consistent with the principle of least privilege. All access to the cloud console requires two-factor authentication. Access to the production environment is restricted, requires two-factor authentication.
b. Endpoint Controls. For access to the Cloud Environment, Sigma personnel use Sigma -issued laptops which utilize security controls that include, but are not limited to, (i) disk encryption, (ii) endpoint detection and response (EDR) tools to monitor and alert for suspicious activities and Malicious Code, (as defined above) and (iii) vulnerability management in accordance with the Section titled, “Vulnerability Management” below.
c. Separation of Environments. Sigma Computing logically separates production environments from development and testing environments. The Cloud Environment is both logically and physically separate from Sigma’s corporate offices and networks.
d. Firewalls / Security Groups. Sigma will protect the Cloud Environment using industry standard firewall or security groups technology with deny-all default policies to prevent egress and ingress network traffic protocols other than those that are business-required.
e. Hardening. The Cloud Environment will be hardened using industry-standard practices designed to protect it from vulnerabilities, including by changing default passwords, removing unnecessary software, disabling or removing unnecessary services, and regular patching as described in this Security Policy.
f. Monitoring & Logging.
- Infrastructure Logs. Monitoring tools or services, are utilized to log certain activities and changes within the Cloud Environment. These logs are further monitored, analyzed for anomalies, and are securely stored to prevent tampering for at least one year.
g. Vulnerability Detection & Management.
- Anti-Virus & Vulnerability Detection. Sigma’s cloud environment is built to be immutable and auto-updates and designed to prevent viruses. Known vulnerabilities are automatically patched at the host level. Sigma does not monitor Customer Data for Malicious Code.
- Penetration Testing & Vulnerability Detection. Sigma regularly conducts penetration tests throughout the year and engages one or more independent third parties to conduct penetration tests of the Service at least annually.
- Vulnerability Management. Vulnerabilities meeting defined risk criteria trigger alerts and are prioritized for remediation based on their potential impact to the Service. Upon becoming aware of such vulnerabilities, Sigma will use commercially reasonable efforts to address private and public (e.g., U.S.-Cert announced) critical and high vulnerabilities within 30 days, and medium vulnerabilities within 90 days. To assess whether a vulnerability is ‘critical’, ‘high’, or ‘medium’, Sigma leverages the National Vulnerability Database’s (NVD) Common Vulnerability Scoring System (CVSS), or where applicable, the U.S.-Cert rating.
5. Administrative Controls.
a. Personnel Security. Sigma requires criminal background screening on its personnel as part of its hiring process, to the extent permitted by applicable law.
b. Personnel Training. Sigma maintains security awareness and training program for its personnel, this trailing happens during onboarding and annually thereafter. The topics in this security training include but are not limited to:
- Cyber Security;
- Information Security;
- Business Email Compromise;
- Social Engineering;
- Incident Response;
- Removable Media;
- Wifi Security; and
c. Personnel Agreements. Sigma personnel are required to sign confidentiality agreements. Sigma personnel are also required to adhere to Sigma’s information security policy.
d. Personnel Access Reviews & Separation. Sigma reviews the access privileges of its personnel to the Cloud Environment regularly, and removes access on a timely basis for all separated personnel.
e. Sigma Risk Management & Threat Assessment. Sigma’s risk management process is modeled on NIST 800-53 and ISO 27001. Sigma’s security team regularly reviews reports and material changes in the threat environment, and identifies potential control deficiencies in order to make recommendations for new or improved controls and threat mitigation strategies.
f. External Threat Intelligence Monitoring. Sigma reviews external threat intelligence, including US-Cert vulnerability announcements and other trusted sources of vulnerability reports. U.S.-Cert announced vulnerabilities rated as critical or high are prioritized for remediation in accordance with Section 4.7.3 (Vulnerability Management).
g. Change Management. Sigma maintains a documented change management program.
h. Vendor Risk Management. Sigma maintains a vendor risk management program for vendors that process Customer Data designed to ensure each vendor maintains security measures consistent with Sigma’s obligations in this Security Policy.
6. Physical and Environmental Controls.
a. Cloud Environment Data Centers. Sigma works with the Cloud Providers to ensure the Cloud Provider has appropriate physical and environmental controls for its data centers hosting the Cloud Environment. Sigma regularly reviews those controls as audited under the Cloud Provider’s third-party audits and certifications. Each Cloud Provider will have a SOC 2 Type II annual audit and ISO 27001 certification, or industry recognized equivalent frameworks. Such controls, will include, but are not limited to, the following:
- Physical access to the facilities are controlled at building ingress points;
- Visitors are required to present ID and are signed in;
- Physical access to servers is managed by access control devices;
- Physical access privileges are reviewed regularly;
- Facilities utilize monitor and alarm response procedures;
- Use of CCTV;
- Fire detection and protection systems;
- Power back-up and redundancy systems; and
- Climate control systems.
b. Sigma Computing Corporate Offices. Sigma offices host no Customer Data and have no private connectivity to our Cloud Environments. We do enforce industry standard best practices for office security included but not limited to:
- Physical access to the corporate office is controlled at building ingress points;
- Badge access is required for all personnel and badge privileges are reviewed regularly;
- Visitors are required to sign in;
- Use of CCTV at building ingress points;
- Tagging and inventory of Sigma-issued laptops and network assets;
- Fire detection and sprinkler systems; and
- Climate control systems.
7. Incident Detection & Response.
a. Security Incident Reporting. If Sigma becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a “Security Incident“), Sigma Computing will notify Customer without undue delay, and in any case, where feasible, notify Customer within 72 hours after becoming aware.
b. Investigation. In the event of a Security Incident as described above, Sigma Computing will promptly take reasonable steps to contain, investigate, and mitigate any Security Incident. Sigma in its sole discretion may engage a third party incident response/forensics company to help with the mitigation/investigation.
c. Communication and Cooperation. Sigma Computing will provide Customer timely information about the Security Incident to the extent known to Sigma Computing, including, but not limited to, the nature and consequences of the Security Incident, the measures taken and/or proposed by Sigma Computing to mitigate or contain the Security Incident, the status of Sigma Computing’s investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Notwithstanding the foregoing, Customer acknowledges that because Sigma Computing personnel do not have visibility to the content of Customer Data, it will be unlikely that Sigma Computing can provide information as to the particular nature of the Customer Data, or where applicable, the identities, number, or categories of affected data subjects. Sigma Computing’s communications with Customer in connection with a Security Incident will not be construed as an acknowledgment by Sigma Computing of any fault or liability with respect to the Security Incident.
8. Customer Rights & Shared Security Responsibilities.
a. Customer Penetration Testing. Customer may provide a written request for a penetration test of its Account (“Pen Test“) by submitting such request via a support ticket. Following receipt by Sigma Computing of such request, Sigma Computing and Customer will mutually agree in advance on details of such Pen Test, including the start date, scope and duration, as well as reasonable conditions designed to mitigate potential risks to confidentiality, security, or other potential disruption of the Service or Sigma Computing’s business. Pen Tests and any information arising therefrom are deemed Sigma Computing’s Confidential Information. If Customer discovers any actual or potential vulnerability in connection with a Pen Test, Customer must immediately disclose it to Sigma Computing and will not disclose it to any third-party.
b. Documentation. Upon written request and at no additional cost to the Customer, Sigma will provide Customer with access to reasonably requested documentation that evidences Sigma’s compliance with its obligations under this Security Policy in the form of (i) Sigma Computing’s SOC 1 Type II and/or SOC 2 Type II audit report, (ii) Sigma Computing’s most recently completed industry standard security questionnaire, such as a SIG or CAIQ, and (iii) data flow diagrams for the Service (“Security Reports”).
c. Sensitive Customer Data. Customer Data should not include any sensitive data (as defined by applicable data protection laws); it is the Customer’s responsibility to ensure that any Customer Data containing content regulated by PCI-DSS, FedRAMP, or containing any similarly regulated content is in compliance with the appropriate regulatory requirements and controls. Customer acknowledges and Sigma makes no warranty and has no third party verified compliance certifications around PCI-DSS, and/or FedRAMP.
d. Shared Security Responsibilities. Without diminishing Sigma’s commitments in this Security Policy, Customer agrees:
- Sigma does not assess or monitor the content of Customer Data to identify information subject to any specific legal, regulatory or other requirements and Customer is responsible for making appropriate use of the Service to ensure a level of security appropriate to the particular content of Customer Data; and
- to be responsible for managing and protecting its User roles and credentials, including but not limited to (i) requiring that all Users keep credentials confidential and not share such information with unauthorized parties, (ii) reporting to Sigma any suspicious activities in the account or if a user credential has been compromised, (iii) appropriately configuring User and role-based access controls, including scope and duration of User access, taking into account the nature of its Customer Data, and (iv) maintaining appropriate password uniqueness, length, complexity, and expiration.
e. GDPR / CCPA. As Sigma does not access the Customer Data it is the Customer’s responsibility to submit deletion requests for the appropriate data subject. Sigma shall promptly notify Customer if Sigma receives a request from a data subject for access to, correction, amendment or deletion of such data subject’s Personal Data. Sigma shall not respond to any such request without Customer’s prior consent except to confirm that the request relates to the Customer.
Sigma will obtain and maintain at its sole cost and expense during the term of this Agreement, and for one year thereafter on all claims-made policies, the following minimum insurance coverage, subject only to standard industry exclusions and deductibles:
(i) Commercial General Liability Insurance written on an occurrence form and including but not limited to operations, products/completed operations, and contractual liability coverage, with limits not less than $1,000,000 in the aggregate;
(ii) Cyber Liability Insurance, including technology errors & omissions, including coverage for: network security liability; privacy liability; privacy regulatory proceeding expenses and fines; technology professional liability (errors and omissions); privacy breach expense reimbursement; and data/information loss and business interruption; and with a total aggregate limit of not less than $5,000,000;
(iii) Workers’ Compensation Insurance coverage at limits in a sufficient amount to meet all applicable statutory requirements; and
(iv) Employer’s Liability Insurance coverage with limits not less than $1,000,000 per occurrence.
Upon request, Sigma will provide Customer with a certificate of insurance following execution of this Agreement. Sigma also will provide a current insurance certificate upon request (not more than once per calendar year) at any time during the duration of this Agreement. Each contract of insurance will be with an insurer approved to do business that is rated “A-” or better.