This Vanta Master Subscription Agreement (“MSA”) is effective as of the effective date of an applicable signed order form (such form an “Order Form” and such date the “Effective Date”) and is by and between Vanta Inc., a Delaware corporation with a place of business at 57 Post St., Suite 904, San Francisco, CA 94104 (“Vanta”), and the customer set forth on the Order Form (“Customer”) (each a “Party” and together the “Parties”). In the event of any inconsistency or conflict between the terms of the MSA and the terms of any Order Form, the terms of the Order Form control.
Section 1. Services. “Services” means the product(s) and service(s) that are ordered by Customer from Vanta online or through an Order Form referencing this MSA, whether on a trial or paid basis, and to which Vanta thereby provides access to Customer. Services exclude any products or services provided by third parties, even if Customer has connected those products or services to the Services. Subject to the terms and conditions of this MSA, Vanta will make the Services available during the Term as set forth in an Order Form.
Section 2. Fees and Payment.
2.1. Fees. Customer will pay the fees specified in the Order Form (the “Fees”).
2.2. Payment; Taxes. Vanta will invoice Customer for Fees, either within the Services or directly, within thirty (30) days of the Effective Date. Customer will pay all invoiced Fees net forty-five (45) days from the date of the invoice. Fees do not include local, state, or federal taxes or duties of any kind and any such taxes will be assumed and paid by Customer, except for taxes on Vanta based on Vanta’s income or receipts.
Section 3. Term and Termination.
3.1. Term. This MSA commences on the Effective Date and will remain in effect through the Initial Term and all Renewal Terms, as specified in the Order Form, unless otherwise terminated in accordance with this Section (the Initial Term and all Renewal Terms collectively the “Term”). If the Order Form does not specify, the Initial Term will be one year and will automatically renew for successive one-year periods unless Customer provides Vanta with notice of termination at sixty (60) days prior to the end of the Term.
3.2. Termination for Cause. A Party may terminate this MSA for cause (a) upon notice to the other Party of a material breach if such breach remains uncured after fifteen (15) days from the date of the breaching Party’s receipt of such notice; or (b) if the other Party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors. Non-payment of Fees by Customer past ninety (90) days from an invoice date, and any Prohibited Uses (as defined below), will be considered de facto material breaches of the MSA.
3.3. Cancellation. A Party may terminate the MSA and an applicable Order Form either (i) in accordance with the renewal provisions of the Order Form or (ii) if such provisions are not specified, by providing notice to the other Party of termination forty-five (45) days prior to the end of the then-current Term.
3.4. Effect of Termination and Survival. Upon termination or cancellation of an Order Form or this MSA (a) with respect to termination of the entire MSA, all Order Forms will concurrently terminate, (b) Customer will have no further right to use the Services under the terminated or cancelled Order Forms and Vanta will remove Customer’s access to same, and (c) unless otherwise specified in writing, Customer will not be entitled to any refund of fees paid. The following Sections will survive termination: Section 2 (Fees and Payment), Section 5 (Confidentiality), Section 6.2 (Data Practices-Ownership), Section 8 (Intellectual Property Rights), Section 9.3 (Disclaimers), Section 10 (Indemnification), Section 11 (Limitation of Liability), and Section 12 (Miscellaneous). Termination of this MSA will not limit a Party’s liability for obligations accrued as of or prior to such termination or for any breach of this MSA.
Section 4. License and Use of the Services.
4.1. License. Vanta hereby grants Customer a non-exclusive, non-transferable, non-sublicensable right to and license to access and use the Services set forth in the Order Form for Customer’s internal business purposes, all subject to the terms and conditions of this MSA and the Order Form.
4.2. Authorized Users. Customer may designate and provide access to its (or its corporate affiliates’) employees, independent contractors, or other agents to an account on the Services as authorized users (each an “Authorized User”) up to the number of “seats” set forth in the Order Form (unlimited if not specified in the Order Form). Each account may be used only by a single, individual Authorized User, and Customer may be charged for additional seats (if applicable), or Vanta may terminate the MSA for cause, if this requirement is circumvented. Customer is responsible for all use and misuse of the Services by Authorized User accounts and for adherence to this MSA by any Authorized Users, and references to Customer herein will be deemed to apply to Authorized Users as necessary and applicable. Customer agrees to promptly notify Vanta of any unauthorized access or use of which Customer becomes aware.
4.3. Prohibited Uses. Customer and Authorized Users will not: (a) “frame,” distribute, resell, or permit access to the Services by any third party other than for its intended purposes; (b) use the Services other than in compliance with applicable federal, state, and local laws; (c) interfere with the Services or disrupt any other user’s access to the Subscription Service; (d) reverse engineer, attempt to gain unauthorized access to the Service, attempt to discover the underlying source code or structure of, or otherwise copy or attempt to copy the Services; (e) knowingly transfer to the Services any content or data that is defamatory, harassing, discriminatory, infringing of third party intellectual property rights, or unlawful; (f) transfer to the Services or otherwise use on the Services any routine, device, code, exploit, or other undisclosed feature that is designed to delete, disable, deactivate, interfere with or otherwise harm any software, program, data, device, system or service, or which is intended to provide unauthorized access or to produce unauthorized modifications; or (g) use any robot, spider, data scraping, or extraction tool or similar mechanism with respect to the Services.
Section 5. Confidentiality. As used herein, the “Confidential Information” of a Party (the “Disclosing Party”) means all financial, technical, or business information of the Disclosing Party that the Disclosing Party designates as confidential at the time of disclosure to the other Party (the “Receiving Party”) or that the Receiving Party reasonably should understand to be confidential based on the nature of the information or the circumstances surrounding its disclosure. For the sake of clarity, the Parties acknowledge that Confidential Information includes the terms and conditions of this MSA. Except as expressly permitted in this MSA, the Receiving Party will not disclose, duplicate, publish, transfer or otherwise make available Confidential Information of the Disclosing Party in any form to any person or entity without the Disclosing Party’s prior written consent. The Receiving Party will not use the Disclosing Party’s Confidential Information except to perform its obligations under this MSA, such obligations including, in the case of Vanta, to provide the Services. Notwithstanding the foregoing, the Receiving Party may disclose Confidential Information to the extent required by law, provided that the Receiving Party: (a) gives the Disclosing Party prior written notice of such disclosure so as to afford the Disclosing Party a reasonable opportunity to appear, object, and obtain a protective order or other appropriate relief regarding such disclosure (if such notice is not prohibited by applicable law); (b) uses diligent efforts to limit disclosure and to obtain confidential treatment or a protective order; and (c) allows the Disclosing Party to participate in the proceeding. 
Further, Confidential Information does not include any information that: (i) is or becomes generally known to the public without the Receiving Party's breach of any obligation owed to the Disclosing Party; (ii) was independently developed by the Receiving Party without the Receiving Party's breach of any obligation owed to the Disclosing Party; or (iii) is received from a third party who obtained such Confidential Information without any third party's breach of any obligation owed to the Disclosing Party.
Section 6. Data Practices.
6.1. Definitions. “Service Data” means a subset of Confidential Information comprised of electronic data, text, messages, communications, or other materials submitted to and stored within the Services by Customer in connection with use of the Services. Service Data may include, without limitation, any information relating to an identified or identifiable natural person (‘data subject’) where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity of that natural person (such information, “Personal Data”). Service Data does not include metrics and information regarding Customer’s use of the Services, including information about how Authorized Users use the Services (such information, “Usage Data”).
6.2. Ownership. Customer will continue to retain its ownership rights to all Service Data processed under the terms of this MSA and Vanta will own all Usage Data.
6.3. Vanta’s Use of Data. Vanta will use Service Data, Personal Data, and Usage Data as follows and, to the extent necessary, Customer provides Vanta a license to use, modify, reproduce, distribute, display and disclose same during the Term in accordance with this MSA:
6.3.1. Operating the Services. Vanta may receive, collect, store and/or process Service Data based on Vanta’s legitimate interest in operating the Services. For example, Vanta may collect Personal Data (such as name or email address) through the account activation process. Vanta may also use Service Data in an anonymized manner for the training of the machine learning models to support certain features and functionality within the Services.
6.3.2. Communications. Vanta may communicate with Customer or Authorized Users (i) to send product information and promotional offers or (ii) about the Services generally. If Customer or an Authorized User does not want to receive such communications, Customer may email email@example.com. Customer and necessary Authorized Users will always receive transactional messages that are required for Vanta to provide the Services (such as billing notices and product usage notifications).
6.3.3. Improving the Services. Vanta may collect, and may engage third-party analytics providers to collect, Usage Data to develop new features, improve existing features, or inform sales and marketing strategies based on Vanta’s legitimate interest in improving the Services. When Vanta uses Usage Data, any Personal Data that was included in Service Data shall be anonymized and/or aggregated in such a manner that it no longer constitutes Service Data or Personal Data under applicable data protection laws. Any such third-party analytics providers will not share or otherwise disclose Usage Data, although Vanta may make Usage Data publicly available from time to time.
6.3.4. Connecting to Third-Party Services. Customer may wish to connect third-party services to the Services (e.g., connecting Vanta to Customer’s single-sign-on service to verify 2FA status of Customer’s employees). When Customer uses a third-party service to connect with Vanta, logs into the Services through a third-party authentication service, or otherwise provides Vanta with access to information from a third-party service, Vanta may obtain other information, including Personal Data, from those third parties and combine that with Service or Usage Data based on Vanta’s legitimate interest in providing Customer with functionality that supports the Services. Any access that Vanta may receive to such information from a third-party service is always in accordance with the features and functionality, particularly as to authorization, of that service. By authorizing Vanta to connect with a third-party service, Customer authorizes Vanta to access and store any information provided to Vanta by that third-party service, and to use and disclose that information in accordance with this MSA.
6.3.5. Third-Party Service Providers. Customer agrees that Vanta may provide Service Data and Personal Data to authorized third-party service providers only to the extent necessary to develop and operate the Services. Any such third-party service providers will only be given access to Service Data and Personal Data to the extent reasonably necessary to develop and operate the Services and will be subject to (a) confidentiality obligations that are commercially reasonable and substantially consistent with the standards described in this MSA; and (b) their agreement to comply with the data transfer restrictions applicable to Personal Data as set forth below.
6.4. Service Data Safeguards. (i) Vanta will not sell, rent, or lease Service Data to any third party, and will not share Service Data with third parties, except as permitted by this MSA and to provide, secure, and support the Services. (ii) Vanta will maintain commercially reasonable (particularly for a company of Vanta’s size and revenue) appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of Service Data.
Section 7. Privacy Practices.
Section 8. Intellectual Property Rights. Each Party will retain all rights, title and interest in any patents, inventions, copyrights, trademarks, domain names, trade secrets, know-how and any other intellectual property and/or proprietary rights (“Intellectual Property Rights”), and Vanta in particular will exclusively retain such rights in the Services and all components of or used to provide the Services. Customer hereby provides Vanta a fully paid-up, royalty-free, worldwide, transferable, sub-licensable (through multiple layers), assignable, irrevocable and perpetual license to implement, use, modify, commercially exploit, incorporate into the Services or otherwise use any suggestions, enhancement requests, recommendations or other feedback Vanta receives from Customer, Customer’s agents or representatives, Authorized Users, or other third parties acting on Customer’s behalf; and Vanta also reserves the right to seek intellectual property protection for any features, functionality or components that may be based on or that were initiated by such suggestions, enhancement requests, recommendations or other feedback.
Section 9. Representations, Warranties, and Disclaimers.
9.1. Authority. Each Party represents that it has validly entered into this MSA and has the legal power to do so.
9.2. Warranties. Vanta warrants that during an applicable Term (a) this MSA will accurately describe the applicable administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Service Data; and (b) the Services will perform materially in accordance with any applicable documentation provided within the Services. For any breach of a warranty in this section, Customer’s exclusive remedies are those described in Section 3 (Term and Termination) herein.
9.3. Disclaimers. EXCEPT AS SPECIFICALLY SET FORTH IN THIS SECTION AND ANY APPLICABLE SERVICE LEVEL AGREEMENT, THE SERVICES, INCLUDING ALL SERVER AND NETWORK COMPONENTS, ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS, WITHOUT ANY WARRANTIES OF ANY KIND TO THE FULLEST EXTENT PERMITTED BY LAW, AND VANTA EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. CUSTOMER ACKNOWLEDGES THAT VANTA DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE, ERROR-FREE, OR FREE FROM VIRUSES OR OTHER MALICIOUS SOFTWARE, AND NO INFORMATION OR ADVICE OBTAINED BY CUSTOMER FROM VANTA OR THROUGH THE SERVICES SHALL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THIS MSA. THE PARTIES ADDITIONALLY AGREE THAT VANTA WILL HAVE NO LIABILITY OR RESPONSIBILITY FOR CLIENT’S VARIOUS COMPLIANCE PROGRAMS, AND THAT THE SERVICES, TO THE EXTENT APPLICABLE, ARE ONLY TOOLS FOR ASSISTING CLIENT IN MEETING THE VARIOUS COMPLIANCE OBLIGATIONS FOR WHICH IT SOLELY IS RESPONSIBLE.
Section 10. Indemnification.
10.1. Indemnification by Vanta. Vanta will indemnify and hold Customer harmless from and against any claim brought by a third party against Customer by reason of Customer’s use of a Service as permitted hereunder, alleging that such Service infringes or misappropriates a third party’s valid patent, copyright, trademark, or trade secret. Vanta will, at its expense, defend such claim and pay damages finally awarded against Customer in connection therewith, including the reasonable fees and expenses of the attorneys engaged by Vanta for such defense, provided that (a) Customer promptly notifies Vanta of the threat or notice of such claim; (b) Vanta will have the sole and exclusive control and authority to select defense attorneys, and defend and/or settle any such claim (however, Vanta will not settle or compromise any claim that results in liability or admission of any liability by Customer without prior written consent); and (c) Customer fully cooperates with Vanta in connection therewith. If use of a Service by Customer has become, or, in Vanta’s opinion, is likely to become, the subject of any such claim, Vanta may, at its option and expense, (i) procure for Customer the right to continue using the Service(s) as set forth hereunder; (ii) replace or modify a Service to make it non-infringing; or (iii) if options (i) or (ii) are not commercially reasonable or practicable as determined by Vanta, terminate Customer’s subscription to the Service(s) and repay, on a pro-rata basis, any Fees previously paid to Vanta for the corresponding unused portion of the Term for such Service(s). 
Vanta will have no liability or obligation under this Section with respect to any claim if such claim is caused in whole or in part by (x) compliance with designs, data, instructions or specifications provided by Customer; (y) modification of the Service(s) by anyone other than Vanta; or (z) the combination, operation or use of the Service(s) with other hardware or software where a Service would not by itself be infringing. The provisions of this Section state the sole, exclusive, and entire liability of Vanta to Customer and constitute Customer’s sole remedy with respect to any claim brought by reason of access to or use of a Service by Customer, Customer’s agents, or Authorized Users.
10.2. Indemnification by Customer. Customer will indemnify and hold Vanta harmless against any claim (a) arising from unauthorized or improper use of the Service(s) by Customer, Customer’s agents, or Authorized Users in breach of this MSA; or (b) alleging that Customer’s use of the Service(s), or Customer’s Service Data, infringes or misappropriates a third party’s valid patent, copyright, trademark, or trade secret; provided (i) Vanta promptly notifies Customer of the threat or notice of such claim; (ii) Customer will have the sole and exclusive control and authority to select defense attorneys, and defend and/or settle any such claim (however, Customer will not settle or compromise any claim that results in liability or admission of any liability by Vanta without prior written consent); and (iii) Vanta fully cooperates in connection therewith.
SECTION 11. LIMITATION OF LIABILITY. EXCEPT FOR THE PARTIES’ INDEMNIFICATION OBLIGATIONS UNDER SECTION 10, UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY (WHETHER IN CONTRACT, TORT, NEGLIGENCE OR OTHERWISE) WILL EITHER PARTY TO THIS MSA, OR THEIR AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SERVICE PROVIDERS, SUPPLIERS OR LICENSORS BE LIABLE TO THE OTHER PARTY OR ANY AFFILIATE FOR ANY LOST PROFITS, LOST SALES OR BUSINESS, LOST DATA (BEING DATA LOST IN THE COURSE OF TRANSMISSION VIA CUSTOMER’S SYSTEMS OR OVER THE INTERNET THROUGH NO FAULT OF VANTA), BUSINESS INTERRUPTION, LOSS OF GOODWILL, COSTS OF COVER OR REPLACEMENT, OR FOR ANY TYPE OF INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, CONSEQUENTIAL OR PUNITIVE LOSS OR DAMAGES, OR ANY OTHER INDIRECT LOSS OR DAMAGES INCURRED BY THE OTHER PARTY OR ANY AFFILIATE IN CONNECTION WITH THIS MSA OR THE SERVICES REGARDLESS OF WHETHER SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF OR COULD HAVE FORESEEN SUCH DAMAGES. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS MSA, EITHER PARTY’S AGGREGATE LIABILITY TO THE OTHER PARTY OR ANY THIRD PARTY ARISING OUT OF THIS MSA OR THE SERVICES WILL IN NO EVENT EXCEED THE FEES PAID BY CUSTOMER DURING THE TWELVE (12) MONTHS PRIOR TO THE FIRST EVENT OR OCCURRENCE GIVING RISE TO SUCH LIABILITY. CUSTOMER ACKNOWLEDGES AND AGREES THAT THE ESSENTIAL PURPOSE OF THIS SECTION IS TO ALLOCATE THE RISKS UNDER THIS MSA BETWEEN THE PARTIES AND LIMIT POTENTIAL LIABILITY GIVEN THE FEES, WHICH WOULD HAVE BEEN SUBSTANTIALLY HIGHER IF VANTA WERE TO ASSUME ANY FURTHER LIABILITY OTHER THAN AS SET FORTH HEREIN. VANTA HAS RELIED ON THESE LIMITATIONS IN DETERMINING WHETHER TO PROVIDE CUSTOMER WITH THE RIGHTS TO ACCESS AND USE THE SERVICES PROVIDED FOR IN THIS MSA. THE LIMITATION OF LIABILITY PROVIDED FOR HEREIN WILL APPLY IN AGGREGATE TO SUBSCRIBER AND ITS AFFILIATES AND SHALL NOT BE CUMULATIVE. 
Some jurisdictions do not allow the exclusion of implied warranties or limitation of liability for incidental or consequential damages or for personal injury or death, which means that some of the above limitations may not apply. IN THESE JURISDICTIONS, A PARTY’S LIABILITY WILL BE LIMITED TO THE GREATEST EXTENT PERMITTED BY LAW. Any claims or damages that Customer may have against Vanta will only be enforceable against Vanta and not any other entity or its officers, directors, representatives, or agents.
Section 12. Miscellaneous.
12.1. Entire Agreement. This MSA and the applicable Order Form(s) constitute the entire agreement, and supersede all prior agreements, between Vanta and Customer regarding the subject matter hereof.
12.2. Assignment. Either Party may, without the consent of the other Party, assign this MSA to any affiliate or in connection with any merger, change of control, or the sale of all or substantially all of such Party’s assets provided that (1) the other Party is provided prior notice of such assignment and (2) any such successor agrees to fulfill its obligations pursuant to this MSA. Subject to the foregoing restrictions, this MSA will be fully binding upon, inure to the benefit of and be enforceable by the Parties and their respective successors and assigns.
12.3. Severability. If any provision in this MSA is held by a court of competent jurisdiction to be unenforceable, such provision will be modified by the court and interpreted so as to best accomplish the original provision to the fullest extent permitted by law, and the remaining provisions of this MSA will remain in effect.
12.4. Relationship of the Parties. The Parties are independent contractors. This MSA does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the Parties.
12.5. Notices. All notices provided by Vanta to Customer under this MSA may be delivered in writing (a) by nationally recognized overnight delivery service (“Courier”) or U.S. mail to the contact mailing address provided by Customer on the Order Form; or (b) electronic mail to the electronic mail address provided for Customer’s account owner. Customer must give notice to Vanta in writing by Courier or U.S. mail to 57 Post St., Suite 904, San Francisco, CA 94104 Attn: Legal Department. All notices shall be deemed to have been given immediately upon delivery by electronic mail; or, if otherwise delivered upon the earlier of receipt or two (2) business days after being deposited in the mail or with a Courier as permitted above.
12.6. Governing Law, Jurisdiction, Venue. This MSA will be governed by the laws of the State of California, without reference to conflict of laws principles. Any disputes under this MSA shall be resolved in a court of general jurisdiction in San Francisco County, California. Customer hereby expressly agrees to submit to the exclusive personal jurisdiction and venue of such courts for the purpose of resolving any dispute relating to this MSA or access to or use of the Services by Customer, its agents, or Authorized Users.
12.7. Export Compliance. The Services and other software or components of the Services that Vanta may provide or make available to Customer are subject to U.S. export control and economic sanctions laws as administered and enforced by the Office of Foreign Assets and Control of the United States Department of Treasury. Customer agrees to comply with all such laws and regulations as they relate to access to and use of the Services. Customer will not access or use the Services if Customer or any Authorized Users are located in any jurisdiction in which the provision of the Services, software, or other components is prohibited under U.S. or other applicable laws or regulations (a “Prohibited Jurisdiction”) and Customer will not provide access to the Services to any government, entity, or individual located in any Prohibited Jurisdiction. Customer represents and warrants that (a) it is not named on any U.S. government list of persons or entities prohibited from receiving U.S. exports, or transacting with any U.S. person; (b) it is not a national of, or a company registered in, any Prohibited Jurisdiction; (c) it will not permit any individuals under its control to access or use the Services in violation of any U.S. or other applicable export embargoes, prohibitions or restrictions; and (d) it will comply with all applicable laws regarding the transmission of technical data exported from the United States and the countries in which it and Authorized Users are located.
12.8. Anti-Corruption. Customer agrees that it has not received or been offered any illegal or improper bribe, kickback, payment, gift, or thing of value from any of Vanta’s employees or agents in connection with this MSA. Reasonable gifts and entertainment provided in the ordinary course of business do not violate the above restriction. If Customer learns of any violation of the above restriction, Customer will use reasonable efforts to promptly give notice to Vanta.
12.9. Publicity and Marketing. Vanta may use Customer’s name, logo, and trademarks solely to identify Customer as a client of Vanta on Vanta’s website and other marketing materials and in accordance with Customer’s trademark usage guidelines, if Customer provides same to Vanta. Vanta may share aggregated and/or anonymized information regarding use of the Services with third parties for marketing purposes to develop and promote Services. Vanta never will disclose aggregated and/or anonymized information to a third party in a manner that would identify Customer as the source of the information or Authorized Users or others personally.
12.10. Amendments. Vanta may amend this MSA from time to time, in which case the new MSA will supersede prior versions. Vanta will notify Customer not less than ten (10) days prior to the effective date of any such amendment and Vanta’s continued use of the Services following the effective date of any such amendment may be relied upon by Vanta as consent to any such amendment. Vanta’s failure to enforce at any time any provision of this MSA does not constitute a waiver of that provision or of any other provision of this MSA.