PerimeterX Subscription Agreement

This PerimeterX Subscription Agreement (“PSA”) governs any purchase of PerimeterX, Inc. (“PerimeterX”) website monitoring and security services (“Services”) that you (the “Subscriber”) purchase directly from PerimeterX or through its authorized resellers (“Reseller”). This PSA, the Order Form or Subscription Confirmation (as applicable), and any other incorporated terms comprise the complete understanding between the parties on the subject matter (“Agreement”).

1. THE SERVICES

1.1 Ordering. If Subscriber purchases directly from PerimeterX, then an ordering document will be signed by both PerimeterX and Subscriber (the “Order Form”) and Subscriber will pay PerimeterX the fees for the Services in accordance with the payment terms stated in the Order Form. If Subscriber purchases Services through a Reseller, then the description of the Services will be set forth in the ordering document Subscriber enters with the Reseller (the “Subscription Confirmation,” which for the purposes of this Agreement is also an “Order Form”) and payment will be made to Reseller in accordance with the terms of the Subscription Confirmation. The Reseller is responsible for the accuracy of the Subscription Confirmation, Resellers are not authorized to make any promises or commitments on PerimeterX's behalf, and PerimeterX is not bound by any obligations to Subscriber other than as specified in this PSA. Except as otherwise stated the Agreement, Subscriber’s purchases are non-cancelable and payment for Services is non-refundable. Subscriber will pay all applicable sales tax, VAT, GST, use tax, or similar transaction taxes imposed on Subscriber’s purchase of Services. Subscriber will have no liability for taxes that are imposed on PerimeterX or Reseller, as applicable, that are measured by PerimeterX’s or Reseller’s net or gross income.

1.2 Use of the Service. Subscriber may access and use Services only for its internal business purposes. PerimeterX shall provide Subscriber with access to the Services in accordance with the Agreement. The Services generally include access to the PerimeterX “Portal” that is hosted by PerimeterX (e.g., console.perimeterx.com) in order to display activity on the Subscriber’s “Websites” and “Apps” identified in the Order Form. The Portal may only be accessed and used by Subscriber’s employees (“Authorized Users”). PerimeterX may set reasonable limits on the number of Authorized Users permitted to access the Service from time to time. Subscriber is responsible for the use of the Service by its Authorized Users and their compliance with this Agreement. Subscriber, on behalf of itself and its Authorized Users, agrees not to: (1) use the Service other than as authorized in this Agreement; (2) modify, alter, decompile or reverse engineer the Service; (3) interfere with or disrupt the integrity or performance of the Service; or (4) deactivate, impair, or circumvent any security or authentication measures of the Service. Subscriber will not provide access to the Services to any third party, resell or sublicense it, except that Subscriber may allow its Affiliates to access and use the Services if Subscriber is fully liable for its Affiliates’ use of the Services and compliance with the Agreement (each such Affiliate also the “Subscriber” for the purpose of this Agreement). Without undue delay, Subscriber will notify PerimeterX upon learning of any unauthorized use of the Services. "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity where “control” means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

2. DUTIES

2.1 Provision of Services. Subscriber is responsible for providing PerimeterX with the information necessary for PerimeterX to provide the Services. Subscriber is solely responsible for the accuracy, quality and legality of such information. The Services may record certain information (“Subscriber Data”) about how a person (“User”) uses Subscriber’s Websites and Apps.

2.2 Data Protection. PerimeterX generally does not process Personal Data under the Data Privacy Laws of many jurisdictions. PerimeterX’s Page Defender and Code Defender Services generally will not process any Personal Data. PerimeterX’s Bot Defender Service may process a User’s Internet Protocol (IP) address that qualifies as an identifier under the GDPR and CCPA, but it can’t be used by PerimeterX to identify an individual since PerimeterX does not collect other information that could lead to identification. Except as provided above, PerimeterX’s Bot Defender Service generally does not collect personally identifiable information that identifies the User of the Subscriber Website or App, such as name, email address, credit card or financial information, health information, usernames, passwords or other login credentials. PerimeterX’s other solutions (such as, Account Defender, Compromised Credential and Human Challenge solutions) may process Personal Data. If PerimeterX processes Personal Data on behalf of Subscriber, then the terms of the PerimeterX Data Processing Agreement, which include the standard contractual clauses as applicable, found at https://www.perimeterx.com/legal/dpa is made a part of this Agreement in connection with the processing of Personal Data. As part of providing the Services, PerimeterX maintains a growing global network of points of presence or POPs that will process, transmit and cache Subscriber Data (including possibly Personal Data). Subscriber Data will be processed and transmitted across the borders of different countries. If Subscriber purchases through a Reseller that is also providing support or other services in connection with the PerimeterX Service, then Subscriber authorizes PerimeterX to share data with that Reseller to the extent necessary to provide those support or other services. “Data Privacy Laws” means applicable national, federal, state and provincial laws relating to data privacy, the protection of Personal Data, and the cross-border transfer of Personal Data (e.g., to the extent applicable, the CCPA and GDPR), excluding any law that requires data to be stored in a specific country. “Personal Data” means (i) any information relating to an identified or identifiable natural person where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or (ii) is defined as “Personal Information” or “Personal Data” by applicable Data Privacy Laws (e.g., CCPA § 1798.140(o) or GDPR Art. 4).

2.3 Compliance with Laws. The parties will comply with all applicable Data Privacy Laws and all international, federal, state, provincial and local laws relating to corruption practice and bribery. If any variation to the Agreement between the parties is required to maintain compliance with changes to Data Privacy Laws, the parties will negotiate necessary variations to this Agreement in good faith to address changes. Subscriber shall at all times have in place and comply with a privacy policy that is both (i) conspicuously posted to the Subscriber Website and (ii) is compliance with all Data Privacy Laws; including, where required, disclosure of collection of Subscriber Data by Subscriber’s service providers (including PerimeterX).

2.4 Data Backup and Download. PerimeterX will provide daily backups of Subscriber Data. For most Services, the Portal will allow Subscriber to download an “Activity Timeline” in a CSV format (i.e. aggregated User data for a finite period of time). In the event of any loss or corruption of Subscriber Data, PerimeterX shall use its commercially reasonable efforts to restore the lost or corrupted Subscriber Data from the latest backup of such Subscriber Data maintained by PerimeterX. PerimeterX has the ability to allow Subscriber to view the data normally available in the PerimeterX Portal in platforms/dashboards of various third parties (e.g., DataDog). If Subscriber instructs PerimeterX send data to a third-party platform or dashboard (i.e. any company other than PerimeterX), then Subscriber agrees that PerimeterX will have no liability for any unauthorized use, disclosure, loss of that data in connection with that data processed by that third-party. Because Subscriber has the ability to download data from the Portal, PerimeterX’s efforts to restore lost or corrupted Subscriber Data pursuant to this Section is PerimeterX’s sole liability and Subscriber’s sole remedy in the event of any loss or corruption of Subscriber Data. PerimeterX shall not be responsible for any loss, destruction, alteration, unauthorized disclosure or corruption of Subscriber Data caused by Subscriber or any third party.

3. CONFIDENTIAL INFORMATION

3.1 Definition. “Confidential Information” means any information disclosed under the Agreement that (a) if tangible, is clearly marked as “Confidential” or with a similar designation; (b) if intangible, is identified as “Confidential” by discloser at the time of disclosure and confirmed in writing to recipient as being Confidential Information; or (c) from the relevant circumstances should reasonably be known by recipient to be confidential (e.g. pricing, product plans, non-public Personal Data, etc.). Confidential Information does not include any portion of the information that recipient can prove (a) was rightfully known to recipient before receipt from discloser; (b) was generally known to the public on the Effective Date; (c) becomes generally known to the public after the Effective Date, through no fault of recipient; (d) was received by recipient from a third party without any confidentiality obligation; or (e) was independently developed by recipient without breach of this Section 3.

3.2 Limited Use and Non-Disclosure. Recipient will (a) use Confidential Information only for the purposes of furthering the business relationship between the parties; (b) protect Confidential Information using the same degree of care it uses to protect its own confidential information of a like nature, but in no event less than a reasonable degree of care; or (c) not disclose Confidential Information to any third party except (1) to Affiliates or employees, consultants, and agents who (i) have a need to know it in order to carry out their obligations under the Agreement, and (ii) are under written confidentiality and non-use obligations at least as restrictive as those stated in this PSA or (2) as required by law.

4. INTELLECTUAL PROPERTY RIGHTS

As between PerimeterX and Subscriber, Subscriber owns all worldwide right, title and interest in and to the Subscriber Data and Subscriber’s Websites and Apps, including all worldwide Intellectual Property Rights. PerimeterX and its licensors own all Intellectual Property Rights in and to the PerimeterX Service (“PerimeterX IP”). Except as expressly set forth in the Agreement, no rights to any PerimeterX IP, any Subscriber Data or Subscriber Websites and Apps is granted to a party. Subscriber is not obligated to provide PerimeterX with any suggestions, enhancement requests, or other feedback about the Services or related technology. However, if Subscriber provides any feedback to PerimeterX, PerimeterX may use and modify it without any restriction or payment. A great value proposition is that PerimeterX’s Service is architected so that all customers can benefit from the threats that PerimeterX has identified for a different customer even though that particular customer is not identified as the source of the information. Provided Subscriber is not identified or capable of being re-identified as the source of the data, Subscriber grants PerimeterX a perpetual, irrevocable license to Subscriber Data so it: (1) may share and publish details related to a threat (e.g., malware, a denial of service attack or other malicious activity), including the originating IP address, that PerimeterX in good faith believes it has identified; (2) use and analyze Subscriber Data to provide, improve, and support its products and services; and (3) share aggregated, anonymous data with third parties for industry research and analysis, demographic profiling and other similar purposes. “Intellectual Property Right(s)” means worldwide patent rights (including, without limitation, patent applications and disclosures), trademarks, copyrights, moral rights, know-how, and any other intellectual property rights recognized in any country or jurisdiction in the world.

5. TERM AND TERMINATION

5.1 Term. This PSA is effective on the date the first Order Form is fully executed (“Effective Date”) and remains in effect until all Order Forms under this PSA are terminated or expire.

5.2 Termination and Suspension. Either party may terminate this PSA or an Order Form if the other party materially breaches the Agreement and fails to cure the breach within 30 days after receiving notice of the breach. PerimeterX may suspend Subscriber’s access to the Services if Subscriber is in breach of the Agreement and has received written notice describing the breach and the suspension will continue for as long as reasonably necessary for Subscriber to remedy the breach. PerimeterX may temporarily suspend the Service if Subscriber exceeds the prepaid usage by more than 900% as measured on a per minute basis.

5.3 Effect of Termination. Except for Subscriber’s termination for PerimeterX’s uncured material breach under Section 5.2, termination of this PSA or an Order Form will not relieve Subscriber from its obligation to pay PerimeterX any fees stated in an Order Form. If Subscriber terminates this PSA or an Order Form because of PerimeterX’s uncured material breach, PerimeterX will refund a pro-rata share of any prepaid fees under the applicable Order Form. After termination or expiration of the PSA or an Order Form, (a) PerimeterX will delete applicable data within 60 days and may take steps to prevent the data flow from Subscriber to PerimeterX and (b) Subscriber will disable all data feeds to PerimeterX within 72 hours or else all usage will be billed at the Excess Use Fee after being notified that the data feeds remain in place. Termination of an Order Form does not terminate this PSA; however, termination of this PSA will result in the immediate termination of all Order Forms. Sections 3, 4, and 6-9 of this PSA will survive termination.

6. LIMITED WARRANTY; DISCLAIMER

Any Service Level Agreement is set forth in the Order Form. PerimeterX makes no representation or warranty about the Services, including the results obtained from or the conclusions drawn from the use of Services or that the Services will be uninterrupted or error-free. To the fullest extent permitted under applicable law, PerimeterX disclaims all express and implied warranties, including any implied or statutory warranty, any implied warranty of title or non-infringement (since PerimeterX indemnifies for IP infringement), merchantability or fitness for a particular purpose.

7. INDEMNIFICATION

7.1 Indemnification Scope. PerimeterX will defend and indemnify Subscriber, its Affiliates, and their respective directors, officers and employees from and against all third party claims to the extent resulting from or alleged to have resulted from (a) the Services’ infringement of a third party’s Intellectual Property Right or (b) any violation of applicable Data Privacy Laws by PerimeterX. Subscriber will defend and indemnify PerimeterX, its Affiliates, and their respective directors, officers and employees from and against all third party claims to the extent resulting from or alleged to have resulted from (y) PerimeterX’s use of the Subscriber Data in accordance with this Agreement or (z) any violation of applicable Data Privacy Laws by Subscriber. PerimeterX will have no liability under this Section to the extent that any third-party claims are based on the combination, operation or use of the Services with equipment, devices, or data not supplied by PerimeterX or its vendors, if a claim would not have occurred but for such combination, operation or use.

7.2 Indemnification Procedures. Each party will promptly notify the other in writing of any third-party claim. The indemnifying party will (a) control the defense of the claim; and (b) obtain the other party’s prior written approval of the indemnifying party’s settlement or compromise of a claim. The indemnified party will (y) not unreasonably withhold or delay its approval of the request for settlement or compromise; and (z) assist and cooperate in the defense as reasonably requested by the indemnifying party at the indemnifying party’s expense.

8. LIMITATION OF LIABILITY

In this Section, “liability” means any liability, whether under contract, tort, or otherwise, including for negligence.

8.1 General Limitations on Liability. Subject to section 8.2 (Exceptions to Limitations):

(a) neither party will have any liability arising out of or relating to the Agreement for: (1) indirect, special, incidental or consequential losses (whether or not foreseeable or contemplated by the parties at the Effective Date); (2) exemplary or punitive damages; or (3) the other party’s lost revenues, profits, or data; and

(b) each party's aggregate liability arising out of or relating to the Agreement will not exceed the greater of the amount paid or payable to PerimeterX under the applicable Order Form for the 12 months preceding the subject claim.

8.2 Exceptions to Limitations. Nothing in this Agreement excludes or limits either party’s liability for: (a) breach of confidentiality obligations under Section 3, (b) the indemnification obligations under Section 7, or (c) matters for which liability cannot be excluded or limited under applicable law.

9. DISPUTE RESOLUTION

If Subscriber is domiciled in the United States: This Agreement and all matters arising out of or relating to this Agreement is governed by California law, without regard to conflict of law, and each party irrevocably consents to exclusive jurisdiction over all claims and disputes between the parties, as follows: (a) if PerimeterX is the plaintiff, the state and federal courts located in the state and county of Subscriber’s address identified in the Order Form, or (b) if Subscriber is the plaintiff, the Superior Court of San Mateo County, California, and federal court in the Northern District of California.

If Subscriber is domiciled outside of the United States: Any unresolved dispute arising out of or in connection with this Agreement shall be finally resolved by arbitration with one arbitrator conducted in English under the Rules of Arbitration of the International Chamber of Commerce that are made a part of this Agreement. Either party can obtain temporary restraining orders, preliminary injunctions, and other similar relief in a court of competent jurisdiction when necessary to preserve status quo or prevent injury pending resolution of the dispute on its merits by arbitration. This Agreement and all matters arising out of or relating to this Agreement shall be governed by the laws of (without regard to conflict of law) and the location of the arbitration will be, as follows:

| --- | --- | --- | | Subscriber domiciled in Asia: | laws of Singapore | arbitration will be held in Singapore | | Subscriber domiciled in Canada: | laws of Ontario | arbitration will be held in Toronto | | Subscriber domiciled in Mexico or Central or South America: | laws of New York | arbitration will be held in New York City | | Subscriber domiciled elsewhere (other than US): | laws of England | arbitration will be held in London |

10. MISCELLANEOUS

Neither party will assign the Agreement in whole or in part without the other party’s prior written consent (which consent will not be unreasonably denied, delayed or conditioned), except to an Affiliate or a successor that is made in connection with a merger or sale of all or substantially all of a party’s assets or stock. Any attempted assignment in violation of this restriction is void. The Agreement shall bind and inure to the benefit of the parties, their respective successors and permitted assigns. If a conflict exists between any of the terms in the Agreement, then the Order Form will govern. Neither party relies on any undertaking, promise, assurance, statement, representation, warranty or understanding of any person relating to the subject matter of the Agreement, other than as stated in the Agreement. Notices will be provided in writing and delivered by commercial overnight or next day courier to the address of the other party stated on the Order Form. The Agreement does not create a partnership, agency relationship, or joint venture between the parties. Neither party has the power or authority to bind the other or to create any obligation or responsibility on behalf of the other. Under no circumstances will any employee of one party be deemed to be the employee of the other. If any provision of the Agreement is unenforceable, that provision will be modified to render it enforceable to the extent possible to give effect to the parties’ intentions and the remaining provisions will not be affected. The parties may amend the Agreement only in a written amendment signed by both parties. This PSA can be executed electronically and in counterparts, each of which is deemed to be an original and together comprise a single document. Each party represents and warrants that the individual binding a party under this PSA is authorized to do so.