Access Agreement

1.1 Access Protocols

“Access Protocols” means the credentials, passwords, access codes, or other relevant procedures provided by Vendor to Customer to access the Services, which may include, without limitation use of the IonQ API.

1.2 Affiliate(s)

“Affiliate(s)” means any entity that directly or indirectly Controls, is Controlled by, or is under common Control with a party.

1.3 Circuit

“Circuit” means the sequence, code, and/or routine to be executed through the Services.

1.4 Compute Services/Services

“Compute Services” or “Services” means IonQ’s execution of Customer’s Jobs using the Technology.

1.5 Control

“Control” control of greater than fifty percent of the voting rights or equity interests of a party.

1.6 Customer

“Customer” means the person or entity that submits a Job to Vendor.

1.7 Documentation

“Documentation” means the technical materials provided by Vendor to Customer in hard copy or electronic form, including via online URL or link, describing the use and operation of the Services.

1.8 Job

“Job” means: (a) for Circuits to be run on the IonQ Quantum Technology, the Circuit to be run by the Services for the number of Shots specified by the Customer; and (b) for Circuits to be run in the IonQ simulator technology the Circuits to be run.

1.9 Job Guidelines

“Job Guidelines” means the Vendor guidelines about the type of Jobs that may be submitted through the Services that are made available at https://ionq.com/guidelines, as may be amended from time to time by Vendor in its sole discretion.

1.10 Job Request

“Job Request” means the Job request form submitted by Customer and accepted by Vendor regarding the Services.

1.11 Shots

“Shots” means the number of times the Circuit submitted by Customer will be run by the Services.

1.12 Technology

"Technology means the IonQ quantum computer, and all software, interfaces, tools, utilities and other technologies relating thereto (and any related intellectual property) that is provided by or on behalf of Vendor and used to provide the Services (the “IonQ Quantum Technology”).

2.1 Access

Subject to Customer’s compliance with the terms of this Agreement, including payment of applicable fees, Vendor will provide Customer with the ability to submit Jobs for execution through the Services using the Access Protocols made available by Vendor.

2.2 Acceptance

All Jobs are subject to acceptance or rejection by Vendor in its sole discretion. Neither entering into this Agreement nor receiving access to the Services guarantees that any particular Job, or any Job at all, will be accepted for execution by Vendor.

2.3 Provision of Compute Services

Once a Job is accepted by Vendor, Vendor will provide the Compute Services for the Job. Vendor makes no guarantees as to how long a Job will take to run or when a Job will be completed. Once a Job is completed, Vendor will promptly provide the results back to Customer.

2.4 Restrictions

Customer agrees that it will not, and will not permit any other party to: (a) allow any third party to access the Services or Documentation; (b) sublicense, lease, sell, resell, rent, loan, distribute, transfer, or otherwise allow the use of the Services or Documentation for the benefit of any third party except as expressly allowed herein; or (c) access or use the Services or Documentation for the purpose of developing or creating a competitive service or product.

3.1 Customer Materials

Customer hereby grants Vendor a non-exclusive, worldwide, royalty-free, and fully-paid license to use all code, algorithms, data, instructions, and other materials provided by Customer (“Customer Data”) in connection with the provisions of the Services. As between the parties, Customer owns all right, title, and interest in the Customer Data.

3.2 Customer Responsibility and Obligations

Customer may not share any Access Protocols issued to or on behalf of Customer or access the Services for any other party. Customer (not Vendor) will be liable for any activities undertaken, or omissions made, by anyone using its Access Protocols. Customer will immediately notify Vendor of any unauthorized use of its Access Protocols or any breach of security relating to the Services known to Customer. Furthermore, Customer shall ensure that all Jobs, Customer Data, and applications used by Customer in connection with the Services comply with this Agreement, all applicable laws, the Documentation, and Job Guidelines. Customer is also responsible for obtaining and maintaining any required consents necessary to permit the processing of Customer Data under this Agreement. Customer will not disclose to any third party the results of any survey, benchmark test or other evaluation of the Services or the Technology except with Vendor’s prior written consent. Vendor is not obligated to back up any Customer Data, and Customer is solely responsible for creating backup copies of any Customer Data and any results of the Services obtained by Customer, at Customer’s sole cost and expense. Customer shall have the sole responsibility for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Customer Data. Vendor makes no guarantees as to which version of the Technology any given Job will be run on.

3.3 Vendor Materials

Vendor owns and retains all right, title and interest (including, but not limited to, all copyright and patent rights) in the Services, Technology, and Documentation, and Vendor reserves all rights to the foregoing that are not expressly granted herein. No other license or right of any kind (express or implied) is granted to Customer by Vendor in or to the Services, Documentation, Technology, or any part thereof.

3.4 Feedback

Customer hereby grants Vendor a royalty-free, worldwide, transferable, sub-licensable, irrevocable, perpetual license to use or incorporate in the Services any suggestions, enhancement requests, recommendations or other feedback provided by Customer relating to the Services (“Feedback”).

3.5 Usage Data

The parties acknowledge and agree that Vendor may collect usage data relating to Customer’s use of the Services. Vendor will own all rights in such data and may use such data for any purpose (including, but not limited to, providing the Services and Technology, and troubleshooting, auditing, and improving the Services and Technology), provided that if Vendor provides such data to a third party it will aggregate and anonymize such data so that Customer cannot be identified as the source of such data. In no event, will such usage data contain the details of the Job (e.g., the code or algorithms sent by Customer or the results thereof).

3.6 Data Processing Addendum

Unless a separate agreement covering the subject matter of this Agreement is entered into by the parties that specifically references the Data Processing Addendum, each party will comply with the Data Processing Addendum attached to this Agreement as Attachment 1. The Data Processing Addendum is incorporated into this Agreement by reference.

3.7 Security

Vendor will implement reasonable technical and organizational safeguards designed to protect Customer Data against unauthorized loss, destruction, alteration, access, or disclosure.

3.8 Third Party Materials

As a part of the Services, Customer may have access to materials that are hosted by another party. Customer agrees that it is not possible for Vendor to monitor such materials and that Customer’s access to these materials is at Customer’s risk.

3.9 Open Source Software

Certain items of software may be provided to Customer with the Services and are subject to “open source” or “free software” licenses (“Open Source Software”). Some of the Open Source Software is owned by third parties. The Open Source Software is not subject to the terms and conditions of Sections 3.1 or 6.1. Instead, each item of Open Source Software is licensed under the terms of the end-user license that accompanies such Open Source Software. Nothing in this Agreement limits Customer’s rights under, or grants Customer rights that supersede, the terms and conditions of any applicable end user license for the Open Source Software. If required by any license for particular Open Source Software, Vendor makes such Open Source Software, and Vendor’s modifications to that Open Source Software, available by written request at the notice address set forth below.

3.10 DMCA

Vendor provides information to help copyright holders manage their intellectual property online, but Vendor cannot determine whether something is being used legally without input from the copyright holders. Vendor will respond to notices of alleged copyright infringement and may terminate repeat infringers in appropriate circumstances as required to maintain safe harbor for online service providers under the U.S. Digital Millennium Copyright Act. If Customer believes a person or entity is violating Customer’s copyrights, Customer can notify Vendor at Vendor’s notice address described in Section 10.7 (Notice).

3.11 Publication

Customer agrees to provide Vendor with a reasonable opportunity to review and comment on any article or other publication, whether in digital or printed form, regarding the Compute Services, Technology or the execution of Customer’s Jobs prior to the publication of such article or other publication. Vendor may object to such publication if Vendor deems such article or publication may: (a) result in the inadvertent disclosure of Vendor’s confidential or trade secret information, and/or (b) includes an inaccuracy relating to the algorithm or the optimization of the algorithm utilized for the Compute Services requested by the Customer. The Customer further agrees that Customer will not publish the results of any Compute Services provided by Vendor for the Customer, without Vendor’s prior written consent, which shall not be unreasonably withheld.

3.12 Publicity

If requested by Vendor, Customer agrees to cooperate in good faith with Vendor on a press release or similar marketing materials following execution of this Agreement and agrees to allow Vendor to list (using Customer’s name and/or Customer’s logo, as determined by Vendor) Customer as a customer on Vendor’s website.

4.1 Definition

“Confidential Information” means any nonpublic information of a party (the “Disclosing Party”), whether disclosed orally or in written or digital media, that is identified as “confidential” or with a similar legend at the time of such disclosure or that the receiving party (the “Receiving Party”) knows or should have known is the confidential or proprietary information of the Disclosing Party. The Services, Documentation, and Technology, and all enhancements and improvements thereto will be considered Confidential Information of Vendor. The Jobs and Customer Data will be considered the Confidential Information of Customer.

4.2 Protection of Confidential Information

The Receiving Party agrees that it will not use or disclose to any third party any Confidential Information of the Disclosing Party, except as expressly permitted under this Agreement. The Receiving Party will limit access to the Confidential Information to those employees or contractors who have a need to know, who have confidentiality obligations no less restrictive than those set forth herein, and who have been informed of the confidential nature of such information. In addition, the Receiving Party will protect the Disclosing Party’s Confidential Information from unauthorized use, access, or disclosure in the same manner that it protects its own proprietary information of a similar nature, but in no event with less than reasonable care. At the Disclosing Party’s request or upon termination or expiration of this Agreement, the Receiving Party will return to the Disclosing Party or destroy (or permanently erase in the case of electronic files) all copies of the Confidential Information of the Disclosing Party, and the Receiving Party will, upon request, certify to the Disclosing Party its compliance with this sentence.

4.3 Exceptions

The confidentiality obligations set forth in Section 4.2 will not apply to any information that (a) is at the time of disclosure or becomes generally available to the public through no fault of the Receiving Party; (b) is rightfully provided to the Receiving Party without restriction by a third party who is free of any confidentiality duties or obligations; (c) was already rightfully known to the Receiving Party at the time of disclosure free of any confidentiality duties or obligations; or (d) the Receiving Party can demonstrate, by clear and convincing evidence, was independently developed by employees and contractors of the Receiving Party who had no access to the Confidential Information. In addition, the Receiving Party may disclose Confidential Information to the extent that such disclosure is necessary for the Receiving Party to enforce its rights under this Agreement or is required by law or by the order of a court or similar judicial or administrative body, provided that (to the extent legally permissible) the Receiving Party promptly notifies the Disclosing Party in writing of such required disclosure and cooperates with the Disclosing Party if the Disclosing Party seeks an appropriate protective order.

5.1 Fees and Payment

Unless otherwise agreed to in a Job Request, Customer shall pay Vendor the fees for Jobs and Shots as set forth in the Vendor pricing identified when placing the Jobs (the “Fees”). Non-payment or late payment of undisputed fees are material breaches of this Agreement. If any amount is past due more than thirty (30) days, Customer shall pay interest on the overdue balance at the rate of 1% per month or the maximum permitted by law, whichever is less, plus all expenses of collection. Vendor shall be entitled to withhold performance and discontinue service until all amounts due are paid in full.

5.2 Taxes

The Fees are exclusive of all applicable sales, use, value-added and other taxes, and all applicable duties, tariffs, assessments, export and import fees, or other similar charges, and Customer will be responsible for payment of all such taxes (other than taxes based on Vendor’s income), fees, duties, and charges and any related penalties and interest, arising from the payment of the Fees or the provision of the Services to Customer. Customer will make all payments of Fees to Vendor in USD and free and clear of, and without reduction for, any withholding taxes; any such taxes imposed on payments of Fees to Vendor will be Customer’s sole responsibility, and Customer will provide Vendor with official receipts issued by the appropriate taxing authority, or such other evidence as the Vendor may reasonably request, to establish that such taxes have been paid. Customer shall indemnify and defend Vendor in connection with any proceedings brought by any taxing authorities in connection with this Agreement.

6.1 Vendor Warranty

Vendor represents and warrants that it will provide the Services in a professional and workmanlike manner and that the Services will conform with the Documentation provided for that Services. Vendor does not guarantee that a given Job will return any results or expected results. Customer is responsible for creating the Job and Vendor is only responsible for running the accepted Jobs as submitted by Customer on Vendor Technology as part of the Services.

6.2 Customer Warranty

By submitting a Job and/or any Customer Data to the Services, Customer represents and warrants that (a) Customer has all necessary rights (including the necessary rights from any end users) to grant Vendor the licenses set forth herein with respect to such Job and Customer Data; (b) the Job and Customer Data shall not (i) misappropriate any trade secret; (ii) be deceptive, libelous, obscene, unlawful, or otherwise objectionable; (iii) contain any viruses, worms or other malicious computer programming codes intended to damage Vendor’s system or data; or (iv) violate any applicable laws; and (c) the Job and Customer Data comply with all applicable laws, rules, regulations, and Job Guidelines in effect at the time of such submission.

6.3 DISCLAIMER

THE PARTIES ACKNOWLEDGE THAT THE SERVICES AND TECHNOLOGY ARE EXPERIMENTAL IN NATURE AND THAT THE DOCUMENTATION, TECHNOLOGY, AND SERVICES ARE PROVIDED “AS IS.” VENDOR MAKES NO (AND HEREBY DISCLAIMS ALL) REPRESENTATIONS AND WARRANTIES, WHETHER WRITTEN, ORAL, EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. IONQ DOES NOT WARRANT THAT ANY ERRORS CAN BE CORRECTED, OR THAT OPERATION OF THE SERVICES SHALL BE UNINTERRUPTED OR ERROR-FREE. SOME STATES AND JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SOME OF THE ABOVE LIMITATIONS MAY NOT APPLY TO CUSTOMER.

7.1 Limits on Liability

IN NO EVENT WILL (A) EITHER PARTY BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE, OR OTHER INDIRECT DAMAGES (INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOST DATA) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR ITS PERFORMANCE HEREUNDER; AND (B) EITHER PARTY’S LIABILITY TO THE OTHER AS A RESULT OF ANY CLAIM ARISING UNDER THIS AGREEMENT, REGARDLESS OF WHETHER SUCH CLAIM IS BASED ON BREACH OF CONTRACT, TORT, STRICT LIABILITY, OR ANY OTHER THEORY OF LIABILITY, EXCEED THE AMOUNT PAID BY CUSTOMER IN THE TWELVE (12) MONTHS PRIOR TO THE OCCURRENCE OF THE ACT OR OMISSION GIVING RISE TO SUCH CLAIM. SOME STATES AND JURISDICTIONS DO NOT ALLOW FOR THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION AND EXCLUSION MAY NOT APPLY TO CUSTOMER.

7.2 Basis of the Bargain

The parties agree that the limitations of liability set forth in this section shall survive and continue in full force and effect despite any failure of consideration or of an exclusive remedy. The parties acknowledge that the Fees have been set and the Agreement entered into in reliance upon these limitations of liability and that all such limitations form an essential basis of the bargain between the parties.

8.1 Term

This Agreement shall apply to any Jobs submitted to Vendor until such time as the terms have changed as contemplated above (“Term”).

10.1 Independent Contractors

The parties are independent contractors and nothing in this Agreement shall be deemed to create any partnership, joint venture or agency relationship between the parties. Neither party is, nor will either party hold itself out to be, vested with any power or right to bind the other party contractually or act on behalf of the other party as a broker, agent or otherwise.

10.2 Entire Agreement

This Agreement, together with all Job Requests, contains the entire agreement of the parties with respect to its subject matter and supersedes any prior or contemporaneous understandings or communications (oral or written) regarding such subject matter. This Agreement, and any order, may be modified only by a written amendment executed by an authorized representative of each party. In the event of a conflict between the terms in an order and this Agreement, the terms contained in this Agreement shall control unless otherwise expressly stated in the order.

10.3 Severability

In the event any provision of this Agreement is held by a court of law or other governmental agency to be void or unenforceable, such provision shall be changed and interpreted so as to best accomplish the objectives of the original provision to the fullest extent allowed by law, and the remaining provisions shall remain in full force and effect.

10.4 Assignment

Neither party shall assign this Agreement without the other party’s prior written consent, which shall not be unreasonably withheld. Notwithstanding the foregoing, either party may assign this Agreement without the other party’s consent to a successor of its business or assets to which this Agreement relates pursuant to a merger, consolidation, reorganization or sale of substantially all of its assets or stock related to this Agreement. This Agreement shall be binding upon and inure to the benefit of the parties and their successors and permitted assigns.

10.5 Force Majeure

Vendor shall not be deemed to be in breach of this Agreement for any failure or delay in performance caused by reasons beyond its reasonable control, including, but not limited to, any failure, disruptions or issues related to any third party services or acts, or any acts of God, war, terrorism, strikes, failure of suppliers, fires, floods or earthquakes.

10.6 Export Control

The use of the Services is subject to U.S. export control laws and may be subject to similar regulations in other countries. Customer agrees to comply with all such laws.

10.7 Notice

Any notice given under this Agreement shall be in writing and shall be effective (i) upon receipt or refusal if (a) delivered by hand or (b) sent via overnight mail by a nationally recognized express delivery service; or (ii) sent via U.S. mail, postage prepaid, certified mail return receipt requested, when addressed to the address set forth below (or to such other address that a party may specify in a notice given under this Section).

10.8 Waivers

No delay or omission to exercise any right or remedy accruing to either party hereunder shall impair that right or remedy or be construed to be a waiver of any breach or default. No waiver of any provision of this Agreement shall be valid unless in writing and signed by the waiving party.

1.1 Terms defined in the Agreement apply to this Addendum. In addition, in this Addendum:

• “Alternative Transfer Solution” means a solution, other than the Model Contract Clauses, that enables the lawful transfer of personal data to a third country in accordance with European Data Protection Law.
• “Customer Personal Data” means the personal data contained within the Customer Data.
• “Data Incident” means a breach of Vendor’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by Vendor.
• “EEA” means the European Economic Area.
• “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
• “European Data Protection Law” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).
• “European or National Law” means, as applicable: (a) EU or EU Member State law (if the EU GDPR applies to the processing of Customer Personal Data); and/or (b) the law of the UK or a part of the UK (if the UK GDPR applies to the processing of Customer Personal Data).
• “GDPR” means, as applicable: (a) the EU GDPR; and/or (b) the UK GDPR.
• “Model Contract Clauses” mean the Standard Contractual Clauses for Processors approved by the European Commission for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
• “Non-European Data Protection Law” means data protection or privacy laws in force outside the European Economic Area, Switzerland and the UK.
• “Subprocessor” means a third party authorized as another processor under this Addendum to have logical access to and process Customer Data to provide parts of the Service and support.
• “UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, if in force.

1.2 The terms “personal data”, “data subject”, “processing”, “controller” and “processor” as used in this Addendum have the meanings given in the GDPR irrespective of whether European Data Protection Law or Non-European Data Protection Law applies.

3.1 Application of European Law.

The parties acknowledge that European Data Protection Law will apply to the processing of Customer Personal Data if, for example:

3.2 Application of Non-European Law

The parties acknowledge that Non-European Data Protection Law may also apply to the processing of Customer Personal Data.

3.3 Application of Terms

Except to the extent this Addendum states otherwise, this Addendum will apply irrespective of whether European Data Protection Law or Non-European Data Protection Law applies to the processing of Customer Personal Data.

4.1 Roles and Regulatory Compliance; Authorization

4.2 Scope of Processing

5.1 Deletion by Customer

Vendor will enable Customer to delete Customer Data during the Term in a manner consistent with the functionality of the Service. If Customer uses the Service to delete any Customer Data during the Term and that Customer Data cannot be recovered by Customer, this use will constitute an instruction to Vendor to delete the relevant Customer Data from Vendor’s systems in accordance with applicable law.

5.2 Deletion on Termination

On expiry of the Term, Customer instructs Vendor to delete all Customer Data (including existing copies) from Vendor’s systems in accordance with applicable law. This requirement will not apply: (a) to the extent Vendor is required by applicable law to retain some or all of the Customer Data, or (b) to Customer Data that Vendor has archived on back-up systems, which Customer Data Vendor will securely isolate and protect from any further processing, except to the extent required by law.

6.1 Vendor’s Security Measures, Controls and Assistance

6.2 Data Incidents

Vendor will notify Customer promptly and without undue delay after becoming aware of a Data Incident, and promptly take reasonable steps to minimize harm and secure Customer Data. Vendor’s notification of a Data Incident will describe, to the extent possible, the nature of the Data Incident, the measures taken to mitigate the potential risks and the measures Vendor recommends Customer take to address the Data Incident.

6.3 Customer’s Security Responsibilities

Without prejudice to Vendor’s obligations under Sections 6.1 (Vendor’s Security Measures, Controls and Assistance) and 6.2 (Data Incidents), and elsewhere in the Agreement, Customer is responsible for its use of the Service and its storage of any copies of Customer Data outside Vendor’s or its Subprocessors’ systems, including: (a) protecting the security of Customer Data when in transit to and from the Service; (b) securing the account authentication credentials, systems and devices Customer uses to access the Service; and (c) backing up its Customer Data as appropriate.

6.4 Customer’s Audit Rights

Upon Customer’s request, and subject to the confidentiality obligations of the Agreement, Vendor will make available to Customer (or Customer’s independent, third-party auditor) information regarding Vendor’s compliance with the security obligations specified in this Addendum in the form of third-party certifications and audit reports (such certifications and reports the “Security Documentation”). Customer agrees that Vendor’s compliance with Section 6.1 (Vendor’s Security Measures, Controls and Assistance) will fulfil any audit cooperation responsibilities that may apply to Vendor under Data Protection Laws.

8.1 Access

During the Term, Vendor will enable Customer, in a manner consistent with the functionality of the Service, to access, rectify and restrict processing of Customer Data, including via the deletion functionality provided by Vendor as described in Section 5.1 (Deletion by Customer), and to export Customer Data.

8.2 Customer Responsibility for Data Subject Requests

During the Term, if Vendor receives a request from a data subject relating to Customer Personal Data, and the request identifies Customer, Vendor will advise the data subject to submit their request to Customer. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Service.

8.3 Vendor’s Data Subject Request Assistance

Vendor will (taking into account the nature of the processing of Customer Personal Data) assist Customer in fulfilling its obligations under Chapter III of the GDPR to respond to requests for exercising the data subject’s rights by: (a) complying with Sections 8.1 (Access) and 8.2 (Customer’s Responsibility for Data Subject Requests); and (b) if subsections (a) and (b) above are insufficient for Customer to comply with such obligations, upon Customer’s request, providing additional reasonable assistance.

9.1 Data Storage and Processing Facilities

Vendor may store and process Customer Data anywhere Vendor or its Subprocessors maintain data processing operations.

9.2 Transfers of Data

9.3 Disclosure of Confidential Information Containing Personal Data

If the Model Contract Clauses apply as described in Section 9.2 (Transfers of Data), Vendor will, notwithstanding any term to the contrary in the Agreement, ensure that any disclosure of Customer’s Confidential Information containing personal data, and any notifications relating to any such disclosures, will be made in accordance with such Model Contract Clauses.

10.1 Consent to Subprocessor Engagement

Customer authorizes the engagement as Subprocessors of: (a) those entities listed at URL provided by the Vendor on the Listing, as may be updated by Vendor from time to time in accordance with this Addendum; and (b) all other Vendor Affiliates from time to time. In addition, without prejudice to Section 10.3 (Opportunity to Object to Subprocessor Changes), Customer generally authorizes the engagement as Subprocessors of any other third parties (each, a “New Third Party Subprocessor”).

10.2 Requirements for Subprocessor Engagement

When engaging any Subprocessor, Vendor will:

10.3 Opportunity to Object to Subprocessor Changes

11.1 Liability Cap

The total combined liability of either party and its Affiliates towards the other party and its Affiliates under or in connection with the Agreement, including this Addendum and the Model Contract Clauses as applicable, combined will be subject to any limitation of liability provisions (including any agreed aggregate financial cap) that apply under the Agreement.

11.2 Liability Cap Exclusions

Nothing in Section 11.1 (Liability Cap) will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).

1.1 Access Controls

Customer’s administrators and end users must authenticate themselves via a central authentication system or via a single sign on system to use the Service.

1.2 Encryption

Vendor makes encryption available.

1.3 Storage and Sharing

Vendor stores data in a multi-tenant environment. Subject to any Customer instructions to the contrary, Vendor replicates Customer Data between multiple geographically dispersed data centers. Vendor also logically isolates Customer Data, and logically separates each end user’s data from the data of other end users, and data for an authenticated end user will not be displayed to another end user (unless the former end user or an administrator allows the data to be shared). Customer will be given control over specific data sharing policies. Those policies, in accordance with the functionality of the Service, will enable Customer to determine the product sharing settings applicable to end users for specific purposes.

1.4 Network

1.5 Incident Response

Vendor monitors a variety of communication channels for security incidents, and Vendor’s security personnel will react promptly to known incidents.

2.1 Infrastructure Security Personnel

Vendor has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Vendor’s infrastructure security personnel are responsible for the ongoing monitoring of Vendor’s security infrastructure, the review of the Service, and responding to security incidents.

2.2 Vendor Personnel

Vendor personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Vendor conducts reasonably appropriate backgrounds checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations. Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Vendor’s confidentiality and privacy policies. Personnel are provided with security training. Personnel handling Customer Data are required to complete additional requirements appropriate to their role (e.g., certifications). Vendor’s personnel will not process Customer Data without authorization.

2.3 Internal Data Access Processes and Policies – Access Policy

Vendor’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. Vendor designs its systems to: (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing. The systems are designed to detect any inappropriate access. Vendor employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. Vendor’s authentication and authorization systems are designed to provide Vendor with secure and flexible access mechanisms. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. Vendor requires the use of unique user IDs, strong passwords, two factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis. The granting or modification of access rights must also be in accordance with Vendor’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented. These standards include restrictions on password reuse and sufficient password strength.