LAST UPDATED: MARCH 2, 2022
"Effective Date" the effective date of the Order Form referencing this Agreement.
The Order Form and this MSA, Data Security Exhibit, Service Level Agreement, and Data Portability Exhibit, collectively "Exhibits",describe the terms and conditions under which Very Good Security Inc., with an address of 207 Powell St. Floor 2, San Francisco, CA 94102 ("VGS") agrees to provide Customer the services described in each Exhibit. By execution of the Order Form incorporating this Agreement, both VGS and Customer, collectively "Parties", hereby agree to be governed by the Exhibits attached hereto, unless otherwise agreed to by the parties in writing.
The Terms and Conditions, Data Security Exhibit, Service Level Agreement, Data Portability Exhibit, Order Form and any other applicable Exhibits attached hereto set forth the entire understanding of the parties with respect to the subject matter described herein and constitute the entire agreement ("Agreement") between the parties. By signing the incorporating Order Form, Customer and Very Good Security hereby agree as follows:
These Terms and Conditions will apply to Customer's use of Very Good Security's tokenization services, professional services, content, products and offline components ("Services") ordered by Customer pursuant to an ordering document (including this Agreement as well as any online form) specifying the Services to be provided hereunder and related payment terms and/or order form ("Order") or used in a sandbox environment pursuant to Section 2 below. These Terms and Conditions, the attached Service Level Agreement and Data Security exhibits, and all Orders (collectively referred to as this "Agreement") represent the parties\' entire understanding regarding the Services and will control over any different or additional terms of any purchase order or other non-Very Good Security ordering document, and no terms included in any such purchase order or other non-Very Good Security ordering document will apply to the Services. In the event of a conflict between these Terms and Conditions and an Order, the terms of the Order will control. All capitalized terms not defined herein will have the meanings attributed in the Order.
VGS provides a sandbox environment for Customer free of charge (though specific services like IP anonymization may have caps) solely for the purposes of testing. Sensitive data or critical workflows should not be utilized with this sandbox. If Customer uses the Services in a sandbox environment provided by Very Good Security, additional terms and conditions related to such sandbox environment may appear on the web page(s) for such Services. Any such additional terms and conditions are incorporated into this Agreement by reference and are legally binding. NOTWITHSTANDING ANYTHING CONTAINED HEREIN, ALL SERVICES PROVIDED IN A SANDBOX ENVIRONMENT ARE PROVIDED "AS-IS" WITHOUT ANY REPRESENTATIONS, SERVICE LEVEL AGREEMENTS, WARRANTIES OR INDEMNITIES, AND VERY GOOD SECURITY WILL HAVE NO LIABILITY ARISING OUT OF CUSTOMER'S USE OF SUCH SERVICES.
During the Subscription Term set forth in an Order, Very Good Security grants to Customer a nontransferable, nonexclusive, worldwide right to permit those individuals authorized by Customer or on Customer's behalf, and who are Customer's employees, agents or contractors ("Users"), to access and use the Services subject to the terms of this Agreement. Each Order may define specific usage rights ("Usage Rights"), and Customer will at all times ensure that its use does not exceed its Usage Rights.
Customer will not, directly or indirectly: (i) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas or algorithms of the Services or any software, documentation or data related to or provided with the Services ("Software"); (ii) modify, translate, or create derivative works based on the Services or Software; or copy (except for archival purposes), rent, lease, distribute, pledge, assign, or otherwise transfer or encumber rights to the Services or Software; (iii) use or access the Services to build or support, and/or assist a third party in building or supporting, products or services competitive to Very Good Security; (iv) remove any proprietary notices or labels from the Services or Software; or (v) otherwise use the Services or Software outside of the scope of the rights granted in Section 3. Customer will use the Services and Software only for its own business operations, and not otherwise outside of the scope of the express rights granted herein.
Customer will not knowingly or willfully use the Services in any manner that could damage, disable, overburden, impair or otherwise interfere with Very Good Security's provision of the Services. Customer will be responsible for maintaining the security of its equipment and account access passwords. Customer represents and warrants that Customer will use the Services only in compliance with applicable laws and regulations. Customer will be liable for all acts and omissions of its Users.
Very Good Security may immediately suspend Customer's password, account, and access to the Services if (i) Customer fails to make payment due within ten business days after Very Good Security has provided Customer with notice of such failure; (ii) Customer violates Section 3, 4, or 11 of these Terms and Conditions, or (iii) if it detects suspicious activity. Any suspension by Very Good Security of the Services under the preceding sentence will not relieve Customer of its payment obligations under this Agreement. Once any issues are resolved, VGS will immediately restore access. Removal of access will be limited to affected/misused accounts and will not suspend Services unless 4.3(i) is not resolved or 4.3(ii) is detected across each of Customer's accounts.
Certain "free" or "open source" based software (the "FOSS Software") may be provided by Very Good Security hereunder, but is not considered part of the Software hereunder.
Very Good Security will retain ownership of all intellectual property rights in and to the Services and Software (including all derivatives or improvements thereof). Customer grants Very Good Security the unencumbered right to use and incorporate in any of its products or services any suggestions, enhancement requests, feedback, recommendations or other input provided by Customer relating to the Services or Software. Any rights not expressly granted herein are reserved by Very Good Security.
Customer will retain ownership of any data or information originated by Customer that Customer submits or provides in the course of using the Services ("Customer Data"). Very Good Security has no ownership rights in or to Customer Data. Customer will be solely responsible for the accuracy, quality, content and legality of Customer Data, the means by which Customer Data is acquired and the transfer of Customer Data outside of the Very Good Security Services. Customer Data will be deemed to be Customer Confidential Information pursuant to Section 11 below. Customer represents and warrants that it has all rights necessary to provide Very Good Security with the Customer Data and to use (including to tokenize, store and de-tokenize Customer Data) and transmit such Customer Data in order to provide the Services. Customer is responsible for the security of Customer Data that is stored on Customer's website or application or based on Customer's configuration of the Services. Upon request by Customer, Very Good Security agrees to promptly delete Customer Data specified in Customer's request.
Customer will pay all fees set forth in this Agreement. In entering into this Agreement Customer will provide Very Good Security with information regarding Customer's payment instrument. Customer represents and warrants that such information is true and that Customer is authorized to use the payment instrument, and Customer will promptly update its account information with any changes that may occur. To the extent any amounts are to be paid in advance, Customer authorizes Very Good Security to bill Customer's payment instrument in advance in accordance with the terms of the applicable payment plan, and Customer agrees to pay any charges so incurred.
All fees are non-cancelable and nonrefundable, except as expressly specified in Section 8.2. All fees are exclusive of taxes, levies, or duties imposed by taxing authorities, and Customer will be responsible for payment of all such taxes, levies, or duties (excluding taxes based on Very Good Security's income), even if such amounts are not listed on an Order or Invoice. Customer will pay all fees in U.S. Dollars or in such other currency as agreed to in writing by the parties.
All amounts invoiced hereunder are due and payable as specified in the Order, if not specified therin they are due net thirty (30) days from invoice date. Unpaid invoices that are not the subject of a written good faith dispute are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all reasonable expenses of collection.
If at any time Very Good Security determines that Customer is exceeding the Usage Rights, Very Good Security reserves the right to charge and Customer agrees to pay Very Good Security's then-current usage fees for such overage.
This Agreement will commence as of the date set forth in this Agreement (the "effective date"). Unless earlier terminated as set forth below, this agreement will remain in effect through the end of the Subscription Term in any current Order. If a subscription is purchased or any additional Order is purchased, the Subscription Term will automatically renew for additional successive periods of time equal to the length of the original Subscription Term ("Term") (e.g., if the Subscription Term is a year, it will automatically renew for additional year). Renewal will be at prices to be determined then and services/usage quotas will be the same as the quotas provided in the latest month of the then-current term, unless either party provides written notice of non-renewal at least thirty (30) days prior to the end of the then-current term. All sections of this Agreement which by their nature should survive termination will survive, including without limitation, accrued rights to payment, use restrictions and indemnity obligations, confidentiality obligations, warranty disclaimers, and limitations of liability.
In the event of a material breach by either party, the non-breaching party will have the right to terminate the applicable Order for cause if such breach has not been cured within 30 days of written notice from the non-breaching party specifying the breach in detail. If Very Good Security terminates an Order for Customer's material breach, all fees set forth on such Order are immediately due and payable. In addition, either party may terminate Customer's access to any sandbox environment for the Services at any time without notice.
Upon any termination or expiration of an Order, Customer's right to access and use the Services covered by that Order will terminate. Notwithstanding the foregoing, at Customer's request if received within 30 days of termination of the Order, Very Good Security will permit Customer to access the Services solely to the extent necessary for Customer to retrieve a file of Customer Data then in Very Good Security's possession. Customer acknowledges and agrees that Very Good Security has no obligation to retain Customer Data and that Very Good Security will have the right to irretrievably delete and destroy Customer Data after 30 days following the termination of this Agreement. Any outstanding remaining amount of fees and charges regarding the Order or Subscription Term must be paid in full as governed by the terms of this Agreement.
Provided this Agreement is not terminated by VGS pursuant to Section 7.1, Section 7.3 or Entity terminates for cause pursuant to Section 7.2, VGS will continue to provide Services to Customer accounts in existence on the date of termination, pursuant to Section 7.3, commencing on the date of termination of this Agreement and continuing thereafter for three (3) months (the "Extended Service Period"); further, the provision of these extended services shall require prompt payment of three (3) months worth of fees and charges covered by the Order. Further, the Parties may agree in writing to extend the term of the Extended Service Period.
Each party represents and warrants to the other party that it has the power and authority to enter into this Agreement. Very Good Security warrants to Customer that it will (a) perform the Services substantially in accordance with its documentation under normal use; and (b) provide the Services in a manner consistent with generally accepted industry standards. Customer must notify Very Good Security of any warranty deficiencies within 30 days from performance of the relevant Services in order to receive warranty remedies.
For breach of the express warranty set forth above, Customer\'s exclusive remedy will be the re-performance of the deficient Services. If Very Good Security cannot re-perform such deficient Services as warranted, Customer will be entitled to recover a pro-rata portion of the unused fees paid to Very Good Security for such deficient Services, and such refund will be Very Good Security\'s entire liability.
Very Good Security represents and warrants that: (a) it does, and will continue to throughout the term of this Agreement including without limitation to any renewal Term, implement, maintain and use technical, physical and administrative safeguards to protect all Customer Data that are at least as rigorous as accepted industry practices and standards for information security, and as required under all applicable privacy and data security laws; (b) the Software will not contain any virus, worm, trap door, back door, Trojan horse, malicious code, or other limiting routine, instruction, or design that would erase data, provide unauthorized access or disrupt Customer's system from operating as intended; (c) it will comply with all applicable laws, rules and regulations with respect to privacy or data security; and (d) without limiting any other provision of this Agreement, it is, and will continue to be throughout the Term, fully compliant with a current applicable PCI Data Security Standard ("PCI DSS"), including without limitation establishing, implementing and maintaining a comprehensive information security program that assures Very Good Security and its personnel's compliance with the foregoing. Very Good Security shall promptly provide, at the request of the Company, current certification of compliance with the PCI DSS by an authority commonly recognized by the payment card industry for such purpose, on at least an annual basis. Very Good Security shall undergo regular audits as prescribed by the PCI DSS board and shall provide Customer with access to findings of such audits, and Very Good Security shall immediately notify Customer of any significant security risks or changes identified as a result of such audits. Very Good Security shall at all times during the Term limit access to Customer Data to those employees, authorized agents, contractors, consultants, service providers and subcontractors who have a need to such access in order for Very Good Security to perform its obligations under this Agreement (collectively, "Authorized Persons"). Very Good Security shall ensure that each Authorized Person is aware of the requirements of Very Good Security's internal security measures and the terms and conditions of this Agreement and shall secure a legally binding agreement from each Authorized Person to comply therewith prior to permitting such Authorized Person to access Customer Data. Very Good Security shall be responsible for, and remain liable to, Customer for the actions and omissions of all Authorized Persons relating to Customer Data as if they were Very Good Security's own actions and omissions and shall periodically review whether each Authorized Persons continues to need access in order for Very Good Security to perform its obligations under this Agreement. Without limiting the foregoing, Very Good Security agrees it will, throughout the Term, comply with the Very Good Security Data Security Exhibit hereby attached to this Agreement and incorporated herein by this reference.
The Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, or because of other causes beyond Very Good Security's reasonable control, but Very Good Security will use reasonable efforts to provide advance notice in writing or by e-mail of any scheduled unavailability of the Services. Very Good Security shall comply with the Very Good Security Service Level Agreement hereby attached to this Agreement and incorporated herein by this reference. Very Good Security currently has and will continue to maintain industry standard insurance coverage, at its sole expense.
EXCEPT FOR THE EXPRESS WARRANTIES SET FORTH HEREIN, Very Good Security AND ITS THIRD PARTY PROVIDERS HEREBY DISCLAIM ALL EXPRESS OR IMPLIED WARRANTIES WITH REGARD TO THE SERVICES, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT AND QUALITY. Very Good Security AND ITS THIRD PARTY PROVIDERS MAKE NO REPRESENTATIONS OR WARRANTIES REGARDING THE RELIABILITY, AVAILABILITY, TIMELINESS, SUITABILITY, ACCURACY OR COMPLETENESS OF THE SERVICES OR THE RESULTS CUSTOMER MAY OBTAIN BY USING THE SERVICES. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, Very Good Security AND ITS THIRD PARTY PROVIDERS DO NOT REPRESENT OR WARRANT THAT (A) THE OPERATION OR USE OF THE SERVICES WILL BE TIMELY, UNINTERRUPTED OR ERROR-FREE; OR (B) THE QUALITY OF THE, SERVICES WILL MEET CUSTOMER\'S REQUIREMENTS. CUSTOMER ACKNOWLEDGES THAT NEITHER Very Good Security NOR ITS THIRD PARTY PROVIDERS CONTROLS THE TRANSFER OF DATA OVER COMMUNICATIONS FACILITIES, INCLUDING THE INTERNET, AND THAT THE SERVICES MAY BE SUBJECT TO LIMITATIONS, DELAYS, AND OTHER PROBLEMS INHERENT IN THE USE OF SUCH COMMUNICATIONS FACILITIES. Very Good Security IS NOT RESPONSIBLE FOR ANY DELAYS, DELIVERY FAILURES, OR OTHER DAMAGE RESULTING FROM SUCH PROBLEMS. EXCEPT WHERE EXPRESSLY PROVIDED OTHERWISE BY Very Good Security, THE SERVICES ARE PROVIDED TO CUSTOMER ON AN "AS IS" BASIS.
Customer will defend, indemnify, and hold harmless Very Good Security and its officers, directors, employees, agents, affiliates, successors and permitted assigns (collectively, "VGS Indemnified Party") from and against any Losses (as defined below), arising from any third party claim against VGS Indemnified Party resulting from any breach by Customer of this Agreement or any use of the Services in violation of any law or regulation. Very Good Security will defend, indemnify, and hold harmless Customer and its officers, directors, employees, agents, affiliates, successors and permitted assigns (collectively, "Customer Indemnified Party") against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including attorneys' fees, payable to a third party by Indemnified Party (collectively, "Losses"), arising out of any third party claim against Customer Indemnified Party resulting from Very Good Security's or its agents' collection, processing, storage, use, transmission or destruction of Confidential Information, including, but not limited to, a suspected or actual Incident (as defined in the Very Good Security Data Security Exhibit attached to this Agreement), in each case resulting from Very Good Security's breach of Sections 8.3 or 11 of this Agreement. The indemnified party shall (a) give written notice to the indemnifying party promptly after learning of such claim, (b) tender the defense of the claim to the indemnifying party, (c) provide the indemnifying party with reasonable assistance, at the indemnifying party's expense, in connection with the defense of such claim, and (d) not settle any such claim without the prior written consent of the indemnifying party.
EXCEPT FOR VERY GOOD SECURITY'S BREACH OF SECTIONS 8.3 OR 11 OF THIS AGREEMENT, OR VERY GOOD SECURITY'S INDEMNIFICATION OBLIGATIONS UNDER SECTION 9, OR VERY GOOD SECURITY'S OBLIGATIONS UNDER SECTION 3 OF THE VERY GOOD SECURITY DATA SECURITY EXHIBIT ATTACHED TO THIS AGREEMENT (COLLECTIVELY, THE "SPECIAL LIABILITIES"), VERY GOOD SECURITY WILL NOT BE LIABLE UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY: (A) FOR ERROR OR INTERRUPTION OF USE, INACCURACY OR COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICE OR TECHNOLOGY OR LOSS OF BUSINESS; (B) FOR ANY INDIRECT, EXEMPLARY, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES; (C) FOR ANY MATTER BEYOND ITS REASONABLE CONTROL, EVEN IF IT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE; OR (D) FOR ANY AMOUNTS THAT, TOGETHER WITH AMOUNTS ASSOCIATED WITH ALL OTHER CLAIMS, EXCEED THE FEES PAID BY CUSTOMER IN THE PRECEEDING 3 MONTHS. WITH RESPECT TO THE SPECIAL LIABILITIES, VERY GOOD SECURITY'S AGGREGATE LIABILITY WILL NOT EXCEED ONE MILLION DOLLARS (US $1,000,000).
Each party (the "Receiving Party") understands that the other party (the "Disclosing Party") has disclosed or may disclose information relating to the Disclosing Party's business (hereinafter referred to as "Confidential Information" of the Disclosing Party). The Receiving Party agrees: (i) without limiting any other provision of this Agreement, to take reasonable precautions to protect such Confidential Information; and (ii) not to use (except to perform its obligations hereunder or as permitted in Section 12 below) or divulge to any third person any such Confidential Information. The Disclosing Party agrees that the foregoing will not apply with respect to any Confidential Information that the Receiving Party can document (a) is or becomes generally available to the public; or (b) was without restriction rightfully in its possession or known by it prior to receipt from the Disclosing Party; or (c) was rightfully disclosed to it without restriction by a third party; or (d) was independently developed without use of any Confidential Information of the Disclosing Party. If the Receiving Party is required by law to make any disclosure of such Confidential Information, it may do so to the extent of such requirement, provided that it first gives written notice to the Disclosing Party thereof (if legally permitted). Each party shall be responsible for any breach of its confidentiality obligations by its respective employees and agents. Upon termination of this Agreement for any reason, or upon the Disclosing Party's request at any time, the Receiving Party shall promptly return to the disclosing party all originals and copies of any of the Disclosing Party's Confidential Information and destroy all information, records and materials developed therefrom. In the event of any threatened or actual breach of this Agreement involving an unauthorized use, disclosure or retention of Confidential Information, the Disclosing Party may suffer irreparable injury not adequately compensable by money damages and for which the Disclosing Party may not have an adequate remedy available at law. Accordingly, the Parties specifically agree that the Disclosing Party shall be entitled to seek injunctive or other equitable relief to prevent or curtail any such breach, threatened or actual, without posting a bond or security and without prejudice to such other rights as may be available under this Agreement or under applicable law.
Notwithstanding anything else in this Agreement or otherwise, Very Good Security may monitor Customer's use of the Services and use Customer Data in an aggregate and anonymous manner, compile statistical and performance information related to the provision and operation of the Services, and may make such information publicly available, provided that such information does not incorporate Customer Data and/or identify Customer's Confidential Information. Very Good Security retains all intellectual property rights in such information.
Very Good Security may give notice applicable to Very Good Security's general Services customer base by means of a general notice on the Services portal, and notices specific to Customer by electronic mail to Customer's e-mail address on record in Very Good Security's account information or by written communication sent by first class mail or pre-paid post to Customer's address on record in Very Good Security's account information. If Customer has a dispute with Very Good Security, wishes to provide a notice under this Agreement, or becomes subject to insolvency or other similar legal proceedings, Customer will promptly send written notice to support@verygoodsecurity.com as well as to Very Good Security at 207 Powell St. Floor 2, San Francisco, CA 94102.
Any action, claim, or dispute related to this Agreement will be governed by California law, excluding its conflicts of law provisions, and controlling U.S. federal law. The Uniform Computer Information Transactions Act will not apply to this Agreement. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and attorneys' fees. The failure of either party to enforce any right or provision in this Agreement will not constitute a waiver of such right or provision unless acknowledged and agreed to by such party in writing.
This Agreement (including all Order(s)) represents the parties' entire understanding relating to the Services, and supersede any prior or contemporaneous, conflicting or additional communications. Customer acknowledges that this Agreement is a contract between Customer and Very Good Security, even though it may be electronic and not physically signed by Customer and Very Good Security, and it governs Customer's use of the Service and takes the place of any prior agreements between Customer and Very Good Security. This Agreement may be amended only by written agreement signed by the parties. If any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision(s) will be construed to reflect the intentions of the invalid or unenforceable provision(s), with all other provisions remaining in full force and effect.
No joint venture, partnership, employment, or agency relationship exists between Very Good Security and Customer as a result of this Agreement or use of the Services. Neither party may assign this Agreement without the prior written approval of the other, such approval not to be unreasonably withheld or delayed, provided that such approval will not be required in connection with a merger or acquisition of all or substantially all of the assets or business of the assigning party related to this Agreement. Any purported assignment in violation of this Section will be void.
Very Good Security will comply with industry standard security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption and any other organizational and technical measures appropriate to protect against unauthorized access to Customer Data), and with all applicable laws regarding data privacy. At Customer's request, but no more than on an annual basis, Very Good Security will provide Customer with an incident response policy, network security policy, and data flow diagram, in an industry standard format.
Once a year, and after any substantial change is made to Very Good Security's network infrastructure, application, or software/hardware, Very Good Security, at its sole expense, will provide an application security assessment and network vulnerability assessment (collectively, "Assessments"). Very Good Security will respond promptly to any Customer inquiries or requests related to the Assessments. The summaries of such Assessments will be made available to Customer upon request.
Very Good Security shall notify Customer of an Incident as soon as practicable, but no later than twenty-four (24) hours after Very Good Security becomes aware of it, and agrees to fully cooperate with Customer in Customer's response to such Incident, including, without limitation: (i) assisting with any investigation, (ii) providing Customer with physical access to the facilities and operations affected (to the extent possible), (iii) facilitating interviews with Very Good Security's employees and others involved in the matter, (iv) cooperating in the preparation and transmittal of any notice to be sent to third parties, and (v) making available all relevant records, logs, files, data reporting and other matters in Very Good Security's control required to comply with applicable law, regulation, industry standards or as otherwise required by Customer. Very Good Security shall use commercially reasonable efforts to remedy any Incident as soon as reasonably practicable and prevent any further Incident at Very Good Security's expense in accordance with applicable privacy rights, laws, regulations and standards. Very Good Security shall reimburse Customer for all costs required under applicable law to be incurred by Customer in responding to, and mitigating damages caused by, any Incident resulting from a breach by Very Good Security of Section 8.3 of this Agreement (including this Data Security Exhibit), including all such costs of notice and/or remediation. The incident response and indemnification obligations herein only apply to data specifically and explicitly secured by VGS. In the event of an Incident, Very Good Security shall promptly use its commercially reasonable efforts to prevent a recurrence of any such Incident. "Incident" means any act or omission that compromises either the security, confidentiality or integrity of Customer Data or the physical, technical, administrative or organizational safeguards put in place by Very Good Security that relate to the protection of the security, confidentiality or integrity of Customer Data and that results in the unauthorized access, use, disclosure or deletion of Customer Data. Very Good Security will promptly notify Customer if any notices are required under applicable law in connection with an Incident and allow Customer to assist in preparing and delivering the notices.
Very Good Security will ensure that its personnel who handle Customer Data receive an appropriate level of formal training on handling sensitive data securely. Very Good Security will require all such personnel to acknowledge in writing that they have completed their security training obligations described.
Very Good Security will maintain a written disaster recovery plan and provide documentation of the same to Customer upon request, redacted for confidential information. Very Good Security will test that plan at least annually.
Very Good Security will only share Customer Data as authorized or instructed by Customer (except as required under applicable law). Customer acknowledges, however, that Very Good Security may disclose metadata regarding Customer Data (which does not include the value of a monetary transaction) with third party service providers for the purposes of providing the Services.
Very Good Security may retain Customer Data for purposes of compliance with applicable laws, including after termination of Customer's account.
[End Data Security Exhibit]
Very Good Security will use commercially reasonable efforts to ensure that the Services are Available 99.9%, measured monthly, excluding scheduled maintenance. For purposes hereof, "Availability" or "Available" means the Services are available for access and use through the web application of the Services. Any downtime resulting from Customer's equipment or systems or service providers required by Customer, outages of utilities or other reasons beyond Very Good Security's control will be excluded from any such calculation.
In the event that Very Good Security is unable to provide the Availability objective noted above in any given calendar month, as Customer's sole remedy Customer will receive a credit on its next invoice equal to the corresponding percentage noted below of one (1) month's subscription fees for the Services for the month in which the Availability objective was not obtained.
| Services availability | Credit |
|---|---|
| Availability of 99.0% - 99.9% | 10% |
| Availability of 98.0% - 98.9% | 15% |
| Availability of 97.0% - 97.9% | 20% |
| Availability of 95.0% - 96.9% | 25% |
| Less than 95.0% | 50% |
Total Time: Total amount of time in the month
Outage Time: Time in the month where Very Good Security failed to accept traffic
Uptime: Total Time -- Outage Time
Availability: Availability shall be calculated as Uptime divided by Total Time.
Remedies will not accrue (i.e., no credits will be issued and an outage will not be considered unavailability for purposes of this Service Level Agreement) if Customer is not current in its payment obligations either when the outage occurs or when the credit would otherwise be issued. To receive credits, Customer must submit a written request, prior to fifteen (15) days after the end of the month in which the Services were unavailable.
Very Good Security has a team of technical support engineers available to assist with incidents, problems, technical tasks or questions. Technical support for VGS Services can be reached at:
https://support.verygoodsecurity.com
support@verygoodsecurity.com
Technical support is available 24 hours a day, 7 days a week for incidents involving Urgent and High level service disruption, and in the following business hours for all other requests. Business hours excludes regional holidays and weekends:
9:00 AM - 6:00 PM EET (UTC+2)
9:00 AM - 6:00 PM PST (UTC-8)
Urgent and High level service disruptions are defined and addressed as followed:
| Service Disruption | Description | Priority | First Response | Resolution | Timeframe |
|---|---|---|---|---|---|
| Service Unavailable | VGS Platform or Services is completely unavailable and Customer business is impacted. | Urgent | 30m | 4h | 24/7 |
| Service Degraded | VGS Platform or Services availability is significantly impacting Customer business. | High | 2h | 12h | 24/7 |
[End SLA]
Upon termination of this Agreement and subject to the terms in this Exhibit, Customer may export from Very Good Security any of the Customer Data defined in Section 5.2 of the Very Good Security Terms and Conditions so long as the transfer of such data is in compliance with the latest version of PCI--DSS requirements and such transfer is allowable under any applicable laws, rules, or regulations.
Prior to Very Good Security transferring to sensitive Customer Data (including but not limited to PII, Card Data, and Customer must provide three items:
I. A face-to-face meeting or video chat with Customer's authorized representative;
II. A PGP signed email including: a signed letter from Customer outlining the actions to take, defining the affected data, and authorizing Very Good Security to move forward; and
III. Proof that the intended recipient of the data is in compliance with current PCI- DSS Level 1 requirements (usually in the form of a current AOC executed by a Qualified Security Assessor).
Any actions impacting transmittal of Customer Data in this section will be logged in Very Good Security's automated logging system. Upon request, Customer may receive a copy of Customer specific logs reflecting such actions.
Any fees or expenses incurred by data transfers under this section are Customer's sole responsibility.
No other terms or conditions of the Agreement shall be negated or changed as a result of this Exhibit.
[End Data Portability Exhibit]