This Software as a Service Agreement (“Agreement”) including any Addenda, Exhibits, or Schedules attached to it or otherwise agreed between the Parties, is a binding legal agreement between you (“Customer”) and the applicable ControlUp Entity specified in the Schedule (as defined below) (the “Vendor” or “ControlUp,”), which sets forth the terms and conditions under which the Customer is entitled to access and use the Software that has been developed and is owned by ControlUp. This Agreement also applies to, and governs, the executed ordering document (such as an order form, sales order, proposal, or quote) to which it is attached, hyperlinked, or otherwise incorporated (the “Zeitplan”).
BY ACCEPTING THE TERMS OF THIS AGREEMENT, (1) THE CUSTOMER HEREBY WAIVES, IRREVOCABLY, ANY RIGHTS OR REQUIREMENTS UNDER ANY LAWS OR REGULATIONS IN ANY JURISDICTION WHICH REQUIRE AN ORIGINAL (NON-ELECTRONIC) SIGNATURE OR DELIVERY OR RETENTION OF NON-ELECTRONIC RECORDS, TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW; AND (2) THE CUSTOMER HEREBY AGREES TO THE PROCESSING OF PERSONAL DATA IN THE SOFTWARE AS DETAILED IN THE APPLICABLE DOCUMENT, I.E., THE DATA PROCESSING AGREEMENT (AVAILABLE AT: https://controlup.com/privacy/dpa) OR PRIVACY POLICY (AVAILABLE AT: https://www.controlup.com/controlup-privacy-policy), WHICH IS INCORPORATED AS AN INTEGRAL PART OF THIS AGREEMENT. CUSTOMER ACKNOWLEDGES THAT ANY RESELLER OR THIRD PARTY THROUGH WHICH IT OBTAINS ACCESS TO THE SOFTWARE OR SERVICES IS ACTING SOLELY AS A DISTRIBUTOR AND IS NOT AN AGENT OF CONTROLUP. SUCH RESELLER HAS NO AUTHORITY TO MAKE REPRESENTATIONS ON BEHALF OF CONTROLUP OR TO ALTER, AMEND, OR MODIFY THE TERMS OF THIS AGREEMENT.
All capitalized terms used in this Agreement shall have the meanings set forth in Exhibit A attached hereto. Other capitalized terms used in this Agreement are defined where they are used and have the meanings so indicated.
For the purposes of this Agreement the term Customer also includes Customer’s affiliates as defined in Exhibit A.
2.1 Services and Software under Schedules. Vendor will implement, configure, maintain and provide remote access to and use of: (i) the Software described in the applicable Schedule(s), and (ii) the Customer Data. Such Software will be made accessible through the Facilities, in accordance with the milestones, implementation dates, specifications and requirements set out in the Agreement and in the applicable Schedule(s). Hosted Services include and/or will allow for:
2.2 Grant of License and Related Obligations and Restrictions.
(a) Facilities. Vendor hereby grants Customer, its employees, agents, and vendors a limited, personal, non-exclusive, non-transferable, non-sublicensable license during the Term to access and use the Facilities as contemplated hereunder, including in the description of the Services set out in an applicable Schedule.
(b) Software. Vendor hereby grants Customer, its employees, agents and vendors as well as Customer’s Affiliates, their employees, agents and vendors a non-transferable (except as set out in Section 14.2) non-exclusive, worldwide, irrevocable (for the applicable Schedule Term) license to use the Software and Documentation.
(c) Customer Responsibilities. The Customer shall be solely responsible:
The Customer declares and warrants that Vendor shall not be held liable for any network-related problems that can be attributed to the operation of the Software. The Customer also acknowledges that internet and network configuration changes might affect the Software’s performance and accessibility.
(d) Customer Restrictions. The following restrictions shall also apply to the Customer’s use of the Software:
(e) License Scope and Usage Limits. Customer’s permitted use of the Software and Services shall be limited to the quantity of licenses, metrics, or capacity purchased and set forth in the applicable Schedule (e.g., Named Users, Concurrent Sessions, Endpoints, or other authorized usage metrics).
(f) Monitoring and Excess Use. Vendor may audit and monitor the Customer’s use of the Software and Services to verify compliance with the license metrics, quantities, and other usage limitations specified in the applicable Schedule. If, at any time during the Term, Vendor notifies Customer of its over deployment exceeding the number of licenses permitted under the applicable Schedule – including (i) Named Users, (ii) End Points, and/or (iii) Concurrent Licenses (“Excess Use”), then Customer shall within ninety (90) days of such notice, either (A) cease such Excess Use or (B) purchase the additional number of licenses required to address such Excess Use pro-rated to the end date of the then applicable Schedule Term.
(g) Pre-Authorized Growth. Any increases in Customer’s usage of the Software or Services that fall within the growth allowances, auto-scaling provisions, or expansion tiers expressly set forth in the applicable Schedule shall not constitute Excess Use under this Agreement.
(h) Repeated Excess Use. If Customer elects to cease such Excess Use but subsequently incurs Excess Use again during the same Schedule Term, Vendor reserves the right to invoice Customer for such Excess Use at the then-current applicable rates, pro-rated through the end of the Schedule Term, regardless of whether Customer later ceases such Excess Use. Unless otherwise specified in the Schedule, Customer shall pay all invoices for Excess Use within sixty (60) days of the invoice date.
2.3 Customer Data Availability, Ownership and Usage Restrictions. Vendor shall make all Customer Data (complete and unaltered) available to Customer upon its request but no more frequently than once per month, in a format reasonably requested by Customer, at no additional charge. With respect to the Customer Data stored by Customer in the Software or Facilities, such Customer Data and related information shall be made available through the Software or Facilities without request 24/7, immediately after uploading. As between the Parties, Customer Data is and shall remain the property of Customer. Vendor shall use the Customer Data solely to perform Vendor’s obligations under this Agreement. It is acknowledged and agreed that Vendor (alone and/or together with its affiliates and service providers) may generate and commercially exploit usage statistics, as well as use Customer Data for the purpose of enhancing the Software and additional developments, including the transfer of the same from single-tenant to multi-tenant and vice versa, it being clear that nothing in this Agreement shall be deemed to prohibit or otherwise limit such activities. Except as expressly permitted in this Agreement, Vendor shall not sell, assign, lease, disseminate, or otherwise dispose of the Customer Data or any part thereof to any other person, nor shall Vendor commercially exploit any part of the Customer Data. Vendor shall not possess or assert any property interest in, or any lien or other right against or to, any Customer Data.
2.4 Back-up. Vendor shall perform daily and weekly back-ups of all Customer Data and maintain such back-ups throughout the applicable Schedule Term(s). At no additional cost to Customer, Vendor shall also maintain a copy of each such weekly back-up of the Customer Data replicated in several availability zones. Such third-party back-up shall be subject to security obligations, which are no less restrictive than the security obligations of Vendor hereunder.
2.5 Vendor’s Personnel; Subcontracting. The Services will be performed only by Vendor’s Personnel. Vendor may not assign or subcontract to another entity or person any of the Services, including, without limitation, co-location of the Facilities, to be performed hereunder without the express prior written consent of Customer. Vendor shall conduct appropriate due diligence on all Approved Subcontractors (e.g based on official certification like SOC 2 or ISO and any other relevant certification). Vendor shall enter into a written agreement with each Approved Subcontractor. The written agreement shall require the Approved Subcontractor to protect Customer Data (including personal data and critical data) and Confidentiality in accordance with non-disclosure obligations non less stringent than those set forth in this Agreement and also with all applicable terms and conditions of this Agreement. Vendor shall conduct appropriate oversight of all Approved Subcontractors and shall ensure that Approved Subcontractors comply with the applicable terms and conditions of this Agreement. Notwithstanding approval by Customer of any subcontracting, Vendor will remain fully liable for the acts and omissions of its agents and Approved Subcontractors as if performed by Vendor.
2.6 Security and Supervision. Vendor’s Representatives, when on Customer’s premises or accessing Customer’s networks or providing maintenance services hereunder, will comply with all of Customer’s security, supervision and other standard procedures applicable to such Personnel.
3.1 Service Levels. Vendor shall provide the Services in accordance with the Service Levels set out in the applicable Schedule and as detailed in ControlUp’s Service Level Agreement (available upon request at support@controlup.com) (“Service Level Agreement”).
3.2 Support Services. Vendor shall provide the Support Services set out in each applicable Schedule and as detailed in ControlUp’s Support Definitions, available at https://support.controlup.com/docs/service-level-agreement-and-support-definitions.
3.3 Scope of Support and Exclusions. ControlUp is responsible only for providing support for failures of its products to materially conform to the functional specifications set forth in the applicable product documentation. If the Customer provides ControlUp Support with all necessary components to replicate an issue, ControlUp will attempt to resolve it, provided it is able to reproduce the problem. To facilitate the collection of information and resolution of issues classified as Critical or High priority, the Customer must be available during business hours throughout the issue resolution process. ControlUp will not provide support in cases where the problem arises from the ControlUp product being combined, integrated, or operated with hardware or software not supported or authorized by ControlUp, improper or unauthorized use of the ControlUp product by the Customer in a manner inconsistent with the Agreed Use, or the inability to reproduce the issue on an unmodified version of the ControlUp product running on the applicable supported platform.
3.4 Exclusions for Third-Party Hosted Services. Vendor shall not be responsible for any service interruptions, outages, or performance issues caused by third-party hosting providers, cloud infrastructure providers, or other external services used in connection with the Software or Services (e.g., AWS, Azure, Google Cloud). Any such interruptions shall not be deemed a breach of the Service Levels or give rise to any liability on the part of Vendor.
Vendor shall apply Vendor’s business continuity and disaster recovery plans (available upon request at security@controlup.com) to all Services(all of Vendor’s supporting detailed documentation and plans as contemplated by the provisions of this Section 4, the “Disaster Recovery Plan”). The Disaster Recovery Plan for all Services shall: (i) be designed to continue all Vendor business operations that are critical to the overall operation and functionality of the Services notwithstanding the occurrence of a Crisis; (ii) specify procedures and frequency of testing; and (iii) shall be, and shall be maintained consistent with, then-current generally accepted industry standards. The Disaster Recovery Plan shall specifically address the ability of Vendor to provide the Customer each of the Services in the event of a Crisis. The Disaster Recovery Plan shall provide, among other things, a mechanism for the redundancy or back-up of business operations designed to keep the Services from becoming unavailable for a significant amount of time due to a Crisis and to permit the related business operations of Customer to be re-instituted in a time period that permits the ongoing operation and functionality of Customer’s business to which the Services relate. Without limiting the generality of the foregoing, the Disaster Recovery Plan will address the following elements:
Notwithstanding the above, if a Crisis prevents Vendor from providing the Services to Customer, Vendor shall allocate its efforts and resources to restoring Customer’s Services no less favorably to Customer than it allocates to any of its other customers affected by the Crisis. Vendor shall review and update the Disaster Recovery Plan on a regular basis with the aim of evolving and enhancing the Disaster Recovery Plan in line with industry changes in disaster recovery. Vendor shall ensure that the Disaster Recovery Plan has been tested at least once in any twelve (12) months period. Upon Customer’s written request, Vendor shall provide Customer with an executive level summary of the results of any such tests and shall reasonably consider suggested by Customer to remediate any deficiencies in the Disaster Recovery Plan identified by such tests.
Should a disaster or other event, including an Error, occur with a material adverse impact on the Services, the Facilities or the Software, each Party shall immediately notify the other Party and in any case, within 48 hours after becoming aware of such event. Each Party shall cooperate in good faith with the other Party (i) in the notification process of any incident to the other Party’s competent regulatory authority, where applicable (e.g. in case of data breaches (including personal data and critical data, where applicable), cyberattacks etc); (ii) in the assessment of any such incident, error, disaster and/or breach and its root causes; (iii) in the definition and implementation of any remediation and/or action plan to address the identified deficiencies.
Vendor undertakes to and shall ensure to report to Customer any incident impacting the confidentiality, integrity, availability and authenticity of any Customer Data. Such notification shall be sent to the email address specified in the Data Processing Addendum (DPA) and shall include the known details of the incident, its potential implications, and the actions taken or planned by Vendor in response. The email must include the known details of the event, the implications and Vendor’s actions undertaken in response of such event.
6.1 Vendor shall implement and maintain an information security program that complies with the requirements of SOC2 and/or ISO27001 certifications. The program shall include policies, procedures, and controls to protect customer data, ensure service integrity, and minimize disruptions, with regular audits and updates to maintain compliance with these standards.Vendor will accurately and completely collect and maintain information regarding the storage location, media, and method of storage of all Confidential Information on an ongoing basis.
At the Customer request and by the termination of this Agreement at the latest, and regardless of the ground for its termination, the Vendor undertakes, at its own costs, (a) to return to Customer, within a reasonable time and in its existing format, Customer data which the Vendor has knowledge of, and (b) to delete or destroy all or part of any such Customer data that might remain in the Vendor’s possession or of which the Vendor might have retained a copy (especially in archived or backed-up files), subject to the applicable legal provisions, in particular provisions about record keeping.
To the extent Services rendered by the Vendor are considered “outsourced services” in accordance with any law or regulation on outsourcing applicable to the Customer and/or any Customer Affiliates in connection with this Agreement and the related Services, Vendor shall comply at all times with the relevant applicable law or regulation, in particular it shall have verifiable internal controls in place to ensure compliance with security regulations and procedures and implement appropriate organizational and technical measures as contractually and specifically agreed for each Service in order to protect all Customer Data from unauthorized processing, and to ensure the accessibility, the confidentiality and safety, the availability, authenticity and the integrity of these Customer Data.
6.2 Protection. Vendor must, at all times, take all necessary security and protective measures against, in particular, destruction, loss, access by unauthorized third parties or alteration of or to Customer Data provided or administered by the Customer or its subcontractors to which the Vendor has access for the purposes of fulfilling its obligations under the Agreement.
6.3 Data Property. All Customer Confidential Information are and shall remain the Customer’s exclusive property and shall be treated as the Customer’s Confidential Information. Likewise, information generated by the systems, such as application logs, tables, reports, accounts, printed material of any and all types (account statements, etc.), is the Customer’s exclusive property. Vendor shall acquire no rights over this information or data and only use the Customer’s Confidential Information to the extent necessary for the performance of the Services. Unless written approval from Customer given in advance, Customer’s Confidential Information must not be, notably used by the Vendor and/or its Representatives other than for strict fulfilment of those obligations stipulated in the Agreement, which implies the Customer Data shall be rigorously physically and/or logically segregated from data of the Vendor’s other users/customers.
7.1 Use of Data. ControlUp and its Affiliates may process Customer Data, and may engage authorized third-party service providers to process such data on their behalf, for the purposes of analyzing and assessing Customer’s usage, inputs, outputs, functionality, and feedback related to the Services, in order to support, maintain, enhance, and improve the performance, security, and functionality of the Services. For any analytics, insights, or artificial intelligence–related processing, ControlUp shall ensure that all application usage data utilized for such purposes is anonymized and aggregated so that it cannot reasonably be used to identify any individual or specific Customer instance. ControlUp shall not disclose Customer Data to any third party except as permitted under this Agreement, nor use any personal details contained in inputs (such as user names) for such purposes. Nothing in this Section limits ControlUp’s obligations under applicable data protection or privacy laws.
7.2 Disclaimer. Customer acknowledges that, due to the nature of AI technologies, any information or output generated by such functionality is provided “AS IS”, without any representations or warranties, express or implied.
7.3 Authorization. Customer represents and warrants that it possesses all necessary rights, title, interests, and licenses in and to the Customer Data and hereby authorizes ControlUp to process such Customer Data as described in this Section and elsewhere in this Agreement.
7.4 Customer Election to Disable AI Functionality. Customer may elect, by written notice to ControlUp, to disable or opt out of the use of AI functionality within the Services, to the extent such opt-out capability is made available by ControlUp. Customer acknowledges and agrees that opting out may result in limited, degraded, or unavailable features, analytics, insights, or automation capabilities, and may adversely affect the performance, operation, or accuracy of the Services. ControlUp shall have no liability whatsoever for any reduced functionality, performance issues, or inability to access or use certain features resulting from Customer’s election to opt out.
8.1 Restrictions. The receiving party will keep the Confidential Information of the disclosing party confidential. The receiving party may disclose the Confidential Information of the disclosing party to its Representatives who have a need to know such Confidential Information solely in connection with this Agreement. The receiving party will cause such Representatives to comply with this Agreement and will assume full responsibility for any breach of this Agreement by any such Representatives. The receiving party will not transfer or disclose any Confidential Information of the disclosing party to any third party without the disclosing party’s prior written permission and without such third party having a corresponding contractual obligation to keep such Confidential Information confidential. The receiving party will not use any Confidential Information of the disclosing party for any purpose other than in connection with this Agreement. Notwithstanding anything to the contrary, Customer may disclose Vendor Confidential Information to third parties in connection with such third party’s provision of software or services to Customer. Such disclosures will be made under an obligation of confidentiality limiting the use of such Confidential Information by such third parties to the provision of software and/or services to Customer.
8.2 Exclusions. Confidential Information will not include information that: (i) is in the public domain at the time of disclosure; (ii) was in the possession of or demonstrably known by the receiving party prior to its receipt from the disclosing party without restriction on its use or disclosure; (iii) is independently developed by the receiving party without use of, reference to or reliance on the disclosing party’s Confidential Information; or (iv) becomes known by the receiving party from a source other than the disclosing party without breach of this Agreement and is not subject to an obligation of confidentiality.
8.3 Legal Requirements. If the receiving party is required to disclose any of the disclosing party’s Confidential Information under a subpoena, court order, statute, law, rule, regulation or other similar requirement (a “Legal Requirement”), the receiving party will, to the extent not precluded by law, provide prompt prior notice of such Legal Requirement to the disclosing party so the disclosing party may seek an appropriate protective order or other appropriate remedy or waive compliance with the provisions of this Agreement. If the disclosing party is not successful in obtaining a protective order or other appropriate remedy and the receiving party is, in the reasonable opinion of its counsel, legally compelled to disclose such Confidential Information, or if the disclosing party waives compliance with the provisions of this Agreement in writing, the receiving party may disclose, without liability hereunder, such Confidential Information in accordance with, but solely to the extent necessary, in the reasonable opinion of its counsel, to comply with the Legal Requirement. Notwithstanding anything to the contrary, Customer may disclose Vendor Confidential Information as required to satisfy any request by any governmental or regulatory body. Recipient’s obligations of confidentiality for each item of discloser’s Confidential Information will not expire.
8.4 Data Protection Contract Requirements. Vendor and Customer shall enter into a Data Processing Agreement (“DPA”) available at https://controlup.com/privacy/dpa.
8.5 Disposition of Confidential Information on Termination or Expiration. Upon termination or expiration of this Agreement or upon the disclosing party’s written request and where practicable, the receiving party will return to the disclosing party all copies of Confidential Information already in the receiving party’s possession or within its control. Alternatively, with the disclosing party’s prior written consent, the receiving party may destroy such Confidential Information using means to protect against unauthorized access to or use of the information, including, where appropriate, burning, shredding, or pulverizing such information, or by taking such other means as to assure that such information may not be recoverable following its disposal. In such case, an officer of the receiving party will certify in writing to the disclosing party that all such Confidential Information has been destroyed. Notwithstanding the above, the receiving party may retain copies of such Confidential Information as required by applicable law, or, to the extent such copies are electronically stored in accordance with the receiving party’s email record retention policies, so long as such Confidential Information is kept confidential as required under this Agreement.
8.6 Ownership. Vendor shall own and retain all right, title and interest in and to (a) the Software and Services, including any and all improvements, enhancements or modifications thereto (regardless of the developing party and whether or not the same are a result off any feedback by the Customer), and (b) all intellectual property rights related to any of the foregoing. The Customer shall also refrain from reverse engineering, decompiling, disassembling or attempting in any other manner whatsoever to discover the source code of the Software.
9.1 Customer Audit. Vendor has its and its Authorized Subcontractors internal system of control of the Service delivery processes audited on an annual basis according to an internationally accepted reporting standard such as ISAE 3402 or a similar standard by an independent auditing company. Customer will receive such annual reports in due course after preparation for Customer’s review. In addition, Vendor shall deliver to Customer any report and finding made on Vendor and the Authorized Subcontractors, whether produced by their internal or external auditors or by other third parties appointed by Vendor or the Authorized Subcontractors in relation to the Agreement. Customer and its Affiliates where applicable, reserve a right to audit either itself/themselves or through a third-party independent contractor selected by Customer at Customer’s expense, the Vendor and/or its Approved Subcontractors during standard business hours, subject to reasonable coordination and no more than twice every calendar year. The Audit right includes but is not limited to an on-site audit and review of Vendor’s architecture, systems and procedures used, and records kept, in connection with the Services and the Software, as well as an audit of the performance of the agreed Services. Customer and its Affiliates, where applicable, reserve the right to request information on this matter for monitoring purpose. During the Term and for twelve (12) months thereafter, Vendor agrees to maintain, in accordance with generally accepted accounting principles, complete and accurate records so as to permit Customer to monitor compliance with this Agreement, and applicable laws, rules and regulations. Each audit and review shall be conducted upon Customer’s reasonable request. Upon notice of any audit findings, Vendor shall use commercially reasonable efforts to make any necessary changes to ensure compliance with its obligations under the Agreement, and applicable laws, rules and regulations. Any audits described in this Section shall be conducted during reasonable times and upon reasonable advance notice to Vendor and shall be of reasonable duration and shall not unreasonably interfere with Vendor’s day-to-day operations. Further, Customer shall not conduct an audit more than once per year. In the event that Customer conducts an audit through a third party independent contractor, such independent contractor shall be required to enter into a non-disclosure agreement containing confidentiality provisions substantially similar to those set out in Section 5 to protect Vendor Confidential Information. The Vendor, having obtained external certifications (ISO 27001, ISO 27017, ISO 27018 and ISO 27701, is committed to provide evidence of such certifications on a yearly basis.
9.2 Regulatory Audit. In addition to the above audit rights in favor of Customer, and/or its affiliates, where applicable, Vendor will provide to Customer’s and/or Affiliates regulators and other law enforcement agents access at all reasonable times, after providing Vendor with at least forty-eight (48) hours advance notice (except in the event of audits or investigations by regulators or other law enforcement agents, or investigations of reasonable suspicion of misappropriation, fraud or business irregularities of a potentially criminal nature, or relating to Customer data protection requirements), to Vendor’s records kept in connection with the Services and the Software for the purpose of performing regulatory audits to enable Customer’s regulators included Customer’S Affiliates regulators or other law enforcement personnel to confirm that Vendor is meeting all applicable information privacy, security, regulatory and other legal requirements which Vendor is required to comply with in connection with performance of its obligations under this Agreement. During the Term and for twelve (12) months thereafter, Vendor agrees to maintain, in accordance with generally accepted accounting principles, complete and accurate records so as to permit Customer’s regulators included Customer’s Affiliates regulators and any other law enforcement agents to confirm that Vendor is meeting all applicable information privacy, security, regulatory and other legal requirements which Vendor is required to comply with in connection with performance of its obligations under this Agreement.
10.1 Fees. The Fees for the Services and Software will be specified in the applicable Schedule. Customer shall provide Vendor with complete and accurate billing and contact information. This information includes Customer’s legal company/organization name (if applicable), street address, telephone number, fax number (if applicable), e-mail address, and name of an authorized billing contact. In the event of a change of any of this information, Customer agrees to update the information within 30 days of any change.
10.2 Taxes. Except to the extent that Customer has provided an exemption certificate, direct pay permit or other such appropriate documentation, Vendor shall add to each invoice and Customer shall pay any sales, use, excise, value-added, gross receipts, services, consumption and other similar transaction taxes (“Transaction Taxes”) however designated that are properly due and payable upon the Software and Services provided under this Agreement, and required by law to be collected from Customer, excluding however taxes based upon Vendor’s net income and any taxes or amounts in lieu thereof (e.g., Ohio Commercial Activity Tax, and Washington B&O Tax) paid or payable by Vendor. Such Transaction Taxes shall only become due and payable by Customer upon the receipt of an invoice from Vendor in line with local transaction tax rules and regulations.
10.3 Purchase Orders. If Customer issues a purchase order, such purchase order shall be for the total fees set forth in the applicable Order. ControlUp hereby rejects any additional or conflicting terms included in any purchase order or other Customer ordering documents, and acceptance of such documents is expressly conditioned on the terms and conditions of this Agreement.
10.4 Late Payment Fee. Any undisputed amounts not paid when due will accrue interest at a rate of one and one-half percent (1.5%) per month, or the maximum rate permitted by law, whichever is lower, from the due date until paid in full. Vendor may, after providing written notice, suspend performance of the Services or access to the Software until payment is received.
11.1 Agreement Term. This Agreement is effective as of the Effective Date and, unless terminated earlier in accordance with this Agreement, will continue until the termination or expiration of any and all Schedules (the “Term”).
12.1 Termination for Convenience. Customer may terminate this Agreement at any time for convenience by giving forty-five (45) days’ prior written notice to Service Provider. Under this Agreement, Customer may purchase ControlUp subscriptions or licenses on one-year or multi-year commitment terms. In the event of termination without cause by Customer, Customer will fulfill all financial commitments for any such subscriptions or licenses through the end of the applicable commitment period. Termination without cause will not relieve Customer of its payment obligations for the committed term.
12.2 Termination for Material Breach. If either party materially breaches this Agreement or any Schedule, and such breach is incapable of cure, or such breach is capable of cure but the breaching party does not cure such breach within thirty (30) days after written notice of material breach, the non-breaching party may terminate the relevant Schedule upon written notice of immediate effect (“Termination for Cause”).
12.3 Effect of Expiration/Termination. In case of Termination for Cause by Customer, Customer shall be entitled to receive, as a sole remedy, a refund equal to the proportional portion of the fees already paid to Vendor, which may also be set-off against yet unbilled and/or unpaid fees for the remainder of the Schedule Term. The foregoing is without prejudice to the Customer’s right to assert any damage arising from any Vendor’s liability as set forth in the Agreement.
12.4 Upon termination of this Agreement, for any cause whatsoever, the following terms shall apply:
13.1 Auto-Renewal. This Agreement shall remain in effect for the term specified in the applicable Schedule (the “Initial Term”). Thereafter, certain Schedules under this Agreement may be subject to automatic renewal for successive one (1) year periods (each, a “Renewal Term” and together with the Initial Term, the “Term”), in accordance with ControlUp’s then-current Auto-Renewal Policy (available at Auto-Renewal Policy). The Auto-Renewal Policy applies only to customers within its defined scope. If the Auto-Renewal Policy applies to Customer and Customer does not wish to renew, Customer must provide written notice of non-renewal prior to the end of the then-current Term, following the cancellation procedures described in the policy.
13.2 Non-Auto-Renewal Orders. Customers that fall outside the scope of the Auto-Renewal Policy must enter into a new Schedule to continue receiving services under this Agreement.
14.1 Non-Infringement. Vendor represents, warrants and covenants that: (i) it has and will have all rights, titles, licenses, intellectual property, permissions and approvals necessary in connection with its performance under this Agreement and to grant Customer the rights granted hereunder; and (ii) none of the Services or Software nor their use as contemplated under this Agreement, do or will infringe, violate, trespass or in any manner contravene or breach any patent, copyright, trademark, license or other property or proprietary right or constitute the unauthorized use or misappropriation of any trade secret of any third party.
14.2 Software and Services. Vendor represents, warrants and covenants that: (i) the Software and resulting Services will conform to and operate in accordance with the Documentation; (ii) it shall perform the Services in conformance with the levels of service, quality control and other performance standards described in each applicable Schedule and/or Exhibit to this Agreement and as otherwise reasonably specified by Customer; (iii) all Services provided in connection with this Agreement are and will be performed to the best of Vendor’s ability and in an effective, timely, professional and workmanlike manner in accordance with the highest applicable industry standards and practices; and (iv) Vendor Personnel performing any Services hereunder will be appropriately trained and have a level of skill commensurate with the requirements of this Agreement, and Vendor will promptly and cooperatively work with Customer to rectify any reasonable issues that Customer has with any person who is performing Services under this Agreement, including replacement, upon Customer’s reasonable request.
14.3 Defects; Errors. Vendor represents, warrants and covenants that Software and Facilities will properly operate without a material defect or Error.
14.4 Compliance with Laws. Vendor represents, warrants and covenants that the Services, Software and the use contemplated under the Agreement is and for the duration of the Term, shall continue to be in compliance with all applicable national, federal, state and local laws, rules and regulations, and that Vendor shall take no action or make any omission that would cause Customer to fail to comply with such laws, rules and regulations. Vendor agrees to inform Customer in writing of developments affecting the representations, warranties, and covenants set forth in this Section 14.4 during the Term. Without limiting the generality of the foregoing:
(a) Anti-Bribery and Anti-Corruption. In connection with this Agreement, Vendor represents, warrants and covenants that is and at all times has been in compliance with all applicable anti-bribery and anti-corruption laws, including, but not limited to, the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act, the Organisation for Economic Co-operation and Development Convention on Combating Bribery of Foreign Public Officials in International Business Transactions. Except as previously disclosed to Customer in writing, Vendor represents, warrants and covenants that: (i) Vendor has not and will not make, permit or authorize, directly or indirectly, any offer, payment, promise, gift or transfer of money, anything of value, or any financial or other advantage to any person to secure any improper advantage; (ii) Vendor has not been and is not currently subject to any governmental or regulatory review, audit, inspection or investigation related to applicable anti-bribery laws; and (iii) Vendor is not aware of any allegations, investigations or inquiries by any governmental authority with regard to a potential violation of applicable anti-bribery law by Vendor or its Representatives or other persons acting on its behalf. Vendor agrees to accurately record in its books and records any and all expenses related to this Agreement. Vendor agrees that it will not permit any of its Representatives to pay bribes in connection with Vendor’s execution of its obligations under this Agreement. In the event Vendor obtains credible information indicating that any of its Representatives have paid bribes in connection with Vendor’s execution of its obligations under this Agreement, Vendor will promptly notify Customer in writing. Vendor agrees to provide Customer with periodic certifications of compliance with applicable anti-bribery and anti-corruption laws.
(b) Anti-Money Laundering. In connection with this Agreement, Vendor represents, warrants and covenants that it is and at all times has been in compliance with all laws, rules and regulations relating to the prevention of money laundering and/or terrorist financing applicable to it or its property or in respect of its business or operations, including all applicable financial record-keeping, know-your-customer and reporting requirements of the United States, and equivalent laws, rules and regulations enforced by other jurisdictions, which laws include, without limitation, the Currency and Foreign Transactions Reporting Act of 1970 (commonly known as the Bank Secrecy Act), as amended from time to time, including by the USA PATRIOT Act of 2001.
(c) Sanctions. In connection with this Agreement, Vendor represents, warrants and covenants that is and at all times has been in compliance with all applicable laws and regulations relating to economic or financial sanctions or embargos administered or enforced by a competent governmental authority, including without limitation: (i) the United Nations Security Council; (ii) the European Union; (iii) the governmental institutions and agencies of the United States, including the Office of Foreign Assets Control of the United States Department of Treasury (“OFAC”); and (iv) the governmental institutions and agencies of the United Kingdom, including Her Majesty’s Treasury (“HMT”). Vendor represents, warrants, and covenants, that it has implemented, and will periodically review to ensure the adequacy of, compliance measures reasonably designed to achieve compliance with this paragraph, and shall promptly notify Customer upon discovery of any circumstances that may indicate a breach of these obligations.
14.5 Encryption. Vendor will identify in the applicable Schedule any encryption used in the Services and Software and the Commodity Classification, Export License or License Exceptions, and Import License granted with respect thereto. Vendor represents that it has complied with, and will continue to comply with, all applicable laws, rules and regulations of the United States or any foreign country with respect to the export or importation of the Services and Software, any modifications, enhancements or updates thereto, and any technical data derived therefrom.
14.6 Disclaimer. EXCEPT AS EXPRESSLY SET OUT IN THIS AGREEMENT, NEITHER PARTY MAKES ANY OTHER WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Customer acknowledges that Vendor engages reputable providers of hosting services, for generation and hosting services of the Software (“Hosting Services”), and that notwithstanding anything to the contrary in this Agreement or any Schedule: (i) such services are provided pursuant to the general terms of use of such provider of Hosting Services, (ii) Vendor cannot and does not make warranties for the Hosting Services, (iii) Vendor is not obligated to impose the terms under this Agreement on a provider of Hosting Services, and (iv) Vendor shall have no liability whatsoever in respect of the Hosting Services and its providers.
14.7 Limitation of Liability. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT OR ANY SCHEDULE, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW VENDOR OR CUSTOMER SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL OR PUNITIVE DAMAGES, EVEN IF IT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN ADDITION, IN NO EVENT SHALL THE TOTAL LIABILITY OF VENDOR AND ANYONE ON ITS BEHALF FOR ALL DAMAGES, LOSSES, CLAIMS AND COSTS, WHETHER IN CONTRACT, TORT OR OTHERWISE, EXCEED THE AGGREGATE AMOUNT PAID BY CUSTOMER TO VENDOR DURING THE PERIOD OF 12 MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE LIABILITY. NOTWITHSTANDING THE ABOVE, NO LIMITATION OR EXCLUSION OF EITHER PARTY’S LIABILITY WILL APPLY WITH RESPECT TO ANY CLAIMS ARISING OUT OF OR RELATING TO SECTIONS 7 (CONFIDENTIALITY, PROPRIETARY RIGHTS AND DATA PROTECTION) AND 12.1 (NON-INFRINGEMENT), OR EITHER PARTY’S WILLFUL MISCONDUCT OR GROSS NEGLIGENCE, OR ANY CLAIMS FOR PERSONAL INJURY OR PROPERTY DAMAGE (INCLUDING WITHOUT LIMITATION ALL COSTS ASSOCIATED WITH THE RECOVERY OR REPLACEMENT OF LOST OR DAMAGED DATA). For the avoidance of doubt, any fines or penalties assessed on a party under applicable law arising out of the other party’s breach of this Agreement are direct damages.
15.1 Indemnification by Vendor. Vendor shall defend or settle at its expense any action, claim or proceeding, brought against Customer to the extent based upon a claim that the Software licensed by Customer infringes any third-party intellectual property right. Vendor’s obligation to indemnify Customer shall be limited to the following: Vendor agrees to pay Customer reasonable attorneys’ fees and expenses, incurred in investigation or defense of such claims, and all damages and liabilities finally awarded against Customer or paid in settlements and arising out of such third-party claims. Customer shall give Vendor prompt notice of any such claim made against it, shall provide (at the Vendor’s request and expense) such information and assistance in the defense of such claims as reasonably requested by Vendor, and shall grant Vendor sole control of the defense of any such claim, suit or proceeding, including appeals, negotiations and any settlement or compromise thereof. If the use of Software and/or the Services or part thereof becomes, or in Vendor’s opinion may become, subject to any claim of infringement of any duly issued patent or copyright or asserted trade secret right and its use is thereby enjoined, Vendor’s sole liability shall be, at Vendor’s option, to either:
Notwithstanding the foregoing, Vendor shall have no liability for Customer’s willful acts or for any settlement or compromise incurred or made by Customer without Vendor’s prior written consent. Vendor shall have no obligation to defend and shall have no liability to the extent an infringement allegation is based upon:
Subsections (a) through (e) above will be both individually and collectively known as “Other Claims”.
15.2 Customer Indemnification. Customer will defend any claim, suit, or proceeding brought against Vendor and will pay any damages or court costs (excluding consequential and exemplary damages) finally awarded against Vendor, or agreed to by Customer in settlement or compromise, to the extent such claim, suit, or proceeding is based on: (i) an infringement allegation arising from Other Claims; (ii) Customer’s use of the Software in violation of the terms and conditions herein; and (iii) Customer’s violation of any international, federal, provincial, state, or local, law, rule or regulation including any such law, rule or regulations which are privacy related. Vendor shall give Customer prompt notice of any such claim made against it, shall provide (at Customer’s request and expense) such information and assistance in the defense of such claims as reasonably requested by Customer, and shall grant Customer sole control of the defense of any such claim, suit or proceeding, including appeals, negotiations and any settlement or compromise thereof.
15.3 Each party may be represented in any such indemnification proceeding by counsel of its own choosing at its own expense. The indemnifying party shall not agree to any settlement or compromise that admits fault or imposes liability on the part of the indemnified party without its prior written consent.
16.1 Governing Law. The Agreement shall be governed by the laws of the State of Delaware without giving effect to its provisions regarding conflict of laws and only the state or federal courts located in Delaware shall have jurisdiction in any conflict or dispute arising out of this Agreement.
16.2 Assignment. Neither party will assign its rights or obligations under this Agreement without the prior written consent of the other party and any attempt to do so without such consent will be null and void. Notwithstanding the above and anything to the contrary otherwise set out in this Agreement, in the event Vendor undergoes any change of control, such change will constitute an assignment.
16.3 Notices. Any Notice to be given by Customer pursuant to this Agreement shall be sent to Vendor via Registered Mail to the address stipulated at the top of this Agreement, or via e-mail to the following E-mail address Support@controlup.com, and shall be deemed to have been received by Vendor – if sent via Registered Mail – 7 business days after the delivery of such notice, and if sent via e-mail – 2 business days after Customer confirms that it has been received by Vendor. Any Notice to be given to Customer shall be made via Registered Mail or Email address, according to the addresses Customer fills in the registration and shall be deemed to have been received by Customer – if sent via Registered Mail – 7 business days after the delivery of such notice, and if sent via e-mail – 2 business days after such notice has been sent.
16.4 No Waiver by Conduct. No waiver of any of the terms of this Agreement or any Schedule will be valid unless in writing and designated as such. Any inaction or delay on the part of either party in enforcing any of its rights under this Agreement will not be construed as a waiver of such right to enforce the same for such occurrence or any other occurrence.
16.5 No Publicity. Vendor will not disclose and will not use, in advertising, publicity or otherwise, the name of Customer or its Affiliates or any of their directors, officers, managers, employees, vendors or agents or any trade name, trademark, service mark, logo or symbol of Customer or its Affiliates, unless Vendor has obtained Customer’s prior written consent in each instance.
16.6 Severability. If any of the provisions of this Agreement are for any reason held to be invalid, illegal or unenforceable by a court of competent jurisdiction, the remaining provisions of this Agreement will be unimpaired and will remain in full force and effect, and the invalid, illegal or unenforceable provision will be replaced by a valid, legal and enforceable provision that comes closest to the intent of the parties underlying the invalid, illegal or unenforceable provision.
16.7 Third Party Beneficiaries. Unless expressly stated otherwise, this Agreement is for the sole benefit of the parties hereto and their successors and permitted assigns and nothing herein express or implied shall give or be construed to give any person other than the parties hereto any legal or equitable rights hereunder.
16.8 Counterparts; Method of Modification. This Agreement, each Schedule and Exhibit may be executed in counterparts and will not be effective or enforceable unless and until it is executed with the signature of an authorized representative of each of the relevant entities. The above notwithstanding, Vendor may change, in its sole discretion, the terms of this Agreement, from time to time, by posting a modified copy of the Agreement on Vendor’s website, or by otherwise notifying the Customer. The changes will be effective and binding as from the date that the notice will be posted, unless a different effective date is specified. Therefore, Vendor recommends to enter Vendor’s website from time to time to review information concerning such modifications. The Customer’s continued use of the Software following delivery and/or posting of a notice of modification shall be deemed as an of such modification.
LAST VERSION OCTOBER 2025