Legal


TokenEx respects the citizens and organizations who utilize our website and platform. Our most important asset is our relationship with our clients and prospects and protecting their data. We are committed to maintaining the availability, confidentiality, integrity, and security of information about our clients and their organizations. The following documents are available for reading or downloading. However, none of the documents that are available to you are editable in any form. If you have any questions regarding these documents, please email legal@tokenex.com.

GDPR Compliance

1. Relation to Agreement. Except as modified and supplemented herein, all other terms of the Agreement shall remain the same and in full force and effect. In the event of a conflict between the terms of this Addendum and the terms of the Agreement, the terms of this Addendum shall prevail and control.

2. Definitions.

(a) “Applicable Laws” means any statute, law, treaty, rule, code, ordinance, regulation, permit, certificate, or any other final and non-appealable action of a governmental authority having subject-matter jurisdiction. Applicable Laws includes, without limitation: (i) Directive EC 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, as amended, updated, or repealed from time to time (“Directive”), and any implementing, derivative, or related national legislation, rule, or regulation enacted thereunder by a European Union Member State subject to its jurisdiction, as well as the European General Data Protection Regulation (Regulation (EU) 2016/679), when it becomes applicable, and all related and derivative data protection laws (collectively “EU Data Protection Laws”), (ii) the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and (iii) the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and the Privacy and Security Rule regulations of HIPAA and the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the HITECH Act and the Genetic Information Nondiscrimination Act (“Omnibus Final Rule”) and all amendments to and further regulations of the HIPAA and HITECH Acts (collectively, “HIPAA”).

(b) “Personal Data” means any information disclosed to, or otherwise received by, TokenEx in connection with the Agreement, that (alone or when used in combination with other information within TokenEx’s direct control) can be used to identify, locate or contact an individual.

(c) “Privacy Shield” means the European Union-United States framework of privacy principles agreed to by the United States Department of Commerce and the European Union Commission on February 2, 2016 and formally adopted by the European Union Commission implementing decision C(2016) 4176 final on July 12, 2016.

(d) “Security Incident” means any unauthorized, accidental, or unlawful loss, acquisition, modification, use, destruction, alteration, disclosure, transfer, transport or access of Personal Data.

(e) “Information System” means the computing and/or network equipment, software and systems used by TokenEx in connection with the Agreement.

(f) “Processing” or “Process” means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaption or alteration, retrieval, consultation, use, transfer, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking or dispersed erasure or destruction.

3. Ownership of Personal Data. During the term of the Agreement, TokenEx shall have a limited, non-transferable license to use Personal Data solely for performance under the Agreement for the benefit of CLIENT. There are no implied licenses under this Addendum, and any rights to the Personal Data not expressly granted to TokenEx hereunder are reserved by CLIENT. Without limiting the foregoing, none of CLIENT’s right, title and interest in Personal Data shall be diminished as a result of TokenEx’s access to, or use of, such Personal Data.

4. Information Security and Privacy Compliance. With respect to Personal Data, TokenEx agrees to the following:

(a) TokenEx represents and warrants that it has developed and implemented, and that it maintains, monitors and uses appropriate administrative, technical, and physical security measures, safeguards, procedures and practices to protect the confidentiality, integrity and availability of all Personal Data against a Security Incident.

(b) TokenEx represents and warrants that it shall Process all Personal Data in accordance with all Applicable Laws and reasonable security requirements, policies, procedures and standards designated by CLIENT from time to time, including Processing of all Personal Data it receives from CLIENT’s United States operations (“Privacy Shield Data”) in accordance with CLIENT’s Privacy Shield certification and Swiss-US Safe Harbor certification (collectively “Data Transfer Certifications”) and that at all times TokenEx’s protection of such Personal Data will meet or exceed the obligations for protection of such Personal Data set forth in the Privacy Shield principles and the Swiss Safe Harbor principles. In the event new laws or regulations are implemented that require modifications to this Addendum, the parties mutually agree, in good faith, to modify this Addendum, within thirty (30) days of such law(s) or regulation(s) becoming effective. The parties further acknowledge that each is responsible to comply with any new law(s) or regulation(s) and to ensure that its handling of Personal Data is consistent therewith.

(c) TokenEx shall not transfer, disclose, use, transport, store, or in any manner Process, internally or via third parties, the Personal Data across any national borders or permit remote access to the Personal Data by any employee, affiliate, contractor, or other third party, unless such transfer or remote access is specifically permitted in the Processing instructions provided to it by CLIENT, or it has the prior written consent of CLIENT for such transfer or access. In order to receive Personal Data in the US from countries in the European Union or European Economic Area or Switzerland, TokenEx has been Privacy Shield certified, and if the data is from Switzerland, to the Swiss Safe Harbor program (collectively, the “Data Transfer Programs”). If TokenEx has not certified to the Data Transfer Programs, or if at any time during the course of this Agreement, if a particular Personal Data transfer does not qualify for the Data Transfer Programs, or if for some other reason the Data Transfer Programs are deemed invalid for purposes of a specific Personal Data transfer or for all Personal Data transfers, then the parties agree that for the duration of any such invalidity, the Model Contract Clause Provisions as approved by the EU Commission for Controller to Processor Personal Data transfers (“Controller to Processor Model Clauses”) will be incorporated into this Addendum and this Agreement with respect to all Personal Data transfers from the EU and/or Switzerland, as the case may be, and TokenEx and CLIENT hereby agree to immediately complete, sign, and execute the Controller to Processor Model Clauses. In addition, TokenEx agrees to reasonably execute and undertake such other compliance mechanisms as may be required by Applicable Laws in other countries with similar data transfer restrictions. 
If, in addition to the Data Transfer Programs, the Controller to Processor Model Clauses are deemed invalid for the purpose of a specific Personal Data transfer or for all Personal Data transfers, the parties agree to work together, and execute necessary documents, in order to determine an appropriate and legal mechanism for the transfer of such Personal Data.

(d) TokenEx shall Process Personal Data solely for the purpose of performing, and only to the extent needed to perform, TokenEx’s obligations under the Agreement or as otherwise authorized in writing by CLIENT. If for any reason, TokenEx cannot comply with the obligations of this Addendum, with respect to the Processing of Personal Data, and with the obligations of the Privacy Shield principles and the Swiss Safe Harbor principles, TokenEx shall immediately notify CLIENT in writing of such inability to comply.

(e) TokenEx shall not disclose, transfer, transport, or provide access to Personal Data to any third party unless such disclosure is necessary for performance under the Agreement, and provided that such third party is fully bound in a written agreement by obligations at least as restrictive as those contained herein, including those in the Privacy Shield principles and the Swiss Safe Harbor principles. TokenEx shall remain responsible to CLIENT for all Processing of Personal Data undertaken by such third party and TokenEx shall remain responsible for any harm caused by such third party to the same extent as if TokenEx caused such harm itself, except to the extent TokenEx’s disclosure of Personal Data to such third party is required or otherwise requested by CLIENT.

(f) Within thirty (30) days of (i) CLIENT’s request, (ii) the date that Personal Data is no longer reasonably necessary for TokenEx’s performance under the Agreement or (iii) termination or expiration of the Agreement, whichever occurs first, TokenEx shall return all Personal Data, including all copies and excerpts thereof, in TokenEx’s possession and/or control (including any Personal Data in the possession of TokenEx’s subcontractors or agents) to CLIENT in the original format in which the Personal Data was received (if alternative format is requested by CLIENT, it will be at CLIENT’S expense), or as requested by CLIENT, permanently and securely destroy such Personal Data using industry standard data wiping tools acceptable to CLIENT. TokenEx shall certify to CLIENT in writing that TokenEx has fully complied with the foregoing obligations.

5. TokenEx’s Responsibilities for Required Disclosure, Security Incident Handling.

(a) Notwithstanding anything herein to the contrary, if TokenEx is required to disclose Personal Data pursuant to an order by a court or administrative body of competent jurisdiction or governmental agency TokenEx shall, if permitted by law, (i) immediately notify CLIENT prior to such disclosure; (ii) cooperate with CLIENT (at CLIENT’s cost and expense) in the event that CLIENT elects to legally contest, request confidential treatment for, or otherwise attempt to avoid or limit, such disclosure; and (iii) limit such disclosure to the minimum extent required by law.

(b) TokenEx shall notify CLIENT of any suspected Security Incident immediately upon discovery of the Security Incident, but in no event more than forty-eight (48) hours after TokenEx reasonably believes a Security Incident has occurred. As part of such notification, TokenEx shall, to the extent known or can be reasonably determined, identify: (i) the specific Personal Data subject to the Security Incident; (ii) the nature of the unauthorized access, loss, use and/or disclosure; (iii) the person(s) involved in the Security Incident; (iv) the actions taken (or to be taken) by TokenEx to mitigate any deleterious effect of the Security Incident; and (v) the corrective actions taken (or to be taken) by TokenEx to prevent any future Security Incident. In addition, TokenEx shall provide to CLIENT such other information as reasonably requested by CLIENT with respect to the Security Incident and whether such individual should be provided credit monitoring.

(c) In connection with any suspected Security Incident, TokenEx shall, at its sole cost and expense, be responsible for: (i) investigating the Security Incident; (ii) promptly taking all actions necessary or reasonably requested by CLIENT to mitigate the resulting damages; and (iii) providing all consumer notices and/or credit monitoring required by law or appropriate under the circumstances, provided that CLIENT will determine, in its sole discretion and pursuant to law, if any individual(s) should be notified of the Security Incident.

(d) At no cost to CLIENT, TokenEx will cure any Security Incident to any Information System which TokenEx develops and/or hosts for CLIENT, consistent with legal requirements and any forensic services that may require ensuring that evidence is properly preserved.

(e) In addition to any indemnification obligations of TokenEx under the Agreement, TokenEx shall indemnify, defend and hold harmless CLIENT, its affiliated companies, and each of their respective officers, directors, employees and agents, from and against any and all claims, actions, liabilities, losses, damages, judgments, awards, fines, penalties, costs and expenses (including reasonable attorneys’ fees and defense costs and amounts paid in investigation, defense or settlement of the foregoing) which may be sustained or suffered by any of them arising out of or based upon a Security Incident or TokenEx’s (including TokenEx’s employees’, agents’ and subcontractors’) breach of this Addendum. NO LIMITATION OF LIABILITY SET FORTH ELSEWHERE IN THE AGREEMENT IS APPLICABLE TO THE FOREGOING INDEMNITY OBLIGATIONS OR TOKENEX’S BREACH OF THIS ADDENDUM.

6. Assurance of Compliance.

(a) Upon CLIENT’s written request, but not more frequently than annually, TokenEx shall certify in writing its compliance with this Addendum. Without limiting the foregoing, upon CLIENT’s written request but not more frequently than annually, TokenEx shall provide documentary verification of its compliance with this Addendum and shall allow reasonable inspections and audits by CLIENT or its third-party designee(s) to verify such compliance. In connection therewith, CLIENT may require formal penetration testing, security logs or other information security tests. TokenEx shall timely comply with all reasonable recommendations that result from such inspections, audits and tests. Any such audit will be conducted at CLIENT’s sole expense, except where the audit reveals TokenEx’s material noncompliance with this Addendum, in which case the reasonable cost of the audit will be borne by TokenEx.

(b) In the event any CLIENT inspection or audit reveals TokenEx’s noncompliance with this Addendum, or in the event CLIENT reasonably suspects any such noncompliance, TokenEx shall perform, upon CLIENT’s request and at TokenEx’s expense, a security audit by an independent third party approved by CLIENT in writing, to confirm TokenEx’s compliance hereunder. The audit results, along with TokenEx’s written plan for addressing or resolving any noncompliance or deficiencies identified by such audit, shall be provided to CLIENT within thirty (30) days of TokenEx’s receipt of such audit results, subject to reasonable confidentiality protections. If the audit finds TokenEx to be in compliance, then the cost associated with the requested audit will be borne by CLIENT.

(c) TokenEx shall maintain written policies and procedures regarding its disaster recovery and avoidance procedures, damage assessment and incident handling, and shall, upon CLIENT’s reasonable request, provide CLIENT with access to such policies and procedures in a manner that allows CLIENT to assess TokenEx’s effectiveness in maintaining the protection of Personal Data, including, without limitation, the operation, maintenance and technical controls of TokenEx’s Information System.

(d) TokenEx acknowledges and understands that CLIENT has the right to provide a copy of this Agreement and this Addendum, or a summary hereof, to the United States Department of Commerce, or any other regulatory authority, at any time.

7. Termination.

(a) CLIENT may terminate the Agreement upon written notice in the event TokenEx is in material breach of any obligation under this Addendum, which default is incapable of cure or which, being capable of cure, has not been cured within thirty (30) days after receipt of notice of such default.

(b) Each provision of this Addendum that by its terms would survive expiration or termination of the Agreement shall so survive.

Standard Terms of Service

These Standard Terms of Service are the terms and conditions pursuant to which TokenEx will deliver its services to any client. There is an addendum to this document which deals with GDPR, and which may supplement these terms and conditions if necessary, and to the extent applicable.

Definitions

“Affiliates” means any entities that a party directly or indirectly controls, is controlled by or is under control of that party.

“Availability” means the time in which the Client is able to connect to and transfer data with the System on a monthly basis, excluding Scheduled Maintenance and Emergency Security Updates.

“Client” is any person or entity that uses TokenEx’s services to improve data security. For example, a Client could be someone that uses TokenEx to secure data within Client’s own corporate environment, or a Client who uses TokenEx’s services within Client’s product offering to secure Client’s customer data.

“Emergency Security Update” means a period for which the Services are unavailable for use by Client in order to perform emergency security updates or perform similar work, and for which Client has been given prior notice of such period.

“Platform Credentials” means all credentials provided or related to accessing the TokenEx Platform. TokenEx shall provide Client with Platform Credentials, including but not limited to (1) API Keys, (2) SFTP user accounts and (3) customer portal user accounts.

“Quote for Services” means “Exhibit B”, as attached to the final contractual document. The Quote for Services will contain the details of pricing and specific services provided to Client.

“Service Level Agreement” means “Exhibit A” as attached to the final contractual document. The Service Level Agreement will contain proprietary details about availability uptimes, response times, and other related information.

“Scheduled Maintenance” means a period for which the Services are scheduled to be unavailable for use by Client in order to perform preventive maintenance, install upgrades or perform similar work, and for which Client has been given prior notice of such period.

“TokenEx Platform” means the software products owned or licensed by TokenEx to which TokenEx grants Client access as part of the services, including, but not limited to (1) Web APIs, (2) Hosted payment pages/iframe, (3) batch file processing (sftp) and (4) customer portal.

“Whitelisting” is a process which checks connecting IP addresses against an approved list of IP addresses (“Approved IPs”) that Client submits to be open and accessible. Only those “Approved IPs” will be granted access to the TokenEx platform.

1. Provision of Services. TokenEx, LLC (“TokenEx”) shall provide services to Client (identified in the signature block hereof) and Client shall pay for such services in accordance with the terms of this Service Agreement (“Agreement”) and the Quote for Services attached hereto during the initial subscription term and any extension thereof. This Agreement will automatically renew following each contract year, but may be terminated by either party upon providing the other party not less than thirty (30) days prior written notice of any termination. Client shall be obligated to pay any and all outstanding charges for services that have been delivered or invoiced prior to the date of termination.

2. TokenEx Responsibilities. TokenEx shall also provide basic support for the services at no additional charge, and use all reasonable, good-faith efforts to provide the services 24 hours a day, 7 days a week, except for (a) Scheduled Maintenance following at least five (5) days advance notice to Client, (b) any Emergency Security Update, for which TokenEx shall give notice by email as promptly as reasonably practicable, or (c) any unavailability caused by circumstances beyond TokenEx’s reasonable control. TokenEx has and will maintain during the Term, at least the following certifications: PCI-DSS Level 1 Service Provider, Privacy Shield (EU-US and Swiss-US), and SSAE 16 SOC 2 Type II.

Protection of Data. TokenEx shall maintain administrative, physical, and technical safeguards for protection of Client’s data. TokenEx shall not modify Client’s data or access it except to prevent or address service problems.

Privacy Rules. TokenEx shall comply with all applicable privacy laws and regulations to the extent that those laws apply to the services being performed under this Agreement. In the event that a governmental authority or other authority having jurisdiction requests that all or any part of Client’s data be disclosed, TokenEx shall, if allowed by law, within two (2) business days inform Client of the request or subpoena, and cooperate with Client in any defense Client wishes to make to the request or subpoena, at Client’s expense.

Background Checks. TokenEx shall perform background checks on all employees involved in the performance of services to Client, including, at a minimum: SSN verification (with trace), academic credentials (highest level of education earned or most recent place of attendance), employment history (all employers for the longer of last seven years or last three employers), Domestic Terror Watchlist and criminal history (all felonies, misdemeanors, convictions, current indictments, and time served for last seven years in all counties of residence).

3. Client Responsibilities. Client shall be responsible for the accuracy, quality and content of all of Client’s data subject to this Agreement, and use commercially reasonable efforts to prevent unauthorized access to or use of the services. Client agrees to promptly notify TokenEx of any unauthorized access or use, and use the services in compliance with all applicable laws and government regulations. Client agrees not to make TokenEx’s services available to any third party, or to sell, resell, rent or lease the Services, unless pursuant to a separate negotiated agreement with TokenEx, or as a value-added service incorporated into Client’s product offering, and then with prior notification to and prior written permission of TokenEx. Client further agrees not to use production data within the TokenEx test environment.

4. TokenEx Platform Credentials.
TokenEx shall provide Client with Platform Credentials, including but not limited to (1) API Keys, (2) SFTP user accounts and (3) customer portal user accounts. Platform Credentials are SOLELY and exclusively for the use of Client. Notwithstanding any other provision in this Agreement, Client agrees that in the event Client provides or discloses Platform Credentials to any third party, Client is liable for any harm, injury or damages whatsoever arising from any such disclosure.

In the event Client discloses TokenEx’s Platform Credentials to any party other than Client’s employees, contractors, and outsourcers performing services for or on behalf of Client, Client understands and agrees that TokenEx disclaims any and all liability or responsibility whatsoever for any breach, disclosure or loss of Client data. By disclosing TokenEx’s Platform Credentials in breach of this Agreement, Client understands that Client is exposing Client’s data vault contents to breach, and that Client assumes any and all liability whatsoever for any breach of Client’s data vault.

Additionally, and in addition to the foregoing complete release of any and all liability, Client assumes any and all risks incident to the disclosure by Client (including any of Client’s employees, officers or directors) of Client’s Platform Credentials. Client hereby releases and holds TokenEx harmless from any and all liability of any kind or character whatsoever, in any form or forum, and to the fullest extent available under applicable law, concerning, arising from or in any way related to damages that Client may sustain following Client’s disclosure of TokenEx’s Platform Credentials.

5. Whitelisting. TokenEx, as part of its authentication model, employs IP Whitelisting. In the event Client elects not to utilize the Whitelisting service TokenEx provides as part of the TokenEx authentication model, then TokenEx disclaims any and all liability or responsibility whatsoever for any breach of Client’s data. By electing not to use TokenEx’s IP address validation component of TokenEx’s authorization model, Client understands that Client is exposing Client’s data vault contents to breach. Client hereby releases and holds TokenEx harmless from any and all liability of any kind or character whatsoever, in any form or forum, and to the fullest extent available under the applicable law, concerning, arising from, or in any way related to damages that Client may sustain as a result of an unauthorized disclosure of Client’s data which was not a direct result of TokenEx’s breach of any of its obligations hereunder.

6. Fees, Invoicing and Payment. Client agrees to pay the fees set forth in the Quote for Services, to be attached to the final contractual document. Client may pay for the services with a credit card and authorize TokenEx to charge such credit card for all fees related to this Agreement. If the order form specifies that payment may be by a method other than a credit card, TokenEx will invoice Client. Invoiced charges are due net thirty (30) days from the invoice date.

7. Warranties. TokenEx warrants (1) that the Services will perform as designed, (2) that the functionality of the Services will not be materially decreased, and (3) that TokenEx will perform the Services described herein in a professional manner consistent with industry standards and this Agreement.

8. Indemnification. Each party (“Indemnifying Party”) shall, to the extent caused by the indemnifying party’s negligent act or omission, defend, indemnify and hold harmless the other party, its Affiliates and their respective directors, shareholders, employees and officers (collectively, “Indemnified Parties”) from and against all claims, losses, liabilities (including negligence, tort and strict liability), damages, judgments, suits and all legal proceedings, and any and all costs and expenses in connection therewith (including any interest, penalties, fines and reasonable legal fees and disbursements) (individually, a “Claim” or collectively, “Claims”) arising out of or in any manner connected with any breach of any representation, warranty, covenant or other obligation of the Indemnifying Party contained herein. A party seeking indemnity from the other party shall promptly notify the other party of any Claim and shall provide information, assistance and cooperation in defending against such Claim at the Indemnifying Party’s sole cost and expense. Any such notification shall be in writing and directed to the person designated in the “Notification” paragraph hereof. In addition, an Indemnified Party shall have the right to participate in the defense of any Claim, suit or proceeding at its own sole cost and expense.

The right to indemnity provided for in this paragraph is subject to the non-breaching party’s notification to the alleged breaching party of any known breach of the provisions hereof, and providing the alleged breaching party with a reasonable time within which to correct the alleged breach, and provide evidence of any such correction. The right to correct a breach provided for herein shall not apply to the Nondisclosure provisions of this Agreement.

9. Limitation of Liability. THIS PARAGRAPH DOES NOT APPLY TO ANY OBLIGATIONS ARISING UNDER THE NONDISCLOSURE SECTION(S) OF THIS AGREEMENT (for example, a data breach or any disclosure of confidential information would not be subject to this paragraph). EXCEPT FOR OBLIGATIONS ARISING UNDER THE NONDISCLOSURE PROVISIONS, NEITHER PARTY’S LIABILITY WITH RESPECT TO ANY SINGLE INCIDENT ARISING OUT OF OR RELATED TO THIS AGREEMENT (WHETHER IN CONTRACT OR TORT OR UNDER ANY OTHER THEORY OF LIABILITY) SHALL EXCEED THE AMOUNT PAID BY CLIENT HEREUNDER IN THE 12 MONTHS PRECEDING THE INCIDENT, PROVIDED THAT IN NO EVENT SHALL EITHER PARTY’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT (WHETHER IN CONTRACT OR TORT OR UNDER ANY OTHER THEORY OF LIABILITY) EXCEED THE TOTAL AMOUNT PAID BY CLIENT HEREUNDER. THE FOREGOING SHALL NOT LIMIT CLIENT’S PAYMENT OBLIGATIONS. IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY FOR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES HOWEVER CAUSED, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

10. Prices. Pricing reflected on the attached Quote for Services is firm for the subscription term indicated. Any pricing modification(s) under this Agreement on any renewal thereof shall not exceed five (5) percent from the prior term except by written agreement of the parties.

11. Insurance. TokenEx shall maintain, at TokenEx’s own expense and in reasonable amounts acceptable to Client, professional liability insurance covering the effects of errors and omissions in the performance of professional duties, including cyber liability and network security coverage, with coverage limits of not less than $5,000,000 per claim. Upon request, Client shall be named as an additional insured as Client’s interests may appear on liability policies. A Certificate of Liability Insurance shall be furnished to Client upon request following the execution of this Agreement.

12. Return of Data/Notice. Client may request the return of Client’s stored data in the possession or control of TokenEx at the end of a subscription term, or upon termination of this Agreement or any extension or renewal hereof. Any request must be in writing and received by TokenEx within thirty (30) days following the effective date of termination. Thereafter, TokenEx shall have no further legal or business obligation to maintain or provide any of the data after that time and all such data shall be deleted from TokenEx’s systems. Stored data shall be returned to Client not later than fourteen (14) days following receipt of a written request.

13. Applicable Law. In any dispute arising under this Agreement, the laws of the State of Delaware shall govern without regard to the choice of law rules of any jurisdiction, including Delaware.

14. Arbitration. Any controversy, dispute or claim arising out of, in connection with, or in relation to, the interpretation, performance or breach of this Agreement, including, without limitation, the validity, scope and enforceability of this Agreement, that is not first resolved by negotiation between the parties, shall be submitted to binding and final arbitration by a single arbitrator selected by the American Arbitration Association (“AAA”), having experience in data security, and conducted pursuant to the rules of the AAA. Any such action or claim must be brought within two (2) years of the date the claim arose. The arbitrator shall be limited solely to awarding remedies that are permitted by this Agreement. Notwithstanding any other provision of this Agreement, the arbitrator shall award costs to the party that substantially prevails in any arbitration proceeding, including recovery of that party’s reasonable attorney’s fees, the arbitrator’s fees, and all costs of litigation incurred by the prevailing party in connection with the arbitration. Nothing in this section shall restrict a party’s right to seek injunction or other equitable relief in any court of competent jurisdiction prior to initiating arbitration.

15. Nondisclosure. Any information, trade secrets, know-how or proprietary information, in any form, that the parties hereto exchange shall be treated as confidential, shall be used only for the purpose of performing their respective obligations hereunder, and shall not be reproduced in whole or in part or disclosed to any other person for any other purposes. All such information shall be returned promptly upon demand of the discloser. The parties shall ensure that no information is shared with any third party except where necessary to perform the disclosing party’s obligations under this Agreement and, in such cases, the disclosing party shall obtain a similar undertaking to preserve confidentiality from the third party.

The parties further agree to be responsible for the actions of their employees and any other person provided access to their offices who may have contact with or access to information subject to this Agreement, and to monitor those persons such that said information is continuously protected.

It is expressly agreed that a remedy at law for breach of the obligations set forth in this section concerning Nondisclosure is inadequate and that each party shall, in addition to any other remedies permitted by the Agreement, be entitled to injunctive relief to prevent the breach or threatened breach thereof.

All rights and obligations contained in this Agreement concerning the nondisclosure and protection of proprietary and confidential information shall survive the termination of this Agreement.

16. Notices. Except as otherwise specifically set forth in this Agreement, all notices, demands, requests or other communications that are required to be given by any party pursuant to this Agreement shall be in writing and shall be personally delivered, mailed by first-class registered or certified mail (return receipt requested and postage prepaid), or sent by courier, addressed as follows:

If to TokenEx:

Attention: Alex Pezold
Address: P.O. Box 521068
Tulsa, OK 74152-1068
Phone: 877.316.4544
Fax: 405.703.5277

If to Client:

Attention:
Address:
Phone:
Fax:

17. Security Assessments and Audits. Upon reasonable request and no more than once every twelve (12) months, Client, one of Client’s designated clients, or a representative of either of these parties, may notify TokenEx in writing of Client’s intent to conduct either an assessment or an audit of TokenEx relevant to the services being provided to Client by TokenEx, in order to assess the performance of TokenEx’s obligations under this Agreement. For purposes of this paragraph, an “assessment” includes responding to written questions and providing limited documentation in respect of the services being provided to Client by TokenEx; and, an “audit” includes both an assessment and a site visit including access to TokenEx’s facilities, systems, personnel, and records pertaining to services provided to Client or Client’s client. Client shall provide written notice to TokenEx of Client’s intent to exercise these assessment or audit rights no less than thirty (30) days prior to initiation of any such assessment or audit. The notification shall contain the anticipated start date of the assessment or audit, questions to be answered, documents to be produced or reviewed, areas to be reviewed, and, in the event of an audit, the anticipated on-site arrival date of the auditors. All audits shall be conducted in a reasonable manner during normal business hours and shall not interfere with TokenEx’s business. TokenEx will bear internal costs incident to any such audit (salary of affected employees, etc.) of TokenEx, but only to the extent of One Thousand dollars ($1,000.00) per audit. Any internal expenses due to salary, etc., in excess of One Thousand dollars ($1,000.00) per audit, shall be billed to Client at TokenEx’s normal hourly rates. Each party shall communicate in good faith to agree to terms for an audit visit and adhere to these terms and admit properly identified and authorized employees or representatives of Client or Client’s client onto TokenEx’s premises.
Such access shall be limited to TokenEx’s facilities, systems, personnel and data that relate to the services provided to Client or a designated representative of Client. Copies of records that contain commingled documents or data of TokenEx that is not subject to audit or of TokenEx’s other clients shall be provided to the auditing party upon reasonable request after documents and data not subject to audit have been removed.

18. Business Continuity and Disaster Recovery Plans. Upon request, TokenEx shall promptly provide to Client an outline of TokenEx’s business continuity and disaster recovery plan, testing and exercise documentation, and/or recovery strategies of TokenEx’s contractors or subcontractors.

19. Security Controls. TokenEx has implemented and maintains (a) administrative, technical, and physical safeguards and security controls, (b) data retention, and incident response policies and procedures, and (c) an architecture designed for high-availability that is tailored to and appropriate for the nature and complexity of the Services, and otherwise designed to (i) ensure the security and confidentiality of the Services, personal information, and client data, (ii) protect against any anticipated threats or hazards to the security or integrity of the Services, personal information, and the client data, and (iii) protect against unauthorized access to or use of the Services, personal information, or the client data that could result in substantial harm or inconvenience to Client, Client’s affiliates, or Client’s clients or employees.

Updating of Security Controls. TokenEx shall evaluate and adjust TokenEx’s security controls to (a) address any reasonable changes or additions to the services, TokenEx’s operations, or the relationship between the parties, (b) address any risks or vulnerabilities reported to or discovered by TokenEx, (c) meet evolving industry standards and best practices, (d) comply with and respond to any changes in privacy laws or other applicable laws, and (e) address any other circumstances that TokenEx believes may have a material impact on the services, or could adversely affect Client, Client’s affiliates or Client’s employees or clients. TokenEx shall promptly correct any deficiencies or vulnerabilities identified as part of any monitoring, testing, or auditing. Without limiting the foregoing, TokenEx shall develop and implement an action plan for prompt corrective action to eliminate the identified risk, make the action plan available to Client, and provide all information reasonably requested by Client and Client’s regulators in connection with the implementation thereof.

TokenEx shall notify Client in writing or via email immediately and in accordance with TokenEx’s Incident response policy in the event of any known or suspected breach of confidentiality or security affecting Client, Client’s affiliates, employees, relevant contractors or clients, including any known or suspected unauthorized access to or misuse, loss, alteration or destruction of personal information or other client data. The initial communication shall describe the nature and impact of the security incident, the actions already taken, and an assessment of the immediate risk. TokenEx shall cooperate in taking all reasonable actions necessary to investigate, respond to, and limit the adverse effects of the security incident on a basis no less favorable than offered to any other affected client, and shall participate in Client’s internal incident response plan where applicable. TokenEx shall coordinate with Client regarding any notification to regulators, law enforcement, affected individuals, and the press, and shall not notify or otherwise contact any employees or clients of Client without Client’s prior written approval.

20. PCI DSS Compliance. TokenEx has established security procedures and shall make reasonable efforts consistent with industry standards to protect cardholder data, meet all applicable audit requirements and comply with PCI DSS (hereinafter “Payment Card Industry Data Security Standards”) and such other applicable rules, regulations, codes of practice, guidance and industry standards related to the handling and processing of credit card data in force from time to time during the term of this Agreement (“Payment Card Issuer Requirements”), as put forth by the PCI Security Standards Council.

TokenEx is responsible for the security of cardholder data TokenEx possesses or otherwise stores, processes, or transmits on Client’s behalf, or to the extent TokenEx could impact the security of Client’s cardholder data environment.

TokenEx agrees to comply with all applicable PCI DSS requirements to the extent that TokenEx handles, has access to, or otherwise stores, processes or transmits Client’s cardholder data, or manages Client’s cardholder data environment.

TokenEx acknowledges that TokenEx is solely responsible for compliance with all applicable PCI DSS requirements for TokenEx’s tokenization products and services, including but not limited to, TokenEx’s tokenization application programming interface (API), web site/pages, and vaulting services. Client agrees to monitor TokenEx’s PCI DSS compliance at least annually.

TokenEx agrees that on request, TokenEx shall provide Client proof of the current status of TokenEx’s PCI DSS compliance. If TokenEx or any of TokenEx’s subcontractors are no longer in compliance with the Payment Card Issuer Requirements, TokenEx shall (a) notify Client of the same within twenty-four (24) hours of discovery by TokenEx, (b) implement compensating controls to mitigate risk for the non-compliance within seventy-two (72) hours of discovery of loss of compliance, and (c) develop and communicate a remediation plan and timeline for becoming compliant. If TokenEx fails to uphold the foregoing obligations Client shall have the right to terminate this Agreement or any part of the Services, and Client shall only be obligated to pay for any Products and/or Services satisfactorily delivered.

TokenEx agrees to comply with all applicable laws that require notification of individuals or parties in the event of unauthorized disclosure of cardholder data.
Pursuant to the provisions of this Agreement, in the event of a breach of any of TokenEx’s security obligations relating to PCI or other event requiring notification under applicable law, TokenEx agrees to assume responsibility for informing all such individuals in accordance with applicable laws, and, subject to the indemnity and limitations on liability provisions contained herein.

21. Cooperation with Regulators. TokenEx shall provide reasonable cooperation to Client by providing service-specific information requested by Client’s regulators or any of Client’s clients concerning the relationship between the parties, and by making any modifications to the services and/or this Agreement required by such regulators. In the event that TokenEx determines that such modifications are impracticable or uneconomical, TokenEx shall have the right to terminate this Agreement.

22. Non-Competition. TokenEx agrees that during the term of this Agreement and for a period of one (1) year following the termination of this Agreement, TokenEx shall not, directly or indirectly, solicit, recruit, employ or otherwise engage or attempt to engage as an employee, independent contractor or advisor any person who was an employee or independent contractor of Client during the term of this Agreement, or in any manner induce or attempt to induce any person who was an employee or independent contractor of Client during the term of this Agreement to terminate his or her relationship with Client.

TokenEx further covenants and agrees that during the term of this Agreement and for a period of one (1) year following termination of this Agreement, TokenEx shall not, directly or indirectly, solicit or attempt to solicit any of Client’s customers or clients or engage in activity intended to redirect Client’s business, to the extent that Client’s business is the providing of electronic document management, workflow solutions, or finance processing services offered by Client during the term of this Agreement.

23. Force Majeure. Either party to this Agreement shall be released from liability hereunder for failure to perform any of its obligations hereunder where such failure to perform occurs by reason of any act of God, sabotage, war, strikes, lockouts, terrorism, military operations, national emergency, civil commotion, or the order, requisition, request or recommendation of any governmental agency or acting governmental authority, or by either party’s compliance therewith, or governmental  regulation or priority, or any other cause beyond either party’s reasonable control whether similar or dissimilar to such causes. In the event of any such disaster, TokenEx’s release of liability hereunder is subject to TokenEx’s reasonable execution of its Disaster Recovery and Business Continuity Plans, provided that any such exercise shall not itself have been rendered impracticable by any such event or its consequences. TokenEx shall be obligated to perform and Client shall be obligated to pay for only such services actually performed during any of the above-mentioned conditions. If either party is not able to perform its material obligations under this Agreement within forty-five (45) days after the aforementioned conditions have been resolved or removed, then the other party may immediately terminate this Agreement. Such termination, however, shall not affect the rights or obligations of either party that have arisen or accrued prior to such termination.

24. GENERAL PROVISIONS
Assignment. Neither party may assign or otherwise transfer this Agreement, or any of either party’s rights or obligations hereunder, without the prior written consent of the other party, which consent shall not be unreasonably withheld.

Severability. In the event that any provision of this Agreement is invalid or unenforceable, such invalid or unenforceable provision shall not invalidate or affect the other provisions of this Agreement. The other provisions of this Agreement shall remain in effect and be construed as if the invalid or unenforceable provision were not a part hereof, provided that if the invalidation or unenforceability of such provision shall, in the opinion of either party, have a material effect on such party’s rights or obligations under this Agreement, then the Agreement may be terminated by such party upon thirty (30) days’ written notice by such party to the other party.

Entire Agreement. This Agreement, together with all documents incorporated by reference herein, constitutes the entire and sole agreement between the parties with respect to the subject matter hereof and supersedes any prior agreements, negotiations, understandings, or other matters, whether oral or written, with respect to the subject matter hereof. This Agreement and the terms of the parties’ agreement cannot be modified, changed or amended except for in writing signed by a duly authorized representative of each of the parties.

Headings. The headings in this Agreement are for convenience of reference only and shall not be considered in the interpretation of this Agreement.

Counterparts. This Agreement may be signed by facsimile and in one or more counterparts and, when signed by both parties, shall constitute a single binding agreement.

Mutual NDA

This NON-DISCLOSURE AGREEMENT is made and entered into this _____ day of ________________, 20____ (the “Effective Date”) by and between __________________________, with its principal office at _______________________________________ (“Company”) and TokenEx LLC, an Oklahoma limited liability company, with its principal office located at 3825 NW 166th Street, Suite C1, Edmond, Oklahoma 73012 (“TokenEx”).
WHEREAS, the parties anticipate disclosing certain information to each other and have agreed to maintain the confidentiality of each other’s information;
NOW, THEREFORE, in consideration of the premises and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:

  1. Definitions
    “Confidential Information” as used in this Agreement shall include, but not be limited to, any and all financial, technical, legal, marketing, network and/or other business information, know-how, plans, records, files, file layouts, manuals, documentation or data (including but not limited to computer programs, code systems, applications, analyses, passwords, procedures, output, software sales, customer information, personal individual information, and lists compilations). All information communicated during the course of this Agreement, whether written or oral, shall be assumed confidential even if it is not specifically noted as such at the time of the disclosure.
    “Disclosing Party” is a party to this Agreement which discloses its Confidential Information to a Receiving Party.
    “Receiving Party” is a party to this Agreement which accepts, receives, views, or otherwise obtains Confidential Information from a Disclosing Party.
    “Affiliate(s)” means a subcontractor, advisor, agent, or affiliated entity controlling, controlled by, or under common control, performing on behalf of the Receiving Party in its obligations hereunder who have entered into a confidentiality agreement no less restrictive than the terms of this Agreement.
  2. Mutual Obligations. For three years from the disclosure date, Receiving Party shall protect Disclosing Party’s Confidential Information at least as closely as its own Confidential Information and with no less than a reasonable standard of care, and shall: (i) disclose the other party’s Confidential Information only to its affiliates, officers, directors, employees or contractors, provided such personnel are bound by confidentiality restrictions no less protective than those set forth in this Agreement; (ii) not disclose any Confidential Information to any third party without Disclosing Party’s prior written consent; (iii) use such Confidential Information only to the extent required for the purpose of evaluating a potential business relationship; (iv) reproduce Confidential Information only as required to accomplish such purpose; (v) not reverse engineer, decompile or disassemble any software disclosed; (vi) not directly or indirectly export or transmit any Confidential Information to any country to which such export or transmission is restricted by regulation or statute; and (vii) promptly provide Disclosing Party with notice of any actual or threatened breach of this Agreement. Receiving Party may use, without restriction, all information it receives from Disclosing Party that does not meet the definition of Confidential Information above. However, Receiving Party may disclose Confidential Information in accordance with a judicial or other governmental order only after giving Disclosing Party written notice and opportunity to seek confidential treatment of the information prior to disclosure.
  3. Notifications. Any notice permitted or required under this Agreement shall be deemed to have been given if it is in writing and personally served or delivered, mailed by registered or certified mail (return receipt requested), delivered by a national overnight courier service with confirmed receipt, or sent by facsimile with confirmation by registered mail to the parties at the following addresses:

    Notices to Company should be directed to:
    _____________________________________
    _____________________________________
    _____________________________________
    _____________________________________
    _____________________________________

    Notices to TokenEx should be directed to:

    TokenEx
    PO Box 521068
    Tulsa, Oklahoma 74152
    Phone #: 877.316.4544
    Attn: Alex Pezold

    Each party may change its address by giving similar notice.

  4. Exclusions. The foregoing obligation shall not apply to Confidential Information that: (a) is now or hereafter becomes generally known through no act or failure to act on Receiving Party’s part; (b) Receiving Party independently knows at the time of receiving such information, as is evidenced by its written records; (c) a third party furnishes to Receiving Party without breaching any obligation of confidentiality and without restriction on disclosure; (d) Receiving Party has independently developed without using Disclosing Party’s Confidential Information or breaching this Agreement; or (e) Disclosing Party gives written permission to Receiving Party to disclose. The Receiving Party shall have the burden of proof with respect to any claimed exception to the obligations of confidentiality.
  5. Proprietary Information. Confidential Information and copies thereof shall remain Disclosing Party’s property and shall be returned or destroyed, at Disclosing Party’s option, on written request or when Receiving Party’s need for it has expired, and in any event, on termination of this Agreement. No rights or licenses to trademarks, inventions, copyrights or patents are implied or granted under this Agreement. Confidential Information is provided “as is” without warranty, express or implied.
  6. Remedies. The parties acknowledge that monetary damages may not be a sufficient remedy for unauthorized use or disclosure of Confidential Information and that each party may, without waiving any other rights or remedies or posting bond, seek injunctive or equitable relief as a court of competent jurisdiction may deem proper.
    Recipient agrees that if there is any unauthorized use or disclosure of Disclosing Party’s Information by any of Recipient’s employees or any other third party with access to Disclosing Party’s Information through Recipient, Recipient will enforce for Disclosing Party’s benefit, through litigation if necessary, all rights provided under law to seek damages and protection from additional disclosure. In the event that Disclosing Party has provided Recipient with information in which any third party has an interest (including, without limitation, software or other trade secrets licensed to Disclosing Party by such third party), Recipient shall defend, indemnify and hold Disclosing Party harmless from any and all claims and demands of such third party and any liabilities, damages, costs and expenses (including reasonable attorneys’ fees) incident thereto arising out of or related to Recipient’s breach of this Agreement. The foregoing remedies are cumulative and in addition to any and all other remedies available at law or in equity. No waiver or modification of the terms hereof shall be binding unless in writing signed by Disclosing Party. No waiver of any provision hereof at any time shall operate as a waiver of any other provision or as a waiver of any subsequent breach of the same provision. The invalidity or unenforceability of any provision hereof shall not affect the validity or enforceability of the remaining provisions, all of which shall continue in full force and effect. In the event litigation arises out of this Agreement, the prevailing party shall be entitled to recover from the non-prevailing party its reasonable attorneys’ fees and costs.
  7. General
    Term and Survival. This Agreement commences on the date of first exchange of Confidential Information and shall survive the termination of any related contract or other relationship between the parties.
    Modifications. This Agreement may only be modified by a separate writing signed by both Parties.
    Governing Law and Venue. This Agreement shall be governed by and construed and interpreted in accordance with the substantive laws of the State of Delaware. Whenever possible, each provision of this Agreement shall be interpreted in such manner as to be effective and valid under applicable law, but if any provision hereof shall be prohibited by or invalid under applicable law, such provision shall be ineffective to the extent of such prohibition or invalidity, without invalidating the remainder of such provision or the remaining provisions of this Agreement. All obligations and rights of the Parties expressed herein shall be in addition to, and not in limitation of, those provided by applicable law. Any disputes arising out of this Agreement shall be subject to binding and final arbitration, pursuant to the Federal Arbitration Act (as amended from time to time).
  8. Non-solicitation. The parties acknowledge that each other’s business is dependent upon being able to attract, train and keep qualified persons and adequately utilize its employees. Unless it first obtains the prior written consent of the other party, neither party to this Agreement shall directly or indirectly, for itself, or on behalf of any other person, firm, corporation or other entity, solicit, participate in or promote the solicitation of the other party’s employees to leave the employ of the other party, or hire or retain as an employee or as an independent contractor the other party’s employees, during the term of this Agreement and for two (2) years immediately following the termination of the foregoing for any reason. Should either party solicit, hire or attempt to hire any employees from the other party during this period, the hiring party agrees to pay the other party as liquidated damages and not a penalty, within thirty (30) days of such event, a finder’s fee of  the relevant person’s most recent  monetary compensation (including bonuses) received during the preceding 12-month period with such non-hiring party (annualized for the purpose of calculating said finder’s fee for employees engaged for less than 12 months). Notwithstanding the foregoing, the parties hereby acknowledge and agree that the restrictions of this Section shall not apply to the hiring by either party of any individual who, not being specifically solicited or targeted, responds to a general recruitment advertisement of the other party.

THE PARTIES HAVE READ THIS AGREEMENT, UNDERSTAND IT, AND BY SIGNING BELOW AGREE TO BE BOUND BY IT. EACH PARTY REPRESENTS THAT THE INDIVIDUAL SIGNING ON ITS BEHALF HAS FULL AUTHORITY TO BIND SUCH PARTY.