1. Provision of Services. TokenEx, LLC (“TokenEx”) shall provide services to Client (identified in the signature block hereof) and Client shall pay for such services in accordance with the terms of this Service Agreement (“Agreement”) and the Quote for Services attached hereto during the initial subscription term and any extension thereof. This Agreement will automatically renew following each contract year, but may be terminated by either party upon providing the other party not less than thirty (30) days prior written notice of any termination. Client shall be obligated to pay any and all outstanding charges for services that have been delivered or invoiced prior to the date of termination.
2. TokenEx Responsibilities. TokenEx shall also provide basic support for the services at no additional charge, and use all reasonable, good-faith efforts to provide the services 24 hours a day, 7 days a week, except for (a) Scheduled Maintenance following at least five (5) days advance notice to Client, (b) any Emergency Security Update, for which TokenEx shall give notice by email as promptly as reasonably practicable, or (c) any unavailability caused by circumstances beyond TokenEx’s reasonable control. TokenEx has and will maintain during the Term, at least the following certifications: PCI-DSS Level 1 Service Provider, Privacy Shield (EU-US and Swiss-US), and SSAE 16 SOC 2 Type II.
Protection of Data. TokenEx shall maintain administrative, physical, and technical safeguards for protection of Client’s data. TokenEx shall not modify Client’s data or access it except to prevent or address service problems.
Privacy Rules. TokenEx shall comply with all applicable privacy laws and regulations to the extent that those laws apply to the services being performed under this Agreement. In the event that a governmental authority or other authority having jurisdiction requests that all or any part of Client’s data be disclosed, TokenEx shall, if allowed by law, within two (2) business days inform Client of the request or subpoena, and cooperate with Client in any defense Client wishes to make to the request or subpoena, at Client’s expense.
Background Checks. TokenEx shall perform background checks on all employees involved in the performance of services to Client, including, at a minimum: SSN verification (with trace), academic credentials (highest level of education earned or most recent place of attendance), employment history (all employers for the longer of last seven years or last three employers), Domestic Terror Watchlist and criminal history (all felonies, misdemeanors, convictions, current indictments, and time served for last seven years in all counties of residence).
3. Client Responsibilities. Client shall be responsible for the accuracy, quality and content of all of Client’s data subject to this Agreement, and use commercially reasonable efforts to prevent unauthorized access to or use of the services. Client agrees to promptly notify TokenEx of any unauthorized access or use, and use the services in compliance with all applicable laws and government regulations. Client agrees not to make TokenEx’s services available to any third party, or to sell, resell, rent or lease the Services, unless pursuant to a separate negotiated agreement with TokenEx, or as a value-added service incorporated into Client’s product offering, and then with prior notification to and prior written permission of TokenEx. Client further agrees not to use production data within the TokenEx test environment.
4. TokenEx Platform Credentials.
TokenEx shall provide Client with Platform Credentials, including but not limited to (1) API Keys, (2) SFTP user accounts and (3) customer portal user accounts. Platform Credentials are SOLELY and exclusively for the use of Client. Notwithstanding any other provision in this Agreement, Client agrees that in the event Client provides or discloses Platform Credentials to any third party, Client is liable for any harm, injury or damages whatsoever arising from any such disclosure.
In the event Client discloses TokenEx’s Platform Credentials to any party other than Client’s employees, contractors, and outsourcers performing services for or on behalf of Client, Client understands and agrees that TokenEx disclaims any and all liability or responsibility whatsoever for any breach, disclosure or loss of Client data. By disclosing TokenEx’s Platform Credentials in breach of this Agreement, Client understands that Client is exposing Client’s data vault contents to breach, and that Client assumes any and all liability whatsoever for any breach of Client’s data vault.
Additionally, and in addition to the foregoing complete release of any and all liability, Client assumes any and all risks incident to the disclosure by Client (including any of Client’s employees, officers or directors) of Client’s Platform Credentials. Client hereby releases and holds TokenEx harmless from any and all liability of any kind or character whatsoever, in any form or forum, and to the fullest extent available under applicable law, concerning, arising from or in any way related to damages that Client may sustain following Client’s disclosure of TokenEx’s Platform Credentials.
5. Whitelisting. TokenEx, as part of its authentication model, employs IP Whitelisting. In the event Client elects not to utilize the Whitelisting service TokenEx provides as part of the TokenEx authentication model, then TokenEx disclaims any and all liability or responsibility whatsoever for any breach of Client’s data. By electing not to use TokenEx’s IP address validation component of TokenEx’s authorization model, Client understands that Client is exposing Client’s data vault contents to breach. Client hereby releases and holds TokenEx harmless from any and all liability of any kind or character whatsoever, in any form or forum, and to the fullest extent available under the applicable law, concerning, arising from, or in any way related to damages that Client may sustain as a result of an unauthorized disclosure of Client’s data which was not a direct result of TokenEx’s breach of any of its obligations hereunder.
6. Fees, Invoicing and Payment. Client agrees to pay the fees set forth in the Quote for Services, to be attached to the final contractual document. Client may pay for the services with a credit card and authorize TokenEx to charge such credit card for all fees related to this Agreement. If the order form specifies that payment may be by a method other than a credit card, TokenEx will invoice Client. Invoiced charges are due net thirty (30) days from the invoice date.
7. Warranties. TokenEx warrants (1) that the Services will perform as designed, (2) that the functionality of the Services will not be materially decreased, and (3) that TokenEx will perform the Services described herein in a professional manner consistent with industry standards and this Agreement.
8. Indemnification. Each party (“Indemnifying Party”) shall, to the extent caused by the indemnifying party’s negligent act or omission, defend, indemnify and hold harmless the other party, its Affiliates and their respective directors, shareholders, employees and officers (collectively, “Indemnified Parties”) from and against all claims, losses, liabilities (including negligence, tort and strict liability), damages, judgments, suits and all legal proceedings, and any and all costs and expenses in connection therewith (including any interest, penalties, fines and reasonable legal fees and disbursements) (individually, a “Claim” or collectively, “Claims”) arising out of or in any manner connected with any breach of any representation, warranty, covenant or other obligation of the Indemnifying Party contained herein. A party seeking indemnity from the other party shall promptly notify the other party of any Claim and shall provide information, assistance and cooperation in defending against such Claim at the Indemnifying Party’s sole cost and expense. Any such notification shall be in writing and directed to the person designated in the “Notification” paragraph hereof. In addition, an Indemnified Party shall have the right to participate in the defense of any Claim, suit or proceeding at its own sole cost and expense.
The right to indemnity provided for in this paragraph is subject to the non-breaching party’s notification to the alleged breaching party of any known breach of the provisions hereof, and providing the alleged breaching party with a reasonable time within which to correct the alleged breach, and provide evidence of any such correction. The right to correct a breach provided for herein shall not apply to the Nondisclosure provisions of this Agreement.
9. Limitation of Liability. THIS PARAGRAPH DOES NOT APPLY TO ANY OBLIGATIONS ARISING UNDER THE NONDISCLOSURE SECTION(S) OF THIS AGREEMENT (for example, a data breach or any disclosure of confidential information would not be subject to this paragraph). EXCEPT FOR OBLIGATIONS ARISING UNDER THE NONDISCLOSURE PROVISIONS, NEITHER PARTY’S LIABILITY WITH RESPECT TO ANY SINGLE INCIDENT ARISING OUT OF OR RELATED TO THIS AGREEMENT (WHETHER IN CONTRACT OR TORT OR UNDER ANY OTHER THEORY OF LIABILITY) SHALL EXCEED THE AMOUNT PAID BY CLIENT HEREUNDER IN THE 12 MONTHS PRECEDING THE INCIDENT, PROVIDED THAT IN NO EVENT SHALL EITHER PARTY’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT (WHETHER IN CONTRACT OR TORT OR UNDER ANY OTHER THEORY OF LIABILITY) EXCEED THE TOTAL AMOUNT PAID BY CLIENT HEREUNDER. THE FOREGOING SHALL NOT LIMIT CLIENT’S PAYMENT OBLIGATIONS. IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY FOR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES HOWEVER CAUSED, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
10. Prices. Pricing reflected on the attached Quote for Services is firm for the subscription term indicated. Any pricing modification(s) under this Agreement on any renewal thereof shall not exceed five (5) percent from the prior term except by written agreement of the parties.
11. Insurance. TokenEx shall maintain, at TokenEx’s own expense and in reasonable amounts acceptable to Client, professional liability insurance covering the effects of errors and omissions in the performance of professional duties, including cyber liability and network security coverage, with coverage limits of not less than $5,000,000 per claim. Upon request, Client shall be named as an additional insured as Client’s interests may appear on liability policies. A Certificate of Liability Insurance shall be furnished to Client upon request following the execution of this Agreement.
12. Return of Data/Notice. Client may request the return of Client’s stored data in the possession or control of TokenEx at the end of a subscription term, or upon termination of this Agreement or any extension or renewal hereof. Any request must be in writing and received by TokenEx within thirty (30) days following the effective date of termination. Thereafter, TokenEx shall have no further legal or business obligation to maintain or provide any of the data after that time and all such data shall be deleted from TokenEx’s systems. Stored data shall be returned to Client not later than fourteen (14) days following receipt of a written request.
13. Applicable Law. In any dispute arising under this Agreement, the laws of the State of Delaware shall govern without regard to the choice of law rules of any jurisdiction, including Delaware.
14. Arbitration. Any controversy, dispute or claim arising out of, in connection with, or in relation to, the interpretation, performance or breach of this Agreement, including, without limitation, the validity, scope and enforceability of this Agreement, that is not first resolved by negotiation between the parties, shall be submitted to binding and final arbitration by a single arbitrator selected by the American Arbitration Association (“AAA”), having experience in data security, and conducted pursuant to the rules of the AAA. Any such action or claim must be brought within two (2) years of the date the claim arose. The arbitrator shall be limited solely to awarding remedies that are permitted by this Agreement. Notwithstanding any other provision of this Agreement, the arbitrator shall award costs to the party that substantially prevails in any arbitration proceeding, including recovery of that party’s reasonable attorney’s fees, the arbitrator’s fees, and all costs of litigation incurred by the prevailing party in connection with the arbitration. Nothing in this section shall restrict a party’s right to seek injunction or other equitable relief in any court of competent jurisdiction prior to initiating arbitration.
15. Nondisclosure. Any information, trade secrets, know-how or proprietary information, in any form, that the parties hereto exchange shall be treated as confidential, shall be used only for the purpose of performing their respective obligations hereunder, and shall not be reproduced in whole or in part or disclosed to any other person for any other purposes. All such information shall be returned promptly upon demand of the discloser. The parties shall ensure that no information is shared with any third party except where necessary to perform the disclosing party’s obligations under this Agreement and, in such cases, the disclosing party shall obtain a similar undertaking to preserve confidentiality from the third party.
The parties further agree to be responsible for the actions of their employees and any other person provided access to their offices who may have contact with or access to information subject to this Agreement, and to monitor those persons such that said information is continuously protected.
It is expressly agreed that a remedy at law for breach of the obligations set forth in this section concerning Nondisclosure is inadequate and that each party shall, in addition to any other remedies permitted by the Agreement, be entitled to injunctive relief to prevent the breach or threatened breach thereof.
All rights and obligations contained in this Agreement concerning the nondisclosure and protection of proprietary and confidential information shall survive the termination of this Agreement.
16. Notices. Except as otherwise specifically set forth in this Agreement, all notices, demands, requests or other communications that are required to be given by any party pursuant to this Agreement shall be in writing and shall be personally delivered, mailed by first-class registered or certified mail (return receipt requested and postage prepaid), or sent by courier, addressed as follows:
If to TokenEx:
Attention: Alex Pezold
Address: P.O. Box 521068
Tulsa, OK 74152-1068
If to Client: