This Master Services Agreement (“MSA”) is entered into as of the date of last signature (the “Effective Date”) by and between NAVEX Global UK Limited, registered in the United Kingdom with company registration number 12011655, having its principal place of business located at Part Fourth Floor, 1 Queen Caroline Street, Hammersmith, London, UK W6 9HQ (“NAVEX”), and the entity that is accepting these terms as part of an online purchase (“Customer”). In consideration of the mutual covenants and conditions contained in this MSA and intending to be legally bound, the parties agree as follows:
1.0. Purpose and Scope.
1.1. Master Services Agreement.
This MSA establishes the general terms and conditions with respect to NAVEX’s provision of Services to Customer. “Service” or “Services” means, collectively: (i) NAVEX’s proprietary software-as-a-service offering that NAVEX makes available to Customer online via a Uniform Resource Locator (URL) including all related patches, updates, and upgrades (“SaaS Offering”); and (ii) any other services provided to Customer by NAVEX. This MSA and all Order Forms and other documents executed by the parties or incorporated into the MSA by reference are, collectively, the “Agreement.”
The Services to be provided will be set forth in the ordering form that is entered into through Customer’s online purchase and is governed by this MSA (“Order Form”) as well as the Service Terms attached hereto as Exhibit A and the Descriptions of Services attached hereto as Exhibit B, each of which are incorporated by this reference as though fully set forth herein. Customer may also enter into an Order Form with NAVEX describing additional Services to be purchased, which will be executed by the Parties and governed by this MSA, and such document will also be considered an “Order Form” as defined herein. Certain Services which are not recurring and for which only one-time fees apply may be added pursuant to a simplified ordering document that only requires a signature on behalf of Customer (“Change Order”). As used herein “Order Form” includes “Change Order.” Customer’s execution of an Order Form constitutes a binding commitment to purchase the Services specified in such Order Form.
1.3. Affiliates.
“Affiliate” means an entity controlling, controlled by, or under common control with a party to this MSA. Customer may authorise its Affiliates’ use of the Services provided that (i) the combined use of the Services by Customer and its Affiliates shall not exceed the applicable Subscription Metrics (as defined in Section 2.1); (ii) Customer shall ensure that any such Affiliate’s use of the Services will be in accordance with the applicable terms and obligations of the Agreement; and (iii) Customer shall be responsible for all use of the Services by any such Affiliate.
1.4. Order of Precedence.
To the extent any terms and conditions of this MSA conflict with the terms and conditions of an Order Form, the terms and conditions of this MSA shall take precedence, unless an Order Form executed by the parties expressly states that conflicting terms in the Order Form shall prevail.
1.5. Applicable Law.
“Applicable Law” means any law, rule, statute, or regulation applicable to a party.
2.0. Services.
2.1. Grant of Use.
During the applicable Services Term (as defined in Section 6.2), and subject to Customer’s compliance with the Agreement, NAVEX grants Customer a limited, non-exclusive, non-transferable (except as otherwise provided under the Agreement), worldwide (subject to the restrictions of Section 12.7) right to access and use the Services identified in the applicable Order Form in accordance with the Agreement. Customer’s use is restricted to the limitations on usage of the Services as designated and/or defined in the applicable Order Form (“Subscription Metrics”).
2.2. Subscription Metrics.
Subscription Metrics are designated by a term such as the number of “licences,” “employees,” “reports,” and the like. At all times during the Services Term, Customer shall be responsible for ensuring sufficient Subscription Metrics to accommodate one hundred percent (100%) of its usage of the Services. If Customer’s usage of the Services exceeds the contracted Subscription Metrics, Customer must promptly purchase additional Subscription Metrics to cover such additional usage by executing an Order Form increasing the Subscription Metrics. If Customer does not promptly execute an Order Form for the additional Subscription Metrics, NAVEX may increase the annual fee(s) for the applicable Services at the then-prevailing prices to account for the level of usage above Customer’s contracted Subscription Metrics.
2.3. Online Access; Hosting Infrastructure.
NAVEX will provide Customer online access to and use of the SaaS Offering in accordance with the applicable Order Form and the user instructions, release notes, manuals, and online help files that describe the operation of the Services in the form generally made available to NAVEX customers, as may be updated from time to time (collectively, the “Technical Documentation”). Customer will access the SaaS Offering by use of a supported Customer-provided browser. NAVEX is responsible for the hosting and management of the SaaS Offering, including obtaining and maintaining all computer hardware, software, communications systems, network, and other infrastructure necessary to permit Customer to access and use the SaaS Offering (“Hosting Infrastructure”), either directly or through its designated third-party supplier or data centre. NAVEX will manage and install within the Hosting Infrastructure all updates and upgrades that NAVEX makes generally available to its customers. Customer is solely responsible for obtaining and maintaining, at its own expense, all equipment and technology needed to access the SaaS Offering, including, without limitation, internet access and adequate bandwidth.
2.4. Acceptable Use.
Customer shall use the Services exclusively for authorised and legal purposes and consistently with Applicable Law.
2.5. Administrative Users; Password Management.
NAVEX will be responsible for ensuring the security and confidentiality of account names and passwords residing within its systems and while being received and processed by the SaaS Offering for the purpose of permitting access thereto. Customer is responsible for instructing any individual who Customer authorises to use the administrative features of the Services (each such individual, an “Admin User”) to keep their respective account names and passwords strictly confidential. Customer agrees to promptly notify NAVEX if account names or passwords are lost, stolen, or otherwise compromised. Customer shall be responsible for use of the Services by its Admin Users and shall ensure that any such Admin User’s use of the Services will be in accordance with the applicable terms and obligations of the Agreement. Customer must promptly take all necessary steps, including providing Notice to NAVEX, to terminate an access identification for an Admin User if there is a compromise in the security of that access identification or if unauthorised use of such access identification is suspected or has occurred.
2.6. Support.
During the applicable Services Term, NAVEX will provide a commercially reasonable level of support for the Services, including, but not limited to, the self-help support resources NAVEX makes generally available to its customers as well as support with regard to Errors (as defined in Section 7.2).
2.7. Integrations.
During the applicable Services Term, NAVEX will review Customer requests for assistance implementing interactions between the SaaS Offering and application programming interfaces, applications, services, products, or software provided by a third party (“Integrations”). Prior to requesting assistance with an Integration, Customer shall coordinate with the third party to obtain any applicable authorisations that may be required by such third party for the Integration. NAVEX is not obligated to accept a request for assistance implementing an Integration, however NAVEX agrees to review all such requests in good faith and NAVEX shall not unreasonably withhold such assistance. If NAVEX agrees to assist with the implementation of an Integration: (i) NAVEX will make commercially reasonable efforts to ensure the successful implementation of the Integration; (ii) additional fees may apply for such assistance; and (iii) NAVEX accepts no liability for errors with the Integration or for the unauthorised use, access, or processing of any Customer Data (as defined in Section 3.1) that occurs as a result of an Integration, except to the extent that such errors or access is a direct result of NAVEX’s breach of its obligations under the Agreement.
3.0. Proprietary Rights.
3.1. Ownership.
Each party shall retain all right, title, and interest in any copyrights, trademarks, patent rights, and other intellectual property or proprietary rights it has acquired or developed prior to or outside the scope of the Agreement. Any data collected, received, or processed by NAVEX through Customer’s use of the Services, including Personal Data (as defined in Section 4.5) but excluding Service Improvement Data (as defined in Section 3.5) (collectively, “Customer Data”), will remain the exclusive property of Customer. NAVEX shall own and retain all right, title, and interest, including copyrights, trademarks, and patent rights in any and all Services provided under the Agreement and any and all derivative works thereof. Neither party will acquire any right, title, or interest in the intellectual property rights of the other party by virtue of its performance under the Agreement. All rights not expressly granted are reserved exclusively by the respective owner; there are no implied rights.
3.2. Use of Customer-Provided IP in Providing the Services.
To the extent Customer provides any of Customer’s intellectual property to NAVEX with the direction to use such Customer-provided intellectual property in the course of providing the Services (“Customer-Provided IP”), Customer grants NAVEX, for the applicable Services Term and for the sole and limited purpose of delivering the Services to Customer, a limited, non-exclusive, worldwide, non-transferable, royalty-free licence to reproduce, transmit, display, distribute, create derivative works thereof for the sole purpose of formatting, and otherwise use the Customer-Provided IP in the course of delivering the Services to Customer per the terms of the Agreement. NAVEX agrees that any use of Customer-Provided IP will inure solely to the benefit of Customer and NAVEX will not at any time acquire any rights in any Customer-Provided IP. NAVEX shall not take any action that jeopardises any of Customer’s rights in any Customer-Provided IP. NAVEX may not obscure, alter, or remove any copyright, patent, trademark, service mark, or proprietary rights notices on any Customer-Provided IP.
3.3. Restrictions.
Customer shall not: (i) sell, resell, distribute, lease, rent, license, or sublicense the Services or any portion thereof, including, without limitation, to provide processing services to third parties, or otherwise use the Services on a service bureau basis; (ii) reverse engineer or otherwise attempt to discover the source code of, or trade secrets embodied in, the Services or any portion thereof; (iii) write or develop any derivative works based upon the Services; (iv) modify, adapt, tamper with, or otherwise make any changes to the Services or any part thereof; (v) breach or attempt to breach the security of the Services, the Hosting Infrastructure, or of any third party that is hosting or interfacing with any part of the Services; (vi) use or distribute through the Services any software, files, or other tools or devices designed to interfere with or compromise the privacy, security, or use of the Services or the operations or assets of any other customer of NAVEX or any third party; (vii) use the Services in a manner not authorised under the Technical Documentation or the Agreement; or (viii) take, or direct or authorise any third party to take, any action intended to or that has the effect of disrupting, impairing, disabling or interrupting the Services or NAVEX’s or its subcontractors’ ability to provide the Services.
3.4. Data Aggregation.
Customer authorises NAVEX, as part of the Services, to access and compile certain Customer Data (excluding Personal Data), for the purpose of analysis and reporting on the effectiveness and trends in corporate ethics and compliance programs. The Customer Data that NAVEX accesses and compiles shall be aggregated with other similar data across all NAVEX customers according to industry, company size, country, geographic region, or other relevant classification and shall not be used in any manner that would directly or indirectly identify Customer.
3.5. Service Improvement Data.
Customer understands that NAVEX employs certain third-party software within its Services to enable NAVEX to better understand Admin User behavior and provide Admin Users with improved functionality and other relevant enhancements to the software application(s). The data gathered from such use (“Service Improvement Data”) shall not contain Personal Data, but may include information such as browser type, pages visited, features used, and operating system version. Service Improvement Data shall exclusively be used internally by NAVEX in its efforts to continuously improve the Services.
4.1. General Security Obligation.
NAVEX will implement and maintain commercially reasonable and appropriate measures designed to secure Customer Data against accidental, unauthorised, or unlawful loss, access, or disclosure.
4.2. Additional Agreements.
Customer may supplement the privacy and/or information security provisions of this MSA by executing the Data Processing Addendum and/or the Data Security Addendum available here:
https://www.navex.com/en-us/resources/executing-a-data-processing-addendum-and-data-security-addendum-with-navex/. The parties further agree that they will work together in good faith to enter into any additional agreements that may be legally required by either party to ensure compliance with Applicable Law, particularly with regard to applicable data privacy laws.
4.3. Annual Security Reviews.
On an annual basis, NAVEX will engage a recognised, independent third party to conduct a Statement on Standards for Attestation Engagements No. 18, Service Organization Control 2, Type 2 (“SSAE 18 SOC 2 Type 2”) audit (or its equivalent or successor) of its information security program and its administrative, technical, and physical safeguards used to deliver the Services. At least annually, NAVEX will have an application and infrastructure PEN test performed by a reputable third-party on all web applications and infrastructure. NAVEX will assess criticality and remediate, or implement compensating controls for, any issues identified by NAVEX as requiring remediation in a timely manner based on level of criticality and risk. NAVEX will provide Customer an executive summary of the results of such assessments upon request.
4.4. Audit Package.
To facilitate risk-based assessments by Customer of NAVEX’s information security program, upon Customer’s request, NAVEX will provide the following: (i) NAVEX’s completed Standardized Information Gathering Questionnaire; (ii) NAVEX’s annual independent SSAE 18 SOC 2 Type II report (or its equivalent or successor); (iii) NAVEX’s annual third-party PEN tests; and (iv) any specific policies requested by Customer that NAVEX generally makes available to its customers.
4.5. Definition of Personal Data.
“Personal Data” means any information relating to an identified or identifiable natural person as further defined under Applicable Law, which may include a term similar to Personal Data, but which shall have the same general meaning (for example “personal information”) where such data is submitted to the Services as Customer Data.
4.6. Processing of Personal Data.
Customer acknowledges and agrees that NAVEX will collect, process, use, and/or store certain Personal Data in delivering the Services. Each party agrees to comply with its respective obligations under Applicable Law in relation to its processing of Personal Data. NAVEX (i) has established and shall maintain appropriate technological security measures to protect against unauthorised access to any Personal Data that is stored within the Hosting Infrastructure; (ii) shall not utilise Personal Data for any purpose other than to provide Services; (iii) shall not disclose any Personal Data to any person not authorised by Customer, except as necessary to comply with Applicable Law; (iv) will act solely on the instructions of Customer in respect of all Personal Data, unless otherwise prohibited by Applicable Law; and (v) will promptly inform Customer of any confirmed Customer Data Incident regarding disclosure of Personal Data, complaint concerning disclosure, or other unauthorised use of Personal Data. “Customer Data Incident” means any actual or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to Customer Data, including Personal Data, while processed by NAVEX or its Sub-processors of which NAVEX becomes aware. All NAVEX subcontractors with access to Personal Data (“Sub-processors”) will be contractually required to comply with Applicable Law and will be bound to strict obligations of confidentiality, privacy, and security. Customer expressly consents to NAVEX engaging Sub-processors as disclosed in an applicable Order Form. NAVEX shall be responsible for all acts and omissions by such Sub-Processors. Where Customer instructs NAVEX to engage with any third parties on behalf of Customer (for example, to implement an Integration), NAVEX shall have no liability or responsibility for the transfer of Personal Data to any such third party, except to the extent that such liability arises as a direct result of NAVEX’s breach of its obligations under the Agreement.
5.0 Fees and Payment.
5.1. Fees.
Fees are set forth in the applicable Order Form and are based on the applicable Subscription Metrics. Except as otherwise specified herein, fees are not refundable or cancellable. Except as otherwise agreed to in writing by the parties, NAVEX shall send all invoices and fee increase notices via email to the Customer email address indicated in the applicable Order Form.
5.2. Payment.
Invoices shall be issued in accordance with the terms of the applicable Order Form. Unless otherwise agreed to in writing by the parties, Customer will pay all undisputed fees due within thirty (30) calendar days following the invoice date. Except as otherwise expressly specified in the applicable Order Form, Customer shall send such payment to the address included on the invoice, and such payments shall be made in the currency specified in the applicable Order Form. Interest accrues on past due balances not under good faith dispute by Customer until paid at the lesser of (i) one and one-half percent (1.5%) per month; and (ii) the highest rate allowed by law. Customer shall reimburse NAVEX for reasonable expenses incurred, including interest, court costs, and reasonable legal fees, in collecting amounts due to NAVEX hereunder that are not under good faith dispute by Customer.
5.3. Taxes.
NAVEX is solely responsible for taxes based upon NAVEX’s net income, assets, payroll, property, and employees. Unless otherwise specified in the applicable Order Form, all fees for the Services exclude any direct or indirect taxes, levies, duties, or similar governmental assessments, including without limitation, any sales, use, value-added, withholding, or similar taxes (“Customer Taxes”). Customer is responsible for paying all Customer Taxes associated with Customer’s purchases hereunder directly to the taxing authority. As an exception to the foregoing, and unless Customer provides NAVEX with a valid tax exemption certificate authorised by the appropriate taxing authority, if NAVEX has the legal obligation to pay or collect Customer Taxes for which Customer is responsible under the Agreement, the appropriate amount shall be invoiced to and paid by Customer to NAVEX.
6.0. Term and Termination.
6.1. MSA Term.
This MSA shall be effective as of the Effective Date and remain in effect until terminated as set forth herein (“MSA Term”).
6.2. Services Term.
Unless otherwise agreed by a mutually-executed Order Form, the initial term for each Service purchased will be one year from the date that Customer enters into the relevant Order Form (the “Initial Term”). Following the Initial Term, each subscription will automatically renew for successive 1-year periods (each a “Renewal Term”). Either party may elect not to renew for a Renewal Term by providing written notification to the other party at least 30 days prior to the start of a Renewal Term. Customer may provide this notification by emailing
cancellations@navex.com. NAVEX may increase annual fees applicable to a Renewal Term by providing written notification of the increase at least 60 days prior to the start of the Renewal Term. The Initial Term and each Renewal Term together are the “Services Term”.
6.3. Suspension of Services for Non-Payment.
If any fees which are not disputed by Customer in good faith are more than thirty (30) calendar days past due, NAVEX will have the right, in addition to all other rights and remedies available to it, to suspend delivery of, or access to, the Services upon the expiration of ten (10) calendar days’ Notice.
6.4. Disputed Fees.
Customer shall set forth in writing and in reasonable detail any amount(s) disputed in good faith and the basis or reason for the dispute. Upon receipt of a Notice of dispute, the parties will make reasonable, diligent, good faith efforts to quickly resolve the dispute, and NAVEX shall provide such information as Customer reasonably requests in order to audit or confirm the charges. Neither party shall be required to pay or refund, as applicable, any amounts disputed in good faith until such dispute is fully resolved. Once the dispute is fully resolved, the agreed-upon amounts shall be paid or refunded, as applicable, within ten (10) calendar days following such resolution.
6.5. Termination.
The Agreement may be terminated (i) by either party if the other party materially breaches the Agreement and does not cure the breach within thirty (30) calendar days after receiving Notice thereof from the non-breaching party; (ii) as set forth in Section 7.5 (Infringement Remedies); (iii) as set forth in Section 12.7 (Supply Chain Due Diligence and Compliance with Law); (iv) by a party if the other party becomes insolvent (generally unable to pay its debts as they become due) or the subject of a bankruptcy, conservatorship, receivership, or similar proceeding, or makes a general assignment for the benefit of creditors; (v) by either party at any time that no Order Form is outstanding; or (vi) by NAVEX upon the expiration of ten (10) calendar days’ Notice if any fees which are not disputed by Customer in good faith are more than thirty (30) calendar days past due.
6.6. Partial Termination.
Where a party has the right to terminate the Agreement pursuant to Section 6.5 (Termination), such party may, at its discretion, either terminate the entire Agreement or instead choose to only terminate an individual Order Form. Order Forms that are not terminated shall continue in full force and effect under the terms of this MSA.
6.7. Effects of Termination or Partial Termination.
Upon any termination, without prejudice to any other rights or remedies that the parties may have, all rights licensed and obligations required hereunder shall immediately cease, except as otherwise provided. NAVEX shall provide Customer a pro-rata refund of pre-paid fees for undelivered Services in the event the Agreement or an Order Form is terminated: (i) by Customer pursuant to Section 6.5(i) in connection with an uncured material breach; (ii) by NAVEX pursuant to Section 6.5(ii) in connection with an infringement claim; or (iii) by Customer pursuant to Section 6.5(iv) in connection with NAVEX’s insolvency. Each party may retain, subject to the protections and restrictions set out in this MSA, copies of Confidential Information required for compliance with Applicable law or internal record keeping requirements. Unless otherwise documented by the parties, all Customer Data within the Hosting Infrastructure shall be deleted within forty-five (45) calendar days of expiration or termination of the applicable Order Form. Customer Data stored in backups shall be overwritten in accordance with NAVEX’s backup and retention cycle. If NAVEX terminates the Agreement or an Order Form pursuant to Section 6.5(vi) in connection with Customer’s failure to pay undisputed, past due fees, Customer agrees that it shall remain responsible for all outstanding fees payable to NAVEX for the Services Term and NAVEX may declare all such fees immediately due and payable. Customer acknowledges that such amounts are liquidated damages reflecting a reasonable measure of actual damages and not a penalty.
7.0. Warranties and Disclaimers.
7.1. NAVEX Warranties.
NAVEX warrants that: (i) the Services, when used in accordance with the current Technical Documentation, will perform in all material respects as specified in such Technical Documentation; (ii) all Services will be performed in a professional manner, in accordance with industry standards; (iii) NAVEX will comply with all laws to which it is subject in the course of performing its obligations under the Agreement; (iv) NAVEX will not design its systems to include, and will use industry standard measures to prevent the transmission of, any “back door,” “time bomb,” “Trojan horse,” “worm,” “drop dead device,” “virus,” “preventative routines,” or other similar computer software routines; and (v) to the best of its knowledge: (a) the Services do not infringe or otherwise violate any intellectual property right of any third party; and (b) no claim, action, or suit for the misappropriation or infringement of any intellectual property rights has been brought or is pending or threatened against NAVEX.
7.2. Breach of Services Warranty Remedies.
In the event of any breach of Section 7.1(i), NAVEX shall diligently endeavour to remedy any material failures of a Service to conform to its functional specifications as described in the Technical Documentation that Customer reports to NAVEX and that NAVEX is able to replicate (“Errors”). NAVEX shall not be obligated to correct Errors resulting from any (i) components or content not provided by NAVEX or its licensors; (ii) unauthorised use or use of the Services other than in accordance with the Technical Documentation and the Agreement; or (iii) viruses, malicious software, or other disruptive programs or applications that Customer introduces into the Services or which are introduced into the Services as a result of Customer’s use of the Services.
7.3. Customer Warranties.
Customer represents and warrants that: (i) Customer’s use of the Services and provision of Customer Data will comply with Applicable Law; and (ii) Customer-Provided IP will not infringe the intellectual property or other proprietary rights of any third party.
7.4. Mutual Warranties.
Each party represents and warrants that: (i) the execution, delivery, and performance of this MSA has been and shall be duly authorised by the executing party; (ii) the executing party’s performance of its obligations will not conflict with, result in a breach of, or constitute a default under any other agreement to which that party is bound; and (iii) the executing party is in material compliance with all Applicable Laws with regard to its obligations under the Agreement.
7.5. Infringement Remedies.
If the Services infringe, or if NAVEX believes that the Services infringe, on the intellectual property or other proprietary rights of any third party, NAVEX may, in its sole discretion, (i) modify the Services to be non-infringing, (ii) obtain for Customer a licence to continue using the affected Services; or (iii) if neither (i) or (ii) are practical in NAVEX’s reasonable judgment, terminate the affected Services and return to Customer the unused portion of any fees paid for the affected Services. Subject to NAVEX satisfying its express indemnification obligations under this MSA, NAVEX’s satisfactory performance of any one or all of the remedies set forth in the preceding sentence shall be Customer’s sole and exclusive remedy for NAVEX’s breach of the infringement warranty or for any damages incurred from early termination of the applicable Order Form due to a third-party infringement claim.
7.6. Disclaimer of Warranties.
EXCEPT FOR THE WARRANTIES EXPRESSLY SET FORTH HEREIN AND THOSE EXPRESSLY SET FORTH IN AN ORDER FORM, ALL SERVICES ARE PROVIDED ON AN “AS IS,” “AS AVAILABLE” BASIS, AND NAVEX DISCLAIMS, TO THE MAXIMUM EXTENT PERMITTED BY LAW, ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, OR STATUTORY WITH RESPECT TO THE SERVICES, DELIVERABLES, MARKS, OR NAVEX’S PERFORMANCE UNDER THE AGREEMENT, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF MERCHANTABILITY, ACCURACY, FITNESS FOR A PARTICULAR PURPOSE, AND THOSE THAT ARISE FROM ANY COURSE OF DEALING OR COURSE OF PERFORMANCE. NAVEX EXPRESSLY DOES NOT WARRANT THAT CUSTOMER’S USE OF THE SERVICES WILL SATISFY THE SPECIFIC REQUIREMENTS OF ANY INTERNATIONAL, NATIONAL, FEDERAL, PROVINCIAL, STATE, OR LOCAL LAWS, REGULATIONS, OR GUIDELINES APPLICABLE TO CUSTOMER.
7.7. Additional Disclaimers and Agreements.
(i) LEGAL SERVICES.
NAVEX is not engaged in the practice of law. In the provision of Services, certain issues may arise that are quasi-legal in nature. Any statements or assistance NAVEX PROVIDES in these matters should be interpreted as opinions or advice concerning business issues to be considered in connection with the Services. Customer UNDERSTANDS AND AGREES THAT it is not relying upon NAVEX to provide legal services.
(ii) USE.
Customer UNDERSTANDS AND AGREES that it is fully responsible for its use of the Services. NAVEX expressly disclaims any liability as a result of Customer’s use of the Services or Customer’s actions or inactions with respect to any information derived therefrom, except where such liability first arose as a direct result of NAVEX’s (a) breach of thE AGREEMENT; OR (b) negligent act or omission in delivering the Services. NAVEX WILL NOT BE RESPONSIBLE FOR PAYMENT OF ANY FINES ASSESSED AGAINST CUSTOMER BY ANY REGULATORY AUTHORITY FOR CUSTOMER’S FAILURE TO COMPLY WITH STATUTORY OR REGULATORY REQUIREMENTS OF ANY KIND.
8.0 Indemnification.
8.1. Definition of Losses.
As used herein, “Losses” means any costs and expenses (including reasonable legal fees and disbursements), liability, and costs from suits, actions, or proceedings threatened, made, or brought by any third party in connection with any and all allegations, claims, or demands.
8.2. Indemnification Protection for Customer.
NAVEX will indemnify and defend Customer and its officers, directors, employees, and agents against Losses to the extent such Losses relate to or arise from (i) Customer Data Incidents; or (ii) a claim that the Services infringe or misappropriate any third-party intellectual property rights. NAVEX’s obligations under Section 8.2(ii) do not apply (a) to the extent that the allegedly infringing Service(s), portions or components thereof, or modifications thereto result from any change made by Customer or any third party for Customer; (b) if the infringement claim could have been avoided by using an unaltered current version of the Services that NAVEX provided; or (c) to the extent that an infringement claim is based upon any information, design, specification, instruction, software, data, or material not furnished by NAVEX, or any material from a third-party portal or other external source that is accessible to Customer within or from the Services (e.g., a third-party web page accessed via a hyperlink) or a third-party product.
8.3. Indemnification Protection for NAVEX.
To the extent permitted by Applicable Law, Customer will indemnify and defend NAVEX and its officers, directors, employees, and agents against any and all Losses to the extent such Losses relate to or arise from: (i) a claim that Customer-Provided IP infringes or misappropriates any third-party intellectual property rights; or (ii) any Customer Taxes for which Customer is liable. Customer’s obligations under Section 8.3(i) do not apply (a) to the extent that the allegedly infringing Customer-Provided IP, portions or components thereof, or modifications thereto result from any change made by NAVEX or any third party on behalf of NAVEX; or (b) if the infringement claim could have been avoided by using an unaltered current version of the Customer-Provided IP that Customer provided.
8.4. Indemnification Procedures.
The party from whom indemnification is being sought pursuant to this Section 8.0 (“Indemnifying Party”) shall indemnify the party seeking indemnification under this Section 8.0 (“Indemnified Party”) only on the following conditions: (i) the Indemnified Party has a valid claim for indemnification pursuant to this Section 8.0; (ii) the Indemnified Party promptly provides the Indemnifying Party with Notice of any Losses; and (iii) the Indemnified Party promptly tenders control of the defence and settlement of any such Losses to the Indemnifying Party (at the Indemnifying Party’s expense and with the Indemnifying Party’s choice of counsel); with the exception that failure to give such Notice shall not relieve the Indemnifying Party of its obligations hereunder except to the extent that the Indemnifying Party is materially prejudiced by such failure. The Indemnified Party shall cooperate fully with the Indemnifying Party at the Indemnifying Party’s request and expense in defending or settling such claim, including, without limitation, providing any information or materials necessary for the Indemnifying Party to perform the foregoing. The Indemnifying Party will not enter into any settlement or compromise of any such claim without the Indemnified Party’s prior written consent if the settlement would require admission of fault or payment by the Indemnified Party.
“Confidential Information” means any information disclosed at any time by either party, its Affiliates, directors, officers, employees, and agents (collectively, “Representatives”), to the other party or its Representatives in anticipation of or during the parties’ relationship, either directly or indirectly, in writing, orally, or by inspection of tangible objects that pertain to such party’s business, including, without limitation, information concerning technology, marketing, planned functionality, market strategies, finances, employees, planning, product roadmaps, service or product purchases, performance agreements and documentation, performance results, pricing, and other confidential or proprietary information, including information a reasonable person would understand to be confidential or proprietary. Confidential Information of either party will not, however, include any information that: (i) was publicly known and that the disclosing party made generally available in the public domain prior to the time of disclosure; (ii) becomes publicly known and that the disclosing party made generally available after disclosure to the receiving party through no action or inaction of the receiving party; (iii) is already in the possession of the receiving party without a breach of any third party’s obligations of confidentiality at the time of disclosure by the disclosing party, the burden of proof of prior possession being on the party asserting such prior possession; (iv) the receiving party obtains from a third party without a breach of such third party’s confidentiality obligations; or (v) the receiving party independently develops without use of or reference to the disclosing party’s Confidential Information, the burden of proof of independent development being on the party asserting such independent development.
Each party shall (i) hold all Confidential Information of the other party in confidence and use it only as permitted in connection with the Services provided under the Agreement; (ii) use the same care to prevent unauthorised disclosure of the disclosing party’s Confidential Information as the receiving party uses with respect to its own Confidential Information of a similar nature, which shall not, in any case, be less than the care a reasonable business person would use under similar circumstances; (iii) disclose only the Confidential Information required to comply with a court order or Applicable Law in conjunction with fulfilling obligations under Section 9.4; and (iv) only disclose the Confidential Information to its Representatives who have a need to know such information in order to perform their job, have been informed of its confidential nature, and have agreed to and are bound by no less restrictive confidentiality obligations than those in this MSA. Each party shall be liable for their respective Representatives’ breach of this MSA. Confidential Information shall not be disclosed to third parties without the other party’s prior written consent unless required by Applicable Law.
9.3. Injunctive Relief.
Each party acknowledges that a party’s actual or threatened breach of its confidentiality obligations herein would likely cause irreparable harm to the non-breaching party that could not be fully remedied by monetary damages. Each party, therefore, agrees that the non-breaching party may seek such injunctive relief or other equitable relief as may be necessary or appropriate to prevent such actual or threatened breach without the necessity of proving actual damages. Each party waives the requirement to post a bond in the event of such actual or threatened breach.
9.4. Legal Process.
If either party receives notice of a witness summons, request for production of documents, court order, or requirement of a governmental agency to disclose any information or respond to an official inquiry, the recipient thereof shall, if permitted by law, give prompt Notice to the other party so the other party may move for a protective order or other relief. Each party agrees to cooperate with the other party to respond to any notice or inquiry from a third party related to the Agreement.
10.0. Liability Exclusions and Limitations.
10.1. Liability Limitations, Generally.
THE FOLLOWING LIMITATIONS SET OUT IN THIS SECTION 10.1 SHALL NOT APPLY TO (i) DEATH OR PERSONAL INJURY CAUSED BY NAVEX’S NEGLIGENCE; (ii) FRAUDULENT MISREPRESENTATION OR ANY FRAUDULENT ACT OR OMISSION; (iii) LOSSES ARISING OUT OF CUSTOMER DATA INCIDENTS; (iv) BREACHES OF CONFIDENTIALITY OBLIGATIONS; (v) VIOLATIONS OF EITHER PARTY’S INTELLECTUAL PROPERTY RIGHTS; (vi) EITHER PARTY’S INDEMNIFICATION OBLIGATIONS; (vii) PAYMENT OF FEES; OR (viii) ANY OTHER LIABILITY WHICH MAY NOT LAWFULLLY BE EXCLUDED OR LIMITED:
(a) TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER UNDER THE AGREEMENT, WHETHER UNDER THEORY OF CONTRACT, TORT, OR OTHERWISE, FOR ANY INDIRECT, INCIDENTAL, PUNITIVE, CONSEQUENTIAL, OR SPECIAL DAMAGES (INCLUDING ANY DAMAGE TO BUSINESS REPUTATION OR LOST PROFITS), WHETHER FORESEEABLE OR NOT, AND WHETHER OR NOT SUCH PARTY IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
(b) TO THE MAXIMUM EXTENT PERMITTED BY LAW, EACH PARTY’S AGGREGATE CUMULATIVE LIABILITY TO THE OTHER IN CONNECTION WITH THE AGREEMENT SHALL NOT EXCEED THE AGGREGATE CONTRACT VALUE FOR THE ONE- (1) YEAR PERIOD PRIOR TO THE DATE THAT SUCH LIABILITY FIRST ARISES.
10.2. Liability Limitations, Customer Data Incidents.
NAVEX’S CUMULATIVE LIABILITY UNDER THE AGREEMENT IN CONNECTION WITH ANY LOSSES ARISING OUT OF CUSTOMER DATA INCIDENTS, INCLUDING LIABILITY PURSUANT TO SECTION 8.2(i), SHALL BE LIMITED TO FIVE (5) TIMES THE FEES PAID DURING THE ONE- (1) YEAR PERIOD PRIOR TO THE DATE THAT SUCH LIABILITY FIRST ARISES.
11.0. Governing Law.
Any dispute between the parties related to the Agreement will be governed by the substantive and procedural rules of England and Wales, without regard to conflict of law principles. The parties agree to submit to the exclusive jurisdiction of and venue in London, England.
12.0. General Provisions.
12.1. Publicity.
Customer may use NAVEX’s name in internal or regulatory communications pertaining to Customer’s use of NAVEX’s Services. NAVEX may not use Customer’s name, trademarks, or logos for marketing purposes, except as specifically authorised by Customer in writing and in advance of any such use.
12.2. Insurance.
NAVEX shall, at its own cost and expense, acquire and continuously maintain during the MSA Term and any applicable Services Term the insurance coverages detailed at the following website:
https://www.navex.com/en-us/insurance/. NAVEX shall provide Customer with a certificate of insurance evidencing these coverages upon Customer’s request. For avoidance of doubt, the coverages detailed at the foregoing website in effect at the time of execution of this MSA represent the minimum coverages that NAVEX must maintain during the MSA Term and any applicable Services Term. NAVEX may, from time to time, update the foregoing website to provide for increased coverages, however NAVEX may not update the website to reduce or remove any coverages in effect as of the execution of this MSA.
12.3. Third-Party Beneficiaries.
Unless otherwise prohibited by Applicable Law, no person or entity who is not a party to the Agreement has any rights under the Contracts (Rights of Third Parties) Act 1999 or otherwise to enforce or enjoy the benefit of any term of the Agreement.
12.4. Assignment.
The terms of the Agreement shall be binding on the parties and their respective successors. Neither party may assign, transfer, or delegate its rights or obligations under the Agreement without the other party’s prior written consent, except (i) to an Affiliate; or (ii) pursuant to a transfer of all or substantially all of such party’s business and assets, whether by merger, sale of assets, sale of stock, or otherwise. Any attempted assignment, transfer, or delegation in violation of the foregoing shall be null and void.
12.5. Notice.
“Notice” means written notification to a party that shall be sent via email only, unless otherwise agreed in writing by the parties. Any Notice to NAVEX shall be sent to:
legalnotice@navex.com. Any Notice to Customer shall be sent to the email address indicated in the most recent Order Form, provided that Customer may update its email address for notice purposes at any time by notifying NAVEX of such change in accordance with the terms of this section.
12.6. No Agency.
The Agreement shall not be construed to create a joint venture or partnership between the parties. Neither party shall be deemed to be an employee, agent, partner, or legal representative of the other for any purpose, nor shall either party have any right, power, or authority to create any obligation or responsibility on behalf of the other.
12.7. Supply Chain Due Diligence and Compliance with Law.
(i) General Ethical Obligations.
NAVEX shall act in a socially responsible manner and shall adhere to international standards on human rights, environmental protection, and appropriate working conditions, including, but not limited to, the prohibition of child labour.
(ii) Code of Conduct.
NAVEX shall at all times comply with its Code of Conduct, the current version of which is available at:
https://navex.codeofconductonline.com/.
(iii) Modern Slavery.
NAVEX shall comply with all applicable anti-slavery and human trafficking laws, including but not limited to, the statutory provisions of the Modern Slavery Act 2015. Specifically, NAVEX shall not engage in any activity, practice, or conduct that would constitute an offence under the Modern Slavery Act 2015, and shall maintain appropriate policies and procedures to ensure such compliance. Neither NAVEX nor its officers, employees, or agents have been convicted of any offence under applicable anti-slavery and human trafficking laws.
(iv) Anti-bribery and Anti-corruption.
NAVEX shall comply with all applicable anti-bribery and corruption laws, including but not limited to, the Bribery Act 2010. NAVEX shall not pay, receive, request, offer, promise, or authorise the payment or transfer of anything of value, directly or indirectly, to or from any other person or entity for the purpose of improperly obtaining or retaining a business or any other advantage. NAVEX shall maintain policies and procedures to ensure compliance with this section. Neither NAVEX nor its officers, employees, or agents have been convicted of any offence under applicable anti-bribery and corruption laws.
(v) Anti-Tax Evasion.
NAVEX and its relevant associated persons (including any employee, officer, subsidiary, subcontractor or any third party providing services for or on behalf NAVEX) shall comply with all applicable laws relating to the prevention of tax evasion and/or the prevention of the facilitation of tax evasion including, but not limited to, the Criminal Finances Act 2017.
(vi) Each party shall be responsible for compliance with Applicable Law related to the performance of its obligations under the Agreement.
(vii) Each party confirms that it is not, nor is it directly or indirectly owned or controlled by, or affiliated with, a restricted party under U.S. sanctions laws or other sanctions laws applicable to a party.
(viii) NAVEX’s Services are subject to U.S. sanctions laws and Customer’s use of the Services must comply with all applicable requirements and restrictions under U.S sanctions laws. Customer agrees not use the Services for the benefit of, or otherwise transfer or provide access to the Services to: (a) a restricted party under U.S. sanctions laws; or (b) individuals or entities located in a country subject to comprehensive U.S. sanctions.
(ix) Customer’s use of the Services will comply with all applicable export controls regulations and requirements, including, without limitation, those promulgated by U.S. Departments of State, Commerce, Homeland Security, Treasury, and Defense.
(x) Customer shall not use the Services to collect, process, store, transfer, or convey any (a) “technical data,” as that term is defined in the International Traffic in Arms Regulations, 22 C.F.R. § 120.10; or (b) “covered defense information" or “controlled technical information” as those terms are defined in DFAR 252.204-7012.
(xi) Any breach of this Section 12.7 is a material breach of the Agreement for which no cure period shall apply.
12.8. Force Majeure.
Neither party shall be liable for failure to perform, or the delay in performance of, any of its obligations under the Agreement if and to the extent that such failure or delay is caused by events beyond its reasonable control, including, without limitation, pandemic, acts of the public enemy or a governmental body in its sovereign or contractual capacity, war, fire, flood, unusually severe weather, outside electrical failure, the limitations or failures of third-party internet service providers and/or telecommunication providers, or acts of terrorism, including cyberattacks. If so affected, the affected party shall use commercially reasonable efforts to avoid or remove such causes of non-performance or delay and shall continue performance hereunder with reasonable dispatch whenever such causes are removed or otherwise resolved. Where NAVEX cannot substantially perform Services for a period of thirty (30) calendar days due to a force majeure event, Customer may terminate the affected Service and NAVEX shall return to Customer the unused portion of any fees paid for the affected Service.
12.9. Waiver.
No waiver or delay in enforcement of a breach of any provision of the Agreement shall constitute a waiver of any prior, concurrent, or subsequent breach of the same or any other provision hereof, and a waiver shall not be effective unless made in writing and signed by an authorised representative of the waiving party.
12.10. Survival.
The terms and conditions of the Agreement that by their nature require performance by either party after the termination of the Agreement, including, without limitation, confidentiality obligations, limitations of liability, exclusions of damages, indemnification obligations, governing law, fees, and any other provision or partial provision that by its nature would reasonably extend beyond the termination of the Agreement shall be and remain enforceable after such termination of the Agreement for any reason whatsoever.
12.11. Severability.
If any provision of the Agreement conflicts with Applicable Law or if any provision is held to be null, void, or otherwise ineffective or invalid by a court of competent jurisdiction, (i) such provision shall be deemed to be restated to reflect as nearly as possible the original intentions of the parties in accordance with Applicable Law; and (ii) the remaining terms, provisions, covenants, and restrictions of the Agreement shall remain in full force and effect.
12.12. Entire Agreement.
The Agreement constitutes the complete agreement between the parties and supersedes all prior or contemporaneous agreements, proposals, responses to requests for proposals, representations, and warranties, written or oral, concerning the subject matter of the Agreement, including any prior non-disclosure or confidentiality agreement(s), which shall be replaced by those terms and conditions set forth herein. The parties hereto, in executing the Agreement, do not rely on any inducements, promises or representations other than such as are expressly contained in the Agreement. The Agreement may only be modified or amended in a writing signed by a duly authorised representative of each party; any other act, usage, or custom shall not be deemed to amend or modify the Agreement.
12.13. Section Headings.
The section headings are for reference purposes only and shall not in any way affect the meaning or interpretation of this MSA.
12.14. Counterparts.
The parties may execute Order Forms in counterparts. An exchange of scanned and emailed executed copies or electronic signatures is acceptable. In the event of such an exchange, such Order Forms shall become binding, and any scanned and emailed signed copies or electronic signatures shall constitute admissible evidence of the existence of such Order Forms.
Exhibit A – Service Terms
ENCRYPTION OF CUSTOMER DATA.
Customer Data is encrypted in flight and at rest when stored in the Services. Customer Data is accessible to Customer by use of a “secondary password” which is set up by Customer upon launch of the Services and used by Customer to decrypt Customer Data within the Services. The secondary password is shared among case managers and it is Customer’s responsibility to share the secondary password with the case managers Customer wishes to authorise to access and manage reports. If the secondary password is lost, Customer can restore and access Customer Data with the backup encryption file, which is provided to Customer upon launch of the Services. Customer is responsible for secure password management, including use and secure storage of Customer’s backup encryption file. WhistleB does not know Customer’s encryption keys necessary to decrypt Customer Data and cannot access Customer Data unless such access to decrypted Customer Data is authorized in writing by Customer. A lost secondary password, in combination with a lost backup encryption file, means that the Customer Data will no longer be accessible. WhistleB cannot be held liable for any loss of Customer Data related to Customer’s loss of the secondary password and backup encryption file.
ACCESS TO CUSTOMER DATA.
During the Services Term, Customer will have sole responsibility for determining whether Customer Data residing in the Services will be maintained within the Services or deleted. WhistleB will have no responsibility, liability or obligation with respect to any Customer Data that has been deleted, purged, overwritten, or otherwise destroyed by or as directed by Customer. Customer will have access and the ability to download and save Customer Data during the Services Term. Upon termination and at the request of Customer made within thirty (30) days following the effective date of termination, WhistleB will create and deliver to Customer, at Customer’s cost and expense, a copy of all encrypted Customer Data then in existence in the Services.
SUB-PROCESSORS.
Hosting Location: EU
Customer consents to the use of the applicable sub-processors set forth in the following link:
https://www.navex.com/en-us/service-hosting-providers/whistleb. The foregoing link contains a mechanism to subscribe to notifications of the addition of any new sub-processors for each applicable Service, to which Customer may subscribe. Notwithstanding any provision to the contrary, updates provided via this mechanism shall operate as the notification of changes concerning the addition of any new sub-processors
Exhibit B – Descriptions of Services
WhistleB - Core Subscription
WhistleB Core Plan – Core is delivered as a baseline, single channel web-based reporting including foundational case components. Comprised of (3) Dedictated Licenses; up to (3) languages; Case Assignment, Basic statistics, Case Log, User Log, and Two-factor authentication.
WhistleB - Core Setup
WhistleB Core setup includes:
- Initial timeline providing an overview of expectations, documentation, and customer responsibilities for a successful implementation
- Kick-off call to review implementation materials process and timelines
- Customization of one (1) reporting channel:
- Text, logo and questionnaire in up to three (3) languages. One round of edits to text and layout.
- User training videos and manuals provided
- One (1) Administrative User setup and two (2) additional user licenses
- Four (4) week implementation timeline starting at the kick-off call to complete configuration items included above. Additional changes or requests made after this period will be scoped and priced separately.