Nailing the Security Audit with RRCU

Master Subscription Agreement

Updated on May 2, 2023

This Master Subscription Agreement is entered into by and between ConductorOne, Inc. (“ConductorOne”) and the customer entering into this Agreement (“Customer”). If you represent an organization, you represent and warrant that you are an authorized to agree to this Agreement on behalf of your organization . Capitalized terms have the meanings listed at in the end of this Agreement.

1. SERVICES

1.1 Services. Customer and its Authorized Users may access and use the Services during the Term (as defined below) solely for Customer’s internal business purposes in accordance with the Agreement.
1.2 Service Levels. ConductorOne will provide the Services in accordance with the services levels described at https://www.conductorone.com/sla.
1.3 Cooperation and Assistance. Customer will cooperate with ConductorOne in good faith and provide to ConductorOne the information and personnel that ConductorOne reasonably requests and requires to provide the Services.
1.4 Authorized Users. Promptly following the Effective Date, Customer will connect its applications to ConductorOne’s Platform, which will enable ConductorOne to access Customer’s employee directory (the “Employee Directory”). Each individual listed in the Employee Directory will automatically be given access to the Platform and will be considered an Authorized User of the Services. For the sake of clarity, any new individual that is added to the Employee Directory after the Effective Date will automatically become an Authorized User once they are added. Customer will keep its user IDs and passwords for the Services confidential and will be responsible for all actions taken under an Authorized User’s account. Customer will comply with all applicable laws, rules and regulations in connection with its use of the Services. Customer will promptly notify ConductorOne of any suspected violation of this Agreement by an Authorized User and will cooperate with ConductorOne to address the suspected violation. ConductorOne may suspend or terminate any Authorized User’s access to the Services upon notice to Customer in the event that ConductorOne reasonably determines that such Authorized User violated this Agreement.
1.5 Restrictions. Customer will not allow anyone other than Authorized Users to access or use the Services from Customer’s accounts. Customer will not and will ensure that its Authorized Users do not: (a) attempt to interfere with or disrupt the Services (or any related systems or networks) or use any portion of the Services other than directly for Customer’s benefit; (b) copy, modify, alter, translate, create derivate works of or distribute any portion of the Services; (c) rent, lease, loan or resell any portion of the Services; (d) transfer any of its rights hereunder (other than in accordance with Section 9.9); (e) reverse-engineer, disassemble or decompile any portion of the Services, (f) hack or modify a license key, or try to avoid or change any license registration process ConductorOne may implement, or (g) access any portion of the Services in order to build a competitive product or service. Further, Customer may not remove or export from the United States or allow the export or re-export of the Services, or any portion thereof, in violation of any restrictions, laws or regulations of the United States Department of Commerce, the United States Department of Treasury Office of Foreign Assets Control, or any other United States or foreign agency or authority.
1.6 Customer Data. Customer is responsible for obtaining any necessary right and licenses for use of the Customer Data by Customer and ConductorOne as contemplated in this Agreement. Customer agrees that it has the legal right and authority to access, use and disclose to ConductorOne any Customer Data. Customer authorizes ConductorOne to access, process, and use the Customer Data as necessary to perform and fulfill its obligations hereunder. ConductorOne is not involved in the collection, processing or retention of any personally identifiable information from Customer, except for names and contact information that is provided by Customer’s personnel to ConductorOne for purposes of obtaining the Services and/or creating an account with ConductorOne (the “Limited PII”). ConductorOne will process the Limited PII in accordance with this Agreement, the Data Processing Agreement found at http://conductorone.com/legal/dpa (the “DPA”) and all applicable laws, rules and regulations.
1.7 Information Security. ConductorOne will maintain reasonable administrative, technical, and physical safeguards to protect Customer’s Confidential Information, the Limited PII and any Usage Data (as defined below).  ConductorOne will, on an ongoing basis, ensure that its information security program and safeguards are designed, maintained, updated and adjusted, as necessary, to protect against reasonably foreseeable internal and external risks to the security, confidentiality and integrity of Customer’s Confidential Information, the Limited PII and Usage Data
1.8 Usage Data. ConductorOne may collect and analyze data and other information relating to the provision, use and performance of the Services and related systems and technologies therefrom (“Usage Data”) in order to improve and enhance the Services. ConductorOne may disclose insights drawn from Usage Data to third parties provided that the Usage Data included in such insights are de-identified so that such Usage Data cannot be linked in any way to Customer.

2. FEES; EXPENSES; TAXES

2.1 Fees. Customer will pay to ConductorOne the amounts specified in the applicable Order Form (the “Fees”) in accordance with the terms set forth in such applicable Order Form and this Section 2. ConductorOne reserves the right to change the Fees and to institute new charges and fees at the end of the Initial Service Term or each Renewal Term, upon sixty (60) days prior notice to Customer (which may be sent by email).
2.2 Invoices; Payment. ConductorOne will invoice Customer for the Services as set forth in the Order Form and each invoice will be due and payable within thirty (30) days. All payment obligations are non-cancellable, and other than as provided in the Agreement; all amounts paid are non-refundable. ConductorOne will be entitled, in its sole discretion, to withhold performance and discontinue Customer’s access to the Services until all undisputed amounts past due are paid in full. With regard to any undisputed invoiced amount that is not paid when due, ConductorOne reserves the right to charge, and Customer agrees to pay, a late fee of one percent (1%) per month or the maximum rate permitted by applicable law, whichever is less, from the due date until paid, plus any attorney’s fees and collection costs.
2.3 Taxes. All Fees and other amounts stated or referred to in this Agreement are exclusive of all taxes, duties, levies, tariffs, and other governmental charges (collectively, “Taxes”). Customer will be responsible for payment of all Taxes and any related interest and/or penalties resulting from any payments made under this Agreement, other than any taxes based on ConductorOne’s net income.

3. PROPRIETARY RIGHTS.

3.1 Customer owns and retains all Intellectual Property Rights in: (a) the Customer Data and (b) Customer’s name, logo and other trademarks.
3.2 ConductorOne owns and retains all Intellectual Property Rights in: (a) the Services, and all improvements, enhancements or modifications made thereto by any party; (b) the Documentation (as defined below); (c) the Usage Data (excluding any Customer Data or Customer Confidential Information therein); (d) any software, applications, inventions or other technology developed by ConductorOne in connection with providing the Services.

4. CONFIDENTIALITY

4.1 Use and Nondisclosure. A receiving party will not use the disclosing party’s Confidential Information except as necessary under this Agreement and will not disclose Confidential Information to any third party except: (a) to those of its employees, advisors, service providers, contractors or agents who have a business need to know such Confidential Information; provided that each such party is bound by confidentiality restrictions at least as restrictive as the terms set forth in this Agreement or (b) as further described in the Data Processing Addendum. Each receiving party will protect the disclosing party’s Confidential Information from unauthorized use and disclosure using efforts equivalent to the efforts that the receiving party uses with respect to its own confidential information and in no event less than a reasonable standard of care. The provisions of this Section 5.1 will remain in effect during the Term and for a period of three (3) years after the expiration or termination thereof, except with regard to trade secrets of the disclosing party, which will be held in confidence for as long as such information remains a trade secret.
4.2 Exclusions. The obligations and restrictions set forth in Section 5.1 will not apply to any information that: (a) is or becomes generally known to the public through no fault of or breach of this Agreement by the receiving party; (b) is rightfully known by the receiving party at the time of disclosure; (c) is independently developed by the receiving party without access to the disclosing party’s Confidential Information; or (d) the receiving party rightfully obtains from a third party who has the right to disclose such information without breach of any confidentiality obligation to the disclosing party.
4.3 Permitted Disclosures. The provisions of this Section 5 will not restrict either party from disclosing the other party’s Confidential Information: (a) pursuant to the order or requirement of a court, administrative agency, or other governmental body; provided that to the extent legally permitted, the party required to make such a disclosure gives reasonable notice to the other party to enable it to contest such order or requirement or limit the scope of such request; (b) on a confidential basis to its legal or professional financial advisors; (c) as required under applicable securities regulations.
4.4 Injunctive Relief. The receiving party acknowledges that disclosure of Confidential Information could cause substantial harm for which damages alone may not be a sufficient remedy, and therefore that upon any such disclosure by the receiving party, the disclosing party will be entitled to seek appropriate equitable relief in addition to whatever other remedies it might have at law.

5. WARRANTY

5.1 Warranty for Services. ConductorOne warrants solely to Customer that (a) the Services will materially conform to the description set forth in the applicable Order Form, or in any user guides made available by ConductorOne as part of the Services (the “Documentation”); and (b) the Services will materially comply with all applicable laws, including federal, state, and local; in each case under normal use and circumstances when used consistently with the terms of this Agreement and in compliance with any Documentation. As ConductorOne’s sole and exclusive liability and Customer’s sole and exclusive remedy for any breach of the warranties set forth in this Section 6.1, ConductorOne will (i) use commercially reasonable efforts to modify the Services to correct the non-conformity or (ii) if ConductorOne reasonably determines that it is unable to correct the non-conformance, refund to Customer a prorated portion of the Subscription Fees (as defined in the Order Form) actually paid by Customer during the then-current Initial Term or Renewal Term (each as defined in the Order Form), in which case this Agreement and Customer’s right to use the Services will be terminated.
5.2 Disclaimer. EXCEPT AS EXPRESSLY PROVIDED IN SECTION 6.1, COMPANY MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WHATSOEVER, EXPRESS OR IMPLIED, IN CONNECTION WITH THIS AGREEMENT OR THE SERVICES, AND COMPANY HEREBY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, ACCURACY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE. COMPANY DISCLAIMS ANY WARRANTY THAT THE SERVICES WILL BE ERROR FREE OR UNINTERRUPTED OR THAT ALL ERRORS WILL BE CORRECTED. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED FROM COMPANY OR ELSEWHERE SHALL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THIS AGREEMENT. CONDUCTORONE WILL HAVE NO LIABILITY FOR ANY CLAIMS, LOSSES, OR DAMAGES CAUSED BY ERRORS OR OMISSIONS IN ANY CUSTOMER DATA OR OTHER INFORMATION PROVIDED TO CONDUCTORONE BY CUSTOMER IN CONNECTION WITH THE SERVICES OR ANY ACTIONS TAKEN BY CONDUCTORONE AT CUSTOMER’S DIRECTION.

6. TERM AND TERMINATION

6.1 Term. Unless terminated earlier in accordance herewith, this Agreement will commence on the Effective Date and will continue for so long as there is an Order Form in effect (the “Term”).
6.2 Termination for Cause. Either party may terminate this Agreement upon written notice if the other party breaches any material terms of this Agreement and fails to correct the breach within thirty (30) days following written notice from the non-breaching party specifying the breach. If Customer terminates this Agreement in accordance with this Section 7.2, ConductorOne will promptly refund to Customer a prorated portion of the Subscription Fees actually paid by Customer during the then-current Initial Term or Renewal Term.
6.3 Rights and Obligations Upon Expiration or Termination. Upon expiration or termination of this Agreement, Customer’s and Authorized Users’ right to access and use the Services will immediately terminate and each will immediately cease all use of the Services.
6.4 Survival. The rights and obligations of the parties contained in Sections 1, 2, 3, 4, 5, 6.3, 8, 9, and 10 will survive any expiration or termination of this Agreement.

7. INDEMNIFICATION

7.1 Indemnification by ConductorOne. ConductorOne will defend Customer, its officers, directors and employees (“Customer Indemnitees”), from and against any third party claim (“Claim”) brought by a third-party against Customer: alleging that the Services, as provided by ConductorOne and when used by Customer pursuant to this Agreement, infringe any U.S. Intellectual Property Rights of a third party (the “IP Indemnity”) and indemnify the Customer Indemnitees against any damages awarded to the third party bringing the Claim or any settlement amounts agreed to by ConductorOne.
7.2 Injunctions. If Customer’s use of the Services is, or in ConductorOne’s opinion is likely to be, enjoined due to the type of Claim specified in Section 7.1(a), then ConductorOne may at its sole option and expense: (a) replace or modify the Services to make them non-infringing and of equivalent functionality; (b) procure for Customer the right to continue using the Services in accordance herewith; or (c) if ConductorOne is unable to accomplish either (i) or (ii) despite using its commercially reasonable efforts, terminate this Agreement and refund to Customer a pro-rata portion of the Subscription Fees paid for the then-current Initial Term or Renewal Term.
7.3 Exclusions. Notwithstanding the terms of Section 7.1, ConductorOne will have no liability for any claim of any kind to the extent that it results from: (a) the combination, operation or use of any portion of the Services with equipment, devices, software or data (including without limitation Customer Data) not supplied by ConductorOne or contemplated by the Documentation, if the claim would not have occurred but for such combination, operation or use; or (b) Customer’s or an Authorized User’s use of any portion of the Services in violation of this Agreement or the Documentation.
7.4 Sole Remedy. THE FOREGOING STATES COMPANY’S AND ITS LICENSORS’ SOLE LIABILITY AND CUSTOMER’S SOLE AND EXCLUSIVE REMEDY WITH RESPECT TO ANY ALLEGED OR ACTUAL INFRINGEMENT OR MISAPPROPRIATION OF INTELLECTUAL PROPERTY RIGHTS BY THE SERVICES.
7.5 Process for Indemnity. The party seeking indemnification under this Section 8 (the “Indemnified Party”) will (a) provide the other party (the “Indemnifying Party”) with prompt written notice of any Claim; (b) provide reasonable cooperation to the Indemnifying Party, at the Indemnifying Party’s expense, in the defense and settlement of such Claim; and (c) give the Indemnifying Party the sole authority to defend or settle such Claim, provided that it may not settle any Claim in a manner that imposes any material liability upon the Indemnified Party or requires the Indemnified Party to admit wrongdoing unless the Indemnifying Party obtains the Indemnified Party’s consent (which consent may not be unreasonably withheld).

8. LIMITATION OF LIABILITY.

NEITHER CUSTOMER NOR CONDUCTORONE, NOR THEIR RESPECTIVE AFFILIATES AND SUPPLIERS, WILL BE LIABLE UNDER THIS AGREEMENT FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES; OR LOSS OF USE, DATA, BUSINESS, REVENUES, OR PROFITS (IN EACH CASE WHETHER DIRECT OR INDIRECT), EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE, EVEN IF A REMEDY FAILS OF ITS ESSENTIAL PURPOSE, AND REGARDLESS OF THE TYPE OF ACTION OR THEORY OF LIABILITY.NEITHER PARTY’S AGGREGATE LIABILITY UNDER THIS AGREEMENT WILL EXCEED THE GREATER OF ONE HUNDRED DOLLARS (US $100) OR THE AMOUNT PAID BY CUSTOMER TO CONDUCTORONE DURING THE TWELVE MONTHS PRIOR TO THE EVENT GIVING RISE TO LIABILITY.

9. GENERAL

9.1 Insurance. ConductorOne will maintain the following insurance coverage: (a) Commercial General Liability Insurance with a minimum of $1,000,000 per claim and $2,000,000 in the aggregate; (b) Technology & Cyber Liability Insurance with a minimum of $2,000,000 per claim and in the aggregate; and (c) workers’ compensation insurance as required by state or local law in the states where ConductorOne has employees. At Customer’s request, ConductorOne will provide evidence to Customer of insurance coverage.
9.2 Governing Law. This Agreement will be governed by the laws of the State of California, without regard to its conflict of law provisions. Any legal action or proceeding relating to this Agreement will be brought exclusively in the state or federal courts located in San Francisco, CA. ConductorOne and Customer agree to submit to the jurisdiction of, and agree that venue is proper in, those courts in any such legal action or proceeding.
9.3 Order of Preference. In the event of a conflict between this Master Services Agreement, the DPA and an Order Form, the order of preference will be: (a) this Master Services Agreement, (b) any exhibit to this Master Services Agreement, (c) the DPA, and (d) the Order Form.
9.4 Waiver. The waiver by either party of any default or breach of this Agreement will not constitute a waiver of any other or subsequent default or breach. No waiver of any provision of this Agreement will be effective unless it is in writing and signed by the party granting the waiver.
9.5 Notices. Notices will be sent to the addresses set forth on the signature page hereto (or such other address that is provided in accordance with this Section). The notices will be deemed to have been given upon: (a) the date actually delivered in person; (b) the day after the date sent by overnight courier; (c) three (3) days following the date such notice was mailed by first class mail; or (d) the date sent by email.
9.6 Severability. In the event any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions of this Agreement will remain in full force and effect.
9.7 Force Majeure. Neither party will be liable hereunder by reason of any failure or delay in the performance of its obligations hereunder (except for the payment of money owed) on account of events beyond the reasonable control of such party, which may include without limitation denial-of-service attacks, strikes, shortages, riots, insurrection, fires, flood, storm, explosions, pandemics, acts of God, war, terrorism, governmental action, labor conditions, earthquakes, rolling blackouts, and internet connectivity disruptions.
9.8 Relationship Between the Parties. Nothing in this Agreement will be construed to create a partnership, joint venture or agency relationship between the parties.
9.9 Assignment. Except to an Affiliate or as part of a reorganization, or to a purchaser of its business entity, equity, or substantially all of its assets or business to which its rights and obligations under this Agreement, neither party may assign its rights or obligations under this Agreement without the other party’s prior written consent. Any other attempt by either party to transfer its rights or obligations under this Agreement will be void.
9.10 Entire Agreement. This Agreement (including any exhibits hereto) constitutes the complete and exclusive agreement between the parties concerning its subject matter and supersedes all prior or contemporaneous agreements or understandings, written or oral, concerning the subject matter of this Agreement. Purchase orders are for the sole purpose of defining quantity and pricing and all other purchase order terms are rejected.
9.11 Amendment. This Agreement may not be modified or amended except in a writing signed by a duly authorized representative of each party.
9.12 No Third-Party Beneficiaries. This Agreement is intended for the sole and exclusive benefit of the parties and is not intended to benefit any third party. Only the parties to this Agreement may enforce it.**

8. DEFINITIONS

10.1 “Affiliate” means a legal entity that controls, is controlled by, or is under common control with a party, where “control” is defined as owning more than 50% of the voting shares of such entity.
10.2 “Agreement” means this Master Subscription Agreement together with any exhibits and any Order Form(s).
10.3 “Authorized User” means an employee or contractor of Customer or its Affiliates that Customer has included in its Employee Directory (as defined below as described in Section 1.4).
10.4 “Confidential Information” means any business or technical information disclosed by one party to the other party, including Customer Data, provided that it is identified as confidential at the time of disclosure or that under the circumstances, a person exercising reasonable business judgment would understand it to be confidential or proprietary.
10.5 “Customer Data” means the data and information input or uploaded into the Services by Customer or Authorized Users.
10.6 “Intellectual Property Rights” means patent rights (including, without limitation, patent applications and disclosures), copyrights, trade secrets, moral rights, know-how, and any other intellectual property rights recognized in any country or jurisdiction.
10.7 “Order Form” means the document that Customer uses to order the Services that is signed by both Customer and ConductorOne.
10.8 “Platform” means ConductorOne’s first identity orchestration and automation cloud-based web platform.
10.9 “Services” collectively means the Platform and any support or other services performed by ConductorOne under this Agreement.

Stay in touch

The best way to keep up with identity security tips, guides, and industry best practices.