SANS Master License and Services Agreement

By providing payment in response to a SANS' Price Quote, Customer, as defined in the Price Quote, represents it has read, understands and agrees to the following terms and conditions of the Master License and Services Agreement ("Agreement").

The following Addendums are attached and incorporated into this Agreement:

  • Addendum A - SSA Training Services Supplemental Terms
  • Addendum B - SAP Litmos/Callidus Cloud Services Supplemental Terms
  • Addendum C - SSA Phishing Services Supplemental Terms

1. DEFINITIONS.

1.1. Applicable Data Protection Legislation means any data protection regulation that may apply in the context of the Agreement, including, where applicable, (i) the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR") and the laws and regulations adopted to implement the GDPR and (ii) any other laws or regulations relating to the Processing of Personal Data.

1.2. Confidential Information means any information that is proprietary or confidential to a Party and either marked as confidential or identified as such to the other Party, including, but not limited to, business or technical data or know-how, customer and prospective customer lists, secrets, ideas, concepts, designs, drawings, flow charts, diagrams, financials, and other intellectual property, in whatever form including, documented information, machine readable or interpreted information transmitted in any form including, in writing, orally, or visually. Any abstracts, summaries or compilations are included in this definition of Confidential Information. For avoidance of doubt, Confidential Information includes details of SANS training courses or exams, pricing, courseware, user information, and the business relationship between the Parties.

1.3. Customer Materials means Customer-sourced data or materials not provided by SANS or its suppliers, that are used in connection with SSA Training Materials, such as Customer-sourced content, logos, artwork, or media.

1.4. Disclosing Party means the Party that discloses its Confidential Information to the Receiving Party under this Agreement.

1.5. Engagement Materials means SANS fact sheets, FAQs, help files, media files, newsletters, posters, and screensavers provided or made available by SANS to facilitate use of the SANS Products and Services. Engagement Materials do not include SSA Training Materials themselves.

1.6. Named User means, as applicable, an authorized SSA Training Named User as defined in Addendum A, an authorized SSA Litmos Training Named User as defined in Addendum B, an authorized SSA Phishing Named User, as defined in Addendum C, or a named user otherwise defined in a Price Quote or additional Addendum with respect to other Services.

1.7. Personal Data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

1.8. Price Quote means the document that details the product(s) and Services being provided to Customer by SANS, as well as the quantities, fees, Subscription Term, and payment terms.

1.9. Products means the products to be provided by SANS to Customer as set forth in a Price Quote or Statement of Work.

1.10. Professional Services means setup, implementation, installation, configuration or other professional Services to be provided by SANS to Customer under a Price Quote or Statement of Work.

1.11. Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.12. Receiving Party means the Party that receives Confidential Information of the Disclosing Party under this Agreement.

1.13. SSA Training Materials means SANS Security Awareness videos, interactive programs, online training content, exams, assessments, electronic materials, and other training Products. Each SSA Training Material is a Product and is licensed separately.

1.14. Services means the services to be performed by SANS for Customer as set forth in a Price Quote or Statement of Work.

1.15. Statement of Work or SOW means a mutually agreed statement of Services to be performed by SANS for Customer under a Price Quote.

1.16. Subscription Term means the License Term or Subscription Term specified in a Price Quote.

2. SANS PROFESSIONAL SERVICES. All Professional Services will be performed in accordance with mutually agreed SOWs. Except as provided in a Price Quote or SOW for Professional Services, Customer is fully responsible for deployment of the Products and Services. SANS will only support such deployment remotely.

3. ENGAGEMENT MATERIALS. Except as set forth in the applicable Price Quote:

3.1. Customer is granted a non-exclusive, non-transferable, and non-sublicensable license during the applicable Subscription Term to use Engagement Materials related to the Products or Services to which it subscribes, only for its own internal use in connection with such Products or Services. Engagement Materials: (i) are not subject to "per user" limitations; (ii) are provided as digital files only, and (iii) may be modified or updated by SANS from time to time.

3.2. Customer shall not, for the purposes of sale, resale, lease, and/or developing a competing product: copy, reproduce, distribute, display, modify or create derivative works based upon all or any portion of the Engagement Materials in any medium.

4. TERM AND TERMINATION.

4.1. Term. The Term of this Agreement begins on the Effective Date and continues for 12 months thereafter or as identified on the applicable Price Quote; If Customer is not then in default under this Agreement, the Term shall auto-renew and extend for successive 12-month terms thereafter unless either Party provides notice of non-renewal at least sixty (60) days before the expiration of the then-current Term. The natural expiration of the Term of this Agreement shall not terminate Subscription Terms then in force, and this Agreement shall continue to govern the applicable subscriptions and Statements of Work until their respective expirations or terminations.

4.2. Subscription Term. Each Subscription Term shall be as specified in the applicable Price Quote, and if not specified, shall be twelve (12) months from the applicable Start Date. If Customer is not in default under this Agreement, and pays the applicable subscription fees for the renewal term, the Subscription Term shall auto-renew for successive 12-month terms thereafter, unless either Party provides notice of non-renewal at least sixty (60) days prior to the end of the then current Subscription Term.

4.3. Termination. Either Party may terminate this Agreement and any or all Price Quotes or Statements of Work and Subscription Terms as follows:

4.3.1. Upon thirty (30) days' written notice in the event that the other Party materially breaches, for the first time, any provision of this Agreement (a "Default" by the "Defaulting Party"), provided that the Defaulting Party's breach, if curable, has not been cured within the thirty (30) day notice period;

4.3.2. Upon thirty (30) days' written notice in the event that the Defaulting Party engages in multiple or persistent breaches of this Agreement (including but not limited to repeated non-payment) (an "Incurable Default"). In the event of an Incurable Default, the Agreement shall terminate regardless of any attempts by the Defaulting Party to cure.

4.3.3. Immediately if (A) the other Party ceases to carry on its business; (B) a receiver or similar officer is appointed for the other Party and is not discharged within thirty (30) days; (C) the other Party becomes insolvent, admits in writing its inability to pay debts as they mature, is adjudicated bankrupt, or makes an assignment for the benefit or its creditors or another arrangement of similar import; (D) proceedings under bankruptcy or insolvency laws are commenced by or against the other Party and are not dismissed within thirty (30) days; or (E) a Party is in default of Sections 16 or 17.

4.3.4. In the event of termination, the provisions that are intended by their terms to survive the Agreement shall survive the Agreement, which include but are not limited to: Non-Disclosure; Intellectual Property/Confidential Information; Limitation on SANS' Liability, Default, and Governing Law.

4.3.5. In the event of termination, Customer shall pay SANS for all services performed by SANS up to the date of termination, as well as all fees accrued prior to the date of termination.

4.3.6. In the event of termination of this Agreement for Default, all subscriptions, Statements of Work, and Subscription Terms hereunder shall also terminate, and Customer and its Named Users shall immediately cease all use of the licensed Products and Services.

4.4. SANS may immediately suspend Customer's and/or a Named User's access to the SLP and Services in connection with any:

4.4.1. material violation by Customer or a Named User of the use limitations or restrictions in the applicable Price Quote or Addendum or SANS' intellectual property rights;

4.4.2. technical or security issues or problems caused by Customer that materially impact the business operations of SANS or other SANS clients; and/or

4.4.3. judicial, administrative, or law enforcement orders.

4.5. Upon expiration or termination of a Subscription Term, to the extent reasonably practicable, Customer shall return (or at SANS' option destroy, and certify destruction of) all SSA Training Materials in its possession.

5. INVOICES AND PAYMENT TERMS.

5.1. Except as otherwise set forth in the Price Quote, Customer will be invoiced for one hundred percent (100%) of the total fee identified in the Price Quote.

5.2. Customer shall provide payment within 30 days of invoice receipt

5.3. Customer shall be responsible for, and shall timely pay, all sales, use, value added, duties, tariffs or other taxes of any nature whatsoever associated with the purchase of Products or Services under this Agreement.

5.4. Acceptable payment forms include ACH, wire transfer, credit card, and SANS voucher account funding.

6. AUDIT

During the Term, SANS will keep true and accurate books and records relating to this procurement (collectively, "Records"). Records will include such information necessary for the Customer to verify the accuracy of the invoicing, billing, and payments in connection with the ordered services delivered hereunder, but not the underlying costs and financial data used in calculating the same. At the Customer's reasonable request, SANS will provide access to the Records, as necessary, to verify the fees and other amounts charged to the Customer, which shall be accomplished through electronic means.

7. INTELLECTUAL PROPERTY/CONFIDENTIAL INFORMATION.

7.1. Customer acknowledges that SANS or its licensors are the sole and exclusive owners of the SANS Products and Services, and the SANS Confidential Information, including, without limitation, the SSA Training Materials and the Engagement Materials, and any improvements and enhancements thereto and derivations thereof, and all intellectual property rights therein. Nothing in this Agreement transfers SANS' exclusive ownership of its intellectual property or Confidential Information.

7.2. Customer may not: (i) except as expressly provided in this Agreement, use, copy, modify, translate, or merge any such information or create derivative works therefrom; (ii) disable or circumvent any SANS licensing control feature; (iii) reverse-engineer, disassemble, or decompile such information, or otherwise attempt to access or determine its underlying source code, underlying user interface techniques or algorithms, or permit any such actions; (iv) distribute, lend, sublicense, rent or lease the above; and/or (v) attempt to build a competitive service or product, or copy any feature, function or graphic for competitive purposes.

7.3. SANS acknowledges that Customer or its licensors are the sole and exclusive owners of the Customer Materials and Customer Confidential Information, and all intellectual property rights therein. Nothing in this Agreement transfers Customer's exclusive ownership of its intellectual property or Confidential Information.

8. CONFIDENTIALITY AND NON-DISCLOSURE.

8.1. A Receiving Party may be given Confidential Information from the Disclosing Party in order to perform its obligations under this Agreement. The Receiving Party will protect the confidentiality of the Disclosing Party's Confidential Information during the Term of this Agreement and indefinitely thereafter by (a) using the same means it uses to protect its own Confidential Information, but in any event, not less than reasonable means, and (b) using the Disclosing Party's Confidential Information solely in connection with this Agreement. The Receiving Party shall not copy or disclose this Agreement and the Disclosing Party's Confidential Information except to those employees, officers, directors, subcontractors, agents, or affiliates of the Receiving Party ("Representatives") who have a need to know such Confidential Information as required in connection with this Agreement; provided, such Representatives are advised of and agree to abide by the confidentiality obligations set forth in this Agreement. Compliance by Representatives with the confidentiality and use obligations in this Agreement will remain the responsibility of Receiving Party, and both Receiving Party and Representatives shall be liable for any breach of this Agreement by Representatives.

8.2. Confidential Information will not include any information or data which:

8.3. was rightfully in the Receiving Party or its Representatives' possession prior to receipt from the Disclosing Party;

8.4. becomes rightfully available to the Receiving Party or its Representatives from a source other than the Disclosing Party who is free to lawfully disclose such information to the Receiving Party;

8.5. is independently developed by the Receiving Party or its Representatives, without the use of the Disclosing Party's Confidential Information; or

8.6. is legally required to be disclosed to a regulatory agency or pursuant to an order of a court of competent jurisdiction, provided that, where permissible, the Disclosing Party be given an opportunity to seek a protective order.

8.7. Applicable only if Customer is a governmental entity: In the event SANS, as the Disclosing Party, identifies its information as Confidential Information, and Receiving Party is a government entity and can demonstrate that SANS' Confidential Information would otherwise be public information based upon governing law, then prior to public disclosure, the Receiving Party, as a government entity, shall provide SANS written notice demonstrating SANS' Confidential Information would otherwise be public information based upon governing law.

8.8. Upon termination of this Agreement, at Disclosing Party's request and to the extent legally permissible (as interpreted by SANS), Receiving Party will destroy or return to Disclosing Party all Disclosing Party's Confidential Information in its possession or control and provide written certification of compliance thereof.

8.9. Receiving Party agrees to take appropriate actions to address incidents of unauthorized access to Disclosing Party's Confidential Information, including notification within five (5) days to Disclosing Party of any such incident.

8.10. If the parties are required by the GDPR or other applicable privacy laws or regulations to enter into a Data Processing Agreement to govern their use of personal data in connection with this Agreement, the Parties will do so and each Party shall comply with its obligations thereunder. SANS' standard Data Processing Agreement is available upon request.

9. DATA PROTECTION

9.1. In order to perform the Services under this Agreement, SANS is required to Process Personal Data. SANS shall comply with the Applicable Data Protection Legislation.

9.2. With respect to Personal Data, the Customer shall act as a Personal Data Controller, where "Controller" means the entity which alone determines the purposes and the means of the Processing of Personal Data, and SANS shall carry out the Processing of the Personal Data only on behalf of the Customer. Acting as a Data Processor, SANS shall carry out the Processing of Personal Data only according to the Customer's documented instructions for Processing, unless that law prohibits such information on important grounds of public interest.

9.3. To the extent that data includes Personal Data, the Parties agree that the SANS DPA is incorporated into these terms and applies automatically to all customers globally who require it.

10. REPRESENTATIONS AND WARRANTIES.

10.1. SANS represents and warrants to Customer:

10.1.1. it is duly organized and in good standing under the laws of the United Kingdom;

10.1.2. it has full right and power to enter into this Agreement, and the signer of this Agreement has authority to bind such Party it signs on its behalf;

10.1.3. it is not prohibited by any regulatory authority from carrying out its duties and obligations under this Agreement.

10.2. Such representations and warranties shall be continuing throughout the Term of this Agreement.

11. INTELLECTUAL PROPERTY INDEMNIFICATION.

11.1. Subject to the limitations of liability in Section 14, SANS shall defend, indemnify, and hold Customer and its officers, directors, employees, and agents (each a "Customer Indemnitee") harmless from and against any third party claims, demands, suits, proceedings, and resulting liabilities, direct damages, and expenses (collectively "Claims"), to the extent that the SSA Training Services, SSA Training Materials, SSA Phishing Services, or Engagement Materials infringe any patent, copyright, trademark, trade secret or other intellectual property interest of a third party. SANS shall, in its sole discretion and at no additional charge to Customer, make commercially reasonable efforts to replace, in whole or in part, the infringing materials or Services with substantially compatible and functionally equivalent materials or Services, modify them to avoid the infringement, or secure the right for Customer to continue their use. In the event that SANS determines that the foregoing actions are not commercially practicable, either Party may terminate the applicable Price Quote, and SANS shall refund to the Customer the applicable subscription fees for periods after the effective date of termination. This obligation does not extend to infringement by any Customer Materials incorporated into the foregoing, or to infringement resulting from any modifications or adaptations made by Customer or third parties to the foregoing.

11.2. Subject to the limitations of liability in Section 14, Customer shall defend, indemnify, and hold SANS and its officers, directors, employees, and agents (each a "SANS Indemnitee") harmless from and against any Claims alleging that the Customer Materials infringe any patent, copyright, trademark, trade secret or other intellectual property interest of a third party.

11.3. The foregoing obligations are conditioned on (i) the Customer Indemnitee or SANS Indemnitee (each an "Indemnitee" as applicable) providing prompt notification of the Claim to the other indemnifying Party (SANS and Customer each the "Indemnifying Party" as applicable), (ii) the Indemnitee allowing the Indemnifying Party to control the defense and settlement of the Claim (except that the Indemnifying Party may not agree to any settlement or consent to any judgment that would admit fault, wrongdoing or liability on the part of the Indemnitee without such Indemnitee's prior written consent), and (iii) the Indemnitee's cooperation with the Indemnifying Party as reasonably requested by the Indemnifying Party (at the Indemnifying Party's expense) in the defense and any related settlement of the Claim.

11.4. Applicable only if Customer is a governmental entity: To the extent established law preempts or limits Customer from providing indemnification to SANS, Customer's indemnification obligation in this section shall be eliminated or limited pursuant to applicable law.

12. GENERAL INDEMNIFICATION.

12.1. Subject to the limitations of liability in Section 11, each Indemnifying Party agrees to indemnify, defend and hold harmless the other Party's Indemnitee against any and all losses, damages, liabilities or expenses (including reasonable attorneys' fees and other costs of defense) in connection with any and all actions, suits, claims or demands that may be brought or instituted against any Indemnitee by any third party to the extent they arise out of or relate to (a) a breach of a representation, warranty or covenant of the Indemnifying Party under this Agreement, or (b) an Indemnifying Party's negligence or willful misconduct in performing obligations under this Agreement.

12.2. The foregoing obligations are conditioned on (i) the Indemnitee's prompt notification of the Claim to the Indemnifying Party, (ii) the Indemnitee allowing the Indemnifying Party to control the defense and settlement of the Claim (except that the Indemnifying Party may not agree to any settlement or consent to any judgment that would admit fault, wrongdoing or liability on the part of the Indemnitee without such Indemnitee's prior written consent), and (iii) the Indemnitee's cooperation with the Indemnifying Party as reasonably requested by the Indemnifying Party (at the Indemnifying Party's expense) in the defense and any related settlement of the Claim.

13. DISCLAIMER OF WARRANTY AND LIMITATIONS OF LIABILITY.

13.1. IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY INDIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES OR LIABILITIES OR FOR ANY LOST PROFITS, LOST SAVINGS OR LOSS OF REVENUES, ARISING FROM OR RELATING TO THIS AGREEMENT OR THE SANS PRODUCTS OR SERVICES, EVEN IF THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

13.2. IN NO EVENT SHALL SANS' LIABILITY IN ANY MANNER ARISING UNDER THIS AGREEMENT EXCEED THE TOTAL PAYMENT RECEIVED BY SANS UNDER THE PRICE QUOTE FOR THE SANS PRODUCTS OR SERVICES FROM WHICH THE CLAIM ARISES DURING THE 12-MONTH PERIOD IMMEDIATELY PRECEDING THE DATE WHEN THE CAUSE OF ACTION ARISES.

14. INSURANCE

SANS shall, at its sole expense and throughout the Term, carry and maintain the following insurance coverage: (a) Commercial General Liability, (b) Worker's Compensation; and (c) Employer's Liability, in reasonable amounts.

15. COMPLIANCE WITH LAWS

15.1. Each Party will, at its sole expense, obtain all permits and licenses, pay all fees, and comply with all federal, state, and local laws, ordinances, rules, regulations, codes, and orders applicable to it in the performance of this Agreement.

15.2. Each Party shall conduct operations in compliance with applicable laws, rules and regulations in exercising rights and obligations under any part of this Agreement. Laws may include but not be limited to the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act and local anticorruption legislation that may apply. Neither party is listed by any government agency as debarred, suspended, proposed for suspension or debarment or otherwise determined to be ineligible for government procurement programs. In exercising rights and obligations under any part of this Agreement, neither party nor anyone acting on its behalf shall make, offer, promise or authorize payment of anything of value directly or indirectly to any of the following prohibited parties for the purpose of unlawfully influencing their acts or decisions: a) employees, consultants, or representatives of the other Party, b) government officials or employees, c) political party officials or candidates, d) officers or employees of any public international organization, e) immediate family member of such persons (or any other person) for the benefit of such persons.

15.3. Each Party warrants that neither it nor its controlling owners is listed on any (i) sanction programs list maintained by the U.S. Office of Foreign Assets Control within the U.S. Treasury Department ("OFAC"), or (ii) denied party list maintained by the U.S. Bureau of Industry and Security within the U.S. Department of Commerce ("BIS"). Customer agrees it shall not allow Users access to any SANS product, service, or technology provided under this Agreement to any person or entity in a U.S. embargoed country or in violation of a U.S. export control law or regulations. Customer agrees to cooperate with SANS as necessary for SANS to comply with export requirements and recordkeeping required by OFAC, BIS, or other governmental agency.

16. GOVERNING LAW; JURISDICTION.

16.1. This Agreement and any dispute arising under or relating to this Agreement or the Products shall be governed in all respect by the law of England and Wales. The Convention on Contracts for the International Sale of Goods, and the Uniform Computer Information Transactions Act do not apply.

16.2. Each Party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any claim or dispute.

16.3. Applicable only if Customer is a governmental entity: Notwithstanding Sections 12(a)-(b), choice of law and forum shall be for those government Customers located outside the England and Wales, the country in which the Customer is located.

17. NOTICES.

All notices or reports required or permitted under this Agreement shall be in writing and shall be delivered by personal delivery, facsimile transmission, a nationally recognized overnight delivery service, by certified or registered mail, return receipt requested, or by electronic mail to be confirmed in writing delivered by one of the methods described herein, and shall be deemed given upon personal delivery, electronic confirmation of electronic mail or facsimile transmission, or signature evidencing receipt of overnight delivery or registered mail, as applicable. Notices and communications between Company and SANS shall be in English to the following addresses of the Parties or to such other addresses as the Party concerned may subsequently notify in writing to the other Party. Notice hereunder shall be delivered to the Parties' address listed on the Price Quote with attention to the Legal Department.

18. EXPORT COMPLIANCE. The Products, Services and other technology provided under this Agreement may be subject to export laws and regulations of the United Kingdom, United States and other jurisdictions. Each Party warrants that neither it nor its controlling owners is (i) listed on any sanction programs list maintained by the U.S. Office of Foreign Assets Control within the U.S. Treasury Department ("OFAC") or the U.K. Office of Financial Sanctions Implementation ("OFSI") , or (ii) denied party list maintained by the U.S. Bureau of Industry and Security within the U.S. Department of Commerce ("BIS"). Customer agrees it shall not allow users access to any Product, Service or technology provided under this Agreement to any person or entity in a U.S. or U.K. embargoed country or in violation of a U.S. or U.K. export control law or regulations. Customer agrees to cooperate with SANS as necessary for SANS to comply with export requirements and recordkeeping required by OFAC, OFSI, BIS or other governmental agency.

19. ANTI-BRIBERY, ANTI-CORRUPTION.

19.1. Each Party shall conduct operations in compliance with applicable laws, rules and regulations in exercising rights and obligations under any part of this Agreement. Laws may include but not be limited to the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act and local anticorruption legislation that may apply. Neither Party is listed by any government agency as debarred, suspended, proposed for suspension or debarment or otherwise determined to be ineligible for government procurement programs.

19.2. In exercising rights and obligations under any part of this Agreement, neither Party nor anyone acting on its behalf shall make, offer, promise or authorize payment of anything of value directly or indirectly to any of the following prohibited parties for the purpose of unlawfully influencing their acts or decisions: a) employees, consultants, or representatives of the other Party, b) government officials or employees, c) political party officials or candidates, d) officers or employees of any public international organization, e) immediate family member of such persons (or any other person) for the benefit of such persons.

20. MISCELLANEOUS.

20.1. Assignment; No Third Party Beneficiaries. Neither Party may assign this Agreement or its rights or obligations thereunder without the written consent of the other Party, which consent will not be unreasonably withheld, except that a Party may assign upon notice to a successor by merger, acquisition, or sale of substantially all of such Party's business or assets or to a wholly owned subsidiary. In addition, SANS may assign this Agreement to a subsidiary entity without written consent of Customer. SANS may subcontract all or any part of its Services, but shall remain responsible for the acts and omissions of its subcontractors as though they were acts of SANS itself. There are no third party beneficiaries to this Agreement, and nothing in this Agreement shall benefit or create any right on behalf of any person or entity other than Customer and SANS. This Agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement.

20.2. Waiver. The failure of either Party to exercise or enforce any right or provision of this Agreement shall not constitute a waiver of such right or provision or a waiver of the right of such Party to thereafter enforce each and every provision of this Agreement.

20.3. Severability. If a particular provision of this Agreement is terminated or held by a court of competent jurisdiction to be invalid, illegal, or unenforceable, that provision of the Agreement will be enforced to the maximum extent legally permissible and the remainder of this Agreement will continue in full force and effect.

20.4. Headings. The headings or titles preceding the text of the sections and subsections of this Agreement are inserted solely for convenience of reference, and shall not constitute a part of this Agreement, nor shall they affect the meaning, construction or effect of this Agreement.

20.5. Independent Contractor. SANS is an independent contractor and not an employee, agent, affiliate, partner or joint venturer with or of Customer.

20.6. Force Majeure. Neither Party shall be liable to the extent that its performance of this Agreement is prevented, or rendered so difficult or expensive as to be commercially impracticable, by reason of an Act of God, labor dispute, unavailability of transportation, goods or services, governmental restrictions or actions, war (declared or undeclared) or other hostilities, pandemic, or by any other event, condition or cause which is not foreseeable on the Effective Date and is beyond the reasonable control of the Party, provided that such Party promptly informs the other Party of such event, and makes diligent efforts to work around the event and resume performance. In the event of non-performance or delay in performance attributable to any such causes, the period allowed for performance of the applicable obligation under this Agreement will be extended for a period equal to the period of the delay.

20.7. Entire Agreement. This Agreement and all appendices attached hereto (which are specifically incorporated herein by this reference) contain the full and entire agreement between the Parties. It supersedes all prior negotiations, and proposals, written or otherwise, relating to its subject matter. Any modifications, revisions or amendments to this Agreement must be set forth in writing signed by authorized representatives of both Parties.

20.8. Customer PO to Facilitate Payment Only. The Parties agree that any PO submitted by a Customer to SANS is for facilitating invoicing and payment only. Any additional, inconsistent, or different terms included in a Customer PO or other documents (including electronic) submitted to SANS by or on behalf of Customer at any time, whether before or after the Effective Date are hereby expressly rejected by SANS and of no effect. These terms and conditions shall be deemed accepted by Customer without any such additional, inconsistent, or different terms and conditions, except to the extent expressly accepted by SANS in writing and signed by SANS.

20.9. Counterparts. This Agreement may be executed and delivered (i) in any number of counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument, and/or (ii) by exchange of facsimile or PDF copies, or secure electronic signature and delivery method (e.g., DocuSign), in which case the instruments so executed and delivered shall be binding and effective for all purposes.

ADDENDUM A

SSA TRAINING SERVICES SUPPLEMENTAL TERMS

1. SUPPLEMENTAL DEFINITIONS.

a. Customer Learning Management System or Customer LMS means a Customer-supplied software application for the administration, documentation, tracking, reporting, and delivery of educational courses, training programs, or learning and development programs.

b. SSA Learning Platform or SLP means a training platform owned and operated by SANS to deliver online training. SANS reserves the right to upgrade its platform or migrate it to another, with this Agreement remaining in full force and applying equally to any upgraded or new platform(s).

d. SSA Training Named User means any individual who has been issued a user login account at any time during the Subscription Term permitting such individual to access and use SSA Training Materials through the SLP or the Customer LMS as applicable. An SSA Training Named User must be an employee, agent, contractor, or representative of Customer unless otherwise authorized by SANS.

e. SSA Training Services means the provision by SANS of SSA Training Materials or related services to Customer or its SSA Training Named Users.

2. SSA TRAINING SERVICES. Except as set forth in the Price Quote:

a. Customer is granted a non-exclusive, non-transferable, and non-sublicensable license during the Subscription Term to access and use the SLP solely to administer the delivery of SSA Training Services to SSA Training Named Users; add or delete SSA Training Named Users; assign training; run reports; customize themes; customize system notification messages; enable SSA Training Named Users to view SSA Training Materials and receive SSA Training Services, and to the extent specifically authorized by SANS; supplement SSA Training Materials with training materials related to the SSA Training Materials for presentation to SSA Training Named Users. Use of SSA Training Services for delivery of any other content is strictly prohibited.

b. Customer may permit SSA Training Named Users to access and use the SSA Training Materials through the SLP during the Subscription Term to view SSA Training Materials and receive SSA Training Services.

c. Use of SSA Training Materials during the Subscription Term is limited to no more than the number of SSA Training Named Users set forth in the Price Quote.

d. Each of the SSA Training Materials will have a separate SSA Training Named User account.

e. Customer grants SANS all necessary rights to authorize it and its affiliates and subprocessors a non-exclusive right to process data solely to provide the SSA Training Services andSAP Litmos functionality (as applicable) described in this Agreement to Customer and its SSA Training Named Users.

f. Customer shall:

i. ensure that its SSA Training Named Users comply with the terms of this Agreement and shall be responsible for the acts or omissions of any SSA Training Named User, or person using an SSA Training Named User's login, in connection with their use of the SSA Training Materials, or access to SAP Litmos or the SLP not in conformity with this Agreement;

ii. notify SANS within five (5) business days of any known unauthorized use of Customer's or any SSA Training Named User's account;

iii. not copy, reproduce, distribute, display, modify or create derivative works based upon all or any portion of SAP Litmos or the SSA Training Materials in any medium, without the express written consent of SANS, or permit any other person to do so;

iv. not sell, resell, rent, or lease the SSA Training Materials or access to SAP Litmos or the SLP, or permit any other person to do so;

v. not interfere with or disrupt the performance of SAP Litmos or the SLP, or permit any other person to do so;

vi. not provide access to anyone other than an authorized SSA Training Named User;

vii. not attempt to gain unauthorized access to SAP Litmos, the SLP, or any CBT Material, or permit any other person to do so.

3. SSA TRAINING NAMED USERS AND LEARNING PLATFORM

a. Each individual permitted to access or use a component of the SLP must be assigned a unique user login and will be considered an SSA Training Named User. Customer may not permit more than one person to access or share a single user login account, nor otherwise attempt to circumvent licensing metrics.

b. Once credentialed, an SSA Training Named User continues to be counted in the SSA Training Named User metrics even if that SSA Training Named User ceases to have a login account. New SSA Training Named Users must be added and may not be substituted for prior SSA Training Named Users.

c. Customer must adhere to SANS' reasonable guidelines to ensure system performance, including those regarding data purging, hosting hardware and infrastructure, and loads per instance.

d. SANS reserves the right to limit the number of SSA Training Named Users eligible for SANS training for system performance.

e. Customer may not use the SLP: (i) to deliver any training other than SSA training; (ii) to deliver training or manage data on behalf of any other organization; (iii) to provide software or content development services to third parties; (iv) on a service bureau or time-share basis; and/or (v) as an application service provider.

f. Customer may not, at any time, load users onto the SLP in excess of 1.05 times the number of Active Users set forth in the Agreement and/or Price Quote.

ADDENDUM B

SAP LITMOS/CALLIDUS SUPPLEMENTAL TERMS

If Customer subscribes to SAP Litmos/Callidus Cloud Services ("Litmos") through SANS under a Price Quote in order to deliver SSA Training services through the Customer LMS, then the following supplemental terms shall apply:

1. SSA Litmos Training Named User means an SSA Training Named User who accesses SSA Training Services through the Customer LMS using Litmos.

2. Extension of Supplemental Terms.

a. All definitions, terms, conditions, limitations, and restrictions in Addendum A relating to the use of the SLP shall apply, mutatis mutandis, to the use of Litmos by Customer and SSA Litmos Training Named Users.

b. Customer acknowledges that Litmos and all intellectual property rights therein are owned by SAP SE, Callidus Software, Inc., or their affiliates or licensors.

c. Confidential information of SAP SE, Callidus Software, Inc, and their affiliates obtained by Customer in connection with this Agreement shall be protected by Customer as SANS Confidential Information.

d. Customer grants SANS all necessary rights to authorize SAP SE, Callidus Software, Inc., and their subprocessors a non-exclusive right to process data solely to provide Litmos and related services to Customer and its SSA Litmos Training Named Users as part of the Services.

ADDENDUM C

SSA PHISHING SERVICE SUPPLEMENTAL TERMS

Except as set forth in the applicable Price Quote, the following supplemental terms and conditions shall apply to Customer's use of the SSA Phishing Service:

1. Supplemental Definitions

a. SSA Phishing Named User means any individual (i) with a user login account permitting such individual to access and use SSA Training Materials on the SLP or Customer LMS, or (ii) designated to be tested in SSA Phishing Service activities.

b. SSA Phishing Service means a SANS tool or service available to Customer to test its employees' ability to withstand phishing/social engineering attacks.

2. Customer is hereby granted a non-exclusive, non-transferable, and non-sublicensable license, to use the SSA Phishing Service during the Subscription Term set forth in the Price Quote, limited to the number of SSA Phishing Named Users set forth in the Price Quote.

3. Customer grants SANS all necessary rights to authorize SANS and its subprocessors a non-exclusive right to process data solely to provide the SSA Phishing Service to Customer and its SSA Phishing Named Users.

4. A person who is a user only because he or she is designated to be tested through the SSA Phishing Service will not be counted against Customer's total allotment of SSA Phishing Named Users until the first phishing message is sent to that SSA Phishing Named User by the SSA Phishing Service, at which point the he/she will become an SSA Phishing Named User.

5. Customer shall:

a. ensure that its SSA Phishing Named Users comply with the terms of this Agreement and shall be responsible for the acts or omissions of any SSA Phishing Named User, or person using an SSA Phishing Named User's login, in connection with their use of the SSA Phishing Services not in conformity with this Agreement;

b. notify SANS within five (5) business days of any known unauthorized use of Customer's account;

c. not attempt to gain unauthorized access to or reverse engineer the SSA Phishing Service;

d. not use any SANS Confidential Information to build a competitive service or product, nor copy any feature, function or graphic for competitive purposes;

e. not sell, resell, rent or lease the SSA Phishing Service; and

f. only conduct simulated phishing emails to domains and recipients for whom Customer has authorization.

6. If third party services or applications are provided to Customer as part of the SSA Phishing Services, Customer shall protect the confidential and proprietary information of such third parties to the same degree as it is obligated to protect other Confidential Information under the Agreement.

7. Neither Party shall utilize any phishing practices or templates that would create a significant risk of claims, liabilities, administrative actions, internet service provider blacklisting, or other consequences adverse to either SANS or Customer, such as identification of the sender as the Internal Revenue Service or another government agency or violations of industry standard acceptable use policies. SANS and its service providers may, but are not obligated to, take action to prevent and stop transmission of any such content provided by Customer.