SANS Security Awareness Master License and Services Agreement Terms and Conditions (v.01.2022)

By providing payment in response to a SANS’ Price Quote in response to this Master License and Services Agreement (“Agreement”), the Customer (“Customer”) represents it has read, understands, and agrees to the terms and conditions below.

The following Addendums are attached and incorporated into this Agreement:

Addendum A   SSA Training Services Supplemental Terms

Addendum B   SAP Litmos/Callidus Cloud Services Supplemental Terms

Addendum C   SSA Phishing Services Supplemental Terms

1. DEFINITIONS.

a. Customer Learning Management System or Customer LMS means a Customer-supplied system and related applications for its administration, documentation, tracking, reporting, and delivery of educational courses, training programs, or learning and development programs.

b. Customer Materials means Customer-sourced data or materials not provided by SANS or its suppliers, that are used in connection with SSA Training Materials, such as Customer-sourced content, logos, artwork, or media.

c. Engagement Materials means SANS fact sheets, FAQs, help files, media files, newsletters, posters, and screensavers provided or made available by SANS to facilitate use of the SANS Products and Services. Engagement Materials do not include SSA Training Materials themselves.

d. Named User means, as applicable, an authorized SSA Training Named User as defined in Addendum A, an authorized SSA Litmos Training Named User as defined in Addendum B, an authorized SSA Phishing Named User, as defined in Addendum C, or a named user otherwise defined in a Price Quote or additional Addendum with respect to other Services.

e. Price Quote means the document that details the product(s) and Services being provided to Customer by SANS, as well as the quantities, fees, Subscription Term, and payment terms.

f. Products means the products to be provided by SANS to Customer as set forth in a Price Quote or Statement of Work.

g. Professional Services means setup, implementation, installation, configuration or other professional Services to be provided by SANS to Customer under a Price Quote or Statement of Work.

h. Services means the services to be performed by SANS for Customer as set forth in a Price Quote or Statement of Work.

i. Statement of Work or SOW means a mutually agreed statement of Services to be performed by SANS for Customer under a Price Quote.

j. Subscription Term means the License Term or Subscription Term specified in a Price Quote.

2. SSA TRAINING SERVICES. If Customer purchases SSA Training Services under a Price Quote, the supplemental terms set forth in Addendum A (SSA Training Services Supplemental Terms) shall apply.

3. SAP LITMOS/CALLIDUS CLOUD SERVICES. If Customer purchases SAP Litmos/Callidus Cloud Services under a Price Quote, the supplemental terms set forth in Addendum B (SAP Litmos/Callidus Supplemental Terms) shall apply.

4. SSA PHISHING SERVICES. If Customer purchases SSA Phishing Services under a Price Quote, the supplemental terms set forth in Addendum C (SSA Phishing Services Supplemental Terms) shall apply.

5. SANS PROFESSIONAL SERVICES. All Professional Services will be performed in accordance with mutually agreed SOWs. Except as provided in a Price Quote or SOW for Professional Services, Customer is fully responsible for deployment of the Products and Services. SANS will only support such deployment remotely.

6. ENGAGEMENT MATERIALS. Except as set forth in the applicable Price Quote:

a. Customer is granted a non-exclusive, non-transferable, and non-sublicensable license during the applicable Subscription Term to use Engagement Materials related to the Products or Services to which it subscribes, only for its own internal use in connection with such Products or Services. Engagement Materials: (i) are not subject to “per user” limitations; (ii) are provided as digital files only, and (iii) may be modified or updated by SANS from time to time.

b. Customer shall not, for the purposes of sale, resale, lease, and/or developing a competing product: copy, reproduce, distribute, display, modify or create derivative works based upon all or any portion of the Engagement Materials in any medium.

7. TERM AND TERMINATION.

a. Term. The Term of this Agreement begins on the Effective Date and continues for 12 months thereafter or as identified on the applicable Price Quote. If Customer is not then in default under this Agreement, the Term shall auto-renew and extend for successive 12-month terms thereafter unless either Party provides notice of non-renewal at least sixty (60) days before the expiration of the then-current Term. The natural expiration of the Term of this Agreement shall not terminate Subscription Terms then in force, and this Agreement shall continue to govern the applicable subscriptions and Statements of Work until their respective expirations or terminations.

b. Subscription Term. Each Subscription Term shall be as specified in the applicable Price Quote, and if not specified, shall be twelve (12) months from the applicable Start Date. If Customer is not in default under this Agreement, and pays the applicable subscription fees for the renewal term, the Subscription Term shall auto-renew for successive 12-month terms thereafter, unless either Party provides notice of non-renewal at least sixty (60) days prior to the end of the then current Subscription Term.

c. Termination. Either Party may terminate this Agreement and any or all Price Quotes or Statements of Work and Subscription Terms as follows:

i. Upon thirty (30) days’ written notice in the event that the other Party materially breaches, for the first time, any provision of this Agreement (a “Default” by the “Defaulting Party”), provided that the Defaulting Party’s breach, if curable, has not been cured within the thirty (30) day notice period;

ii. Upon thirty (30) days’ written notice in the event that the Defaulting Party engages in multiple or persistent breaches of this Agreement (including but not limited to repeated non-payment) (an “Incurable Default”). In the event of an Incurable Default, the Agreement shall terminate regardless of any attempts by the Defaulting Party to cure.

iii. Immediately if (A) the other Party ceases to carry on its business; (B) a receiver or similar officer is appointed for the other Party and is not discharged within thirty (30) days; (C) the other Party becomes insolvent, admits in writing its inability to pay debts as they mature, is adjudicated bankrupt, or makes an assignment for the benefit or its creditors or another arrangement of similar import; (D) proceedings under bankruptcy or insolvency laws are commenced by or against the other Party and are not dismissed within thirty (30) days; or (E) a Party is in default of Sections 16 or 17.

iv. In the event of termination, the provisions that are intended by their terms to survive the Agreement shall survive the Agreement, which include but are not limited to: Non-Disclosure; Intellectual Property/Confidential Information; Limitation on SANS’ Liability, Default, and Governing Law.

v. In the event of termination, Customer shall pay SANS for all services performed by SANS up to the date of termination, as well as all fees accrued prior to the date of termination.

vi. In the event of termination of this Agreement for Default, all subscriptions, Statements of Work, and Subscription Terms hereunder shall also terminate, and Customer and its Named Users shall immediately cease all use of the licensed Products and Servicess.

d. SANS may immediately suspend Customer’s and/or a Named User’s access to the SLP and Services in connection with any:

i. material violation by Customer or a Named User of the use limitations or restrictions in the applicable Price Quote or Addendum or SANS’ intellectual property rights;

ii. technical or security issues or problems caused by Customer that materially impact the business operations of SANS or other SANS clients; and/or

iii. judicial, administrative, or law enforcement orders.

e. Upon expiration or termination of a Subscription Term, to the extent reasonably practicable, Customer shall return (or at SANS’ option destroy, and certify destruction of) all SSA Training Materials in its possession.

8. INVOICES AND PAYMENT TERMS.

a. Except as otherwise set forth in the Price Quote, Customer will be invoiced for one hundred percent (100%) of the total fee identified in the Price Quote.

b. Customer shall provide payment within 30 days of invoice receipt.

c. Customer shall be responsible for, and shall timely pay, all sales, use, value added, duties, tariffs or other taxes of any nature whatsoever associated with the purchase of Products or Services under this Agreement.

9. CONFIDENTIALITY AND NON-DISCLOSURE.

a. “Confidential Information” means information and materials, including, but not limited to, business or technical data or know-how, customer and prospective customer lists, trade secrets, designs, diagrams, methods of operation, software, financials, marketing, research and development, securities-related information, non-public personal information, and other intellectual property, in whatever form, whether written, oral, or visual, raw or summarized/abstracted, which is furnished or revealed by one Party (“Discloser”) to the other Party (“Recipient”). SANS Confidential Information includes Confidential Information of its customers and licensors.

b. The Parties acknowledge this Agreement creates a confidential relationship between them. The Recipient will protect the confidentiality of the Discloser’s Confidential Information during the Term of this Agreement and indefinitely thereafter by (a) using the same means it uses to protect its own Confidential Information, but in any event not less than reasonable means, and (b) using the Discloser's Confidential Information solely in connection with this Agreement. The Recipient shall not copy or disclose this Agreement and the Discloser's Confidential Information except to those employees, officers, directors, subcontractors, agents or affiliates of the Recipient (“Representatives”) who have a need to know such Confidential Information as required in connection with this Agreement, provided such Representatives are advised of and agree to abide by the confidentiality obligations set forth in this Agreement. Compliance by Representatives with the confidentiality and use obligations in this Agreement will remain the responsibility of Recipient and both Recipient and Representatives shall be liable for any breach of this Agreement by Representatives.

c. Confidential Information will not include any information or data which:

i. was rightfully in the Recipient's or its Representatives’ possession prior to receipt from the Discloser;

ii. becomes rightfully available to the Recipient or its Representatives from a source other than the Discloser who is free to lawfully disclose such information to the Recipient;

iii. is independently developed by the Recipient or its Representatives, without the use of the Discloser's Confidential Information; or

iv. is legally required to be disclosed to a regulatory agency or pursuant to an order of a court of competent jurisdiction, provided that, where permissible, the Discloser be given an opportunity to seek a protective order.

d. (Applicable to governmental clients only): In the event SANS, as the Discloser, identifies its information as Confidential Information, and Recipient is a United States-based local, state, or federal Government and can demonstrate that SANS’ Confidential Information would otherwise be public information based upon governing law; prior to public disclosure, the Recipient, as a United States-based local, state, or federal Government, shall provide SANS written notice demonstrating SANS’ Confidential Information would otherwise be public information based upon governing law.

e. Upon termination of this Agreement, at Discloser’s request and to the extent legally permissible (as interpreted by SANS), Recipient will destroy or return to Discloser all Discloser Confidential Information in its possession or control and provide written certification of compliance thereof.

f. Recipient agrees to take appropriate actions to address incidents of unauthorized access to Discloser’s Confidential Information, including notification within five (5) days to Discloser of any such incident.

g. If the parties are required by the GDPR or other applicable privacy laws or regulations to enter into a Data Processing Agreement to govern their use of personal data in connection with this Agreement, the Parties will do so and each Party shall comply with its obligations thereunder. SANS’ standard Data Processing Agreement is available upon request.

10. INTELLECTUAL PROPERTY/CONFIDENTIAL INFORMATION.

a. Customer acknowledges that SANS or its licensors are the sole and exclusive owners of the SANS Products and Services, and the SANS Confidential Information, including, without limitation, the SSA Training Materials and the Engagement Materials, and any improvements and enhancements thereto and derivations therof, and all intellectual property rights therein. Nothing in this Agreement transfers SANS’ exclusive ownership of its intellectual property or Confidential Information.

b. Customer may not: (i) except as expressly provided in this Agreement, use, copy, modify, translate, or merge any such information or create derivative works therefrom; (ii) disable or circumvent any SANS licensing control feature; (iii) reverse-engineer, disassemble, or decompile such information, or otherwise attempt to access or determine its underlying source code, underlying user interface techniques or algorithms, or permit any such actions; (iv) distribute, lend, sublicense, rent or lease the above; and/or (v) attempt to build a competitive service or product, or copy any feature, function or graphic for competitive purposes.

c. SANS acknowledges that Customer or its licensors are the sole and exclusive owners of the Customer Materials and Customer Confidential Information, and all intellectual property rights therein. Nothing in this Agreement transfers Customer’s exclusive ownership of its intellectual property or Confidential Information.

11. REPRESENTATIONS AND WARRANTIES.

a. SANS represents and warrants to Customer:

i. it has full right and power to enter into this Agreement;

ii. it is duly organized and in good standing under the laws of Delaware;

iii. The Services will be performed in a good and workmanlike fashion and in accordance with industry standards;

iv. The Products and Services will substantially conform to their respective SANS documentation in all material respects for a period of ninety (90) days after delivery; and

v. EXCEPT FOR THE EXPRESS WARRANTIES SET FORTH HEREIN OR IN ANY PRICE QUOTE OR SOW, (I) SANS AND ITS LICENSORS AND THIRD-PARTY PROVIDERS HEREBY DISCLAIM ALL EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT AND QUALITY; (II) SANS AND ITS LICENSORS AND THIRD-PARTY PROVIDERS MAKE NO REPRESENTATIONS OR WARRANTIES REGARDING THE RELIABILITY, AVAILABILITY, TIMELINESS, SUITABILITY, ACCURACY OR COMPLETENESS OF THE SERVICES OR THE RESULTS CUSTOMER MAY OBTAIN BY USING THE PRODUCTS OR SERVICES. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, AND SUBJECT TO THE OTHER TERMS AND CONDITIONS OF THIS AGREEMENT, SANS AND ITS LICENSORS AND THIRD-PARTY PROVIDERS DO NOT REPRESENT OR WARRANT THAT THE OPERATION OR USE OF THE SERVICES WILL BE TIMELY, UNINTERRUPTED OR ERROR-FREE. THE WARRANTIES EXTENDED HEREIN BY SANS ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESSED OR IMPLIED.

b. Customer represents and warrants that it has duly authorized the individual entering this Agreement to hereby bind Customer, and the individual entering this Agreement represents and warrants that he/she is so authorized.

12. INTELLECTUAL PROPERTY INDEMNIFICATION.

a. Subject to the limitations of liability in Section 14, SANS shall defend, indemnify, and hold Customer and its officers, directors, employees, and agents (each a “Customer Indemnitee”) harmless from and against any third party claims, demands, suits, proceedings, and resulting liabilities, direct damages, and expenses (collectively “Claims”), to the extent that the SSA Training Services, SSA Training Materials, SSA Phishing Services, or Engagement Materials infringe any patent, copyright, trademark, trade secret or other intellectual property interest of a third party. SANS shall, in its sole discretion and at no additional charge to Customer, make commercially reasonable efforts to replace, in whole or in part, the infringing materials or Services with substantially compatible and functionally equivalent materials or Services, modify them to avoid the infringement, or secure the right for Customer to continue their use. In the event that SANS determines that the foregoing actions are not commercially practicable, either Party may terminate the applicable Price Quote, and SANS shall refund to the Customer the applicable subscription fees for periods after the effective date of termination. This obligation does not extend to infringement by any Customer Materials incorporated into the foregoing, or to infringement resulting from any modifications or adaptations made by Customer or third parties to the foregoing.

b. Subject to the limitations of liability in Section 14, Customer shall defend, indemnify, and hold SANS and its officers, directors, employees, and agents (each a “SANS Indemnitee”) harmless from and against any Claims alleging that the Customer Materials infringe any patent, copyright, trademark, trade secret or other intellectual property interest of a third party.

c. The foregoing obligations are conditioned on (i) the Customer Indemnitee or SANS Indemnitee (each an “Indemnitee” as applicable) providing prompt notification of the Claim to the other indemnifying Party (SANS and Customer each the “Indemnifying Party” as applicable), (ii) the Indemnitee allowing the Indemnifying Party to control the defense and settlement of the Claim (except that the Indemnifying Party may not agree to any settlement or consent to any judgment that would admit fault, wrongdoing or liability on the part of the Indemnitee without such Indemnitee’s prior written consent), and (iii) the Indemnitee’s cooperation with the Indemnifying Party as reasonably requested by the Indemnifying Party (at the Indemnifying Party’s expense) in the defense and any related settlement of the Claim.

d. (Applicable to governmental customers only): To the extent established law preempts or limits Customer from providing indemnification to SANS, Customer’s indemnification obligation in this section shall be eliminated or limited pursuant to applicable law.

13. GENERAL INDEMNIFICATION.

a. Subject to the limitations of liability in Section 14, each Indemnifying Party agrees to indemnify, defend and hold harmless the other Party’s Indemnitee against any and all losses, damages, liabilities or expenses (including reasonable attorneys’ fees and other costs of defense) in connection with any and all actions, suits, claims or demands that may be brought or instituted against any Indemnitee by any third party to the extent they arise out of or relate to (a) a breach of a representation, warranty or covenant of the Indemnifying Party under this Agreement, or (b) an Indemnifying Party’s negligence or willful misconduct in performing obligations under this Agreement.

b. The foregoing obligations are conditioned on (i) the Indemnitee’s prompt notification of the Claim to the Indemnifying Party, (ii) the Indemnitee allowing the Indemnifying Party to control the defense and settlement of the Claim (except that the Indemnifying Party may not agree to any settlement or consent to any judgment that would admit fault, wrongdoing or liability on the part of the Indemnitee without such Indemnitee’s prior written consent), and (iii) the Indemnitee’s cooperation with the Indemnifying Party as reasonably requested by the Indemnifying Party (at the Indemnifying Party’s expense) in the defense and any related settlement of the Claim.

c. (Applicable to governmental clients only): To the extent established law preempts or limits Customer from providing indemnification to SANS, Customer’s indemnification obligation in this section shall be eliminated or limited pursuant to applicable law.

14. LIMITATIONS OF LIABILITY.

a. IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY INDIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES OR LIABILITIES OR FOR ANY LOST PROFITS, LOST SAVINGS OR LOSS OF REVENUES, ARISING FROM OR RELATING TO THIS AGREEMENT OR THE SANS PRODUCTS OR SERVICES, EVEN IF THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

b. IN NO EVENT SHALL SANS’ LIABILITY IN ANY MANNER ARISING UNDER THIS AGREEMENT EXCEED THE TOTAL PAYMENT RECEIVED BY SANS UNDER THE PRICE QUOTE FOR THE SANS PRODUCTS OR SERVICES FROM WHICH THE CLAIM ARISES DURING THE 12-MONTH PERIOD IMMEDIATELY PRECEDING THE DATE WHEN THE CAUSE OF ACTION ARISES.

15. GOVERNING LAW.

a. This Agreement and any dispute arising under or relating to this Agreement or the Products shall be governed in all respect by the laws of the United States and the State of Maryland, which shall be applied without reference to any conflict-of-laws rule under which different law might otherwise be applicable. The Convention on Contracts for the International Sale of Goods, and the Uniform Computer Information Transactions Act (including as adopted in Maryland) do not apply.

b. Any dispute arising under or related to this Agreement shall be adjudicated exclusively in the United States District Court for the District of Maryland, or if that Court lacks subject matter jurisdiction, then in the Circuit Court for Montgomery County, Maryland. Each Party hereby submits itself to the exclusive personal jurisdiction and venue of said courts, waives all objections to such jurisdiction and venue, including without limitation forum non conveniens, and consents to service of process by confirmed facsimile transmission or commercial courier (with written verification of receipt returned to the sender).

c. (Applicable to governmental customers only): Notwithstanding Sections 15(a)-(b), choice of law and forum shall be (i) for those government customers located in the United States of America, the state in which the Customer is located, and (ii) for those government customers located outside the United States of America, the country in which the Customer is located.

16. ANTI-BRIBERY, ANTI-CORRUPTION.

a. Each Party shall conduct operations in compliance with applicable laws, rules and regulations in exercising rights and obligations under any part of this Agreement. Laws may include but not be limited to the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act and local anticorruption legislation that may apply. Neither Party is listed by any government agency as debarred, suspended, proposed for suspension or debarment or otherwise determined to be ineligible for government procurement programs.

b. In exercising rights and obligations under any part of this Agreement, neither Party nor anyone acting on its behalf shall make, offer, promise or authorize payment of anything of value directly or indirectly to any of the following prohibited parties for the purpose of unlawfully influencing their acts or decisions: a) employees, consultants, or representatives of the other Party, b) government officials or employees, c) political party officials or candidates, d) officers or employees of any public international organization, e) immediate family member of such persons (or any other person) for the benefit of such persons.

17. EXPORT COMPLIANCE. The Products, Services and other technology provided under this Agreement may be subject to export laws and regulations of the United States of America and other jurisdictions. Each Party warrants that neither it nor its controlling owners is (i) listed on any sanction programs list maintained by the U.S. Office of Foreign Assets Control within the U.S. Treasury Department (“OFAC”), or (ii) denied party list maintained by the U.S. Bureau of Industry and Security within the U.S. Department of Commerce (“BIS”). Customer agrees it shall not allow users access to any Product, Service or technology provided under this Agreement to any person or entity in a U.S. embargoed country or in violation of a U.S. export control law or regulations. Customer agrees to cooperate with SANS as necessary for SANS to comply with export requirements and recordkeeping required by OFAC, BIS or other governmental agency.

18. MISCELLANEOUS.

a. Assignment; No Third Party Beneficiaries. Neither Party may assign this Agreement or its rights or obligations thereunder without the written consent of the other Party, which consent will not be unreasonably withheld, except that a Party may assign upon notice to a successor by merger, acquisition, or sale of substantially all of such Party’s business or assets. SANS may subcontract all or any part of its Services, but shall remain responsible for the acts and omissions of its subcontractors as though they were acts of SANS itself. There are no third party beneficiaries to this Agreement, and nothing in this Agreement shall benefit or create any right on behalf of any person or entity other than Customer and SANS.

b. Severability; No Waiver. If a particular provision of this Agreement is terminated or held by a court of competent jurisdiction to be invalid, illegal, or unenforceable, that provision of the Agreement will be enforced to the maximum extent legally permissible and the remainder of this Agreement will continue in full force and effect. Any failure of either Party to enforce at any time or for any period of time, any of the provisions of this Agreement, shall not be deemed or construed to be a waiver of such provisions or of the right of such Party thereafter to enforce each and every provision.

c. Headings. The headings or titles preceding the text of the sections and subsections of this Agreement are inserted solely for convenience of reference, and shall not constitute a part of this Agreement, nor shall they affect the meaning, construction or effect of this Agreement.

d. Independent Contractor. SANS is an independent contractor and not an employee, agent, affiliate, partner or joint venturer with or of Customer.

e. Force Majeure. Neither Party shall be liable to the extent that its performance of this Agreement is prevented, or rendered so difficult or expensive as to be commercially impracticable, by reason of an Act of God, labor dispute, unavailability of transportation, goods or services, governmental restrictions or actions, war (declared or undeclared) or other hostilities, pandemic, or by any other event, condition or cause which is not foreseeable on the Effective Date and is beyond the reasonable control of the Party, provided that such Party promptly informs the other Party of such event, and makes diligent efforts to work around the event and resume performance. In the event of non-performance or delay in performance attributable to any such causes, the period allowed for performance of the applicable obligation under this Agreement will be extended for a period equal to the period of the delay.

19. NOTICES. 

All notices or reports required or permitted under this Agreement shall be in writing and shall be delivered by personal delivery, facsimile transmission, a nationally recognized overnight delivery service, by certified or registered mail, return receipt requested, or by electronic mail to be confirmed in writing delivered by one of the methods described herein, and shall be deemed given upon personal delivery, electronic confirmation of electronic mail or facsimile transmission, or signature evidencing receipt of overnight delivery or registered mail, as applicable. Notices and communications between Company and SANS shall be in English to the following addresses of the Parties or to such other addresses as the Party concerned may subsequently notify in writing to the other Party. Notice hereunder shall be delivered to the Parties’ addresses as follows. If no address is listed for Customer below, notice for Customer is the address for Customer in the opening paragraph of this Agreement with attention to the Legal Department. 

If to SANS:
SANS Institute
Attn: Contracts Administration
11200 Rockville Pike, Suite 200
North Bethesda, MD 20852 

20. ENTIRE AGREEMENT; COUNTERPARTS.

a. This Agreement consists of the Master License and Services Agreement, together with any Addendums, Price Quotes, Statements of Work and related exhibits, appendices, and schedules, and contains the entire understanding and agreement between the Parties and extinguishes all prior negotiations and understandings as to the subject matter. Neither Party has relied on any promises or representations not expressly set forth herein. Any Customer Purchase Order (PO) is for facilitating invoicing and payment only and any terms included on or with a PO are hereby rejected and are of no effect. This Agreement shall become binding as of the Effective Date upon execution of this Agreement by both Parties. This Agreement may not be amended except by a written amendment signed by authorized representatives of both Parties.

b. This Agreement may be executed and delivered (i) in any number of counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument, and/or (ii) by exchange of facsimile or PDF copies, or secure electronic signature and delivery method (e.g. DocuSign), in which case the instruments so executed and delivered shall be binding and effective for all purposes.

ADDENDUM A

SSA TRAINING SERVICES SUPPLEMENTAL TERMS



1. SUPPLEMENTAL DEFINITIONS.

a. Customer Learning Management System or Customer LMS means a Customer-supplied software application for the administration, documentation, tracking, reporting, and delivery of educational courses, training programs, or learning and development programs.

b. Customer Materials means any Customer-sourced data or materials not provided by SANS or its suppliers, that are used in connection with SSA Training Materials, such as Customer-sourced content, logos, artwork, or media.

c. SSA Learning Platform or SLP means a training platform owned and operated by SANS to deliver online training. SANS reserves the right to upgrade its platform or migrate it to another, with this Agreement remaining in full force and applying equally to any upgraded or new platform(s).

d. SSA Training Materials means SANS Security Awareness videos, interactive programs, online training content, exams, assessments, electronic materials, and other training Products. Each Product is licensed separately.

e. SSA Training Named User means any individual who has been issued a user login account at any time during the Subscription Term permitting such individual to access and use SSA Training Materials through the SLP or the Customer LMS as applicable. An SSA Training Named User must be an employee, agent, contractor, or representative of Customer unless otherwise authorized by SANS.

f. SSA Training Services means the provision by SANS of SSA Training Materials or related services to Customer or its SSA Training Named Users.

g. Subscription Term means the subscription term for the SSA Training Services as set forth in the Price Quote.

2. SSA TRAINING SERVICES. Except as set forth in the Price Quote:

a. Customer is granted a non-exclusive, non-transferable, and non-sublicensable license during the Subscription Term to access and use the SLP solely to administer the delivery of SSA Training Services to SSA Training Named Users; add or delete SSA Training Named Users; assign training; run reports; customize themes; customize system notification messages; enable SSA Training Named Users to view SSA Training Materials and receive SSA Training Services, and to the extent specifically authorized by SANS; supplement SSA Training Materials with training materials related to the SSA Training Materials for presentation to SSA Training Named Users. Use of SSA Training Services for delivery of any other content is strictly prohibited.

b. permit SSA Training Named Users to access and use the SSA Training Materials through the SLP during the Subscription Term to view SSA Training Materials and receive SSA Training Services.

c. Use of SSA Training Materials during the Subscription Term is limited to no more than the number of SSA Training Named Users set forth in the Price Quote.

d. Each of the SSA Training Materials will have a separate SSA Training Named User count.

e. Customer grants SANS all necessary rights to authorize it and its affiliates and subprocessors a non-exclusive right to process data solely to provide the SSA Training Services SAP Litmos functionality described in this agreement to Customer and its SSA Training Named Users.

f. Customer shall:

i. ensure that its SSA Training Named Users comply with the terms of this Agreement and shall be responsible for the acts or omissions of any SSA Training Named User, or person using an SSA Training Named User’s login, in connection with their use of the SSA Training Materials or access to SAP Litmos or the SLP not in conformity with this Agreement;

ii. notify SANS within five (5) business days of any known unauthorized use of Customer’s or any SSA Training Named User’s account;

iii. not copy, reproduce, distribute, display, modify or create derivative works based upon all or any portion of SAP Litmos or the SSA Training Materials in any medium, without the express written consent of SANS, or permit any other person to do so;

iv. not sell, resell, rent, or lease the SSA Training Materials or access to SAP Litmos or the SLP, or permit any other person to do so;

v. not interfere with or disrupt the performance of SAP Litmos or the SLP, or permit any other person to do so;

vi. not provide access to anyone other than an authorized SSA Training Named User;

vii. not attempt to gain unauthorized access to SAP Litmos, the SLP, or any CBT Material, or permit any other person to do so.

3. SSA TRAINING NAMED USERS

a. Each individual permitted to access or use a component of the SLP must be assigned a unique user login and will be considered an SSA Training Named User. Customer may not permit more than one person to access or share a single user login account, nor otherwise attempt to circumvent licensing metrics.

b. Once credentialed, an SSA Training Named User continues to be counted in the SSA Training Named User metrics even if that SSA Training Named User ceases to have a login account. New SSA Training Named Users must be added and may not be substituted for prior SSA Training Named Users.

c. Customer must adhere to SANS’ reasonable guidelines to ensure system performance, including those regarding data purging, hosting hardware and infrastructure, and loads per instance.

d. SANS reserves the right to limit the number of SSA Training Named Users eligible for SANS training for system performance.

e. Customer may not use the SLP: (i) to deliver any training other than SSA training; (ii) to deliver training or manage data on behalf of any other organization; (iii) to provide software or content development services to third parties; (iv) on a service bureau or time-share basis; and/or (v) as an application service provider.

4. SSA Learning Platform

a. Each individual permitted to access or use a component of the SLP must be assigned a unique user login and will be considered an SSA Training Named User. Customer may not permit more than one person to access or share a single user login account, nor otherwise attempt to circumvent licensing metrics.

b. Customer may not, at any time, load users onto the SLP in excess of 1.05 times the number of Active Users set forth in the Agreement and/or Price Quote.

c. SANS reserves the right to limit the number of SSA Training Named Users eligible for SANS training on the SLP for system performance.

d. Customer may not use the SLP: (i) to deliver any training other than SSA training; (ii) to deliver training or manage data on behalf of any other organization; (iii) to provide software or content development services to third parties; (iv) on a service bureau or time-share basis; and/or (v) as an application service provider.


ADDENDUM B

SAP LITMOS/CALLIDUS SUPPLEMENTAL TERMS

If Customer subscribes to SAP Litmos/Callidus Cloud Services (“Litmos”) through SANS under a Price Quote in order to deliver training services through the Customer LMS, then the following supplemental terms shall apply:

1. SSA Litmos Training Named User means an SSA Training Named User who accesses SSA Training Services through the Customer LMS using Litmos.

2. Extension of Supplemental Terms.

a. All terms, conditions, limitations, and restrictions in Addendum A relating to the use of the SLP shall apply, mutatis mutandis, to the use of Litmos by Customer and SSA Litmos Training Named Users.

b. Customer acknowledges that Litmos and all intellectual property rights therein are owned by SAP SE, Callidus Software, Inc., or their affiliates or licensors.

c. Confidential information of SAP SE, Callidus Software, Inc, and their affiliates obtained by Customer in connection with this Agreement shall be protected by Customer as SANS Confidential Information.

d. Customer grants SANS all necessary rights to authorize SAP SE, Callidus Software, Inc., and their subprocessors a non-exclusive right to process data solely to provide Litmos and related services to Customer and its SSA Litmos Training Named Users as part of the Services.

3. Anti-Bribery and Compliance.

a. Each Party shall conduct operations in compliance with applicable laws, rules and regulations in exercising rights and obligations under any part of this Agreement. Laws may include but not be limited to the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act and local anticorruption legislation that may apply. Neither Party is listed by any government agency as debarred, suspended, proposed for suspension or debarment or otherwise determined to be ineligible for government procurement programs.

b. In exercising rights and obligations under any part of this Agreement, neither Party nor anyone acting on its behalf shall make, offer, promise or authorize payment of anything of value directly or indirectly to any of the following prohibited parties for the purpose of unlawfully influencing their acts or decisions: a) employees, consultants, or representatives of the other Party, b) government officials or employees, c) political party officials or candidates, d) officers or employees of any public international organization, e) immediate family member of such persons (or any other person) for the benefit of such persons.

ADDENDUM C

SSA PHISHING SERVICE SUPPLEMENTAL TERMS


Except as set forth in the applicable Price Quote, the following supplemental terms and conditions shall apply to Customer’s use of the SSA Phishing Service:

1. Supplemental Definitions

a. SSA Phishing Named User means any individual (i) with a user login account permitting such individual to access and use SSA Training Materials on the SLP or Customer LMS, or (ii) designated to be tested in SSA Phishing Service activities.

b. SSA Phishing Service means a SANS tool or service available to Customer to test its employees’ ability to withstand phishing/social engineering attacks.

2. Customer is hereby granted a non-exclusive, non-transferable, and non-sublicensable license, to use the SSA Phishing Service during the Subscription Term set forth in the Price Quote, limited to the number of SSA Phishing Named Users set forth in the Price Quote.

3. Customer grants SANS all necessary rights to authorize SANS and its subprocessors a non-exclusive right to process data solely to provide the SSA Phishing Service to Customer and its SSA Phishing Named Users.

4. A person who is a user only because he or she is designated to be tested through the SSA Phishing Service will not be counted against Customer’s total allotment of SSA Phishing Named Users until the first phishing message is sent to that SSA Phishing Named User by the SSA Phishing Service, at which point the he/she will become an SSA Phishing Named User.

5. Customer shall:

i. ensure that its SSA Phishing Named Users comply with the terms of this Agreement and shall be responsible for the acts or omissions of any SSA Phishing Named User, or person using an SSA Phishing Named User’s login, in connection with their use of the SSA Phishing Services not in conformity with this Agreement;

ii. notify SANS within five (5) business days of any known unauthorized use of Customer’s account;

iii. not attempt to gain unauthorized access to or reverse engineer the SSA Phishing Service;

iv. not use any SANS Confidential Information to build a competitive service or product, nor copy any feature, function or graphic for competitive purposes;

v. not sell, resell, rent or lease the SSA Phishing Service; and

vi. only conduct simulated phishing emails to domains and recipients for whom Customer has authorization.

6. If third party services or applications are provided to Customer as part of the SSA Phishing Services, Customer shall protect the confidential and proprietary information of such third parties to the same degree as it is obligated to protect other Confidential Information under the Agreement.

7. Neither Party shall utilize any phishing practices or templates that would create a significant risk of claims, liabilities, administrative actions, internet service provider blacklisting, or other consequences adverse to either SANS or Customer, such as identification of the sender as the Internal Revenue Service or another government agency or violations of industry standard acceptable use policies. SANS and its service providers may, but are not obligated to, take action to prevent and stop transmission of any such content provided by Customer.