***IMPORTANT READ CAREFULLY***
PURCHASE ORDER TERMS AND CONDITIONS
Updated August 16, 2017
2. DELIVERY. Vendor will provide the goods and services, including any Work Product arising therefrom (collectively, the “Work”) at such times and places and of such items and quantities as set forth in the PO. Time is of the essence in Vendor’s performance of its obligations hereunder. If Vendor delivers any Work after the date(s) specified in the PO, PhishMe may at its option, reject such Work and cancel the PO. Vendor will (a) keep PhishMe reasonably advised of the status of its performance under the PO; (b) permit PhishMe or its representatives to review and observe, from time to time upon reasonable notice, Vendor’s performance in connection with the PO; and (c) provide PhishMe with such reports as are appropriate to the nature of the Work set forth in the PO, as may be reasonably requested by PhishMe from time to time.
3. ACCEPTANCE. All Work will be received subject to PhishMe’s inspection and approval within a reasonable time after delivery (“Acceptance”). If Work does not conform to any applicable drawings, samples, descriptions or any other similar specifications (“Specifications”) or warranties set forth herein, at PhishMe’s option, PhishMe may (a) with respect to goods, at Vendor’s expense, (i) return the non-conforming goods to Vendor for a refund or (ii) require that Vendor replace the non-conforming goods, (b) with respect to services, such services will be promptly re-performed so that such services conform with the Specifications and warranties set forth herein; and (c) with respect to Work Product, such Work Product will be promptly re-delivered so that such Work Product conforms to the Specifications and warranties set forth herein. If Vendor should fail to promptly re-deliver the goods, re-perform the services or correct the Work Product to conform with the Specifications and warranties set forth herein, PhishMe may cancel the PO and seek any other remedies available in accordance with applicable law, including cover, incidental and consequential damages.
4. SHIPPING; RISK OF LOSS. Vendor will preserve, pack, package and handle all goods so as to protect the same from loss or damage and in accordance with best commercial practices in the absence of any specifications PhishMe may provide. Any goods shipped to PhishMe must be properly labeled with the PO number visible. Vendor will ensure all transport and customs documentation is complete and accurate when shipping goods. Unless otherwise agreed to in writing by PhishMe: (a) title and risk of loss will pass to PhishMe upon PhishMe’s Acceptance of goods at the location specified on the PO; and (b) prices on the face of each PO include all charges for packing and crating. PhishMe will have the right to return all freight damaged items to Vendor and receive full credit therefor, unless such damage is solely caused by PhishMe’s negligence.
5. IMPORTS AND EXPORTS. Vendor is the importer and exporter of record. Vendor will comply with all import and export laws and administrative requirements, including the payment of all associated duties, taxes and fees associated with the import or export of Vendor’s products.
6. INVOICES. Vendor will submit an invoice to PhishMe subject to this Section and in the method and manner as may be prescribed by PhishMe from time to time. Such invoice will include the applicable PO number and conform to the price and specifications set forth in the PO. If PhishMe has separately and specifically agreed to reimburse Vendor for expenses, Vendor will only be entitled to reimbursement for reasonable out-of-pocket expenses incurred directly on PhishMe’s behalf in connection with the Work on a cost-basis only, without any mark-up to the extent supported by proof (in a form reasonably satisfactory to PhishMe) that such expenses were actually paid.
7. PAYMENT; TAXES. Following Acceptance of the Work, PhishMe agrees to pay Vendor the purchase price set forth in the PO within thirty (30) days of receipt of an undisputed invoice for the Work. All amounts to be billed and paid by PhishMe hereunder are gross amounts unless otherwise agreed to in writing by the parties. PhishMe is not responsible for any taxes on Vendor income under the PO. Notwithstanding any language expressed in this Section, PhishMe may withhold (or cause there to be withheld, as the case may be) from any amounts otherwise due or payable under the PO such as federal, state and local income, employment, or other taxes as may be required to be withheld pursuant to any applicable law or regulation.
8. TERMINATION. The PO may be terminated by PhishMe at any time, for any reason, with or without cause, upon fifteen (15) days’ written notice to Vendor. If PhishMe terminates without cause, PhishMe will pay Vendor for Work performed and Vendor’s actual and reasonable expenses for Work that has been satisfactorily completed as of the date of termination, but in no event will such payment exceed the fees set forth in the PO. A party may terminate the PO, if the other party commits a material breach, and fails to remedy such breach within ten (10) days of being notified by the non-breaching party of such breach. If PhishMe terminates the PO for Vendor’s material breach, PhishMe will have no further payment obligation to Vendor, and will receive a refund for the remainder of the PO term. Unless otherwise agreed upon in writing by the parties, each party will promptly return to the other party all intellectual property of the other party upon the termination or expiration of the PO.
9. INTELLECTUAL PROPERTY.
a. WORK PRODUCT. Except as otherwise provided hereunder, PhishMe is the sole and exclusive owner of any and all inventions, results, discoveries, improvements, works of authorship, materials, artwork, deliverables and intellectual property which Vendor may develop, create, write, furnish, contribute or otherwise produce in the performance of its services to PhishMe (“Work Product”). To the extent possible, all Work Product(s) hereunder will be deemed to be “works-made-for-hire” and PhishMe will be deemed to be the sole owner and author thereof in all territories and for all purposes. Vendor hereby transfers and assigns any “moral rights” or rental rights which Vendor may have in any Work Product under any copyright or similar law, either U.S. or foreign, to PhishMe. If, for any reason, under the laws of any territory or jurisdiction, the Work Products hereunder are not deemed to be works-made-for-hire and PhishMe is not deemed to be the sole author and owner thereof in all territories and jurisdictions and for all purposes, then Vendor hereby transfers and assigns to PhishMe all Intellectual Property Rights and interest that Vendor may have in and to any Work Product. “Intellectual Property Rights” means copyrights (including, without limitation, the exclusive right to use, reproduce, modify, distribute, publicly display and publicly perform the copyrighted work), trademark rights (including, without limitation, trade names, trademarks, service marks, and trade dress), patent rights (including, without limitation, the exclusive right to make, use and sell), trade secrets, moral rights, right of publicity, authors’ rights, contract and licensing rights, goodwill and all other intellectual property rights as may exist now and/or hereafter come into existence and all renewals and extensions thereof, regardless of whether such rights arise under the law of the United States or any other state, country or jurisdiction.
b. PHISHME IP. PhishMe owns all Intellectual Property Rights in and to PhishMe IP. “PhishMe IP” means all PhishMe proprietary materials, including without limitation, logos, trademarks, trade names, and copyrighted information, PhishMe’s Confidential Information, Work Product, threat intelligence and threat indicators, intelligence alerts and reports, source code, and/or investigation tools, documentation, proprietary processes and methods, and any PhishMe templates and/or forms.
c. GRANT OF LIMITED LICENSE. During the term of the PO, PhishMe hereby grants to Vendor a non-exclusive, restricted license to use certain PhishMe IP, solely for purposes of performing its obligations under the PO. The term “restricted license” hereby requires Vendor to obtain prior written approval by PhishMe on any and all items for which the PhishMe IP will be used (including, but not limited to, banners, promotional items, advertisements, and the like).
d. VENDOR MARKS. Vendor owns all Intellectual Property Rights in and to Vendor’s logos, trademarks, and trade names (“Vendor Marks”). Upon Vendor’s prior written approval, Vendor will grant to PhishMe a license to use Vendor Marks in connection with the PO.
e. VENDOR SOFTWARE. If the goods set forth in the PO include any software (including a software-as-a-service offering), related documentation and/or updates thereto (collectively, “Software”) the following terms and conditions apply:
i. Vendor will retain all Intellectual Property Rights in and to the Software. Vendor hereby grants to PhishMe and its affiliates a perpetual (unless otherwise limited in the PO to a specific duration), worldwide, non-exclusive license to access and/or use the Software for the business purposes of PhishMe and its affiliates. If the PO limits the Software to use by a certain number of users, then PhishMe may replace a user with another user from time to time, provided that the then-current number of users using the Software does not exceed such number. If Vendor determines that PhishMe and its affiliates have exceeded rights to the Software in the PO through increased usage that is otherwise in accordance with these terms and conditions, Vendor will promptly notify PhishMe in writing of such excess usage and PhishMe will thereafter promptly eliminate such excess usage.
ii. PhishMe and its affiliates may make a reasonable number of backup or archive copies of any Software provided by Vendor. Except as expressly permitted herein, PhishMe and its affiliates will (a) not reverse engineer, decompile or otherwise discover the source code of the Software; (b) not remove any copyright, trademark or other proprietary rights notices in the Software; and (c) reproduce such notices on any copies of the Software.
10. COMPLIANCE WITH LAW AND POLICIES. Vendor will perform its obligations and provide all Work hereunder in accordance with all applicable laws, rules, and regulations, as well as applicable PhishMe rules, policies and regulations, now in effect or hereafter amended or established by PhishMe from time to time. In particular and without limitation, Vendor will not act in any fashion or take any action that will render PhishMe liable for a violation of any applicable anti-bribery legislation (including without limitation, the U.S. Foreign Corrupt Practices Act and the UK Bribery Act 2010). Furthermore, Vendor recognizes that PhishMe is an equal opportunity employer. Vendor agrees to comply with PhishMe policies regarding employment practices and with applicable federal, state and local laws prohibiting discrimination on the basis of race, color, sex, religion, gender identity, national origin, citizenship, age, marital status, sexual orientation, disability or veteran status.
11. VENDOR PERSONNEL; SUBCONTRACTORS. PhishMe assumes no liability or responsibility for Vendor personnel. Vendor will: (a) ensure Vendor personnel are in compliance with the PO, PhishMe’s policies, and all laws, regulations, ordinances, and licensing requirements; (b) be responsible for the supervision, control, compensation, withholdings, health, and safety of Vendor personnel; (c) upon request, provide PhishMe, for export evaluation purposes, to the extent permitted by law, the country of citizenship and permanent residence and immigration status of those persons. PhishMe retains the right to refuse to accept persons made available by Vendor for export control reasons; (d) at PhishMe’s request, remove Vendor Personnel from any assignment under the PO (which right will not relieve Vendor of any responsibility it has for the PO); (e) comply, at its own expense, with all laws (including Executive Orders), regulations and ordinances relating to verification of employment eligibility for personnel to which it is or becomes subject to, such as participation in the United States Department of Homeland Security’s E-Verify program (“E-Verify”) in the United States or similar state or other government sponsored programs, and verify employment eligibility of all Vendor personnel performing services or providing Work Product to PhishMe; (f) upon PhishMe’s request, provide documentation to verify compliance with this Section; and (g) to the extent permitted by local law, ensure that prior to Vendor personnel being assigned to perform services under the PO on PhishMe’s premises and/or access PhishMe’s systems have passed a pre-assignment screening, which may include, but will not be limited to, a drug test, background check and a motor vehicle report. Vendor may not subcontract any of its rights or obligations under the PO without PhishMe’s prior written consent. 
If PhishMe consents to the use of a subcontractor, Vendor will guarantee and will remain liable for the performance of all subcontracted obligations in accordance with the applicable terms set forth in this Section.
12. WARRANTIES AND REPRESENTATIONS. Vendor represents and warrants that (a) it has the full power to enter into the PO and to perform its obligations hereunder; (b) it has the right and unrestricted ability to assign any Work Product hereunder to PhishMe; (c) all Work does not and will not infringe upon or violate any applicable laws or regulations or any rights of third parties, including, but not limited to, privacy or intellectual property rights, or contain any libelous, defamatory, obscene, threatening, harassing or unlawful material or otherwise contain any material that could reasonably be expected to injure the reputation of PhishMe; (d) Work will be free of defects in materials and workmanship under normal use; (e) Work delivered in electronic form, including Software, will not contain any virus, embedded device or undocumented code that is intended to obstruct, prevent or disable PhishMe’s use thereof or otherwise contain any other computer programming routines that are intended to damage, detrimentally interfere with, surreptitiously intercept or expropriate any system, data or personal information; (f) all services provided by Vendor will be provided by qualified personnel reasonably skilled and trained in the performance of the services and in a workmanlike and professional manner; and (g) Work will comply with all applicable federal, state and municipal statutes, laws, ordinances and regulations.
13. INDEMNIFICATION. Vendor will defend, indemnify and hold harmless PhishMe, and its directors, officers, shareholders, employees, contractors and affiliates, from any and all costs, losses, expenses, claims, suits, actions, damages, liabilities, fines, penalties, reasonable attorneys’ fees (including allocable cost of in-house counsel), court costs or other consequences resulting from (a) a breach of the PO by Vendor, its personnel or its subcontractors; (b) injury to persons, including without limitation death, and damage to property caused by Vendor, its personnel or its subcontractors; (c) the gross negligence or willful misconduct of Vendor, its personnel or its subcontractors; or (d) a claim that the Work infringes a valid third party intellectual property right. If the Work provided to PhishMe or the use thereof by PhishMe infringes on any third party’s intellectual property rights, Vendor will, at its expense and option, either procure for PhishMe the right to continue to use such Work, replace such Work with equivalent non-infringing Work or modify such Work so they become equivalent non-infringing Work. The foregoing, however, will not be construed to limit or exclude any other claims or remedies that PhishMe may assert.
14. LIMITATION OF LIABILITY. IN NO EVENT WILL PHISHME BE LIABLE FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES OF ANY KIND, INCLUDING BUT NOT LIMITED TO ANY LOST PROFITS AND LOST SAVINGS, HOWEVER CAUSED, WHETHER FOR BREACH OR REPUDIATION OF CONTRACT, TORT, BREACH OF WARRANTY, NEGLIGENCE, OR OTHERWISE, WHETHER OR NOT PHISHME WAS ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES. IN NO EVENT WILL THE LIABILITY OF PHISHME UNDER THE PO EXCEED THE TOTAL AMOUNT DUE AND OWING UNDER THE PO.
a. “Confidential Information” means any non-public, confidential, or proprietary information of a disclosing party (“Discloser”) that should reasonably be understood by the receiving party (“Recipient”) to be confidential because of (i) legends or other markings; (ii) the circumstances of disclosure; or (iii) the nature of the information, which may be disclosed either directly or indirectly, in writing, visual, orally or by inspection of tangible objects (including without limitation documents, prototypes, samples, products, software, product specifications and white papers) or other means. Confidential Information includes but is not limited to technology and technical information, promotional and marketing activities, inventions, finances and financial plans, customers, business and product plans, know-how, source code, data, algorithms, methods and processes, trade secrets, designs, techniques, analyses, models, strategies and objectives, and any third-party information that Discloser is otherwise obligated to keep confidential.
b. Recipient will: (i) not use any Confidential Information for any purpose except to evaluate and engage in discussions concerning a potential business relationship between the parties and/or to fulfill its obligations under the PO; (ii) use at least the same degree of care as Recipient uses to protect its own confidential information from unauthorized use, access or disclosure, but in no event less than a reasonable degree of care; (iii) limit disclosure of Confidential Information to those persons within Recipient’s organization who have a need to know and who have previously agreed in writing, prior to the receipt of Confidential Information, to be bound by confidentiality obligations similar to those set forth herein; (iv) not disclose any Confidential Information to third parties without Discloser’s prior written consent; (v) not copy, reverse engineer, disassemble, create any works from, or decompile any prototypes, software or other tangible objects which embody Discloser’s Confidential Information; and (vi) comply with, and obtain all required authorizations arising from, all U.S. and other applicable export control laws or regulations. Any reproduction of Confidential Information requires Discloser’s prior written consent and will remain the property of Discloser. Any reproductions will contain any and all notices of confidentiality contained on the original Confidential Information.
c. The foregoing confidentiality obligations will not apply to information that Recipient can demonstrate: (i) is publicly known and made generally available through no improper action or inaction of Recipient; (ii) was already in the possession of, or known by Recipient prior to the time of disclosure by Discloser through no fault or breach of the PO by Recipient; (iii) was rightfully obtained by, or disclosed to, Recipient from a third party without any obligation to maintain the Confidential Information as proprietary or confidential; or (iv) is independently developed by Recipient without use of or reference to Discloser’s Confidential Information. Recipient may disclose Confidential Information to the extent such disclosure is required to comply with applicable law or a valid order or requirement of a governmental or regulatory agency or court of competent jurisdiction, provided that Recipient (a) restricts such disclosure to the maximum extent legally permissible; (b) notifies Discloser as soon as practicable of any such requirement to the extent such provision of prior notice is permitted by applicable law; and (c) that subject to such disclosure, such disclosed materials will in all respects remain subject to the restrictions set forth in the PO.
d. Within ten (10) business days of the termination of the PO or upon Discloser’s written request, Recipient will promptly, at Recipient’s election, destroy or return all of Discloser’s Confidential Information in Recipient’s possession or in the possession of any representative of Recipient; provided, however, that Recipient will not, in connection with the foregoing obligations, be required to delete Confidential Information held electronically in archive or back-up systems, and such Confidential Information will in all respects remain subject to the restrictions set forth in the PO. Upon Discloser’s written request, Recipient will provide a certification, signed by an officer of Recipient, as to the destruction or return of Discloser’s Confidential Information.
e. ALL CONFIDENTIAL INFORMATION IS PROVIDED “AS IS.” DISCLOSER MAKES NO WARRANTIES, EXPRESS, IMPLIED OR OTHERWISE, REGARDING ITS ACCURACY, COMPLETENESS OR PERFORMANCE.
f. This Section 15 will survive the termination or expiration of the PO.
16. PUBLICITY. Without securing the prior written consent of PhishMe in each instance, Vendor will not use the name or logo of PhishMe in any news release, public announcement, advertisement, or other form of publicity, or disclose any of the terms or subject matter of the PO to any third party.
17. INSURANCE. Vendor will obtain and maintain worker’s compensation and employer’s liability insurance in amounts required under the laws of the state(s) in which the Work is to be performed; and comprehensive general liability and automobile liability insurance for bodily injury, death or loss of or damage to property of third persons in the minimum amount of $1,000,000 per occurrence which policy will name PhishMe as an additional insured. Vendor will, upon request, promptly furnish to PhishMe certificates of insurance as well as copies of any endorsements thereto evidencing PhishMe being added as an additional insured.
18. EQUITABLE REMEDIES. Each party acknowledges that a breach by it of any confidentiality and intellectual property rights provisions of the PO will cause the other party irreparable damage, for which the award of damages would not be adequate compensation. Consequently, a party may seek to institute an action to enjoin the other party from any and all acts in a violation of those provisions, without a requirement to prove irreparable harm and without the posting of a bond. This provision will not in any way limit such other remedies as may be available to a party at law or in equity.
19. ASSIGNMENT. Vendor will not assign any portion of its obligations or rights under the PO without the prior written consent of PhishMe, and any such attempted assignment in violation of this Section will be null and void.
20. SURVIVAL. In addition to any provisions specifically identified as such hereunder, any provision that contemplates performance or observance subsequent to any termination or expiration of the PO (in whole or in part, including any intellectual property ownership provision) will survive any termination or expiration of the PO and will continue in full force and effect.
21. GOVERNING LAW. All disputes and matters arising out of or relating to the PO will be governed by and construed in accordance with the laws of the Commonwealth of Virginia, without regard for its rules of conflict of laws. Vendor irrevocably and unconditionally submits to the exclusive jurisdiction of the federal or state courts within the Commonwealth of Virginia and the courts of appeal therefrom.
22. NO THIRD-PARTY BENEFICIARIES. Nothing in the PO will benefit or create any right or cause of action in or on behalf of any person or entity other than Vendor and PhishMe.
23. RELATIONSHIP OF PARTIES. Vendor will perform the Work as an independent contractor and not as an agent, employee or partner of PhishMe for any purpose whatsoever. Neither Vendor nor any Vendor personnel or subcontractors are authorized by PhishMe to incur on behalf of PhishMe, or to make any promise, warranty or representation with respect to PhishMe’s products or otherwise, and will not hold themselves out as being so authorized.
24. Any notice to be given under the PO will be in writing and addressed to the party at the address stated in the front of the PO. Notices will be deemed given and effective (i) if personally delivered, upon delivery, (ii) if sent by an overnight service with tracking capabilities, upon receipt; (iii) if sent by fax or electronic mail, at such time as the party which sent the notice receives confirmation of receipt by the applicable method of transmittal; or (iv) if sent by certified or registered mail, within five days of deposit in the mail.