UPSTREAM SECURITY SAAS LICENSE AGREEMENT
Last updated: October 2023
UPSTREAM SECURITY SAAS LICENSE AGREEMENT
This Agreement (the “Agreement”) is entered into by and between Upstream Security Ltd., together with its affiliates (the “Upstream”) and you (the “Customer”) (each, a “Party” and collectively, the “Parties”). This Agreement shall be effective on the earliest of (a) Customer entering into an order form or similar form referencing or otherwise incorporating this Agreement; or (b) Customer’s use of the Data Platform and AutoThreat Platform (the “Effective Date”). If you are entering into this Agreement on behalf of your organization, that organization is deemed to be the Customer and you represent that you have the power and authority bind that organization to this Agreement.
If Customer has purchased the license granted hereunder from a partner, reseller or distributor authorized by the Company (“Partner”), to the extent there is any conflict between this Agreement and the agreement entered between Customer and the respective Partner, including any purchase order (“Partner Order Form”), then, as between Customer and Company, this Agreement shall prevail. Any rights granted to Customer in such Partner Order Form which are not contained in this Agreement, apply only in connection with such Partner. In that case, Customer must seek redress or realization or enforcement of such rights solely with such Partner and not the Company.
- Subject to the terms and conditions of this Agreement, and Customer’s payment of applicable fees to Upstream and/or Upstream’s authorized resellers/partner (“Partner”), as applicable, Upstream hereby grants Customer a limited, non-exclusive, non-sublicensable, non-transferable, subscription based and revocable license to: (a) remotely access (i.e. on a SaaS basis) the Upstream security software (the “Data Platform”) and use it for internal purposes; and (b) remotely access and use Upstream’s AutoThreat intelligence platform, including any data provided thereunder, for internal purposes only (“AutoThreat Platform“). Unless otherwise indicated, the term “Data Platform” also includes the AutoThreat Platform and any documentation (“Documentation”) provided to Customer in connection with their operation. Customer may only use the Data Platform in accordance with the Documentation, subject to the use limitations indicated in Customer’s proposal or order (“Proposal”) or Partner Order Form (if purchased via Partner) and applicable laws.
- In addition to the abovementioned licenses, Upstream may provide additional services and/or V-SOC services (the “Additional Services”) (collectively, the Additional Services, V-Soc Services with the licenses to the Data Platform, the “Services”). For removal of doubt, the V-SOC services will only be provided to the extent Customer’s license for the Data Platform is in effect (for clarity, the V-SOC services will not be provided to Customers that only purchased a license to the AutoThreat Platform).
- Payment. (a) This Section 3(a) shall apply to the extent Customer has purchased the license granted under Section 1 and the Services directly from Upstream. The provision of the Services are conditioned on Customer’s upfront payment in full of the applicable fees set forth in the Proposal. All fees and other amounts paid hereunder are non-refundable. Any amount not paid when required to be paid hereunder shall accrue interest on the rate of one and a half percent (1.5%) per month. All amounts payable under this Agreement are exclusive of all sales, use, value-added, withholding, and other direct or indirect taxes, charges, levies and duties; (b) In case Customer purchased the license via Partner, the license granted hereunder and the related services are subject to the full payment of the applicable fees as set forth in the Partner Order Form. All payments shall be made directly to Partner, as agreed between Customer and Partner. Company may suspend or terminate Customer’s subscription to use the Data Platform if Company does not receive payment from the Partner, as a result of Customer not paying the corresponding amount to the Partner.
Customer shall be responsible for setting up a monitoring system to monitor its use of the cloud platform and cloud services and all chargeable services thereunder. At Customer’s request, Upstream will assist Customer to set up such monitoring system based on the applicable required services for each cloud platform. This obligation shall not apply with respect to customer that only purchased a license to the AutoThreat Platform.
- Customer Account. The Data Platform may only be used through a Customer account (the “Account”). Such Account may be accessed solely by Customer’s employees or service providers who are explicitly authorized by Customer to use the Data Platform in accordance with the Proposal (each, a “Permitted User”). Customer will ensure that the Permitted Users keep the Account login details secure at all times and comply with the terms of this Agreement; and will be fully responsible for any breach of this Agreement by a Permitted User. Unauthorized access or use of the Account or the Data Platform must be immediately reported to the Upstream.
- Prohibited Uses. Except as specifically permitted herein, without the prior written consent of Upstream, Customer must not, and shall not allow any Permitted User or any third party to, directly or indirectly: (i) copy, modify, create derivative works of or distribute any part of the Data Platform (including any data provided and/or included thereof, including by incorporation into its products); (ii) sell, license (or sub-license), lease, assign, transfer, pledge, or share Customer’s rights under this Agreement with any third party; (iii) use any “open source” or “copyleft software” in a manner that would require Upstream to disclose the source code of the Data Platform or Agent to any third party; (iv) disclose the results of any testing or benchmarking of the Data Platform to any third party; (v) disassemble, decompile, reverse engineer or attempt to discover the Data Platform’s source code or underlying algorithms; (vi) use the Data Platform in a manner that violates or infringes any rights of any third party, including but not limited to, privacy rights, publicity rights or intellectual property rights; (vii) remove or alter any trademarks or other proprietary notices related to the Data Platform; (viii) circumvent, disable or otherwise interfere with security-related features of the Data Platform or features that enforce use limitations; (ix) export, make available or use the Data Platform in any manner prohibited by applicable laws (including without limitation export control laws); and/or (x) transmit any malicious code (e., software viruses, Trojan horses, worms, malware or other computer instructions, devices, or techniques that erase data or programming, infect, disrupt, damage, disable, or shut down a computer system or any component of such computer system) or other unlawful material in connection with Upstream’s Product.
- Customer Data and Analytics Information. As Upstream operates the Services, Upstream may monitor and process data regarding the vehicles included in Customer’s vehicles fleet’s systems and network (the “Customer Data”). As the exclusive owner of the Customer Data, Customer hereby warrants, represents and covenants that to the extent the Customer Data includes any personally identifiable information and/or Personal Data as defined in the EU General Data Protection Regulation (“GDPR”), Customer has and will: i) provide all appropriate notices, ii) receive all the required informed consents and/or have any and all ongoing legal bases and permits, and iii) act in compliance with applicable privacy laws and data regulations (including, without limitation, the GDPR), as to allow Upstream to use the Customer Data solely in order to perform Upstream’s Services (including, without limitation, the provision of such data to Upstream (or access thereto) and the transfer of such data by Upstream to its affiliates, subsidiaries and subcontractors, including transfers outside of the European Economic Area), and not for any monetization purposes. Without limiting the generality of the foregoing, Upstream may be required to disclose the Customer Data: (a) to satisfy any applicable law, regulation, legal process, subpoena or governmental request; and/or (b) to collect, hold and/or manage the Customer Data through Upstream’s authorized third party service providers as reasonable for business purposes, which may be located in a country that does not have the same data protection laws as the data subject’s jurisdiction. Customer hereby further warrants and represents that to the extent that Customer needs a data processing agreement, Customer shall request by email to [email protected] Upstream’s Data Processing Agreement (“DPA”) and return it signed to Upstream as described therein. In the event Customer fails to comply with any data protection or privacy law or regulation, the GDPR and/or any provision of the DPA, and/or fails to return an executed version of the DPA to Upstream, then: (a) to the maximum extent permitted by law, Customer shall be solely and fully responsible and liable for any such breach, violation, infringement and/or processing of personal data without a DPA by Upstream and Upstream’s affiliates and subsidiaries (including, without limitation, their employees, officers, directors, subcontractors and agents); and (b) in the event of any claim of any kind related to any such breach, violation or infringement and/or any claim related to processing of personal data without a DPA, Customer shall defend, hold harmless and indemnify Upstream and Upstream’s affiliates and subsidiaries (including, without limitation, their employees, officers, directors, subcontractors and agents) from and against any and all losses, penalties, fines, damages, liabilities, settlements, costs and expenses, including reasonable attorneys’ fees.
It is further agreed that any anonymous information, which is derived from the use of the Data Platform (i.e., metadata, aggregated and/or analytics information which is not personally identifiable information (“Analytics Information”) may be used by Upstream for any purpose, including for providing the Service, for development and/or for statistical purposes. For the removal of doubt Upstream will be the exclusive owners of the Analytics Information.
- Warranties. Each Party represents and warrants that it is duly organized, validly existing and in good standing under the laws of its jurisdiction of incorporation or organization; and that the execution and performance of this Agreement will not conflict with other agreements to which it is bound or violate applicable law.
- Intellectual Property Rights. Upstream is and shall remain the sole owner of (i) all right, title, and interest, including any intellectual property rights related to the Services and any and all improvements and derivative works, and (ii) any know-how, including methods, logic, techniques, processes, or technologies embodied or relating to the Services, including such that was created and/or developed during or prior to the provision of the Services (including in case of a trial or evaluation of the Services by Customer), as well as any developments, improvements, continuations or derivations thereof. This Agreement does not convey to Customer any interest in or to the Services other than a limited right to use the Services in accordance with Section 1. Nothing herein constitutes a waiver of the Upstream’s intellectual property rights under any law.
If prior or during the Term, Upstream receives any feedback (e.g., questions, comments, suggestions or the like) regarding any of the Services (collectively, “Feedback”), all rights, including intellectual property rights in such Feedback shall belong exclusively to Upstream and that such shall be considered Upstream ‘s Confidential Information; and Customer hereby irrevocably and unconditionally transfers and assigns to Upstream without all intellectual property rights it has in such Feedback and waives any and all moral rights that Customer may have in respect thereto.
- Third Party Components and Sources. The Data Platform may use or include third party software, files, libraries or components that are subject to third party open source license terms. A list of such components can be found at the following URL: https://www.upstream.auto/open-source-software-terms/, as may be further updated by Upstream from time to time. In addition, it is further clarified that information provided through the AutoThreat Platform, is based, among others, on third-party sources. Accordingly, and without derogating from Section 11 below, Upstream hereby disclaims any and all express and/or implied warranties with respect to any report and/or recommendation provided in connection to the AutoThreat Platform.
- Confidentiality. Each Party may have access to certain non-public and/or proprietary information of the other Party, in any form or media, including without limitation trade secrets and other information related to the products, software, technology, data, know-how, or business of the other Party, and any other information that a reasonable person should have reason to believe is proprietary, confidential, or competitively sensitive (the “Confidential Information”). The Documentation shall be considered as Confidential Information hereunder. Each Party shall take reasonable measures, at least as protective as those taken to protect its own confidential information, but in no event less than reasonable care, to protect the other Party’s Confidential Information from disclosure to a third party. Neither Party shall use or disclose the Confidential Information of the other Party except as expressly permitted under this Agreement or by applicable law. All right, title and interest in and to Confidential Information are and shall remain the sole and exclusive property of the disclosing Party.
- LIMITED WARRANTIES. OTHER THAN AS EXPLICITLY STATED IN THIS AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE DATA PLATFORM, ANY SECURITY AUDIT REPORTS SPECIFYING ANY ERRORS, ANOMALIES OR SECURITY ALERTS IN THE VEHICLES NETWORKS OR OTHER REPORTS AND OUTPUT GENERATED THROUGH THE USE OF THE DATA PLATFORM (THE “REPORTS”) AND SERVICES ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. UPSTREAM DOES NOT WARRANT THAT THE DATA PLATFORM, THE REPORTS, OUTPUT AND/OR THE SERVICES WILL MEET CUSTOMER’S REQUIREMENTS AND DOES NOT WARRANT THAT THE DATA PLATFORM AND SERVICES WILL BE ACCURATE, UNINTERRUPTED, ERROR FREE, OR THAT DEFECTS WILL BE CORRECTED. UPSTREAM EXPRESSLY DISCLAIMS ALL EXPRESS WARRANTIES AND ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, NON-INTERFERENCE, FITNESS FOR A PARTICULAR PURPOSE AND/OR THAT THE USE OF THE DATA PLATFORM AND/OR SERVICES WILL PREVENT ANY CYBER ATTACKS AND/OR CYBER BREACH WITH RESPECT TO THE VEHICLES AND/OR THE VEHICLE’S INVOLVMENT IN ANY CAR ACCIDENT AS A RESULT OF SUCH ATTACKS.
- LIMITATION OF LIABILITY. UPSTREAM SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, ARISING OUT OF OR RELATED TO THIS AGREEMENT, INCLUDING BUT NOT LIMITED TO ANY LOSS OF REVENUE, REPUTATION, OR PROFITS, DATA LOSS, OR DATA USE.
UPSTREAM’S MAXIMUM LIABILITY FOR ANY DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER IN CONTRACT OR TORT, OR OTHERWISE, SHALL IN NO EVENT EXCEED, IN THE AGGREGATE, THE TOTAL AMOUNTS ACTUALLY PAID TO UPSTREAM IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO SUCH CLAIM.
- Indemnification. Upstream acknowledges and agrees to defend, at its expense, any third party action or suit brought against the Customer alleging that the Data Platform, when used as permitted under this Agreement, infringes intellectual property rights of a third party (“IP Infringement Claim”); and the Upstream will pay any damages awarded in a final judgment against the Customer that are attributable to any such claim, provided that (i) the Customer promptly notifies Upstream in writing of such claim; and (ii) the Customer grants Upstream the authority to handle the defense or settlement of any such claim and provides Upstream with all reasonable information and assistance, at Upstream’s expense. Upstream will not be bound by any settlement that the Customer enters into without Upstream’s prior written consent.
If the Data Platform becomes, or in Upstream’s opinion is likely to become, the subject of an IP Infringement Claim, then Upstream may, at its sole discretion: (a) procure for the Customer the right to continue using the Data Platform; (b) replace or modify the Data Platform to avoid the IP Infringement Claim; or (c) if options (a) and (b) cannot be accomplished despite Upstream’s reasonable efforts, then the Upstream may terminate this Agreement and in such event accept return of the affected Data Platform and provide a refund for any amount pre-paid by Customer for such returned Data Platform for the remaining unused period of the license. Notwithstanding the foregoing, Upstream shall have no responsibility for IP Infringement Claims resulting from or based on: (i) modifications to the Data Platform made by a party other than Upstream or its designee; (ii) the Customer’s failure to implement software updates provided by Upstream specifically to avoid infringement; or (iii) combination or use of the Data Platform with equipment, devices or software not supplied or authorized by Upstream or not in accordance with the Documentation.
This Section states Upstream’s entire liability, and Customer’s exclusive remedy, for claims or alleged or actual infringement.
- Term and Termination. This Agreement shall enter into force and effect on the EffectiveDate and shall remain in full force and effect for the period specified in the Proposal (the “Term”). Either Party may terminate this Agreement with immediate effect if the other Party materially breaches this Agreement and such breach remains uncured fifteen (15) days after having received written notice thereof. In case Customer purchased the license via Partner, Term shall mean the term specified in Partner Order Form. Upon termination or expiration of this Agreement: (i) Data Platform (including the Local Software) license granted to Customer under this Agreement shall expire, and Customer shall discontinue any further use and access thereof; (ii) Customer shall immediately delete and dispose of all copies of the Documentation and the Local Software; (iii) within 30 days from the termination date, Upstream shall permanently delete all Customer Data, without affecting any of the Upstream ‘s rights to the Analytics Information; and (iv) any sums paid by Customer until the date of termination are non-refundable, and Customer shall not be relieved of its duty to discharge in full all due sums owed by Customer to Upstream under this Agreement until the date of termination or expiration hereof. The provisions of this Agreement that, by their nature and content, must survive the termination of this Agreement in order to achieve the fundamental purposes of this Agreement shall so survive. The termination of this Agreement shall not limit Upstream from pursuing any other remedies available to it under applicable law.
- Miscellaneous. This Agreement – including any Proposals, and any exhibits attached or referred hereto – represents the complete agreement concerning the subject matter hereof and may be amended only by a written agreement executed by both Parties. The failure of either Party to enforce any rights granted hereunder or to take action against the other Party in the event of any breach hereunder shall not be deemed a waiver by that Party as to subsequent enforcement of rights or subsequent actions in the event of future breaches. If any provision of this Agreement is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any use of the Data Platform by an agency, department, or other entity of the United States government shall be governed solely by the terms of this Agreement. Neither Party may assign its rights or obligations under this Agreement without the prior written consent of the other Party, provided that Upstream may assign this Agreement except to the successor of all or substantially all of such Party’s assets or business (including a merger or acquisition). This Agreement shall be governed by and construed under the laws of the State of Israel, without reference to principles and laws relating to the conflict of laws. The competent courts of the Tel-Aviv shall have the exclusive jurisdiction with respect to any dispute and action arising under or in relation to this Agreement. This Agreement does not, and shall not be construed to create any relationship, partnership, joint venture, employer-employee, agency, or franchisor-franchisee relationship between the Parties. Upstream will not be liable for any delay or failure to provide the Services resulting from circumstances or causes beyond the reasonable control of Upstream. This Agreement may be executed in electronic counterparts, each of which counterpart, when so executed and delivered, shall be deemed to be an original and all of which counterparts, taken together, shall constitute but one and the same agreement.