Access and Use Rights.
During the Service Period, we grant to you the right to access and use the Service as set forth herein and solely for your internal business purpose in accordance with the Documentation. You remain wholly responsible for all acts and omissions of any user to whom you grant access to the Service.
Geography: Early Access for Lightstep Incident Response is for access and use in United States of America and Canada only. You agree not to use or access or provide others access to use the Service outside of United States of America and Canada.
The Early Access trial and testing period begins upon your first access to Lightstep Incident Response or upon your accepting this Agreement (whichever is earlier). The Early Access trial and testing period ends at the latest on December 31, 2021 (or may be as extended or terminated earlier in writing by ServiceNow at its discretion) (together, with the beginning date, the “Service Period”). ServiceNow reserves the right to offer other trial, testing, or subscription periods (offered in writing by ServiceNow). Either party may terminate this Agreement for convenience, upon written notice. Upon the termination date, Customer agrees to have removed from the Service any and all of Customer’s confidential information and Customer Data it had provided while using the Service, and Customer shall immediately cease accessing and using the Service. In addition, upon the termination date, all documents and other tangible objects containing or representing Confidential Information and all copies thereof which are in the possession of Recipient will be promptly destroyed or returned to Discloser upon request.
You agree that all information provided by ServiceNow in confidence to you relating to Lightstep Incident Response is ServiceNow’s Confidential Information. The term “Confidential Information” means any and all information whether in written, oral, visual, electronic or any other form, and whether or not labeled as confidential that the receiving party should reasonably understand to be confidential based on the nature of the information or circumstances of disclosure, that has been or will be provided by ServiceNow (“Discloser”) to you(“Recipient”) including without limitation license pricing, business and marketing plans, financial data, compiled databases, computer software, customer lists, ideas, concepts, prototypes and any other matters relating to the products, technical information or business of Discloser. Any feedback you provide to ServiceNow under this Agreement is solely ServiceNow’s Confidential Information. Confidential Information does not, however, include any information which Recipient can show:
was already in its lawful possession prior to receipt of the same from Discloser;
has become publicly known or otherwise generally available to the public through no action or fault of Recipient;
was received without restriction from a third party that, to the knowledge of Recipient, was not under, and did not impose, any confidentiality obligation; or
was independently developed by Recipient without use of any Confidential Information of Discloser.
Restricted Use of Confidential Information:
Recipient may only use and disclose Discloser’s Confidential Information for the purpose of providing feedback to ServiceNow. Recipient will not disclose Discloser’s Confidential Information to any third parties without the prior express written consent of Discloser. Recipient may not reverse engineer, disassemble or decompile any prototypes, software or other tangible objects which embody Discloser’s Confidential Information and which are provided to Recipient hereunder. Recipient agrees that it will take all reasonable measures to protect the secrecy of and prevent disclosure of the Confidential Information.
“As is”, No Warranty, and Disclaimer of Liability:
During the Service Period, you agree and acknowledge that the Lightstep Incident Response product is provided by the copyright holders and contributors, including ServiceNow, “as is.” In particular, to the maximum extent allowed by Law, ServiceNow disclaims all warranties of any kind (express, implied, statutory, or otherwise, oral or written, including warranties of merchantability, accuracy, title, non-infringement, or fitness for a particular purpose, and any warranties arising from usage of trade, course of dealing, or course of performance). Without limiting the above, ServiceNow does not warrant that the Service: (1) will meet the requirements of Customer or others; (2) will be accurate or operate without interruption or error; or (3) is designed for any purpose requiring fail-safe performance for which failure could result in death, personal injury or severe physical, property, or environmental damage.
You accept that, to the extent permitted by Law, in no event shall ServiceNow, or any other copyright owner or contributors be liable for any direct, indirect, incidental, special, exemplary, consequential or other damages (including but not limited to loss of use, data, or profits or business interruption) under any theory of liability (including but not limited to contract, strict liability, tort, or negligence) arising from the access, use, distribution, reproduction, transmission, modification, or exploitation of this application.
The Lightstep Incident Response product has features that are not officially supported by ServiceNow, and you accept that ServiceNow has no obligation to provide support for this application or support for issues resulting from your use, reproduction, distribution, transmission, or modification of this application. You may choose to provide feedback to ServiceNow and agree that all such feedback is solely ServiceNow intellectual property. You accept that you are using the Lightstep Incident Response product at your sole discretion and that you remain solely responsible for complying with your legal obligations under applicable Law, including data protection Laws on collection, use, disclosure and retention of personal data. Should there be any conflicting terms with another clause in this Agreement or another ServiceNow agreement, the terms of this paragraphs 1 to 6 of this Agreement supersede any such conflicting terms from this or another ServiceNow agreement with respect to the Service.
General Restrictions and Requirements.
Third-Party Providers. If you use features of the Service in conjunction with third party products, services, platforms, or data not provided by ServiceNow, then you are responsible for complying with the terms and conditions required by the third-party providers, and all such use is solely at your risk.
Third-Party Software Notices. The creators or third-party licensors of certain public standards and publicly available code require that certain notices be passed through to you. These notices are located at here (or a successor website).
Grant of Rights to Customer Data. You grant to ServiceNow a right to access, use, copy, and process Customer Data: (1) to the extent required for ServiceNow to perform its obligations under this Agreement; and (2) to support and improve ServiceNow’s products and services. You represent that you have obtained all rights necessary to process Customer Data in the Service. Except as provided in this Agreement, you reserve all rights in the Customer Data.
Product Performance Data. ServiceNow monitors how the Service is performing and how users interact with the Service (“Product Performance Data”). Product Performance Data may be combined or aggregated and may be used for a variety of purposes, including, without limitation, to monitor compliance with this Agreement, improve our products and services, provide support (to the extent applicable), and prevent Service abuse. Product Performance Data does not contain Personal Data. We may use automated tools to screen for certain types of illegal content or abusive behavior. Other that specified in sections 7.3 and 7.4, we do not monitor or access your Customer Data unless you ask us to access your Customer Data, or if required by Law.
With respect to the Service, you will not, and will now allow others to, (1) use the Service in a manner that circumvents use limits or technological control measures; (2) license, sub-license, resell, rent, lease, transfer, distribute, timeshare, or otherwise make any of it available for access by third-parties, except as may be otherwise expressly stated herein; (3) access it for purposes of developing or operating products or services for third-parties in competition with ServiceNow offerings; (4) disassemble, reverse engineer, or decompile it; (5) copy, create derivative works based on, or otherwise modify it, except as may be otherwise expressly stated in this Agreement; (6) remove or modify a copyright or other proprietary rights notice in it; (7) use it in violation of Law (including those applicable to collection and processing of Customer Data through the Service); (8) use it to reproduce, distribute, display, transmit, or use material protected by copyright or other intellectual property rights (including the rights of publicity) without first obtaining the owner’s permission; (9) use it to create, use, send, store, or run viruses or other harmful computer code, files, scripts, agents, or other programs, or otherwise engage in a malicious act or disrupt its security, integrity, or operation; or (10) access or disable any ServiceNow or third-party data, software, or network.
We may make prerelease content available to you, and if you choose to evaluate prerelease content, it is at your own risk. We provide a limited, non-exclusive, non-sublicensable, and non-transferable access and use to the prerelease content solely to internally evaluate the prerelease content for non-production purposes. Prerelease content is provided “as is”.
Privacy. The Lightstep Incident Response Data Processing Addendum (Exhibit A) (“DPA”) incorporated by reference hereto, applies to ServiceNow’s processing of Personal Data (as defined in the DPA) under this Agreement. We may make certain controls available in the Service that help support your security preferences and requirements. It is solely your responsibility to understand and implement such optional controls. Information about applicable controls, including security controls, is available in the DPA.
Entire Agreement. This Agreement contains the entire understanding of the parties relating to your use of the Service. Unless specifically stated otherwise, this Agreement supersedes all prior agreements, understandings, proposals, discussions, negotiations, representations, and warranties, both written and oral, for the Service.
Assignment. Neither party may assign this Agreement without written permission from the other party. However, we may assign this Agreement to an Affiliate.
This Agreement and any dispute or controversy arising out of or relating to this Agreement will be governed by and construed in accordance with the Laws of New York, without regard to its conflict of laws principles. The parties to this Agreement irrevocably consent to exclusive jurisdiction of, and venue in, any federal or state court of competent jurisdiction in Nrelating to your ew York County, New York to adjudicate any dispute arising out of or relating to this Agreement. To the extent permitted by applicable Law, the United Nations Convention on Contracts for the International Sale of Goods does not apply. Notwithstanding the foregoing, either party to this Agreement may, at any time, and without waiving any other rights under this Agreement, seek appropriate legal or equitable relief in any court of competent jurisdiction to protect its intellectual property rights.
Both parties will comply with all applicable Laws in their performance of this Agreement.
Force Majeure. With the exception of payment obligations, neither party is liable to the other if performance is prohibited or delayed by acts that are outside of the other party’s reasonable control.
Notices. Any notice given under this Agreement to us must be in writing, delivered by a recognized overnight courier (receipt requested) to: ServiceNow, Inc. Attn: Legal Department, 2225 Lawson Lane, Santa Clara, CA 95054; and to you by email at the email address we have on file for you, or in writing to your registered, or last known address.
Waiver, Severability. If either party fails to enforce a provision of this Agreement, it will not be deemed to be a waiver of such party’s right to enforce such provision. If any provision of this Agreement is unenforceable, the remainder of this Agreement will remain in effect.
Counterparts. This Agreement may be executed in counterparts, and each part, taken together, constitutes the same Agreement.
Export Control Laws and Trade Sanctions. The Service as well as your access to it and your usage of it are subject to export control laws and trade sanctions, including the U.S. Export Administration Regulations (EAR) and the regulations of the U.S. Office of Foreign Assets Control (OFAC regulations). You confirm that you and the end-user of the Service are not found on any denied or restricted person lists maintained under the authority of the EAR, the OFAC regulations, or any other applicable denied or restricted person list. You agree to fully comply with the EAR, OFAC regulations, and any other applicable export control laws and trade sanctions in your usage of the Service.
U.S. Government Rights. All ServiceNow software is commercial computer software and all services are commercial items. “Commercial computer software” has the meaning set forth in Federal Acquisition Regulation (“FAR”) 2.101 for civilian agency purchases and the Department of Defense (“DOD”) FAR Supplement (“DFARS”) 252.227-7014(a)(1) for defense agency purchases. If the software is licensed or the services are acquired by or on behalf of a civilian agency, ServiceNow provides the commercial computer software and/or commercial computer software documentation and other technical data subject to the terms of this Agreement as required in FAR 12.212 (Computer Software) and FAR 12.211 (Technical Data) and their successors. If the software is licensed or the services are acquired by or on behalf of any agency within the DOD, ServiceNow provides the commercial computer software and/or commercial computer software documentation and other technical data subject to the terms of this Agreement as specified in DFARS 227.7202-3 and its successors. Only if this is a DOD prime contract or DOD subcontract, the Government acquires additional rights in technical data as set forth in DFARS 252.227-7015. This U.S. Government Rights clause is in lieu of, and supersedes, any other FAR, DFARS or other clause or provision that addresses Government rights in computer software or technical data.
“Affiliate” means any person or entity directly or indirectly Controlling, Controlled by, or under common Control with a party, where “Control” means the beneficial ownership of more than 50% of the issued share capital of a company or the legal power to direct or cause direction of the general management of a legal entity.
“Agreement” means these terms, the ordering documentation (if applicable), and any other terms ServiceNow attaches or incorporates into these terms or the Agreement.
“Customer Data” means your electronic data that is uploaded by or for you, and is processed as part of the Service.
“Documentation” means the then-current ServiceNow technical documentation, user manuals, instructions, and release notes for the Lightstep Incident Response product.
“Law” means any applicable law, rule, statute, decree, decision, order, regulation, judgment, code, and requirement of any government authority (federal, state, local, or international) having jurisdiction.
“ServiceNow” means ServiceNow, Inc.
LIGHTSTEP INCIDENT RESPONSE
DATA PROCESSING ADDENDUM
“Data Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data. For purposes of this DPA, Data Controller is Customer and, where applicable, its Affiliates either permitted by Customer to submit Personal Data to the Service or whose Personal Data is Processed in the Service.
“Data Processor” means the natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Data Controller. For purposes of this DPA, Data Processor is the ServiceNow entity that is a party to the Agreement.
“Data Protection Laws” means all applicable laws and regulations regarding the Processing of Personal Data.
“Data Subject” means an identified or identifiable natural person.
“Instructions” means Data Controller’s documented data Processing instructions issued to Data Processor in compliance with this DPA.
“Personal Data” means any information relating to a Data Subject uploaded by or for Customer or Customer’s agents, employees, or contractors to the Service as Customer Data.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Service” means the Early Access to the Lightstep Incident Response product.
“Sub-Processor” means any legal person or entity engaged in the Processing of Personal Data by Data Processor. For the avoidance of doubt, ServiceNow’s colocation datacenter facilities are not Sub-Processors under this DPA.
SCOPE OF THE PROCESSING
COMMISSIONED PROCESSOR. Data Controller appoints Data Processor to Process Personal Data on behalf of Data Controller as described in the Agreement and in accordance with the Instructions.
INSTRUCTIONS. The Agreement constitutes Data Controller’s written Instructions to Data Processor for Processing of Personal Data.
NATURE, SCOPE AND PURPOSE OF THE PROCESSING. Data Processor shall only Process Personal Data in accordance with Data Controller’s Instructions and to the extent necessary for providing the Service, as described in the Agreement.
CATEGORIES OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS. Data Controller may submit Personal Data to the Service as Customer Data, the extent of which is determined and controlled by Data Controller in its sole discretion and is further described in Appendix 1.
COMPLIANCE WITH DATA PROTECTION LAWS. Data Controller shall comply with all of its obligations under Data Protection Laws when Processing Personal Data. Data Controller shall represent and warrant that it has all necessary rights and a valid legal basis (as defined by applicable Data Protection Laws) to Process Personal Data.
CUSTOMER’S AFFILIATES. If Customer has entered into this Agreement on behalf of Customer’s Affiliates, the obligations of Data Processor set forth herein will extend to Customer’s Data Controller Affiliates to which Customer provides access to the Service or whose Personal Data is Processed within the Service, subject to the following conditions:
COMPLIANCECustomer shall at all times be liable for its Affiliates’ compliance with this DPA and all acts and omissions by a Data Controller Affiliate are considered acts and omissions of Customer.
CLAIMSCustomer’s Data Controller Affiliates will not bring a claim directly against Data Processor. In the event a Data Controller Affiliate wishes to assert a valid legal action, suit, claim or proceeding against Data Processor (a “Data Controller Affiliate Claim”): (i) Customer must bring such Data Controller Affiliate Claim directly against Data Processor on behalf of such Data Controller Affiliate, unless Data Protection Laws require that Data Controller Affiliate be party to such Data Controller Affiliate Claim; and (ii) all Data Controller Affiliate Claims will be considered claims made by Customer and are at all times subject to any aggregate limitation of liability set forth in the Agreement.
SECURITY RISK ASSESSMENT. Data Controller agrees that in accordance with Data Protection Laws it will perform a reasonable risk assessment to determine whether the security measures within the Service provide a reasonable level of security, taking into account the nature, scope, context and purposes of the processing, the risks associated with the Personal Data and the applicable Data Protection Laws. Data Processor shall provide Data Controller reasonable assistance by providing Data Controller with information requested by Data Controller to conduct Data Controller’s security risk assessment.
COMMUNICATION. Unless otherwise provided in this DPA, all requests, notices, cooperation, and communication, including Instructions issued or required under this DPA (collectively, “Communication”), must be in writing and between Customer and ServiceNow only and Customer shall inform the applicable Data Controller Affiliate of any Communication from ServiceNow pursuant to this DPA. Customer shall be solely responsible for ensuring any Communications (including Instructions) it provides to ServiceNow relating to Personal Data for which a Customer Affiliate is Data Controller reflect the relevant Customer Affiliate’s intentions.
NOTICE AND CONSENT. Data Controller shall provide adequate notices, and obtain the necessary permissions and consents to provide Customer Data, including any Personal Data contained therein, to Data Processor for use and disclosure. If Data Controller records or monitors telephone calls, SMS messages, or other communications using the Service, then Data Controller will: (i) comply with all applicable laws, including Data Protection Laws, prior to doing so, and (ii) provide all required notices and secure all required prior consents to record or monitor communications using the Service. Subject to the terms of this Agreement, Data Controller acknowledges that these obligations are essential to Data Processor (and its Sub-Processors) ability to provide Data Controller with access to recording and monitoring features that are may be part of the Service.
DATA CONTROLLER’S INSTRUCTIONS. Data Processor will have no liability for any harm or damages resulting from Data Processor’s compliance with unlawful Instructions received from Data Controller. Where Data Processor believes compliance with Data Controller’s Instructions could result in a violation of Data Protection Laws or is not in the ordinary course of Data Processor’s obligations in operating the Service, Data Processor shall promptly notify Data Controller thereof. Data Controller acknowledges Data Processor is reliant on Data Controller’s representations regarding the extent to which Data Controller is entitled to Process Personal Data.
DATA PROCESSOR PERSONNEL. Access to Personal Data by Data Processor will be limited to personnel who require such access to perform Data Processor’s obligations under the Agreement and who are bound by obligations to maintain the confidentiality of such Personal Data at least as protective as those set forth herein and in the Agreement.
DATA SECURITY MEASURES. Without prejudice to Data Controller’s security risk assessment obligations under Section 3.3 (Security Risk Assessment) above, Data Processor shall maintain reasonable technical and organizational safeguards to protect the security, confidentiality, and integrity of Customer Data, including any Personal Data contained therein, as described in the Agreement.
MONITORING AND SUPPORT. Processor and its Sub-Processors may use Customer Data to detect, prevent, and investigate security incidents, fraud, spam, or unlawful use of the Services by third-parties and support the Services by responding to Customer's technical problems or queries.
TERMINATION OF ACCESS. Upon termination or expiration of the Agreement, Data Processor shall use reasonable measures to remove access to Customer Data, including Personal Data contained therein, as described in the Agreement.
DATA PROCESSOR ASSISTANCE. Data Processor will assist Data Controller in ensuring compliance with Data Controller’s obligations pursuant to Data Protection Laws taking into account the nature of Processing by providing Data Controller with reasonable information requested pursuant to the terms of this DPA, including information required to conduct Data Controller’s data protection impact assessments and prior consultations with supervisory authorities, where required. For clarity, Data Controller is solely responsible for carrying out its obligations under Data Protection Laws and this DPA. Data Processor shall not undertake any task that can be performed by Data Controller.
DATA PROTECTION CONTACT. ServiceNow and its Sub-Processor Affiliates (defined below) will maintain a dedicated data protection team to respond to data protection inquiries throughout the duration of this DPA and can be contacted at firstname.lastname@example.org.
REQUESTS MADE FROM DATA SUBJECTS AND AUTHORITIES
REQUESTS FROM DATA SUBJECTS. During the Service Term, Data Processor shall provide Data Controller with the ability to access, correct, rectify, erase, or block Personal Data, or to transfer or port such Personal Data, within the Service, as may be required under applicable Data Protection Laws (collectively, “Data Subject Requests”).
RESPONSES. Data Controller will be solely responsible for responding to any Data Subject Requests, provided that Data Processor shall reasonably cooperate with the Data Controller to respond to Data Subject Requests to the extent Data Controller is unable to fulfill such Data Subject Requests using the available functionality. Data Processor will instruct the Data Subject to contact the Customer in the event Data Processor receives a Data Subject Request directly.
REQUESTS FROM AUTHORITIESIn the case of a notice, audit, inquiry, or investigation by a government body, data protection authority, or law enforcement agency regarding the Processing of Personal Data, Data Processor shall promptly notify Data Controller unless prohibited by applicable law. Each party shall cooperate with the other party by providing all reasonable information requested in the event the other party is required to produce such information to a data protection authority.
NOTIFICATION. Data Processor will report to Data Controller any accidental or unlawful destruction, loss, alteration, unauthorized disclosure, of or access to Customer Data (“Breach”) without undue delay following determination by ServiceNow that a Breach has occurred.
DATA CONTROLLER OBLIGATIONSData Controller will cooperate with Data Processor in maintaining accurate contact information in the customer support portal and by providing any information that is reasonably requested to resolve any security incident, including any Breaches, identify its root cause(s) and prevent a recurrence. Data Controller is solely responsible for determining whether to notify the relevant supervisory or regulatory authorities and impacted Data Subjects and for providing such notice.
USE OF SUB-PROCESSORS. Data Controller authorizes Data Processor to engage Sub-Processors appointed in accordance with this Section 8.
CURRENT SUB-PROCESSORSAs of the Effective Date, Data Processor engages, as applicable, Twilio, Inc., Pendo.io, Inc., and the following ServiceNow Affiliates as Sub-Processors: ServiceNow, Inc. (USA), ServiceNow Nederland B.V. (the Netherlands), ServiceNow Australia Pty Ltd (Australia), ServiceNow Software Development India Private Limited (India), ServiceNow UK Ltd. (United Kingdom), ServiceNow Ireland Limited (Ireland), and ServiceNow Japan G.K. (Japan) (collectively,“Sub-Processor Affiliates”). Data Processor will notify Data Controller of changes regarding such Sub-Processor Affiliates through Data Processor’s Support Portal (or other mechanism used to notify its general customer base). Each Sub-Processor Affiliate shall comply with the obligations of the Agreement in the Processing of the Personal Data.
NEW SUB-PROCESSORS. Prior to Data Processor or a Data Processor Affiliate engaging a Sub-Processor, Data Processor shall: (a) notify Data Controller by email to Customer’s designated contact(s) or by notification within its support portal (or other mechanism used to notify its customer base); and (b) ensure such Sub-Processor entered into a written agreement with Data Processor (or the relevant Data Processor Affiliate) requiring the Sub-Processor abide by terms no less protective than those provided in this DPA.
RIGHT TO OBJECT. Data Controller may object to Data Processor’s proposed use of a new Sub-Processor by notifying Data Processor within 10 days after receipt of Data Processor’s notice if Data Controller reasonably determines such Sub-Processor is unable to Process Personal Data in accordance with the terms of this DPA (“Objection Notice”) and choose to terminate use of the Service.
LIABILITY. Use of a Sub-Processor will not relieve, waive, or diminish any obligation of Data Processor under the Agreement, and Data Processor is liable for the acts and omissions of any Sub-Processor to the same extent as if the acts or omissions were performed by Data Processor.
INTERNATIONAL DATA TRANSFERS
STANDARD CONTRACTUAL CLAUSES AND ADEQUACY. Where required under Data Protection Laws, Data Processor or Data Processor’s Affiliates shall require Sub-Processors to abide by (a) the Standard Contractual Clauses for Data Processors established in third countries; or (b) another lawful mechanism for the transfer of Personal Data as approved by the European Commission.
APPENDIX 1 DETAILS OF PROCESSING
Duration of Processing
Data Processor will Process Personal Data for the duration of the Agreement and in accordance with Section 4 (Data Processor) of this DPA.
Data Controller may submit Personal Data to the Service, the extent of which is solely determined by Data Controller, and may include Personal Data relating to the following categories of Data Subjects:
clients and other business contacts;
employees and contractors;
subcontractors and agents; and
consultants and partners.
Categories of Personal Data
Data Controller may submit Personal Data to the Service, the extent of which is solely determined by Data Controller, and may include the following categories:
communication data (e.g. telephone, email);
business and personal contact details; and
other Personal Data submitted to the Service.
Special Categories of Personal Data
Data Controller may submit Special Categories of Personal Data to the Service, the extent of which is solely determined by Data Controller in compliance with Data Protection Laws, and may include the following categories, if any:
racial or ethnic origin;
religious or philosophical beliefs;
trade union membership;
genetic data or biometric data;
health information; and
sex life or sexual orientation.
The personal data transferred is subject to the following basic processing activities:
All activities necessary for the performance of the Agreement