This StellaConnect by Medallia Master Subscription Agreement (the “Agreement”) is effective as of the last signature on an Order between the parties (the “Effective Date”) and is between StellaService, Inc., a Medallia company, and its parent and affiliated group companies (collectively, “Medallia”) and the other signatory to an Order (“Customer”). Medallia provides experience management products (the “Medallia Products”). This Agreement establishes the terms and conditions for the purchase and provision of subscriptions to Medallia Products and related professional services provided by Medallia (“Professional Services”).
This Agreement does not itself obligate the parties to purchase or provide subscriptions to Medallia Products or Professional Services. Such obligations will be documented in ordering documents that describe the relevant Medallia Products or Professional Services scope and the related fees (an “Order”). An explicit conflict between these agreements will be resolved according to the following order of precedence: (1) an Order; and (2) this Agreement.
2. Provision of Medallia Products
Medallia will make Medallia Products available to Customer through the web browsers and mobile applications specified on the Order and will maintain the hardware and software necessary to do so. Medallia’s service level agreements will be as set forth in the applicable product and services descriptions (the “Documentation”). Medallia will provide Customer with access to every product improvement consistent with the scope established in the Order, when and if generally available.
3. Medallia Products and Professional Services Warranty
a. Express Warranties
Medallia Products will perform in a manner consistent with the Documentation, this Agreement and Order(s) (the “Solution Warranty”). Professional Services will be provided in a true and workmanlike manner, consistent with this Agreement and the Order (the “Services Warranty”).
b. Remedy for Failure of the Solution Warranty
Upon receipt of written notice of a Solution Warranty breach, Medallia will provide a correction at no charge. If Medallia cannot correct the breach within forty-five days from receipt of the warranty notice, then Customer may terminate the affected Order at any time within the next thirty days and receive: (i) if the breach notice was received fewer than ninety days after the Effective Date, a refund of all subscription fees paid; or (ii) if the notice was received at any other time, a prorated refund of subscription fees from the date of the warranty notice. This is Customer’s sole and exclusive remedy for a breach of the Solution Warranty.
c. Remedy for Failure of the Professional Services Warranty
Upon receipt of written notice of a Services Warranty breach, Medallia will re-perform the Professional Services as necessary to correct the breach. If Medallia cannot correct the breach within forty-five days from receipt of the warranty notice, then Customer may terminate the affected portion of the Order at any time within the next thirty days and receive a refund of Professional Services fees paid for nonconforming or unperformed Professional Services. This is Customer’s sole and exclusive remedy for a breach of the Professional Services Warranty.
d. Disclaimer of Other Warranties
Except as expressly provided herein, and to the maximum extent permitted by applicable law, Medallia provides Medallia Products and Professional Services “as is,” makes no warranty of any kind express or implied with regard to Medallia Products or Professional Services, and disclaims all other warranties, such as: (i) without prejudice to Customer’s right to service credits for a failure to meet Medallia’s uptime commitments, any warranty that Medallia Products and Professional Services will be error free or uninterrupted; and (ii) the implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement.
4. Use of Medallia Products
a. General Obligations
Other than using Medallia Products and its functionalities under an Order, Customer may not copy, modify, distribute, sell, or lease any part of Medallia Products or included software, or reverse engineer or attempt to extract the source code of that software, unless laws prohibit those restrictions. Customer may not use Medallia Products functionality to infringe upon the intellectual property rights of others, or to commit an unlawful activity.
b. Compliance Obligations
c. Third Party Services
5. Ownership and Use Rights
a. Customer Data
Customer owns all data delivered to Medallia by Customer or collected by Medallia on behalf of Customer (the “Customer Data”), including any personal data as defined by applicable data privacy laws (“Personal Data“). Customer grants Medallia a non-exclusive, worldwide, limited license to the Customer Data for the purposes of: (i) providing and improving Medallia Products and Professional Services, as long as such improvements are not derived from the use of Personal Data; and (ii) developing and publishing broadly applicable experience management insights (such as industry experience management benchmarks, if applicable, provided that only aggregated or de-identified Customer Data is used).
b. Medallia Products
Medallia owns Medallia Products, including all features, functionalities, configurations, designs, templates, and other proprietary elements contained therein and all modifications, improvements, and derivative works thereof. Medallia will provide Customer with access to Medallia Products as described in the Order during the term of an Order for its internal business purposes. If Customer uses a Medallia API or software developer kit (“SDK”), Medallia grants Customer a non-exclusive, worldwide, limited license for use of such API or SDK for the purpose of enabling Customer to use Medallia Products. Customer will not remove, obscure, or alter Medallia’s copyright notice, or other proprietary rights notices affixed to or contained within Medallia Products or any related documentation. Customer grants Medallia a worldwide, perpetual, irrevocable, royalty-free license to use feedback provided by Customer to Medallia related to the Medallia Products.
Medallia owns the Documentation and all derivative works thereof. Medallia grants Customer a non-exclusive, worldwide limited license to use, copy, and make derivative works of the Documentation for internal business purposes during the term of an Order.
Customer grants Medallia a limited, non-exclusive license to mark Customer surveys and reports and Customer’s instance of Medallia Products with Customer’s trademarks, when requested by Customer and subject to Customer approval for consistency with its branding guidelines.
e. Reserved Rights
Customer and Medallia each reserve all intellectual property rights not explicitly granted herein.
Fees due for Medallia Products and Professional Services will be stated on the Order. Fees are non-cancelable and non-refundable other than as explicitly stated in this Agreement.
Invoiced amounts are payable in full, without reduction for transaction taxes (e.g., value added taxes, consumption taxes, goods and services taxes, GST/HST, excise, sales, use or similar taxes, and withholding taxes). Customer is required to pay all such transaction taxes, either directly or by increasing payments to Medallia to offset taxes that Customer is required to deduct from payments. If Medallia has a legal obligation to pay or collect such transaction taxes, the appropriate amount will be invoiced to and paid by Customer, unless Customer provides Medallia with a valid tax exemption certificate.
7. Term and Termination
The term of this Agreement is from the Effective Date through the last to expire Order.
b. Termination for Cause
Either party may terminate this Agreement or Order within thirty days upon the occurrence of either of the following: (a) in the event the other party fails to cure any material breach of this Agreement or the relevant Order within thirty (30) days after receipt of written notice; or (b) if the other party files or has filed against it any bankruptcy or similar proceeding or enters into any form of arrangement with its creditors that is not removed within 60 days of filing.
c. Transfer of Customer Data Upon Termination
Upon termination of this Agreement or an Order, Medallia will make customer feedback collected through and, at the time of termination, stored within Medallia Products available for secure download by Customer in a standard flat file format for at least thirty (30) days (the “Data Transfer Period”). Within sixty (60) days of the end of the Data Transfer Period, Medallia will remove all Customer Data from Medallia Products.
Medallia will maintain insurance policies providing at least the following coverage and will provide a certificate of insurance upon request:
i. Technology Errors & Omissions / Professional liability with a limit of at least $5 Million;
ii. Cyber/Network and Information Security liability with a limit of at least $5 Million;
iii. Commercial General liability with a limit of at least $1 Million;
iv. Automobile liability with a limit of at least $1 Million;
v. Workers Compensation and Employer’s liability with a limit of at least $1 Million;
vi. Umbrella liability with a limit of at least $10 million.
9. Privacy, Security, and Audits
a. Compliance with Data Protection Laws
In processing Personal Data in the Medallia Products and through the Professional Services to Customer, Medallia shall comply with applicable legal requirements for privacy, data protection and confidentiality of communications. Such applicable legal requirements include the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts (201 CMR 17.00), the California Consumer Privacy Act of 2018 (the “CCPA”), and other applicable United States data protection laws at the state level, and implementing national legislation, and Regulation 2016/679 (also known as GDPR), if applicable. Medallia shall not (i) sell Personal Data as defined under the CCPA, or (ii) retain, use, or disclose Personal Data for any purpose other than for the specific purpose of providing the Medallia Products and performing the Services. Medallia is certified under the Privacy Shield to cover the transfer of data collected in the European Economic Area and Switzerland to the United States.
b. Data Protection Agreement
Medallia offers a data processing agreement that defines Medallia’s and Customer’s obligations under GDPR, and includes the EU’s approved Standard Contractual Clauses for the handling of data collected in the European Economic Area and Switzerland outside of those areas. If Customer has a need for this agreement, Customer should please request it from Customer’s Medallia account representative.
c. Security Obligations
Medallia shall implement and maintain appropriate technical and organizational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of Customer Data, in accordance with Medallia’s security standards described in the Security Measures addendum
d. Security Incident Response
Medallia shall respond to Security Incidents as described in the Security Measures addendum
e. General Performance Audits
Customer may, no more than once per year, audit Medallia’s performance under this Agreement and each Order, and Medallia will maintain records sufficient for such audits, including service hours provided, uptime, and the results of security and disaster recovery tests.
f. Security Audits
Certain Medallia Products are regularly audited by independent third parties and/or internal auditors. Upon request, Medallia shall supply (on a confidential basis) a summary copy of its audit report(s), if applicable, as well as written responses (on a confidential basis), not more than once per year, to all reasonable security and audit questionnaires that are necessary to confirm Medallia’s compliance with this Agreement. Medallia shall permit Customer (or its appointed third party auditors) to carry out an audit of Medallia’s processing of Customer Data under this Agreement following: (i) a Security Incident or (ii) upon the instruction of a data protection authority.
g. Audit Procedure
Each audit requires at least thirty days’ prior notice, except in the event of a Security Incident or upon instruction of a data protection authority. Audits will take place on a mutually agreed date during Medallia’s normal business hours, and Customer will cause its representative or agent to employ such reasonable procedures and methods as are necessary and appropriate in the circumstances to minimize interference with Medallia’s normal business operations. Onsite audits are limited to two business days.
h. Data Collection
Medallia Products enable Customer to import and collect a wide range of information about Customer’s customers or end users. The types of data that are imported and collected in Medallia Products will be within Customer’s control, and will be specified during implementation and use of each product. Unless approved by Medallia’s data protection attorneys, Customer shall not configure the Medallia Products to collect bank account numbers, payment card or credit card information, bank transaction information, government identification numbers including (but not limited to) social security numbers, state identification numbers, and passport numbers, and sensitive personal information including (but not limited to) religious beliefs, health, sexual orientation, race, and union membership and Medallia will not be liable for non-compliance under laws and regulations that applies to the processing of the foregoing categories of data. This provision shall not apply to Protected Health Information as defined by HIPAA, as long as Customer has signed a Business Associate Agreement with Medallia.
a. Controlling Statement of Obligations
The terms of this Confidentiality provision supersede any non-disclosure or confidentiality agreement entered into by the parties prior to the Effective Date of this Agreement.
b. Confidential Information
Confidential Information means all information provided by a disclosing party to a receiving party that a reasonable industry participant would deem to be confidential, including for example: (i) all information that is marked confidential; (ii) the terms of each Order; (iii) features and functionality of Medallia Products and related documentation; and (iv) Customer Data. Confidential Information does not include information that is independently developed, that becomes public knowledge through no fault of the receiving party, or that is received from a third party under circumstances that do not create a reasonable suspicion that it has been misappropriated or improperly disclosed.
c. Use and Disclosure Restrictions
A receiving party will use commercially reasonable efforts to protect Confidential Information it receives and will use Confidential Information only as necessary to perform its obligations and exercise its rights under this Agreement and each Order. A receiving party will not disclose Confidential Information to third parties other than as permitted under this Agreement or as compelled by a court or regulator of competent authority (and then while taking all reasonable steps to inform the disclosing party prior to disclosure and to limit the scope of the disclosure).
a. Intellectual Property Indemnification by Medallia
Medallia will defend Customer against claims, causes of action, and investigations by third parties or government agencies and will pay the resulting judgments, fines, settlements, court costs, and attorneys fees (to “Indemnify”) for third party claims alleging that Medallia Products infringe a third-party patent, copyright, or trademark or misappropriate a third-party trade secret, subject to the following limitations: (i) if the alleged infringement arises from a modification by Customer or the unauthorized use of Medallia Products; (ii) if the alleged infringement arises from a violation of Customer’s obligations under Section 4 (“Use of Medallia Products”); or (iii) if the alleged infringement arises from the combination of Medallia Products with any product or process not provided by Medallia, and if Medallia would not be liable for inducement or contribution for such infringement, then Medallia will have no obligation to Indemnify. If Customer establishes a reasonable belief that use of Medallia Products will be enjoined, then Medallia will use commercially reasonable efforts to substitute the affected functionality with a non-infringing alternative or to procure a license to allow for the continued use of the affected functionality. If use of Medallia Products is enjoined and if Medallia has not provided a non-infringing alternative, then Customer may, within 30 days of the date of the injunction, terminate the affected Order immediately upon written notice and receive a refund of the unused portion of prepaid fees.
b. Data Breach Indemnification by Medallia
Medallia will Indemnify Customer for third party claims arising from the improper access, use, or disclosure of personally identifiable Customer Data caused by: (i) Medallia’s breach of its obligations under this Agreement; or (ii) the willful misconduct or gross negligence of Medallia personnel or any third party under Medallia’s control.
c. Indemnification by Customer
Customer shall Indemnify Medallia from third-party claims arising out of: (i) Customer’s or any of its employees and agents use of Medallia Products in violation of Section 4 of this Agreement; and (ii) alleged infringement of a third-party patent, copyright, or trademark or misappropriation of a third-party trade secret arising out of (A) an unauthorized modification by Customer of Medallia Products; or (B) an unauthorized combination of Medallia Products with any product or process not provided or authorized by Medallia.
d. Indemnification Requirements and Procedure
The party seeking indemnification (the “Indemnified Party”) will provide timely notice to the party from which it seeks indemnification (the “Indemnifying Party”) (although untimely notice will relieve the Indemnifying Party of its indemnification obligations only commensurate with actual prejudice suffered as a result) and will provide reasonable assistance to Indemnifying Party at the Indemnifying Party’s expense. The Indemnifying Party will have sole control over the defense, but the Indemnified Party will have the right to participate at its own cost.
12. Limitation of Damages and Liability
a. Limitation of Damages
Neither party will be liable to the other for consequential, special, incidental, punitive, exemplary, or indirect damages or for lost profits, lost revenues, harm to goodwill, or the costs of procuring replacement services, regardless of whether such damage was foreseeable. This limitation will apply to all claims under all theories of law and equity, except where prohibited by law.
b. Limitation of Liability
Except in the event of gross negligence; willful misconduct; for fees owed in excess of the below limit; and where prohibited by law, the cumulative liability of either party to the other will be limited to the fees paid or payable under this Agreement for the 12 months preceding the filing of the claim, for all other claims.
Medallia may include Customer’s name and logo on Medallia’s public customer list. Customer agrees to partner with Medallia on co-marketing and public relations activities to demonstrate the launch and success of Customer’s program (e.g., press release, case study, testimonial, video). Customer grants Medallia a limited, non-exclusive, worldwide license to use its trademark for these purposes.
14. General Terms
Each party warrants that it has the authority to enter into this Agreement and each Order.
Neither this Agreement nor any Order may be assigned without written consent (such consent not to be unreasonably withheld) and any such attempted assignment will be void.
All terms that must survive termination in order to have their customary effect, including terms related to confidentiality, indemnification, limitation of damages and liability, and post-termination data transfer will survive termination or expiration of this Agreement.
d. Force Majeure
No party will be deemed to have breached this Agreement or any Order if its failure to perform was caused by events beyond that party’s reasonable control, such as mass failure of internet infrastructure, civil unrest, and natural disasters.
e. Independent Contractors
The parties are independent contractors. Neither party has the right to bind the other, and neither party will make any contrary representation to a third party.
f. Export Compliance
Customer will comply with the export control and economic sanctions laws and regulations of the United States and other applicable jurisdictions. Consistent with that obligation, Customer will not make Medallia Products available to any person or entity that is: (i) located in a country that is subject to a U.S. government embargo, (ii) on a U.S. government list of prohibited or restricted parties, or (iii) engaged in activities directly or indirectly related to the proliferation of weapons of mass destruction.
g. Arbitration, Governing Law and Forum
Disputes arising from this Agreement will be settled by arbitration administered in San Mateo, California by the American Arbitration Association under its procedural Commercial Arbitration Rules and the substantive law of the United States of America and the State of California, and judgment on the award rendered by the arbitrator may be entered in any court with jurisdiction. This provision will not impair either party’s ability to receive injunctive or other equitable relief from any court with jurisdiction. The United Nations Convention on Contracts for the International Sale of Goods does not apply to this Agreement.
h. No Waiver
The failure of a party to timely enforce an obligation under this Agreement or Order will only be construed as a waiver if given in writing and will not act to waive any other obligation, including any future occurrence of the waived obligation.
i. Complete Agreement
This Agreement and each Order including relevant Documentation contains the full agreement of the parties (superseding all prior or contemporaneous agreements) and may only be amended by a writing signed by both parties. Terms and conditions stated in Customer order documentation (e.g., a Customer purchase order) will be null and void. Neither party enters into this Agreement or Orders based on representations not stated in these documents, and there will be no presumption against either party as the drafter thereof.
Medallia may utilize subcontractors provided that: (i) Medallia has bound the subcontractor to agreements requiring it to conform to law, regulation, industry standards, and the quality, confidentiality, and privacy standards reflected in this Agreement; and (ii) Medallia remains responsible for delivery of the scope established in the Order.
Notifications required under this Agreement or an Order in relation to breach, disputed payments, audit, or indemnification will be provided in writing to the legal departments of the parties to the addresses identified in an Order. Other notifications can be submitted via email. Notifications will be effective as of the date of delivery.
Medallia maintains and manages a comprehensive written security program designed to protect: (a) the security and integrity of Customer Data; (b) against threats and hazards that may negatively impact Customer Data; and (c) against unauthorized access to Customer Data. Medallia’s security program includes the following:
1. Risk Management
a. Conducting an annual risk assessment designed to identify threats and vulnerabilities in the administrative, physical, legal, regulatory, and technical safeguards used in the Medallia Products.
b. Maintaining a documented risk remediation process to assign ownership of identified risks, establish remediation plans and timeframes, and provide for periodic monitoring of progress.
2. Information Security Program
a. Maintaining a documented comprehensive information security program. This program will include policies and procedures aligning with industry best practices, such as ISO 27001/27002.
b. Such information security program shall include, as applicable: (i) adequate physical security of all premises in which Customer Data will be processed and/or stored; (ii) reasonable precautions taken with respect to Medallia personnel employment; and (iii) an appropriate network security program.
c. These policies will be reviewed and updated by Medallia management annually.
3. Organization of Information Security
a. Assigning security responsibilities to appropriate Medallia individuals or groups to facilitate protection of the Medallia Products environment and associated assets.
b. Establishing information security goals to be met.
4. Human Resources Security
a. Medallia employees undergo comprehensive screening during the hiring process. Background checks and reference validation will be performed to determine whether candidate qualifications are appropriate for the proposed position. Subject to any restrictions imposed by applicable law and based on jurisdiction, these background checks include criminal background checks, employment validation, and education verification as applicable.
b. Ensuring all Medallia employees are subject to confidentiality and non-disclosure commitments before access is provisioned to Medallia Products and/or Customer Data.
c. Ensuring applicable Medallia employees receive security and privacy awareness training designed to provide such employees with information security knowledge to provide for the security, availability, and confidentiality of Customer Data.
d. Upon Medallia employee separation or change in roles, Medallia shall ensure any Medallia employee access is revoked in a timely manner and all Medallia assets, both information and physical, are returned.
5. Asset Management
a. Maintaining asset and information management policies and procedures. This includes ownership of assets, an inventory of assets, classification guidelines, and handling standards pertaining to Medallia assets.
b. Maintaining media handling procedures to ensure media containing Customer Data is encrypted and stored in a secure location subject to strict physical access controls.
c. When a storage device has reached the end of its useful life, procedures include a decommissioning process that is designed to prevent Customer Data from being exposed to unauthorized individuals using the techniques recommended by NIST to destroy data as part of the decommissioning process.
d. If a hardware device is unable to be decommissioned using these procedures, the device will be virtually shredded, degaussed, purged/wiped, or physically destroyed in accordance with industry-standard practices. Devices used in the administration of the Medallia Products that have been decommissioned will be subjected to these or equally effective standards.
6. Access Controls
a. Maintaining a logical access policy and corresponding procedures. The logical access procedures will define the request, approval and access provisioning process for Medallia personnel. The logical access process will restrict Medallia user (local and remote) access based on the principle of least privilege for applications and databases. Medallia user access recertification to determine access and privileges will be performed periodically. Procedures for onboarding and off-boarding Medallia personnel users in a timely manner will be documented. Procedures for Medallia personnel user inactivity threshold leading to account suspension and removal threshold will be documented.
b. Limiting access to Customer Data to its personnel who have a need to access Customer Data as a condition to Medallia’s performance of the services under this Agreement. Medallia shall utilize the principle of “least privilege” and the concept of “minimum necessary” when determining the level of access for all Medallia users to Customer Data. Medallia shall require strong passwords subject to complexity requirements and periodic rotation.
7. System Boundaries
a. The systems that compose a functioning Medallia cloud platform for the Products are limited to shared components such as network devices, servers, and software that are physically installed and operating within Medallia’s Internet-enabled network infrastructure. This system boundary also includes the network connectivity, power, physical security, and environmental services provided by the third-party provider that owns and operates the data centers in which this network infrastructure is collocated.
b. Medallia is not responsible for any system components that are not within this system boundary, including network devices, network connectivity, workstations, servers, and software owned and operated by the Customer or other third parties. Medallia may provide support for these components at its reasonable discretion.
a. Customer maintains ownership of the encryption all Customer Data uploaded to their Products through the full lifecycle period. Customer Data may be uploaded via SFTP, TLS/SSL, or through an Medallia services API over a TLS/SSL connection to the Medallia cloud platform. Medallia will configure TLS and/or SSL certificates.
b. Customer Data shall be encrypted at rest at the storage-level.
9. Physical and Environment Security
a. Medallia products and customer data are hosted at providers who have demonstrated compliance with one or more of the following standards (or a reasonable equivalent): International Organization for Standardization (“ISO”) 27001 and/or American Institute of Certified Public Accountants (“AICPA”) Service Organization Controls (“SOC”) Reports for Services Organizations. These providers provide Internet connectivity, physical security, power, and environmental systems and services for the Medallia cloud platform used for the Products.
b. An N-tiered architecture is used to support presentation, application, processing, and data services. For enhanced security in the Medallia cloud platform, technologies such as firewalls, intrusion detection and prevention, and vulnerability management are used.
10. Operations Security
a. Maintaining documented Medallia cloud operating procedures.
b. Maintaining change and release management controls to ensure changes to products production systems made by Medallia are properly authorized and reviewed prior to implementation.
c. Monitoring usage, security events, and capacity levels within the Medallia cloud to manage availability and proactively plan for future capacity requirements.
d. Utilizing virus and malware protection software a, which are configured to meet common industry standards designed to protect Medallia systems and Customer Data from virus infections or similar malicious payloads.
e. Implementing disaster recovery and business continuity procedures. These will include periodic replication of Customer Data to a secondary data center in a geographically disparate location from the primary data center.
f. Maintaining a system and security logging process to capture critical system logs. These logs shall be maintained for at least six months and reviewed on a periodic basis.
g. Ensuring systems processing and storing customer data are appropriately configured and hardened.
h. Ensuring servers, operating systems, and supporting software used in the Medallia cloud for Products receive Critical and High security patches within a timely manner, In the event any such security patch would materially adversely affect the Products, then Medallia will use commercially reasonable efforts to implement compensating controls until a security patch is available that would not materially adversely affect the Products.
i. Conducting third-party external application penetration tests periodically.
11. Supplier Relationships
a. Maintaining a Vendor Management Program to evaluate and mitigate risks for any third parties that host or process customer data.
12. Security Incident
a. Employing incident response standards that are based upon applicable industry standards, such as ISO 27001:2013 and National Institute for Standards and Technology (“NIST”), or equivalent in order to maintain the information security components of the Products environment.
b. Responses to these incidents follow the Medallia documented incident response sequence. This sequence includes the incident trigger phase, evaluation phase, escalation phase, response phase, recovery phase, de-escalation phase, and post-incident review phase.
c. Medallia will notify Customer of a Security Incident as required pursuant to applicable law but in no event later than 72 hour after a Security Incident. A “Security Incident” means a determination by Medallia of an actual disclosure of unencrypted Customer Data to an unauthorized person or entity.
13. Information Security Aspects of Business Continuity Management
a. Maintaining a business continuity and disaster recovery plan.
b. Reviewing and testing this plan annually.