MASTER SERVICE AGREEMENT (MSA)
THIS GITGUARDIAN MASTER SERVICE AGREEMENT (the “MSA”), by and between GitGuardian SAS, a French “Société par Actions Simplifiée” located at 54, rue de Seine, 75006 Paris, France, and its wholly owned subsidiary GitGuardian Inc., a company incorporated in Delaware, having its registered office at 185 Alewife Brook Parkway Ste 210 Cambridge MA 02138 (“GitGuardian”), and the Client contracting party identified on the applicable Order Form (together with Affiliates of such company or entity, for so long as they remain Affiliates, which have entered into Order Forms for the GitGuardian Services with such Affiliate), each a (“Client”) is effective as of the Start Date of the first Order Form executed between GitGuardian and Client. GitGuardian and Client may each be referred to herein individually as a “Party” or collectively as the “Parties”.
By accepting this MSA, by (i) executing an Order Form that references this MSA, (ii) subscribing to the GitGuardian Service through Authorized Resellers, or (iii) clicking “Agree” or “Yes” to the terms of this MSA to gain initial access to, or use of, the Services, the Parties hereby agree to be bound by the terms and conditions of this MSA, including any specific services terms, product details and any applicable license and/or subscription terms set forth in applicable Service Schedules located at https://gitguardian.com.com/legal and/or Order Form(s). Each Order Form is governed by and incorporates the following documents in effect as of the Start Date of the applicable Order Form, collectively referred to as the “Agreement”, that consists of, as applicable:
- the Order Form(s);
- the DPA where applicable;
- the Service Schedule(s);
- any other attachments, addenda, and/or appendix(ices) to this MSA; and
- this MSA.
The applicable attachment(s), addenda, appendix(ices), and Service Schedule(s) is determined by the GitGuardian Service(s) purchased on the Order Form(s), or through Authorized Resellers. In the event of a conflict, the order of precedence is as set out above in descending order of control.
For the sake of clarity, if the Client purchases GitGuardian cloud-based services, the SaaS Module (Service Schedule 1) shall apply; if the Client purchases GitGuardian on-premise services, the Self-Hosted Module (Service Schedule 2) shall apply.
1. DEFINITIONS.
Capitalized words not listed here will be defined within the Agreement.
“Affiliate(s)” means any entity, whether incorporated or not, that is controlled by or under common control with a party and its successors, and "control" (or variants of it) shall mean the ability whether directly or indirectly to direct the affairs of another by means of ownership, contract or otherwise.
“Confidential Information” means all non-public or non-generally available technical or non-technical information (however recorded or preserved) disclosed by a party to the other party that is conspicuously marked as confidential or would be considered confidential information by a reasonable party under the circumstances.
“Discloser” means the party disclosing the Confidential Information under this Agreement.
"Documentation" means any manuals, documentation, and other supporting materials related to the Services that GitGuardian provides or makes available to Client that sets out a description of the Services and instructions for use of the Services. Documentation is considered part of the Services.
“GitGuardian Services” or “Services” shall mean the service items listed in the applicable Service Schedules and purchased by Client pursuant to the applicable Order Form.
“GitGuardian Materials” means the Services, Documentation, and any other information, data, documents, materials, works, and other content, devices, methods, processes, hardware, software, and other technologies and inventions, including any deliverables, technical or functional descriptions, requirements, plans, or reports, that are provided or used by GitGuardian in connection with the Services or otherwise comprise or relate to the Services. For the avoidance of doubt, GitGuardian Materials include Performance Data and any information, data, or other content derived from GitGuardian’s monitoring or support of Client’s access to or use of the Services, but do not include Client Data (where such data is processed in connection with the Services).
“Order Form” means an order pursuant to which from time to time Client orders the Services or rights to GitGuardian Services, and which is signed (i) by Client and GitGuardian; or (ii) by Client and an Authorized Partner (“Authorized Partner” means a third party that GitGuardian has authorized to resell the Services to the Client). The Order Form is incorporated into this Agreement by reference and specifies the Services to be provided by GitGuardian pursuant to this Agreement.
“Performance Data” means, where applicable, usage data and information compiled by GitGuardian on Client’s use of the Services, including statistical and performance information related to the provision and operation of the Services. Performance Data includes information concerning Client’s and Users’ use of the various features and functionality of the Services and analytics and statistical data derived therefrom, and aggregated and anonymized data derived from Client Data (where such data is processed in connection with the Services) so that such data does not identify a person.
“Recipient” means the party receiving the Confidential Information under this Agreement.
“Service Data” means the information and data made available to Client by GitGuardian in connection with the Services, including issues and remediations.
“User” has the definition provided in the corresponding Service Schedule, in accordance with the Services purchased by Client.
“Subscription Fees” means the fees payable for the Services as set out in an applicable Order Form.
2. FEES AND PAYMENT
2.1 If Client elects to purchase the Services through an Authorized Partner, payment for the Services will be governed by the terms agreed upon by and between Client and such Authorized Partner. Accordingly, Section 2.3 of this Agreement will not apply to Client’s payment obligations for such transactions. However, all other provisions of this Agreement remain in effect and will continue to govern Client’s use of the Services.
2.2 Client agrees to pay the Subscription Fees set out in an Order Form for the duration of the Term. GitGuardian shall provide the Services to Client specified in the applicable Order Form. Subject to the terms of this Agreement, GitGuardian permits Client and its Affiliates to have access to, use, configure and display the GitGuardian Services. GitGuardian represents, warrants and states as a condition of this Agreement that GitGuardian has the right to grant the rights provided to Client hereunder.
2.3 Unless otherwise agreed in the Order Form, Client will be invoiced at the Start Date for the delivery of the Services outlined in the Order Form, and all sums due shall be payable within thirty (30) days of Client's receipt of an accurate invoice.
If Client fails to pay any undisputed amounts as per the payment terms indicated in the corresponding Order Form, GitGuardian reserves the right, in addition to taking any other action at law or equity, to charge interest on overdue amount at a rate of five percent (5%) per annum above the European Central Bank (ECB) deposit facility rate (or, if the applicable currency is not the Euro, the equivalent benchmark rate for that currency, such as the Secured Overnight Financing Rate (SOFR) for USD), from the date on which payment became overdue until the date of actual payment in full.
3. AVAILABILITY AND SUPPORT. GitGuardian guarantees Support and Availability of its Services and support as described in the corresponding Service Schedule, in accordance with Services purchased by Client.
4. TERM. This Agreement will commence on the Effective Date and will remain in force until the end date set forth in the applicable Order Form(s). Unless otherwise terminated by either party in accordance with the terms of this Agreement, the term of each Order Form will renew automatically, unless either party provides the other party with written notice of non-renewal at least 60 days prior to the end of the then-current term.
5. INTELLECTUAL PROPERTY RIGHTS.
GitGuardian Materials. All right, title, and interest in and to the GitGuardian Materials, including all Intellectual Property Rights therein, are and will remain with GitGuardian. Client has no right, license, or authorization with respect to any of the Services except as expressly set out in this Agreement. All other rights in and to the GitGuardian Materials are expressly reserved by GitGuardian.
6. ADDITIONAL RIGHTS
Performance Data. GitGuardian may (i) collect, analyse and otherwise process Performance Data internally for its business purposes, including for the purposes of security and analytics, to improve and enhance the Services, or for other development, diagnostic and corrective purposes in connection with the Services or other GitGuardian products or services, and (ii) publicly disclose Performance Data only in an aggregated and/or de-identified form in connection with its business in a manner that does not identify Client or any of its Users.
7. CONFIDENTIAL INFORMATION.
The Recipient will: (a) hold the Confidential Information in confidence; (b) restrict disclosure of such Confidential Information to those of its employees, affiliates’ employees, or agents with a need to know such information solely for the purposes of this Agreement and who have previously agreed (e.g. as a condition to their employment or agency) to be bound by substantially similar terms of confidentiality and non-disclosure as those contained in this Agreement and which would extend to the Confidential Information; (c) use such Confidential Information solely for the purposes of this Agreement unless otherwise specified in writing by the Discloser; and (d) neither decompile nor modify, and will not reverse-compile, reverse-assemble or reverse-engineer the Confidential Information. The Recipient agrees that any Confidential Information shall be handled with at least the same degree of care which it applies to its own confidential information, but in no event, less than a reasonable degree of care. The Recipient understands that the Discloser’s Confidential Information shall remain the Discloser’s property. The obligations of confidentiality of this Agreement will not apply to Confidential Information to the extent it: (a) is or was made publicly available, even for a short period of time, due to no fault of the Recipient; (b) was lawfully received by the Recipient from a third party without such restrictions; (c) was known to the Recipient, its employees, affiliate’s employees or agents without such restrictions prior to its receipt from the Discloser, as shown by documents and other competent evidence in the Recipient’s possession; or (d) was independently developed by the Recipient without access to or use of the Confidential Information of the Discloser, as shown by competent evidence in the Recipient’s possession.
The Recipient may disclose Confidential Information pursuant to any statutory or regulatory authority or court order, provided that: (i) the Recipient gives the Discloser prior written notice of such requirement, (ii) the scope of such disclosure is limited to that which is legally required, and (iii) the Recipient reasonably cooperates with the Discloser, at the Discloser’s expense, in the Discloser’s efforts to ensure that the Confidential Information will be subject to a protective order or other legally available means of protection. No other use of Confidential Information is permitted, except as stated in this Agreement. Upon written request of the Discloser, all copies of Confidential Information in the possession of the Recipient, its employees, affiliate’s employees, or agents will be returned to the Discloser or promptly destroyed with a written statement of compliance by a duly authorized officer and/or person authorized to make such a statement. Recipient agrees that in the event of a breach of confidentiality obligations set forth herein, monetary damages may be inadequate to compensate Discloser for any breach and that, in addition to other remedies that may exist at law or in equity, the Discloser may seek injunctive relief and/or specific performance.
8. FEEDBACK. All written or oral comments, ideas and suggestions made by Users to GitGuardian (including regarding product experience, functionality, performance, accuracy, consistency, and ease of use of the same) (“Feedback”) may be freely utilized by GitGuardian without attribution or compensation of any kind to Client.
GitGuardian may fully exercise and exploit such Feedback for the purpose of (i) improving the operation, functionality and use of GitGuardian’s existing and future product offerings and commercializing such offerings; and (ii) publishing aggregated statistics about the quality of the Services, provided that no data in any such publication will be used to specifically identify Client, its employees or Client’s proprietary software code.
9. WARRANTIES AND DISCLAIMERS.
9.1 General Warranty. Each Party represents and warrants that it has the legal power and authority to enter into this Agreement, and that this Agreement and each Order Form is entered into by an employee or agent of such Party with all necessary authority to bind such Party to the terms and conditions of this Agreement.
9.2 Warranty Disclaimer. EXCEPT AS PROVIDED IN THIS AGREEMENT, THE GITGUARDIAN SERVICES AND CONFIDENTIAL INFORMATION ARE FURNISHED AS IS, EXCLUSIVE OF ANY WARRANTY, INCLUDING ALL WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, OR ANY OTHER WARRANTY OR INDEMNITY, WHETHER STATUTORY, EXPRESS OR IMPLIED. GITGUARDIAN DOES NOT MAKE ANY OTHER WARRANTIES AND REPRESENTATIONS OF ANY KIND. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, PROVIDED BY GITGUARDIAN OR ANYWHERE ELSE WILL CREATE ANY WARRANTY OR CONDITION NOT EXPRESSLY STATED IN THIS AGREEMENT.
10. INDEMNIFICATION.
10.1 GitGuardian. GitGuardian shall indemnify, defend, or at its option, settle, and hold Client and Client’s Affiliates, harmless from losses incurred from a third-party claim: (a) arising out of GitGuardian’s fraud, gross negligence or wilful misconduct; or, (b) that the GitGuardian Services furnished by GitGuardian under this Agreement infringes a patent, trademark, copyright, or trade secret of any third party, and shall pay all costs, expenses, and damages in connection therewith.
10.2 Client. Client shall indemnify, defend, or at its option, settle, and hold GitGuardian and GitGuardian’s Affiliates, and each of its and their officers, directors, employees, consultants, agents, successors and assigns harmless from and against all losses arising out of Client’s: (a) fraud, gross negligence or wilful misconduct; or, (b) breach of Sections 5 “Intellectual Property Rights” and 6 “Additional Rights, Restrictions and Limitations”.
10.3 Indemnification Procedure. Each party will promptly notify the other party in writing of any claim for which such party believes it is entitled to be indemnified pursuant to this Section 11. The party seeking indemnification (the "Indemnitee") shall cooperate with the other party (the "Indemnitor") at the Indemnitor's sole cost and expense. The Indemnitor shall promptly assume control of the defense and shall employ counsel to handle and defend the same, at the Indemnitor's sole cost and expense. The Indemnitee may participate in and observe the proceedings at its own cost and expense with counsel of its own choosing. The Indemnitor shall not settle any claim in any manner that adversely affects the rights of any Indemnitee without the Indemnitee's prior written consent, which shall not be unreasonably withheld or delayed. The Indemnitee's failure to perform any obligations under this Section 11 will not relieve the Indemnitor of its indemnification obligations, except to the extent that the Indemnitor can demonstrate that it has been materially prejudiced because of such failure.
Mitigation. If any of the Services are, or in GitGuardian’s reasonable opinion are likely to be, claimed to infringe, misappropriate, or otherwise violate any third-party intellectual property right, or if Client's use of the Services is enjoined or threatened to be enjoined, GitGuardian may, at its option and sole cost and expense: (a) obtain the right for Client to continue to use the Services materially as contemplated by this Agreement; (b) modify or replace the Services, in whole or in part, to seek to make the Services (as so modified or replaced) non-infringing, while providing materially equivalent features and functionality, in which case such modifications or replacements will constitute Services under this Agreement; or, (c) by written notice to Client, terminate this Agreement and require Client to immediately cease any use of the Services, provided that Client will be entitled to a refund of any pre-paid fees for Services not delivered as of the termination date. THIS SECTION 11 SETS FORTH CLIENT’S SOLE REMEDIES AND GITGUARDIAN'S SOLE LIABILITY AND OBLIGATION FOR ANY ACTUAL, THREATENED, OR ALLEGED CLAIMS THAT THE SERVICES INFRINGE, MISAPPROPRIATE, OR OTHERWISE VIOLATE ANY INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY. In no event shall GitGuardian, its Affiliates, and each of their employees, agents and sub-contractors have any liability or obligation under this Section 11 if the alleged infringement is based on: (a) a modification of the Services by Client; (b) Client’s use of the Services in a manner contrary to the Documentation; or (c) Client’s use of the Services after notice of the alleged or actual infringement from GitGuardian or any appropriate authority.
11. LIMITATION OF LIABILITY. IN NO EVENT SHALL EITHER PARTY OR AN AFFILIATE BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR PUNITIVE LOSS OR DAMAGES ARISING FROM OR CONNECTED WITH THIS AGREEMENT, UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE, REGARDLESS OF WHETHER SUCH DAMAGE WAS FORESEEABLE, WHETHER OR NOT THAT PARTY OR AFFILIATE HAD BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES. Except with respect to the indemnification obligations stated in Section 11, a party’s breach of its confidentiality obligations set forth herein, and liability which cannot be excluded or limited by applicable law, neither party shall be liable or obligated under any breach of this Agreement (i) for any amounts in excess of the fees paid to GitGuardian (or Authorized Partner, where applicable) hereunder by Client under the applicable Order Form(s) for the 12-month preceding period or (ii) for a Force Majeure Event. Because Client assumes responsibility and liability for Client’s Affiliates, no Client Affiliate shall have any liability or obligation to GitGuardian for any breach of this Agreement. Notwithstanding anything in this Agreement to the contrary, GitGuardian may not seek damages for any claim from both Client and any Client Affiliate.
12. TERMINATION. Unless otherwise specified in this Agreement, if one of the parties materially breaches any of its obligations under this Agreement, the injured party may, fifteen (15) calendar days after having given the other party formal notice to perform its obligations in writing which has remained unanswered, terminate all or part of the Agreement, without prejudice to any damages and interest. Either party reserves the right to terminate this Agreement immediately upon written notice, but without giving the other party a cure period, if Client breaches any of the terms of this Agreement relating to GitGuardian's intellectual property or if either party breaches the confidentiality obligations. When the Agreement terminates or expires: (i) the term of the Services will immediately end; (ii) Client will no longer have the right to use the Services, and any rights granted in the Agreement will automatically cease to exist as of the date of termination or expiration; (iii) if any fees were owed prior to termination, Client must pay those fees immediately; (iv) each party will promptly return to the other (or, if the other party requests it, destroy) all Confidential Information belonging to the other. Any terms or sections which by their nature should reasonably survive will survive the termination or expiration of this Agreement.
13. VERIFICATION OF USE AND ACCESS TO SERVICES. Client acknowledges and agrees to only use the Services within the limits of the number of developer seats and/or Subscription Licenses indicated in the Order Form. Client is solely responsible for monitoring the use and access of the Services within the limits of the permitted number of developer seats and/or Subscription Licenses limits. GitGuardian has the right to request in writing an audit of Client access and use of the Services (i) at any time during the term indicated in the Order Form, if GitGuardian reasonably believes or has reason to believe that Client is exceeding the limit of the number of developer seats and/or Subscription Licenses or is accessing the Services without permission; or (ii) if the term of the applicable Order Form is granted for a period of more than one year, at the end of every year. If Client is found to exceed the limit of the number of developer seats and/or Subscription Licenses, Client will be charged by GitGuardian or Authorized Partner, where applicable, for the additional developer seats and/or Subscription Licenses. Client agrees to pay the relevant fees corresponding to these additional developer seats. Failure to provide such access for an audit to GitGuardian is a material breach of the Agreement and GitGuardian has the right to terminate this Agreement as set forth in the MSA.
14. INSURANCE. GitGuardian agrees to maintain no less than the following amounts of insurance during the term of this Agreement: (a) 2 million USD in commercial general liability, per occurrence and in the aggregate; (b) 2 million USD in errors and omissions/professional liability, per occurrence and in the aggregate; and, (c) 2 million USD in cyber-liability insurance, per occurrence and in the aggregate. All insurance policies will be issued by insurance companies with an AM Best Rating of no less than A-VII. Upon receipt of a written request, GitGuardian will provide Client with a copy of its certificate of insurance evidencing the foregoing coverage.
15. MISCELLANEOUS
15.1. ASSIGNMENT. Neither party may assign or otherwise transfer any of its rights or obligations under this Agreement, in whole or in part, without prior written consent of the other party, such consent not to be unreasonably withheld, and any attempt to do so will be null and void, except to (i) an Affiliate or (ii) a party that acquires or assumes all or substantially all of a party’s business, except in the event that this assignment involves a competitor of the non-assigning party.
15.2. COMPLIANCE WITH LAWS AND DATA PRIVACY AND PROTECTION. Each party hereby represents and warrants to the other party that it will fully comply with any and all applicable federal, state and local laws, rules, and regulations. GitGuardian further warrants that it will fully comply with all relevant export laws and regulations.
15.3. DISPUTE RESOLUTION. The parties agree that in the event of a dispute or alleged breach they will work together in good faith to resolve the matter internally by escalating it to higher levels of management and, if necessary, to use a mutually agreed upon alternative dispute resolution mechanism prior to resorting to litigation. If Client is domiciled in the United States, Canada, Mexico, or a country in Central or South America or the Caribbean (the "Americas"), this Agreement will be governed by and construed in accordance with the laws of the State of New York, as if performed wholly within the state and without giving effect to the principles of conflict of law. For such Clients, any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in the State of New York and the parties hereby consent to personal jurisdiction and venue therein. If Client’s principal office is outside the Americas, this Agreement will be governed by the laws of France, any legal action or proceeding arising under this Agreement will be brought exclusively in the courts located in Paris, and the Parties hereby consent to personal jurisdiction and venue therein. Notwithstanding the foregoing, GitGuardian may bring a claim for equitable relief in any court with proper jurisdiction.
15.4. SEVERABILITY. If any provision or provisions of this Agreement shall be held to be invalid, illegal or unenforceable, such provision shall be enforced to the maximum extent permissible, and the validity, legality and enforceability of the remaining provisions shall not in any way be affected or impaired thereby.
15.5. EXECUTION. This Agreement may be executed in any number of counterparts and executed by facsimile, executed electronically using electronic signature or by other electronic communication used by the parties.
15.6. ENTIRE AGREEMENT. This Agreement including its exhibits and attachment(s) constitutes the entire agreement between the parties with reference to this transaction; and the provisions of this Agreement other than its attachment(s) shall prevail over and supersede any inconsistencies in its attachment(s) content. The terms of any purchase order, written terms or conditions, or other document that Client submits to GitGuardian that contains terms that are different from, in conflict with, or in addition to the terms of this Agreement, or any Order Form will be void and of no effect.
15.7. AMENDMENT. Any modification of this Agreement must be made in writing and be signed by authorized representatives of both parties.
15.8. WAIVER. Neither the failure nor any delay on the part of a party to exercise any right, remedy, power or privilege under this Agreement shall operate as a waiver thereof. No waiver shall be effective unless it is in writing and is signed by the party asserted to have granted such waiver.
15.9. INDEPENDENT CONTRACTOR. The parties agree that GitGuardian is an independent contractor and, as such, GitGuardian is not a partner, agent, employee or principal of Client. GitGuardian will not act for or in the place of Client in Client’s relations with third parties. GitGuardian, not Client, shall be responsible for withholding or deducting from the compensation of GitGuardian's employees, agents and subcontractors, any sums for federal or state income taxes, social security, unemployment compensation, medical, dental, workers' compensation or disability insurance coverage, and the like.
SERVICE SCHEDULE 1 - SaaS module
I. DESCRIPTION OF SAAS SERVICES
GitGuardian is a cybersecurity company that helps companies secure their software development lifecycle by detecting API keys and other authentication credentials (together, “Secrets”) in source code.
GitGuardian may provide, at Client’s request, either of the following Services:
A. PUBLIC MONITORING
GitGuardian’s Public Monitoring dashboard offered as a software as a service solution shall be provided to Client and enable Client to: (i) Monitor the official public repositories listed under Client official GitHub organization (if any), or any other sources supported by GitGuardian; (ii) Have visibility over, and analyse its developers’ public activity on GitHub; (iii) Monitor the personal public repositories listed under the accounts of developers identified as part of the Client’s perimeter; (iv) Detect exposed API keys and other authentication credentials (“Secrets”) using probabilistic algorithms; (v) Detect the presence of Client specific/defined keywords in the monitored perimeter; (vi) Get alerted for potential leaks of Secrets; (vii) Investigate and prioritize incidents; (viii) Collect feedback from developers involved; (ix) Search in public GitHub data using GitGuardian's (proprietary) search engine; (x) Resolve or ignore Secrets incidents and specify the reason; (xi) Manage user roles and access permissions.
B. GITGUARDIAN PLATFORM
- GITGUARDIAN PUBLIC MONITORING:
GitGuardian’s Public Monitoring dashboard offered as a software as a service solution shall be provided to Client and enable Client to: (i) Monitor the official public repositories listed under Client official GitHub organization (if any), or any other sources supported by GitGuardian; (ii) Have visibility over, and analyse its developers’ public activity on GitHub; (iii) Monitor the personal public repositories listed under the accounts of developers identified as part of the Client’s perimeter; (iv) Detect exposed API keys and other authentication credentials (“Secrets”) using probabilistic algorithms; (v) Get alerted for potential leaks of Secrets; (vii) Investigate and prioritize incidents; (viii) Collect feedback from developers involved; (ix) Resolve or ignore Secrets incidents and specify the reason; (x) Manage user roles and access permissions.
- GITGUARDIAN SECRETS DETECTION:
GitGuardian’s Secrets Detection solution offered in the form of a dashboard, an API, as well as a command line interface and shall be provided to Client and enable Client to: (i) Monitor public and private code repositories listed under Client official GitHub, GitLab, Azure Repos, Bitbucket Data Center/Server accounts (if any), or other code-scanning data sources supported by GitGuardian for Secrets, which list shall be communicated by GitGuardian; (ii) Scan Client Continuous Integrations and Continuous Deployment (CI/CD) pipelines and Docker images for Secrets with GitGuardian's command-line interface application (ggshield); (iii) Set up git hooks to scan developers’ workstations using GitGuardian’s command-line interface application (ggshield); (iv) Detect Secrets using probabilistic algorithms; (v) Get alerted for potential exposure of Secrets in the code repositories listed under Client official accounts or on third-party public repositories hosted on GitHub.com; (vi) Investigate and prioritize Secrets incidents; (vii) Collect feedback from developers involved in Secrets incidents; (viii) Resolve or ignore Secrets incidents and specify the reason; (ix) Manage user roles and access permissions.
- NHI GOVERNANCE:
GitGuardian’s NHI Governance solution offered in the form of a dashboard, an API, as well as a command line interface which enables Client to: (i) Discover secrets and related non-human identities scattered in their different toolset from the Client’s Secrets Managers, workloads, machines, IaC providers, and any other sources supported by GitGuardian; (ii) Discover and maintain an up-to-date inventory of their secrets and tied non-human identities in one single pane of glass; (iii) Get detailed context such as consumers, accessed resources and scopes around each secret; (iv) Prioritize, investigate and remediate secrets that breached a pre-defined ruleset of policies; (v) Manage enumerated secrets and tied identities continuously across their entire lifecycle; (vi) Assess and improve their security posture and secrets management hygiene.
- GITGUARDIAN HONEYTOKEN:
GitGuardian’s Honeytokens are decoy credentials that act as tripwires to reveal information about the attacker (e.g. IP Address, user agent, location, etc.). They do not allow access to any actual Client resources or data. They are offered in the form of a dashboard, an API, as well as a command line interface and shall be provided to Client and enable Client to: (i) Create and manage honeytokens; (ii) Detect honeytoken deployment within code repositories; (iii) Monitor honeytoken usage and review event logs; (iv) Get alerted for potential indicators of compromise by way of triggered honeytokens; (v) Detect exposure of honeytokens on public GitHub repositories.
- GITGUARDIAN OTHER DATA SOURCES:
GitGuardian’s ODS Secrets Detection solution is offered in the form of a dashboard, an API, as well as a command line interface, and shall be provided to Client and enable Client to: (i) monitor other data sources, such as Messaging tools (e.g. Slack, Teams, Emails), File Storage (e.g. OneDrive, GoogleDrive), Knowledge Management (e.g. SharePoint, Confluence); (ii) Detect Secrets using probabilistic algorithms; (iii) Get alerted for potential exposure of Secrets in the other data sources listed herein; (iv) Investigate and prioritize Secrets incidents; (v) Collect feedback from developers involved in Secrets incidents; (vi) Resolve or ignore Secrets incidents and specify the reason; (vii) Manage user roles and access permissions.
II. ADDITIONAL TERMS TO MSA
- Definitions
“Client Data” means any data input into the Services by Users for the purpose of using the Services, including the information, data, and other content that is collected, downloaded, or otherwise received from Client or a User by or through the Services. For the avoidance of doubt, Client Data does not include Performance Data or any other information reflecting the access or use of the Services by or on behalf of Client or any User.
“User” means an individual employee, agent or contractor of Client or Client’s Affiliate for whom subscriptions to Services have been purchased under the terms of this Agreement, and who has been supplied user credentials for the Services by Client or its Affiliate (or by GitGuardian at Client’s request).
- Right to Use
GitGuardian grants Client and its Affiliates a worldwide, non-sublicensable, non-transferable, non-exclusive, and revocable (only as set forth in the termination provisions) license for Client and its Affiliates to use the software as part of and for the term of the Agreement, but solely as necessary to benefit from the Services. All GitGuardian rights not expressly granted by this license are hereby retained. Client acknowledges that it may only use the Services for its own internal purposes and on its own behalf, excluding any use on behalf of third parties.
- Restrictions on Use
3.1 General obligations. Client and its Affiliates will not (i) license, sublicense, sell, resell, transfer, assign, distribute, or commercially exploit or make the Services available to any unauthorised third party in any way; (ii) modify or make derivative works based upon the Services; (iii) remove or alter any proprietary markings from the Services; (iv) access the Services to build a competitive product or service, or to copy any feature or function of the Services; (v) interfere with or disrupt the integrity of performance of the Services; (vi) attempt to gain unauthorized access to the Services or their related systems or networks; or (vii) reverse engineer, disassemble or de-compile the source code of the GitGuardian Services. Client and its Affiliates are prohibited from using the Services to engage in malicious or illegal activities or facilitate the purchases or sales of any illegal products and services. Under this Agreement Client and Client’s Affiliates will have no claim to the copyrights, trade secrets, patents, trademarks or other proprietary rights in the GitGuardian Services or in any modifications, enhancements and other works derivative of the GitGuardian Services.
3.2 Suspension of use and access to Services. GitGuardian reserves the right to suspend Client access to or use of the Services with fifteen (15) days written notice in the event that GitGuardian (i) reasonably suspects that Client is exceeding the permitted number of developer seats; (ii) reasonably suspects that Client is using the Services in an unauthorized manner which is not in compliance with the Agreement or (iii) does not receive payment by Client or Authorized Partner within the date mentioned in the applicable Order Form. In the event that GitGuardian suspends access or use by Client to Services, then GitGuardian may terminate this Agreement as set forth in the MSA.
- Additional Intellectual Property Rights
4.1 Client Data. As between Client and GitGuardian, Client is and will remain the sole and exclusive owner of all right, title, and interest in and to all Client Data, including all Intellectual Property Rights relating thereto, subject to the rights and permissions granted in Section 4.2.
4.2 Consent of Rights to GitGuardian. Client hereby grants all such rights and permissions in or relating to Client Data as are necessary to enable GitGuardian to perform the Services and otherwise exercise its rights and obligations hereunder. In accordance with Section “Feedback” of the MSA, Client hereby irrevocably transfers and assigns to GitGuardian all Intellectual Property Rights embodied in, or arising in connection with, Feedback.
- Additional Warranties and Disclaimers
5.1 GitGuardian warrants that the Services will perform substantially in accordance with the Documentation and that all support will be performed with reasonable skill and care (“Warranty”). If the Services do not conform with the foregoing Warranty, GitGuardian will, at its expense, use all reasonable commercial efforts to promptly correct any such non-conformance. Such correction constitutes Client's sole and exclusive remedy for any breach of the Warranty.
5.2 Notwithstanding the Warranty, Client acknowledges and agrees that: (i) the Warranty does not apply to the extent of any non-conformance which is caused by the use of the Services by Client that is not in accordance with the Documentation; (ii) the Services will evolve over time and that functionality may be added and removed from time to time, provided that GitGuardian will not materially degrade the Services, (iii) GitGuardian is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over third party communications networks, including the internet.
5.3 GitGuardian represents and warrants that the Services do not contain any malicious code, including any viruses, malware, disabling code, time bombs, or Trojan horses.
- Personal Data Processing
The Parties agree to comply with the Data Processing Addendum, which is incorporated into this Agreement, and can be found at the following link https://www.gitguardian.com/legal/data-processing-addendum.
- Availability of Services and Support
7.1 Additional definitions
“Available”: The Service will be deemed “available” so long as Authorized Users are able to login to the Service interface and access monitoring data over the internet; “Availability” has a correlative meaning. Availability is assessed from the point where the Services are made available from GitGuardian’s hosting provider and measured in minutes over the course of each calendar month during the Term of this Agreement.
“Exceptions” means any of: (a) Client’s failure to correctly configure the Services; (b) failures of, or issues with, Client’s environment; (c) Force Majeure Events; or (d) maintenance during a window for which GitGuardian provides notice by email or through the Services, provided always that: (i) GitGuardian gives Client at least 7 days prior written notice of such maintenance; (ii) such maintenance period will not exceed ten (10) hours in any month during the term of the applicable Order Form(s).
7.2 Service Level Commitment
GitGuardian will make each Service purchased by Client pursuant to this Agreement Available at least 99.5% of the time, exclusive of any time the Service is not Available as a result of one or more Exceptions (the “Availability Standard”). If the actual Availability of the Service is less than the Availability Standard in any three months within a consecutive 12 month period during the Term of any Order Form(s) under the Agreement, Client may terminate the corresponding Order Form upon written notice to GitGuardian. Client may request Availability information by submitting a Support Request. Additionally, each calendar month, GitGuardian will make available to Client a report detailing its actual performance during the prior calendar month against the Availability Standard. Such report shall be delivered via a secure dashboard (currently available at https://gitguardian.statuspage.io/), with the ability for Client to subscribe to updates via email. In the event of such termination, GitGuardian will issue Client a Pro-Rated Refund (as defined in Section III below).
7.3 Refunds
If an Order Form is terminated early by Client pursuant to this Section: (a) Client shall not be obligated to pay any additional amounts specified in the Order Form following the effective date of termination and (b) GitGuardian will refund to Client a pro-rata share of any unused amounts prepaid by Client under the applicable Order Form for the Service on the basis of the remaining portion of the current Order Form term (a “Pro-Rated Refund”).
7.4 Force Majeure
Neither Party shall be liable or responsible to the other Party, nor be deemed to have defaulted under or breached this Agreement, for any failure or delay in fulfilling or performing any term of this Agreement to the extent such failure or delay is caused by a Force Majeure Event, in each case, provided the event is outside the reasonable control of the affected Party, the affected Party provides prompt notice to the other Party, stating the period of time the occurrence is expected to continue, and the affected Party uses diligent efforts to end the failure or delay and minimize the effects of such Force Majeure Event.
7.5 Support
GitGuardian will respond to errors or failures of the Services (“Errors”) within the Error Response Times set forth in the table below and resolve or correct the Errors within the Error Resolution Times set forth below:
Business Plan:
Enterprise Plan:
Enterprise Plan:
For these Error Response Times and Error Resolution Times to apply, support tickets have to be opened by Client through the GitGuardian support portal at https://gitguardian.zendesk.com and the priority needs to be set by the Client accordingly.
Upon receiving tickets marked as Urgent from Client, GitGuardian will re-assess severity and reserves the right to decrease ticket severity if the ticket content doesn’t match the criteria listed above.
All tickets and written support shall be in English.
Hours and days of operation:
- Business Plan: Business hours and days.
- Enterprise Plan: Business hours and days, with priority ticket handling.
- Premium Care Plan: From Monday 9:00 AM Paris time to Friday 6:00 PM Pacific time, with priority ticket handling.
For the avoidance of doubt, “Business hours” are from 9AM to 6PM Pacific time if You are based in the Americas and 9AM to 6PM Paris time if You are located outside of the Americas.
For the avoidance of doubt, “Business days” means Monday to Friday, excluding Saturday, Sunday and any French bank holidays if You are based outside of the Americas, and if You are based in the Americas, Monday to Friday, excluding Saturday, Sunday, and the recognized closure days for the following holidays: New Year’s Day, Martin Luther King, Jr. Day, Memorial Day, Independence Day, Labor Day, Thanksgiving Day, and Christmas Day.
7.6 Service credits.
If GitGuardian fails to meet the Monthly Average Error Response Time or Monthly Average Error Resolution Time in a given calendar month, You will receive service credit equal to a one-week extension of the term of the Order Form. “Monthly Average” means, for each Error severity level and for each Service, the average Response Time or Resolution Time for all Errors of that severity level reported during the applicable calendar month. Service credits are Your sole remedy for GitGuardian’s failure to meet the Monthly Average Error Response Time or Monthly Average Error Resolution Time.
SERVICE SCHEDULE 2 - Self-Hosted Module
I. DESCRIPTION OF SELF-HOSTED SERVICES
GitGuardian is a cybersecurity company that helps companies secure their software development lifecycle by detecting API keys and other authentication credentials (together, “Secrets”) in source code.
GitGuardian may provide, at Client’s request, either of the following Services:
GITGUARDIAN PLATFORM
- GITGUARDIAN PUBLIC MONITORING:
GitGuardian’s Public Monitoring dashboard offered as a software as a service solution shall be provided to Client and enable Client to: (i) Monitor the official public repositories listed under Client official GitHub organization (if any), or any other sources supported by GitGuardian; (ii) Have visibility over, and analyse its developers’ public activity on GitHub; (iii) Monitor the personal public repositories listed under the accounts of developers identified as part of the Client’s perimeter; (iv) Detect exposed API keys and other authentication credentials (“Secrets”) using probabilistic algorithms; (v) Get alerted for potential leaks of Secrets; (vii) Investigate and prioritize incidents; (viii) Collect feedback from developers involved; (ix) Resolve or ignore Secrets incidents and specify the reason; (x) Manage user roles and access permissions.
- GITGUARDIAN SECRETS DETECTION:
GitGuardian’s Secrets Detection solution is offered in the form of a dashboard, an API, as well as a command line interface and shall be provided to Client and enable Client to: (i) Monitor public and private code repositories listed under Client official GitHub, GitLab, Azure Repos, Bitbucket Data Center/Server accounts (if any), or other code-scanning data sources supported by GitGuardian for Secrets, which list shall be communicated by GitGuardian; (ii) Scan Client Continuous Integrations and Continuous Deployment (CI/CD) pipelines and Docker images for Secrets with GitGuardian's command-line interface application (ggshield); (iii) Set up git hooks to scan developers’ workstations using GitGuardian’s command-line interface application (ggshield); (iv) Detect Secrets using probabilistic algorithms; (v) Get alerted for potential exposure of Secrets in the code repositories listed under Client official accounts or on third-party public repositories hosted on GitHub.com; (vi) Investigate and prioritize Secrets incidents; (vii) Collect feedback from developers involved in Secrets incidents; (viii) Resolve or ignore Secrets incidents and specify the reason; (ix) Manage user roles and access permissions.
- NHI GOVERNANCE:
GitGuardian’s NHI Governance solution is offered in the form of a dashboard, an API, as well as a command line interface which enables Client to: (i) Discover secrets and related non-human identities scattered in their different toolset from the Client’s Secrets Managers, workloads, machines, IaC providers, and any other sources supported by GitGuardian; (ii) Discover and maintain an up-to-date inventory of their secrets and tied non-human identities in one single pane of glass; (iii) Get detailed context such as consumers, accessed resources and scopes around each secret; (iv) Prioritize, investigate and remediate secrets that breached a pre-defined ruleset of policies; (v) Manage enumerated secrets and tied identities continuously across their entire lifecycle; (vi) Assess and improve their security posture and secrets management hygiene.
- GITGUARDIAN HONEYTOKEN:
GitGuardian’s Honeytokens are decoy credentials that act as tripwires to reveal information about the attacker (e.g. IP Address, user agent, location, etc.). They do not allow access to any actual Client resources or data. They are offered in the form of a dashboard, an API, as well as a command line interface and shall be provided to Client and enable Client to: (i) Create and manage honeytokens; (ii) Detect honeytoken deployment within code repositories; (iii) Monitor honeytoken usage and review event logs; (iv) Get alerted for potential indicators of compromise by way of triggered honeytokens; (v) Detect exposure of honeytokens on public GitHub repositories.
- GITGUARDIAN OTHER DATA SOURCES:
GitGuardian’s ODS Secrets Detection solution is offered in the form of a dashboard, an API, as well as a command line interface, and shall be provided to Client and enable Client to: (i) monitor other data sources, such as Messaging tools (e.g. Slack, Teams, Emails), File Storage (e.g. OneDrive, GoogleDrive), Knowledge Management (e.g. SharePoint, Confluence); (ii) Detect Secrets using probabilistic algorithms; (iii) Get alerted for potential exposure of Secrets in the other data sources listed herein; (iv) Investigate and prioritize Secrets incidents; (v) Collect feedback from developers involved in Secrets incidents; (vi) Resolve or ignore Secrets incidents and specify the reason; (vii) Manage user roles and access permissions.
II. ADDITIONAL TERMS TO MSA
- Definitions
"Client Modifications" means Software modifications Client may make solely for the purpose of developing bug fixes, customizations, or additional features to any libraries licensed under open source licenses that may be included with or linked to by the Software.
"License Effective Date" means the effective date of each Order Form as stated therein.
"License Key" means the data file used by the Software's access control mechanism that allows Client to install, operate, and use the Software.
"Release" means a Software release that GitGuardian makes generally available to its customers, along with any corresponding changes to Documentation, that contains enhancements, new features, or new functionality.
"Software" means GitGuardian's proprietary GitGuardian Platform software. Software includes any applicable Documentation, any Updates to the Software that GitGuardian provides to Client or that Client can access under this Agreement.
“Subscription License” means the license assigned to each User to install, operate, access, and use the Software on Client’s behalf. Client may only assign one Subscription License per User across its GitGuardian Platform software instances. Each User will have access to as many of Client’s GitGuardian Platform software instances as Client permits. For clarity, however, once Client assigns a Subscription License to a User, Client will not be authorized to bifurcate the Subscription License so that one User can use a Subscription License on GitGuardian Platform software while another User uses the same Subscription License on another instance of GitGuardian Platform software.
"Subscription Term" means the period specified in any Order Form starting from the License Effective Date. In case of renewal, GitGuardian will provide a new License Key for Client to download that will allow continued use of the Software in accordance with the Order Form.
"Support" means technical support for the Software that GitGuardian may provide.
"Update" means a Software release that GitGuardian makes generally available to its customers, along with any corresponding changes to Documentation, that contains error corrections or bug fixes.
“User” means a single person or machine account that initiates the execution of the Software or interacts with or directs the Software in the performance of its functions. Any contributor to the project Client is securing with GitGuardian who has made at least one commit in the last ninety (90) days counts as a User, even if such contributor does not have direct access to GitGuardian’s dashboard. Contributors to Open Source projects however are not counted as Users.
- Software Licence Grant
GitGuardian grants to Client a non-exclusive, non-transferable, worldwide, royalty-free, limited-term license to install and use the Software for Client’s internal business purposes during the applicable Subscription Term, in accordance with the Documentation, and only for the number of Subscription Licenses stated in Client’s Order Form. GitGuardian represents, warrants and states as a condition of this Agreement that GitGuardian has the right to grant the rights provided to Client hereunder.
- License restrictions
Except as expressly permitted by law or by applicable third-party license, Client and its Affiliates must not and must not allow any unauthorised third party to: (i) sublicense, sell, rent, lease, transfer, assign, or redistribute the Software; (ii) host the Software for the benefit of third parties; (iii) disclose or permit any third party to access the Software, except as expressly permitted in Section 3; (iv) hack or modify the License Key, or avoid or change any license registration process; (v) except for Client Modifications, modify or create derivative works of the Software, or merge the Software with other software; (vi) disassemble, decompile, bypass any code obfuscation, or otherwise reverse engineer the Software or attempt to derive any of its source code, in whole or in part; (vii) modify, obscure, or delete any proprietary rights notices included in or on the Software or Documentation; or (viii) otherwise use or copy the Software or Documentation in a manner not expressly permitted by this Agreement. Client and its Affiliates are prohibited from using the Products to engage in malicious or illegal activities or facilitate the purchases or sales of any illegal products and services.
- Additional Intellectual Property Rights
As between the Parties, GitGuardian owns all right, title and interest, including all intellectual property rights, in and to the Products. GitGuardian reserves all rights in and to the Products not expressly granted to Client under this Agreement. The Agreement shall not grant to Client or its Affiliates any right of ownership over the Software.
- Subscription licenses
Subscription Licenses are granted on a per User basis and multiple Users may not use the same Subscription License. Client may reassign a Subscription License to a new User only after ninety (90) days from the last reassignment of that same Subscription License, unless the reassignment is due to (i) permanent hardware failure or loss, (ii) termination of the User’s employment or contract, or (iii) temporary reallocation of Subscription Licenses to cover a User’s absence. When Client reassigns a Subscription License from one User to another, Client must block the former User’s access to the Subscription License.
- Delivery
GitGuardian will make the License Key available for Client to download in a secure way. All deliveries under this Section 10 will be electronic. For the avoidance of doubt, Client is responsible for installation of any Software and acknowledges that GitGuardian has no further delivery obligation with respect to the Software after delivery of the License Key. As Updates become available, GitGuardian will make those available for download. Client must Update the Software on a commercially reasonable basis but no less than one (1) time per year. Client is responsible for maintaining the confidentiality of Client’s usernames and passwords.
- Support
7.1 Enterprise Support. GitGuardian will provide technical Support for the Software at no additional charge during Business hours and days, with priority ticket handling. For Support to apply, support tickets have to be opened by Client through the GitGuardian support portal at https://gitguardian.zendesk.com and the priority needs to be set by the Client accordingly. All tickets and written support shall be in English. For the avoidance of doubt, “Business hours” are from 9AM to 6PM Pacific time if Client is based in the Americas and 9AM to 6PM Paris time if Client is located outside of the Americas. For the avoidance of doubt, “Business days” means Monday to Friday, excluding Saturday, Sunday and any French bank holidays if Client is based outside of the Americas, and if the Client is based in the Americas, Monday to Friday, excluding Saturday, Sunday, and the recognized closure days for the following holidays: New Year’s Day, Martin Luther King, Jr. Day, Memorial Day, Independence Day, Labor Day, Thanksgiving Day, and Christmas Day.
7.2 Premium Care. GitGuardian may provide Premium Care during the Subscription Term as indicated in the Order Form. Premium Care will be offered from Monday 9:00 AM Paris time to Friday 6:00 PM Pacific time, with priority ticket handling.
For these Error Response Times to apply, support tickets have to be opened by Client through the GitGuardian support portal at https://gitguardian.zendesk.com and the priority needs to be set by the Client accordingly.
Upon receiving tickets marked as Urgent from Client, GitGuardian will re-assess severity and reserves the right to decrease ticket severity if the ticket content doesn’t match the criteria listed above.
All tickets and written support shall be in English.
7.3 Exclusions. GitGuardian will use reasonable efforts to correct any material, reproducible errors in the Software of which Client notifies GitGuardian. However, GitGuardian will not be responsible for providing Support where (i) someone (other than GitGuardian) modifies the Software; (ii) Client changes its operating system or environment in a way that adversely affects the Software or its performance; (iii) Client uses the Software in a manner other than as authorized under this Agreement or the Documentation; or (iv) there is negligence or misuse by Client of the Software.
7.4 Updates; Releases. GitGuardian will only Support a given Release of the Software for four (4) months from the last Update of the Release. If Client requires Support for earlier Releases of the Software, then Client must pay for that Support in accordance with the terms of a mutually agreed upon Order Form.
8. Limited Warranties
8.1 Limited Software Warranties. GitGuardian warrants that: (i) the unmodified Software, at the time it is made available to Client for download, will not contain or transmit any malware, viruses, or worms (otherwise known as computer code or other technology specifically designed to disrupt, disable, or harm Client’s software, hardware, computer system, or network), (ii) for ninety (90) days from the date it is made available for initial download, the unmodified Software will substantially conform to its Documentation, and (iii) the Products will be performed with reasonable skill and care. GitGuardian does not warrant that Client’s use of the Software will be uninterrupted, or that the operation of the Software will be error-free. Notwithstanding the foregoing, Client acknowledges and agrees that: (i) the warranty in this Section 14 does not apply to the extent of any non-conformance which is caused by the use of the Software by Client that is not in accordance with the Documentation; (ii) the Software will evolve over time and that functionality may be added and removed from time to time, provided that GitGuardian will not materially degrade the Software, (iii) GitGuardian is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over third party communications networks, including the internet. GitGuardian's only obligation, and Client’s sole and exclusive remedy for any breach of this warranty will be, at GitGuardian's option and expense, to either (a) repair the Software; (b) replace the Software; or (c) terminate this Agreement with respect to the defective Software, and refund the unused, prepaid fees for the defective Software during the then-current Subscription Term.
8.2 Beta Previews. Client may choose to use Beta Previews in its sole discretion. Beta Previews may not be supported and may be changed at any time without notice. Beta Previews may not be as reliable or available as the Software. Beta Previews are not subject to the same security measures to which the Software has been and is subject. GitGuardian will have no liability arising out of or in connection with Beta Previews. CLIENT USES BETA PREVIEWS AT ITS OWN RISK.