Uptick Service Agreement
Updated: May 18th, 2020
This Uptick Service Agreement (“Service Agreement”) describes your rights and responsibilities as a customer of our Services.
These Terms are between you and Uptick Labs Inc., a Delaware corporation (“Uptick”, “Provider”) located at 44 Montgomery Street, Suite 300, San Francisco, CA 94104. “You” or “Customer” means the company you represent is accepting this Service Agreement or, if that does not apply, then you individually. If You are accepting on behalf of your employer or another company, then You represent that You: (i) have full authority to bind your employer or company to this Service Agreement; and (ii) agree to this Service Agreement on behalf of your employer or company. The exception to this is if your employer or company has a separate written agreement with Uptick covering the use of the Services, in which case that agreement governs.
If You do not have the legal authority to bind your employer or company (or do not agree with this Service Agreement), then do not click the “confirm” button (or similar “I agree” checkbox) and do not use the Services.
To be eligible to register for an Uptick account, You must review and accept this Service Agreement. You may accept this Service Agreement by: (1) clicking a box indicating acceptance (such as an “I accept” or “confirm” button); or (2) executing an applicable order form that references this Service Agreement (each an “Order Form”).
This Service Agreement was last updated on May 4th, 2020. It is effective between You and Uptick as of the date of You accepting this Service Agreement.
1. Access and Use.
(a) Provision of Access. Subject to Customer’s full compliance with all terms and conditions of this Agreement, Provider hereby grants Customer a non-exclusive, non-transferable license to access and use the Services during the Term, solely by Authorized Users set forth in the applicable Order Form, for Customer’s internal use and in accordance with Provider’s documentation to the Services (“Documentation”). Provider shall provide to Customer the necessary user information and network links or connections to allow Customer to access the Services. Provider may in its sole discretion modify, enhance or otherwise change the Services, provided that such changes do not materially limit or adversely affect the Services provided to Customer hereunder.
(b) Use Restrictions. Customer shall not, directly or indirectly: (i) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to or attempt to discover the source code, object code or underlying structure, ideas or algorithms of the Services or any software, Documentation or data related to the Services (“Software”) (provided that reverse engineering is prohibited only to the extent such prohibition is not contrary to applicable law); (ii) copy, modify, translate, or create derivative works of the Services or Software, in whole or in part; (iii) use or access the Services or Software for timesharing or service bureau purposes or for any purpose other than for the internal benefit of Customer as set forth in this Agreement; (iv) rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Services or Software; (v) remove any product identification, proprietary, copyright or other notices from the Services or Software; (v) use the Services or Software in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any person, or that violates any applicable laws or regulations (including but not limited to any privacy laws, and laws or regulations concerning intellectual property, consumer and child protection, obscenity or defamation); or (vi) permit any third party to do any of the foregoing. Customer will use reasonable efforts to prevent any unauthorized use of the Services or the Software and will promptly notify Provider of any unauthorized use that comes to Customer’s attention and provide all reasonable cooperation to prevent and terminate such use.
(d) Reservation of Rights. Except for the limited rights and licenses expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Customer or any third party any intellectual property rights or other right, title, or interest in or to the Provider IP.
(e) Suspension. Notwithstanding anything to the contrary in this Agreement, Provider may temporarily suspend Customer’s and any Authorized End User’s access to any portion or all of the Services if Provider reasonably determines that there is a threat or attack on any of the Provider IP (“Suspension”). Provider shall use commercially reasonable efforts to provide prior notice of any Suspension to Customer and to provide updates regarding resumption of access to the Services following any Suspension. Provider will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Customer or any Authorized User may incur as a result of a Service Suspension.
2. Customer Data Security.
Provider will maintain commercially reasonable administrative, physical and technical safeguards for the Services to protect against the accidental or unauthorized access, use, alteration or disclosure of Customer Data properly uploaded to the Services and processed or stored on a computer and/or computer network owned or controlled by Provider in connection with the Services.
If, at any time, Provider fails to comply with this Section, Customer may promptly notify Provider in writing of any such noncompliance. Provider will, within thirty (30) days of receipt of such written notification, either correct the noncompliance or provide Customer with a plan for correcting the noncompliance. If the noncompliance is not corrected or if a reasonably acceptable plan for correcting it is not established during such period, Customer may terminate this Agreement as its sole and exclusive remedy for such noncompliance. Provider will use commercially reasonable efforts to manage Customer Data in accordance with the Information Security Policy set forth on Exhibit A.
3. Customer Responsibilities.
(a) General. Customer is responsible and liable for all uses of the Services and Documentation resulting from access provided by Customer, including all acts and omissions of Authorized Users. Customer shall make all Authorized Users aware of this Agreement’s provisions as applicable to such Authorized User’s use of the Services and shall cause Authorized Users to comply with such provisions.
(b) Third-Party Products. Provider may from time to time make third-party products provided with or incorporated into the Services (“Third-Party Products”) available to Customer. For purposes of this Agreement, such Third-Party Products are subject to their own terms and conditions and the applicable flow through provisions.
4. Fees and Payment.
(a) Fees. Customer shall pay Provider the fees (“Fees”) as set forth in the applicable Order Form without offset or deduction. Customer shall make all payments hereunder in US dollars on or before the due date set forth in the applicable Order Form. If Customer’s use of the Services exceeds the Service Capacity set forth on the applicable Order Form, Customer will be invoiced at the end of each calendar month for the excess usage over the Service Capacity, at the rate set forth on the applicable Order Form. If Customer fails to make any payment when due, without limiting Provider’s other rights and remedies: (i) Provider may charge interest on the past due amount at the rate of 1.0% per month calculated daily and compounded monthly or, if lower, the highest rate permitted under applicable law; (ii) Customer shall reimburse Provider for all costs incurred by Provider in collecting any late payments or interest, including attorneys’ fees, court costs, and collection agency fees; and (iii) if such failure continues for 10 days or more, Provider may suspend Customer’s and its Authorized Users’ access to any portion or all of the Services until such amounts are paid in full.
(b) Taxes. All Fees and other amounts payable by Customer under this Agreement are exclusive of taxes and similar assessments. Customer is responsible for all sales, use, and excise taxes, and any other similar taxes, duties, and charges of any kind imposed by any federal, state, or local governmental or regulatory authority on any amounts payable by Customer hereunder, other than any taxes imposed on Provider’s income.
5. Confidential Information.
From time to time during the Term, either Party may disclose or make available to the other Party information about its business affairs, products, confidential intellectual property, trade secrets, third-party confidential information, and other sensitive or proprietary information, whether or not marked, designated or otherwise identified as “confidential” (collectively, “Confidential Information”). Confidential Information does not include information that, at the time of disclosure is: (a) in the public domain; (b) known to the receiving Party at the time of disclosure; (c) rightfully obtained by the receiving Party on a non-confidential basis from a third party; or (d) independently developed by the receiving Party. The receiving Party shall not disclose the disclosing Party’s Confidential Information to any person or entity, except to the receiving Party’s employees or consultants who have a need to know the Confidential Information for the receiving Party to exercise its rights or perform its obligations hereunder. Notwithstanding the foregoing, each Party may disclose Confidential Information to the limited extent required (i) in order to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the Party making the disclosure pursuant to the order shall first have given written notice to the other Party and made a reasonable effort to obtain a protective order; or (ii) to establish a Party’s rights under this Agreement, including to make required court filings. Provider may use Customer Data to (i) provide the Services to Customer and perform this Agreement; and (b) to test, improve, and provide Provider products and services in a manner that does not disclose Customer Data or Confidential Information of Customer. 
If Customer or any of its employees or contractors sends or transmits any communications or materials to Provider by mail, email, telephone, or otherwise, suggesting or recommending changes to the Provider IP, including without limitation, new features or functionality relating thereto, or any comments, questions, suggestions, or the like (“Feedback”), Provider is free to use such Feedback irrespective of any other obligation or limitation between the Parties governing such Feedback. On the expiration or termination of the Agreement, the receiving Party shall promptly return to the disclosing Party all copies, whether in written, electronic, or other form or media, of the disclosing Party’s Confidential Information, or destroy all such copies and certify in writing to the disclosing Party that such Confidential Information has been destroyed. Each Party’s confidentiality obligations with regard to Confidential Information are effective as of the Effective Date and will expire three (3) years from the date first disclosed to the receiving Party; provided, however, with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), such obligations of non-disclosure will survive the termination or expiration of this Agreement for as long as such Confidential Information remains subject to trade secret protection under applicable law.
6. Warranties and Disclaimers.
(a) Mutual. Each Party represents and warrants that (i) it is duly organized, validly existing, and in good standing under the laws of the state of its organization; (ii) it has full power and authority to enter into this Agreement, to carry out its obligations under this Agreement, and to grant the rights granted to the other Party herein; (iii) the execution of this Agreement by such party, and the performance by such party of its obligations and duties hereunder do not and will not violate any other agreement to which such party is a party or by which it is otherwise bound; and (iv) it and its performance hereunder will comply with all applicable laws and regulations.
(b) Provider. Provider warrants that (i) it will not knowingly include, in any Software released to the public and provided to Customer hereunder, any computer code or other computer instructions, devices or techniques, including without limitation those known as disabling devices, trojans, or time bombs, that intentionally disrupt, disable, harm, infect, defraud, damage, or otherwise impede in any manner, the operation of a network, computer program or computer system or any component thereof, including its security or user data, and (iii) it will provide the support and professional services under this Agreement in a professional and workmanlike manner.
(c) Disclaimers. EXCEPT FOR THE LIMITED WARRANTY SET FORTH IN SECTION 8, THE PROVIDER IP IS PROVIDED “AS IS” AND PROVIDER HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. PROVIDER SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE. EXCEPT FOR THE LIMITED WARRANTY SET FORTH IN SECTION 8, PROVIDER MAKES NO WARRANTY OF ANY KIND THAT THE PROVIDER IP, OR ANY PRODUCTS OR RESULTS OF THE USE THEREOF, WILL MEET CUSTOMER’S OR ANY OTHER PERSON’S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR FREE.
(a) Provider Indemnification. Provider shall indemnify, defend, and hold harmless Customer from and against any and all losses, damages, liabilities, costs (including reasonable attorneys’ fees) (“Losses”) incurred by Customer resulting from any third-party claim, suit, action, or proceeding (“Third-Party Claim”) that the Services infringe or misappropriate such third party’s [US] patents, copyrights, or trade secrets, provided that Customer promptly notifies Provider in writing of the claim, cooperates with Provider, and allows Provider sole authority to control the defense and settlement of such claim. If such a claim is made or appears possible, Customer agrees to permit Provider, at Provider’s sole discretion, to (A) modify or replace the Services, or component or part thereof, to make it non-infringing, or (B) obtain the right for Customer to continue use. If Provider determines that neither alternative is reasonably available, Provider may terminate this Agreement, in its entirety or with respect to the affected component or part, effective immediately on written notice to Customer. This Section 9(a) will not apply with respect to portions or components of the Services (A) not created by Provider, including but not limited to Customer Data or Third-Party Products, (B) that are modified by anyone other than Provider where the alleged infringement relates to such modification, (C) combined with other products, processes or materials where the alleged infringement relates to such combination, (D) where Customer continues allegedly infringing activity after being notified thereof or after being informed of modifications that would have avoided the alleged infringement, or (E) where Customer’s use thereof is not strictly in accordance with this Agreement and all related documentation.
(b) Customer Indemnification. Customer shall indemnify, hold harmless, and, at Provider’s option, defend Provider from and against any Losses resulting from any Third-Party Claim that the Customer Data infringes or misappropriates such third party’s intellectual property rights, or any Claims excluded from indemnity obligation in Section 9(a) above, provided that Customer may not settle any Third-Party Claim against Provider unless Provider consents to such settlement, and further provided that Provider will have the right, at its option, to defend itself against any such Third-Party Claim or to participate in the defense thereof by counsel of its own choice.
(c) Sole Remedy. THIS SECTION 9 SETS FORTH CUSTOMER’S SOLE REMEDIES AND PROVIDER’S SOLE LIABILITY AND OBLIGATION FOR ANY ACTUAL, THREATENED, OR ALLEGED CLAIMS THAT THE SERVICES INFRINGE, MISAPPROPRIATE, OR OTHERWISE VIOLATE ANY INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY.
8. Limitations of Liability.
(a) Indirect Liabilities. IN NO EVENT WILL PROVIDER BE LIABLE UNDER OR IN CONNECTION WITH THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE, FOR ANY: (A) CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, ENHANCED, OR PUNITIVE DAMAGES; (B) INCREASED COSTS, DIMINUTION IN VALUE OR LOST BUSINESS, PRODUCTION, REVENUES, OR PROFITS; (C) LOSS OF GOODWILL OR REPUTATION; (D) USE, INABILITY TO USE, LOSS, INTERRUPTION, DELAY OR RECOVERY OF ANY DATA, OR BREACH OF DATA OR SYSTEM SECURITY; OR (E) COST OF REPLACEMENT GOODS OR SERVICES, IN EACH CASE REGARDLESS OF WHETHER PROVIDER WAS ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES OR SUCH LOSSES OR DAMAGES WERE OTHERWISE FORESEEABLE.
(b) Direct Liability. IN NO EVENT WILL PROVIDER’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE EXCEED THE TOTAL AMOUNTS PAID TO PROVIDER UNDER THIS AGREEMENT IN THE THREE MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
(c) Exclusions. THE FOREGOING LIMITATIONS IN THIS SECTION 10 SHALL NOT LIMIT PROVIDER’S INDEMNIFICATION OBLIGATION SET FORTH IN SECTION 9(A) OR DAMAGES ARISING OUT OF PROVIDER’S BREACH OF ITS CONFIDENTIALITY OBLIGATIONS SET FORTH IN SECTION 7.
9. Term and Termination.
(a) Term. Subject to earlier termination as provided below, this Agreement is for the Term as specified in the applicable Order Form.
(b) Termination. In addition to any other express termination right set forth in this Agreement: (i) either Party may terminate this Agreement, effective on written notice to the other Party, if the other Party materially breaches this Agreement and such breach: (A) is incapable of cure; or (B) being capable of cure, remains uncured 30 days (or 10 days for Customer’s failure to pay any amount when due) after the non-breaching Party provides the breaching Party with written notice of such breach; or (ii) either Party may terminate this Agreement, effective immediately upon written notice to the other Party, if the other Party: (A) becomes insolvent or is generally unable to pay, or fails to pay, its debts as they become due; (B) files or has filed against it, a petition for voluntary or involuntary bankruptcy or otherwise becomes subject, voluntarily or involuntarily, to any proceeding under any domestic or foreign bankruptcy or insolvency law; (C) makes or seeks to make a general assignment for the benefit of its creditors; or (D) applies for or has appointed a receiver, trustee, custodian, or similar agent appointed by order of any court of competent jurisdiction to take charge of or sell any material portion of its property or business.
(c) Effect of Expiration or Termination. Upon expiration or earlier termination of this Agreement, Customer shall immediately discontinue use of the Provider IP and, without limiting Customer’s obligations under Section 7, Customer shall delete, destroy, or return all copies of the Provider IP and certify in writing to the Provider that the Provider IP has been deleted or destroyed. No expiration or termination will affect Customer’s obligation to pay all Fees that may have become due before such expiration or termination or entitle Customer to any refund.
(d) Survival. This Section 11(d) and Sections 1, 6, 7, 8(c), 9, 10, 12 and 13 survive any termination or expiration of this Agreement. No other provisions of this Agreement survive the expiration or earlier termination of this Agreement.
(a) Entire Agreement. This Agreement, together with any other documents incorporated herein by reference and all related Exhibits, constitutes the sole and entire agreement of the Parties with respect to the subject matter of this Agreement and supersedes all prior and contemporaneous understandings, agreements, and representations and warranties, both written and oral, with respect to such subject matter. In the event of any inconsistency between the statements made in the body of this Agreement, the related Exhibits, and any other documents incorporated herein by reference, the following order of precedence governs: (i) first, this Agreement, excluding its Exhibits; (ii) second, the Exhibits to this Agreement as of the Effective Date; and (iii) third, any other documents incorporated herein by reference.
(b) Notices. All notices, requests, consents, claims, demands, waivers, and other communications hereunder (each, a “Notice”) must be in writing and addressed to the Parties at the addresses set forth on the first page of this Agreement (or to such other address that may be designated by the Party giving Notice from time to time in accordance with this Section). All Notices must be delivered by personal delivery, nationally recognized overnight courier (with all fees pre-paid), facsimile or email (with confirmation of transmission) or certified or registered mail (in each case, return receipt requested, postage pre-paid). Except as otherwise provided in this Agreement, a Notice is effective only: (i) upon receipt by the receiving Party; and (ii) if the Party giving the Notice has complied with the requirements of this Section.
(c) Force Majeure. In no event shall either Party be liable to the other Party, or be deemed to have breached this Agreement, for any failure or delay in performing its obligations under this Agreement (except for any obligations to make payments), if and to the extent such failure or delay is caused by any circumstances beyond such Party’s reasonable control, including but not limited to acts of God, flood, fire, earthquake, explosion, war, terrorism, invasion, riot or other civil unrest, strikes, labor stoppages or slowdowns or other industrial disturbances, or passage of law or any action taken by a governmental or public authority, including imposing an embargo.
(d) Amendment and Modification; Waiver. No amendment to or modification of this Agreement is effective unless it is in writing and signed by an authorized representative of each Party. No waiver by any Party of any of the provisions hereof will be effective unless explicitly set forth in writing and signed by the Party so waiving. Except as otherwise set forth in this Agreement, (i) no failure to exercise, or delay in exercising, any rights, remedy, power, or privilege arising from this Agreement will operate or be construed as a waiver thereof and (ii) no single or partial exercise of any right, remedy, power, or privilege hereunder will preclude any other or further exercise thereof or the exercise of any other right, remedy, power, or privilege.
(e) Severability. If any provision of this Agreement is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability will not affect any other term or provision of this Agreement or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal, or unenforceable, the Parties shall negotiate in good faith to modify this Agreement so as to effect their original intent as closely as possible in a mutually acceptable manner in order that the transactions contemplated hereby be consummated as originally contemplated to the greatest extent possible.
(f) Governing Law; Submission to Jurisdiction. This Agreement is governed by and construed in accordance with the internal laws of the State of California without giving effect to any choice or conflict of law provision or rule that would require or permit the application of the laws of any jurisdiction other than those of the State of Delaware. Any legal suit, action, or proceeding arising out of or related to this Agreement or the licenses granted hereunder will be instituted exclusively in the federal courts of the United States or the courts of the State of Delaware, and each Party irrevocably submits to the exclusive jurisdiction of such courts in any such suit, action, or proceeding.
(g) Assignment. Neither Party may assign any of its rights or delegate any of its obligations hereunder without the prior written consent of the other Party, which consent shall not be unreasonably withheld, conditioned, or delayed, except that either Party may assign this Agreement without consent of the other Party to its successor in interest pursuant to a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets to which this Agreement relates. Any purported assignment or delegation in violation of this Section will be null and void. No assignment or delegation will relieve the assigning or delegating Party of any of its obligations hereunder. This Agreement is binding upon and inures to the benefit of the Parties and their respective permitted successors and assigns.
(h) Export Regulation. The Services utilize software and technology that may be subject to US export control laws, including the US Export Administration Act and its associated regulations. Customer shall not, directly or indirectly, export, re-export, or release the Services or the underlying software or technology to, or make the Services or the underlying software or technology accessible from, any jurisdiction or country to which export, re-export, or release is prohibited by law, rule, or regulation. Customer shall comply with all applicable federal laws, regulations, and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), prior to exporting, re-exporting, releasing, or otherwise making the Services or the underlying software or technology available outside the US.
(i) US Government Rights. Each of the Documentation and the software components that constitute the Services is a “commercial item” as that term is defined at 48 C.F.R. § 2.101, consisting of “commercial computer software” and “commercial computer software documentation” as such terms are used in 48 C.F.R. § 12.212. Accordingly, if Customer is an agency of the US Government or any contractor therefor, Customer only receives those rights with respect to the Services and Documentation as are granted to all other end users, in accordance with (a) 48 C.F.R. § 227.7201 through 48 C.F.R. § 227.7204, with respect to the Department of Defense and their contractors, or (b) 48 C.F.R. § 12.212, with respect to all other US Government users and their contractors.
(j) Equitable Relief. Each Party acknowledges and agrees that a breach or threatened breach by such Party of any of its obligations under Section 7 or, in the case of Customer, Section 2(b), would cause the other Party irreparable harm for which monetary damages would not be an adequate remedy and agrees that, in the event of such breach or threatened breach, the other Party will be entitled to equitable relief, including a restraining order, an injunction, specific performance and any other relief that may be available from any court, without any requirement to post a bond or other security, or to prove actual damages or that monetary damages are not an adequate remedy. Such remedies are not exclusive and are in addition to all other remedies that may be available at law, in equity or otherwise.
(k) Publicity. Customer agrees that Provider may reference Customer as a customer in its marketing and promotional materials and activities, including but not limited to Provider’s website, and agrees to participate in press announcements, case studies, trade shows, or other forms reasonably requested by Provider, provided that Provider’s use of Customer’s name and trademarks will be in accordance with Customer’s trademark guidelines, if any, provided to Provider.
(l) Counterparts. This Agreement may be executed in counterparts, each of which is deemed an original, but all of which together are deemed to be one and the same agreement.
INFORMATION SECURITY POLICY
Uptick uses commercially reasonable organizational and technical measures designed to prevent unauthorized access, use, alteration, or disclosure of Customer Data stored on systems under Uptick’s control. Uptick maintains these security measures in accordance with ISO 27001.
1. Customer Data and Management. Uptick limits its personnel’s access to Customer Data as follows:
1.1. Requires unique user access authorization through secure logins and passwords, including multi-factor authentication for Cloud Hosting administrator access.
1.2. Limits the Customer Data available to Uptick personnel on a “need to know” basis.
1.3. Restricts access to Uptick’s production environment by Uptick personnel based on business need.
1.4. Encrypts user security credentials for production access; and
1.5. Prohibits Uptick personnel from storing Customer Data on electronic portable storage devices such as computer laptops, portable drives, and other similar devices.
1.6. Uptick physically and logically separates each of its customers’ data and maintains measures designed to prevent Customer Data from being exposed to or accessed by other customers.
2. Data Encryption. Uptick provides industry-standard encryption for Customer Data as follows:
2.1. Implements encryption in transport and at rest.
2.2. Uses strong encryption methodologies to protect Customer Data, including AES 256-bit encryption for Customer Data stored in Uptick’s production environment; and
2.3. Encrypts all Customer Data located in cloud storage while at rest.
3. Network Security, Physical Security and Environmental Controls
3.1. Uptick uses firewalls, network access controls and other techniques designed to prevent unauthorized access to systems processing Customer Data.
3.2. Uptick maintains measures designed to assess, test, and apply security patches to all relevant systems and applications used to provide the Services.
3.3. Uptick monitors privileged access to applications that process Customer Data, including cloud services.
3.4. The Services operate on Amazon Web Services (“AWS”) and are protected by the security and environmental controls of Amazon and Google, respectively. Detailed information about AWS security is available at https://aws.amazon.com/security/. For AWS SOC Reports, please see https://aws.amazon.com/compliance/soc-faqs/.
3.5. Customer Data stored within AWS is always encrypted. AWS does not have access to unencrypted Customer Data.
3.6. Each customer has a separate AWS account, and separate virtual private cloud settings, and a separate database instance.
4. Independent Security Assessments. Uptick periodically assesses the security of its systems and the Services as follows:
4.1. Annual detailed security and vulnerability assessments of the Services conducted by independent third-party security experts that include a code analysis and a comprehensive security review. Uptick shall attest to Customer the date of the most recent security and vulnerability assessment at Customer’s reasonable request.
4.2. Uptick hires accredited third parties to perform audits and to attest to various compliance and certifications annually including ISO 27001.
4.3. Bi-annual penetration testing of Uptick systems and applications to test for exploits including, but not limited to, XSS, SQL injection, access controls, and CSRF.
4.4. Monthly vulnerability scanning.
5. Incident Response. If Uptick becomes aware of unauthorized access or disclosure of Customer Data under its control (a “Breach”), Uptick will:
5.1. Take reasonable measures to mitigate the harmful effects of the Breach and prevent further unauthorized access or disclosure.
5.2. Upon confirmation of the Breach, notify Customer in writing of the Breach without undue delay. Notwithstanding the foregoing, Uptick is not required to make such notice to the extent prohibited by Laws, and Uptick may delay such notice as requested by law enforcement and/or in light of Uptick’s legitimate needs to investigate or remediate the matter before providing notice.
5.3. Each notice of a Breach will include:
5.3.1. The extent to which Customer Data has been, or is reasonably believed to have been, used, accessed, acquired, or disclosed during the Breach.
5.3.2. A description of what happened, including the date of the Breach and the date of discovery of the Breach, if known.
5.3.3. The scope of the Breach, to the extent known; and
5.3.4. A description of Uptick’s response to the Breach, including steps Uptick has taken to mitigate the harm caused by the Breach.
6. Business Continuity Management
Uptick maintains an appropriate business continuity and disaster recovery plan.
Uptick maintains processes to ensure failover redundancy with its systems, networks, and data storage.
7. Personnel Management
7.1. Uptick performs employment verification, including proof of identity validation and criminal background checks for all new hires, including contract employees, in accordance with applicable law.
7.2. Uptick provides training for its personnel who are involved in the processing of the Customer Data to ensure they do not collect, process or use Customer Data without authorization and that they keep Customer Data confidential, including following the termination of any role involving the Customer Data.
7.3. Uptick conducts routine and random monitoring of employee systems activity.
7.4. Upon employee termination, whether voluntary or involuntary, Uptick immediately disables all access to Uptick systems, including Uptick’s physical facilities.