SAAS SUBSCRIPTION AGREEMENT
This Medallia SaaS Subscription Agreement (the “Agreement”) is between Medallia, Inc. (“Medallia”) and the other signatory to an Order (“Customer”) and is effective as of the last signature on an Order between the parties (the “Effective Date”). Medallia provides an experience management platform via a Software as a Service model and related products and functionalities (the “Medallia Experience Cloud”). This Agreement establishes the terms and conditions for the purchase and provision of subscriptions to Medallia Experience Cloud products (“Subscriptions”) and related professional services provided by Medallia (“Services”).
This Agreement does not itself obligate the parties to purchase or provide Subscriptions or Services. Such obligations will be documented in additional attachments to this Agreement that describe the Subscription or Services and the related fees (an “Order”). An explicit conflict between these agreements will be resolved according to the following order of precedence: (1) an Order; and (2) this Agreement.
2. Provision of the Medallia Experience Cloud
Medallia will make the Medallia Experience Cloud available to Customer through the web browsers and mobile applications specified on the Order and will maintain the hardware and software necessary to do so. Medallia will provide Customer with access to every product improvement consistent with the scope established in the Order, when and if generally available.
3. Medallia Experience Cloud and Services Warranty
a. Express Warranties
The Medallia Experience Cloud will perform in a manner consistent with this Agreement, the Order(s), and the Product Description (the “Solution Warranty”). Services will be provided in a true and workmanlike manner, consistent with this Agreement and the Order (the “Services Warranty”).
b. Remedy for Failure of the Solution Warranty
Upon receipt of written notice of a Solution Warranty breach, Medallia will provide a correction at no charge. If Medallia cannot correct the breach within forty-five days from receipt of the warranty notice, then Customer may terminate the affected Order at any time within the next thirty days and receive: (i) if the breach notice was received fewer than ninety days after the Effective Date, a refund of all subscription fees paid; or (ii) if the notice was received at any other time, a prorated refund of subscription fees from the date of the warranty notice. This is Customer’s sole and exclusive remedy for a breach of the Solution Warranty.
c. Remedy for Failure of the Services Warranty
Upon receipt of written notice of a Services Warranty breach, Medallia will re-perform the Services as necessary to correct the breach. If Medallia cannot correct the breach within forty-five days from receipt of the warranty notice, then Customer may terminate the affected portion of the Order at any time within the next thirty days and receive a refund of Services fees paid for nonconforming or unperformed Services. This is Customer’s sole and exclusive remedy for a breach of the Services Warranty.
d. Disclaimer of Other Warranties
Except as expressly provided herein, and to the maximum extent permitted by applicable law, Medallia provides the Medallia Experience Cloud “as is,” makes no warranty of any kind express or implied with regard to the Medallia Experience Cloud or Services, and disclaims all other warranties, such as: (i) without prejudice to Customer’s right to service credits for a failure to meet Medallia’s uptime commitments, any warranty that the Medallia Experience Cloud and Services will be error free or uninterrupted; and (ii) the implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement.
e. Beta Services
From time to time, Customer may have the option to participate in early access programs with Medallia where Customer gets to use alpha or beta services, products, features and documentation (“Beta Services”) offered by Medallia. These Beta Services are not generally available and may contain bugs, errors, or defects. Accordingly, Medallia provides the Beta Services to Customer “as is” and makes no warranties of any kind with respect to the Beta Services, nor does any Medallia Experience Cloud service level agreement apply to the Beta Services. Medallia may discontinue Beta Services at any time in its sole discretion and may never make them generally available.
4. Use of the Medallia Experience Cloud
a. General Obligations
Other than using the Medallia Experience Cloud and its functionalities, Customer may not copy, modify, distribute, sell, or lease any part of the Medallia Experience Cloud or included software, or reverse engineer or attempt to extract the source code of that software, unless laws prohibit those restrictions. Customer may not use the Medallia Experience Cloud functionality to infringe upon the intellectual property rights of others, or to commit an unlawful activity (e.g., through survey question content or design).
b. Compliance Obligations
c. Third Party Services
5. Ownership and Use Rights
a. Customer Data
Customer owns all data delivered to Medallia by Customer or collected by Medallia on behalf of Customer (the “Customer Data”). Customer grants Medallia a non-exclusive, worldwide, limited license to the Customer Data for the purposes of: (i) providing and improving the Medallia Experience Cloud and Services; and (ii) developing and publishing broadly applicable experience management insights (such as industry experience management benchmarks), but only when the Customer Data has been aggregated or de-identified such that the publication cannot be used to identify Customer or any survey participant.
b. Medallia Experience Cloud
Medallia owns the Medallia Experience Cloud, including all features, functionalities, configurations, designs, templates, and other proprietary elements contained therein and all modifications, improvements, and derivative works thereof. Medallia will provide Customer with access to the Medallia Experience Cloud as described in the Order during the term of a Subscription for Customer’s internal business purposes. If Customer uses a Medallia application programming interface (“API”) or software development kit (“SDK”), Medallia grants Customer a non-exclusive, worldwide, limited license to use such API or SDK for the purpose of enabling Customer to use the Medallia Experience Cloud. Customer will not remove, obscure, or alter Medallia’s copyright notice or other proprietary rights notices affixed to or contained within the Medallia Experience Cloud or any related documentation.
Medallia owns the Medallia Experience Cloud documentation and all derivative works thereof. Medallia grants Customer a non-exclusive, worldwide limited license to use, copy, and make derivative works of the Medallia Experience Cloud documentation for internal business purposes during the term of a Subscription.
Customer grants Medallia a limited, non-exclusive license to mark Customer surveys and reports and Customer’s instance of the Medallia Experience Cloud with Customer’s trademarks, when requested by Customer and subject to Customer approval for consistency with its branding guidelines.
e. Reserved Rights
Customer and Medallia each reserve all intellectual property rights not explicitly granted herein.
Fees due for Subscriptions and Services will be stated on the Order. Fees are non-cancelable and non-refundable other than as explicitly stated in this Agreement.
Invoiced amounts are payable in full, without reduction for transaction taxes (e.g., value added taxes, consumption taxes, goods and services taxes, GST/HST, excise, sales, use or similar taxes, and withholding taxes). Customer is required to pay all such transaction taxes, either directly or by increasing payments to Medallia to offset taxes that Customer is required to deduct from payments. If Medallia has a legal obligation to pay or collect such transaction taxes, the appropriate amount will be invoiced to and paid by Customer, unless Customer provides Medallia with a valid tax exemption certificate.
7. Term and Termination
The term of this Agreement runs from the Effective Date through the date ninety days after the last day of the last-to-expire Subscription.
b. Termination for Cause
Either party may terminate this Agreement or an Order within thirty days upon the occurrence of either of the following: (i) the other party fails to cure a material breach of this Agreement or the relevant Order within thirty days after receipt of written notice; or (ii) the other party files, or has filed against it, any bankruptcy or similar proceeding, or enters into any form of arrangement with its creditors, that is not removed within sixty days of filing.
c. Transfer of Customer Data Upon Termination
Upon termination of this Agreement or an Order, Medallia will make customer feedback collected through, and at the time of termination stored within, the Medallia Experience Cloud available for secure download by Customer in a standard flat file format for at least thirty days (the “Data Transfer Period”). Within sixty days of the end of the Data Transfer Period, Medallia will remove all Customer Data from the Medallia Experience Cloud.
Medallia will maintain insurance policies providing at least the following coverage and will provide a certificate of insurance upon request:
(i) Technology Errors & Omissions / Professional liability with a limit of at least $5 Million;
(ii) Cyber/Network and Information Security liability with a limit of at least $5 Million;
(iii) Commercial General liability with a limit of at least $1 Million;
(iv) Automobile liability with a limit of at least $1 Million;
(v) Workers Compensation and Employer’s liability with a limit of at least $1 Million;
(vi) Umbrella liability with a limit of at least $10 Million.
9. Privacy, Security, and Audits
a. Privacy and Security Obligations
The parties’ privacy and security obligations are subject to the terms set forth in Attachment A: Privacy and Security Addendum (“Attachment A”).
b. General Performance Audits
Customer may, no more than once per year, audit Medallia’s performance under this Agreement and each Order, and Medallia will maintain records sufficient for such audits, including service hours provided, uptime, and the results of security and disaster recovery tests.
c. Security Audits
Medallia is regularly audited against SSAE 16 (SOC 2 Type 2) and ISO 27001 for its Core Platform, and against ISO 27001 for its Medallia for Digital platform, by independent third-party auditors and/or internal auditors. Upon request, and not more than once per year, Medallia shall supply (on a confidential basis) a summary copy of its audit report(s) as well as written responses (on a confidential basis) to all reasonable security and audit questionnaires that are necessary to confirm Medallia’s compliance with this Agreement. Medallia shall permit Customer (or its appointed third-party auditors) to carry out an audit of Medallia’s processing of Customer Data under this Agreement following: (i) a confirmed unauthorized or unlawful breach of security suffered by Medallia that leads to the destruction, loss, alteration, or unauthorized disclosure of or access to Customer Data (a “Security Incident”); or (ii) the instruction of a data protection authority.
d. Audit Procedure
Each audit requires at least thirty days’ prior notice, except in the event of a Security Incident or upon instruction of a data protection authority. Audits will take place on a mutually agreed date during Medallia’s normal business hours, and Customer will cause its representative or agent to employ such reasonable procedures and methods as are necessary and appropriate in the circumstances to minimize interference with Medallia’s normal business operations. Onsite audits are limited to two business days.
a. Controlling Statement of Obligations
The terms of this Confidentiality provision supersede any non-disclosure or confidentiality agreement entered into by the parties prior to the Effective Date of this Agreement.
b. Confidential Information
Confidential Information means all information provided by a disclosing party to a receiving party that a reasonable industry participant would deem to be confidential, including for example: (i) all information that is marked confidential; (ii) the terms of this Agreement and each Order; (iii) features and functionality of the Medallia Experience Cloud and related documentation; and (iv) Customer Data.
Confidential Information does not include information that is independently developed, that becomes public knowledge, or that is received from a third party under circumstances that do not create a reasonable suspicion that it has been misappropriated or improperly disclosed.
c. Use and Disclosure Restrictions
A receiving party will use commercially reasonable efforts to protect Confidential Information it receives and will use Confidential Information only as necessary to perform its obligations and exercise its rights under this Agreement and each Order. A receiving party will not disclose Confidential Information to third parties other than as permitted under this Agreement or as compelled by a court or regulator of competent authority (and then while taking all reasonable steps to inform the disclosing party prior to disclosure and to limit the scope of the disclosure).
a. Intellectual Property Indemnification by Medallia
Medallia will defend Customer against claims, causes of action, and investigations by third parties or government agencies, and will pay the resulting judgments, fines, settlements, court costs, and attorneys’ fees (collectively, to “Indemnify”), for claims alleging that the Medallia Experience Cloud infringes a third-party patent, copyright, or trademark or misappropriates a third-party trade secret. Medallia will have no obligation to Indemnify if the alleged infringement arises from: (i) a modification by Customer or the unauthorized use of the Medallia Experience Cloud; (ii) a violation of Customer’s obligations under Section 4 (“Use of the Medallia Experience Cloud”); or (iii) the combination of the Medallia Experience Cloud with any product or process not provided by Medallia, where Medallia would not be liable for inducement or contributory infringement for such infringement.
If Customer establishes a reasonable belief that use of the Medallia Experience Cloud will be enjoined, then Medallia will use commercially reasonable efforts to substitute the affected functionality with a non-infringing alternative or to procure a license to allow for the continued use of the affected functionality. If use of the Medallia Experience Cloud is enjoined and if Medallia has not provided a non-infringing alternative, then Customer may, within 30 days of the date of the injunction, terminate the affected Order immediately upon written notice and receive a refund of the unused portion of prepaid fees.
b. Data Breach Indemnification by Medallia
Medallia will Indemnify Customer for third party claims arising from the improper access, use, or disclosure of personally identifiable Customer Data caused by: (i) Medallia’s breach of its obligations under Attachment A; or (ii) the willful misconduct or gross negligence of Medallia personnel or any third party under Medallia’s control.
c. Indemnification by Customer
Customer shall Indemnify Medallia from third-party claims arising out of: (i) Customer’s or any of its employees and agents use of the Medallia Experience Cloud in violation of Section 4 of this Agreement, or applicable laws and regulations; and (ii) alleged infringement of a third-party patent, copyright, or trademark or misappropriation of a third-party trade secret arising out of (A) an unauthorized modification by Customer of the Medallia Experience Cloud; or (B) an unauthorized combination of the Medallia Experience Cloud with any product or process not provided or authorized by Medallia.
d. Indemnification Requirements and Procedure
The party seeking indemnification will provide timely notice to the party from which it seeks indemnification (the “Indemnifying Party”) (although untimely notice will relieve the Indemnifying Party of its Indemnification obligations only commensurate with the actual prejudice suffered as a result) and will provide reasonable assistance to the Indemnifying Party at the Indemnifying Party’s expense. The Indemnifying Party will have sole control over the defense, but Customer will have the right to participate at its own cost.
12. Limitation of Damages and Liability
a. Limitation of Damages
Neither party will be liable to the other for consequential, special, incidental, punitive, exemplary, or indirect damages or for lost profits, lost revenues, harm to goodwill, or the costs of procuring replacement services, regardless of whether such damage was foreseeable. This limitation will apply to all claims under all theories of law and equity, except where prohibited by law.
b. Limitation of Liability
Except for gross negligence, willful misconduct, claims for Indemnification under this Agreement, fees owed in excess of the limit below, and where prohibited by law, the cumulative liability of either party to the other will be limited to the fees paid or payable under this Agreement for the twelve months preceding the filing of the claim.
Medallia may include Customer’s name and logo on its public customer list. Subject to Customer’s approval, Medallia may also partner with Customer on co-marketing and public relations activities to demonstrate the launch and success of its program (e.g., press release, case study, video). Customer grants Medallia a limited, non-exclusive, worldwide license to use its trademark for these purposes.
14. General Terms
Each party warrants that it has the authority to enter into this Agreement and each Order.
Neither this Agreement nor any Order may be assigned without written consent and any such attempted assignment will be void.
All terms that must survive termination in order to have their customary effect, including terms related to confidentiality, indemnification, and limitation of damages and liability, will survive termination or expiration of this Agreement.
d. Force Majeure
No party will be deemed to have breached this Agreement or any Order if its failure to perform was caused by events beyond that party’s reasonable control, such as mass failure of internet infrastructure, civil unrest, and natural disasters.
e. Independent Contractors
The parties are independent contractors. Neither party has the right to bind the other, and neither party will make any contrary representation to a third party.
f. Export Compliance
Customer will comply with the export control and economic sanctions laws and regulations of the United States and other applicable jurisdictions. Consistent with that obligation, Customer will not make the Medallia Experience Cloud available to any person or entity that is: (i) located in a country that is subject to a U.S. government embargo, (ii) listed on a U.S. government list of prohibited or restricted parties, or (iii) engaged in activities directly or indirectly related to the proliferation of weapons of mass destruction.
g. Arbitration, Governing Law and Forum
Disputes arising from this Agreement will be settled by arbitration administered in San Mateo, California by the American Arbitration Association under its procedural Commercial Arbitration Rules and the substantive law of the United States of America and the State of California, and judgment on the award rendered by the arbitrator may be entered in any court with jurisdiction. This provision will not impair either party’s ability to receive injunctive or other equitable relief from any court with jurisdiction. The United Nations Convention on Contracts for the International Sale of Goods does not apply to this Agreement.
h. No Waiver
The failure of a party to timely enforce an obligation under this Agreement or Order will only be construed as a waiver if given in writing and will not act to waive any other obligation, including any future occurrence of the waived obligation.
i. Complete Agreement
The Medallia Product and Services Descriptions that accompany the Order constitute part of this Agreement. This Agreement and each Order contains the full agreement of the parties (superseding all prior or contemporaneous agreements) and may only be amended by a writing signed by both parties. Notwithstanding anything to the contrary therein, terms or conditions stated in Customer order documentation (e.g., a Customer purchase order) will be null and void. Neither party enters into this Agreement or Orders based on representations not stated in these documents, and there will be no presumption against either party as the drafter thereof.
Medallia may utilize subcontractors as described in Attachment B: Subcontractors and Medallia Subsidiaries Addendum to provide services, provided that: (i) Medallia has bound the subcontractor to agreements requiring it to conform to law, regulation, industry standards, and the quality, confidentiality, and privacy standards reflected in this Agreement; and (ii) Medallia remains responsible for delivery of the scope established in the Order.
Notifications required under this Agreement or an Order in relation to breach, disputed payments, audit, or indemnification will be provided in writing to the following contacts: (i) Medallia, Inc. 575 Market Street, Suite 1850, San Francisco, CA 94105, Attn: General Counsel; or (ii) Customer’s contact address as indicated in the signature block of the Order. Notice will be effective as of the date of delivery.
Privacy and Security Addendum
The Medallia Experience Cloud is subject to the following privacy and data security terms:
1. Security Program and Standards.
Medallia maintains a written information security program that contains appropriate administrative, technical, and physical safeguards to protect Customer Data and that complies with SaaS industry standards for security controls. The Core Platform has been certified by an independent third-party auditor as aligning with ISO 27001, SSAE 16 (SOC 2 Type 2), ISAE 3000, and HIPAA standards. Medallia for Digital has been certified by an independent third-party auditor as aligning with the ISO 27001 standard.
Such certifications can be provided to Customer upon written request.
2. Physical Security.
Customer Data for the Core Platform will be stored on Medallia-controlled hardware, colocated in data centers that are certified and audited to a SaaS industry standard for business controls (such as SSAE 16 / SOC 2 Type 2). Medallia provides encryption at rest by encrypting the hard drives in its data centers.
Data Customer collects with Medallia for Digital will be stored in Amazon S3 in one of the following locations, depending on Customer’s choice: Oregon, USA; Ireland, European Union; Sydney, Australia; or Montreal, Canada. More information about Amazon Web Services security can be found at https://aws.amazon.com/security/.
3. Network Security.
Medallia shall use industry standard firewall and encryption technologies to protect the public gateways through which Customer’s data travels. Medallia will use commercially reasonable efforts for protection against and detection of common network attacks. Medallia will monitor its network for attacks and will deploy appropriate processes to manage vulnerabilities.
4. Host/Access Management. User access to the Medallia Experience Cloud will be controlled through a username and password combination, managed by Medallia.
5. Application Security. The software development for the Medallia Experience Cloud follows a secure lifecycle, including source code management and appropriate reviews.
6. Compliance with Data Protection Laws.
In providing the Medallia Experience Cloud products and services to Customer, Medallia shall comply with applicable legal requirements for privacy, data protection, and confidentiality of communications. Such applicable legal requirements include the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts (201 CMR 17.00) and other applicable United States data protection laws at the state level, European Union Directive 95/46/EC and implementing national legislation, and Regulation (EU) 2016/679 (the “GDPR”), if applicable.
Medallia is certified under the Privacy Shield to cover the transfer of data collected in the European Economic Area and Switzerland to the United States.
Medallia offers a data processing agreement that defines Medallia’s and Customer’s obligations under GDPR, and includes the EU’s approved Standard Contractual Clauses for the handling of data collected in the European Economic Area and Switzerland outside of those areas. If Customer has a need for this agreement, please request it from Customer’s Medallia account representative.
Upon becoming aware of any confirmed unauthorized or unlawful breach of security that leads to the destruction, loss, alteration, or unauthorized disclosure of or access to Customer Data (a “Security Incident”), Medallia shall notify Customer without undue delay. Medallia shall provide timely information relating to any Security Incident as it becomes known or as is reasonably requested by Customer. Medallia shall promptly take reasonable steps to mitigate and, where possible, to remedy the effects of, any Security Incident.
7. Data Collection
The Core Platform enables Customer to send survey invitations to its customers, typically through email, based on touchpoints Customer’s customers have with its business. The types of data collected through the questions in these survey programs are within Customer’s control and will be specified during implementation. Typically, in order for the Core Platform to send surveys, Customer’s business initially sends Medallia data about survey takers in an “invitation file” that includes name, email, information about the survey taker’s interaction with Customer, and other information that enables Customer to segment the survey takers into groups.
Medallia for Digital collects customer feedback through surveys deployed on Customer’s digital channels. Customer can configure the types of data requested from visitors to such surveys. If surveys are configured to not ask for personal information such as name and email, then no such data will be collected except for analytics information (such as the visitor’s IP address).
Customer shall not configure the Medallia Experience Cloud to collect: (i) bank account numbers, payment card or credit card information, or bank transaction information; (ii) government identification numbers, including (but not limited to) social security numbers, state identification numbers, and passport numbers; or (iii) sensitive personal information, including (but not limited to) religious beliefs, health, sexual orientation, race, and union membership. Medallia will not be liable for non-compliance with laws and regulations that apply to the processing of the foregoing categories of data.
Subcontractors and Medallia Subsidiaries Addendum
An up-to-date version of the list of subcontractors and a form to sign up for updates is available in Medallia’s product documentation at https://docs.medallia.com.
Medallia shall notify Customer if it adds or removes a technology provider at least fifteen (15) days prior to any such changes. Medallia shall provide Customer with automatic updates to Medallia’s technology provider list through its administrative portal. Customer may object to Medallia’s appointment of a new technology provider by sending an email to firstname.lastname@example.org within ten (10) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss such concerns in good faith with a view towards achieving resolution.