.

License Agreement

Last Modified: December 11, 2023


IF YOU ARE ENTERING INTO THIS LICENSE AGREEMENT ELECTRONICALLY AND YOU HAVE ALREADY ENTERED INTO A SEPARATE LICENSE AGREEMENT DIRECTLY WITH FORALLSECURE, INC. (“FORALLSECURE,” “WE,” or “US”) IN CONNECTION WITH THE ACCESS OR USE OF THE CLOUD SERVICES THEN THIS LICENSE AGREEMENT (“AGREEMENT”) SHALL NOT APPLY, EVEN IF YOU ARE REQUIRED TO CLICK “I AGREE”, “ACCEPT” OR OTHER SIMILAR BUTTON AFFIRMING YOUR CONSENT TO THIS AGREEMENT. OTHERWISE, PLEASE READ THE FOLLOWING CAREFULLY BEFORE INSTALLING AND/OR USING THE CLOUD SERVICES (DEFINED BELOW).


BY SIGNING THIS AGREEMENT, OR CLICKING “I AGREE”, “ACCEPT” OR OTHER SIMILAR BUTTON, OR BY INSTALLING, ACCESSING OR USING THE CLOUD SERVICES, INCLUDING ALL RELATED SOFTWARE AND DOCUMENTATION, CUSTOMER EXPRESSLY ACKNOWLEDGES AND AGREES THAT CUSTOMER, OR THE COMPANY WHICH CUSTOMER REPRESENTS (“CUSTOMER,” “YOU,” or “YOUR”) ARE ENTERING INTO A LEGAL AGREEMENT WITH FORALLSECURE, AND HAVE UNDERSTOOD AND AGREE TO COMPLY WITH, AND BE LEGALLY BOUND BY, THE TERMS AND CONDITIONS OF THIS AGREEMENT. THIS AGREEMENT TAKES EFFECT WHEN YOU CLICK THE “ACCEPT” BUTTON, ACCEPT THE ORDER, OR ACCESS OR USE THE CLOUD SERVICES AFTER RECEIVING CREDENTIALS FROM FORALLSECURE, OR ON SUCH OTHER DATE EXPRESSLY SET FORTH IN THE ORDER (as applicable, the “Effective Date”).


IF YOU DO NOT AGREE TO THESE TERMS, YOU MUST SELECT THE “CANCEL” BUTTON AND MAY NOT ACCESS OR USE THE CLOUD SERVICES. IF YOU DO NOT HAVE AUTHORITY TO ACCEPT THE TERMS OF THIS AGREEMENT, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT ACCESS OR USE THE CLOUD SERVICES. IF YOU DO NOT ACCEPT THESE TERMS, YOU MAY NOT ACCESS OR USE THE CLOUD SERVICES.

IF CUSTOMER HAS PURCHASED THE LICENSE GRANTED HEREUNDER FROM A PARTNER, RESELLER OR DISTRIBUTOR AUTHORIZED BY FORALLSECURE (“PARTNER”), THEN TO THE EXTENT THERE IS ANY CONFLICT BETWEEN THIS AGREEMENT AND THE AGREEMENT ENTERED BETWEEN CUSTOMER AND THE RESPECTIVE PARTNER, INCLUDING ANY PURCHASE ORDER (“PARTNER AGREEMENT”), THEN, AS BETWEEN CUSTOMER AND FORALLSECURE, THIS AGREEMENT SHALL PREVAIL. ANY RIGHTS GRANTED TO CUSTOMER IN SUCH PARTNER AGREEMENT WHICH ARE NOT CONTAINED IN THIS AGREEMENT, APPLY ONLY IN CONNECTION WITH THE PARTNER. IN THAT CASE, CUSTOMER MUST SEEK REDRESS OR ENFORCEMENT OF SUCH RIGHTS SOLELY WITH THE PARTNER AND NOT FORALLSECURE.


IF YOU ORDERED A FREE TRIAL OR FREE VERSION OF THE CLOUD SERVICES PURSUANT TO YOUR ORDER, THE APPLICABLE PROVISIONS OF THIS AGREEMENT WILL GOVERN YOUR FREE TRIAL OR FREE VERSION. 

Direct competitors of ForAllSecure are prohibited from accessing the Cloud Services in any version or trial available. The Cloud Services may not be used or accessed, whether for the free trial or free versions or otherwise, for purposes of monitoring functionality, performance, or any other benchmarking or competitive purpose. 

1. Definitions.

a. “Account Tier” means the service offering levels selected by Customer at account creation when agreeing to this Agreement and the Order, as well as during the Term following an upgrade, either at your option or automatically as provided in Section 7.

b. “Affiliate(s)” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

c. “Authorized Cores” means, with respect to Mayhem for Code, the total number of Customer’s CPU cores on which the Cloud Services may be used pursuant to the selected Account Tier.

d. “Authorized Developers” means the total number of Developers allowed pursuant to the selected Account Tier.

e. “Authorized Scans” means the total number of Scans allowed pursuant to the selected Account Tier.

f. “Authorized User” means Customer and Customer’s employees, consultants, contractors, and agents, including Developers, (i) who are authorized by Customer to access and use the Cloud Services under the rights granted to Customer pursuant to this Agreement and (ii) for whom access to the Cloud Services has been purchased hereunder.

g. “CLI” means the command line interface that may be used to run the Cloud Services.

h. “Cloud Services” means any of the products and services ordered by Customer under an Order or online purchasing portal, or provided to Customer free of charge or under a free trial (each as applicable), and made available online by ForAllSecure, including offline products and services, as described in the Documentation, and including but not limited to Mayhem for Code product (“Mayhem for Code”), Mayhem for API product (“Mayhem for API”), the CLI or future products, enhancements, updates, modifications provided by ForAllSecure under this Agreement, which is further described on ForAllSecure’s website available at https://forallsecure.com/ and, if applicable, as reflected in the Customer’s Order documents.

i. “Customer Data” means information, data, and other content, in any form or medium, that is submitted, posted, or transmitted by or on behalf of Customer or any other Authorized User to the Cloud Services, including but not limited to applications and code developed by Customer or Authorized Users.

j. “Developer” means each contributor to the code repository for the applications you are testing using the Cloud Services.

k. “Documentation” means ForAllSecure’s user manuals, guides, and release notes relating to the Cloud Services made generally available by ForAllSecure to Customer relating to the Cloud Services available at https://mayhem4api.forallsecure.com/docs/ or as otherwise provided by ForAllSecure.

l. “ForAllSecure IP” means the Cloud Services, the Documentation, and all intellectual property provided to Customer or any other Authorized User in connection with the foregoing. For the avoidance of doubt, ForAllSecure IP includes Aggregated Statistics and any information, data, or other content derived from ForAllSecure’s monitoring of Customer’s access to or use of the Cloud Services but does not include Customer Data.

m. “Open Source Software” means software that is subject to “open source” or “free software” licenses that may be included in the Cloud Services.

n. “Order” means an ordering, quote, or purchase document or online order specifying the Cloud Services to be provided by ForAllSecure that is agreed to between the Customer and ForAllSecure, including any modifications, amendments, or attachments thereto. By entering into an Order, Customer agrees to be bound by the terms of this Agreement as if it were an original party hereto.

o. “Scan” means each scan of the code repository for the applications you are testing using the Cloud Services.

p. “Term” means the service period designated pursuant to the selected Account Tier as identified in the Order.

q. “Third-Party Products” means any products, content, services, information, websites, or other materials that are owned by third parties and are incorporated into or accessible through the Cloud Services.

2. Access and Use.

a. Access and Use and License. Subject to and conditioned on your compliance with the terms and conditions of this Agreement and payment of Fees, as applicable in the Order, ForAllSecure shall make the Cloud Services available to Customer during the Term so that Customer and Authorized Users may utilize the Cloud Services solely for Customer’s internal business use. Customer acknowledges and agrees that payment of the Fees and its subscription to use the Cloud Services is not contingent on receipt or delivery of any certain functionality, features, or support by ForAllSecure. ForAllSecure hereby grants Customer a revocable, non-exclusive, non-transferable, non-sublicensable, limited right to access and use the Cloud Services during the Term (i) solely for Customer’s internal business operations by Authorized Users, (ii) with respect to Mayhem for API, solely for testing applications subject to Authorized Developer limits and Authorized Scan limits, and (iii) with respect to Mayhem for Code, solely on Authorized Cores, in all cases accordance with the terms and conditions herein.

b. Documentation License. Subject to the terms and conditions contained in this Agreement, ForAllSecure hereby grants you a non-exclusive, non-sublicensable, non-transferable license for Authorized Users to use the Documentation during the Term solely for your internal business purposes in connection with use of the Cloud Services.

c. Continuous Integration; CLI. Use of the Cloud Services may involve reliance on our CLI in multiple environments or continuous integration with your code management system, in each case only in accordance with the Documentation. With respect to Mayhem for API, you hereby grant ForAllSecure access to retrieve and monitor the number of Developers. If your environments or systems do not allow ForAllSecure to monitor the number of Developers through the Cloud Services, you agree to provide ForAllSecure with usage reports at least every 90 days and when reasonably requested by ForAllSecure, which shall include information reasonably requested by ForAllSecure.

d. Downloadable Software. Subject to the Order, or the individual use of the Cloud Services by a Customer, use of the Cloud Services may require or include use of downloadable software, including our CLI. ForAllSecure grants you a non-transferable, non-exclusive, non-assignable, limited right for Authorized Users to use downloadable software we provide as part of the Cloud Services. Any Third-Party Products that consist of downloadable software are subject to the terms of Section 3(e).

e. Passwords and Access Credentials. On the Effective Date, or as promptly as possible after the Effective Date of this Agreement, ForAllSecure shall provide Customer with the necessary passwords and network links or connections to allow Customer to access the Cloud Service. ForAllSecure shall also provide Customer the link to the Documentation to be used by Customer in accessing and using the Cloud Service.

f. Use Restrictions. Customer shall not, and shall not permit any Authorized User to, use the Cloud Services, any software component of the Cloud Services (including any CLI), or Documentation for any purposes beyond the scope of the access granted in this Agreement. Customer shall not, and Customer shall ensure Authorized Users do not, at any time, directly or indirectly:

1. use the Cloud Services or Documentation to create a product or service competitive with the Cloud Services or for any purpose that is to the detriment or commercial disadvantage of ForAllSecure, including using the Cloud Services or Documentation to generate product benchmarking data for public distribution or copy any ideas, features, functions or graphics of the Cloud Services;

2. copy, modify, adapt, alter, translate or create derivative works of the Cloud Services, any software component of the Cloud Services, or Documentation, in whole or in part or take any action that would cause the Cloud Services to be placed in the public domain;

3. reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Cloud Services, in whole or in part;

4. remove any proprietary notices from the Cloud Services or Documentation;

5. use the Cloud Services with any unsupported software or hardware as described in the Documentation;

6. use the Cloud Services on any software or hardware that you do not own or otherwise have authorization to use, or that prohibits the use of services such as the Cloud Services;

7. use the Cloud Services or Documentation in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any person;

8. use the Cloud Services or Documentation in any manner or for any purpose that violates any applicable law, regulation, or rule, is fraudulent, or has any unlawful or fraudulent effect;

9. use the Cloud Services in a manner that would knowingly cause the Cloud Services to experience downtime or reduction in availability, interfere with, delay or disrupt the integrity of performance of the Cloud Services;

10. use the Cloud Services to transmit or input any data, content, information, or send or upload any material that contains viruses, Trojan horses, worms, time-bombs, keystroke loggers, spyware, adware or any other harmful programs or similar computer code designed to adversely affect the operation of any computer software or hardware;

11. bypass or breach any security device or protection used for or contained in the Cloud Services or interfere with the Cloud Services or gain unauthorized access to ForAllSecure IP;

12. rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Cloud Services or Documentation to third parties, unless expressly permitted under this Agreement or agreed to in writing by ForAllSecure or permit any time-sharing, outsourcing, service bureau or similar uses; or

13. use, exploit or resell the Cloud Services or Documentation to provide services to third parties, unless expressly agreed to in writing by ForAllSecure.

g. Aggregated Statistics. Notwithstanding anything to the contrary in this Agreement, ForAllSecure may collect and utilize Customer’s Data and information derived from Customer’s use of the Cloud Services and monitor Customer’s use of the Cloud Services for its internal business purposes, research and development and for improvement to product and service offerings (“Research Data”). Customer acknowledges and agrees that ForAllSecure shall also have the right to aggregate, collect and compile Research Data to be used by ForAllSecure in an anonymized manner, so that results are non-personally identifiable with respect to the Customer or any Authorized User, including to compile statistical and performance information related to the provision and operation of the Cloud Services (collectively “Aggregated Statistics”). ForAllSecure may include Developer usage in Aggregated Statistics. As between ForAllSecure and Customer, all right, title, and interest in Aggregated Statistics, and all intellectual property rights therein, belong to and are retained solely by ForAllSecure. You acknowledge that ForAllSecure may compile Aggregated Statistics based on Customer Data input into the Cloud Services. You agree that ForAllSecure may (i) make Aggregated Statistics publicly available in compliance with applicable law, and (ii) use Aggregated Statistics to the extent and in the manner permitted under applicable law or regulation, including, without limitation for purposes of data gathering, analysis, service enhancement and marketing, provided that such data and information does not identify Customer or its Confidential Information.

h. Reservation of Rights. ForAllSecure reserves all rights not expressly granted to Customer in this Agreement. Except for the limited rights and licenses expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Customer or any third party any intellectual property rights or other right, title, or interest in or to the ForAllSecure IP.

i. Suspension. Notwithstanding anything to the contrary in this Agreement, ForAllSecure may temporarily suspend Customer’s and any other Authorized User’s access to any portion or all of the Cloud Services if: (i) ForAllSecure reasonably determines that (A) there is a threat or attack on any of the ForAllSecure IP; (B) Customer’s or any other Authorized User’s use of the ForAllSecure IP disrupts or poses a security risk to the ForAllSecure IP or to any other customer or vendor of ForAllSecure; (C) Customer or any other Authorized User is using the ForAllSecure IP for fraudulent or illegal activities; (D) subject to applicable law, Customer has ceased to continue its business in the ordinary course, made an assignment for the benefit of creditors or similar disposition of its assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution, or similar proceeding; or (E) ForAllSecure’s provision of the Cloud Services to Customer or any other Authorized User is prohibited by applicable law; (ii) any vendor of ForAllSecure has suspended or terminated ForAllSecure’s access to or use of any third-party services or products required to enable Customer to access the Cloud Services; or (iii) in accordance with 6 (any such suspension described in subclause (i), (ii), or (iii), a “Service Suspension”). ForAllSecure shall use commercially reasonable efforts to provide written notice of any Service Suspension to Customer and to provide updates regarding resumption of access to the Cloud Services following any Service Suspension. ForAllSecure shall use commercially reasonable efforts to resume providing access to the Cloud Services as soon as reasonably possible after the event giving rise to the Services Suspension is cured. ForAllSecure will have no liability for any damage, liabilities, losses (including any loss of or profits), or any other consequences that Customer or any other Authorized User may incur as a result of a Service Suspension.
3. Customer Responsibilities.

a.Account Use. You are responsible and liable for all uses of the Cloud Services and Documentation resulting from access provided by you, directly or indirectly, whether such access or use is permitted by or in violation of this Agreement. Without limiting the generality of the foregoing, you are responsible for all acts and omissions of Authorized Users, and any act or omission by an Authorized User that would constitute a breach of this Agreement if taken by you will be deemed a breach of this Agreement by you. You shall use reasonable efforts to make all Authorized Users aware of this Agreement’s provisions as applicable to such Authorized User’s use of the Cloud Services and shall cause Authorized Users to comply with such provisions. 

b.Customer Data. You hereby grant to ForAllSecure a non-exclusive, royalty-free, worldwide license to reproduce, distribute, and otherwise use and display the Customer Data and perform all acts with respect to the Customer Data as may be necessary for ForAllSecure to provide the Cloud Services to you. You hereby represent and warrant that you have all rights in the Customer Data necessary to grant all rights and licenses set forth in this Agreement, and you will ensure that Customer Data and any Authorized User’s use of Customer Data will not violate any policy or terms referenced in or incorporated into this Agreement or any applicable law. You are solely responsible for the development, content, operation, maintenance, and use of Customer Data. Customer agrees that it has sole control over the nature and scope of the Customer Data processed by the Cloud Services, and the origin or location of Authorized Users.

Data Retention Period: We retain customer data for the duration of the customer’s active subscription and for a grace period of up to 90 days following the subscription end date. This grace period allows us to accommodate payment delays and ensure continued service to active users. During this period, customer data will remain accessible to authorized users unless a written data deletion request is received. Once the grace period has expired, we will revoke access to the services and delete active customer data within the platform and services.

Backup Retention: As part of our business continuity and disaster recovery policies, we maintain encrypted backups of customer data for up to 12 months after the subscription termination or upon final data deletion. These backups are stored securely and are only accessible for restoration of services at the customer's request, in compliance with legal and contractual obligations.Immediate

Deletion Requests: Upon written request from a customer, we will permanently delete all customer data within 30 days, including all active and backup instances, notwithstanding the general retention period. This process adheres to all applicable data protection laws and ensures that no data is recoverable after deletion.

Confidentiality and Privacy: We classify customer data as confidential and ensure that it is protected during retention and deletion processes. All data deletion and retention activities are logged, monitored, and reviewed to align with SOC-2’s trust service principles for confidentiality, availability, and privacy.

c.Passwords and Access Credentials. You are responsible for keeping your passwords and access credentials associated with the Cloud Services confidential. Passwords and access credentials are unique to each Authorized User and may not be shared. You will not sell or transfer them to any other person or entity. You will promptly notify us about any known or suspected unauthorized disclosure of, access to or use of your passwords or access credentials, or any violation of Customer’s obligations with respect to the use of the Cloud Services by any Developer or Authorized User. 

d.Customer Responsibilities. Customer is solely responsible for all activities that occur in any Authorized Users’ accounts and for compliance with this Agreement by Authorized Users. Customer shall: (i) have sole responsibility for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Customer Data submitted by it and its Authorized Users to the Cloud Services; and (ii) prevent unauthorized access to, or use of, the Cloud Services, and notify ForAllSecure promptly of any such unauthorized access or use. If Customer becomes aware of any violation of Customer’s obligations under this Agreement by any Authorized User, Customer will promptly notify ForAllSecure and work with ForAllSecure to promptly terminate access of any such Authorized User to the Cloud Service.

e.Third-Party Products. The Cloud Services may permit access to or interface with certain Third-Party Products. For purposes of this Agreement, such Third-Party Products are subject to their own terms and conditions. ForAllSecure makes no warranty regarding the operation or functionality of such Third-Party Products and does not guarantee that the Cloud Services will interoperate or interface with the Third-Party Products. If you do not agree to abide by the applicable terms for any such Third-Party Products, then you should not install, access, or use such Third-Party Products. 

f.Open Source Software. The Cloud Services include Open Source Software which is made available to you subject to “open source” or “free software” licenses. You are responsible for complying with the end user licenses applicable to the Open Source Software. Nothing in this Agreement limits the Customer’s rights or obligations under the terms and conditions of any applicable end user license for the Open Source Software. 
4. Evaluation License.
If ForAllSecure provides Customer with a trial or evaluation license for the Cloud Services (the “Evaluation License”), Customer agrees to use the Cloud Services solely for evaluation purposes for an evaluation period of up to thirty (30) days unless a different period is otherwise agreed in writing by ForAllSecure or specified in an Order (the “Evaluation Period”). At the end of the Evaluation Period, Customer’s right to use the Cloud Services automatically expires, Customer agrees to cease all use of the Cloud Services, and all access to the Cloud Services will be discontinued unless Customer and ForAllSecure enter into an Order pursuant to which Customer agrees to either (i) acquire a license for a paid Account Tier for the Cloud Services or (ii) downgrades to a free Account Tier for the Cloud Services. ForAllSecure makes no representations and warranties in connection with any use of the Cloud Services under an Evaluation License and all use during the Evaluation Period is at the sole risk of Customer. 


5. Service Levels and Support.

a.Service Levels. Subject to the terms and conditions of this Agreement, ForAllSecure shall use commercially reasonable efforts to make the Cloud Services available in accordance with selected Account Tier.

b.Support. This Agreement does not entitle Customer to any support for the Cloud Services.
6. Fees and Payment.

Customer shall pay all fees, if any, specified in any Order for the selected Account Tier (“Fees”). Fees shall include any upgrade fees as set forth in Section 7. Fees set out in the Account Tiers are subject to change in accordance with Section 15. Customer acknowledges and agrees that the Cloud Services are subscription services and are subject to automatic renewal as specified in any Order. All Fees will be due and payable at the beginning of each renewal term, unless otherwise set forth in the Order. ForAllSecure may charge your payment method at the beginning of each renewal term without further authorization from you until you terminate the Cloud Services in accordance with Section 14. 

In the event of an account upgrade, Fees may be adjusted during the Term in accordance with Section 7 below and Customer shall pay all such increased Fees within thirty (30) days of the date of invoice from ForAllSecure. If Customer fails to make any payment when due, including because of failure to update your payment method, without limiting ForAllSecure’s other rights and remedies: (i) ForAllSecure may charge interest on the past due amount at the rate of 1.5% per month calculated daily and compounded monthly or, if lower, the highest rate permitted under applicable law; (ii) Customer shall be liable for and shall reimburse ForAllSecure for all costs incurred by ForAllSecure in collecting any late payments or interest on unpaid Fees, including attorneys’ fees, court costs, and collection agency fees; and (iii) if such failure continues for 7 days or more, ForAllSecure may suspend, in accordance with Section 2(i), Customer’s and all other Authorized Users’ access to any portion or all of the Cloud Services until such amounts are paid in full, without incurring any obligation or liability to Customer by reason of such suspension. All Fees and other amounts payable by Customer under this Agreement are exclusive of taxes and similar assessments. Customer is responsible for all sales, use, and excise taxes, and any other similar taxes, duties, and charges of any kind imposed by any federal, state, or local governmental or regulatory authority on any amounts payable by Customer hereunder, other than any taxes imposed on ForAllSecure’s income.



7. Right to Audit.
ForAllSecure reserves the right to audit Customer’s usage of the Cloud Services every 90 days. If Customer’s usage exceeds the authorized limits of the Account Tier, ForAllSecure will upgrade your Account Tier, and charge the the difference between the Fees for the next tier (on a pro-rated basis for the remainder of your annual services period) and the Fees previously paid, on the next monthly anniversary of the Effective Date, and ForAllSecure will invoice Customer separately for such charges. In the event Customer terminates the Agreement and access to the Cloud Services at the end of the Term, Customer acknowledges and agrees that it shall pay ForAllSecure for the additional upgrade fees from the prior term within thirty (30) days of the date of invoice from ForAllSecure. ForAllSecure will not automatically downgrade Account Tiers based on usage and Customers do not have the ability to downgrade Account Tiers during a services period. ForAllSecure will consider exceptions to these upgrade provisions on a case-by-case basis if contacted by Customer or if set forth in the Order.

8. Confidential Information. 
ForAllSecure and Customer may disclose or make available (as applicable, the “Disclosing Party”) to the other party (the “Receiving Party”) information about its business affairs, products, confidential intellectual property, trade secrets, third-party confidential information, and other sensitive or proprietary information, including without limitation, the terms and conditions of this Agreement, the Cloud Services, business and marketing plans, technology and technical information, pricing information, financial results and information, product designs, product roadmaps, results of penetration testing, security reports or audits and business processes, whether orally or in written, electronic, or other form or media/in written or electronic form or media, and whether or not marked, designated, or otherwise identified as “confidential” at the time of disclosure (collectively, “Confidential Information”). Confidential Information does not include information that, at the time of disclosure is: (a) in the public domain; (b) known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party; (c) rightfully obtained by the Receiving Party on a non-confidential basis from a third party without breach of any obligation owed to the Disclosing Party; or (d) independently developed by the receiving party without breach of any obligation owed to the Disclosing Party. The Receiving Party shall not disclose the Disclosing Party’s Confidential Information to any person or entity, except to the receiving party’s employees, contractors, or service providers who have a need to know the Confidential Information for the receiving party to exercise its rights or perform its obligations hereunder and who are required to protect the Confidential Information in a manner no less stringent than required under this Agreement. Notwithstanding the foregoing, ForAllSecure may disclose Customer Data and other information provided by Customer or end-users of the Cloud Services in accordance with ForAllSecure’s Privacy Policy, and each party may disclose Confidential Information to the limited extent required (i) to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the party making the disclosure pursuant to the order shall first have given written notice to the other party and made a reasonable effort to obtain a protective order; or (ii) to establish a party’s rights under this Agreement, including to make required court filings. Each party’s obligations of non-disclosure with regard to Confidential Information are effective as of the date such Confidential Information is first disclosed to the Receiving Party and will expire five years thereafter; provided, however, with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), such obligations of non-disclosure will survive the termination or expiration of this Agreement for as long as such Confidential Information remains subject to trade secret protection under applicable law. 

9. Privacy Policy.
ForAllSecure complies with its privacy policy available at https://www.mayhem.security/privacy-policy (“Privacy Policy”), in providing the Cloud Services. The Privacy Policy is subject to change as described therein. By accessing, using, and providing information to or through the Cloud Services, you acknowledge that you have reviewed and accepted our Privacy Policy, and you consent to all actions taken by us with respect to your information in compliance with the then-current version of our Privacy Policy.

10. Intellectual Property Ownership; Feedback.
As between you and us, (a) we own all right, title, and interest, including all intellectual property rights, in and to the Cloud Services and Documentation and (b) you own all right, title, and interest, including all intellectual property rights, in and to Customer Data. If you or any of your employees, contractors, or agents sends or transmits any communications or materials to us by mail, email, telephone, or otherwise, suggesting or recommending changes to the Cloud Services, including without limitation, new features or functionality relating thereto, or any comments, questions, suggestions, or the like (“Feedback”), we are free to use such Feedback irrespective of any other obligation or limitation between you and us governing such Feedback. All Feedback is and will be treated as non-confidential. You hereby assign to us on your behalf, and shall cause your employees, contractors, and agents to assign, all right, title, and interest in, and we are free to use, without any attribution or compensation to you or any third party, any ideas, know-how, concepts, techniques, or other intellectual property rights contained in the Feedback, for any purpose whatsoever, although we are not required to use any Feedback.

11. Warranty Disclaimer. 
THE CLOUD SERVICES AND DOCUMENTATION ARE PROVIDED “AS IS” AND FORALLSECURE SPECIFICALLY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. FORALLSECURE SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE. FORALLSECURE MAKES NO WARRANTY OF ANY KIND THAT THE CLOUD SERVICES, THE DOCUMENTATION OR ANY PRODUCTS OR RESULTS OF THE USE OF ANY OF THE FOREGOING, WILL MEET YOUR OR ANY OTHER PERSON’S OR ENTITY’S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY OF YOUR OR ANY THIRD PARTY’S SOFTWARE, SYSTEM, OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR-FREE, OR THAT ANY ERRORS OR DEFECTS CAN OR WILL BE CORRECTED. 



12. Indemnification.
a.ForAllSecure Indemnification. Subject to the terms of the Agreement, ForAllSecure will defend at its own expense any action against Customer brought by a third party alleging that the Cloud Services, in each case, as delivered, infringe any U.S. patents issued as of the Effective Date or any copyrights or misappropriate any trade secrets, in each case, of a third party, and ForAllSecure will indemnify and hold Customer harmless against those costs and damages finally awarded against Customer in any such action that are specifically attributable to such claim or those costs and damages agreed to in a monetary settlement of such action. The foregoing obligations are conditioned on Customer’s compliance with the Indemnification Conditions (defined below). If the Cloud Services become, or in ForAllSecure’s opinion are likely to become, the subject of an infringement claim, ForAllSecure may, at its option and expense, either: (i) procure for Customer the right to continue using the Cloud Services; (ii) replace or modify the Cloud Services so that they become non-infringing; or (iii) terminate the subscription to the infringing Cloud Services and refund Customer any unused, prepaid fees for the infringing Cloud Services covering the remainder of the subscription term after the date of termination. Notwithstanding the foregoing, ForAllSecure will have no obligation or liability under this Section 12(a) or otherwise with respect to any infringement claim based upon: (a) any use of the Cloud Services not in accordance with this Agreement; (b) any use of the Cloud Services in combination with products, equipment, software, or data not supplied or approved in writing by ForAllSecure if such infringement would have been avoided but for the combination with other products, equipment, software or data; (c) any claim arising from the Customer Data; or (d) any modification of the Cloud Services by any person other than ForAllSecure. THIS SECTION 12(a) STATES FORALLSECURE’S ENTIRE LIABILITY AND THE CUSTOMER’S EXCLUSIVE REMEDY FOR ANY CLAIMS OF INFRINGEMENT. 

b.Customer Indemnification. Subject to the terms of this Agreement, Customer will defend at its own expense any action against ForAllSecure brought by a third party (including any Authorized User) (i) alleging that ForAllSecure’s possession or use of the Customer Data violates, or misappropriates the rights of, or has otherwise harmed, a third party, or (ii) concerning a Authorized User’s use of the Cloud Service (provided it is not due to ForAllSecure’s breach of this Agreement), and Customer will indemnify and hold ForAllSecure harmless against those costs and damages finally awarded against ForAllSecure in any such action that are specifically attributable to such claim or those costs and damages agreed to in a monetary settlement of such action. The foregoing obligations are conditioned on ForAllSecure’s compliance with the Indemnification Conditions (defined below).

c.Indemnification ConditionsIndemnification Conditions” means the following conditions, which a party must comply with to be entitled to the defense and indemnification obligations of the other party under this Agreement. The indemnified party must (i) notify the indemnifying party promptly in writing of such claim or allegation, setting forth in reasonable detail the facts and circumstances surrounding the claim; (ii) give the indemnifying party sole control of the defense thereof and any related settlement negotiations, including not making any admission of liability or take any other action that limits the ability of the indemnifying party to defend the claim; and (iii) cooperating and, at the indemnifying party’s request and expense, assisting in such defense. 
13. Limitations of Liability.
IN NO EVENT WILL FORALLSECURE BE LIABLE UNDER OR IN CONNECTION WITH THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHERWISE, FOR ANY: (a) CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, ENHANCED, OR PUNITIVE DAMAGES; (b) INCREASED COSTS, DIMINUTION IN VALUE OR LOST BUSINESS, PRODUCTION, REVENUES, OR PROFITS; (c) LOSS OF GOODWILL OR REPUTATION; (d) USE, INABILITY TO USE, LOSS, INTERRUPTION, DELAY OR RECOVERY OF ANY DATA, OR BREACH OF DATA OR SYSTEM SECURITY; OR (e) COST OF REPLACEMENT GOODS OR SERVICES, IN EACH CASE REGARDLESS OF WHETHER FORALLSECURE WAS ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES OR SUCH LOSSES OR DAMAGES WERE OTHERWISE FORESEEABLE. IN NO EVENT WILL FORALLSECURE’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHERWISE, EXCEED THE TOTAL AMOUNTS PAID TO FORALLSECURE UNDER THIS AGREEMENT IN THE TWELVE (12) MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM. 

14. Term and Termination.

a.Term. The term of this Agreement begins on the Effective Date and continues in accordance with the subscription term set forth on the Order or as otherwise agreed in writing with ForAllSecure, unless earlier until terminated as set forth herein. The term will automatically renew for successive terms of equal duration as set forth on the Order, unless either party provides written notice of its desire not to renew prior to the expiration of the then-current term as set forth on the Order.

b.Termination. In addition to any other express termination right set forth in this Agreement:In addition to its rights set forth above in Section 14(a), ForAllSecure may terminate this Agreement, for any reason upon 30 days’ advance notice; provided that in the event of a termination solely pursuant to this section, ForAllSecure shall refund Customer such unused pre-paid fees; either party may terminate this Agreement, effective on written notice to the other party, if the other party materially breaches this Agreement, and such breach: (A) is incapable of cure; or (B) being capable of cure, remains uncured 30 days after the non-breaching party provides the breaching party with written notice of such breach; oreither party may terminate this Agreement, effective immediately upon written notice to the other party, if the other party: (A) becomes insolvent or is generally unable to pay, or fails to pay, its debts as they become due; (B) files or has filed against it, a petition for voluntary or involuntary bankruptcy or otherwise becomes subject, voluntarily or involuntarily, to any proceeding under any domestic or foreign bankruptcy or insolvency law; (C) makes or seeks to make a general assignment for the benefit of its creditors; or (D) applies for or has appointed a receiver, trustee, custodian, or similar agent appointed by order of any court of competent jurisdiction to take charge of or sell any material portion of its property or business.

c.Effect of Termination. Upon termination of this Agreement, Customer shall immediately discontinue use of the ForAllSecure IP and all rights to use the Cloud Services and Documentation granted in this Agreement will immediately cease to exist and Customer must promptly discontinue all use of the Cloud Services. No expiration or termination of this Agreement will affect Customer’s obligation to pay all Fees that have become due before such expiration or termination or entitle Customer to any refund except to the extent otherwise expressly provided in Section 12(a)(i) and Section 14(b)(i). If this Agreement is terminated by ForAllSecure pursuant to Section 14(b)(ii)-(iii), Customer shall remain responsible for any payments set forth on any outstanding Order, regardless of whether such amounts have been invoiced or are payable at the time of such termination.

Data Retention Period: We retain customer data for the duration of the customer’s active subscription and for a grace period of up to 90 days following the subscription end date. This grace period allows us to accommodate payment delays and ensure continued service to active users. During this period, customer data will remain accessible to authorized users unless a written data deletion request is received. Once the grace period has expired, we will revoke access to the services and delete active customer data within the platform and services.

Backup Retention: As part of our business continuity and disaster recovery policies, we maintain encrypted backups of customer data for up to 12 months after the subscription termination or upon final data deletion. These backups are stored securely and are only accessible for restoration of services at the customer's request, in compliance with legal and contractual obligations.

Immediate Deletion Requests: Upon written request from a customer, we will permanently delete all customer data within 30 days, including all active and backup instances, notwithstanding the general retention period. This process adheres to all applicable data protection laws and ensures that no data is recoverable after deletion.

Confidentiality and Privacy: We classify customer data as confidential and ensure that it is protected during retention and deletion processes. All data deletion and retention activities are logged, monitored, and reviewed to align with SOC-2’s trust service principles for confidentiality, availability, and privacy.

d.Survival. This Section 14(d), Sections 6, 7, 8, 10, 11, 12, 13, 14(c), 15, 16, 17, 18 and 19, and any right, obligation, or required performance of the parties in this Agreement which, by its express terms or nature and context is intended to survive termination or expiration of this Agreement, will survive any such termination or expiration.
15. Modifications.

You acknowledge and agree that we have the right, in our sole discretion, to modify this Agreement from time to time, and that modified terms become effective on posting. You are responsible for reviewing and becoming familiar with any such modifications. Your continued use of the Cloud Services after the effective date of the modifications will be deemed acceptance of the modified terms.

16. US Government Rights.

Each of the software components that constitute the Cloud Services and the Documentation is a “commercial item” as that term is defined at 48 C.F.R. § 2.101, consisting of “commercial computer software” and “commercial computer software documentation” as such terms are used in 48 C.F.R. § 12.212. Accordingly, if you are an agency of the US Government or any contractor therefor, you receive only those rights with respect to the Cloud Services and Documentation as are granted to all other end users, in accordance with (a) 48 C.F.R. § 227.7201 through 48 C.F.R. § 227.7204, with respect to the Department of Defense and their contractors, or (b) 48 C.F.R. § 12.212, with respect to all other US Government customers and their contractors. 

17. Governing Law and Jurisdiction.
This Agreement is governed by and construed in accordance with the internal laws of the State of Pennsylvania without giving effect to any choice or conflict of law provision or rule that would require or permit the application of the laws of any jurisdiction other than those of the State of Pennsylvania. Any legal suit, action, or proceeding arising out of or related to this Agreement or the rights granted hereunder will be instituted in the federal courts of the United States or the courts of the State of Pennsylvania in each case located in the city of Pittsburgh and County of Allegheny, and each party irrevocably submits to the jurisdiction of such courts in any such suit, action, or proceeding. 

18. Force Majeure.
Neither party will be liable for any failure in performance due to circumstances beyond such party’s reasonable control, including without limitation, acts of God; acts of government; flood; fire; earthquakes; civil unrest; acts of terror, strikes or other labor problems (other than those involving such party’s employees), computer, telecommunications, Internet service provider or hosting facility failures or delays involving hardware, software or power systems not within such party’s possession or reasonable control, and denial of service attacks.
19. Publicity.
ForAllSecure may use Customer’s name and logo (so long as in accordance with any mark guidelines provided by Customer to ForAllSecure) in ForAllSecure promotional materials, including, without limitation, press releases, customer lists, and presentations to third parties.
20. Miscellaneous.
This Agreement constitutes the entire agreement and understanding between the parties hereto with respect to the subject matter hereof and supersedes all prior and contemporaneous understandings, agreements, representations, and warranties, both written and oral, with respect to such subject matter. Any notices to us must be sent to our corporate headquarters address at ForAllSecure, Inc. 3710 Forbes Ave, Pittsburgh, PA 15213 and must be delivered either in person, by certified or registered mail, return receipt requested and postage prepaid, or by recognized overnight courier service, and are deemed given upon receipt by us. Notwithstanding the foregoing, you hereby consent to receiving electronic communications from us. These electronic communications may include notices about applicable fees and charges, transactional information, and other information concerning or related to the Cloud Services. You agree that any notices, agreements, disclosures, or other communications that we send to you electronically will satisfy any legal communication requirements, including that such communications be in writing. The invalidity, illegality, or unenforceability of any provision herein does not affect any other provision herein or the validity, legality, or enforceability of such provision in any other jurisdiction. Any failure to act by us with respect to a breach of this Agreement by you or others does not constitute a waiver and will not limit our rights with respect to such breach or any subsequent breaches. This Agreement is personal to you and may not be assigned or transferred for any reason whatsoever without our prior written consent and any action or conduct in violation of the foregoing will be void and without effect. We expressly reserve the right to assign this Agreement and to delegate any of its obligations hereunder. There are no third-party beneficiaries to this Agreement. The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties. Neither party will have the power to bind the other or incur obligations on the other party’s behalf without the other party’s prior written consent.