Terms and Conditions May 2022

These Terms and Conditions (“Terms”) are between Evisort Inc. (“Evisort”) and the Customer accessing the Evisort platform, which references these Terms. These Terms will govern the use and provision of any Services purchased by Customer as described in any Order Form, or the use of the Evisort platform or any services performed in the performance of any pilot or proof of concept. Any terms not defined herein have the meaning given to them in the applicable Order Form. The “Agreement” shall refer to any Order Form, these Terms, any additional Order Forms and all Appendixes and any other attachments to the Order Form.

Any individual agreeing to be bound by this agreement on behalf of an organization or other legal entity represents that such individual has the authority to bind such entity to the Terms and Conditions contained herein.

1. Definitions

  1. “Access Credentials” means login information, passwords, security protocols, and policies through which Users access the Company Services.
  2. “Evisort Services” means any Evisort software-as-a-service application identified in the Order Form that allows Users to access certain features and functions through a web interface. References to any Evisort Services include the Documentation.
  3. “Customer Content” means the data and content uploaded or submitted into the Evisort Services by or on behalf of Customer.
  4. “Confidential Information” means all written or oral information, disclosed by one party (the “Disclosing Party”) to the other (the “Recipient”), related to the business, products, services or operations of the Disclosing Party or a third party that has been identified as confidential or that by the nature of the information or the circumstances surrounding disclosure ought reasonably to be treated as confidential, including, without limitation: (i) trade secrets, inventions, ideas, processes, computer source and object code, formulae, data, programs, other works of authorship, know-how, improvements, discoveries, developments, designs and techniques; (ii) information regarding products, plans for research and development, marketing and business plans, budgets, financial statements, contracts, prices, employees, suppliers and agents; and (iii) information regarding the skills and compensation of the Disclosing Party’s employees, contractors, and other agents.
  5. “Documentation” means the documentation, user manuals, help files and videos, and other materials that describe the features, functions and operation of the Evisort Services.
  6. “Documents” means the number of documents stored on the Evisort platform. For the purpose of counting Documents, each file shall count as one document, except that for any file longer than 100 pages in length, the number of pages shall be divided by 100 and then rounded up to the nearest integer for the purpose of calculating the number of Documents in the Evisort platform. For clarification, this means a one hundred (100) page document would count as one (1) document, a one hundred twenty (120) page document would count as two (2) documents, and a three-hundred (300) page document would count as three (3) documents.
  7. “Order Form” means the document signed by an authorized representative of each party that references these Terms and identifies the specific Service(s) to be made available and the fees to be paid.
  8. “Personal Information” means any Customer Content that identifies any specific individual and is protected under applicable privacy laws, rules and regulations.
  9. “Professional Services” means any professional services provided by Evisort to Customer as described in an Order Form (as may be further elaborated in any statement of work agreed to by the parties), including implementation, support and maintenance, and training services.
  10. “Services” means the Evisort Services, the Professional Services and any other services set forth in an Order Form.
  11. “Service Capacity” means the number of Customer Documents that can be submitted to the Evisort Services for analysis. The Service Capacity is set forth in the applicable Order Form. For the purpose of any usage not listed in an Order Form, the Service Capacity shall be set at Evisort’s discretion. The Service Capacity may be measured at any point annually during the first year of the term and each year thereafter, and shall be measured as follows: Documents in the Evisort platform at the beginning of the applicable year plus the gross number of Documents uploaded to the Evisort platform during the applicable year.
  12. “Site” means Evisort’s website at https://evisort.com and any website linked from such website or that is owned or controlled by Evisort.
  13. “User” means each of Customer’s employees and independent contractors who are provided Access Credentials by Customer or Evisort. The number of Users authorized by Evisort to access the Services is set forth in the applicable Order Form.

2. Access, Rights, Restrictions and Security

  1. Access Grant to Evisort Services. Subject to Customer’s compliance with the terms and conditions contained in the Agreement, including the restriction on the number of Users and Service Capacity set forth in any Order Form, Evisort grants to Customer a non-exclusive, non-transferable, non-sublicenseable, revocable right to allow the number of Users set forth in the applicable Order Form to access and use the Evisort Services, subject to the Service Capacity, during the Term (as defined below).
  2. Technical Support. Evisort shall provide Customer with reasonable technical support services throughout the Term. Evisort agrees to use commercially reasonable efforts to make the Evisort Services available to Customer at least 99.5% of the time excluding planned maintenance, measured monthly, during each month of the Term.
  3. Access Credentials. Customer will safeguard, and ensure that all Users safeguard the Access Credentials. Customer will be responsible for all acts and omissions of Users.
  4. Customer Restrictions. During the Term (as defined in Section 7) and thereafter, Customer shall not, and shall not permit any of its employees, contractors or Users to, directly or indirectly: (a) act as a reseller or distributor of, or a service bureau for, the Evisort Services or otherwise use, exploit, make available or encumber any of the Evisort Services to or for the benefit of any third party other than Customer’s customers; (b) use or demonstrate the Evisort Services in any other way that is in competition with Evisort; (c) reverse engineer, disassemble or decompile the Evisort Services or attempt to derive the source code or underlying ideas or algorithms of any part of the Evisort Services (except to the limited extent applicable laws specifically prohibit such restriction); (d) access or use the Evisort Services without the prior written consent of Evisort if Customer is or becomes a direct competitor to Evisort or its affiliates; (e) share access, use, or information about the services with a direct competitor of Evisort; (f) remove any notice of proprietary rights from the Services; (g) copy, modify, translate or otherwise create derivative works of any part of the Services; (h) use the Evisort Services in a manner that interferes or attempts to interfere with the proper working of the Evisort Services or any activities conducted on the Evisort Services, including bypassing or attempting to bypass any privacy settings or measures used to prevent or restrict access to the Evisort Services; (i) use manual or automated software, devices, robot, spider, or other processes to “crawl” or “spider” or to retrieve, index, “scrape”, “data mine” or in any way gather information, content or other materials from the Evisort Services in an unauthorized manner or reproduce or circumvent the navigational structure or presentation of the Evisort Services; (j) use the Evisort Services in a manner which interferes with or disrupts its integrity or performance; (k) use or allow the transmission, transfer, export, re-export or other transfer of any software, technology or information forming a part of the Evisort Services in violation of any export control or other laws and regulations of the United States or any other relevant jurisdiction; or (l) use the Evisort Services to share or store inappropriate materials, including (i) materials containing viruses or other harmful or malicious code; (ii) unsolicited mail (spam); (iii) copyrighted materials to which Customer does not have sufficient rights; (iv) harassing, tortious, or defamatory materials; or (v) other materials prohibited by applicable international, federal, state, or local laws and regulations.
  5. Customer Obligations. Customer will be responsible for obtaining and maintaining, at Customer’s expense, all of the necessary telecommunications, computer hardware, software, and Internet connectivity required by Customer or any User to access the Evisort Services from the Internet. Customer shall use commercially reasonable efforts to prevent unauthorized access to, or use of, the Evisort Services, and notify Evisort promptly of any such unauthorized use known to Customer.
  6. Proprietary Rights and Confidential Information
  7. Confidential Information.
  8. Use and Disclosure. During the Term (as defined below) of the Agreement, each party will have access to the other party’s Confidential Information. Except as otherwise expressly permitted, and without limiting each party’s obligations, under the Agreement, each Recipient agrees as follows: (A) it will not disclose the Confidential Information of the Disclosing Party to anyone except its employees, service providers, and independent contractors who have a need to know and who have been advised of and have contractually agreed to treat such information in accordance with the terms of the Agreement (each a “Representative”) and (B) it will not use or reproduce the Confidential Information disclosed by the Disclosing Party for any purpose other than exercising its rights and performing its obligations as described herein. Each Recipient will be liable for the acts and omissions of its Representatives with respect to the Disclosing Party’s Confidential Information.
  9. Exceptions. The provisions of Section 2.6 (a)(i) will not apply to Confidential Information that: (A) becomes generally available to the public through no fault of the Recipient; (B) is lawfully provided to the Recipient by a third party free of any confidentiality duties or obligations; (C) Recipient can prove, by clear and convincing evidence, was already known to the Recipient without restriction at the time of disclosure; or (D) Recipient can prove, by clear and convincing evidence, was independently developed by employees and contractors of Recipient who had no access to the Confidential Information. Notwithstanding Section 2.6 (a)(i), each party may disclose Confidential Information to the limited extent required by a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the party making the disclosure pursuant to the order will first have given written notice to the other party and made a reasonable effort to obtain a protective order.
  10. Customer Content
  11. Customer Content. Customer is solely responsible for any and all obligations with respect to the accuracy, quality and legality of Customer Content. Customer will obtain all third party licenses, consents and permissions needed for Evisort to use the Customer Content to provide the Services.
  12. License in Customer Content. Customer grants to Evisort, on behalf of itself and its Users, a non-exclusive license to use the Customer Content as necessary for purposes of providing the Services, performing obligations under the Agreement, and exercising its rights under the Agreement. Except for the limited licenses granted to Evisort in any Customer Content, as between Customer and Evisort, Customer reserves all right, title and interest in the Customer Content. Notwithstanding anything in this agreement to the contrary, Evisort may analyze Customer Data to create one or more de-identified and aggregated data sets that do not individually identify Customer or its Users or enable anyone to identify Customer or its Users based on the information (collectively, the “Deidentified Data”). Evisort retains ownership of all right, title, and interest in and to Deidentified Data. Evisort may use Deidentified Data for Evisort’s lawful business purposes, including to improve, market, provide, and enhance the Services and for other development, diagnostic, and corrective purposes in connection with the Services and any other Evisort offerings. Evisort may disclose Deidentified Data solely in aggregate form in connection with its business. “Usage Data” means any content, data, or information that is collected or produced by the Services in connection with the use of the Services that does not identify Customer or its Users, and may include, but is not limited to, usage patterns, traffic logs and user conduct associated with the Services. Evisort retains ownership of all right, title, and interest in and to Usage Data. Evisort may use Usage Data in connection with Evisort’s rights and obligations under this Agreement and to operate, improve, analyze, and support the Services for benchmarking and reporting, and for any other lawful business purposes.
  13. Evisort Services. Except for the limited access grant provided to Customer in the Agreement, Evisort reserves all right, title and interest in its intellectual property and business, including the Services, Documentation, Usage Data, Deidentified Data, and Evisort trademarks. Unless otherwise expressly set forth in an Order Form, and except for any Customer Content, all work product or services provided or developed pursuant to the Agreement or any Order Form (including any modifications and improvements to any Services pursuant to subsection (d) or any intellectual property developed pursuant to subsection (e) below), and all intellectual property and other proprietary rights derived therefrom, will be the sole and exclusive property of Evisort.
  14. Continuous Development. Customer acknowledges that Evisort may continually develop, deliver and provide to Customer on-going innovation to the Evisort Services in the form of new features, functionality, and efficiencies. Accordingly, Evisort reserves the right to modify the Evisort Services, from time to time. Some modifications will be provided to Customer at no additional charge. In the event Evisort adds additional functionality to a particular Service, Evisort may condition the implementation of such modifications on Customer’s payment of additional fees provided Customer may continue to use the version of the Evisort Services that Evisort makes generally available (without such features) without paying additional fees.
  15. Professional Services; Training and Support. Customer may request that Evisort provide certain Professional Services related to Customer’s use of the Evisort Services. Excluding those agreed between the parties in the Order Form or a separate statement of work, Evisort will have no obligation to provide or perform such services for or on behalf of Customer.

3. Security and Processing.

  1. Security. Evisort has implemented and will maintain a comprehensive information security program as described in Schedule 1 (Security Practices) which shall be consistent with industry standards that contains appropriate administrative, technical and physical safeguards reasonably designed to protect Customer Content from unauthorized disclosure. Evisort may update such security policies and safeguards from time to time, provided that any such update does not materially reduce the overall level of security or commitments as described in Schedule 1.
  2. Processing. If Customer requires, in its sole discretion, specific terms for processing Customer Content which includes personal information, this agreement hereby incorporates the terms of the Data Processing Addendum (“DPA”) at https://evisort.com/dpa, and the DPA on the Site. Should Customer require an executed version of the DPA, Customer may request it by filling out the form available at https://evisort.com/dpa and the DPA available on the Site at the time of such submission will be incorporated into this Agreement on the date of such submission or the Effective Date, whichever is later.
  3. Subcontractors. Evisort may utilize subcontractors and subprocessors (“Subcontractors”) in the performance of its obligations, provided that Evisort shall remain liable and responsible for the Subcontractors’ acts and omissions to the extent any of such acts or omissions, if performed by Evisort, would constitute a breach of, or otherwise give rise to liability to Evisort under, this Agreement when they are performing for or on behalf of Evisort.

4. Consideration.

  1. Fees. Customer will pay Evisort the then applicable fees described in the Order Form for the Services and Professional Services in accordance with the terms therein (the “Fees”), along with any applicable sales and use taxes. If Customer’s use of the Services exceeds the Service Capacity or Number of Users set forth on the Order Form or otherwise requires the payment of additional fees (per the Agreement), Customer shall be billed for such usage and Customer agrees to pay the additional fees in the manner provided herein. Evisort reserves the right to change the Fees or applicable charges and to institute new charges and Fees for any renewal term by providing at least sixty (60) days’ notice to Customer prior to the beginning of such Renewal Term (which may be sent by email). If Customer believes that Evisort has billed Customer incorrectly, Customer must contact Evisort no later than sixty (60) days after the invoice date on the invoice in which the error or problem appeared, in order to receive an adjustment or credit (if applicable).
  2. Invoicing. Evisort may choose to bill through an invoice, in which case, full payment for invoices issued must be received by Evisort within thirty (30) days after the date of the invoice. Invoices shall be for the fees and applicable taxes. Unpaid amounts are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all expenses of collection, and may result in immediate termination of Service. Customer shall be responsible for all taxes associated with the Services other than taxes based on Evisort’s net income.
  3. Overages. Should Customer exceed their Service Capacity by greater than a 5% variance threshold in any given time period, Evisort will have the right to invoice the Customer for the increased Service Capacity at the rate specified for overages within the contract or Order Form, pro-rated to account for any months of the term that lapsed prior to the overage. The overages may be invoiced when first incurred or on the same schedule as other invoices due under this agreement, and will be payable in accordance with these Terms. Evisort will endeavor to provide the Customer with alerts upon crossing 80% and 100% of the applicable Service Capacity.

5. Warranties; Disclaimers; Limitations on Liability

  1. General Representations. Each party represents and warrants that: (a) as of the Effective Date and throughout the Term, it is duly organized, validly existing and in good standing under the laws of its jurisdiction of incorporation or organization; (b) that the execution and performance of the Agreement, or use of the Services, will not conflict with or violate any provision of any law having applicability to such party; and (c) that the Agreement, when executed and delivered, will constitute a valid and binding obligation of such party and will be enforceable against such party in accordance with its terms.
  2. Evisort Warranties. Evisort shall use reasonable efforts consistent with industry standards to maintain the Services in a manner which minimizes errors and interruptions in the Services and shall perform any Professional Services in a professional and workmanlike manner. Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Evisort or by third-party providers, or because of other causes beyond Evisort’s reasonable control, but Evisort shall use reasonable efforts to provide advance notice in writing or by e-mail of any scheduled service disruption.
  3. Customer Content. Customer represents and warrants that it has obtained and will maintain throughout the Term, all rights, consents and permissions for Customer to make available the Customer Content to Evisort and for Evisort to use the Customer Content as contemplated herein.
  4. Compliance with Laws and Policies. Customer will use the Services in accordance with all applicable laws, rules and regulations; as well as any of Evisort’s standard published policies, if any, in effect as of the date Customer and Evisort execute an Order Form and as may be amended by Evisort, in its sole discretion, from time to time. Although Evisort has no obligation to monitor Customer’s use of Evisort Services, Evisort may do so and may prohibit any use of the Evisort Services it believes may be (or alleged to be) in violation of the foregoing.

6. Indemnification

  1. Evisort Indemnity. Evisort will indemnify, defend and hold Customer, its directors, officers, and employees harmless from and against any and all losses, damages, liability, costs and expenses awarded by a court or agreed upon in settlement, as well as all reasonable and related attorneys’ fees and court costs (collectively “Losses”) arising out of any third party claim to the extent alleging that the Evisort Services infringe any U.S. or foreign patent, copyright, trademark or trade secret.
  2. Customer Indemnity. Customer will indemnify, defend and hold harmless Evisort, its directors, officers, and employees from and against any and all Losses arising out of any third party claim (a) alleging a Customer breach of any Customer representation or warranty in Section 5, and (b) arising out of any Customer Indemnity Responsibility.
  3. Exclusions. Section 6.1 will not apply if the alleged claim arises, in whole or in part, from: (a) a use or modification of the Services by Customer or any User in breach of the Agreement, (b) a combination, operation or use of the Services with other software, hardware or technology not provided by Evisort if the claim would not have arisen but for the combination, operation or use, (c) made in whole or in part in accordance with Customer specifications if the claim would not have arisen but for such specifications, (d) where Customer continues allegedly infringing activity after being notified thereof or after being informed of modifications that would have avoided the alleged infringement, or (e) the Customer Content (any of the foregoing circumstances under clauses (a), (b), (c), (d) or (e) will be collectively referred to as a “Customer Indemnity Responsibility”).
  4. Indemnification Process. The foregoing indemnification obligations are conditioned on the indemnified party: (a) notifying the indemnifying party promptly in writing of such action, (b) reasonably cooperating and assisting in such defense and (c) giving sole control of the defense and any related settlement negotiations to the indemnifying party with the understanding that the indemnifying party may not settle any claim in a manner that admits guilt or otherwise prejudices the indemnified party, without consent.
  5. Infringement. If the Evisort Services are, or in Evisort’s opinion, are likely to become, the subject of any infringement-related claim, then Evisort will, at its expense and in its discretion: (a) procure for Customer the right to continue using the Evisort Services; (b) replace or modify the infringing technology or material so that the Evisort Services become non-infringing and remain materially functionally equivalent; or (c) terminate the Order Form pursuant to which the Evisort Services are provided and give Customer a refund for any pre-paid but unused Fees.

7. Term and Termination

  1. Term. Subject to earlier termination as provided below, the term of the Agreement will commence on the Effective Date (as defined in the Order Form) and shall remain in effect for the initial term set forth in the Order Form (the “Initial Service Term”). Thereafter, the Agreement shall automatically renew for additional periods of the same duration as the Initial Service Term (collectively, the “Term”), unless either party requests termination at least thirty (30) days prior to the end of the then-current term.
  2. Termination. Either party may terminate the Agreement or any Order Form, at its discretion, effective immediately upon written notice to the other if the other party materially breaches any provision of the Agreement and does not substantially cure the breach within thirty (30) days after receiving written notice.
  3. Suspension of Service(s). At any time during the Term, Evisort may, immediately upon notice to Customer, suspend access to any Service for the following reasons: (a) a threat to the technical security or technical integrity of the Evisort Services; (b) any amount due under the Agreement is not received by Evisort within fifteen (15) days after it was due, or (c) breach or violation by Customer of any laws, rules, or regulations.
  4. Customer Content. Evisort reserves the right to permanently and definitively delete any Customer Content thirty (30) days following termination of the Agreement. Upon termination, Evisort shall also promptly delete any Customer Content upon Customer’s written request. Any data deleted may remain in immutable electronic backups maintained by Evisort used purely for backup, disaster recovery and data protection purposes for up to an additional 90 days beyond any such deletion or certification.
  5. Effects of Termination. Upon termination or expiration of the Agreement for any reason, (a) any amounts owed to Evisort prior to such termination or expiration and all completed but unpaid Professional Services fees will be immediately due and payable and (b) all licensed and access rights granted will immediately cease to exist. Sections 1, 2.4, 2.6, 3, 5, 6, 7.4, 7.5 and 8 will survive any expiration or termination of the Agreement.

8. General

  1. Assignment. The Agreement may not be assigned by Customer without the prior written consent of Evisort. Any attempted assignment or delegation in violation of this Section 8.1 will be null, void and of no effect.
  2. Publicity. During the Term and thereafter, Evisort may refer to Customer as an Evisort customer, orally and in writing (including in promotion or marketing materials and on Evisort’s website and social media postings).
  3. Relationship. No agency, partnership, joint venture, or employment is created as a result of the Agreement and Customer does not have any authority of any kind to bind Evisort in any respect whatsoever.
  4. Notices. All notices, consents, and approvals under the Agreement must be delivered via email or in writing by courier, by electronic facsimile (fax), or by certified or registered mail, (postage prepaid and return receipt requested) to the other party at the address set forth in the Order Form and will be effective upon receipt. Either party may change its address by giving notice of the new address to the other party.
  5. Governing Law; Disputes. The Agreement will be governed by the laws of the State of California without reference to its conflicts of law principles. The United Nations Convention for the International Sale of Goods will not apply to the Agreement. Any dispute, controversy or claim arising out of or relating to the Agreement, will be made exclusively in the state or federal courts located in San Mateo County, California and both parties submit to the jurisdiction and venue of such courts.
  6. Waivers. All waivers must be in writing. Any waiver or failure to enforce any provision of the Agreement on one occasion will not be deemed a waiver of any other provision or of such provision on any other occasion.
  7. Severability. If any provision of the Agreement is unenforceable, such provision will be changed and interpreted to accomplish the objectives of such provision to the greatest extent possible under applicable law and the remaining provisions will continue in full force and effect.
  8. No Third Party Beneficiaries. The parties acknowledge that the covenants set forth in the Agreement are intended solely for the benefit of the parties, their successors and permitted assigns. Nothing herein, whether express or implied, will confer upon any person or entity (including any User or any employee) other than the parties, their successors and permitted assigns, any legal or equitable right whatsoever to enforce any provision of the Agreement.
  9. Construction. The headings of Sections of the Agreement are for convenience and are not to be used in interpreting the Agreement. As used in the Agreement, the word “including” means “including but not limited to.”
  10. Force Majeure. Any delay in the performance of any duties or obligations of either party (except the payment of money owed) will not be considered a breach of the Agreement if such delay is caused by a natural disaster, war, act of terror, or any other event beyond the reasonable control of such party. The affected party will use reasonable efforts, under the circumstances, to notify the other party of the circumstances causing the delay and to resume performance as soon as possible.
  11. Entire Agreement. The Agreement constitutes the entire agreement between the parties regarding the subject hereof and supersedes all prior or contemporaneous agreements, understandings, and communication, whether written or oral. The Agreement may be amended only by a written document signed by both parties.
  12. Insurance. During the term of this Agreement, Evisort shall maintain, at the minimum, (a) commercial general liability insurance in an amount of no less than $1,000,000 per occurrence and $2,000,000 in the aggregate, (b) cyber liability and media liability insurance coverage of at least $5,000,000 per occurrence and in the aggregate, and (c) workers’ compensation insurance as required by applicable law.


Security Practices at Evisort

1. Security Protocols

  1. Information Security Program. Evisort shall maintain a comprehensive written information security program, including policies, standards, procedures, and related documents that establish criteria, means, methods, and measures governing the processing and security of Customer Content and the Evisort systems or networks used to process or secure Customer Content in connection with providing the Services (“Evisort Information Systems”). Subcontractors engaged by Evisort in accordance with this agreement will maintain (at a minimum) substantially similar levels of security as applicable and required by these Security Practices.
  2. Security Controls. In accordance with its information security program, Evisort shall implement appropriate physical, organizational, and technical controls designed to (a) ensure the security, integrity, and confidentiality of Customer Content accessed, collected, used, stored, or transmitted to or by Evisort, and (b) protect Customer Content from known or reasonably anticipated threats or hazards to its security, integrity, accidental loss, alteration, disclosure, and other unlawful forms of processing. Without limiting the foregoing, Evisort will, as appropriate, utilize the following controls:
  3. Firewalls. Evisort will install and maintain firewall(s) to protect data accessible via the Internet.
  4. Updates. Evisort will maintain programs and routines to keep the Evisort information systems up to date with the latest upgrades, updates, bug fixes, new versions, and other modifications.
  5. Anti-malware. Evisort will deploy and use anti-malware software and will keep the anti-malware software up to date. Evisort will use such software to mitigate threats from all viruses, spyware, and other malicious code that are or should reasonably be detected.
  6. Testing. Evisort will regularly test its security programs, processes, and controls to ensure they meet the requirements of these Security Practices.
  7. Access Controls. Evisort will secure data in production Evisort Information Systems by complying with the following:
  8. Evisort will assign a unique ID to each individual with access to systems processing Customer Content.
  9. Evisort will restrict access to systems with Customer Content to only those individuals necessary to perform a specified obligation as permitted by this Agreement.
  10. Evisort will regularly review the list of individuals and services with access to systems processing Customer Content and remove accounts that no longer require access.
  11. Evisort will not use manufacturer supplied defaults for system passwords on any operating systems, software, or other systems, and will mandate the use of system-enforced “strong passwords” in accordance with or exceeding the best practices (described below) on all systems processing Customer Content.
  12. At a minimum, Evisort production passwords will (i) contain at least eight (8) characters; include at least one capitalized and one lowercase letter, at least one number, and one special symbol; and (ii) be changed whenever an account compromise is suspected or assumed.
  13. Evisort will enforce account lockout by requiring additional validation or disabling access to Customer Content when an account exceeds a designated number of incorrect password attempts in a certain period of time.
  14. Policies. Evisort will maintain and enforce appropriate information security, confidentiality, and acceptable use policies for employees, subcontractors, agents and suppliers that meet the standards set forth in these Security Practices, including methods to detect and log policy violations.
  15. Development. Development and testing environments for Evisort Information Systems will be separate from production environments.
  16. Encryption. Evisort will utilize cryptographic standards mandating authorized algorithms, key length requirements, and key management processes that are consistent with or exceed then-current industry standards, including NIST recommendations, and utilize hardening and configuration requirements consistent in approach with then-current industry standards, including SANS Institute, NIST, or Center for Internet Security (CIS) recommendations. Pursuant to such standards, Evisort will encrypt Customer Content at rest within the online Services and only allow encrypted connections to the online Service for the transfer of Customer Content.
  17. Remote Access. Evisort will ensure that any access from outside of its protected corporate or production environments to a system or systems processing Customer Content or to Evisort’s corporate or development workstation networks will require appropriate connection controls, such as VPN or multi-factor authentication.

2. System Availability. Evisort will maintain (or, with respect to systems controlled by its subcontractors, ensure that such subcontractors maintain) a disaster recovery (“DR”) program designed to recover the Service’s availability following a disaster. At a minimum, such DR program will include the following elements: (a) routine validation of procedures to regularly and programmatically create retention copies of Customer Content for the purpose of recovering lost or corrupted data; (b) inventories, updated at minimum annually, that list all critical Evisort Information Systems; (c) annual review and update of the DR program; and (d) annual testing of the DR program designed to validate the DR procedures and recoverability of the service detailed there

3. Security Incidents

  1. Procedure. If Evisort becomes aware of confirmed unauthorized or unlawful access to any Customer Content processed by Evisort Information Systems (a “Security Incident”), Evisort will promptly (a) notify Customer of the Security Incident; and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
  2. Unsuccessful Attempts. An unsuccessful attack or intrusion is not a Security Incident subject to this Section 3. An “unsuccessful attack or intrusion” is one that does not result in unauthorized or unlawful access to Customer Content and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or TCP/UDP headers), or similar incidents.
  3. User Involvement. Unauthorized or unlawful access to Customer Content that results from the compromise of a User’s login credentials or from the intentional or inadvertent disclosure of Customer Content by a User is not a Security Incident.
  4. Notifications. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s Admin users by any reasonable means Evisort selects, including email, as time is typically of the essence. Customers are solely responsible for maintaining accurate contact information in the online Service at all times.
  5. Disclaimer. Evisort’s obligation to report or respond to a Security Incident under this Section 3 is not an acknowledgement by Evisort of any fault or liability of Evisort with respect to the Security Incident.

4. Auditing and Reporting

  1. Monitoring. Evisort monitors the effectiveness of its information security program on an ongoing basis by conducting various audits, risk assessments, and other monitoring activities to ensure the effectiveness of its security measures and controls.
  2. Audit Reports. Evisort uses external auditors to verify the adequacy of its security measures and controls for certain Services, including the Services provided under the Agreement. The resulting audit will: (a) include testing of the entire measurement period since the previous measurement period ended; (b) be performed according to AICPA SOC2 standards or such other alternative standards that are substantially equivalent to AICPA SOC2; (c) be performed by independent third party security professionals at Evisort’s selection and expense; and (d) result in the generation of a SOC2 or SOC3 report (“Audit Report”), which will be Evisort’s Confidential Information. The Audit Report will be made available to Customer upon written request no more than annually, subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement. Customer may also request a SOC 3 report, which, if available from Evisort, will not be subject to such confidentiality obligations but shall attest to the external auditor’s verification and findings. For the avoidance of doubt, each Audit Report will only discuss Services in existence at the time the Audit Report was issued; subsequently released Services, if within the scope of the Audit Report, will be in the next annual iteration of the Audit Report.
  3. Penetration Testing. Evisort uses external security experts to conduct penetration testing of certain online Services, including the Services. Such testing will: (a) be performed at least annually; (b) be performed by independent third party security professionals at Evisort’s selection and expense; and (c) result in the generation of a penetration test report (“Pen Test Report”), which will be Evisort’s Confidential Information. Pen Test Summary Reports or attestation letters attesting to the same will be made available to Customer upon written request no more than annually subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement.
  4. Worldwide Bug Bounty Program. Evisort shall maintain a bug bounty program to proactively detect bugs and vulnerabilities. The program will operate such that external security experts shall have access to a production-like version of the software by which the Services are provided, with such experts incentivized and rewarded for finding vulnerabilities with monetary rewards. This program will be run on a continuous basis with rewards available at all times to the security experts participating in the program.

Last updated: 03/2022. The previous version of these Terms can be found here.