Terms and Conditions May 24, 2022

These Terms and Conditions (“T&Cs”) are between Evisort Inc., a Delaware corporation with a principal office at 177 Bovet Road, Suite 400, San Mateo, CA 94402 (“Evisort”) and the Customer identified in the Order Form executed between Evisort and Customer. These T&Cs govern the rights and obligations of Evisort and Customer governing Customer’s access to and use of Evisort’s platform and services, including for any pilot or proof of concept or value, as specified in any Order Form.

1. Definitions. Any terms not defined herein have the meaning given to them in the applicable Order Form.

  1. Access Credentials” means login information, passwords, security protocols, and policies through which Users access the Evisort Platform and Services.
  2. “Agreement” means, collectively, these T&Cs, and including, but not limited to, all applicable Order Forms, exhibits, addenda, schedules, or appendices thereto.
  3. Evisort Platform” means the Evisort platform-as-a-service environment identified in the Order Form that allows Users to access certain features and functions through a web interface, including all Documentation.
  4. Customer Content” means the data and content uploaded or submitted to the Evisort Platform by or on behalf of Customer.
  5. Confidential Information” means all written or oral information, disclosed by one party (the “Disclosing Party”) to the other (the “Recipient”), related to the business, products, services or operations of the Disclosing Party or a third party that has been identified as confidential or that by the nature of the information or the circumstances surrounding disclosure ought reasonably to be treated as confidential, including, without limitation: (a) trade secrets, inventions, ideas, processes, computer source and object code, formulae, data, programs, other works of authorship, know-how, improvements, discoveries, developments, designs and techniques; (b) information regarding products, plans for research and development, marketing and business plans, budgets, financial statements, contracts, prices, employees, suppliers and agents; (c) all intellectual property, whether or not applied for or granted, including but not limited to patents, copyrights, trademarks, and trade dress; and (d) information regarding the skills and compensation of the Disclosing Party’s employees, contractors, and other agents.
  6. Documentation” means the documentation, user manuals, help files and videos, and other materials that describe the features, functions and operation of the Evisort Platform and Services.
  7. “Documents” means the number of documents stored on the Evisort Platform. For the purpose of counting Documents, each unique uploadable file (hereafter, “file”) shall count as one Document, except that for any file longer than 100 pages in length, the number of pages shall be divided by 100 and then rounded up to the nearest integer for the purpose of calculating the number of Documents in the Evisort Platform. For clarification, this means a one hundred (100) page file would count as one (1) Document; a one hundred twenty (120) page file would count as two (2) Documents; and a three-hundred (300) page file would count as three (3) Documents.  “Supporting Documents” are attachments to contracts, such as exhibits and appendices, order forms, invoices,  that are uploaded by Customer and linked to a Document through an "attachments" field.  Supporting Documents do not count as a Document for billing purposes."
  8. Order Form” means the document signed by an authorized representative of each party that references these T&Cs and identifies the Evisort Platform and specific Service(s) to be provided, the Term of the Agreement, any special terms, and the fees to be paid.
  9. Personal Information” means any information  that identifies any specific individual and is protected under applicable privacy laws, rules and regulations.
  10. Professional Services” means any professional services provided by Evisort to Customer as described in an Order Form (as may be further elaborated in any statement of work agreed to by the parties), including implementation, support and maintenance, and training services.
  11. Services” means any services provided by Evisort pursuant to this Agreement, including training and technical support services, Professional Services, and any other services described in an Order Form or statement of work.
  12. Service Capacity” means the number of Documents that Evisort and Customer agree can be uploaded to the Evisort Platform. The Service Capacity is set forth in the applicable Order Form; if the Service Capacity is not set forth in the Order Form, it shall be set at Evisort’s discretion. Evisort may measure Service Capacity at any point during the applicable Term using this calculation: Documents uploaded to the Evisort Platform at the beginning of the Term plus the number of Documents uploaded to the Evisort Platform during the subsequent 12 calendar months.
  13. Site” means Evisort’s website at https://evisort.com, any website linked from https://evisort.com, and any other website that is owned or controlled by Evisort and that provides access to the Evisort Platform.
  14. Usage Data” means any diagnostic and usage-related information and data from the use, performance and operation of the Evisort Platform and Services that may include, but is not limited to, usage patterns, traffic logs, and User engagement with the Evisort Platform and Services.
  15. User” means each of Customer’s employees, representatives, consultants, or independent contractors with Access Credentials. The number of Users who may be provided Access Credentials is set forth in the applicable Order Form.

2. Customer Rights and Obligations.

  1. License Grant to Evisort Platform. Subject to Customer’s compliance with the terms and conditions contained in the Agreement, Evisort grants to Customer a non-exclusive, non-transferable, limited, revocable license, with no right to sub-license, to access and use the Evisort Platform and any Services as specified in the applicable Order Form.
  2. Customer Facilities and Equipment. Customer will be responsible for obtaining and maintaining, at Customer’s expense, all of the necessary telecommunications, computer hardware and software, and Internet connectivity required by Customer or any User to access the Evisort Platform and any Services.
  3. Access Credentials. Customer will safeguard and ensure that all its Users safeguard the Access Credentials. Customer shall use commercially reasonable efforts to prevent unauthorized access to, or use of, the Evisort Platform, and notify Evisort promptly of any such unauthorized use known to Customer.  Customer will be responsible for all acts and omissions of Users.
  4. Customer Content. Customer is solely responsible for any and all obligations with respect to the accuracy, quality and legality of Customer Content. Customer will obtain all licenses, consents and permissions necessary to permit Evisort to use the Customer Content to provide the Evisort Platform and Services to Customer.
  5. License in Customer Content. Customer grants to Evisort, on behalf of itself, its customers, and its Users, a limited, non-exclusive license to use the Customer Content solely as necessary and appropriate for purposes of providing the Evisort Platform and Services, performing its rights and obligations under the Agreement. Except for the limited license granted to Evisort in any Customer Content under this Agreement, as between Customer and Evisort, Customer reserves all right, title and interest in and to the Customer Content. Notwithstanding anything in this agreement to the contrary, Evisort may use Customer Content to create one or more anonymized, de-identified, and aggregated data sets in a manner that does not permit identification of Customer, its customers, or its Users (collectively, the “Anonymized Aggregate Data”). Evisort may use Anonymized Aggregate Data for Evisort’s lawful business purposes, including to improve, market, provide, and enhance the Evisort Platform and Services and for other development, diagnostic, and corrective purposes in connection with the Evisort Platform and Services and any other Evisort offerings.
  6. Customer Restrictions. During the Term and thereafter, Customer shall not knowingly, and shall not knowingly permit any of its employees, contractors or Users to, directly or indirectly: (a) act as a reseller or distributor of, or a service bureau for, the Evisort Platform or Services or otherwise use, exploit, make available or encumber the Evisort Platform or Services to or for the benefit of any third party other than Customer’s customers; (b) use or demonstrate the Evisort Platform in an unauthorized manner; (c) reverse engineer, disassemble or decompile the Evisort Platform or Services or attempt to derive the source code or underlying ideas or algorithms of any part of the Evisort Platform or Services (except to the limited extent applicable laws specifically prohibit such restriction); (d) access or use the Evisort Platform or Services without the prior written consent of Evisort if Customer is or becomes a direct competitor to Evisort or its affiliates; (e) share access, use, or information about the Evisort Platform or Services with a direct competitor of Evisort; (f) remove any notice of proprietary rights from the Evisort Platform or Services; (g) copy, modify, translate or otherwise create derivative works of any part of the Evisort Platform or Services (other than as as necessary or attendant to Customer’s use of and access to the Evisort Platform and Services pursuant to this Agreement); (h) use the Evisort Platform or Services in a manner that interferes or attempts to interfere with the proper working of the Evisort Platform or Services, including bypassing or attempting to bypass any privacy settings or measures used to prevent or restrict access to the Evisort Platform; (i) use manual or automated software, devices, robots, spiders, or other processes to “crawl” or “spider” or to retrieve, index, “scrape”, “data mine” or in any way gather information, content or other materials from the Evisort Platform in an unauthorized manner or reproduce or circumvent the navigational structure or presentation of the Evisort Platform; (j) use the Evisort Platform in a manner which interferes with or disrupt its integrity or performance; (k) use or allow the transmission, transfer, export, re-export or other transfer of any software, technology or information forming a part of the Evisort Platform or Services in violation of any export control or other laws and regulations of the United States or any other relevant jurisdiction; or (l) use the Evisort Platform to share or store inappropriate materials, including (i) materials containing viruses or other harmful or malicious code; (ii) unsolicited mail (spam); (iii) copyrighted materials to which Customer does not have sufficient rights; (iv) harassing, tortious, or defamatory materials; or (v) other materials prohibited by applicable international, federal, state, or local laws and regulations.

3. Evisort’s Rights and Obligations.

  1. Evisort Intellectual Property. Except for the license granted to Customer under this Agreement, Evisort reserves all right, title and interest in and to its intellectual property, including the Evisort Platform, Services, Documentation, Usage Data, Anonymized Aggregate Data, and Confidential Information. Unless otherwise expressly set forth in an Order Form, and except for any Customer Content, all work product or services provided or developed pursuant to the Agreement (including any modifications and improvements to the Evisort Platform or  Services pursuant to subsection 3.2 or any intellectual property developed pursuant to subsection 3.3), and all intellectual property and other proprietary rights derived therefrom, will be the sole and exclusive property of Evisort.
  2. Continuous Development. Customer acknowledges that Evisort may continually develop, deliver and provide to Customer on-going innovation to the Evisort Platform in the form of new features, functionality, and efficiencies. Accordingly, Evisort reserves the right to modify the Evisort Platform or Services from time to time. Some modifications will be provided to Customer at no additional charge. In the event Evisort adds additional functionality, Evisort may condition the implementation of such new functionality on Customer’s payment of additional fees provided Customer may continue to use the version of the Evisort Platform and Services specified in the Order Form without paying additional fees.
  3. Professional Services; Training and Support. Customer may request that Evisort provide certain Professional Services related to Customer’s use of the Evisort Platform and Services. Any such Professional Services must be agreed to by Evisort and included in the Order Form or in a separate statement of work.
  4. Technical Support. Evisort shall provide Customer with reasonable technical support services for Customer’s access to and use of the Evisort Platform throughout the Term. Evisort agrees to use commercially reasonable efforts to make the Evisort Platform and Services available to Customer at least 99.5% of the time excluding planned maintenance, measured monthly during each month of the Term.

4. Confidential Information.

  1. Use and Disclosure. During the Term of the Agreement, each party will have access to the other party’s Confidential Information. Except as otherwise expressly permitted, and without limiting each party’s obligations under the Agreement, each Recipient agrees as follows: (a) it will not disclose the Confidential Information of the Disclosing Party to anyone except its employees, service providers, and independent contractors who have a need to know and who are bound by written confidentiality obligations similar to those herein (each a “Representative”) and (b) it will not use or reproduce the Confidential Information disclosed by the Disclosing Party for any purpose other than exercising its rights and performing its obligations as described herein. Each Recipient will be liable for the acts and omissions of its Representatives with respect to the Disclosing Party’s Confidential Information.
  2. Exceptions. The provisions of the foregoing Section 4.1 will not apply to Confidential Information that: (a) becomes generally available to the public through no fault of the Recipient; (b) is lawfully provided to the Recipient by a third party free of any confidentiality duties or obligations; (c) Recipient can prove was already known to the Recipient without restriction at the time of disclosure; or (d) Recipient can prove was independently developed by employees and contractors of Recipient who had no access to the Confidential Information. Notwithstanding the foregoing Section 4.1, each party may disclose Confidential Information to the limited extent required by a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the party making the disclosure pursuant to the order will first have given written notice (to the extent legally permitted) to the other party and made a reasonable effort to obtain a protective order.

5. Security and Processing.

  1. Security. Evisort has implemented and will maintain a comprehensive information security program as described in Schedule 1 (Security Practices) which shall be consistent with industry standards that contain appropriate administrative, technical and physical safeguards reasonably designed to protect Customer Content from unauthorized disclosure. Evisort may update such security policies and safeguards from time to time, provided that any such update does not materially reduce the overall level of security or commitments as described in Schedule 1.
  2. Processing. Evisort’s processing of personal data shall be governed by the Data Processing Addendum (DPA) entered into contemporaneously by the parties hereto. If the parties do not separately execute a DPA contemporaneously with this Agreement, the DPA available at https://evisort.com/dpa shall govern.
  3. Subcontractors. Evisort may utilize subcontractors and subprocessors (“Subcontractors”) in the performance of its obligations, provided that Evisort shall remain liable and responsible for the Subcontractors’ acts and omissions to the extent any of such acts or omissions, if performed by Evisort, would constitute a breach of, or otherwise give rise to liability to Evisort under, this Agreement when they are performing for or on behalf of Evisort.

6. Payment Terms.

  1. Fees. Customer will pay Evisort the fees specified in the Order Form (or statement of work, if applicable) for the Evisort Platform and any Services in accordance with the terms therein (the “Fees”), along with any applicable sales and use taxes. If Customer’s use of the Evisort Platform exceeds the Service Capacity or Number of Users specified in the Order Form or is otherwise contractually obligated to pay additional fees, Customer shall be billed for such additional fees in the manner provided herein.
  2. Invoicing. Unless otherwise specified in the Order Form, the payment terms in this Section 6.2 shall apply.  Evisort may choose to bill through an invoice that specifies the fees and applicable taxes, and for which full payment must be received by Evisort within thirty (30) days after the invoice date. Unpaid amounts are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all expenses of collection, and may result in suspension of access to the Evisort Platform and Services is payment is more than sixty (60) days late. Customer shall be responsible for all taxes associated with the Services other than taxes based on Evisort’s net income. If Customer believes that Evisort has billed Customer incorrectly, Customer must contact Evisort no later than sixty (60) days after the invoice date on the invoice in which the error or problem appeared, in order to receive an adjustment or credit (if applicable).
  3. Overages. Should Customer exceed the Service Capacity specified in the applicable Order Form by greater than five percent (5%) during the applicable Term, Evisort will have the right to invoice the Customer for the increased Service Capacity at the rate specified in the Order Form, pro-rated to account for any months of the Term that lapsed prior to the overage. The overages may be invoiced when first incurred or on the same schedule as other invoices due under the Order Form or these T&Cs, and will be payable in accordance with this Section 6. Evisort will use commercially reasonable efforts to provide the Customer with alerts upon crossing 80% and 100% of the applicable Service Capacity.
  4. Preferred Customer Program Discount. Evisort shall provide a discount off of Fees (detailed in the Order Form) for Customers that agree to share their experience with the Evisort Platform and Services in an audio-visual and written format for Evisort’s use in its advertising and marketing.  Example content can be found here:  https://www.evisort.com/customer-stories.  Customers electing to participate may so indicate on the Order Form.

7. Warranties; Disclaimers; Limitations on Liability.

  1. General Representations. Each party represents and warrants that: (a) as of the Effective Date and throughout the Term, it is duly organized, validly existing and in good standing under the laws of its jurisdiction of incorporation or organization; (b) the execution and performance of the Agreement, or use of the Evisort Platform and Services, will not conflict with or violate any provision of any law having applicability to such party; and (c) the Agreement, when executed and delivered, will constitute a valid and binding obligation of such party and will be enforceable against such party in accordance with its terms.
  2. Evisort Warranties. Evisort shall use reasonable efforts consistent with industry standards to maintain the Evisort Platform and Services in a manner which minimizes errors and interruptions and shall perform any Professional Services in a professional and workmanlike manner. The Evisort Platform and Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Evisort or by third-party providers, or because of other causes beyond Evisort’s reasonable control, but Evisort shall use reasonable efforts to provide advance notice in writing or by e-mail of any scheduled service disruption.
  3. Customer Content. Customer represents and warrants that it has obtained and will maintain throughout the Term, all rights, consents and permissions for Customer to make available the Customer Content to Evisort and for Evisort to use the Customer Content as contemplated herein.
  4. Compliance with Laws and Policies. Customer will use the Evisort Platform and Services in accordance with all applicable laws, rules and regulations; as well as any of Evisort’s standard published policies, if any, in effect as of the date Customer and Evisort execute an Order Form and as may be amended by Evisort, in its sole discretion, from time to time. Although Evisort has no obligation to monitor Customer’s use of the Evisort Platform and Services, Evisort may do so and may prohibit any use of the Evisort Platform and Services it believes may be (or alleged to be) in violation of the foregoing.

8. Indemnification.

  1. Evisort Indemnity. Evisort will indemnify, defend and hold Customer, its directors, officers, and employees harmless from and against any and all losses, damages, liability, costs and expenses awarded by a court or agreed upon in settlement, as well as all reasonable and related attorneys’ fees and court costs (collectively “Losses”) arising out of any third party claim alleging that the Evisort Platform or Services infringe any third party’s intellectual property rights.
  2. Exclusions. Section 8.1 will not apply if the alleged claim arises, in whole or in part, from: (a) a use or modification of the Evisort Platform or Services by Customer or any User in breach of the Agreement, (b) a combination, operation or use of the Evisort Platform or Services with other software, hardware or technology not provided by Evisort if the claim would not have arisen but for the combination, operation or use, (c) made in whole or in part in accordance with Customer specifications if the claim would not have arisen but for such specifications, (d) where Customer continues allegedly infringing activity after being notified thereof or after being informed of modifications that would have avoided the alleged infringement, or (e) the Customer Content (any of the foregoing circumstances under clauses (a)-(e) will be collectively referred to as a “Customer Indemnity Responsibility”).
  3. Customer Indemnity. Customer will indemnify, defend and hold harmless Evisort, its directors, officers, and employees from and against any and all Losses arising out of any third party claim (a) alleging a Customer breach of any Customer representation or warranty in Section 7, and (b) arising out of any Customer Indemnity Responsibility.
  4. Indemnification Process. The foregoing indemnification obligations are conditioned on the indemnified party: (a) notifying the indemnifying party promptly in writing of such action, (b) reasonably cooperating and assisting in such defense; and (c) giving sole control of the defense and any related settlement negotiations to the indemnifying party with the understanding that the indemnifying party may not settle any claim in a manner that admits guilt or otherwise prejudices the indemnified party without its consent.
  5. Infringement Remedy. If the Evisort Platform or Services are, or in Evisort’s opinion, are likely to become, the subject of any infringement-related claim, then Evisort will, at its expense and in its discretion: (a) procure for Customer the right to continue using the Evisort Platform and Services; (b) replace or modify the infringing technology or material so that the Evisort Platform and Services become non-infringing and remain materially functionally equivalent; or (c) terminate the Order Form pursuant to which the Evisort Platform and Services are provided and give Customer a refund for any pre-paid but unused Fees. THE PROVISIONS OF THIS SECTION 8.5 STATE EVISORT’S ENTIRE LIABILITY AND CUSTOMER’S EXCLUSIVE REMEDIES FOR ANY CLAIM BY CUSTOMER THAT THE EVISORT PLATFORM OR SERVICES INFRINGE A THIRD PARTY’S INTELLECTUAL PROPERTY RIGHT.

9. Term and Termination.

  1. Term. Subject to earlier termination as provided below, the term of the Agreement will commence on the Effective Date (as defined in the Order Form) and shall remain in effect for the initial term set forth in the Order Form (the “Initial Service Term”). Thereafter, the Agreement shall automatically renew for additional periods of the same duration as the Initial Service Term (the “Renewal Term”), unless either party requests termination at least thirty (30) days prior to the end of the then-current term.  Upon at least sixty (60) days’ written notice prior to the start of the Renewal Term, Evisort may notify Customer of any new Fees or charges, if any, for the Renewal Term.  
  2. Termination. Either party may terminate the Agreement or any Order Form, at its discretion, effective immediately upon written notice to the other if the other party materially breaches any provision of the Agreement and does not substantially cure the breach within thirty (30) days after receiving written notice.
  3. Suspension of Access. At any time during the Term, Evisort may, immediately upon notice to Customer, suspend access to the Evisort Platform or any Service for the following reasons: (a) a threat to the technical security or technical integrity of the Evisort Platform or Services; (b) any amount due under the Agreement is not received by Evisort within thirty (30) days after it was due, or (c) breach or violation by Customer of any laws, rules, or regulations.
  4. Customer Content. Evisort reserves the right to permanently delete any Customer Content thirty (30) days following termination of the Agreement. Upon termination, Evisort shall also promptly delete any Customer Content upon Customer’s written request. Any data deleted may remain in immutable electronic backups maintained by Evisort and used purely for backup, disaster recovery and data protection purposes for up to an additional ninety (90) days beyond any such deletion or certification.  Customer may additionally request, up to thirty (30) days after termination, and provided that Customer has fully paid all outstanding invoices, a copy of its Customer Content, which Evisort will provide via an online shared folder.
  5. Effects of Termination. Upon termination or expiration of the Agreement for any reason, (a) any amounts owed to Evisort prior to such termination or expiration and all completed but unpaid Professional Services fees will be immediately due and payable and (b) all licensed and access rights granted will immediately cease to exist. Sections 1, 2.5, 2.6, 4, 6, 7, 8, 9.4, 9.5, and 10 will survive any expiration or termination of the Agreement.

10. General.

  1. Assignment. Neither party may assign this Agreement without the prior written consent of the other party, except in the event of a merger, sale, or acquisition of all or substantially all of the assigning party’s assets to an entity that is not a direct competitor of the non-assigning party. Any attempted assignment or delegation in violation of this Section 10.1 will be null, void and of no effect.
  2. Publicity. During the Term and thereafter, Evisort may refer to Customer as an Evisort customer, orally and in recordable format (including in promotion or marketing materials and on Evisort’s website and social media postings).
  3. Relationship. No agency, partnership, joint venture, or employment is created as a result of the Agreement and neither party has any authority of any kind to bind the other party in any respect whatsoever.
  4. Notices. All notices, consents, and approvals under the Agreement must be delivered in writing by courier, by a reputable overnight delivery service (e.g., FedEx, UPS, DHL, or USPS), or by email to the other party at the address set forth in the Order Form and will be effective upon receipt. Either party may change its address by giving notice of the new address to the other party.
  5. Governing Law; Disputes. The Agreement will be governed by the laws of the State of California without reference to its conflicts of law principles. The United Nations Convention for the International Sale of Goods will not apply to the Agreement. Any dispute, controversy or claim arising out of or relating to the Agreement, will be made exclusively in the state or federal courts located in San Mateo County, California and both parties submit to the jurisdiction and venue of such courts.
  6. Waivers. All waivers must be in writing. Any waiver or failure to enforce any provision of the Agreement on one occasion will not be deemed a waiver of any other provision or of such provision on any other occasion.
  7. Severability. If any provision of the Agreement is unenforceable, such provision will be changed and interpreted to accomplish the objectives of such provision to the greatest extent possible under applicable law and the remaining provisions will continue in full force and effect.
  8. No Third Party Beneficiaries. The parties acknowledge that the covenants set forth in the Agreement are intended solely for the benefit of the parties, their successors and permitted assigns. Nothing herein, whether express or implied, will confer upon any person or entity (including any User or any employee) other than the parties, their successors and permitted assigns, any legal or equitable right whatsoever to enforce any provision of the Agreement.
  9. Construction. The headings of Sections of the Agreement are for convenience and are not to be used in interpreting the Agreement. As used in the Agreement, the word “including” means “including but not limited to.”
  10. Force Majeure. Any delay in the performance of any duties or obligations of either party (except the payment of money owed) will not be considered a breach of the Agreement if such delay is caused by a natural disaster, war, act of terror, or any other event beyond the reasonable control of such party, but shall not include the COVID-19 pandemic. The affected party will use reasonable efforts, under the circumstances, to notify the other party of the circumstances causing the delay and to resume performance as soon as possible.
  11. Entire Agreement. The Agreement constitutes the entire agreement between the parties regarding the subject hereof and supersedes all prior or contemporaneous agreements, understandings, and communication, whether written or oral. The Agreement may be amended only by a written document signed by both parties.
  12. Insurance. During the term of this Agreement, Evisort shall maintain, at the minimum, (a) commercial general liability insurance in an amount of no less than $1,000,000 per occurrence and $2,000,000 in the aggregate, (b) cyber liability and media liability insurance coverage of at least $5,000,000 per occurrence and in the aggregate, and (c) workers’ compensation insurance as required by applicable law.

Schedule 1

Security Practices at Evisort

1. Security Protocols

  1. Information Security Program. Evisort shall maintain a comprehensive written information security program, including policies, standards, procedures, and related documents that establish criteria, means, methods, and measures governing the processing and security of Customer Content and the Evisort systems or networks used to process or secure Customer Content in connection with providing the Services (“Evisort Information Systems”). Subcontractors engaged by Evisort in accordance with this agreement will maintain (at a minimum) substantially similar levels of security as applicable and required by these Security Practices.
  2. Security Controls. In accordance with its information security program, Evisort shall implement appropriate physical, organizational, and technical controls designed to (a) ensure the security, integrity, and confidentiality of Customer Content accessed, collected, used, stored, or transmitted to or by Evisort, and (b) protect Customer Content from known or reasonably anticipated threats or hazards to its security, integrity, accidental loss, alteration, disclosure, and other unlawful forms of processing. Without limiting the foregoing, Evisort will, as appropriate, utilize the following controls:

2. System Availability

Evisort will maintain (or, with respect to systems controlled by its subcontractors, ensure that such subcontractors maintain) a disaster recovery (“DR”) program designed to recover the Service’s availability following a disaster. At a minimum, such DR program will include the following elements: (a) routine validation of procedures to regularly and programmatically create retention copies of Customer Content for the purpose of recovering lost or corrupted data; (b) inventories, updated at minimum annually, that list all critical Evisort Information Systems; (c) annual review and update of the DR program; and (d) annual testing of the DR program designed to validate the DR procedures and recoverability of the service detailed there

(a) Firewalls. Evisort will install and maintain firewall(s) to protect data accessible via the Internet.

(b) Updates. Evisort will maintain programs and routines to keep the Evisort information systems up to date with the latest upgrades, updates, bug fixes, new versions, and other modifications

(c) Anti-malware. Evisort will deploy and use anti-malware software and will keep the anti-malware software up to date. Evisort will use such software to mitigate threats from all viruses, spyware, and other malicious code that are or should reasonably be detected.

(d) Testing. Evisort will regularly test its security programs, processes, and controls to ensure they meet the requirements of these Security Practices.

(e) Access Controls. Evisort will secure data in production Evisort Information Systems by complying with the following:

(i) Evisort will assign a unique ID to each individual with access to systems processing Customer Content.

(ii) Evisort will restrict access to systems with Customer Content to only those individuals necessary to perform a specified obligation as permitted by this Agreement.

(iii) Evisort will regularly review the list of individuals and services with access to systems processing Customer Content and remove accounts that no longer require access.

(iv) Evisort will not use manufacturer supplied defaults for system passwords on any operating systems, software, or other systems, and will mandate the use of system-enforced “strong passwords” in accordance with or exceeding the best practices (described below) on all systems processing Customer Content.

(v) At a minimum, Evisort production passwords will (i) contain at least eight (8) characters; include at least one  capitalized and one lowercase letter, at least one number, and one special symbol; and (ii); be changed whenever an account compromise is suspected or assumed.

(vi) Evisort will enforce account lockout by requiring additional validation or disabling access to Customer Content when an account exceeds a designated number of incorrect password attempts in a certain period of time.

(f) Policies. Evisort will maintain and enforce appropriate information security, confidentiality, and acceptable use policies for employees, subcontractors, agents and suppliers that meet the standards set forth in these Security Practices, including methods to detect and log policy violations.

(g) Development. Development and testing environments for Evisort Information Systems will be separate from production environments.

(h) Encryption. Evisort will utilize cryptographic standards mandating authorized algorithms, key length requirements, and key management processes that are consistent with or exceed then-current industry standards, including NIST recommendations, and utilize hardening and configuration requirements consistent in approach with then-current industry standards, including SANS Institute, NIST, or Center for Internet Security (CIS) recommendations. Pursuant to such standards, Evisort will encrypt Customer Content at rest within the online Services and only allow encrypted connections to the online Service for the transfer of Customer Content.

(i) Remote Access. Evisort will ensure that any access from outside of its protected corporate or production environments to a system or systems processing Customer Content or to Evisort’s corporate or development workstation networks will require appropriate connection controls, such as VPN or multi-factor authentication.

3. Security Incidents

  1. Procedure. If Evisort becomes aware of confirmed unauthorized or unlawful access to any Customer Content processed by Evisort Information Systems (a “Security Incident”), Evisort will promptly (a) notify Customer of the Security incident; and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
  2. Unsuccessful Attempts. An unsuccessful attack or intrusion is not a Security Incident subject to this Section 3. An “unsuccessful attack or intrusion” is one that does not result in unauthorized or unlawful access to Customer Content and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or TCP/UDP headers), or similar incidents.
  3. User Involvement. Unauthorized or unlawful access to Customer Content that results from the compromise of a User’s login credentials or from the intentional or inadvertent disclosure of Customer Content by a User is not a Security Incident.
  4. Notifications. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s Admin users by any reasonable means Evisort selects, including email, as time is typically of the essence. Customers are solely responsible for maintaining accurate contact information in the online Service at all times.
  5. Disclaimer. Evisort’s obligation to report or respond to a Security Incident under this Section 3 is not an acknowledgement by Evisort of any fault or liability of Evisort with respect to the Security Incident.

4. Auditing and Reporting

  1. Monitoring. Evisort monitors the effectiveness of its information security program on an ongoing basis by conducting various audits, risk assessments, and other monitoring activities to ensure the effectiveness of its security measures and controls.
  2. Audit Reports. Evisort uses external auditors to verify the adequacy of its security measures and controls for certain Services, including the Services provided under the Agreement. The resulting audit will: (a) include testing of the entire measurement period since the previous measurement period ended; (b) be performed according to AICPA SOC2 standards or such other alternative standards that are substantially equivalent to AICPA SOC2; (c) be performed by independent third party security professionals at Evisort’s selection and expense; and (d) result in the generation of a SOC2 or SOC3 report (“Audit Report”), which will be Evisort’s Confidential Information. The Audit Report will be made available to Customer upon written request no more than annually, subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement. Customer may also request a SOC 3 report, which, if available from Evisort, will not be subject to such confidentiality obligations but shall attest to the external auditor’s verification and findings. For the avoidance of doubt, each Audit Report will only discuss Services in existence at the time the Audit Report was issued; subsequently released Services, if within the scope of the Audit Report, will be in the next annual iteration of the Audit Report.  
  3. Penetration Testing. Evisort uses external security experts to conduct penetration testing of certain online Services, including the Services. Such testing will: (a) be performed at least annually; (b) be performed by independent third party security professionals at Evisort’s selection and expense; and (c) result in the generation of a penetration test report (“Pen Test Report”), which will be Evisort’s Confidential Information. Pen Test Summary Reports or attestation letters attesting to the same will be made available to Customer upon written request no more than annually subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement.  
  4. Worldwide Bug Bounty Program. Evisort shall maintain a bug bounty program to proactively detect bugs and vulnerabilities on a proactive basis. The program will operate such that external security experts shall have access to a production-like version of the software by which the Services are provided, with such experts incentivized and rewarded for finding vulnerabilities with monetary rewards. This program will be run on a continuous basis with rewards available at all time to the security experts participating in the program.

Last updated: 05/24/2022. The previous version of these Terms can be found here.