SOFTWARE AS A SERVICE AGREEMENT
TROY GROUP, INC., A DELAWARE CORPORATION (“COMPANY”), IS WILLING TO PROVIDE SAAS SERVICES TO YOU AS AN INDIVIDUAL OR THE LEGAL ENTITY YOU REPRESENT (COLLECTIVELY WITH ANY AFFILIATES, THE “CUSTOMER”) THAT WILL BE UTILIZING THE SOFTWARE (AS DEFINED BELOW), SUBJECT TO CUSTOMER'S ACCEPTANCE OF ALL OF THE TERMS AND CONDITIONS CONTAINED IN THIS SOFTWARE AS A SERVICE AGREEMENT (THE “AGREEMENT”). THIS AGREEMENT IS A LEGALLY BINDING AND ENFORCEABLE CONTRACT BETWEEN COMPANY AND CUSTOMER. CUSTOMER SHOULD READ THE TERMS AND CONDITIONS OF THIS AGREEMENT CAREFULLY BEFORE AGREEING. THESE TERMS DO NOT HAVE TO BE SIGNED IN ORDER TO BE BINDING. BY CLICKING THE “I AGREE” OR "SUBMIT" BUTTON, OR OTHERWISE INDICATING CUSTOMER'S ASSENT ELECTRONICALLY, CUSTOMER AGREES TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF CUSTOMER DOES NOT AGREE TO THESE TERMS AND CONDITIONS, DO NOT ACCEPT THIS AGREEMENT AND DO NOT USE THE SAAS SERVICES.
ALL OFFERS FOR SALE OF SAAS SERVICES ARE SUBJECT TO THESE TERMS, AND ANY PROPOSED ADDITIONS TO OR MODIFICATIONS MADE BY CUSTOMER ARE HEREBY EXPRESSLY REJECTED. IF CUSTOMER IS ACCEPTING THESE TERMS ON BEHALF OF ANOTHER PERSON OR A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT AND WARRANT THAT YOU: (I) HAVE FULL AUTHORITY TO BIND THAT PERSON, COMPANY, OR LEGAL ENTITY TO THESE TERMS, (II) HAVE READ AND UNDERSTAND THESE TERMS AND CONDITIONS, AND (III) AGREE TO THESE TERMS AND CONDITIONS ON BEHALF OF THE PERSON, COMPANY OR LEGAL ENTITY YOU REPRESENT.
For good and valuable consideration, the sufficiency of which is hereby acknowledged, Company and Customer agree to the terms and conditions set forth below:
NOW, THEREFORE, the parties hereto agree as follows:
1. DEFINITIONS
“Administrator User” means each Customer employee designated by Customer to serve as technical administrator of the SaaS Services on Customer’s behalf.
“Affiliate” means an entity which, directly or indirectly owns or controls, is owned or is controlled by or is under common ownership or control with a party, where “control” means the power to direct the management or affairs of the entity, and “ownership” means the beneficial ownership of greater than fifty percent (50%) of the voting equity securities or other equivalent voting interests of the entity.
“Customer Content” means all data and materials provided by Customer to Company for use in connection with the SaaS Services, including, without limitation, customer applications, data files, and graphics.
“Documentation” means the user guides, online help, release notes, training materials and other documentation provided or made available by Company to Customer regarding the use or operation of the SaaS Services.
“Invoice” means the invoice provided by Company to Customer reflecting the purchase of SaaS Services as well as the number of users and checks provided thereunder.
“Other Services” means all technical and non-technical services performed or delivered by Company under this Agreement, including, without limitation, implementation services and other professional services, training and education services but excluding the SaaS Services. Other Services will be provided on a time and material basis at such times or during such periods, as may be specified in an Invoice and mutually agreed to by the parties.
“Software” means the object code version of any software to which Customer is provided access as part of the Service, including any updates or new versions.
“SaaS Services” refer to the specific Company’s internet-accessible service identified in an Invoice that provides use of Company’s AssurePay Cloud check printing services that is hosted by Company or its service provider and made available to Customer over a network on a term-use basis.
“Subscription Term” shall mean that period specified in an Invoice during which Customer will have on-line access and use of the Software through Company’s SaaS Services. The Subscription Term shall renew for successive 12-month periods unless either party delivers written notice of non-renewal to the other party at least 30 days prior to the expiration of the then-current Subscription Term.
2. SAAS SERVICES
2.1 Grant of License. During the Subscription Term, Customer will receive a nonexclusive, non-assignable, royalty free, worldwide right to access and use the SaaS Services solely for Customer’s internal business operations subject to the terms of this Agreement.
2.2 Acknowledgment. Customer acknowledges that this Agreement is a services agreement and Company will not be delivering copies of the Software to Customer as part of the SaaS Services.
3. RESTRICTIONS
3.1 General. Customer shall not, and shall not permit anyone to: (i) copy or republish the SaaS Services or Software, (ii) make the SaaS Services available to any person other than authorized Administrator Users, (iii) rent, lease, distribute, sell, sublicense, transfer, or provide access to the SaaS Services to third parties, (iv) use or access the SaaS Services to provide service bureau, time-sharing or other computer hosting services to third parties, (v) reproduce, adapt, modify or create derivative works based upon the SaaS Services or Documentation, (vi) remove, modify or obscure any copyright, trademark or other proprietary notices contained in the software used to provide the SaaS Services or in the Documentation, (vii) reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code of the Software used to provide the SaaS Services, except and only to the extent such activity is expressly permitted by applicable law, (viii) incorporate the SaaS Services into a product or service Customer provided to a third party, or (ix) access the SaaS Services or use the Documentation in order to build a similar product or competitive product. Subject to the limited license granted herein, Company or its service providers shall own all right, title and interest in and to the Software, SaaS Services, Documentation, and other deliverables provided under this Agreement, including all modifications, improvements, upgrades, derivative works and feedback related thereto and intellectual property rights therein. Customer agrees to assign all right, title and interest it may have in the foregoing to Company.
4. CUSTOMER RESPONSIBILITIES
4.1 Assistance. Customer shall provide commercially reasonable information and assistance to Company to enable Company to deliver the SaaS Services. Upon request from Company, Customer shall promptly deliver Customer Content to Company in an electronic file format specified and accessible by Company. Customer acknowledges that Company’s ability to deliver the SaaS Services in the manner provided in this Agreement may depend upon the accuracy and timeliness of such information and assistance.
4.2 Compliance with Laws. Customer shall comply with all applicable local, state, national and foreign laws in connection with its use of the SaaS Services, including those laws related to data privacy, international communications, and the transmission of technical or personal data. Customer acknowledges that Company and its service providers exercise no control over the content of the information transmitted by Customer through the SaaS Services. Customer shall not upload, post, reproduce or distribute any information, software or other material protected by copyright, privacy rights, or any other intellectual property right without first obtaining the permission of the owner of such rights.
4.3 Unauthorized Use; False Information. Customer shall implement and maintain physical, technical and administrative security measures designed to protect against unauthorized access, destruction, use, or modification of the SaaS Services. Customer shall: (a) notify Company immediately of any unauthorized use of any password or user id or any other known or suspected breach of security, (b) report to Company immediately and use reasonable efforts to stop any unauthorized use of the SaaS Services that is known or suspected by Customer, and (c) not provide false identity information to gain access to or use the SaaS Services. Company is not responsible for any access or use of the SaaS Services granted by Customer to third party providers, vendors or contractors, and expressly disclaims any liability and responsibility for any third party products or services, or for the acts or omissions of any third party providers, vendors or contractors.
4.4 Administrator Access. Customer shall be solely responsible for those it allows to become Administrator Users, and for the acts and omissions of its Administrator Users. Company shall not be liable for any loss of data or functionality caused directly or indirectly by the Administrator Users. Company is not responsible for Customer’s internal management or administration of how it uses the SaaS Services.
4.5 Customer Input. Customer and its duly authorized Administrative Users are solely responsible for collecting, inputting and updating all Customer Content stored on the SaaS Services, and for ensuring that the Customer Content does not (i) include anything that actually or potentially infringes or misappropriates the copyright, trade secret, trademark or other intellectual property right of any third party, or (ii) contain anything that is obscene, defamatory, harassing, offensive or malicious. Customer shall: (i) notify Company immediately of any unauthorized use of any password or user id or any other known or suspected breach of security, (ii) report to Company immediately and use reasonable efforts to stop any unauthorized use of the SaaS Services that is known or suspected by Customer and (iii) not provide false identity information to gain access to or use the SaaS Services.
4.6 License from Customer. Subject to the terms and conditions of this Agreement, Customer shall grant to Company and its service providers a limited, non-exclusive and non-transferable license, to copy, store, configure, perform, display and transmit Customer Content solely as necessary to provide the SaaS Services to Customer.
4.7 Ownership and Restrictions. Customer retains ownership and intellectual property rights in and to its Customer Content. Company or its licensors retain all ownership and intellectual property rights to the SaaS Services, Software programs, and anything developed and delivered under the Agreement. Subject to this Agreement, and solely to the extent necessary to provide the SaaS Services, Customer grants Company a worldwide royalty-free, limited term access to use, process, copy, distribute, perform, export and display the Customer Content, and to access Customer Content in order to respond to Customer’s support requests. Third party technology that may be appropriate or necessary for use with some Company programs is specified in the program Documentation or ordering document as applicable. Customer’s right to use such third party technology is governed by the terms of the third party technology license agreement specified by Company and not under this Agreement.
4.8 Suggestions. Company and its service providers shall have a royalty-free, worldwide, irrevocable, perpetual license to use and incorporate into the SaaS Services any suggestions, enhancement requests, recommendation or other feedback provided by Customer, including Administrative Users, relating to the provision or operation of the SaaS Services.
5. ORDERS AND PAYMENT
5.1 Orders. Customer shall order SaaS Services pursuant to an Invoice. All SaaS Services and Other Services acquired by Customer shall be governed exclusively by this Agreement and the applicable Invoice.
5.2 Invoicing and Payment. Company shall invoice Customer for all fees. Customer shall pay all undisputed invoices within thirty (30) days after Customer receives the invoice. Except as expressly provided otherwise, fees are non-refundable. If Customer believes an invoice is incorrect, Customer must contact Company no later than thirty (30) days after its receipt of the invoice in question and shall pay all undisputed amounts. The parties will address the disputed amounts in good faith in order to resolve the issue.
5.3 Taxes. Company shall bill Customer for applicable taxes as a separate line item on each invoice. Customer shall be responsible for payment of all sales and use taxes, value added taxes (VAT), or similar charges relating to Customer’s purchase and use of the SaaS Services. To the extent that any such taxes are payable by Company, Customer shall reimburse the amount of such taxes. If Customer has obtained an exemption from relevant taxes at the time such taxes are levied or assessed, Customer shall provide such documentation to Company in order to modify invoicing documents.
6. TERM AND TERMINATION
6.1 Term of SaaS Agreement. The term of this Agreement shall begin on the Effective Date and shall continue for the Subscription Term, unless terminated by either party as outlined in this Section. Customer will receive advance notices of expiration 90, 60, and 30 days prior to expiration date. If renewal payment is not received prior to expiration, all services will be suspended. Reinstatement of SaaS Services is subject to fees outlined in terms of contract plus any service reactivation fees (up to $500). If confirmation and payment is not received by 30 days after expiration date, Customer account and all associated files will be deleted in accordance with information privacy laws. If Customer account and files are deleted, Customer will have to pay the full Onboarding fee (in addition to other fees due) to reinstate the Customer’s account and provision of SaaS Services.
6.2 Termination. Either party may terminate this Agreement immediately upon a material breach by the other party that has not been cured within thirty (30) days after receipt of notice of such breach.
6.3 Suspension for Non-Payment. Company reserves the right to suspend delivery of the SaaS Services and Other Services if Customer fails to timely pay any undisputed amounts due to Company under this Agreement. Suspension of the SaaS Services or Other Services shall not release Customer of its payment obligations under this Agreement. Customer agrees that Company shall not be liable to Customer or to any third party for any liabilities, claims or expenses arising from or relating to suspension of the SaaS Services or Other Services resulting from Customer’s non-payment. If Company suspends the SaaS Services, Company will promptly restore the SaaS Services upon Customer’s payment of such undisputed portion of Company’s invoice. A reactivation fee of $500 will be invoiced to the customer. If Customer’s payment is not made within thirty (30) days of suspension the Customer’s account and all associated files will be deleted from the Company’s data center in accordance with information privacy laws.
6.4 Effect of Termination. (a) Upon termination of this Agreement or expiration of the Subscription Term, Company shall immediately cease providing the SaaS Services and all usage rights granted under this Agreement shall terminate. (b) If Company terminates this Agreement due to a breach by Customer, then Customer shall immediately pay to Company all amounts then due under this Agreement and to become due during the remaining portion of the Subscription Term. If Customer terminates this Agreement due to a breach by Company, then Company shall immediately repay to Customer all pre-paid amounts for any unperformed SaaS Services scheduled to be delivered after the termination date. (c) Upon termination of this Agreement and upon subsequent written request by the disclosing party, the receiving party of tangible Confidential Information shall immediately return such information or destroy such information and provide written certification of such destruction, provided that the receiving party may permit its legal counsel to retain one archival copy of such information in the event of a subsequent dispute between the parties.
7. WARRANTIES
7.1 Warranty. Company represents and warrants that it will provide the SaaS Services in a professional manner consistent with general industry standards and that the SaaS Services will perform substantially in accordance with the Documentation. For any breach of a warranty, Customer’s exclusive remedy shall be as provided in Section 6, Term and Termination.
7.2 COMPANY DOES NOT GUARANTEE THAT THE SAAS SERVICES WILL BE PERFORMED ERROR-FREE OR UNINTERRUPTED, OR THAT COMPANY WILL CORRECT ALL SAAS SERVICES ERRORS. CUSTOMER ACKNOWLEDGES THAT COMPANY DOES NOT CONTROL THE TRANSFER OF DATA OVER COMMUNICATIONS FACILITIES, INCLUDING THE INTERNET, AND THAT THE SAAS SERVICE MAY BE SUBJECT TO LIMITATIONS, DELAYS, AND OTHER PROBLEMS INHERENT IN THE USE OF SUCH COMMUNICATIONS FACILITIES. SECTION 7.1 OF THIS AGREEMENT SETS FORTH THE SOLE AND EXCLUSIVE WARRANTY GIVEN BY COMPANY (EXPRESS OR IMPLIED) WITH RESPECT TO THE SUBJECT MATTER OF THIS AGREEMENT AND EXCEPT AS EXPRESSLY PROVIDED HEREIN, COMPANY DISCLAIMS ANY AND ALL OTHER WARRANTIES AND REPRESENTATIONS OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF MERCHANTABILITY, FUNCTIONALITY, OR FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY OTHER WARRANTY IMPLIED BY LAW, OR ARISING BY USAGE OF TRADE, COURSE OF DEALING OR COURSE OF PERFORMANCE. NEITHER COMPANY NOR ANY OF ITS LICENSORS OR OTHER SUPPLIERS WARRANT OR GUARANTEE THAT THE OPERATION OF THE SUBSCRIPTION SERVICE WILL BE UNINTERRUPTED, VIRUS-FREE OR ERROR-FREE, NOR SHALL COMPANY OR ANY OF ITS SERVICE PROVIDERS BE LIABLE FOR UNAUTHORIZED ALTERATION, THEFT OR DESTRUCTION OF CUSTOMER’S OR ANY USER’S DATA, FILES, OR PROGRAMS. CUSTOMER MAY HAVE OTHER STATUTORY RIGHTS, BUT THE DURATION OF STATUTORILY PROVIDED WARRANTIES, IF ANY, WILL BE LIMITED TO THE SHORTEST PERIOD PERMITTED BY LAW.
8. LIMITATIONS OF LIABILITY
8.1 Acknowledgement. NEITHER PARTY (NOR ANY LICENSOR OR OTHER SUPPLIER OF COMPANY) SHALL BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR BUSINESS INTERRUPTION, LOSS OF GOOD WILL, LOST BUSINESS, PROFITS, DATA OR USE OF ANY SERVICE, INCURRED BY EITHER PARTY OR ANY THIRD PARTY IN CONNECTION WITH THIS AGREEMENT, REGARDLESS OF THE NATURE OF THE CLAIM (INCLUDING NEGLIGENCE), EVEN IF FORESEEABLE OR THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. COMPANY’S AGGREGATE LIABILITY FOR DAMAGES UNDER THIS AGREEMENT, REGARDLESS OF THE NATURE OF THE CLAIM OR ACTION, WHETHER IN CONTRACT OR TORT (INCLUDING NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY), SHALL NOT EXCEED THE FEES PAID OR PAYABLE BY CUSTOMER UNDER THIS AGREEMENT DURING THE 12 MONTHS PRECEDING THE DATE THE CLAIM AROSE.
9. CONFIDENTIALITY
9.1 Definition. “Confidential Information” means any information disclosed by a party to the other party, directly or indirectly, which, (a) if in written, graphic, machine-readable or other tangible form, is marked as “confidential” or “proprietary,” (b) if disclosed orally or by demonstration, is identified at the time of initial disclosure as confidential and is confirmed in writing to the receiving party to be “confidential” or “proprietary” within 30 days of such disclosure, (c) is specifically deemed to be confidential by the terms of this Agreement, or (d) reasonably appears to be confidential or proprietary because of the circumstances of disclosure and the nature of the information itself. Confidential Information will also include information disclosed by third parties to a disclosing party under an obligation of confidentiality. Without limiting any of the foregoing, the Software, code, inventions, know how, technical and performance information relating to the SaaS Services will be deemed Company’s Confidential Information without any marking or further designation. Subject to the display of Customer Content as contemplated by this Agreement, Customer Content is deemed Confidential Information of Customer. Company Software and Documentation are deemed Confidential Information of Company.
9.2 Confidentiality. During the term of this Agreement and for 5 years thereafter (perpetually in the case of Software), each party shall treat as confidential all Confidential Information of the other party, shall not use such Confidential Information except to exercise its rights and perform its obligations under this Agreement, and shall not disclose such Confidential Information to any third party. Without limiting the foregoing, each party shall use at least the same degree of care, but not less than a reasonable degree of care, it uses to prevent the disclosure of its own Confidential Information to prevent the disclosure of Confidential Information of the other party. Each party shall promptly notify the other party of any actual or suspected misuse or unauthorized disclosure of the other party’s Confidential Information. Neither party shall reverse engineer, disassemble or decompile any prototypes, software or other tangible objects which embody the other party's Confidential Information and which are provided to the party hereunder. Each party may disclose Confidential Information of the other party on a need-to-know basis to its employees, agents, or contractors who are subject to confidentiality agreements or duty of confidentiality requiring them to maintain such Confidential Information in confidence and use it only to facilitate the performance of their services on behalf of the receiving party.
9.3 Exceptions. Confidential Information excludes information that: (a) is known publicly at the time of the disclosure or becomes known publicly after disclosure through no fault of the receiving party, (b) is known to the receiving party, without restriction, at the time of disclosure or becomes known to the receiving party, without restriction, from a source other than the disclosing party not bound by confidentiality obligations to the disclosing party, or (c) is independently developed by the receiving party without use of the Confidential Information as demonstrated by the written records of the receiving party. The receiving party may disclose Confidential Information of the other party to the extent such disclosure is required by law, subpoena, or order of a court or other governmental authority, provided that the receiving party shall use reasonable efforts to promptly notify the other party prior to such disclosure to enable the disclosing party to seek a protective order or otherwise prevent or restrict such disclosure. Each party may disclose the existence of this Agreement and the relationship of the parties, but agrees that the specific terms of this Agreement will be treated as Confidential Information; provided, however, that each party may disclose the terms of this Agreement to those with a need to know and under a duty of confidentiality such as accountants, lawyers, bankers and investors.
10. GENERAL PROVISIONS
10.1 Non-Exclusive Service. Customer acknowledges that SaaS Services are provided on a non-exclusive basis. Nothing shall be deemed to prevent or restrict Company’s ability to provide the SaaS Services or other technology, including any features or functionality first developed for Customer, to other parties.
10.2 Personal Data. Customer hereby acknowledges and agrees that Company’s performance of this Agreement may require Company and its service providers to process, transmit and/or store Customer personal data or the personal data of Customer employees and Affiliates, including but not limited to, personally identifiable information of a living individual (PII) (“Personal Data”). By submitting personal data to Company, Customer agrees that Company and its service providers may process, transmit and/or store personal data only to the extent necessary for, and for the sole purpose of, enabling Company to perform its obligations under this Agreement. In relation to all Personal Data provided by or through Customer to Company, Customer will be responsible as sole Data Controller for complying with all applicable data protection or similar laws such as UK GDPR and Data Protection Act (DPA) 2018 (the “Directive”) and laws implementing that Directive that regulate the processing of Personal Data and special categories of data as such terms are defined in that Directive. Customer agrees to obtain all necessary consents and make all necessary disclosures before including Personal Data in Customer Content and using the Software and SaaS Services. Customer confirms that Customer is solely responsible for any Personal Data that may be contained in Customer Content, including any information which Company shares with third parties on Customer’s behalf. Customer is solely responsible for determining the purposes and means of processing Customer Personal Data by Company and its service providers under this Agreement, including that such processing according to Customer’s instructions will not place Company or its service providers in breach of applicable data protection laws.
Prior to processing, Customer will inform Company about any special categories of data contained within Customer Personal Data and any restrictions or special requirements in the processing of such special categories of data, including any cross-border transfer restrictions. Customer is responsible for ensuring that the SaaS Services meets such restrictions or special requirements. Company or its service providers may process any Personal Data that meets the requirements set forth in this Section according to this Agreement.
10.3 Personal Data in delivering SaaS Services. Customer agrees to provide any notices and obtain any consent related to Company or its service providers’ use of the data for provisioning the SaaS Services, including those related to the collection, use, processing, transfer and disclosure of personal information. Customer shall have sole responsibility for the accuracy, quality, integrity, legality, reliability and appropriateness of, and retains ownership of, all Customer data.
10.4 Indemnification. Customer will indemnify, defend and hold harmless Company, and its Affiliates, shareholders, officers, directors, agents and employees, from and against any and all claims, costs, damages, losses, liabilities and expenses, including reasonable attorney’s fees and costs, resulting from any claim arising out of or related to (i) Customer Content; (ii) Customer’s breach of any of the Customer’s obligations, representations, warranties, covenants set forth in this Agreement, whether by action or omission, negligence, fraud or failure to comply with applicable laws, (iii) use of the SaaS Services by Customer or any permitted user in combination with any third party software, application or service. Customer will fully cooperate with Company in the defence of any claim defended by Customer pursuant to its indemnification obligations under this Agreement, and will not settle any such claim without the prior written consent of Company.
10.5 Assignment. Neither party may assign this Agreement or any right under this Agreement, without the consent of the other party, which consent shall not be unreasonably withheld or delayed; provided however, that either party may assign this Agreement to an acquirer of all or substantially all of the business of such party to which this Agreement relates, whether by merger, asset sale or otherwise. This Agreement shall be binding upon and inure to the benefit of the parties’ successors and permitted assigns. Either party may employ subcontractors in performing its duties under this Agreement, provided, however, that such party shall not be relieved of any obligation under this Agreement.
10.6 Force Majeure. Each party will be excused from performance for any period during which, and to the extent that, such party or any subcontractor is prevented from performing any obligation or services, in whole or in part, as a result of causes beyond its reasonable control, and without its fault or negligence, including without limitation, acts of God, strikes, lockouts, riots, acts of terrorism or war, epidemics, communication line failures, and power failures.
10.7 Waiver. No waiver shall be effective unless it is in writing and signed by the waiving party. The waiver by either party of any breach of this Agreement shall not constitute a waiver of any other or subsequent breach.
10.8 Severability. If any term of this Agreement is held to be invalid or unenforceable, that term shall be reformed to achieve as nearly as possible the same effect as the original term, and the remainder of this Agreement shall remain in full force.
10.9 Entire Agreement. This Agreement contains the entire agreement of the parties and supersedes all previous oral and written communications by the parties, concerning the subject matter of this Agreement. This Agreement may be amended solely in a writing signed by both parties. Standard or printed terms contained in any purchase order or sales confirmation are deemed rejected and shall be void unless specifically accepted in writing by the party against whom their enforcement is sought; mere commencement of work or payment against such forms shall not be deemed acceptance of the terms.
10.10 No Third Party Beneficiaries. This Agreement is an agreement between the parties, and confers no rights upon either party’s employees, agents, contractors, partners or customers or upon any other person or entity.
10.11 Independent Contractor. The parties have the status of independent contractors, and nothing in this Agreement nor the conduct of the parties will be deemed to place the parties in any other relationship. Except as provided in this Agreement, neither party shall be responsible for the acts or omissions of the other party or the other party’s personnel.
10.12 Statistical Information. Company may anonymously compile statistical information related to the performance of the SaaS Services for purposes of improving the SaaS Services, provided that such information does not identify Customer’s data or include Customer’s name.
10.13 Survival. The representations and warranties set forth herein will survive the termination or expiration of this Agreement for any reason.
10.14 Governing Law. This Agreement and any claims arising out of or relating to this Agreement will be governed by, interpreted, and construed in accordance with the laws (without regard to the conflict of laws rules) of the State of California, U.S.A. The parties agree that this Agreement does not involve the sale of goods and that the Uniform Commercial Code as enacted in any jurisdiction, or any similar statutes concerning the sale of goods applies to this Agreement. The parties further agree that any legal action or proceeding relating to this Agreement will be instituted solely and exclusively in the state courts located in Orange County, California or the federal courts located in Orange County, California, and both parties agree to submit to the sole and exclusive jurisdiction and venue of such courts for any matters related to this Agreement, including, but not limited to, any matters related to the SaaS Services, Documentation, and/or the Software.
10.15 Compliance with Laws. Company shall comply with all applicable local, state, national and foreign laws in connection with its delivery of the SaaS Services, including those laws related to data privacy, international communications, and the transmission of technical or personal data.
SCHEDULE A – Data Security Protections and Safeguards
This attachment describes the organizational and technical protections and safeguards that TROY Group, Inc. (“TROY”) has in place to protect the privacy and security of Customer’s data.
Policy & Compliance
The protection of Customer’s data is integral to TROY’s business operations. All TROY employees are subject to mandatory criminal background checks and drug screening procedures to ensure the integrity of our workforce and the services we provide to you. TROY may use subcontractors from time to time to perform certain functions in furtherance of the Services. TROY contractually requires its subcontractors to adhere to the same personnel standards of quality to which TROY holds its own workforce.
TROY maintains up-to-date information security policies to ensure compliance with all applicable state and federal requirements related to maintaining security, confidentiality, and protection of Customer’s data, including the HIPAA Security Rule and GDPR. These security policies are published and available to all TROY employees and subcontractor personnel. TROY also requires its employees and subcontractor personnel to complete appropriate trainings to maintain compliance with those policies and procedures, including when existing policies are updated and before new policies go into effect.
The policies and procedures include dedicated methods for both TROY employees and subcontractor personnel to quickly report potential security risks or threats to systems and services, as well as potential data security incidents. All subcontractors and subcontractor personnel are required to immediately notify TROY of any potential threats, risks, or data security incidents.
Infrastructure & Network Security
TROY utilizes a high-availability virtual database and high-availability virtual machines to strengthen the resiliency of the AssurePay Cloud application. Thanks to the redundant and flexible nature of the system, failover can happen automatically, and TROY is able to perform maintenance on individual nodes without taking the application offline. This combination of factors helps TROY maintain a service uptime of 99.7% or better.
TROY provisions unique user accounts for all individuals with access to the TROY network, systems, and applications, and to any of Customer’s systems or applications. This applies to TROY employees, subcontractor personnel, vendors, and any other applicable third party. Documented and traceable requests and approvals from Human Resources and department managers are required before the creation of user accounts and provisioning of access rights. Additional security approvals are required for all privileged and administrative access rights.
User account access rights are reviewed annually to ensure that users are granted and maintain only the minimum privileges necessary to perform their assigned job duties. All user accounts are disabled and all access rights are immediately revoked upon notification of termination of employment or services. TROY tracks the access of its workforce to Customer data.
Identity verification procedures are in place and enforced for all user account password resets.
All connections from the TROY network to the internet and to other external or third-party networks are documented, formally authorized, and properly protected. All routers and firewalls are configured with access control lists to allow only specific network traffic to pass through. Default passwords for all services and devices are changed before being implemented. Privileged access on network and systems infrastructure, including access to security logs, is strictly limited.
TROY regularly tests its network and infrastructure security for exploitable vulnerabilities, with independent third-party penetration tests conducted annually. If any vulnerabilities are identified, they are promptly mitigated. Furthermore, TROY’s regular patching process ensures that all devices are up to date with applicable patches and software and firmware updates. Critical security patches are applied in an expedited fashion and without a requirement for prior approval. All endpoints within the TROY network are protected with up-to-date antivirus software and other defenses against malicious software attacks, and all directories can be included in real-time antivirus scanning.
TROY physically secures its infrastructure from unauthorized access, tampering, damage, and theft by any intruder.
TROY Group can provide a Drata Security Report and penetration test report upon request. Additionally, the AssurePay Cloud application operates on the Microsoft Azure cloud computing platform, which is certified compliant for SOC2 for operational security and resilience. Additional information can be found at https://learn.microsoft.com/en-us/azure/compliance/. AssurePay Cloud also utilizes the market-leading and SOC2-compliant Auth0 for secure login and authentication. Additional information on Auth0 can be found at https://auth0.com/security.
Application Security
TROY Group manages authentication and access to the AssurePay Cloud application using Active Directory integration. All users with access to AssurePay Cloud are required to have and use their own unique username and password. Password requirements include a minimum of ten (10) characters, including at least one (1) capital letter, a number, and a special character. Password expiration intervals can be set to a minimum of sixty (60) days, with the four previously used passwords disallowed. AssurePay Cloud utilizes multifactor authentication for login, and user accounts can be locked after a certain number of failed login attempts.
User credentials are managed by AssurePay Cloud’s Identity as a Service (“IDaaS”) provider, Auth0, which has one of the highest reputations within the industry for reliability and security. TROY does not store passwords or other user authentication tokens in any form on any TROY systems.
Audit logs and access reports can be produced to identify all activity of a given user within the AssurePay Cloud application.
The AssurePay Cloud application provides no method for Customer data to be transmitted or exfiltrated out of the application by email or fax.
Where data must be deleted to meet applicable document retention and destruction policies, the AssurePay Cloud application can be configured to securely destroy data at specified times or within specified time periods.
All AssurePay Cloud application code is developed and reviewed in accordance with Agile SDLC standards.
Data Security
TROY Group takes reasonable precautions in line with industry standards and best practices to protect the security of Customer’s data. If necessary, TROY Group may receive data from Customer as part of the Services provided to Customer. All Customer data will be isolated from the data of all other TROY clients and encrypted using Azure SQL Transparent Data Encryption. TROY Group will never store any of Customer’s sensitive data, even temporarily, on an end-user device such as a laptop, mobile device, or removable storage device.
Transmissions containing Customer data are secured with a minimum of Transport Layer Security (TLS) 1.2 or better.
The nature of the AssurePay Cloud’s high-availability database increases the application’s resiliency and resistance to disruption. Even so, TROY maintains and tests its procedures for successfully recovering data in the event of a disaster scenario. The standard backup and recovery procedures for the database are managed by Microsoft Azure, but TROY can manually restore the database to any point in time in the preceding seven (7) days. TROY also maintains long-term daily backups for thirty (30) days. In the unlikely event of a disaster recovery operation, TROY is able to recover and restore the system within four (4) hours during the support period.
If and when Customer’s use of TROY’s services is terminated, TROY affirms that it will promptly and securely return or destroy any Customer data in TROY’s possession.
SCHEDULE B
SOFTWARE MAINTENANCE AGREEMENT
SERVICE LEVELS
CALL CENTER
TROY's call center will be available Monday through Thursday 8:00 a.m. – 6:30 p.m. and Friday 8:00 a.m. – 5:30 p.m. Eastern Time, excluding holidays. Holidays observed by TROY are: New Year’s Eve, New Year’s Day, Memorial Day, 4th of July, Labor Day, Thanksgiving Day and the day after Thanksgiving, Christmas Eve, and Christmas.
RESPONSE TIME
Average response time during the stated coverage period will be within four (4) working hours of a support request at least 80 percent of the time, unless deferred to a more convenient time by the customer.