Services Terms and Conditions
This Services Terms and Conditions Agreement (the “Agreement”) is entered into by and between Gem Software, Inc., a Delaware corporation with offices at 1 Post Street, 18th Floor, San Francisco, CA 94104 (“Gem,” “Gem Software” or “Service Provider”) and the company or other legal entity identified in the signature block of the Order Form that references this Agreement, and is effective as of the effective date of such Order Form (the “Effective Date”).
DEFINITIONS
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Authorized User” means an individual who is authorized by Customer to use the Services under Customer’s account or submit Customer Data to Customer’s instance of the Services. Authorized Users are employees of Customer, and may include, to the extent expressly set forth in an Order Form, employees of Customer Affiliates.
“Customer” means the company or other legal entity named in the preamble above, and Affiliates of that company or entity (for so long as they remain Affiliates) which have entered into Order Forms for the purchase of Services under this Agreement (with respect to such Order Forms).
“Customer Data” means data, content and other information in Customer’s instance of the Services, that has been submitted to the Services by or on behalf of Customer (including from Customer’s applicant tracking system or other Third Party Services, as well as by Customer’s users). The Services, Aggregate Data and any data, content or other information made available by Gem to Customer through its use of the Services are not Customer Data.
“Documentation” means Gem’s product functionality and usage guide documentation provided by Gem for the Services set forth in an applicable Order Form, as updated from time to time, currently accessible via https://support.gem.com/hc/en-us (or a successor site).
“Order Form” means a Gem-approved ordering document or online subscription process by which the parties specify the Services to be provided hereunder that is entered into between Customer and Gem or any of Gem’s Affiliates. By entering into an Order Form hereunder, an Affiliate agrees to be bound by the terms of this Agreement as if it were an original party hereto.
“Services” means the talent engagement and recruiting optimization platform, analytics and other SaaS products and services offered by Gem. The Services exclude Third Party Services and Customer Data.
“Third Party Services” mean any web-based, offline, mobile or other software applications, services, products, systems or tools provided by Customer or a third party that are used by Customer with the Services, such as an applicant tracking system or email application.
GEM RESPONSIBILITIES
Provision of Services. Subject to the terms of this Agreement, Gem will make available to Customer the Services set forth in an applicable Order Form for the subscription term of that Order Form. Subject to the limited rights expressly granted hereunder, as between the parties, Gem Software owns and reserves all rights, title and interest in and to the Services and Documentation, as well as all APIs and software integrations offered by Service Provider and made available to Customer for use with the Services, including all related intellectual property rights. No rights are granted to Customer hereunder other than as expressly set forth herein.
Performance and Features. Gem will use commercially reasonable efforts to make the Services available 24 hours a day, 7 days a week, except for planned downtime (of which, to the extent exceeding five continuous minutes, Gem will use reasonable efforts to provide advance electronic notice). Notwithstanding the foregoing, the Services may be temporarily unavailable for unscheduled emergency maintenance, or due to causes beyond Gem’s reasonable control. Gem warrants that: (i) during a relevant subscription term, the Services will perform materially in accordance with the applicable Documentation in all material respects; and (ii) subject to the “Third Party Services” Section, Gem will not materially decrease the overall functionality of a purchased Service during a relevant subscription term. Notwithstanding anything to the contrary, for any breach of an above warranty, Customer’s exclusive remedies are those described in the Section titled “Termination for Cause.” Gem will be responsible for the performance of Gem’s personnel (including Gem’s employees and independent contractors) and their compliance with Gem’s obligations under this Agreement, except as otherwise specified herein.
Protection of Customer Data. Gem will maintain administrative, physical and technical safeguards for the security, confidentiality and integrity of Customer Data, at a level not materially less protective than as described in Gem’s Security Practices, as may be updated by Gem from time-to-time and a current version of which is attached as Schedule A (the “Security Practices”). These safeguards will include measures for preventing unauthorized access, use, modification, deletion and disclosure of Customer Data by Gem’s personnel. Before providing necessary access to Customer Data to a third-party service provider, Gem will ensure that the third-party maintains reasonable data practices for maintaining the confidentiality and security of the Customer Data and preventing unauthorized access to or use of the Customer Data. However, Customer (not Gem Software) bears sole responsibility for the accuracy, legality and appropriateness of Customer Data, and for adequate security, protection and backup of Customer Data when in Customer’s or its representatives or service providers’ possession or control. Upon Customer’s request, Gem Software will provide Customer with a copy of its most recent SOC2 Type 2 audit report.
Compliance with Laws. Gem will comply with laws and regulations that are applicable to Gem in its provisioning of the Services to its customers generally (i.e. without regard to the nature of the Customer Data or Customer’s particular use or configuration of the Services); provided, however, that Customer agrees that (i) Customer is solely responsible for the quality, legality and accuracy of Customer Data, (ii) Customer shall use the Services only in compliance with all applicable laws and regulations, and (iii) Gem is not responsible for any violation caused by Customer Data or Customer’s use of the Services.
ACCESS AND USE OF THE SERVICES
Access to the Services.
Subject to and conditioned upon Customer’s compliance with the terms of this Agreement, Service Provider hereby grants Customer a non-exclusive and non-transferable (except in compliance with Section 10.2 below) right to access and use the Services set forth in an applicable Order Form during the subscription term thereof, solely for use by Authorized Users in accordance with the terms set forth herein. Customer agrees that Service Provider may use Customer’s company name and logo to reference Customer as a Gem Services customer on Service Provider’s website and in its advertising and marketing materials.
From time-to-time, Gem may make available to Customer services, features and/or functionality on a no-charge, free or trial basis, and/or as a beta or early access offering (“Optional Services”). Use of such Optional Services is permitted only during the period designated by Gem (or if not designated, 30 days). Optional Services are optional and subject to change or discontinuation at any time in Gem’s discretion, they may be incomplete, contain bugs or errors, or include features or functionality that Gem may never release, and their features and performance information are Gem’s confidential information. And so notwithstanding anything to the contrary herein, Optional Services are provided “as is,” including with respect to their performance, speed, functionality, and availability, without any express or implied warranties, service levels, support or indemnities of any kind, and Gem will have no liability for any harm or damage associated with the Optional Services.
Customer Obligations.
Usage Restrictions. Customer will not (and will not allow any third party to): (i) make the Services or Documentation available to, or use the Services or Documentation for the benefit of, anyone other than Customer and those Authorized Users directly supporting Customer; (ii) upload, post, transmit or otherwise make available to the Services any content or information (a) that is unlawful or tortious, that infringes any intellectual property or proprietary rights, or that Customer does not have a right to make available under applicable law or contractual or fiduciary relationships, or (b) that is designed to interrupt, interfere with, destroy or limit the functionality of any computer software or hardware or telecommunications equipment; (iii) sublicense, resell, time share or otherwise similarly exploit the Services; (iv) reverse engineer, modify or create derivative works of, adapt, hack, decompile, disassemble or otherwise attempt to gain unauthorized access to the Services, or discover or disclose to a third party the source code or object code or underlying structure, ideas, know-how or algorithms relevant to the Services; (v) access or use the Services or the Documentation to build a competitive product or service or engage in competitive analyses or benchmarking or for timesharing or service bureau purposes; or (vi) use the Services in a manner that threatens the rights of other users or the security, integrity or availability of the Services.
Responsibilities in Using the Services. Customer shall: (i) use the Services only for legitimate business purposes related to recruitment of and networking with potential candidates for employment and for no other purpose; (ii) use the Services only in accordance with the terms of this Agreement, the Documentation, Gem’s then-current acceptable use policies, as may be updated from time-to-time and currently available here, and all applicable laws and regulations; (iii) provide sufficient privacy notices and obtain any consents or other rights required by applicable law, including, where required, express, freely given, specific, informed and unambiguous consent, for Customer to be able to access and use Customer Data in connection with the Services and process the personal data of any identified or identifiable individual in Customer’s use of the Services in accordance with applicable law; (iv) be responsible for obtaining and maintaining the security of account credentials and passwords for use of the Services, and any equipment and ancillary services used to connect to, access or otherwise use the Services; (v) be responsible for its Affiliates’ and Authorized Users’ compliance with this Agreement and all uses of and activities under its Services account; (vi) be solely responsible for the accuracy, appropriateness and legality of Customer Data; (vii) use commercially reasonable efforts to prevent unauthorized access to or use of the Services, and notify Gem promptly of any such unauthorized access or use. Gem has no obligation to monitor Customer’s use of the Services but Gem may do so and may prohibit any use of the Services, or remove or disable content or data, that it believes may be or is alleged to be in violation of the terms of this Agreement or Gem’s acceptable use policies.
Third Party Services. Customer grants permission to Gem to connect each Third Party Service with the Services and for the exchange and processing of Customer Data with such Third Party Service in accordance with this Agreement. Customer’s use of Third Party Services is governed by the terms and conditions and policies applicable to such Third Party Services, and Customer shall be solely responsible for compliance with such terms and conditions and policies. Gem makes no representations or warranties concerning, and disclaims any and all liability in connection with the use of, Third Party Services. Without limiting the generality of the foregoing, Gem cannot guarantee the continued availability of integrations with Third Party Services, and may cease providing interoperation or data exchange with a Third Party Service without entitling Customer to any refund, credit or other compensation (e.g. if a Third Party Service provider ceases to make the Third Party Service available for interoperation with the corresponding Services in a manner acceptable to Gem).
Customer Data. Customer grants Gem and its Affiliates a worldwide, non-exclusive, royalty-free license to host, copy, display, distribute, access, use, and process Customer Data, and provide necessary access to third party service providers acting on its behalf, such as hosting services providers, to (i) develop, provide, maintain, and improve the Services, (ii) to prevent or address service or technical problems or at Customer’s request in connection with customer support matters, or (iii) as compelled by law or as instructed by Customer in writing (by email or acceptance via other electronic means made available by Service Provider is deemed sufficient).
Feedback. At its option, Customer may provide ideas, feedback or suggestions about the Services to Service Provider (“Feedback”). Any such Feedback shall not be considered Proprietary Information, and may be used by Gem and its Affiliates for any purpose without restriction and without obligation to Customer. Gem may derive aggregated data, information and content from Customer Data, and may aggregate the same with data regarding or derived from Customer’s use of the Services (“Aggregate Data”), and may use, modify and disclose Aggregate Data to develop, improve, market and provide Gem’s products and services, analyze and report on performance and use of the Services, or otherwise operate its business, provided that such use will be in a manner that does not disclose to any third party the identity of Customer, any personnel or individual candidate of Customer, or identify Customer as the source of such data to any third party.
CONFIDENTIALITY
Definition of Proprietary Information. Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose confidential information relating to the Disclosing Party’s business that is designated as confidential or proprietary at the time of disclosure or should reasonably be understood, due to the nature of the information or circumstances of disclosure, to be of a confidential or proprietary nature (hereinafter referred to as “Proprietary Information” of the Disclosing Party). Proprietary Information of Customer shall include Customer Data, and Proprietary Information of Gem Software shall include the Services, all pricing, discounting and fees hereunder, and the Documentation.
Protection of Proprietary Information. The Receiving Party agrees: (i) to take reasonable precautions to protect the confidentiality of the Disclosing Party’s Proprietary Information, and (ii) not to use Disclosing Party’s Proprietary Information for any purpose outside the scope of this Agreement, and (iii) except as otherwise authorized by the Disclosing Party, to limit access to the Disclosing Party’s Proprietary Information to those of its and its Affiliates’ employees, partners, contractors and agents who need such access for purposes consistent with this Agreement. The Disclosing Party agrees that the foregoing shall not apply with respect to any information that the Receiving Party can document (a) is or becomes generally available to the public, or (b) was in its possession or known by it without restriction on disclosure prior to receipt from the Disclosing Party, or (c) was rightfully disclosed to it without restriction by a third party, or (d) was independently developed without use of any Proprietary Information of the Disclosing Party. The Receiving Party may disclose Proprietary Information as required by law or court order provided that it: (i) gives the Disclosing Party prompt written notice (unless notice is prohibited by law); (ii) assists the Disclosing Party in obtaining an order protecting the Proprietary Information from public disclosure; and (iii) limits any such disclosure to the minimum extent necessary to comply with the legal requirement.
PAYMENT OF FEES
Service Fees. Customer will pay Service Provider the fees for the Services as listed on, and in accordance with the payment terms specified on, the applicable Order Form, or the Services may be terminated. Payment obligations are non-cancelable and, except as expressly set forth herein, fees paid are non-refundable. If Customer’s use of the Services exceeds any applicable limits set forth on the Order Form or Documentation or otherwise requires the payment of additional fees (per the terms of this Agreement), Customer shall be billed for such usage in accordance with the Billing Section below and Customer agrees to pay the additional Fees in the manner provided therein. Customer agrees that its purchases hereunder are neither contingent on the delivery of any future functionality or features nor dependent upon any oral or written public or private comments made by Gem Software regarding future functionality or features.
Disputes. If Customer believes that Service Provider has billed Customer incorrectly, Customer must contact Service Provider no later than thirty (30) days after the date of the invoice in which the error or problem appeared, in order to receive an adjustment or credit. Inquiries should be directed to Service Provider’s accounts receivable department. If any charge by Customer (excluding amounts reasonably disputed in good faith) is thirty (30) days or more overdue, Gem may, without limiting its other rights and remedies, terminate the Services, provided that Gem has given Customer ten (10) or more days’ prior notice, which may be provided to Customer’s designated billing contact via email, that its account is overdue.
Billing. Fees will be invoiced in advance, or as otherwise set forth in the applicable Order Form. Service Provider may choose to bill through an invoice, in which case, Gem will bill Customer through invoices sent via email to the billing contact designated by Customer, unless otherwise specified in an Order Form. Customer shall be responsible for all applicable taxes in connection with this Agreement, other than U.S. taxes based on Service Provider’s net income. Should any payment for Services be subject to withholding tax by any government, Customer will reimburse Gem for such withholding tax. Unpaid invoices not being disputed reasonably and in good faith are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all expenses of collection.
TERM; TERMINATION
Agreement Term. Subject to earlier termination as provided below, this Agreement commences on the Effective Date and continues until all Order Forms for Services have expired or been terminated (the “Term”).
Term of Services Subscriptions. Services subscriptions commence on the start date specified in the applicable Order Form and continue for the subscription term specified therein. Except as otherwise specified in the applicable Order Form and subject to earlier termination as provided herein, all Services subscription purchases will automatically renew for additional periods equal to one year, unless either party gives the other party written notice of non-renewal (email permitted) at least thirty (30) days prior to the end of the then-current subscription term. Termination of this Agreement will terminate any and all Order Forms under this Agreement.
Termination for Cause. Either party may terminate this Agreement effective after thirty (30) days’ written notice (by email or other electronic means permitted) if the other party commits a material breach of this Agreement (including any breach of Section 3.2) and such breach is not cured within such notice period. If this Agreement is terminated as a result of a material breach by Customer during the Term, Customer will pay in full all remaining unpaid fees covering the remainder of the term of all Order Forms after the effective date of termination. Upon any termination for cause by Customer, Service Provider will refund Customer any prepaid but unused fees covering the remainder of the term of all subscriptions after the effective date of termination.
Portability and Deletion. During the Term, Customer may request deletion or export of the candidate data in Customer’s instance of the Services stored by Gem Software as described in the Documentation. Following termination or expiration, Gem Software will have no obligation to maintain or provide any Customer Data, and upon Customer’s request or otherwise, Gem Software may, unless legally prohibited, delete Customer Data in its systems or otherwise in its possession in accordance with its standard schedule and procedures set forth in the Documentation.
Effect of Termination. In no event will termination relieve Customer of the obligation to pay all fees payable to Gem Software for the period prior to the effective date of termination, or that have accrued or are otherwise owed by Customer under this Agreement and any Order Form.
Surviving Provisions. The Sections titled “Customer Obligations,” “Feedback,” “Confidentiality,” “Payment of Fees,” “Term; Termination,” “Indemnification”, “Mutual Representations and Warranties; Disclaimer”, “Limitation of Liability”, and “Miscellaneous” shall survive expiration or termination of this Agreement.
INDEMNIFICATION
Gem Indemnification. Service Provider shall defend Customer and its Affiliates, and its and their respective officers, directors, employees and contractors, from any suit or proceeding by a third party alleging that the Services infringe or misappropriate a third party’s intellectual property right (a “Claim Against Customer”), and shall indemnify Customer for any damages, attorney fees and costs finally awarded against Customer as a result of, and for amounts paid by Customer under a court-approved settlement of, a Claim Against Customer; provided, however, that Service Provider shall have no liability under this Section 7.1 to the extent a Claim Against Customer arises from (a) Customer Data or data, content or other information generated by or on behalf of Customer through Customer’s use of the Services or Third Party Services; (b) Customer’s negligence, misconduct, or breach of this Agreement; (c) compliance with Customer’s specifications, requirements or instructions; (d) any modification to or development of the Services that is not performed or authorized by Service Provider, and any operation or use of the Services with products, services or materials not provided by Service Provider, including in the use of any application programming interface (API); or (e) the use of any version of software other than the most current release made available by Service Provider.
Customer Indemnification. Customer shall defend Service Provider and its Affiliates, and its and their respective officers, directors, employees and contractors, from and against a suit or proceeding by a third party alleging that (a) the provision or use of any Customer Data hereunder violates a third party right or agreement, or (b) Customer’s use of the Services violates any applicable law or regulation, or Gem’s then-current acceptable use policies (each, a “Claim Against Gem”), and shall indemnify Service Provider for any damages, attorneys’ fees and costs finally awarded against Service Provider as a result of, or for any amounts paid by Service Provider under a court-approved settlement of, a Claim Against Gem; provided, however, that Customer shall have no liability under this Section to the extent a Claim Against Gem arises from Service Provider’s breach of this Agreement.
Indemnification Procedure; Exclusive Remedy. The indemnified party will provide the indemnifying party with prompt written notice of any claim, suit or demand, the right to assume the exclusive defense and control of any matter that is subject to indemnification, and cooperation with any reasonable requests assisting the indemnifying party’s defense and settlement of such matter. This “Indemnification” Section states the indemnifying party’s sole liability to, and the indemnified party’s exclusive remedy against, the other party for any type of claim described in this Section.
MUTUAL REPRESENTATIONS AND WARRANTIES; DISCLAIMER
Mutual Representation. Each party represents that it has validly entered into this Agreement and has the legal power to do so.
Disclaimer. CUSTOMER ACKNOWLEDGES THAT SERVICE PROVIDER DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE OR ERROR FREE OR MEET CUSTOMER’S REQUIREMENTS; NOR DOES IT MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM USE OF THE SERVICES OR THIRD PARTY SERVICES, INCLUDING ANY OUTPUT GENERATED THEREFROM. EXCEPT AS EXPRESSLY PROVIDED FOR HEREIN, THE SERVICES AND ALL RELATED COMPONENTS AND INFORMATION ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS WITHOUT ANY WARRANTIES OF ANY KIND, AND SERVICE PROVIDER EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. NOTWITHSTANDING ANYTHING TO THE CONTRARY, GEM SOFTWARE MAKES NO WARRANTY REGARDING AND DISCLAIMS ALL LIABILITY AND INDEMNIFICATION OBLIGATIONS FOR ANY HARM OR DAMAGES CAUSED BY ANY THIRD PARTY SERVICE.
LIMITATION OF LIABILITY
Limitation of Liability. NOTWITHSTANDING ANYTHING TO THE CONTRARY, EXCEPT FOR (I) EITHER PARTY’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 7 (“INDEMNIFICATION”), OR (II) DAMAGES RESULTING FROM EITHER PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, IN NO EVENT SHALL EITHER PARTY’S TOTAL AGGREGATE AND CUMULATIVE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT (WHETHER IN CONTRACT OR TORT OR UNDER ANY OTHER LEGAL OR EQUITABLE THEORY OF LIABILITY) EXCEED THE TOTAL AMOUNT PAID BY CUSTOMER HEREUNDER IN THE 12 MONTHS PRECEDING THE LAST EVENT GIVING RISE TO LIABILITY. THE FOREGOING SHALL NOT LIMIT CUSTOMER’S PAYMENT OBLIGATIONS UNDER THIS AGREEMENT.
Exclusion of Consequential and Related Damages. IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY OR TO ANY THIRD PARTY FOR ANY LOST PROFITS OR REVENUES OR FOR ANY INDIRECT, EXEMPLARY, INCIDENTAL, SPECIAL, COVER, PUNITIVE OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING DISCLAIMER SHALL NOT APPLY TO THE EXTENT PROHIBITED BY APPLICABLE LAW.
Scope of Limitation. The limitations hereunder apply with respect to all legal theories, whether in contract, tort or otherwise. The provisions of this “Limitation of Liability” Section allocate the risks under this Agreement between the parties, and the parties have relied on these limitations in determining whether to enter into this Agreement.
MISCELLANEOUS
Relationship of the Parties; Notices. The parties are independent contractors. No agency, partnership, franchise, joint venture, fiduciary or employment relationship between the parties is created as a result of this Agreement and neither party has any authority of any kind to bind or attempt to bind the other party as a result of this Agreement. There are no third-party beneficiaries to this Agreement. Except as otherwise set forth herein, all notices under this Agreement will be in writing addressed to the parties at the addresses set forth on the Order Form that references this Agreement and will be deemed to have been duly given when received, if personally delivered; the first business day after sending by email; the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and upon receipt, if sent by certified or registered mail, return receipt requested.
Assignment. Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other party (not to be unreasonably withheld); provided, however, that either party may assign this Agreement in its entirety (including all Order Forms), without the other party’s consent, to such party’s Affiliate or in connection with a merger, acquisition, corporate reorganization or sale of all or substantially all of its assets. A party’s sole remedies for any purported assignment by the other party in breach of this paragraph are those described in the “Termination for Cause” section of this Agreement. Subject to the foregoing, this Agreement shall bind and inure to the benefit of the parties, their respective successors and permitted assigns.
Governing Law; Dispute Resolution. This Agreement, and any disputes arising out of or related hereto, shall be governed by the laws of the State of California without regard to its conflict of laws provisions or the United Nations Convention on the International Sale of Goods. The state and federal courts located in San Francisco County, California shall have exclusive jurisdiction to adjudicate any dispute arising out of or relating to this Agreement. Each party hereby consents to the exclusive jurisdiction of such courts. The parties agree that any actual or threatened breach of Section 3.2 or 4.2 may cause irreparable injury and that injunctive or other equitable relief in a court of competent jurisdiction may be sought to prevent an initial or continuing breach of Section 3.2 or 4.2 in addition to any other relief to which the owner of Proprietary Information may be entitled. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover its reasonable costs and attorneys’ fees. Neither party shall be liable hereunder by reason of any failure or delay in the performance of its obligations due to events beyond the reasonable control of such party, which may include denial-of-service attacks, strikes, shortages, riots, fires, acts of God, war, terrorism, and governmental action.
Waiver; Severability. No failure or delay by either party in exercising any right under this Agreement shall constitute a waiver of that right. All waivers and modifications of any provision of this Agreement must be in a writing signed on behalf of both parties by their duly authorized representatives in order to be effective, except as otherwise provided herein. If any provision of this Agreement is held by a court of competent jurisdiction to be unenforceable or invalid, that provision will be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of this Agreement will otherwise remain in full force and effect.
Entire Agreement; Amendments. This Agreement, including all addenda and exhibits hereto and all Order Forms, is the complete and exclusive statement of the mutual understanding of the parties and supersedes all previous written and oral proposals, representations, agreements, communications and other understandings concerning Customer’s purchase and use of the Services. Except as otherwise provided herein, any amendments, modifications or supplements to this Agreement must be in writing and signed by each party’s authorized representatives or, as appropriate, accepted through electronic means provided by Gem. To the extent of any conflict or inconsistency between the provisions in the body of this Agreement and any addendum hereto or any Order Form, the terms of such addendum or Order Form shall prevail. Notwithstanding any language to the contrary therein, no terms or conditions stated in a Customer purchase order, a vendor onboarding process or web portal, or any other Customer order documentation (excluding Order Forms) shall be incorporated into or form any part of this Agreement, and all such terms or conditions shall be null and void.
By signing the Order Form that references this Agreement, the parties have caused this Agreement to be executed by their duly authorized representatives as of the Effective Date.
Schedule A
Security Practices
Gem takes the security of our customers’ data very seriously, and our practices in this area are designed to safeguard the security, confidentiality and integrity of the data that is entrusted to us. We aim to be as clear and open as we can about the way we handle security for the data that a Gem customer and its users make available via Gem’s services, as more specifically defined in the customer’s agreement with Gem covering the use of those Gem services (“Customer Data”). This Schedule applies to the Services, except to the extent specified otherwise in an Order Form or other terms that are specific to a particular Service.
Compliance.
The Services undergo security assessments by internal personnel and external security firms for the purposes of assessing our security practices and monitoring the Services for vulnerabilities. Gem has undergone a SOC 2 Type II audit, and a copy of Gem’s most recent report is available to Gem customers and prospects under non-disclosure agreement. The environment that hosts the Gem services also maintains certifications for its data centers. Information about security and privacy-related audits and certifications received by AWS, including information on ISO 27001 certification and SOC reports, is available from the AWS Compliance website.
Information Security Team.
An internal Gem group that includes the Head of Platform, Enterprise and Security and staff engineers is responsible for creating, optimizing and enforcing Gem’s information and operational security policies and procedures, including those set forth in this Schedule. This team leads monitoring, vulnerability management, incident detection and response initiatives, and is responsible for tracking and reducing organization-wide security risks. The information security team may be contacted at security@gem.com.
Personnel Practices.
Gem employees are required to sign agreements that prohibit inappropriate use and disclosure of confidential information and complete security training during onboarding as well as on an ongoing basis. Gem maintains a code of conduct that is provided to all new Gem employees for signature upon hiring and addresses acceptable business practices, conflicts of interest and expected standards of ethical and moral behavior. Gem maintains formal hiring and termination policies and procedures, including with respect to employee background checks. When an employee’s work relationship with Gem is ending or ends, Gem requires the employee’s manager to notify the operations team so that the employee’s access to any proprietary technical systems may be revoked.
Infrastructure.
The Services operate on a multi-tenant architecture that is designed to logically segregate and restrict access to Customer Data. Gem uses Heroku for its application servers, and database infrastructure is provided by Amazon Web Services, Inc. (“AWS”) to host and process Customer Data. Information about security provided by AWS and Heroku is available from the AWS Security website and the Heroku security website.
Security Safeguards.
Gem maintains a written information security program that includes the implementation and maintenance of technical and organizational measures that are designed to be appropriate to the risk of (having regard to the state of technological development, cost of implementation and the nature, scope, context and purposes of processing), and to protect Customer Data against, unlawful or unauthorized destruction, loss, alteration, and disclosure.
Encryption: The Services use encryption protocols, as of the Effective Date of the Agreement: (1) SSH and TLS 1.2, to protect remote connections and data in transit over public networks, and (2) Advanced Encryption Standard (AES) 256 bit, to encrypt Customer Data at rest within RDS instances and S3 buckets.
Access Controls: Gem’s security program includes documented access approval processes and access controls that are designed to limit access to Customer Data to individuals that have a business need-to-know and are based on least privilege access principles. Gem’s access provisioning documentation defines role-based access rules for production infrastructure as well as backend data and code services. Approval is required for granting Gem employees additional levels of access to these services, and Gem conducts recurring reviews of users with access, as well as their access levels.
Threat Detection: Gem utilizes tools for automated threat detection and vulnerability management. This includes vulnerability scans of Gem’s web application and open source libraries supporting the Services. Gem classifies issue severity and response times, as of the Effective Date of the Agreement, as low, medium, high and critical vulnerabilities based on Common Vulnerability Scoring System (CVSS) scores. External penetration testing of Gem’s production environment is performed by a third party annually to evaluate the Services against the App Defense Alliance’s Cloud Application Security Assessment (CASA) requirements.
Endpoint Management: Endpoint management solutions are utilized to enforce encryption and antivirus software on company-issued mobile devices (i.e., workstations, laptops) that are able to connect to or access production data within the system boundaries.
Services Access Authentication
Gem supports the capability to set up single sign-on for access to the Services. Access to a customer’s instance of the Services is controlled by customer-defined groups via configurable role-based permissions. Gem utilizes single sign-on to enforce 2-factor authentication, multi-factor authentication for remote systems access, strong password requirements and automatic password-expiry to protect against unauthorized access to the Services’ systems and application.
Product Development
The information security team maintains a security review process for new features, functionality, and design changes and to address security concerns that may arise during development. In addition, Gem utilizes tools for code auditing, testing and review prior to production deployment.
Responsible Disclosure
Gem operates a security responsible disclosure program to enable testing on the security of the Gem services, and the reporting of issues via the program. More details of this program are available at https://www.gem.com/compliance/responsible-disclosure, or such successor site as may be made available by Gem.
Backup and Disaster Recovery
The Services are built with redundancy and availability in mind. Customer Data stored in AWS is replicated for high availability, and Customer Data and our source code are automatically backed up daily. All production and backup services are hosted within the continental United States. The primary AWS region is set to US East and Gem utilizes US West for backup. Alerts are in place to notify the operations team of failures with this system, and back-ups are fully tested on a periodic basis.
Incident Management
Gem maintains an incident management framework that is used to classify incidents and issues according to defined severity levels and document policies and procedures for incident detection and response. Gem’s incident response policies and procedures are designed to promptly identify, investigate, and remediate unauthorized disclosure of Customer Data. In the event of any confirmed security breach resulting from Gem’s failure to maintain its contractually committed security controls, Gem will notify Customer without undue delay of unauthorized access to Customer Data. Upon request from a customer, Gem will communicate the status and post-mortem details of such an incident.
Data
Data Retention
Administrators can configure data retention settings for their instance of the Services. Setting a custom duration for retention means that Customer Data older than the duration that the administrator sets will be deleted on a daily basis.
Customer Data Return
Information about the export capabilities of the Services can be found in Gem’s Help Center, available here or at such successor site as may be provided by Gem.
Customer Data Deletion
Gem provides the option for customers to request deletion of Customer Data at any time during or upon termination of a subscription term by emailing support@gem.com. Aggregate Data does not constitute Customer Data and will be maintained in accordance with Gem’s data retention practices.