Master Subscription Agreement

This Master Subscription Agreement (“Agreement”) permits the entity executing a Subscription Order Form that references this Master Subscription Agreement (“Customer”) to purchase a subscription to certain RADAR products and services, as set forth in the Subscription Order Form. This Agreement, along with any exhibits and the Subscription Form, sets forth the terms and conditions under which those products and services will be delivered. This Agreement will govern Customer’s initial purchase as well as any future purchases made by Customer that reference this Agreement.

This Agreement is effective as of the date of the Subscription Order Form executed by Customer that references this Agreement (“Effective Date”):

DEFINITIONS AND INTERPRETATION. Capitalized terms not defined in this Section are defined contextually in this Agreement. Headings in this Agreement are for convenience only and do not affect its interpretation.
 
“Account” means the online account where Customer manages its use of the Product.


“Affiliates” means an entity that owns or controls, is owned or controlled by, or is under common ownership or control with Customer, where “control” means the power to direct the management or affairs of an entity and “ownership” means the beneficial ownership of fifty percent (50%) or more of the voting securities or other equivalent voting interests of an entity.


“Ancillary Services” means the onboarding and support of the Product, as more particularly detailed in the Subscription Form.


“Applicable Law” means all local, state, federal, and international laws, regulations, and conventions applicable to a party in the performance of its obligations under this Agreement. For the avoidance of doubt, the parties acknowledge that the scope of this definition shall not be extended by virtue of the laws and regulations that are covered by the Product’s assessments and law overview content.


“Documentation” means the applicable Product descriptions and technical documentation made available within the Product, which may be modified from time to time by RADAR.


“End Users” means Customer’s employees (and its Permitted Affiliates’ employees) who interact with the Product by submitting Guest Submission Forms. End Users are not provided with login credentials to the Product and are not authorized to access Customer’s Account.


“Erase” means to render access to data infeasible when using simple non-invasive data recovery techniques.


“Guest Submission Form” means a feature of the Product that enables End Users to document and report new incidents.


“Order Term” means the subscription term specified for the Product in the Subscription Form.


“Permitted Affiliates” means Customer’s Affiliates specifically named in the Subscription Form.


“Product” means the RADAR software-as-a-service (“SaaS”) incident management and response support platform with the onboarding services and specific configurations identified in the Subscription Form. The term “Product” includes Customer’s Account and the Documentation but does not include Professional Services.


“Professional Services” means professional services provided by RADAR pursuant to this Agreement, including, without limitation, consulting, training, and additional support services as set forth in the Statement of Work.


“Registered Users” means Customer’s and its Permitted Affiliates’ employees, agents, contractors, and suppliers of services that have a need to use the Product for the benefit of Customer and who have been provisioned with login credentials to the Product and are authorized to access Customer’s Account.


“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to Customer’s PII or PHI (each as defined in Section 5.2 (Personal Data) below) in RADAR’s control. The term “Security Incident” does not include unsuccessful attempts of the foregoing, such as pings and other broadcast attacks on RADAR’s firewall, port scans, unsuccessful login attempts, denial of service attacks, and any combination of the above.


“Statement of Work” means a statement of work for Professional Services that (i) references and is subject to the terms and conditions of this Agreement, (ii) is executed by both parties, and (iii) describes the Professional Services to be performed, the associated fees, and related information.


“Subscription Form” means the RADAR-generated order documentation that (i) references and is subject to the terms and conditions of this Agreement, (ii) is executed by both parties, and (iii) describes the Product, the Order Term, applicable fees, product entitlements, and any related information.


“Third Party Platform” means a third party platform or service that uses RADAR’s application programming interface (“API”) for the purpose of exchanging User Data with the Product.


“Updates” means all revisions, upgrades, modifications, corrections, releases, versions, fixes, and enhancements to the Product that are included within the configuration identified in the Subscription Form.


“User” means a Registered User or an End User.


“User Data” means all data, including all Personal Data (as defined in Section 5.2 (Personal Data) below), entered into the Product by or on behalf of Customer and includes the results and reports generated by the Product based on such data (excluding any RADAR report templates or other RADAR Technology).


THE PRODUCT.


Overview. The Product is designed to provide incident management and response support, including without limitation multi-factor incident risk assessment, notification guidance, and reporting. RADAR uses commercially reasonable efforts to quantify risk and interpret and apply certain data breach notification laws and regulations to assist Customer (i) in performing a consistent risk assessment and (ii) in complying with its burden of proof obligations under such laws and regulations; however, the Product does not offer any legal advice or opinions. Customer makes the final assessment and decision as to whether an incident is a data breach and whether any notification or reporting is required as a result of an incident. The Product is provided on a subscription basis for specified Order Terms and is limited in scope to the specific configuration identified in the Subscription Form.


Access and Use. Customer and its Permitted Affiliates may access and use the Product during the Order Term solely for its own internal business purposes and in accordance with the terms of this Agreement, the Documentation, and any usage restrictions described in the Subscription Form. Use of the Product by Customer and its Permitted Affiliates in the aggregate must be within the usage restrictions designated in the Subscription Form. Customer will be responsible for any breach of this Agreement by its Permitted Affiliates.


Users; Login Credentials. Customer is responsible for: (i) determining the level of access granted to its Users for use of the Product; (ii) inviting new Users to use the Product; and (iii) promptly disabling access for terminated Users.


Registered Users. Use of the Product is limited to a specific number of Registered Users. If RADAR discovers that Customer is not in compliance with the usage restrictions (including, without limitation, the number of Registered Users), RADAR may invoice Customer for excess usage in accordance with RADAR’s then-applicable fees.


End Users. Customer may allow its End Users to interact with the Product by completing and submitting Guest Submission Forms. No other use of the Product by End Users is permitted under this Agreement.


Login Credentials. RADAR will provide a unique user ID to Customer’s designated Registered User (referred to as the “owner”) during the onboarding process. Each additional Registered User must create a user ID and password (referred to as the “login credentials”) (or, in the alternative, use the Product’s authentication feature) for secure access to the Product. Each Registered User must have his or her own login credentials; the sharing of login credentials among Registered Users is strictly prohibited. Customer is responsible for ensuring that each Registered User has a named account for accessing the Product. Customer is responsible for maintaining the confidentiality and security of its login credentials (e.g. implementing strong passwords and ensuring passwords are not generic). Customer is responsible for all activity occurring under its login credentials and in its Account. Customer agrees to promptly notify RADAR of any unauthorized access or use of its login credentials, its Account, or the Product.


General Restrictions. Customer will not (and will not permit any third party to): (i) use the Product for any purpose that is unlawful or outside the scope of this Agreement; (ii) alter or tamper with the Product in any way; (iii) attempt to gain unauthorized access to the Product or other systems, networks, or data of RADAR; (iv) knowingly interfere with or disrupt the integrity or performance of the Product or other systems, networks, or data of RADAR; (v) use or knowingly permit the use of any security testing tools in order to probe, scan, or attempt to penetrate or ascertain the security or vulnerability of the Product or other systems, networks, or data of RADAR; (vi) remove, obscure, conceal, or alter any proprietary or other notices contained in the Product (including without limitation notices contained in any reports or results presented through or generated by the Product); (vii) sell, lease, rent, loan, assign, provide access, or sublicense the Product to a third party, copy the Product, or use the Product for time sharing, hosting, service bureau, or similar purposes; (viii) reverse engineer, decompile, or disassemble the Product, or otherwise seek to obtain the source code or non-public API to the Product; (ix) modify the Product or the Documentation, or create any derivative work from the foregoing; (x) publicly disseminate performance metrics or benchmarking information regarding the Product; (xi) knowingly use the Product in any manner that could damage, disable, overburden, or impair the Product servers or networks connected to the Product servers; (xii) knowingly use the Product in a manner that interferes with any other party’s use of the Product; (xiii) obtain or attempt to obtain any materials or information not intentionally made available through the Product; (xiv) use the Product to retrieve, store, or transmit any malware (e.g. viruses, worms, time bombs, Trojan horses, or other harmful or malicious code, files, scripts, agents, or programs); (xv) enter data into the Product for a purpose unrelated to incident management and/or response; or (xvi) share Registered User login credentials among different individuals.


CUSTOMER OBLIGATIONS; USER DATA.


Customer Obligations.


Customer Legal Obligations. Customer is solely responsible for the accuracy, content, and legality of all User Data. Customer will ensure that its use of the Product and User Data is compliant with Customer’s privacy policies and Applicable Law. Further, Customer will obtain all third-party licenses, rights, clearances, consents, and approvals that may be required for Customer (and RADAR on behalf of Customer) to collect, process, and store User Data and represents and warrants that such collection, processing, and storage will not violate any Applicable Law or any intellectual property, publicity, privacy, and other rights of any third parties. Customer will be responsible and liable for the breach or violation of the terms of this Agreement, the Documentation, and any usage restrictions designated in the Subscription Form by its Permitted Affiliates and Users. Customer’s use of the Product must be for the sole benefit of Customer or its Permitted Affiliates.


Customer Security Obligations. Customer agrees to make commercially reasonable efforts and to take reasonable precautions to prevent any unauthorized person or entity from gaining access to the Product, including ensuring that devices used to access the Product are appropriately protected from unauthorized logical and physical access. Customer is responsible for educating its Users on using technology in a safe and responsible manner and on their information security roles and responsibilities prior to granting access to the Product and Customer’s Account. Further, Customer is responsible for defining its network architecture to support cloud applications and understanding the security risks associated with its design. Customer will promptly notify RADAR of any actual or suspected security breaches involving the Product or Customer’s Account.


Rights in User Data. User Data will remain the sole and exclusive property of Customer. All User Data is considered Confidential Information (as defined in Section 15 (Confidentiality) below) and will remain confidential to Customer in accordance with the terms of this Agreement. Customer grants RADAR a non-exclusive license to use the User Data solely to the extent required to perform its obligations and exercise its rights under this Agreement.


Right to Use Metadata. RADAR may use aggregated Metadata (defined below) to improve the validity and capabilities of the Product, to provide trending and other reports to customers (including Customer), and for white papers and other general research reports with an intent to educate and provide benchmarking data about best practices in incident management and response. “Metadata” includes aggregate usage patterns and engagement data, generic data about an incident, such as time-to-discovery, time-to-notification, and form of the incident (paper, electronic, or verbal/visual), and does not include any data that is or could be Personal Data, such as data in free form text fields or attachments. For the avoidance of doubt, Metadata does not include Personal Data or PHI, and RADAR uses Metadata in a format that does not in any way connect or link Metadata to a particular customer or its Users, including without limitation Customer.


Data Retention. RADAR stores and maintains User Data during the Order Term and so long as Customer maintains a paid subscription to the Product. Customer may export or delete User Data from its Account at any time during the Order Term consistent with the Documentation. RADAR will Erase all User Data from its production environment following the expiration or termination of the Agreement, including backups of User Data, which will be automatically purged post-ninety (90) days except as required to comply with Applicable Law or internal data retention policies. RADAR expressly disclaims all other obligations with respect to the retention or storage of User Data.


Third Party Platforms. If Customer uses its Third Party Platform to exchange User Data with the Product, this Section applies. Customer is solely responsible for determining whether to use the Product with Third Party Platforms. RADAR will have no responsibility for any Third Party Platforms, including without limitation their availability, reliability, security, functionality, operation, or integrity. Customer acknowledges that RADAR’s API may change over time, requiring updates or revisions to Customer’s or its Third Party Platform’s integration code. RADAR will provide Customer with advance notice of any material changes to RADAR’s API. Customer acknowledges that Customer is responsible for maintaining the confidentiality, security, and use of its RADAR API tokens.

Online Security Portal. During the term of this Agreement, Customer: (i) acknowledges that RADAR will provide access to an online security portal that contains RADAR’s security documentation (including without limitation testing and drill results, standard questionnaires (e.g. CIS-20, CAIQ, and SIG), and security policies); and (ii) agrees to access such online security portal as the first step for completion of any Customer-specific questionnaires and risk assessments.


SECURITY. RADAR agrees to use commercially reasonable efforts designed to prevent unauthorized access, use, alteration, or disclosure of Customer Confidential Information, including, without limitation, User Data, as described in Exhibit A (Security Statement). RADAR is not responsible for the security or confidentiality of User Data after such User Data is copied, exported, or removed from the Product by Customer or its Third Party Platforms.


DATA PROTECTION AND PRIVACY.
Protection of User Data. The parties acknowledge and agree that, to the extent the EU General Data Protection Regulation is applicable to this Agreement, Customer is the controller of User Data and RADAR is the processor of User Data under Applicable Law. RADAR agrees to use and process Personal Data contained in User Data only for the purpose of performing this Agreement and in accordance with Customer’s written instructions (as set forth in this Agreement), the applicable provisions of RADAR’s Privacy Notice located at www.radarfirst.com/privacynotice/ (“Privacy Notice”), and Applicable Law, in each instance, as may be amended from time to time. Customer acknowledges that User Data is processed and stored in the United States (“U.S.”) unless otherwise agreed by the parties in writing. The Business Associate Addendum (“BAA”) attached hereto as Exhibit D will control with regard to Protected Health Information and Electronic Protected Health Information (as defined in the BAA).
Personal Data. Customer acknowledges that the entry or disclosure of User Data within the Product that constitutes personally identifiable information (“PII”), protected health information (“PHI”), or other personal data (collectively, “Personal Data”) is not required for the Product to assess incidents. Notwithstanding the foregoing, RADAR acknowledges that Customer may choose to enter or disclose Personal Data within the Product and, as a result, will reasonably cooperate with Customer, at Customer’s sole cost and expense, to respond to any inquiries related to Customer’s privacy practices or any reasonable requests to access, correct, amend, or opt-out of the processing of Personal Data in accordance with Applicable Law.


Notifications. RADAR will notify Customer in accordance with Applicable Law and without undue delay of any Security Incident that is known to RADAR to involve unauthorized access to Customer’s User Data, and will reasonably cooperate with Customer to mitigate any risks to Customer or the individuals whose Personal Data may be affected. Security Incident notification will be made to the email specified by Customer in the Subscription Order.


Personal Data of Registered Users. Customer acknowledges that the Personal Data of its Registered Users is used and processed by RADAR for the purpose of performing this Agreement and in accordance with the applicable provisions of the Privacy Notice.
 
OWNERSHIP. This is a subscription agreement for access to and use of the Product and receipt of certain Ancillary Services. Customer agrees that RADAR retains all right, title, and interest (including without limitation all patent, copyright, trademark, trade secret, and other intellectual property rights) in and to the Product, the Documentation, the Metadata, all report templates and pre-existing content of RADAR, all related and underlying technology, documentation, work product, tools, designs, methodologies, processes, techniques, ideas, and know-how, and all derivative works, modifications, or improvements of any of the foregoing, as well as all comments, questions, suggestions, or other feedback related to the Product that Customer submits to RADAR (collectively, “RADAR Technology”). Customer acknowledges that: (i) the Product is offered as an online SaaS solution and Customer has no right to obtain a copy of the Product’s underlying object or source code or technology; and (ii) Customer is obtaining a limited, revocable right to access and use the Product during the Order Term and subject to the terms and conditions of this Agreement. RADAR is not providing any ownership rights or any rights in any RADAR Technology to Customer under this Agreement, any Subscription Form and/or Statement of Work. Further, no material created under this Agreement in connection with any Professional Services shall be deemed a “work for hire” under Applicable Law unless specifically designated as a “work for hire” in the related Statement of Work executed by the parties.


ORDER TERM; PAYMENT TERMS.


Order Term. Each Subscription Form shall continue for the initial Order Term set forth therein, unless earlier terminated as permitted under this Agreement. Unless otherwise specified on the Subscription Form, each Order Term will renew for successive Order Term periods as set out in the Subscription Order unless either party provides written notice of nonrenewal at least ninety (90) days prior to the expiration of the then-current Order Term.


Payment Terms. All fees are as set forth in the Subscription Form, will be paid by Customer within thirty (30) days of the date of the applicable invoice, and are nonrefundable except as expressly permitted under Section 8.2 (Termination for Cause), Section 9.1 (Limited Warranty), Section 14.1 (Indemnification by RADAR) and Section 12.2 (Limited Professional Services Warranty). The pricing in the Subscription Form is valid for the initial twelve (12) month period of each Order Term. Thereafter, RADAR may increase the fees under a Subscription Form, effective as of the anniversary of the Subscription Form Order Term Start Date, provided that such fees increase by no more than ten percent (10%) based upon the prior year’s fees for like Product and Services. Customer is required to pay any sales, use, transaction privilege, goods and services tax (“GST”), value-added, or similar taxes or levies, whether domestic or foreign, other than taxes based on the income of RADAR, and all such taxes and levies are excluded from any prices provided by RADAR. Any late payments shall be subject to interest charges equal to 1.5% per month of the amount due or the maximum amount allowed by Applicable Law, whichever is less, until paid.


Suspension. If (a) RADAR has sent a payment reminder to Customer for an overdue payment (email sufficient) and Customer fails to pay the amount due within ten (10) days after receiving such payment reminder or (b) Customer has breached its obligations under Section 2.3.4 (General Restrictions) or Section 3.1 (Customer Obligations), RADAR reserves the right to suspend Customer’s access to the Product until payment has been made or the breach has been cured. This suspension right is in addition to any of RADAR’s other rights or remedies under this Agreement or under Applicable Law. Prior to suspending Customer’s access for Customer’s breach of Section 2.3.4 (General Restrictions) or Section 3.1 (Customer Obligations), RADAR will use reasonable efforts to provide Customer with notice and an opportunity to cure unless RADAR reasonably determines that such breach may cause harm to other customers or threaten the security or integrity of the Product, in which case suspension may be immediate.


TERM; TERMINATION.


Term. This Agreement is effective as of the Effective Date and expires on the date of expiration or termination of the Subscription Order that references this Agreement.


Termination for Cause. Either party may terminate this Agreement (including the related Subscription Form and/or Statement of Work) if the other party: (i) fails to cure any material breach of this Agreement (including a failure to pay fees) within thirty (30) days after written notice; (ii) ceases operation without a successor; or (iii) seeks protection under any bankruptcy, insolvency event, receivership, or comparable proceeding, or if any such proceeding is instituted against that party and not dismissed within sixty (60) days. Upon termination by Customer for RADAR’s breach, RADAR will promptly refund to Customer any Product fees already paid with respect to the terminated portion of the remaining Order Term. Upon termination by RADAR for Customer’s breach, Customer will pay RADAR for the total fees contractually committed for all Order Terms.


Effect of Termination. Upon any expiration or termination of this Agreement, Customer will: (i) immediately cease any and all use of the Product (including any and all related RADAR Technology) and (ii) Erase any and all copies of the Documentation, any RADAR-related credentials, and any other RADAR Confidential Information in its possession. Upon request, Customer will confirm to RADAR in writing that it has fully complied with the foregoing requirements. Following any expiration or termination of this Agreement, Customer acknowledges that: (i) Customer will have no further access to its Account or any User Data through the Product and (ii) RADAR will Erase any and all Customer Confidential Information (including, without limitation, User Data) in its possession as detailed in Section 3.4 (Data Retention), except as required to comply with Applicable Law or internal data retention policies. Neither party will have any liability resulting solely from a permitted termination of this Agreement in accordance with its terms.


PRODUCT WARRANTY; WARRANTY DISCLAIMER.


Limited Warranty. During the Order Term, RADAR warrants, for Customer’s benefit only, that the Product will operate in substantial conformity with the applicable Documentation in material respects. RADAR’s sole liability (and Customer’s sole and exclusive remedy) for any breach of this warranty will be to use commercially reasonable efforts to correct the reported non-conformity at no charge to Customer. Notwithstanding the foregoing, if RADAR determines such remedy to be impracticable or fails to correct the non-conformity, RADAR may terminate the Order Term and Customer will receive a refund of any Product fees that Customer already paid with respect to the terminated portion of the remaining Order Term as its sole and exclusive remedy. The foregoing warranty will not apply: (a) unless Customer notifies RADAR within thirty (30) days following the date on which Customer first noticed the non-conformity; (b) if the error was caused by unauthorized modifications, or third-party hardware, software, or services; (c) to any use of the Product other than as authorized in the Agreement and other than for the Product’s intended use; or (d) to any use of the Product provided on a no-charge basis (e.g. a free trial subscription).


Warranty Disclaimer. EXCEPT FOR THE LIMITED WARRANTIES SET FORTH IN SECTION 9.1 (LIMITED WARRANTY) AND SECTION 12.2 (LIMITED PROFESSIONAL SERVICES WARRANTY) OF THIS AGREEMENT, THE PRODUCT AND ALL RESULTS AND REPORTS GENERATED FROM THE PRODUCT AND ANY PROFESSIONAL SERVICES ARE PROVIDED “AS IS”. RADAR MAKES NO OTHER WARRANTIES, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. RADAR DOES NOT WARRANT THAT CUSTOMER’S USE OF THE PRODUCT WILL BE UNINTERRUPTED OR ERROR-FREE, THAT RADAR WILL REVIEW THE USER DATA FOR ACCURACY, OR THAT RADAR WILL PRESERVE OR MAINTAIN THE USER DATA WITHOUT LOSS. RADAR WILL NOT BE LIABLE FOR DELAYS, INTERRUPTIONS, SERVICE FAILURES, OR OTHER PROBLEMS INHERENT IN THE USE OF THE INTERNET AND ELECTRONIC COMMUNICATIONS OR OTHER SYSTEMS OUTSIDE OF THE REASONABLE CONTROL OF RADAR (INCLUDING, WITHOUT LIMITATION, ANY THIRD PARTY PLATFORM). THE GUIDANCE AND OTHER CORRECTIVE ACTIONS RECOMMENDED BY THE PRODUCT ARE INFORMATIONAL IN NATURE AND ARE NOT INTENDED AS LEGAL ADVICE. RADAR EXPRESSLY DISCLAIMS RESPONSIBILITY FOR THE CONSEQUENCE OF THE USE OR MISUSE OF ANY SUCH GUIDANCE AND OTHER CORRECTIVE ACTIONS, AND CUSTOMER ACKNOWLEDGES AND AGREES THAT THE ENTIRE RESPONSIBILITY FOR AND RISK ARISING OUT OF THE SELECTION, USE, OR PERFORMANCE OF THE PRODUCT REMAINS WITH CUSTOMER.


ANCILLARY SERVICES AND SUPPORT. During the Order Term, RADAR will provide Ancillary Services and support for Customer in accordance with the onboarding and support program specified in the applicable Subscription Form and described in Exhibit B (Support Programs).


SERVICE LEVEL AGREEMENT. During the Order Term, the Product will be subject to the Service Level Agreement attached as Exhibit C (Service Level Agreement).


PROFESSIONAL SERVICES.


Scope and Payment. RADAR will provide Professional Services if purchased in a Statement of Work executed by the parties. For clarity, Ancillary Services in the form of the onboarding and support of the Product under the Subscription Form does not constitute Professional Services. The Professional Services under one or more Statements of Work may include: (i) training services; (ii) User Data deletion services; (iii) User Data migration services; or (iv) other services agreed to be provided by RADAR to Customer in writing. The scope of the Professional Services and the fees for the Professional Services (whether fixed fee or hourly rate basis) will be set forth in the Statement of Work.


Limited Professional Services Warranty. RADAR warrants that the Professional Services will be of a professional quality and materially conform to generally prevailing industry standards. Customer must provide written notice of any material breach of the foregoing warranty within thirty (30) days from the date that the Professional Services are completed. In such event, RADAR will either: (i) use commercially reasonable efforts to re-perform the Professional Services in a manner that conforms to the foregoing warranty; or (ii) if RADAR fails to re-perform or decides not to re-perform the Professional Services, refund the portion of the fees paid by Customer to RADAR for the nonconforming Professional Services. The foregoing procedures will constitute RADAR’s sole liability (and Customer’s sole and exclusive remedy) for any breach of the Professional Services warranty set forth in this Section 12.


LIMITATION ON LIABILITY.


Consequential Damages Waiver. EXCEPT FOR EXCLUDED CLAIMS (DEFINED IN SECTION 13.3) (EXCLUDED CLAIMS) AND SECONDARY CAP CLAIMS (DEFINED IN SECTION 13.4) (SECONDARY CAP CLAIMS), NEITHER PARTY SHALL BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, RELIANCE, CONSEQUENTIAL AND/OR PUNITIVE OR SIMILAR DAMAGES OF ANY KIND (INCLUDING LOST PROFITS, ANY LOSS OF USE, OR INTERRUPTION OF BUSINESS), REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, EVEN IF INFORMED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.


Liability Cap. EXCEPT FOR EXCLUDED CLAIMS AND SECONDARY CAP CLAIMS, NOTWITHSTANDING ANY OTHER PROVISION OF THIS AGREEMENT, EACH PARTY’S ENTIRE LIABILITY TO THE OTHER PARTY ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT SHALL NOT EXCEED, IN THE AGGREGATE, THE AMOUNT ACTUALLY PAID OR PAYABLE BY CUSTOMER TO RADAR DURING THE PRIOR TWELVE (12) MONTHS UNDER THE SUBSCRIPTION ORDER TO WHICH THIS AGREEMENT APPLIES (“GENERAL CAP”). RADAR’S ENTIRE LIABILITY TO CUSTOMER ARISING OUT OF OR IN CONNECTION WITH SECONDARY CAP CLAIMS SHALL NOT EXCEED, IN THE AGGREGATE, THREE TIMES (3x) THE GENERAL CAP.


Excluded Claims. “EXCLUDED CLAIMS” MEANS (A) AMOUNTS PAYABLE TO THIRD PARTIES PURSUANT TO SECTION 14 (INDEMNIFICATION) OR (B) ANY CLAIM ARISING FROM CUSTOMER’S BREACH OF SECTION 2.3.4 (GENERAL RESTRICTIONS), SECTION 3.1 (CUSTOMER OBLIGATIONS), OR SECTION 15 (CONFIDENTIALITY).


Secondary Cap Claims. “SECONDARY CAP CLAIMS” MEANS ANY CLAIMS ARISING FROM RADAR’S BREACH OF SECTION 4 (SECURITY), EXHIBIT A (SECURITY STATEMENT), OR EXHIBIT D (BUSINESS ASSOCIATE ADDENDUM) RESULTING IN THE UNAUTHORIZED USE OR DISCLOSURE OF CUSTOMER CONFIDENTIAL INFORMATION.


INDEMNIFICATION.


Indemnification by RADAR. RADAR will defend Customer from and against any claim by a third party alleging that RADAR’s proprietary technology used in the performance of the Product, when used as authorized under this Agreement, actually infringes a U.S. patent, U.S. copyright, or U.S. trademark, and will indemnify Customer from and against any damages and costs awarded against Customer or agreed in settlement by RADAR (including reasonable legal fees) resulting from such claim. If Customer’s use of any Product is (or in RADAR’s opinion is likely to be) enjoined, if required by settlement, or if RADAR determines such actions are reasonably necessary to avoid material liability, RADAR may at its option and in its sole discretion: (a) substitute substantially functionally similar products or services; (b) procure for Customer the right to continue using the Product; or (c) if (a) and (b) are not commercially reasonable, terminate the Agreement and refund any Product fees to Customer that Customer already paid with respect to the terminated portion of the Order Terms. The foregoing indemnification obligation of RADAR shall not apply: (i) if the Product is modified by any party other than RADAR, but solely to the extent that the alleged infringement is caused by such modification; (ii) if the Product is combined with products or processes not provided by RADAR, but solely to the extent the alleged infringement is caused by such combination; (iii) to any unauthorized use of the Product; (iv) to any action arising as a result of User Data; or (v) if Customer settles or makes any admissions with respect to a claim without RADAR’s prior written consent. THIS SECTION SETS FORTH RADAR’S SOLE LIABILITY AND CUSTOMER’S SOLE AND EXCLUSIVE REMEDY WITH RESPECT TO ANY CLAIM THAT RADAR’S PROPRIETARY TECHNOLOGY USED IN THE PERFORMANCE OF THE PRODUCT INFRINGES ANY PATENT, COPYRIGHT, TRADEMARK, OR OTHER INTELLECTUAL PROPERTY RIGHT OF A THIRD PARTY.


Indemnification by Customer. Customer shall defend RADAR from and against any claim by a third party arising from or relating to: (i) any User Data; (ii) any breach or alleged breach by Customer of Section 2.3.4 (General Restrictions) or Section 3.1 (Customer Obligations); or (iii) Section 3.5 (Third Party Platforms). Customer shall indemnify RADAR from and against any damages awarded against RADAR or agreed in settlement by Customer (including reasonable legal fees) resulting from such claim.


Indemnification Process. The obligations of the party responsible for providing indemnification hereunder (the “Indemnifying Party”) are conditioned upon receiving from the party seeking indemnification (the “Indemnified Party”): (i) prompt written notice of a claim (but in any event notice in sufficient time for the Indemnifying Party to respond without prejudice).  The Indemnified Party’s failure to give prompt notice to the Indemnifying Party does not constitute a waiver of the Indemnified Party’s right to indemnification and affects the Indemnifying Party’s indemnification obligations only to the extent that the Indemnifying Party’s rights are materially prejudiced by the failure or delay; (ii) the exclusive right to control and direct the investigation, defense, and settlement (if applicable) of the claim; and (iii) all reasonable necessary cooperation of the Indemnified Party. The Indemnified Party may participate in the defense of any claim with counsel of its own choosing at its expense. The Indemnifying Party may not settle a claim without the Indemnified Party’s prior written consent unless such settlement unconditionally releases the Indemnified Party from all liability and does not require the Indemnified Party to take or refrain from taking any action (except with respect to use or non-use of the Product or allegedly infringing materials).


CONFIDENTIALITY. Each party (as “Receiving Party”) agrees that all proprietary, confidential, or non-public information, code, inventions, know-how, business, technical, and financial information that it obtains from the disclosing party (“Disclosing Party”) constitute the confidential property of the Disclosing Party (“Confidential Information”), provided that it is identified as confidential at the time of disclosure or should be reasonably known by the Receiving Party to be confidential due to the nature of the information disclosed and the circumstances surrounding the disclosure. For the avoidance of doubt, all RADAR Technology is deemed the Confidential Information of RADAR. Except as expressly authorized herein, the Receiving Party will: (a) hold in confidence and not disclose any Confidential Information to third parties; and (b) not use Confidential Information for any purpose other than fulfilling its obligations and exercising its rights under this Agreement.

The Receiving Party may disclose Confidential Information to its employees, agents, contractors, and other representatives having a legitimate need to know (including, for Customer, its Permitted Affiliates), provided that: (i) such representatives are bound to confidentiality obligations no less protective of the Disclosing Party than this Section; and (ii) the Receiving Party remains responsible for compliance by such representatives with the terms of this Section.

The Receiving Party’s nondisclosure obligations will not apply to information which the Receiving Party can document through competent evidence: (1) was rightfully in its possession or known to it prior to receipt of the Confidential Information; (2) is or has become public knowledge through no fault of the Receiving Party; (3) is rightfully obtained by the Receiving Party from a third party without breach of any confidentiality obligation; or (4) is independently developed by employees of the Receiving Party who had no access to such information. The Receiving Party may make disclosures to the extent required by law or court order, provided the Receiving Party notifies the Disclosing Party in advance (if legally permissible) and reasonably cooperates in any effort to obtain confidential treatment.

The Receiving Party acknowledges that disclosure of Confidential Information may cause substantial harm for which damages alone may not be a sufficient remedy, and therefore, upon any such disclosure by the Receiving Party, the Disclosing Party will be entitled to seek appropriate equitable relief in addition to whatever other remedies it might have at law. The Receiving Party will notify the Disclosing Party as soon as possible of any misuse of or unauthorized access to Confidential Information of which it becomes aware and will reasonably cooperate in remedying such situation.

The provisions of this Section 15: (i) expressly replace and supersede any Nondisclosure Agreement by and between RADAR and Customer, if any, executed prior to the Effective Date (“Prior NDA”); and (ii) shall apply to all Confidential Information disclosed, revealed, or otherwise made available by each party and/or its Affiliates pursuant to the Prior NDA.


GENERAL TERMS.


Notices. Any notices under this Agreement shall be in writing. Notices to Customer shall be sent to the address specified on the Subscription Order. Notices to  RADAR shall be sent to RADAR, LLC dba RadarFirst, 520 SW Sixth Avenue, Suite 200, Portland, Oregon 97204, ATTN: General Counsel, with a copy to [email protected]. Notices will be deemed effective upon receipt (or if delivery is refused, on the date of such refusal). Either party may, from time to time, change its address or email address for notices by providing written notice of such change to the other party. Notices and communications may also be provided via electronic mail (which notices and communications shall be deemed to have been received immediately upon receipt), except that neither party shall provide any notice or communication related to Section 8 (Term; Termination), Section 9.1 (Limited Warranty), Section 12.2 (Limited Professional Services Warranty) or Section 14 (Indemnification) via electronic mail.


Governing Law. This Agreement shall be governed by the laws of the State of Delaware regardless of any choice of law principles that would require the application of the laws of a different jurisdiction.


Updates. Customer acknowledges that the Product is an online subscription-based product and, in order to provide improved customer experience, RADAR may make changes to the Product. RADAR will automatically provide to Customer any Updates to the Product as soon as such Updates have been made available within the Product for RADAR’s other customers. Any Updates will not materially degrade the performance, functionality, or operation of the Product. Further, the terms described in Section 10 (Ancillary Services And Support), Section 11 (Service Level Agreement), Exhibit A (Security Statement), and Exhibit C (Service Level Agreement) may be updated from time to time upon reasonable notice to Customer to reflect process improvements or changing practices, but such updates will not materially decrease RADAR’s obligations as compared to those reflected in such terms as of the Effective Date.  Except as expressly permitted herein, this Agreement, including any Order Forms and Statements of Work may only be altered, amended, or superseded solely by means of a writing signed by duly authorized representatives of the parties hereto.


Insurance. RADAR will procure and maintain insurance during the Order Term not less than the following amounts: 


Commercial General Liability | $1,000,000 per occurrence; $2,000,000 in aggregate
Professional Liability | $10,000,000 per claim and in aggregate
Automobile Liability | $1,000,000 per occurrence
Workers’ Compensation | Statutory limits
Employer’s Liability | $1,000,000 per occurrence
Umbrella Liability | $5,000,000 per occurrence
Cyber and Technology Liability | $10,000,000 per claim and in aggregate


Relationship of the Parties. The parties to this Agreement are independent contractors. Nothing in this Agreement will create any agency, employment, partnership, association, fiduciary, or joint venture relationship between the parties or the parties’ representatives. No party shall have the authority to act for or on behalf of the other or to represent the other in any transaction. Each party shall be solely responsible for its representatives, regardless of where such representatives are located.


Survival. The following Sections shall survive any expiration or termination of this Agreement: Section 2.3.4 (General Restrictions), Section 3.1 (Customer Obligations), Section 3.3 (Right to Anonymized Metadata), Section 3.4 (Data Retention), Section 6 (Ownership), Section 7.2 (Payment Terms), Section 8 (Term; Termination), Section 9.2 (Warranty Disclaimer), Section 13 (Limitation on Liability), Section 14 (Indemnification), Section 15 (Confidentiality), and Section 16 (General Terms), together with each other provision of this Agreement that by its nature extends beyond the expiration or earlier termination of this Agreement.


Attorneys’ Fees. If any action, suit, or other legal or administrative proceeding (collectively, “Proceeding”) is instituted or commenced by either party against the other party to enforce, interpret or otherwise obtain judicial or quasi-judicial relief arising out of or related to this Agreement, the Prevailing Party shall be entitled to recover from the other party its reasonable attorneys’ fees and costs.  The term “Prevailing Party” will mean and refer to the Party who most nearly obtains the result it is seeking in such Proceeding.


Legal Compliance. Both parties are and shall remain in material compliance with Applicable Law.


Cumulative Remedies. Except as expressly provided herein, the rights and remedies of each party under this Agreement are cumulative, and are in addition to all other rights and remedies available under Applicable Law or in equity.


Equitable Relief. Each party recognizes that any actual or threatened breach by a party of Section 15 (Confidential Information) of this Agreement, or in the case of Customer, any act that infringes, misappropriates, or violates RADAR’s intellectual property rights, may cause irreparable harm to the other party, the extent of which would be difficult and impractical to assess, and that money damages may not adequately remedy such breach. Accordingly, in addition to all other remedies available under the circumstances, a party shall be entitled to seek immediate equitable relief in any court of competent jurisdiction.


Assignment. This Agreement will bind and inure to the benefit of each party’s permitted successors and assigns. Neither party may assign this Agreement except upon the advance written consent of the other party. Notwithstanding the foregoing, a party may assign this Agreement in connection with a merger, reorganization, acquisition, or other transfer of all or substantially all of such party’s assets or voting securities. Any attempt to transfer or assign this Agreement except as expressly authorized under this Section will be null and void. In addition to the foregoing, RADAR reserves the right to renegotiate the subscription fees in the event that Customer: (i) acquires, merges, or enters into a strategic relationship with an existing RADAR customer (“Other Customer”) and (ii) requests to consolidate the accounts of Customer and Other Customer. Further, if Customer is acquired by another entity and such acquiring entity wishes to use the Product to manage its incident management operations, RADAR reserves the right to negotiate the applicable subscription fees with the acquiring entity.


Third Party Beneficiaries. This Agreement is for the sole benefit of the parties and nothing, express or implied, shall give any rights under this Agreement to any other person, including without limitation any business associates, service providers, or subcontractors.


Waiver. No right of a party or breach by the other party of any provision under this Agreement shall be waived by any act, omission, delay, or knowledge of a party, except by a written document executed by a duly authorized representative of the waiving party. Any waiver on one occasion shall not constitute a waiver of any prior, concurrent, or subsequent occasion. Except as otherwise set forth herein, the failure to exercise, or delay in exercising, any right, remedy, power, or privilege arising from this Agreement shall not operate or be construed as a waiver thereof; nor shall any single or partial exercise of any right, remedy, power, or privilege hereunder preclude any other or further exercise thereof or the exercise of any other right, remedy, power, or privilege.


Severability. If any court, arbitrator, or arbitration panel finds any provision of this Agreement to be invalid or otherwise unenforceable, that provision will be void to the extent it is contrary to applicable law.  However, that finding will not affect the validity of any other provision of this Agreement, and the rest of this Agreement will remain in full force and effect unless enforcement of this Agreement without the invalidated provision would be grossly inequitable under all of the circumstances or would frustrate the primary purposes of this Agreement.  Alternatively, if a court, arbitrator, or arbitration panel determines that any provision of this Agreement is not enforceable as expressly written, it is the intention of the Parties that those provisions be modified by the court, arbitrator, or arbitration panel only as is necessary for them to be enforceable.


Entire Agreement and Conflicts. This Agreement (including, without limitation, all Exhibits, Subscription Forms, and Statements of Work) reflects the entire agreement between the parties and supersedes any prior or contemporaneous agreements, communications, or understandings (whether written or oral). In the case of any conflict between the terms of this Agreement and any document that incorporates the terms of this Agreement by reference, the terms of this Agreement shall control, unless such other document explicitly modifies this Agreement with reference to each specific section being modified. Further, the parties acknowledge that any conflicting or additional terms in any Customer purchase order are void with respect to this Agreement.


/End of Agreement/
Attachments:
Exhibit A: Security Statement
Exhibit B: Support Programs
Exhibit C: Service Level Agreement
Exhibit D: Business Associate Addendum






Exhibit A: Security Statement
Purpose
RADAR maintains and enforces various policies, standards and processes designed to secure all customer data, including User Data. This document describes the core technical and organizational security measures implemented by RADAR.
Information Security Policies and Standards
RADAR will implement security requirements that are designed to:
Prevent unauthorized persons from gaining access to data processing systems (physical access control);
Prevent data processing systems being used without authorization (logical access control);
Ensure that persons entitled to use a data processing system gain access only to such User Data as they are entitled to access in accordance with their access rights and that, in the course of processing or use or storage, such User Data cannot be read, copied, modified or deleted without authorization (data access control);
Ensure that User Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of User Data by means of data transmission facilities can be established and verified (data transfer control);
Ensure the establishment of an audit trail to document whether and by whom User Data has been entered into, modified in, or removed from data processing (entry control);
Ensure that User Data is protected against accidental destruction or loss (availability control);
Ensure there are written agreements with subcontractors for data processing of User Data (order control); and
Conduct periodic risk assessments and review and, as appropriate, revise its information security practices at least annually or whenever there is a material change in RADAR’s business practices that may reasonably affect the security, confidentiality or integrity of User Data, provided that RADAR will not modify its information security practices in a manner that will weaken or compromise the confidentiality, availability or integrity of User Data.
Physical Security
RADAR will maintain commercially reasonable security systems at all RADAR sites that house an information system that processes or stores User Data. RADAR reasonably restricts access to such sites and systems appropriately. 
Organizational Security
When media are to be disposed of or reused, procedures have been implemented to prevent any subsequent retrieval of any User Data stored on them before they are withdrawn from the inventory. When media are to leave the premises at which the files are located as a result of maintenance operations, procedures have been implemented to prevent undue retrieval of User Data stored on them.
RADAR has implemented security policies and procedures to classify sensitive information assets, clarify security responsibilities, and promote awareness for employees.
All security incidents are managed in accordance with appropriate incident response procedures.
RADAR will encrypt, using approved industry-standard strong cryptographic algorithms, all sensitive Personal Data that RADAR: (a) transmits or sends locally or across public networks; (b) stores on endpoints, servers or storage media (whether on-premises or in the cloud); or stores on portable devices, where technically feasible.
RADAR will safeguard the security and confidentiality of all encryption keys associated with encrypted sensitive information.
Network Security
RADAR maintains network security using commercially available equipment and industry-standard techniques, including firewalls, intrusion detection systems, access control lists and routing protocols.
Access Control
Only authorized staff can grant, modify or revoke access to an information system that uses or houses User Data.
User administration procedures define user roles and their privileges and how access is granted, changed and terminated; address appropriate segregation of duties and define the logging/monitoring requirements and mechanisms.
All employees of RADAR are assigned unique user-IDs.
Access rights are implemented adhering to the “least privilege” approach.
RADAR implements commercially reasonable physical and electronic security to create and protect passwords.

Virus and Malware Controls
RADAR installs and maintains anti-virus and malware protection software to protect User Data from anticipated threats or hazards and protect against unauthorized access to or use of User Data.

Personnel
Prior to providing access to User Data to its personnel, RADAR will require its personnel to comply with its Information Security Program, which includes privacy and security training.
RADAR implements a security awareness program to train personnel about their security obligations. This program includes training about data classification obligations; physical security controls; security practices; and security incident reporting.
RADAR has clearly defined roles and responsibilities for its personnel. Screening is implemented before employment with terms and conditions of employment applied appropriately.
RADAR personnel strictly follow established security policies and procedures. Disciplinary process will be applied if personnel commit a privacy or security breach.

Subcontractors
Customer acknowledges and agrees that RADAR employs the subcontractors listed in Schedule 1 hereto, and that no further approval of those Subcontractors by Customer is required.

Business Continuity
RADAR implements appropriate disaster recovery and business resumption plans. RADAR reviews both its business continuity plan and risk assessment regularly. Business continuity plans are tested and updated regularly to ensure that they are up to date and effective.

Primary Security Officer
The security officer will be responsible for managing and coordinating the performance of RADAR’s obligations set forth in its Information Security Program.

Schedule 1 to Exhibit A: Subcontractors

Subcontractor Name | Location | Function
Amazon Web Services | US-EAST-2; US-WEST-1 | Hosting
Salesforce, Inc. | Washington DC – Instance NA164 | Customer Service and Support Ticketing





Exhibit B: Support Programs


RADAR Standard Support Program: This program includes: 

New releases & product updates
Access to the most recent releases and Product updates.

RADAR online Knowledge Base
Access to the RADAR online Knowledge Base within the RADAR Product.

Regulatory resource map and library
Access to the listing and analysis of global data breach laws. Access to listing of recent changes to certain data breach notification laws. Access to the regulatory watch list of proposed regulations and changes to existing regulations monitored by the RADAR regulatory team.

Dedicated Onboarding Manager
RADAR’s dedicated Onboarding Manager will support the optimal roll-out of your RADAR deployment including account configuration, admin training, and user training.

Customer Success team assistance
Access to RADAR’s Customer Success team to provide proactive and prompt assistance.

Product support team assistance
Access to RADAR’s technical support team for timely resolution of product usage and technical questions.

Support ticket response time   
24-hour initial response time for phone and email support tickets during “general business hours” (Monday through Friday, 7:30AM-5:00PM Pacific Time, excluding weekends & U.S. federal holidays and the day after Thanksgiving) from RADAR’s Product Support team. 

RADAR Premier Support Program: In addition to the items included in the RADAR Standard Support Program, Premier Support includes: 
Dedicated Customer Success Manager
RADAR’s dedicated Customer Success Manager oversees your RADAR experience while providing proactive assistance to mitigate issues, champion your product requirements, and ensure success with your incident response program objectives.


Executive Sponsor
A member of RADAR’s senior leadership team will serve as your executive sponsor — providing you with direct access to a key executive for assistance with any issues or concerns that require escalation.


RADAR operations review
This semi-annual (two times per year) meeting is a full review of your RADAR deployment, ongoing customer initiatives, best practice guidance, new features, and product roadmap updates. 

Product roadmap review   
Semi-annual (two times per year) sessions with RADAR’s product management team — providing an advanced view of upcoming features and enhancements. 

Product advisory forum membership 
Ability to participate and influence product direction and roadmap by sharing and advocating for your particular growing business requirements.


Prioritized support ticket response time
4 business-hour initial response time for phone and email support tickets during general business hours and prioritized technical support from the Customer Support team. 

24-Hour emergency outage support
Access to RADAR’s 24/7/365 emergency support hotline in the unlikely event that your RADAR Account is not accessible.


Support Ticket Response Times by Program | Standard Support Program | Premier Support Program
Critical Support (Outage) Initial Response Time. In the event of an outage, RADAR offers a 24/7/365 emergency support line for customers with a Premier Support Package. | N/A | 1 hour
General Support Initial Response Time. With the exception of an outage, support requests are handled during general business hours (M-F 7:30AM-5:00PM Pacific). | 24 hours (during general business hours), excluding weekends & U.S. federal holidays and the day after Thanksgiving | 4 business hours (during general business hours), excluding weekends & U.S. federal holidays and the day after Thanksgiving



Exhibit C: Service Level Agreement

This Service Level Agreement (“SLA”) sets forth the service level terms that apply to the Product during the Order Term set forth in the Subscription Form. Except as otherwise indicated, the capitalized terms in this SLA will have the meanings specified in the Agreement. 

SLA Definitions


“Monthly Uptime Percentage” is calculated by subtracting the percentage of minutes during the calendar month in which the Product is unavailable from one hundred percent (100%). Monthly Uptime Percentage measurements exclude downtime resulting directly or indirectly from any Exclusions (defined below).


“Service Credit” is a dollar credit that RADAR may credit back to an eligible account pursuant to the calculation described below.

Service Commitment
RADAR will use commercially reasonable efforts to make the Product available with a Monthly Uptime Percentage of at least 99.5% during any calendar month (“Service Commitment”). In the event that RADAR does not meet the Service Commitment, Customer will be eligible to receive a Service Credit as described below.

Service Credits
Service Credits are calculated as a percentage of the total subscription fees paid by Customer to RADAR that are attributable to the month for which the Service Credit is owed. The calculation of “total subscription fees” excludes one-time fees associated with onboarding, training, or support.


Monthly Uptime Percentage | Monthly Service Credit
Less than 99.5% but equal to or greater than 99.00% | 10%
Less than 99.00% | 30%

RADAR will apply any Service Credits against future payments otherwise due from Customer. Service Credits will not entitle Customer to any refund or other payment from RADAR. A Service Credit will be applicable and issued only if the credit amount for the applicable calendar month is greater than one dollar ($1 USD). Service Credits may not be transferred or applied to any other account. Customer’s sole and exclusive remedy for any unavailability, non-performance, or other failure by RADAR to provide the Product is the receipt of a Service Credit in accordance with the terms of this SLA.

Credit Request and Payment Procedures
To receive a Service Credit, Customer must submit a claim within sixty (60) days after the unavailability occurred. To process Customer’s request, Customer must provide: (i) a written notice to RADAR unambiguously requesting the issuance of a Service Credit under this SLA; (ii) the dates and times of each unavailability for which Customer is submitting a claim; and (iii) documentation of Customer’s attempts to connect and the associated error message to corroborate Customer’s claimed outage. In providing the requested information, Customer is required to remove (or replace with asterisks) any confidential or sensitive information in any logs.

If RADAR reviews the claim and confirms that the Monthly Uptime Percentage is less than the Service Commitment, then RADAR will issue the Service Credit to Customer against Customer’s next payment. Customer’s failure to make the credit request in accordance with the foregoing requirements will disqualify Customer from receiving a Service Credit.

Exclusions


The Service Commitment does not apply to any RADAR performance issues: (i) that result from a suspension or termination of Customer’s right to use the Product in accordance with the Agreement; (ii) caused by factors outside of RADAR’s reasonable control, including any force majeure event, any failure of internet access, or related problems beyond the demarcation point of RADAR; (iii) that result from any actions or inactions of Customer or any third party not acting under RADAR’s direct control; (iv) that result from Customer’s equipment, software, or other technology or third party equipment, software, or other technology (other than third party equipment within RADAR’s direct control); (v) that result from connectivity or latency issues outside the United States; or (vi) that result from any scheduled maintenance (collectively, “Exclusions”). If availability is impacted by factors other than those used in the Monthly Uptime Percentage calculation, then RADAR may issue a Service Credit considering such factors at its discretion. 

Exhibit D: Business Associate Addendum


This Business Associate Addendum (“Addendum”) implements certain requirements of the Health Insurance Portability and Accountability Act of 1996, as supplemented and amended by Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act provisions of the American Recovery and Reinvestment Act of 2009 and the rules and regulations promulgated thereunder (collectively, “HIPAA”). Those regulations include federal privacy regulations codified at 45 CFR Parts 160 and 164 (Subparts A and E) (“Privacy Rule”), security regulations codified at 45 CFR Parts 160 and 164 (Subparts A and C) (“Security Rule”), and breach notification regulations codified at 45 CFR Part 164 (Subpart D), as may be amended from time to time. 

In the course of providing the Product to Customer, RADAR may, on behalf of Customer, receive, maintain, or transmit User Data that constitutes “protected health information,” as defined at 45 CFR § 160.103, and, as a result, be deemed a business associate, as defined at 45 CFR § 160.103. Customer acknowledges, however, that use of the Product does not require entry of protected health information nor does RADAR create protected health information on behalf of Customer. The terms of this Addendum apply only in the event that Customer chooses to enter protected health information into the Product and notifies RADAR in writing of its intent to do so.

This Addendum is intended to supplement and, with respect to specific referenced sections, modify the Agreement. This Addendum expressly replaces and supersedes any pre-existing business associate agreement between RADAR and Customer. 

Definitions.
The following terms used in this Addendum shall have the meaning ascribed to them by HIPAA: Breach, Data Aggregation, Designated Record Set, Disclosure, Individual, Notice of Privacy Practices, Required by Law, Secretary, Security Incident, Subcontractor, and Use.
Protected Health Information (“PHI”) and Electronic Protected Health Information (“ePHI”) shall have the same meanings as those terms in 45 CFR § 160.103, and Unsecured Protected Health Information (“Unsecured PHI”) shall have the same meaning as that term in 45 CFR § 164.402; provided, however, that such terms are limited to information received, maintained, or transmitted by RADAR from or on behalf of Customer. 
Capitalized terms not defined in this Addendum shall have the meanings given in the Agreement. 
Use and Disclosure of PHI by RADAR. RADAR shall Use or Disclose PHI only in the manner and for the purposes set forth in this Addendum. RADAR shall not Use or Disclose PHI in a manner that would violate the Privacy Rule if done by Customer, except as permitted by 2(c) or 2(d) below. Without limiting the generality of the foregoing, Customer hereby authorizes RADAR to do the following:
Use and Disclose PHI to the minimum necessary extent to carry out the provisions of the Agreement; 
Use and Disclose PHI as Required by Law;
Use PHI to the minimum necessary extent for RADAR’s proper management and administration or to carry out its legal responsibilities; and
Disclose PHI to the minimum necessary extent for RADAR’s proper management and administration or to carry out its legal responsibilities; provided that the Disclosure is Required by Law or RADAR obtains reasonable assurances from the person to whom the PHI is Disclosed that the PHI will remain confidential and be Used or further Disclosed only as Required by Law or for the purposes for which it was Disclosed to the person, and the person notifies RADAR of any instances of which it is aware that the confidentiality of the PHI has been breached.
Use and Disclosure of PHI by Customer. 
Customer is permitted, but not required, to enter ePHI in the normal course of using the Product, provided that such entry is in accordance with the terms of the Agreement and the Documentation. Customer shall not transmit PHI to RADAR in any other form or for any other purpose without RADAR’s prior written authorization.
Customer shall not authorize, request, or require RADAR to Use or Disclose PHI in any manner that would violate HIPAA if the Use or Disclosure was carried out by Customer except as permitted by Section 2(c) and 2(d) above.
Customer shall notify RADAR of (i) any restriction on Use or Disclosure of PHI requested by an Individual to which Customer has agreed, (ii) any change in authorized Use or Disclosure of PHI by an Individual, or (iii) any limitation in Customer’s Notice of Privacy Practices, to the extent such restriction, change, or limitation may affect RADAR’s Use or Disclosure of PHI. Upon receipt of such notice, RADAR may, in its discretion, determine whether it will accommodate such restriction, change, or limitation; require Customer to discontinue entry of the relevant Individual’s PHI; or discontinue entry of any PHI.
Protection of PHI. 
RADAR shall maintain appropriate administrative, technical, and physical safeguards to protect the security, availability, and integrity of PHI, and, to the extent applicable, comply with the Security Rule. 
RADAR’s data security protocols undergo annual independent third-party audit. Upon Customer’s request, RADAR will provide Customer with a copy of RADAR’s most recent SOC 2 Type II + HITRUST CSF audit report or similar report. Such audit report or similar report shall be deemed to be RADAR’s Confidential Information subject to Section 15 of the Agreement. 
RADAR shall ensure that any Subcontractors or agents that receive, maintain, or transmit PHI on behalf of RADAR agree to restrictions and conditions no less restrictive than those that apply to RADAR in this Addendum with respect to such PHI.
To the extent RADAR agrees in writing to carry out any of Customer’s obligations under the Privacy Rule, RADAR shall comply with the requirements of the Privacy Rule that apply to the Customer in the performance of those obligations. The parties acknowledge that RADAR has no current obligations to carry out any of Customer’s obligations under the Privacy Rule under the Agreement or this Addendum.
RADAR shall mitigate to the extent practicable any harmful effect that is known to RADAR of a Use or Disclosure of PHI by RADAR in violation of the requirements of this Addendum.
Breach Notification.
RADAR shall report to Customer any Breach of Unsecured PHI in accordance with 45 CFR § 164.410. RADAR shall make such report without unreasonable delay and in no case later than five (5) business days after RADAR becomes aware of such Use, Disclosure, or Breach. RADAR shall provide to the Customer all information required by 45 CFR § 164.410(c) to the extent known and provide any additional available information reasonably requested by Customer for purposes of investigating the Breach as required by HIPAA. 
RADAR shall report to Customer any successful Security Incidents affecting PHI of which RADAR becomes aware. RADAR shall make such report without unreasonable delay and in no case later than five (5) business days after RADAR becomes aware of such successful Security Incident. RADAR hereby provides Customer with notice of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents, which include, but are not limited to, pings and other broadcast attacks on RADAR’s firewall, port scans, unsuccessful login attempts, denial of service attacks, and any combination of the above. So long as such incidents do not result in a Breach of Unsecured PHI, the parties agree that no further notice of unsuccessful Security Incidents is required.
Unless otherwise required by Applicable Law, as between RADAR and Customer, Customer shall be solely responsible for deciding whether to provide breach notification to affected Individuals, government agencies, or other parties regarding and providing such notification.  
Access by HHS. Upon request, RADAR shall make its internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary for purposes of determining Customer’s compliance with HIPAA.
Individual Requests. 
Customer acknowledges that RADAR does not maintain PHI in a Designated Record Set in the normal course of its business. In the event RADAR agrees in writing to maintain PHI in a Designated Record Set, upon request RADAR will provide access to PHI or make PHI available for amendment so as to facilitate Customer’s compliance with the requirements of 45 CFR §§ 164.524 and 164.526, respectively.
RADAR shall maintain documentation of its Disclosures of PHI in accordance with 45 CFR § 164.504(e)(2), and, upon request, make such information reasonably available to Customer to assist Customer with complying with its obligations under 45 CFR § 164.528.
If RADAR receives a request from an individual pertaining to his or her PHI, RADAR shall promptly forward the request to Customer. Customer shall be solely responsible for responding to all requests by Individuals for access to or amendment of PHI and for accountings of disclosures in accordance with 45 CFR §§ 164.524, 164.526, and 164.528, respectively. 
Term and Termination. 
This Addendum is effective as of the Effective Date and shall terminate upon the termination or expiration of the Agreement.
Either party may terminate the Agreement, and thereby this Addendum, for material breach in accordance with Section 8.2 of the Agreement. 
Effect of Termination. Within ninety (90) days of expiration or termination of the Agreement, RADAR shall purge Customer’s User Data, including any ePHI, from its production environment. RADAR shall destroy or cause to be destroyed all PHI maintained by RADAR or its subcontractors elsewhere, provided that, if RADAR determines that such destruction is infeasible, RADAR agrees to extend the protections of this Addendum to such PHI for so long as it is retained, limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction of the PHI infeasible, and to destroy such PHI when it becomes feasible to do so. Customer acknowledges that RADAR maintains backup copies of User Data in the normal course of business and that destruction of such backup copies other than in accordance with RADAR retention policies and procedures is not feasible. RADAR’s obligations under this Section 9 shall survive termination of this Addendum.
Interpretation. Any ambiguity in this Addendum shall be resolved to permit the parties to comply with HIPAA. A reference in this Addendum to any regulatory section means the section as in effect or as amended.
LIMITATION ON LIABILITY. 
NOTWITHSTANDING SECTION 13 OF THE AGREEMENT (LIMITATION OF LIABILITY), (I) THE COST OF MAILING LEGALLY REQUIRED NOTICES TO AFFECTED INDIVIDUALS AND (II) THE REASONABLE COST OF PROVIDING CREDIT MONITORING FOR UP TO TWELVE (12) MONTHS TO AFFECTED INDIVIDUALS, IN EACH CASE RESULTING FROM A BREACH OF UNSECURED PHI ATTRIBUTABLE TO RADAR’S BREACH OF ITS OBLIGATIONS UNDER THIS ADDENDUM SHALL BE DEEMED DIRECT DAMAGES FOR WHICH RADAR’S LIABILITY IS CAPPED AS SET FORTH IN SECTION 11.2 OF THIS ADDENDUM. 
NOTWITHSTANDING SECTION 13 OF THE AGREEMENT (LIMITATION OF LIABILITY), RADAR’S LIABILITY ARISING UNDER THIS ADDENDUM SHALL NOT EXCEED, IN THE AGGREGATE, FIFTY THOUSAND DOLLARS ($50,000).
Amendment. The parties agree to take such action as is necessary to amend this Addendum from time to time as is necessary for compliance with the requirements of HIPAA and any other applicable law.
Survival. The following Sections of this Addendum shall survive any expiration or termination of this Addendum: Sections 1, 9, 10, 11, 12, 13.

How to Contact Us

If you have any questions about these legal agreements and terms, RadarFirst can be contacted via email at [email protected] or you may send a letter to:

ATTN: Legal
RADAR, LLC
520 SW 6th Ave
Suite 200
Portland, OR 97204
USA