Terms and Conditions for provision of Payment Card Industry Data Security Standard (PCI) compliance audit to be provided by Rapid7, LLC, a qualified independent scan vendor.
1.1 By using the web site on which this document is found ("the Site"), you acknowledge that you have read the terms and conditions contained in this agreement ("this Agreement"), and that you agree, accept and will be bound by this Agreement AND Rapid7's TERMS OF SERVICE AGREEMENT located at https://pci.rapid7.com/home/terms. If you do not agree to BOTH Agreements, you must not use the Site or participate in the supply of the PCI compliance audit services ("the PCI Program").
2.1 Rapid7 provides its vulnerability scanning and PCI compliance certification services by automated remote network vulnerability tests ("Remote Tests") and by reviewing the ways in which you collect, use, disclose and store personal and cardholder information. You hereby authorize such Remote Tests and review to be completed either by analysis of the information submitted by you to Rapid7 or its authorized agent as part of the PCI Program, and/or in conjunction with off-site Remote Tests that will assess your computer system's vulnerabilities to unauthorized (hacker) access according to the Payment Card Industry Security Scanning Procedures located at: https://www.pcisecuritystandards.org/tech/supporting_documents.htm
2.2 Rapid7 grants you authorization to self scan for PCI compliance only. Rapid7's PCI compliance certificate does not grant third party certification privileges and none may be represented or granted unless the third party is also an approved PCI ASV and pays Rapid7 an additional fee.
3.1 You hereby authorize Rapid7 or its agents to disclose the information provided by you or derived under the PCI Program, Rapid7's analysis of the information provided by you and the results of any Remote Tests performed for you, to your acquiring (merchant) bank or Rapid7 and its authorized agents. You further authorize disclosure of answers to the PCI Self Assessment Questionnaire and summary results (Pass or Fail) of any Remote Tests conducted under the PCI Program to Visa USA, Visa International, MasterCard International, American Express, JCB or DiscoverCard.
4.1 You must pay any applicable PCI Program fees, as specified on the Site. If you fail to do so Rapid7 may, by giving you notice, immediately terminate this Agreement and your participation in the PCI Program.
5.1 The Site, the PCI Program (including the Remote Tests) and the materials, graphics, code, logos, content and information found on or in the Site, and the materials otherwise provided to you by Rapid7 or its agents (including without limitation the results of Rapid7's review) (collectively "the PCI Program Services and Deliverables") are owned or licensed by Rapid7, are subject to trademark, patent, copyright and other intellectual property rights, and are protected by worldwide intellectual property laws and treaty provisions. Rapid7 grants you a limited, non-exclusive, non-transferable license to use the PCI Program Services and Deliverables for your own internal business purposes solely for the purposes of participating in the PCI Program. The PCI Program Services and Deliverables may not be copied, reproduced, modified, published, uploaded, posted, transmitted, or distributed in any way, without Rapid7's prior written permission. Except as expressly provided herein, Rapid7 does not grant any express or implied right to you under any patents, copyrights, trademarks, or trade secret information.
5.2 The Rapid7 PCI portal provides self scanning capabilities only. Services provided through this portal may not be sold, rented, leased or provided to others.
6.1 In the course of providing the PCI Program Services and Deliverables, Rapid7 and its authorized agents may be given access to, or be provided with, confidential information about your business and/or your website ("Business Information"), and personal information about you, your employees, your account and/or card holders and/or your website ("Personal Information").
6.2 You authorize such access and disclosure of your Business Information to Rapid7 and its authorized agents, and to your payment processor or merchant bank. You also authorize disclosure of generic summary Business Information to Visa USA, MasterCard International, American Express or DiscoverCard. Subject to the foregoing, Rapid7 and its agents will use all reasonable efforts to keep your Business Information confidential and will not otherwise disclose your Business Information to any third party.
6.3 To the extent that access to Personal Information by Rapid7 occurs, you authorize such access and authorize Rapid7 and its agents to use such Personal Information for the sole purpose of providing the PCI Program Services and Deliverables. Rapid7 and its agents will not use any such Personal Information for any other purposes than those specifically related to providing the PCI Program Services and Deliverables. All Personal Information is also subject to Rapid7's Privacy Policy.
7.1 Rapid7 maintains a strict security policy. Traffic through the Site is monitored for unacceptable actions by visitors. No unauthorized, abusive, threatening, libelous, defamatory, obscene, pornographic or otherwise unlawful actions on this Site will be permitted, and all such actions may be reported to the appropriate authorities and legal action may be commenced without notice. We may by giving you notice immediately terminate this Agreement if we reasonably believe that you have used or permitted this Site to be used for such purposes.
8.1 This Agreement shall be interpreted and governed by the laws of the State of Massachusetts, regardless of the conflict of laws rules of any other jurisdiction. Rapid7 and you hereby submit to the exclusive jurisdiction and venue of the courts of the State of Massachusetts to resolve any disputes between us. If any provision of this Agreement be invalid or unenforceable under any law, such provision will be enforced to the extent permitted by law. No such invalid or unenforceable provision will affect the validity or enforceability of any other provision.
9.1 Rapid7 makes no representations or warranties that the PCI Program Services and Deliverables are appropriate or available for use in all jurisdictions, and accessing them from jurisdictions where their contents are illegal is prohibited. Those who choose to access this Site do so on their own initiative and are responsible for compliance with local laws. Your participation in the PCI Program indicates that you have submitted to Rapid7's review as contemplated herein and on the Site and under the PCI Program, and you understand that the results of such review represent Rapid7's opinion as to the security status of your environment at the time of such review based on the information you provide to Rapid7 for that purpose. Rapid7 does not and cannot represent, warrant or guarantee that you are at the present time or will in the future be immune or protected from security breaches or other problems.
9.2 Without limiting the foregoing, to the maximum extent permitted by law, Rapid7 does not make, and hereby disclaims, any and all express and/or implied warranties, representations or conditions relating to this agreement, its subject matter and/or the PCI Program services and deliverables, including, but not limited to, warranties or conditions of merchantability, fitness for a particular purpose, non-infringement and title, and any warranties or conditions arising from a course of dealing, usage, or trade practice.
10.1 The maximum aggregate liability of Rapid7 and its agents for all claims under or relating to this Agreement or its subject matter, regardless of whether such liability is based on breach of contract, tort (including negligence), strict liability, breach of warranties, failure of essential purpose, fundamental breach, breach of a fundamental term or otherwise, is limited to an amount equal to the fees paid by you under this Agreement for the online self-assessment test under the PCI Program. In no event shall Rapid7, its officers, directors, employees, shareholders, agents or other representatives be liable for any indirect, consequential, punitive, economic or incidental damages, damages for loss of profits, business interruption, or loss of information for any reason whatsoever arising out of or in relation to this Agreement or the PCI Program Services and Deliverables, regardless of whether such liability is based on breach of contract, tort (including negligence), strict liability, breach of warranties, failure of essential purpose, fundamental breach, breach of a fundamental term or otherwise, and even if Rapid7 has been advised of the possibility of such damages. You have sole responsibility for adequate protection and backup of your data, network and/or equipment used in connection with the PCI Program and you agree you will not make a claim against Rapid7 or its agents for lost data, re-run time, network or equipment problems, inaccurate output, work delays or lost profits resulting from the PCI Program Services and Deliverables.
10.2 You agree to hold Rapid7 and its agents harmless from, and you covenant not to sue Rapid7 and its agents for any claims based on the use of the PCI Program Services and Deliverables. This disclaimer and limitation of liability are fundamental elements of the agreement between you and Rapid7 regarding the PCI Program. The PCI Program Services and Deliverables would not have been provided to you without such disclaimer and limitations.
11.1 Nothing in the PCI Program Services and Deliverables or this Agreement shall be deemed in any way or for any purpose to constitute Rapid7 as a partner, agent or representative of any other party in the conduct of any business or otherwise or a member of a joint venture or joint enterprise with any other party referred to in, or linked to from, the Site or that is a licensed user of the PCI Program.
12.1 Any links on the Site to third party sites are for your convenience only. In using any such link you will be leaving Rapid7's Site. The linked sites are not under the control of Rapid7 and Rapid7 is not responsible for the contents or accuracy of any linked site or any link contained in a linked site, or any changes or updates to such sites. Rapid7 is providing these links only as a convenience, and the inclusion of any link does not imply endorsement by Rapid7 of such site.
12.2 Program at any time. Rapid7 does not endorse companies or products to which it links and reserves the right to note as such on the Site. If you decide to access any of the third party sites linked to the Site, you do this entirely at your own risk.
13.1 You may not create a web site that links to the Site without Rapid7's consent and then only in a manner expressly granted by Rapid7.
14.1 Rapid7 may revise this Agreement at any time by updating this document on the Site. You should visit this page each time you access the Site to review the then current Agreement because it is binding on you. Certain provisions of the foregoing may be superseded by expressly designated legal notices or terms located on particular pages at this Site.
15.1 This Agreement AND Rapid7's TERMS OF SERVICE AGREEMENT shall BOTH together constitute the entire terms of agreement between Rapid7 and you, and together shall supersede all other (prior or contemporaneous) communications or displays whether electronic, oral, or written, between Rapid7 and you in relation to the subject matter of this Agreement.
15.2 Sections 5, 8 and 10 of this Agreement survive any termination or expiration of this Agreement.
15.3 Rapid7 may at any time modify or discontinue all or any part of the PCI Program Services and Deliverables.
15.4 No waiver of any breach of the terms of this Agreement is effective unless that waiver is in writing and signed by the waiving party. No waiver of any breach is a waiver of any other or subsequent breach.