Rapid7 End User License Agreement

1. DEFINITIONS

1.1 Content Updates means content used by certain Rapid7 Software which is updated from time to time, including but not limited to updated vulnerability signatures for vulnerability assessment products and exploits for penetration testing products.

1.2 Documentation means the documentation for the Software generally supplied by Rapid7 to assist its customers in their use of the Software, including user and system administrator guides, manuals, and the functionality specifications.

1.3 Maintenance and Support Term means the period in which Customer is entitled to receive Content Updates, as applicable, and support services from Rapid7, including all updates, enhancements, bug fixes and new releases thereto that Rapid7 makes generally available to its customers. The length of the Maintenance and Support Term shall be listed on the applicable Order Form and shall commence on the date of delivery of the Software.

1.4 Order means Rapid7’s order form or other ordering document signed or referenced by Customer or its authorized reseller which identifies the specific Software and/or Services ordered, the Volume Limitations, and the price agreed upon by the parties.

1.5 Services means Rapid7’s professional services (as described in Section 10.2) herein.

1.6 Software means those Rapid7 products listed on the applicable Order Form.

1.7 Software Term means the period in which Customer is authorized to utilize the Software. Each Software Term shall be listed on the applicable Order Form and shall commence on the date of delivery of the Software.

1.8 Volume Limitations means the capacity indicated on the Order Form, including, as applicable, number of assets, applications, data, plugins, and named individual users of the Software.

2. SOFTWARE LICENSES

2.1 License to Products. During the Software Term, Rapid7 grants Customer a non-exclusive, non-transferable, non-sublicensable right to use and access the Software (in object code only): (i) solely for Customer’s internal business purposes; (ii) within the Volume Limitations; and (iii) as described in this Agreement. The parties also agree to be bound by any further license restrictions set forth on the Order Form. The following license provisions shall also apply if Customer is purchasing (i) Nexpose Managed Security Service Provider (MSSP) Edition or (ii) Nexpose Consultant: The Nexpose MSSP and Nexpose Consultant licenses allow Customer to scan assets of third parties, provided that such third party has authorized Customer to perform such scan.

2.2 Evaluation Licenses. If Customer’s license is for a trial or evaluation only, then the Software Term shall be thirty days, or the trial or evaluation term specified on the Order Form. Customer may not utilize the same software for more than one trial or evaluation term in any twelve month period, unless otherwise agreed to by Rapid7. Rapid7 may revoke Customer’s evaluation or trial license at any time and for any reason. Sections 4 (Limited Warranty) and 9.1 (Indemnification) shall not be applicable to any evaluation or trial license.

2.3 Use by Affiliates. Subject to the Volume Limitations, Customer may make the Software available to its Affiliates under these terms, provided that Customer is liable for any breach of this Agreement by any of its Affiliates. “Affiliate(s)” means any entity now existing that is directly or indirectly controlled by Customer. For purposes of this definition “control” means the direct possession of a majority of the outstanding voting securities of an entity.

2.4 Delivery and Copies. Delivery shall be deemed to have been made upon Rapid7 providing instructions to download or activate the Software, as applicable. Notwithstanding anything to the contrary herein, Customer may make a reasonable number of copies of the Software for the sole purpose of backing-up and archiving the Software. Each copy of the Software is subject to this Agreement and must contain the same titles, trademarks, and copyright notices as the original.

2.5 Restrictions. The Software may only be used for the purposes of good-faith testing, investigation, and/or correction of security flaws, exposures, or vulnerabilities in order to advance the security or safety of devices, machines, or networks of those who use such devices, machines, or networks. Except as may be expressly permitted by applicable law, Customer will not, and will not permit or authorize third parties to: (i) reproduce, modify, translate, enhance, decompile, disassemble, reverse engineer, create derivative works of the Software, or merge the Software into another program; (ii) resell, rent, lease, or sublicense the Software or access to it, including use of the Software for timesharing or service bureau purposes; (iii) circumvent or disable any security or technological features or measures in the Software; nor (iv) use the Software in order to build a competitive product or service, for competitive analysis, or to copy any ideas, features, functions, or graphics of the Software. Customer is responsible for its employees’ compliance with this Agreement. If Customer identifies a vulnerability in the Software, all information and analysis regarding the vulnerability must be disclosed through the Rapid7 contact form, found at www.rapid7.com/disclosure/.

2.6 Ownership of Software. Rapid7 retains all right, title, and interest in and to the Documentation, Software, Content Updates and in all copies, modifications and derivative works thereto including, without limitation, all rights to patent, copyright, trade secret, trademark, and other proprietary or intellectual property rights.

2.7 Customer Systems. Customer represents and warrants that it has the appropriate authorizations from the owner of the networks, systems, IP addresses, assets, and/or hardware on which it deploys the Software, or which it targets, scans, monitors, or tests with the Software.

3. FEES AND PAYMENT TERMS

3.1 If Customer is purchasing the Software through a Rapid7 authorized reseller, then the fees shall be as set forth between Customer and reseller and the applicable fees shall be paid directly to the reseller and Section 3.2 shall not apply.

3.2 Customer agrees to pay the fees, charges, and other amounts in accordance with the Order Form from the date of invoice. All fees are nonrefundable, unless otherwise stated herein. Customer shall be responsible for remitting all taxes levied on any transaction under this Agreement, including, without limitation, all federal, state, and local sales taxes, levies and assessments, and local withholding taxes in Customer’s jurisdiction, if any, excluding, however, any taxes based on Rapid7's income. In the event Customer is required to withhold taxes from its payment or withholding taxes are subsequently required to be paid to a local taxing jurisdiction, Customer is obligated to pay such tax, and Rapid7 as applicable, will receive the Order Form payment amount as agreed to net of any such taxes. Customer shall provide to Rapid7 written evidence that such withholding tax payment was made.

4. LIMITED WARRANTY

4.1 Software Warranty. Rapid7 warrants that for a period of ninety days following the initial delivery of any Software to Customer the Software will conform, in all material respects, with the applicable Documentation. Rapid7 makes no warranty regarding third party features or services. For a breach of the above warranty, Rapid7 will, at no additional cost to Customer, use commercially reasonable efforts to provide remedial services necessary to enable the Software to conform to the warranty. Customer will provide Rapid7 with a reasonable opportunity to remedy any breach and reasonable assistance in remedying any defects. If Rapid7 is unable to restore such functionality, Customer shall be entitled to terminate the applicable Order Form and receive a pro rata refund of the fees paid. The remedies set out in this subsection are Customer’s sole remedies for breach of the above warranty.

4.2 Disclaimer. RAPID7 DOES NOT REPRESENT THAT THE SOFTWARE WILL BE UNINTERRUPTED, ERROR-FREE, OR WILL MEET CUSTOMER’S REQUIREMENTS. EXCEPT FOR THE WARRANTY ABOVE, RAPID7 MAKES NO OTHER WARRANTIES OR REPRESENTATIONS, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS. RAPID7 MAKES NO WARRANTY THAT ALL SECURITY RISKS OR THREATS WILL BE DETECTED BY USE OF THE SOFTWARE OR THAT FALSE POSITIVES WILL NOT BE FOUND.

5. LIMITATION OF LIABILITY

5.1 Exclusion of Certain Damages. NEITHER PARTY WILL BE LIABLE UNDER THIS AGREEMENT FOR LOST REVENUES OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE.

5.2 Limitation on Amount of Liability. NEITHER PARTY WILL BE LIABLE UNDER THIS AGREEMENT FOR MORE THAN THE TOTAL AMOUNT PAID OR PAYABLE BY CUSTOMER TO RAPID7 HEREUNDER DURING THE TWELVE MONTHS IMMEDIATELY PRIOR TO THE EVENT GIVING RISE TO LIABILITY, EXCEPT THAT THE LIMITATION IN THIS SECTION 5.2 SHALL NOT APPLY TO: (I) VIOLATIONS OF A PARTY’S INTELLECTUAL PROPERTY RIGHTS BY THE OTHER PARTY; OR (II) A PARTY’S EXPRESS INDEMNIFICATION OBLIGATIONS UNDER THIS AGREEMENT.

6. VOLUME LIMITATIONS

6.1 Usage Verification. Customer understands and acknowledges that the Software may track and/or enforce its Volume Limitations. Additionally, upon Rapid7’s written request, such request not to exceed once every six months, Customer shall provide Rapid7 with a signed certification verifying that the Software is being used in accordance with this Agreement. In addition to the foregoing, at Rapid7’s written request, Customer will permit Rapid7 to review and verify Customer’s records, deployment, and use of the Software for compliance with the terms and conditions of this Agreement, at Rapid7’s expense. Any such review shall be scheduled at least ten days in advance, shall be conducted during normal business hours at Customer’s facilities, and shall not unreasonably interfere with Customer’s business activities.

6.2 Overscanning. In the event that the Service is used in excess of the Volume Limitations, following a reasonable notification period Customer shall be liable for, and Rapid7 reserves the right to invoice for, the fees for such excess usage at Rapid7’s then current list rates, or as otherwise set forth on the Order Form, notwithstanding the limitation on liability in Section 5.2 of this Agreement.

7. CONFIDENTIALITY

7.1 Confidential Information. “Confidential Information” means information provided by one party to the other party which is designated in writing as confidential or proprietary, as well as information which a reasonable person familiar with the disclosing party’s business and the industry in which it operates would know is of a confidential or proprietary nature. A party will not disclose the other party’s Confidential Information to any third party without the prior written consent of the other party, nor make use of any of the other party’s Confidential Information except in its performance under this Agreement. Each party accepts responsibility for the actions of its agents or employees and shall protect the other party’s Confidential Information in the same manner as it protects its own Confidential Information, but in no event with less than reasonable care. The parties expressly agree that the terms and pricing of this Agreement are Confidential Information. A receiving party shall promptly notify the disclosing party upon becoming aware of a breach or threatened breach hereunder and shall cooperate with any reasonable request of the disclosing party in enforcing its rights.

7.2 Exclusions. Information will not be deemed Confidential Information if such information: (i) is known prior to receipt from the disclosing party, without any obligation of confidentiality; (ii) becomes known to the receiving party directly or indirectly from a source other than one having an obligation of confidentiality to the disclosing party; (iii) becomes publicly known or otherwise publicly available, except through a breach of this Agreement; or (iv) is independently developed by the receiving party without use of the disclosing party’s Confidential Information. The receiving party may disclose Confidential Information pursuant to the requirements of applicable law, legal process or government regulation, provided that, unless prohibited from doing so by law enforcement or court order, the receiving party gives the disclosing party reasonable prior written notice, and such disclosure is otherwise limited to the required disclosure.

8. TERM & TERMINATION

The Software Term (or Maintenance and Support Term for Software with a perpetual Software Term) will automatically renew for an additional one year term at the rate listed on the applicable Order Form unless (i) otherwise indicated on the Order Form or (ii) either party provides the other with written notice of its election not to renew at least 30 days prior to the anniversary date. Any renewal will be invoiced at the rate indicated on the applicable Order Form. In connection with any renewal term, Rapid7 reserves the right to change the rates, applicable charges and usage policies and to introduce new charges for any subsequent Subscription Term, upon providing Customer written notice thereof (which may be provided by e-mail) at least 60 days prior to the end of the applicable term.

This Agreement or an Order Form may be terminated: (i) by either party if the other party is adjudicated as bankrupt, or if a petition in bankruptcy is filed against the other party and such petition is not discharged within sixty days of such filing; or (ii) by either party if the other party materially breaches this Agreement or the Order Form and fails to cure such breach to such party’s reasonable satisfaction within thirty days following receipt of written notice thereof. Customer’s license to use the Software shall terminate upon the expiration of the applicable Software Term. Upon any termination of this Agreement or an Order Form by Rapid7, all applicable licenses are revoked and Customer shall immediately cease use of the applicable Software and certify in writing to Rapid7 within thirty days that Customer has destroyed or returned to Rapid7 such Software and all copies thereof. Termination of this Agreement or a license granted hereunder shall not relieve Customer of its obligation to pay all fees that have accrued, have been paid, or have become payable by Customer hereunder. All provisions of this Agreement which by their nature are intended to survive the termination of this Agreement shall survive such termination.

9. INDEMNIFICATION

9.1 By Rapid7. Rapid7 will indemnify, defend, and hold harmless Customer from and against all liabilities, damages, and costs (including settlement costs and reasonable attorneys' fees) arising out of a third party claim that the Software infringes or misappropriates any intellectual property right of such third party. Notwithstanding the foregoing, in no event shall Rapid7 have any obligations or liability under this Section arising from: (i) use of any Software in a manner not anticipated by this Agreement or in combination with materials not furnished by Rapid7; or (ii) any content, information or data provided by Customer or other third parties. If the Software is or is likely to become subject to a claim of infringement or misappropriation, then Rapid7 will, at its sole option and expense, either: (i) obtain for the Customer the right to continue using the Software; (ii) replace or modify the Software to be non-infringing and substantially equivalent to the infringing Software; or (iii) if options (i) and (ii) above cannot be accomplished despite the reasonable efforts of Rapid7, then Rapid7 may terminate Customer’s rights to use the infringing Software and will refund pro-rata any prepaid fees for the infringing portion of the Software. THE RIGHTS GRANTED TO CUSTOMER UNDER THIS SECTION 9.1 SHALL BE CUSTOMER’S SOLE AND EXCLUSIVE REMEDY FOR ANY ALLEGED INFRINGEMENT BY THE SOFTWARE OF ANY PATENT, COPYRIGHT, OR OTHER PROPRIETARY RIGHT.

9.2 By Customer. Customer will indemnify, defend, and hold harmless Rapid7 from and against all liabilities, damages, and costs (including settlement costs and reasonable attorneys' fees) arising out of a third party claim regarding Customer's: (i) use of the Software in violation of applicable law; or (ii) breach of the representation and warranty made in Section 2.7 and 11.4 of this Agreement.

10. TECHNICAL SUPPORT AND PROFESSIONAL SERVICES

10.1 Maintenance and Support Services. The maintenance and support program selected by Customer shall be set forth on the applicable Order Form and shall be further subject to Rapid7’s maintenance and support policy, a copy of which is located at https://www.rapid7.com/globalassets/_pdfs/whitepaperguide/rapid7-customer-support-guidebook.pdf.

10.2 Product-Related Professional Services. Unless otherwise provided on an Order Form or statement of work (“SOW”), Customer is responsible for installing and configuring all Software. Rapid7 may provide Customer certain professional services, such as installation, configuration, consulting, training, and external scanning, if and as specified on an Order Form or a separate SOW executed by the parties. Such Services will be invoiced upon execution of the Order Form or SOW. All changes to an SOW must be approved by both parties in writing. Rapid7 shall have sole discretion in staffing the Services and may assign the performance of any portion of the Services to any subcontractor, provided that Rapid7 shall be responsible for the performance of any such subcontractor. Customer will have a non-exclusive, non-transferable license to use any deliverables or other work product developed by Rapid7 in the performance of the Services which are delivered to Customer, upon Customer's payment in full of all amounts due for such deliverables or work product. Rapid7 retains ownership of all information, software, and other property owned by it prior to this Agreement or which it develops independently of this Agreement and all deliverables and work product compiled or developed by Rapid7 in the performance of the Services.

10.3 Professional Services Rescheduling. To the extent Customer purchases Services, Customer may reschedule the Services up to ten business days prior to the start of the Services at no cost. If Customer reschedules the Services with less than ten business days’ notice, Customer will forfeit the portion of the Services equal to the number of days that were rescheduled without the required notice. If Customer reschedules the Services after they have begun, Customer will forfeit five days of Services, or the number of days remaining on the Services, whichever is fewer. Customer will also be responsible for any out-of-pocket expenses incurred by Rapid7 due to such rescheduling. If performance of the Services is delayed by Customer’s acts or omissions, including Customer’s failure to meet the requirements set forth in an SOW, Customer will forfeit the duration of such delay from its Services time.

11. GENERAL PROVISIONS

11.1 Miscellaneous. This Agreement shall be construed in accordance with and governed for all purposes by the laws of the State of Delaware (for customers located in North America), or England & Wales (for customers located outside of North America), each excluding its respective choice of law provisions and each party consents and submits to the jurisdiction and forum of the state and federal courts in the State of Delaware (for customers located in the United States) or London, England (for customers located outside the United States) for all questions and controversies arising out of this Agreement and waives all objections to venue and personal jurisdiction in these forums for such disputes; (b) this Agreement, along with the accompanying Order Form(s) constitute the entire agreement and understanding of the parties hereto with respect to the subject matter hereof and supersedes all prior agreements and undertakings, both written and oral; (c) this Agreement and each Order Form may not be modified except by a writing signed by each of the parties; (d) in case any one or more of the provisions contained in this Agreement shall for any reason be held to be invalid, illegal, or unenforceable in any respect, such invalidity, illegality, or unenforceability shall not affect any other provisions of this Agreement, but rather this Agreement shall be construed as if such invalid, illegal, or other unenforceable provision had never been contained herein; (e) Customer shall not assign its rights or obligations hereunder without Rapid7's advance written consent; (f) subject to the foregoing subsection (e), this Agreement shall be binding upon and shall enure to the benefit of the parties hereto and their successors and permitted assigns; (g) no waiver of any right or remedy hereunder with respect to any occurrence or event on one occasion shall be deemed a waiver of such right or remedy with respect to such occurrence or event on any other occasion; (h) nothing in this Agreement, express or implied, is intended to or shall confer upon any other person any right, benefit, or remedy of any nature whatsoever under or by reason of this Agreement, including but not limited to any of Customer’s own clients, customers, or employees; (i) the headings to the sections of this Agreement are for ease of reference only and shall not affect the interpretation or construction of this Agreement; (j) terms in an Order Form have precedence over conflicting terms in this Agreement, but have applicability only to that particular Order Form; and (k) this Agreement may be executed in two or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.

11.2 Export. Each party acknowledges that the export, re-export, deemed export, and import of the Software and Documentation by Customer and Rapid7 is subject to certain laws, rules, executive orders, directives, arrangements, and regulations of the United States and of other countries. Each party agrees to comply with all applicable laws with respect to the exportation, importation, and use of the Software and Documentation.

11.3 Personal Data. To the extent that Rapid7 processes personal data about any individual in the course of providing the Software or Service, Customer agrees to Rapid7’s Data Processing Agreement, located at rapid7.com/legal/dpa/.

11.4 Data Privacy. Customer represents and warrants that Customer has obtained all necessary rights to permit Rapid7 to collect and process data from Customer, including, without limitation, data from endpoints, servers, cloud applications, and logs.

11.5 Injunctive Relief. Notwithstanding any other provision of this Agreement, both parties acknowledge that any breach of this Agreement may cause the other party irreparable and immediate damage for which remedies other than injunctive relief may be inadequate. Therefore, the parties agree that, in addition to any other remedy to which a party may be entitled hereunder, at law or equity, each party shall be entitled to seek an injunction to restrain such use in addition to other appropriate remedies available under applicable law.

11.6 Relationship of the Parties. Rapid7 and Customer are independent contractors, and nothing in this Agreement shall be construed as making them partners or creating the relationships of principal and agent between them, for any purpose whatsoever. Neither party shall make any contracts, warranties or representations or assume or create any obligations, express or implied, in the other party’s name or on its behalf.

11.7 US Government Restricted Rights. This Section applies to all acquisitions of the Software or Services by or for the US federal government, or by any prime contractor or subcontractor (at any tier) under any contract, grant, cooperative agreement, or other activity with the federal government for the Government’s end use. The Software and Services are “commercial items” as that term is defined at FAR 2.101. If Customer is an Executive Agency (as defined in FAR 2.101) of the U.S. Federal Government (“Government”), Rapid7 provides the Software and Services, including any related technical data and/or professional services in accordance with the following: If a right to access the Software and Services is procured by or on behalf of any Executive Agency (other than an Executive Agency within the Department of Defense (DoD)), the Government is granted, in accordance with FAR 12.211 (Technical Data) and FAR 12.212 (Computer Software), only those rights in technical data and software customarily provided to Rapid7’s customers as such rights are described in this Agreement. If a right to access the Software and Services is procured by or on behalf of any Executive Agency within the DoD, the Government is granted, in accordance with DFARS 227.7202-3 (Rights in commercial computer software or commercial computer software documentation), only those rights in technical data and software that are customarily provided to Rapid7’s customers as such rights are described in this Agreement. In addition, DFARS 252.227-7015 (Technical Data – Commercial Items) applies to technical data provided by Rapid7 to an Executive Agency within the DoD. Note, however, that Subpart 227.72 does not apply to computer software or computer Service documentation acquired under GSA schedule contracts. Except as expressly permitted under this Agreement, no other rights or licenses are granted to the Government. Any rights requested by the Government and not granted under this Agreement must be separately agreed in writing with Rapid7. This Section 11.6 of the Agreement is in lieu of, and supersedes, any other FAR, DFARS, or other clause, provision, or supplemental regulation that addresses Government rights in the Software and Services.

11.8 Force Majeure. Other than payment obligations hereunder, neither party will be liable for any inadequate performance to the extent caused by a condition that was beyond the party's reasonable control (including, but not limited to, natural disaster, act of war or terrorism, riot, global health crisis, acts of God, or government intervention), except for mere economic hardship, so long as the party continues to use commercially reasonable efforts to resume performance.

11.9 No Reliance. Customer represents that it has not relied on the availability of any future version of the Software or any future product or service in executing this Agreement or purchasing any Software hereunder.

11.10 Notices. Unless specified otherwise herein, (i) all notices must be in writing and addressed to the attention of the other party's legal department and primary point of contact, and (ii) notice will be deemed given: (a) when verified by written receipt if sent by personal courier, overnight courier, or when received if sent by mail without verification of receipt; or (b) when verified by automated receipt or electronic logs if sent by email. When sent by email, notices to Rapid7 must be sent to notices@rapid7.com.

11.11 Publicity. Customer acknowledges that Rapid7 may use Customer’s name and logo for the purpose of identifying Customer as a customer of Rapid7 products and/or services. Rapid7 will cease using Customer’s name and logo upon written request.

11.12 Compliance with Law. Each party agrees to comply with all applicable federal, state and local laws and regulations including but not limited to export law, and those governing the use of network scanners, vulnerability assessment software products, encryption devices, user monitoring, and related software in all jurisdictions in which systems are scanned, scanning is controlled, or users are monitored.