Master Software and Services Agreement

Last updated October 2025

This Master Software and Services Agreement (the “Agreement”), effective on the date of last signature below (the “Effective Date”), is made by and between Rapid7 LLC (for customers located in the United States) or Rapid7 International Limited (for customers located outside the United States) (as applicable, “Rapid7”) and the customer signing this Agreement (“Customer”). The parties agree to be bound by the following terms and conditions to the extent the Rapid7 Offering(s) are purchased on an Ordering Document.

1. DEFINITIONS

1.1. Cloud-Hosted Software means the subscription software applications hosted by Rapid7 and identified on an Ordering Document.

1.2. Customer Content means any of Customer’s data gathered through the provision of the Offering or any data made available by Customer to Rapid7 for use in connection with the Offering. 

1.3. Distributed Software means those Rapid7 products listed on the applicable Ordering Document to be deployed in Customer’s on-premise environment.

1.4. Documentation means the documentation for the Offering generally supplied by Rapid7 to assist its customers in their use of the Offering, including user and system administrator guides, manuals, and the software functionality specifications.

1.5. Managed Services means the continuous monitoring, detection, investigation, response, and other security related Services provided by Rapid7’s security operations personnel for the Term, subject to the scope, service description, and limitations set forth in the applicable Ordering Document and SOW. Managed Services may include Rapid7 operating Software on Customer’s behalf as described in the SOW.

1.6. Offering means the Software, Services, Rapid7 Data and any other products and/or services indicated on the applicable Ordering Document.

1.7. Ordering Document means a written ordering document agreed to by Rapid7 or its authorized reseller that is either signed by the Customer or referenced by Customer on a purchase order which identifies, as applicable, the specific Offering ordered, the Volume Limitations, overage options, the Term, tiers and the price agreed upon by the parties.

1.8. Professional Services means Services where Customer engages Rapid7 to perform specific, identified tasks, either at specific dates and times, or retained for a period of time in order to perform such tasks as needed.

1.9. Rapid7 Data means the proprietary data, work product, output, results, and derivatives of the foregoing produced by Rapid7 which may be made available to Customer through Offerings as set forth in an Ordering Document. 

1.10. Schedule means the specific terms and conditions related to the Offering that supplement this Agreement including Schedule A (Services) and Schedule B (Software).

1.11. Service(s) means the Managed Services, Professional Services, and any other consulting, testing, or other services described in an SOW or Ordering Document, which are subject to the terms in Schedule A.

1.12. Software means Cloud-Hosted Software and Distributed Software, as applicable, which are subject to the terms in Schedule B. 

1.13. Statement of Work or SOW means (i) the statement of work, scope of work, scope of service, or service brief that sets forth and describes the Services to be provided hereunder, and as applicable, any delivery schedules, timelines, specifications, and any other terms agreed upon by the parties; or (ii) Rapid7 Ordering Document which identifies the Services ordered; in each case as signed or referenced by Customer or its authorized partner.

1.14. Term means the period of time set forth in the applicable Ordering Document during which (i) Customer is allowed to use the Software, or (ii) Services may be performed.

1.15. Usage Data means information and data relating to the provision, use, interaction with, and performance of various aspects of the Offerings and related services, systems, and technologies including information and data concerning Customer’s and its users’ use of and engagement with the various features and functionality of the Offerings and analytics and statistical data derived therefrom.

1.16. Volume Limitations means the capacity indicated on the Ordering Document or Documentation, including unique assets, applications, number of scans, number of billable cloud resources, gigabytes, or workflows, as applicable.

2. USE OF OFFERING

2.1. Rapid7 Offering. Rapid7 retains ownership of all right, title, and interest in and to all intellectual property in and about the Offering including the Documentation, tools, models, know-how, methodologies, analysis frameworks, modifications and derivative works thereto including all rights to patent, copyright, trade secret, trademark, and other proprietary or intellectual property rights (“Rapid7 IP”).

2.2. Customer Systems. Customer represents and warrants that (a) it has the appropriate authorizations for the networks, systems, IP addresses, assets, and/or hardware on which it deploys the Offering(s), or which it targets, scans, monitors, or tests with the Offering(s), (b) it will use and process Rapid7’s Data in accordance with this Agreement, and (c) Customer has obtained all necessary rights to permit Rapid7 to collect and process Content from Customer, including, without limitation, data from endpoints, servers, cloud applications, and logs.

2.3. Use by Affiliates. Customer may make the Offering(s) available to its Affiliates under these terms, provided that Customer is liable for any breach of this Agreement by any of its Affiliates. “Affiliate(s)” means any entity that is controlled by Customer. For purposes of this definition, “control” means the direct possession of a majority of the outstanding voting securities of an entity.

2.4. Customer Content & Usage Data. Customer retains ownership of all rights, title, and interest in and to all Customer Content, and Customer is solely responsible for all Customer Content. Rapid7 does not guarantee the accuracy, integrity, or quality of such Customer Content. Except as otherwise provided in this Agreement, Customer shall be solely responsible for providing, updating, uploading, and maintaining all Customer Content, as applicable. Rapid7 may use Customer Content as necessary to provide the Offering to Customer. Notwithstanding the foregoing, Customer grants Rapid7 a license to anonymize, de-personalize, or aggregate Customer Content to determine usage trends, perform analytics, and improve the Offerings, including the training of internal Rapid7 models. For avoidance of doubt, Rapid7 will not use Customer Content for model training, except in de-identified and aggregated forms, and will not attempt to re-identify any de-identified data. Customer acknowledges and agrees that Rapid7 may collect, analyze, and otherwise process Usage Data internally for its business purposes, including for the purposes of security and analytics, to improve and enhance its Offerings, or for other development, including training internal models.

3. FEES; PAYMENT TERMS

3.1. Payment via Rapid7 Authorized Partner. If Customer purchases the Offering through a Rapid7 authorized partner, then terms regarding invoicing, fees, and taxes shall be as set forth between Customer and partner and the applicable fees shall be paid directly to such partner and Section 3.2 shall not apply.

3.2. Direct Payment by Customer. Customer agrees to pay the fees, charges and other amounts in accordance with the applicable Ordering Document. Rapid7 will invoice Customer upon execution of an Ordering Document or the reference to an Ordering Document in Customer’s purchase order, unless otherwise agreed by the parties. All fees are exclusive of any taxes levied on any transaction under this Agreement, including, without limitation, sales, use, excise, value added, digital service taxes, withholding taxes, customs duties and tariffs imposed by any jurisdiction or governmental authority (“Taxes”). Payments made by Customer to Rapid7 under this Agreement shall be made without reduction for any such Taxes. If Rapid7 is legally obligated to remit Taxes to a jurisdiction or governmental authority in relation to a specific Ordering Document, Rapid7 will identify such Taxes as separate items on Customer’s invoice where required, unless Rapid7 receives from Customer a valid tax-exempt certificate. Customer is responsible for providing any applicable tax-exempt certificates. 

3.3. Fees and Travel Expenses. All fees are non-refundable and non-cancellable unless otherwise stated herein or in the applicable Ordering Document. In the event an Ordering Document requires travel by Rapid7 to a Customer designated site, Customer shall also reimburse Rapid7 for all reasonable out-of-pocket expenses incurred by Rapid7 in connection with delivery of the Offering.

4. CONFIDENTIALITY, PRIVACY, AND SECURITY

4.1. Confidential Information. “Confidential Information” means information provided by one party to the other party which is designated in writing as confidential or proprietary, as well as information which a reasonable person familiar with the disclosing party’s business and the industry in which it operates would know is of a confidential or proprietary nature. A party will not disclose the other party’s Confidential Information to any third party without the prior written consent of the other party, nor make use of any of the other party’s Confidential Information except in its performance under this Agreement. Each party accepts responsibility for the actions of its agents or employees and shall protect the other party’s Confidential Information in the same manner as it protects its own Confidential Information, but in no event with less than reasonable care. The parties expressly agree that the terms and pricing of this Agreement are Confidential Information. A receiving party shall promptly notify the disclosing party upon becoming aware of a breach or threatened breach hereunder and shall cooperate with any reasonable request of the disclosing party in enforcing its rights.

4.2. Exclusions. Information will not be deemed Confidential Information if such information: (i) is known prior to receipt from the disclosing party, without any obligation of confidentiality; (ii) becomes known to the receiving party directly or indirectly from a source other than one having an obligation of confidentiality to the disclosing party; (iii) becomes publicly known or otherwise publicly available, except through a breach of this Agreement; or (iv) is independently developed by the receiving party without use of the disclosing party’s Confidential Information. The receiving party may disclose Confidential Information pursuant to the requirements of applicable law, legal process, or government regulation, provided that, unless prohibited from doing so by law enforcement or court order, the receiving party gives the disclosing party reasonable prior written notice, and such disclosure is otherwise limited to the required disclosure.

4.3. Data Processing Addendum. To the extent that Rapid7 processes personal data about any individual in the course of providing the Offering, Customer agrees to Rapid7’s Data Processing Agreement, located at https://www.rapid7.com/legal/dpa/ (“DPA”). 

4.4. Data Security. Rapid7 shall implement appropriate technical and organizational measures to protect Customer Content from accidental or unlawful destruction, loss, or alteration, unauthorized disclosure of, or access to Customer Content. Such measures may include, as appropriate (a) the encryption of Customer Content; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services; and (c) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of Customer Content.

5. WARRANTIES AND DISCLAIMERS

EXCEPT FOR THE WARRANTIES SET FORTH IN THIS AGREEMENT, INCLUDING, TO THE EXTENT APPLICABLE SCHEDULE A: SERVICES AND SCHEDULE B: SOFTWARE, RAPID7 MAKES NO OTHER WARRANTIES OR REPRESENTATIONS, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS. RAPID7 MAKES NO WARRANTY THAT THE USE OF THE OFFERING(S) WILL BE SUCCESSFUL, THAT THE RAPID7 DATA WILL MEET CUSTOMER’S REQUIREMENTS OR THAT REMEDIATIONS WILL BE COMPLETED WITHIN A CERTAIN TIMEFRAME, NOR DOES IT MAKE ANY WARRANTY THAT ALL SECURITY RISKS, INCIDENTS, OR THREATS WILL BE DETECTED OR REMEDIATED BY USE OF THE OFFERING(S) OR THAT THERE WILL NOT BE FALSE POSITIVES. 

6. INDEMNIFICATION

6.1. By Rapid7. Rapid7 will indemnify, defend, and hold harmless Customer from and against all costs, liabilities, losses, and expenses (including, but not limited to, reasonable attorneys’ fees) (collectively, “Losses”) arising out of a third-party claim alleging that the Offering infringes or misappropriates any intellectual property rights of such third party. Notwithstanding the foregoing, in no event shall Rapid7 have any obligations or liability under this Section arising from: (i) use of any Offering in combination with materials not furnished by Rapid7, and (ii) any Customer Content, information, or data provided by Customer or other third parties. If the Offering is or is likely to become subject to a claim of infringement or misappropriation, then Rapid7 will, at its sole option and expense, either: (i) obtain for the Customer the right to continue using the Offering; (ii) replace or modify the Offering to be non-infringing and substantially equivalent to the infringing Offering; or (iii) if options (i) and (ii) above cannot be accomplished despite the reasonable efforts of Rapid7, then Rapid7 may terminate Customer’s rights to use the infringing Offering and will refund pro-rata any prepaid fees for the infringing portion of the Offering. THE RIGHTS GRANTED TO CUSTOMER UNDER THIS SECTION SHALL BE CUSTOMER’S SOLE AND EXCLUSIVE REMEDY FOR ANY ALLEGED INFRINGEMENT BY THE OFFERING OF ANY PATENT, COPYRIGHT, OR OTHER PROPRIETARY RIGHT.

6.2. By Customer. Customer will indemnify, defend, and hold harmless Rapid7 from and against all Losses arising out of a third-party claim regarding: (i) Customer’s violation of any representations and warranties made in Section 2.2 of this Agreement; (ii) Customer’s fraud, gross negligence, or willful misconduct.

6.3. Procedure. Each party will promptly notify the other party in writing of any claim for which such party believes it is entitled to be indemnified pursuant to this Section. The party seeking indemnification (the "Indemnitee") shall cooperate with the other party (the "Indemnitor") at the Indemnitor's sole cost and expense. The Indemnitor shall promptly assume control of the defense and shall employ counsel to handle and defend the same, at the Indemnitor's sole cost and expense. The Indemnitee shall not at any time admit liability or otherwise settle or compromise or attempt to settle or compromise the said claim or action except upon the express instructions of the Indemnitor. The Indemnitee may participate in and observe the proceedings at its own cost and expense with counsel of its own choosing. Neither party may settle a claim that results in liability or admission of liability by the Indemnitee without the Indemnitee’s written consent, which shall not be unreasonably withheld or delayed. The Indemnitee's failure to perform any obligations under this Section will not relieve the Indemnitor of its indemnification obligations, except to the extent that the Indemnitor can demonstrate that it has been materially prejudiced because of such failure.

7. LIMITATION OF LIABILITY

7.1. Exclusion of Certain Damages. NEITHER PARTY WILL BE LIABLE UNDER THIS AGREEMENT FOR LOST REVENUES OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE.

7.2. Limitation on Amount of Liability. NEITHER PARTY WILL BE LIABLE UNDER THIS AGREEMENT FOR MORE THAN THE TOTAL AMOUNT PAID OR PAYABLE BY CUSTOMER FOR THE RELEVANT OFFERING DURING THE TWELVE MONTHS IMMEDIATELY PRIOR TO THE EVENT GIVING RISE TO LIABILITY, EXCEPT THAT THE LIMITATION IN THIS SECTION 7.2 SHALL NOT APPLY TO: (I) VIOLATIONS OF A PARTY’S INTELLECTUAL PROPERTY RIGHTS BY THE OTHER PARTY; OR (II) A PARTY’S EXPRESS INDEMNIFICATION OBLIGATIONS UNDER THIS AGREEMENT.

8. TERM AND TERMINATION

8.1. Term. The Term of each Offering will be as set forth on the Ordering Document. The Term will automatically renew for the same period of time as the initial Term at the rate listed on the applicable Ordering Document unless (i) otherwise indicated on the Ordering Document or (ii) either party provides the other with written notice of its election not to renew at least 30 days prior to the end of the applicable Term. Any renewal will be invoiced at the rate indicated on the applicable Ordering Document. In connection with any renewal term, Rapid7 reserves the right to change the rates, applicable charges and usage policies and to introduce new charges for any subsequent Term, upon providing Customer written notice thereof (which may be provided by e-mail) at least 60 days prior to the end of the applicable Term. 

8.2. Termination. Either party may terminate this Agreement or any Ordering Document (i) in the event of a material breach of this Agreement or any such Ordering Document by the other party that is not cured within thirty days of written notice thereof from the other party, (ii) immediately in the event of an incurable, material breach, or (iii) immediately if the other party ceases doing business, or is the subject of a voluntary or involuntary bankruptcy, insolvency or similar proceeding that is not dismissed within sixty days of filing. All provisions of this Agreement which by their nature are intended to survive the termination of this Agreement shall survive such termination.

8.3. Effect of Termination. Upon any termination or expiration of this Agreement or any applicable Ordering Document, Rapid7 shall no longer provide the applicable Offering to Customer and Customer must cease using the Offering and send no further Customer Content to Rapid7. Customer acknowledges that by entering into a fixed term on an Ordering Document it has received preferable pricing and that Rapid7 has made related investments in reliance on the committed term. Early termination would cause Rapid7 financial loss. Accordingly, if Customer terminates or attempts to terminate the Agreement before the fixed term ends, Customer will not receive a refund of fees already paid and will remain liable for all fees due for the full term. Customer agrees that following termination of Customer’s account and/or use of the Offering, Rapid7 may immediately deactivate Customer’s account, and, following a period of not less than thirty (30) days, Rapid7 shall be entitled to delete Customer’s account and all Customer Content.

9. GENERAL PROVISIONS

9.1. Miscellaneous. (a) This Agreement shall be construed in accordance with and governed for all purposes by the laws of the State of Delaware (for customers located in North America), or England & Wales (for customers located outside of North America), each excluding its respective choice of law provisions, and each party consents and submits to the jurisdiction and forum of the state and federal courts in the State of Delaware (for customers located in North America) or London, England (for customers located outside of North America) all questions and controversies arising out of this Agreement and waives all objections to venue and personal jurisdiction in these forums for such disputes; (b) this Agreement, along with the accompanying Schedules, Addenda, and Ordering Document(s), constitutes the entire agreement and understanding of the parties hereto with respect to the subject matter hereof and supersedes all prior agreements and undertakings, both written and oral; (c) this Agreement and each Ordering Document may not be modified except by a writing signed by each of the parties; (d) in case any one or more of the provisions contained in this Agreement shall for any reason be held to be invalid, illegal, or unenforceable in any respect, such invalidity, illegality, or unenforceability shall not affect any other provisions of this Agreement but rather this Agreement shall be construed as if such invalid, illegal, or other unenforceable provision had never been contained herein; (e) Customer shall not assign its rights or obligations hereunder without Rapid7's advance written consent; (f) subject to the foregoing subsection (e), this Agreement shall be binding upon and shall inure to the benefit of the parties hereto and their successors and permitted assigns; (g) no waiver of any right or remedy hereunder with respect to any occurrence or event on one occasion shall be deemed a waiver of such right or remedy with respect to such occurrence or event on any other occasion; (h) nothing in this Agreement, express or implied, is intended to or shall confer upon any other person any right, benefit or remedy of any nature whatsoever under or by reason of this Agreement, including but not limited to any of Customer’s own clients, customers, or employees; (i) the headings to the sections of this Agreement are for ease of reference only and shall not affect the interpretation or construction of this Agreement; (j) terms in an Ordering Document have precedence over conflicting terms in this Agreement or Schedules, but have applicability only to that particular Ordering Document; (k) the terms in a Schedule have precedence over conflicting terms in this Agreement, but have applicability only to that particular Schedule; and (l) this Agreement may be executed in two or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.

9.2. Injunctive Relief. Notwithstanding any other provision of this Agreement, both parties acknowledge that any breach of this Agreement may cause the other party irreparable and immediate damage for which remedies other than injunctive relief may be inadequate. Therefore, the parties agree that, in addition to any other remedy to which a party may be entitled hereunder, at law or equity, each party shall be entitled to seek an injunction to restrain such use in addition to other appropriate remedies available under applicable law.

9.3. Relationship of the Parties. Rapid7 and Customer are independent contractors, and nothing in this Agreement shall be construed as making them partners or creating the relationships of principal and agent between them, for any purpose whatsoever. Neither party shall make any contracts, warranties, or representations or assume or create any obligations, express or implied, in the other party’s name or on its behalf.

9.4. US Government Restricted Rights. This section applies to all acquisitions of the Offering by or for the U.S. Federal Government, or by any prime contractor or subcontractor (at any tier) under any contract, grant, cooperative agreement, or other activity with the Federal Government for the Government’s end use. The Offerings are “commercial items” as that term is defined at FAR 2.101. If Customer is an Executive Agency (as defined in FAR 2.101) of the U.S. Federal Government (“Government”), Rapid7 provides the Offering, including any related technical data and/or professional services in accordance with the following: If a right to access the Offering is procured by or on behalf of any Executive Agency (other than an Executive Agency within the Department of Defense (DoD)), the Government is granted, in accordance with FAR 12.211 (Technical Data) and FAR 12.212 (Computer Software), only those rights in technical data and software customarily provided to Rapid7’s customers as such rights are described in this Agreement. If a right to access the Offering is procured by or on behalf of any Executive Agency within the DoD, the Government is granted, in accordance with DFARS 227.7202-3 (Rights in commercial computer software or commercial computer software documentation), only those rights in technical data and software that are customarily provided to Rapid7’s customers as such rights are described in this Agreement. In addition, DFARS 252.227-7015 (Technical Data – Commercial Items) applies to technical data provided by Rapid7 to an Executive Agency within the DoD. Note, however, that Subpart 227.72 does not apply to computer software or computer Offering documentation acquired under GSA schedule contracts. Except as expressly permitted under this Agreement, no other rights or licenses are granted to the Government. Any rights requested by the Government and not granted under this Agreement must be separately agreed in writing with Rapid7. 
This Section is in lieu of, and supersedes, any other FAR, DFARS, or other clause, provision, or supplemental regulation that addresses Government rights in the Offering.

9.5. Force Majeure. Other than payment obligations hereunder, neither party will be liable for any inadequate performance to the extent caused by a condition that was beyond the party's reasonable control (including, but not limited to, natural disaster, act of war or terrorism, riot, global health crisis, acts of God, or government intervention), except for mere economic hardship, so long as the party continues to use commercially reasonable efforts to resume performance.

9.6. No Reliance. Customer represents that it has not relied on the availability of any future feature or version of the Offering or any future product or service in executing this Agreement or purchasing any Offering hereunder.

9.7. Publicity. Customer acknowledges that Rapid7 may use Customer’s name and logo for the purpose of identifying Customer as a customer of Rapid7 Offerings. Rapid7 will cease using Customer’s name and logo upon written request.

9.8. Notices. Unless specified otherwise herein, (i) all notices must be in writing and addressed to the attention of the other party's legal department and primary point of contact and (ii) notice will be deemed given: (a) when verified by written receipt if sent by personal courier, overnight courier, or when received if sent by mail without verification of receipt; or (b) when verified by automated receipt or electronic logs if sent by email. When sent by email, notices to Rapid7 must be sent to [email protected].

9.9. Compliance with Law. Each party agrees to comply with all applicable federal, state, and local laws and regulations including but not limited to export law, and those governing the use of network scanners, vulnerability assessment software products, encryption devices, user monitoring, and related software in all jurisdictions in which systems are scanned, scanning is controlled, or users are monitored.

Rapid7 and Customer have caused these Rapid7 Terms and Conditions to be executed by their duly authorized representatives as of the Effective Date.

Offering-specific terms

Schedule A: Services

This Services Schedule (the “Services Schedule”) governs the terms and conditions in connection with the subscription to and use of Rapid7 Services. In the event of a conflict between this Services Schedule and the Agreement, this Services Schedule will prevail with respect to the Services.

  1. SERVICES. Customer may order Services from Rapid7 through a SOW or an Ordering Document containing reference to a SOW. Rapid7 shall provide the Services as specified in the applicable SOW or Ordering Document. Rapid7 will not invoice Customer for any Services beyond those contained in the applicable SOW or Ordering Document without the prior written consent of Customer.

  2. MANAGED SERVICES. To the extent Managed Services include any Rapid7 Software, Customer is granted a license to such Software subject to the applicable license terms. Such license will be for the Term of the Managed Services only.  

  3. PROFESSIONAL SERVICES RESCHEDULING. Customer may reschedule Professional Services up to ten business days prior to the start of the Professional Services at no cost. If Customer reschedules the Professional Services with less than ten business days’ notice, Customer will forfeit the portion of the Professional Services equal to the number of days that were rescheduled without the required notice. If Customer reschedules the Professional Services after they have begun, Customer will forfeit five days of Professional Services, or the number of days remaining on the Professional Services, whichever is fewer. Customer will also be responsible for any out-of-pocket expenses incurred by Rapid7 due to such rescheduling. If performance of the Professional Services is delayed by Customer’s acts or omissions, including Customer’s failure to meet the requirements set forth in an SOW, Customer will forfeit the duration of such delay from its Professional Services time. Customer will have twelve months from the date of order to use or schedule any Professional Services, after which time any remaining, unscheduled Professional Services time will be forfeited.

  4. RESULTS & DELIVERABLES. Customer shall own all right, title and interest to the Results obtained by Customer through Customer’s use of the Services. For purposes of this Services Schedule, “Results” shall mean the data based on Customer Content resulting from Customer’s use of the Service, but does not include any dashboards for displaying results, report templates or other components of the Service used by Rapid7. For avoidance of doubt, Customer retains all right, title, and interest in and to Customer Content and Customer Confidential Information. Customer will have a perpetual, royalty-free, worldwide, non-exclusive, non-transferable license to use any Rapid7 IP incorporated into any draft or final reports that are created for Customer as a result of the Services provided hereunder, unless otherwise defined in the individual SOW (“Deliverable(s)”), for Customer’s internal business purposes (including sharing with auditors or third parties with a bona fide need to know, under obligations of confidentiality at least as restrictive as set forth under this Agreement), upon Customer's payment in full of all undisputed amounts due hereunder. Rapid7 may incorporate the Rapid7 IP in future releases of any of its products or services, provided Customer Content or Customer Confidential Information is not included in any Rapid7 IP.

  5. RAPID7 PERSONNEL. Rapid7 shall have sole discretion in staffing the Services and may assign the performance of any portion of the Services to any subcontractor, except that Customer may request the use of Rapid7 personnel in any Ordering Document or at the time Customer schedules the Services. In the event that Rapid7 subcontracts any portion of the Services, Rapid7 shall be fully responsible for the acts and omissions of any such subcontractor.

  6. SERVICES WARRANTY. Rapid7 warrants that the Services will be provided with reasonable skill and care conforming to generally accepted industry standards, and in conformance in all material respects with the requirements set forth in the SOW. Customer must report any deficiency in the Services to Rapid7 in writing within fifteen business days of delivery or performance of the portion of the Services containing the deficiency. For any breach of the above warranty, Rapid7 will, at its option and expense, either (a) use commercially reasonable efforts to provide remedial services necessary to enable the Services to conform to the warranty, or (b) refund pro-rata amounts paid for the non-conforming Services. Customer will provide reasonable assistance in remedying any defects. The remedies set out in this subsection are Customer’s sole remedies for breach of the above warranty. Termination of an SOW will not terminate the Agreement.

Schedule B: Software

This Software Schedule (the “Software Schedule”) governs the terms and conditions in connection with the subscription to and use of Rapid7 Software as defined herein. In the event of a conflict between this Software Schedule and the Agreement, this Software Schedule will prevail with respect to the Software only.

1. LICENSE. 

1.1 License Grant. Rapid7 hereby grants to Customer, during the Term, a non-exclusive, non-transferable, non-sublicensable right to use and access the Software (in object code only) and the Rapid7 Data: (i) solely for Customer’s internal business purposes; (ii) within the Volume Limitations, if any; and (iii) as described in this Agreement. The parties also agree to be bound by any further license restrictions set forth on the Ordering Document. Access to the Software may require software to be downloaded or installed locally on Customer systems. If applicable, Customer must allow the downloaded and locally deployed software to integrate with such programs and devices necessary to provide data to the Software. In the event Customer elects to transmit its data to Rapid7 without encryption, Customer assumes all risks for failure to encrypt.

1.2 Distributed Software Delivery and Copies. Delivery of Distributed Software shall be deemed to have been made upon Rapid7 providing instructions to download or activate the Distributed Software, as applicable. Notwithstanding anything to the contrary herein, Customer may make a reasonable number of copies of the Distributed Software for the sole purpose of backing-up and archiving the Distributed Software. 

2. RESTRICTIONS. Except as may be expressly permitted by applicable law, Customer will not, and will not permit or authorize third parties to: (i) copy, reproduce, modify, translate, enhance, decompile, disassemble, reverse engineer, create derivative works of the Software and/or Rapid7 Data or merge the Software into another program; (ii) resell, transmit, rent, lease, sublicense, distribute or transmit in any way (through any API or interface), the Software and/or Rapid7 Data or access to it including use of the Software for timesharing or service bureau purposes; (iii) combine the Rapid7 Data with Customer’s own offerings or additional data for the purposes of selling it to a third party; (iv) circumvent or disable any security or technological features or measures in the Software; (v) access the Software and/or Rapid7 Data, or any derivatives of the foregoing, in order to build a competitive product or service, for competitive analysis, or to copy any ideas, features, functions, or graphics of the Software and/or Rapid7 Data; (vi) upload or otherwise transmit, display, or distribute any Customer Content to the Software that infringes any trademark, trade secret, copyright, or other proprietary or intellectual property rights of any person; (vii) upload or otherwise transmit to the Software any material that contains software viruses or any other computer code, files, or programs designed to interrupt, destroy or limit the functionality of any computer software or hardware or telecommunications equipment; (viii) interfere with or disrupt the Software; (ix) access and/or otherwise use or benefit from any information gained through the use of the Software that could constitute a third party’s Confidential Information, trade secret, or personal data; (x) use the Offering in any manner that does not comply with all applicable laws, rules and regulations; or (xi) use the Offering for any illegal activity or output, in any way that exposes Rapid7 or Customer to harm. Customer is responsible for its employees’ compliance with this Agreement. If Customer identifies a vulnerability in the Software, all information and analysis regarding the vulnerability must be disclosed through the Rapid7 contact form, found at https://www.rapid7.com/disclosure/.

3. VOLUME LIMITATIONS.

3.1 General. In the event that the Software is used in excess of the Volume Limitations, following a reasonable notification period by Rapid7 (“Notice Period”), Customer shall be liable for and Rapid7 reserves the right to invoice for the fees for such excess usage.  The excess usage will be invoiced at Rapid7’s then current list rates for the applicable Volume Limitation tier associated with the excess usage which shall be prorated for the remainder of the Term. 

3.2 Distributed Software Usage Verification. Customer understands and acknowledges that the Distributed Software may track and/or enforce its Volume Limitations. Additionally, upon Rapid7’s written request, such request not to exceed once every six months, Customer shall provide Rapid7 with a signed certification verifying that the Distributed Software is being used in accordance with this Agreement.

4. EVALUATION LICENSES. If Customer’s access to the Software is for a trial or evaluation only, then the Term shall be thirty days, or the Term specified on the Ordering Document. Customer may not utilize the same Software for more than one trial or evaluation term in any twelve-month period, unless otherwise agreed to by Rapid7. Rapid7 may revoke Customer’s trial or evaluation access at any time and for any reason. Sections 6 of this Software Schedule (Warranties) and 6.1 (Indemnification) of the Agreement shall not be applicable to any evaluation or trial license.

5. OPEN SOURCE.  Customer recognizes and agrees that the Offerings are provided with, or facilitated by, certain open source software. The use of such open source software is subject to the applicable open source license terms which are either: (i) presented with the applicable Offering; or (ii) readily accessible from within the applicable software or from a publicly-available source, in which case Customer shall be responsible for any access or review, and abide by all such applicable license terms prior to any use of the corresponding software. By using the Offerings, Customer agrees to comply with and be bound by the above terms and conditions governing the use of certain open source software programs.

6. WARRANTIES. 

6.1. Cloud-Hosted Software Warranty. Rapid7 warrants that, during the Term: (i) the Cloud-Hosted Software will conform, in all material respects, with the applicable Documentation; and (ii) it will not materially decrease the overall functionality of the Cloud-Hosted Software.

6.2. Distributed Software Warranty. Rapid7 warrants that for a period of ninety days following the initial delivery of any Distributed Software to Customer, the Distributed Software will conform, in all material respects, with the applicable Documentation. 

6.3. Warranty Remedies. For any breach of the above warranties, Rapid7 will, at no additional cost to Customer, use commercially reasonable efforts to provide remedial services necessary to enable the Offering to conform to the warranty. Customer will provide Rapid7 with a reasonable opportunity to remedy any breach and reasonable assistance in remedying any defects. If Rapid7 is unable to restore such functionality, Customer may terminate the applicable Ordering Document and receive a pro rata refund of the fees paid for the terminated portion of the then-current Term. Rapid7 makes no warranty regarding third party features or services. The remedies set out in this subsection are Customer’s sole and exclusive remedies for breach of the above warranties.

6.4. Automation Disclaimer. Customer is responsible for implementing appropriate internal procedures and oversight to the extent it utilizes the configuration of workflows and processes, including but not limited to containment actions, quarantine actions, kill processes, and similar functionalities (“Orchestration and Automation Functionality”). EXCEPT FOR THE WARRANTY IN SECTION 6.1, THE ORCHESTRATION AND AUTOMATION FUNCTIONALITY IS MADE AVAILABLE BY RAPID7 ON AN “AS-IS” BASIS TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW. Rapid7’s Orchestration and Automation Functionality is not designed, intended, or licensed for use in hazardous environments or other applications where a malfunction could cause property damage or personal injury, and Rapid7 specifically disclaims any liability in connection with any such use. Customer assumes all risks in using third-party products or services in connection with the Orchestration and Automation Functionality.

7. INTELLIGENCE HUB OFFERING. 

7.1. EU and UK Data Protection Law. In the event Customer’s purchase includes the sharing of Rapid7 Data as part of the Intelligence Hub Offering, Rapid7 shall be a Controller of the Rapid7 Data it discloses to Customer, and Customer will process the Rapid7 Data as a separate and independent Controller strictly for the purposes set out in this Agreement. The parties will not be joint Controllers. Each party shall be individually and separately responsible for complying with the obligations that apply to it as a Controller under the EU/UK Data Protection Law. To the extent that the disclosure of Rapid7 Data from Rapid7 to Customer is a Restricted Transfer under EU/UK Data Protection Law, then Module 1 of the EU SCCs shall be deemed incorporated into this Agreement and apply between Rapid7 and Customer. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I of the DPA, except that (i) Rapid7 shall be the data exporter/Controller, and Customer shall be the data importer/Controller, and (ii) the following edits shall be made to Exhibit B (Description of Processing and Transfer): (a) the categories of data subjects whose personal data is transferred shall be employees or contact persons of data exporter and internet end-users, (b) the categories of personal data transferred shall be contact information, network data (including lists of hostnames, domains, IPs, file hashes, or emails presented as indicators of compromise), machine data, and other information that is necessary for the parties to fulfill their obligations under this Agreement, (c) the sensitive data transferred field shall specify that Rapid7 does not intentionally transfer any special categories of data to Customer as part of the Offerings, and (d) the transfers to (sub-) processors field shall not be applicable; and Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II of the DPA, provided that references to Rapid7 in Annex II of the DPA shall be deemed to refer to Customer. To the extent that the disclosure of Rapid7 Data from Rapid7 to Customer is a Restricted Transfer under the UK GDPR the Controller to Controller EU SCCs (completed as set out above) and UK Addendum (completed in a manner consistent with the EU SCCs) shall be incorporated into this Agreement and apply between Rapid7 and Customer. Capitalized terms shall have the meaning as defined in the DPA.

7.2. California Consumer Privacy Act.  In the event Customer’s purchase includes the sharing of Rapid7 Data as part of the Intelligence Hub Offering, the parties acknowledge that Rapid7 is a Business in respect of the Rapid7 Data disclosed to Customer, and that Customer will process the Rapid7 Data as a separate and independent business strictly for the purposes of this Agreement.  Each party shall be individually and separately responsible for complying with the obligations that apply to it as a Business under the CCPA.  In addition, Rapid7 will act as a Service Provider for purposes of collecting and disclosing the Rapid7 Data to Customer. Customer appoints Rapid7 as its Service Provider to collect and disclose to Customer the Rapid7 Data. When acting as a Service Provider, Rapid7 shall process the Rapid7 Data as a Service Provider strictly for the purpose of collecting and providing access to the Service under this Agreement (the "Business Purpose"). Rapid7, in its role as Service Provider, is prohibited from retaining, using or disclosing the Rapid7 Data for any purpose other than for the Business Purpose, or as otherwise permitted by the CCPA, including retaining, using or disclosing the Rapid7 Data for a commercial purpose other than providing the services specified in this Agreement. Rapid7 in its role as Service Provider shall not: (a) sell the Rapid7 Data; (b) retain, use or disclose the Rapid7 Data for any purpose other than for the Business Purpose, including to retain, use, or disclose the Rapid7 Data for a commercial purpose other than performing its services under this Agreement; (c) retain, use, or disclose the Rapid7 Data outside of the direct business relationship between the Customer and Rapid7. Rapid7 certifies that it understands the restrictions set out in this Clause and will comply with them. 
Nothing in this section shall limit or prohibit Rapid7 from processing the Rapid7 Data as a Business independent from its role as Service Provider to collect the Rapid7 Data on behalf of Customer. Capitalized terms shall have the meaning as defined in the DPA. 

8. SUSPENSION OF CLOUD-HOSTED SOFTWARE AND RAPID7 DATA. Rapid7 reserves the right to suspend Customer’s access to the Cloud-Hosted Software and Rapid7 Data upon notification, if (a) Customer is more than thirty days late with respect to any payments due hereunder, and upon such suspension, Customer shall still be liable for all payments that have accrued prior to the date of suspension and that will accrue throughout the remainder of the Term and Rapid7 will not be obligated to restore access to the Cloud-Hosted Software and Rapid7 Data until Customer has paid all fees owed to Rapid7; and/or (b)  Rapid7 reasonably concludes that Customer is using the Cloud-Hosted Software and Rapid7 Data to engage in illegal activity, actions in contravention to this Agreement, and/or Customer’s use of the Cloud-Hosted Software and Rapid7 Data is causing immediate, material and ongoing harm to others. In the event that Rapid7 suspends Customer’s access to the Cloud-Hosted Software and Rapid7 Data, Rapid7 will use commercially reasonable efforts to limit the suspension to the offending portion of the Cloud-Hosted Software and Rapid7 Data and work with Customer to resolve the issues requiring the suspension of Cloud-Hosted Software and Rapid7 Data. Customer agrees that Rapid7 shall not be liable to Customer nor to any third party for any suspension of the Cloud-Hosted Software and Rapid7 Data under this Section 8. If any suspension remains uncured for a period of thirty days, Rapid7 may, upon written notice to Customer, terminate this Agreement.

9. AVAILABILITY. Subject to this Agreement and the Service Level Agreement located at https://www.rapid7.com/legal/sla/, Rapid7 shall use commercially reasonable efforts to provide the Cloud-Hosted Software twenty-four hours a day, seven days a week throughout the Term. Customer agrees that from time to time the Cloud-Hosted Software may be inaccessible or inoperable for various reasons, including: (i) equipment malfunctions; (ii) periodic maintenance procedures or repairs which Rapid7 may undertake from time to time; or (iii) causes beyond the control of Rapid7 or which are not reasonably foreseeable by Rapid7, including interruption or failure of telecommunication or digital transmission links, hostile network attacks or network congestion, or other failures (collectively “Downtime”). Rapid7 shall use commercially reasonable efforts to provide twenty-four-hour advance notice to Customer in the event of any scheduled Downtime. Rapid7 shall have no obligation during performance of such operations to mirror Customer Content or to transfer Customer Content. Rapid7 shall use commercially reasonable efforts to minimize any disruption, inaccessibility, and/or inoperability of the Cloud-Hosted Software in connection with Downtime, whether scheduled or not.

10. SUPPORT SERVICES. Rapid7 shall provide support during any Term for Software, or else as otherwise set forth on the applicable Ordering Document, subject to Rapid7’s support policy, located at https://www.rapid7.com/docs/customers-support-guidebook.pdf.
