This Master Services Agreement (the “Agreement”), effective on the date of last signature below (the “Effective Date”), is made by and between Rapid7 LLC (for customers located in the United States) or Rapid7 International Limited (for customers located outside the United States) (as applicable, “Rapid7”) and the customer signing this Agreement (“Customer”). The parties agree to be bound by the following terms and conditions in connection with the Services as defined herein.
1.1. Customer Data means any of Customer’s data gathered through the provision of the Services or contained in any Deliverable.
1.2. Deliverables means the draft or final reports that are created for Customer as a result of the Services provided hereunder unless deliverable is otherwise defined in the individual Statements of Work.
1.3. Services means the consulting, training, implementation, or other services described in an SOW that Rapid7 provides pursuant to Section 2.1 hereof. Services may be Managed Services or Professional Services:
(a) Managed Services means Services where Rapid7 manages an aspect of Customer’s business for the term and scope indicated in an SOW. Managed Services may include Rapid7 operating or subscribing to software on Customer’s behalf.
(b) Professional Services means Services where Customer engages Rapid7 to perform specific, identified tasks, either at specific dates and times, or retained for a period of time in order to perform them as needed.
1.4. SOW means: (a) a mutually agreed upon Statement of Work or Scope of Work that sets forth and describes the Services to be provided hereunder, the fees to be paid, and as applicable, any delivery schedules, timelines, specifications, and any other terms agreed upon by the parties; or (b) a Rapid7 ordering document signed by Customer which identifies the Services ordered and references this Agreement.
2.1. Services. Customer may order Services from Rapid7 by executing an SOW. Rapid7 shall provide Customer the Services as specified in an SOW. All changes to an SOW must be approved by both parties in writing. Rapid7 will not invoice Customer for any Services beyond those contained in the SOW without the prior consent of Customer.
2.2. Deliverables. Customer retains all right, title, and interest in and to Customer Data. Rapid7 owns all right, title, and interest in and to Rapid7’s trade secrets, Confidential Information, or other proprietary rights in any material used by Rapid7 or presented to Customer, whether such was developed prior to the Services, independent of this Agreement, or in performance of the Services (each, a “Rapid7 IP”), including but not limited to, documentation, software, designs, inventions, discoveries, specifications, improvements, tools, models, know-how, methodologies, programs, analysis frameworks, report formats, manner of data expression, pictorial materials, and the like. Customer will have a perpetual, non-exclusive, non-transferable license to use any Rapid7 IP incorporated into any Deliverable, for Customer’s internal business purposes only, upon Customer's payment in full of all amounts due hereunder. Rapid7 may incorporate the Rapid7 IP in future releases of any of its products or services, provided Customer Data is not included in any Rapid7 IP.
2.3. Rapid7 Personnel. Rapid7 shall have sole discretion in staffing the Services and may assign the performance of any portion of the Services to any subcontractor (unless otherwise indicated on a specific SOW), provided that Customer may request the use of Rapid7 personnel at the time Customer schedules the Services. In the event that Rapid7 subcontracts any portion of the Services, Rapid7 shall be fully responsible for the acts and omissions of any such subcontractor and shall not be relieved of its obligations under this Agreement.
2.4. Customer Systems. Customer represents and warrants that it has the appropriate authorizations from the owner of the networks, systems, IP addresses, assets, and/or hardware to instruct Rapid7 to perform the Services, or which are targeted, scanned, monitored, or tested by the Services as instructed by Customer.
2.5. Managed Services. To the extent Managed Services include any Rapid7 software, the applicable license or subscription terms to such software will apply to Customer’s use thereof. Any license to a Rapid7 software product as part of a Managed Services will be for the term of the Managed Services only, unless otherwise specified in the SOW. The Managed Services will include the components as described in such SOW or in any published documentation for the Managed Services as may be made available by Rapid7.
2.6. Professional Services. To the extent Customer purchases Professional Services, Customer may reschedule the Services up to ten business days prior to the start of the Services at no cost. If Customer reschedules the Services with less than ten business days’ notice, Customer will forfeit the portion (in days) of the Services that were rescheduled without the required notice. If Customer reschedules the Services after they have begun, Customer will forfeit five business days of Services, or the number of days remaining on the Services, whichever is fewer. Customer will also be responsible for any expenses incurred by Rapid7 due to such rescheduling. If performance of the Professional Services is delayed by Customer’s acts or omissions, including Customer’s failure to meet the requirements set forth in an SOW, Customer will forfeit the duration of such delay from its Professional Services time. Customer will have twelve months from the date of order to use or schedule any Professional Services, after which time any remaining, unscheduled Professional Services time will be forfeited.
3. FEES; PAYMENT TERMS
Customer agrees to pay the fees, charges and other amounts in accordance with the applicable SOW. If Customer is purchasing the Services through a Rapid7 authorized reseller, then the fees shall be as set forth between Customer and reseller and the applicable fees shall be paid directly to the reseller. Rapid7 will invoice Customer upon execution of an SOW, unless otherwise agreed by the parties. All fees are non-refundable, unless otherwise stated herein. In addition to paying the applicable fees, Customer shall also pay all reasonable travel and out-of-pocket expenses incurred by Rapid7 in connection with any Services rendered, provided that the reimbursement of such expenses is indicated on the applicable SOW. Customer shall be responsible for all taxes levied on any transaction under this Agreement, including, without limitation, all federal, state, and local sales taxes, levies and assessments and local withholding taxes in Customer’s jurisdiction, if any, excluding, however, any taxes based on Rapid7's income. In the event Customer is required to withhold taxes from its payment or withholding taxes are subsequently required to be paid to a local taxing jurisdiction, Customer is obligated to pay such tax, and Rapid7 as applicable, will receive the full payment, net of any such taxes, as agreed on the applicable Order Form and Customer shall provide to Rapid7 written evidence that such withholding tax payment was made.
4.1. Confidential Information. During the term of this Agreement, each party will regard any information provided to it by the other party and designated in writing as proprietary or confidential as confidential (“Confidential Information”). Confidential Information shall also include information which a reasonable person familiar with the disclosing party’s business and the industry in which it operates would know is of a confidential or proprietary nature. A party will not disclose the other party’s Confidential Information to any third party without the prior written consent of the other party, nor make use of any of the other party’s Confidential Information except in its performance under this Agreement. Each party accepts responsibility for the actions of its agents or employees and shall protect the other party’s Confidential Information in the same manner as it protects its own Confidential Information, but in no event with less than reasonable care. The parties expressly agree that the terms and pricing of this Agreement are Confidential Information. A receiving party shall promptly notify the disclosing party upon becoming aware of a breach or threatened breach hereunder and shall cooperate with any reasonable request of the disclosing party in enforcing its rights.
4.2. Exclusions. Information will not be deemed Confidential Information if such information: (i) is known prior to receipt from the disclosing party, without any obligation of confidentiality; (ii) becomes known to the receiving party directly or indirectly from a source other than one having an obligation of confidentiality to the disclosing party; (iii) becomes publicly known or otherwise publicly available, except through a breach of this Agreement; or (iv) is independently developed by the receiving party without use of the disclosing party’s Confidential Information. The receiving party may disclose Confidential Information pursuant to the requirements of applicable law, legal process or government regulation, provided that, unless prohibited from doing so by law enforcement or court order, the receiving party gives the disclosing party reasonable prior written notice, and such disclosure is otherwise limited to the required disclosure.
5. DATA PRIVACY
5.1. Customer Data. To the extent that Rapid7 processes personal data about any individual in the course of providing the Service, Customer agrees to Rapid7’s Data Processing Agreement, located at https://www.rapid7.com/legal/dpa/. Rapid7 may use Customer Data solely as necessary to: (i) provide the Services to Customer; (ii) in anonymized and aggregated form, generate statistics and produce reports; and (iii) collect metadata about Services usage in order to continue to improve the development and delivery of the Services.
5.2. Data Privacy. Customer represents and warrants that the collection of Customer Data as contemplated by this Agreement does not violate any laws, regulations, or any rights of a third party, and that Customer has obtained all necessary rights to permit Rapid7 to process Customer Data from and about Customer, including, without limitation, data from endpoints, servers, cloud applications, and logs.
6. LIMITED WARRANTY
6.1. Warranty and Remedy. Rapid7 warrants that the Services will be provided with reasonable skill and care conforming to generally accepted industry standards, and in conformance in all material respects with the requirements set forth in the SOW. Customer must report any deficiency in Services to Rapid7 in writing within fifteen business days of delivery or performance of the portion of the Services containing the deficiency. For any breach of the above warranty, Rapid7 will, at its option and expense, provide remedial services necessary to enable the Services to conform to the warranty, or refund amounts paid solely in respect of the defective Services. Customer will provide Rapid7 with a reasonable opportunity to remedy any breach and reasonable assistance in remedying any defects. The remedies set out in this subsection are Customer’s sole remedies for breach of the above warranty.
6.2. No Other Warranty. EXCEPT FOR THE WARRANTY ABOVE, RAPID7 MAKES NO OTHER WARRANTIES OR REPRESENTATIONS, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS. RAPID7 MAKES NO WARRANTY THAT ALL SECURITY RISKS, INCIDENTS, OR THREATS WILL BE DETECTED OR REMEDIATED BY USE OF THE SERVICES OR THAT FALSE POSITIVES WILL NOT BE FOUND.
7. LIMITATION OF LIABILITY
7.1. Limitation on Indirect Liability. NEITHER PARTY WILL BE LIABLE UNDER THIS AGREEMENT FOR LOST REVENUES OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE.
7.2. Limitation on Amount of Liability. NEITHER PARTY MAY BE HELD LIABLE UNDER THIS AGREEMENT FOR MORE THAN THE AMOUNT PAID OR PAYABLE BY CUSTOMER TO RAPID7 HEREUNDER DURING THE TWELVE MONTHS PRIOR TO THE EVENT GIVING RISE TO LIABILITY.
7.3. Exceptions to Limitations. The limitations of liability in Section 7.2 apply to the fullest extent permitted by applicable law, except that there is no limitation on loss, claims, or damages directly arising out of: (i) violations of a party's intellectual property rights by the other party; or (ii) violations of a party’s confidentiality obligations as set forth in Section 4 of this Agreement; or (iii) a party’s indemnification obligations.
The term of each Services order will be as set forth on the SOW. Termination of an SOW will not terminate this Agreement. Either party may terminate this Agreement or any SOW (i) immediately in the event of a material breach of this Agreement or any such SOW by the other party that is not cured within thirty days of written notice thereof from the other party, or (ii) immediately if the other party ceases doing business, or is the subject of a voluntary or involuntary bankruptcy, insolvency or similar proceeding that is not dismissed within sixty (60) days of filing. All provisions of this Agreement which by their nature are intended to survive the termination of this Agreement shall survive such termination. Unless either party provides the other with written notice of its election not to renew the term for any Managed Services at least thirty days prior to such renewal date, the term for any Managed Services will renew for a term of one year at the rate listed on the applicable Order Form. Rapid7 reserves the right to change the rates, applicable charges, and usage policies and to introduce new charges, listed on such Order Form upon providing Customer written notice thereof (which may be provided by e-mail) at least 60 days prior to the end of the then current term for any Managed Services.
9.1. By Rapid7. Rapid7 will indemnify Customer from and against all costs, liabilities, losses, and expenses (including, but not limited to, reasonable attorneys’ fees) (collectively, “Losses”) arising out of a third party claim alleging that the Services infringe any intellectual property rights of such third party. Notwithstanding the foregoing, in no event shall Rapid7 have any obligations or liability under this Section arising from: (i) use of any Services in a manner not anticipated by this Agreement or in combination with materials not furnished by Rapid7, and (ii) any content, information, or data provided by Customer or other third parties. If the Services are or are likely to become subject to a claim of infringement or misappropriation, then Rapid7 will, at its sole option and expense, either: (i) obtain for the Customer the right to continue using the Services; (ii) replace or modify the Services to be non-infringing and substantially equivalent to the infringing Services; or (iii) if options (i) and (ii) above cannot be accomplished despite the reasonable efforts of Rapid7, then Rapid7 may terminate Customer’s rights to use the infringing Services and will refund pro-rata any prepaid fees for the infringing portion of the Services. THE RIGHTS GRANTED TO CUSTOMER UNDER THIS SECTION 9.1 SHALL BE CUSTOMER’S SOLE AND EXCLUSIVE REMEDY FOR ANY ALLEGED INFRINGEMENT BY THE SERVICES OF ANY PATENT, COPYRIGHT, OR OTHER PROPRIETARY RIGHT.
9.2. Indemnification by Customer. Customer will indemnify, defend, and hold harmless Rapid7 from and against all Losses arising out of a third party claim regarding: (i) Customer’s violation of any representations and warranties made in Sections 2.4 and 5.2 of this Agreement; or (ii) Customer’s violation of applicable law.
10. GENERAL PROVISIONS
10.1. Miscellaneous. (a) This Agreement shall be construed in accordance with and governed for all purposes by the laws of the State of Delaware (for customers located in the United States), or England & Wales (for customers located outside the United States), each excluding its respective choice of law provisions and each party consents and submits to the jurisdiction and forum of the state and federal courts in the State of Delaware (for customers located in the United States) or London, England (for customers located outside the United States) all questions and controversies arising out of this Agreement and waives all objections to venue and personal jurisdiction in these forums for such disputes; (b) this Agreement, along with the accompanying Order Form(s) constitute the entire agreement and understanding of the parties hereto with respect to the subject matter hereof and supersedes all prior agreements and undertakings, both written and oral; (c) this Agreement and each Order Form may not be modified except by a writing signed by each of the parties; (d) in case any one or more of the provisions contained in this Agreement shall for any reason be held to be invalid, illegal, or unenforceable in any respect, such invalidity, illegality, or unenforceability shall not affect any other provisions of this Agreement but rather this Agreement shall be construed as if such invalid, illegal, or other unenforceable provision had never been contained herein; (e) Customer shall not assign its rights or obligations hereunder without Rapid7's advance written consent; (f) subject to the foregoing subsection (e), this Agreement shall be binding upon and shall inure to the benefit of the parties hereto and their successors and permitted assigns; (g) no waiver of any right or remedy hereunder with respect to any occurrence or event on one occasion shall be deemed a waiver of such right or remedy with respect to such occurrence or event on any other occasion; (h) nothing in this Agreement, express or implied, is intended to or shall confer upon any other person any right, benefit or remedy of any nature whatsoever under or by reason of this Agreement, including but not limited to any of Customer’s own clients, customers, or employees; (i) the headings to the sections of this Agreement are for ease of reference only and shall not affect the interpretation or construction of this Agreement; and (j) in the event of a conflict between the terms of this Agreement and the terms of an SOW, the terms in the SOW shall take precedence.
10.2. Injunctive Relief. Notwithstanding any other provision of this Agreement, both parties acknowledge that any breach of this Agreement may cause the other party irreparable and immediate damage for which remedies other than injunctive relief may be inadequate. Therefore, the parties agree that, in addition to any other remedy to which the disclosing party may be entitled hereunder, at law or equity, the disclosing party shall be entitled to seek an injunction to restrain such use in addition to other appropriate remedies available under applicable law.
10.3. Relationship of the Parties. Rapid7 and Customer are independent contractors, and nothing in this Agreement shall be construed as making them partners or creating the relationships of principal and agent between them, for any purpose whatsoever. Neither party shall make any contracts, warranties, or representations or assume or create any obligations, express or implied, in the other party’s name or on its behalf.
10.4. Force Majeure. Neither party will be liable for inadequate performance to the extent caused by a condition (for example, natural disaster, act of war or terrorism, riot, labor condition, or internet disturbance) that was beyond the party's reasonable control.
10.5. No reliance. Customer represents that it has not relied on the availability of any future feature or version of the Services or any future product or service in executing this Agreement or purchasing any Services hereunder.
10.6. Notices. Unless specified otherwise herein, (i) all notices must be in writing and addressed to the attention of the other party's legal department and primary point of contact and (ii) notice will be deemed given: (a) when verified by written receipt if sent by personal courier, overnight courier, or when received if sent by mail without verification of receipt; or (b) when verified by automated receipt or electronic logs if sent by email. When sent by email, notices must be sent to Rapid7 at firstname.lastname@example.org.
10.7. Publicity. Customer acknowledges that Rapid7 may use Customer’s name and logo for the purpose of identifying Customer as a customer of Rapid7 products and/or services. Rapid7 will cease using the customer’s name and logo upon written request.
10.8. Compliance with Law. Each party agrees to comply with all applicable federal, state, and local laws and regulations including but not limited to export law, and those governing the use of network scanners, vulnerability assessment software products, encryption devices, user monitoring, and related software in all jurisdictions in which systems are scanned, scanning is controlled, or users are monitored.