Master Services Agreement
Last updated: January 24, 2023
PLEASE READ THIS MASTER SERVICES AGREEMENT (the “MSA”) CAREFULLY BEFORE USING THE SERVICES OFFERED BY BASIS THEORY, INC. (“BASIS THEORY”). BY MUTUALLY EXECUTING ONE OR MORE DATA SERVICES PURCHASE AGREEMENTS WITH BASIS THEORY WHICH REFERENCE THIS MSA (EACH, A “PURCHASE AGREEMENT”), YOU (“CUSTOMER”) AGREE TO BE BOUND BY THIS MSA (TOGETHER WITH ANY PURCHASE AGREEMENT, THE “AGREEMENT”) TO THE EXCLUSION OF ALL OTHER TERMS. IN ADDITION, ANY PURCHASE AGREEMENT THAT YOU SUBMIT VIA BASIS THEORY’S STANDARD ONLINE PROCESS AND IS ACCEPTED BY BASIS THEORY WILL BE DEEMED TO BE MUTUALLY EXECUTED. IN THIS AGREEMENT, THE TERM “PARTY” WILL REFER TO EITHER THE CUSTOMER OR BASIS THEORY, AND THE TERM “PARTIES” WILL REFER TO BOTH THE CUSTOMER AND BASIS THEORY.
1. Data Services Agreement; Access to the Service.
Upon mutual execution, each Purchase Agreement will be incorporated into and form a part of the Agreement. For each Purchase Agreement, subject to Customer’s compliance with the terms and conditions of this Agreement (including any limitations and restrictions set forth on the applicable Purchase Agreement) Basis Theory grants Customer a worldwide, non-exclusive, limited, personal, non-sublicensable, non-transferable right (other than as specified below) and license to internally access and use the Basis Theory product(s) and/or service(s) specified in such Purchase Agreement and associated technical documentation (collectively, the “Service,” or “Services”) during the applicable Purchase Agreement Term (as defined below) for the internal business purposes of Customer, only as provided herein and only in accordance with Basis Theory’s applicable official user documentation for such Service. For the avoidance of doubt, Customer may grant access to the Services to those individuals authorized by Customer or on Customer’s behalf, who are Customer’s employees, agents or contractors.
2. Support & Maintenance.
Subject to Customer’s payment of all fees as set forth in the applicable Purchase Agreement, Basis Theory will provide support and maintenance for the Services in accordance with Exhibit A: Basis Theory Support and Availability Policy.
3. Service Updates.
From time to time, Basis Theory may provide changes, upgrades, patches, enhancements, or fixes for the Services to its customers generally without additional charge (“Updates”), and such Updates will become part of the Services and subject to this Agreement; provided that Basis Theory will have no obligation under this Agreement or otherwise to provide any such Updates. Customer understands that Basis Theory may cease supporting old versions or releases of the Services at any time in its sole discretion; provided that Basis Theory will (a) make available, in a standard and reasonably accessible location on Basis Theory’s website, change logs listing all Updates, and (b) use commercially reasonable efforts to give Customer reasonable prior notice of any major Updates. If any such Update results in the discontinuation or material degradation of the core Services under an applicable Purchase Agreement, Customer may initiate its remedy for material breach in writing as set forth in Section 10. For the avoidance of doubt, any new products or services offered by Basis Theory and accepted by Customer will become part of the Services, and such new products or services so accepted by Customer, along with the then agreed-upon pricing for such products or services, will become subject to the Agreement without the need for the parties to execute a new Purchase Agreement.
4. Ownership; Feedback.
As between the parties, Basis Theory retains all right, title, and interest in and to the Services, and all software, products, works, and other intellectual property and moral rights related thereto or provided by Basis Theory for the purposes of this Agreement, including any copies and derivative works of the foregoing. Any software that is distributed or otherwise provided to Customer hereunder (including without limitation any software identified on a Purchase Agreement) will be deemed a part of the Services and subject to all of the terms and conditions of this Agreement. No rights or licenses are granted except as expressly and unambiguously set forth in this Agreement. Customer may (but is not obligated to) provide suggestions, comments or other feedback to Basis Theory with respect to the Service (“Feedback”). Feedback, even if designated as confidential by Customer, will not in and of itself create any confidentiality obligation for Basis Theory notwithstanding anything else, provided, however, that any Confidential Information (as defined below) included in such Feedback will remain and be treated as such. Basis Theory acknowledges and agrees that all Feedback is provided “AS IS” and without warranty of any kind. Customer will, and hereby does, grant to Basis Theory a non-exclusive, worldwide, perpetual, irrevocable, transferable, sublicensable, royalty-free, fully paid-up license to use and exploit the Feedback for any purpose. Nothing in this Agreement will impair either party’s right to develop, acquire, license, market, promote or distribute products, software or technologies that perform the same or similar functions as, or otherwise compete with any products, software or technologies that the other party may develop, produce, market, or distribute.
5. Fees; Payment.
Customer will pay Basis Theory fees for the Service as set forth in each Purchase Agreement (“Fees”). Unless the applicable Purchase Agreement provides otherwise, any periodic fixed Fee set forth in the applicable Purchase Agreement will first be invoiced immediately upon the execution of the Purchase Agreement, and subsequently at the interval(s) specified in the Purchase Agreement. Unless the applicable Purchase Agreement provides otherwise, all usage-based Fees will be invoiced monthly in arrears. All invoices issued under this Agreement are payable in U.S. dollars within thirty (30) days from date of invoice. A Customer payment method may be added in the Basis Theory Customer Portal, and the payment will be initiated automatically. Past due invoices are subject to interest on any outstanding balance of the lesser of 1% per month or the maximum amount permitted by law. Customer will be responsible for all taxes associated with Service (excluding taxes based on Basis Theory’s income). All Fees paid are non-refundable and are not subject to set-off. If Customer exceeds any user or usage limitations set forth on a Purchase Agreement, then (a) Basis Theory will invoice Customer for such additional users or usage at the overage rates set forth on the Purchase Agreement (or if no overage rates are set forth on the Purchase Agreement, at Basis Theory’s then-current standard overage rates for such usage), in each case on a pro-rata basis from the first date of such excess usage through the end of the Purchase Agreement Initial Term or then-current Purchase Agreement Renewal Term (as applicable), and (b) if such Purchase Agreement Term renews (in accordance with Section 10 below), such renewal will include the additional fees for such excess users and usage.
Except as expressly set forth in this Agreement, Customer will not (and will not permit any third party to), directly or indirectly: (a) reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code, object code, or underlying structure, ideas, or algorithms of the Service (except to the extent applicable laws specifically prohibit such restriction); (b) modify, translate, or create derivative works based on the Service; (c) copy, rent, lease, distribute, pledge, assign, or otherwise transfer or encumber rights to the Service; (d) use the Service for the benefit of a third party; (e) remove or otherwise alter any proprietary notices or labels from the Service or any portion thereof; (f) use the Service to build an application or product that is competitive with any Basis Theory product or service; (g) interfere or attempt to interfere with the proper working of the Service or any activities conducted on the Service; (h) bypass any measures Basis Theory may use to prevent or restrict access to the Service (or other accounts, computer systems or networks connected to the Service); or (i) “crawl,” “scrape,” or “spider” any page, data, or portion of or relating to the Service (or any information, data or content made available through the Service), whether through use of manual or automated means. Customer is responsible for all of Customer’s activity in connection with the Service, including but not limited to uploading Customer Data (as defined below) onto the Service. Customer (i) will use the Service in compliance with all applicable local, state, national and foreign laws, treaties and regulations in connection with Customer’s use of the Service (including those related to data privacy, international communications, export laws and the transmission of technical or personal data laws), and (ii) will not use the Service in a manner that violates any third-party intellectual property, contractual or other proprietary rights.
7. Customer Data.
8. Representations and Warranties.
We’re always trying to improve our Services, so they may change over time. We may suspend or discontinue any part of the Services, or we may introduce new features or impose limits on certain features or restrict access to parts or all of the Services. We’ll try to give you notice when we make a material change to the Services that would adversely affect you, but this isn’t always practical. We reserve the right to remove any Content from the Services at any time, for any reason (including, but not limited to, if someone alleges you contributed that Content in violation of these Terms), in our sole discretion, and without notice.
8.1 Each Party represents and warrants towards the other Party that (a) such Party has the full power and authority to execute, deliver and perform this Agreement; (b) this Agreement is valid, binding and enforceable against the Party in accordance with its terms and no provision requiring such Party’s performance is in conflict with its obligations under any constitutional document, charter or any other agreement (of whatever form or subject) to which such Party is a party or by which it is bound; (c) such Party is duly organized, authorized and in good standing under the laws of the state, region or country of its organization and is duly authorized to do business in all other states, regions or countries in which the Party’s business makes such authorization necessary or required; and (d) such Party will comply with all applicable laws, ordinances, rules, regulations, orders, licenses, permits and other governmental and regulatory requirements in the performance of this Agreement.
8.2 Basis Theory represents and warrants that: (a) it does, and will continue to throughout the Term (as defined below), implement, maintain and use technical, physical and administrative safeguards to protect all Customer Data, that are at least as rigorous as accepted industry practices and standards for information security, and as required under all applicable privacy and data security laws; and (b) without limiting any other provision of this Agreement, it is, and will continue to be throughout the Term, fully compliant with the current applicable PCI DSS, including without limitation establishing, implementing and maintaining a comprehensive information security program that assures Basis Theory and its personnel’s compliance with the foregoing. Basis Theory will promptly provide, at the request of Customer, current certification of compliance with the PCI DSS by an authority commonly recognized by the payment card industry for such purpose. Subject to Section 8.3, Basis Theory will further assist in Customer’s compliance efforts with the PCI DSS or applicable privacy and data security laws in good faith, including with promptly providing requested information, documentation and data reasonably necessary for Customer’s compliance.
8.3 Customer represents and warrants that: (a) it does, and will continue to throughout the Term (as defined below), implement, maintain and use technical, physical and administrative safeguards to protect all Customer Data, that are at least as rigorous as accepted industry practices and standards for information security, and as required under all applicable privacy and data security laws; (b) without limiting any other provision of this Agreement, it is, and will continue to be throughout the Term, fully compliant with the current applicable PCI DSS, with respect to any PCI DSS requirement for which it may be directly responsible; and (c) will not (i) rely on, or represent to any third party that it relies on, any of Basis Theory’s services for Customer’s compliance with PCI DSS or any other applicable privacy or data security laws without Basis Theory’s specific written consent, or (ii) alter the scope of the agreed-upon compliance assistance from Basis Theory in its disclosure to any third party without Basis Theory’s specific written consent. Customer will further assist in Basis Theory’s compliance efforts with PCI DSS or applicable privacy and data security laws in good faith, including with promptly providing requested information, documentation and data reasonably necessary for Basis Theory’s compliance.
9. Third Party Services.
Customer acknowledges and agrees that the Service may operate on, with or using application programming interfaces (APIs) and/or other services operated or provided by third parties (“Third-Party Services”), including without limitation through integrations or connectors to such Third-Party Services that are provided by Basis Theory. Basis Theory is not responsible for the operation of any Third-Party Services nor the availability or operation of the Service to the extent such availability and operation is dependent upon Third-Party Services. Customer is solely responsible for procuring any and all rights necessary for it to access Third Party Services (including any Customer Data or other information relating thereto) and for complying with any applicable terms or conditions thereof. Basis Theory does not make any representations or warranties with respect to Third Party Services or any third-party providers. Any exchange of data or other interaction between Customer and a third-party provider is solely between Customer and such third party provider and is governed by such third party’s terms and conditions.
10. Term; Termination.
This Agreement will commence upon the date of the first Purchase Agreement, and, unless earlier terminated in accordance herewith, will last until the expiration of all Purchase Agreement Terms. For each Purchase Agreement, unless otherwise specified therein, the “Purchase Agreement Term” will begin as of the effective date set forth on such Purchase Agreement, and unless earlier terminated as set forth herein, (x) will continue for the initial term specified on such Purchase Agreement (the “Purchase Agreement Initial Term”), and (y) following the Purchase Agreement Initial Term, will automatically renew for additional successive periods of equal duration to the Purchase Agreement Initial Term (each, a “Purchase Agreement Renewal Term”) unless either party notifies the other party of such party’s intention not to renew no later than thirty (30) days prior to the expiration of the Purchase Agreement Initial Term or then-current Purchase Agreement Renewal Term, as applicable. In the event of a material breach of this Agreement by either party, the non-breaching party may terminate this Agreement by providing written notice to the breaching party, provided that the breaching party does not materially cure such breach within thirty (30) days of receipt of such notice. 
Without limiting the foregoing, Basis Theory may suspend or limit Customer’s access to or use of the Service if (a) Customer’s account is more than sixty (60) days past due, or (b) Customer’s use of the Service results in (or is reasonably likely to result in) damage to or material degradation of the Service which interferes with Basis Theory’s ability to provide access to the Service to other customers; provided that in the case of subsection (b): (i) Basis Theory will use reasonable good faith efforts to work with Customer to resolve or mitigate the damage or degradation in order to resolve the issue without resorting to suspension or limitation; (ii) prior to any such suspension or limitation, Basis Theory will use commercially reasonable efforts to provide notice to Customer describing the nature of the damage or degradation; and (iii) Basis Theory will reinstate Customer’s use of or access to the Service, as applicable, if Customer remediates the issue within thirty (30) days of receipt of such notice. Such periods during which the Services were suspended will not account towards the Term. All provisions of this Agreement which by their nature should survive termination will survive termination, including, without limitation, accrued payment obligations, ownership provisions, warranty disclaimers, indemnification and limitations of liability. In the case of expiration or termination of this Agreement, upon request by Customer made before, or within thirty (30) days after, the effective date of expiration or termination, Basis Theory will make available to Customer a complete download of all Customer Data in a file or database format in Basis Theory’s discretion. All data exports must follow the regulated standards for that data’s classification. 
For clarity, any services provided by Basis Theory to Customer, including the data export set out above, and any assistance in exporting the Customer Data, will be billable at Basis Theory’s standard rates then in effect.
Each party (“Indemnitor”) will defend, indemnify, and hold harmless the other party, its affiliates and each of its and its affiliates’ employees, contractors, directors, suppliers and representatives (collectively, the “Indemnitee”) from all liabilities, claims, and expenses paid or payable to an unaffiliated third party (including reasonable attorneys’ fees) (“Losses”), that arise from or relate to any claim that (a) in the case of Customer as Indemnitor, the Customer Data or Customer’s use of the Service infringes, violates, or misappropriates any third party intellectual property or proprietary right or violates any applicable law, or Customer is in breach of the representations and warranties set forth in Section 8.3 above, or (b) in the case of Basis Theory as Indemnitor, the Service infringes, violates, or misappropriates any third party intellectual property or proprietary right or applicable law, or Basis Theory is in breach of the representations and warranties set forth in Section 8.2 above (including any Incident (as defined in Exhibit B: Data Security Policy) resulting from such breach of Section 8.2 by Basis Theory, so long as such Incident is not caused by the acts and omissions of Customer).
Each Indemnitor’s indemnification obligations hereunder will be conditioned upon the Indemnitee providing the Indemnitor with: (i) prompt written notice of any claim (provided that a failure to provide such notice will only relieve the Indemnitor of its indemnity obligations if the Indemnitor is materially prejudiced by such failure); (ii) the option to assume sole control over the defense and settlement of any claim (provided that the Indemnitee may participate in such defense and settlement at its own expense); and (iii) reasonable information and assistance in connection with such defense and settlement (at the Indemnitor’s expense); however, failure to perform any or all of the obligations set forth in subsections (i)-(iii) above will not relieve the Indemnitor from its indemnification obligations to the extent such failure did not prejudice the Indemnitor. The foregoing obligations of Basis Theory do not apply with respect to the Service or any information, technology, materials or data (or any portions or components of the foregoing) to the extent (A) not created or provided by Basis Theory (including without limitation any Customer Data), (B) made in accordance with Customer specifications, (C) modified after delivery by Basis Theory without Basis Theory’s approval or not in accordance with its instructions, (D) combined with other products, processes or materials not provided by Basis Theory (where the alleged Losses arise from or relate to such combination), (E) where Customer continues allegedly infringing activity after being notified thereof or after being informed of modifications that would have avoided the alleged infringement, or (F) Customer’s use of the Service is not strictly in accordance herewith.
12. Confidential Information.
Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose information relating to the Disclosing Party’s business (hereinafter referred to as “Confidential Information” of the Disclosing Party). The Receiving Party agrees: (a) without limiting any other provision of this Agreement, to take reasonable precautions to protect such Confidential Information; and (b) not to use or divulge to any third person any such Confidential Information; and (c) that due to the unique nature of the Proprietary Information, any breach of this agreement would cause irreparable harm to the Disclosing Party for which damages are not an adequate remedy, and that Disclosing Party will therefore be entitled to equitable relief in addition to all other remedies available at law. The Disclosing Party agrees that the foregoing will not apply with respect to any Confidential Information that the Receiving Party can document (i) is or becomes generally available to the public; or (ii) was without restriction rightfully in its possession or known by it prior to receipt from the Disclosing Party; or (iii) was rightfully disclosed to it without restriction by a third party; or (iv) was independently developed without use of any Confidential Information of the Disclosing Party. If the Receiving Party is required by law to make any disclosure of such Confidential Information, it may do so to the extent of such requirement, provided that it first gives written notice to the Disclosing Party thereof (if legally permitted). Each Party will be responsible for any breach of its confidentiality obligations by its respective employees and agents. 
Upon termination of this Agreement for any reason, or upon the Disclosing Party’s request at any time, the Receiving Party will promptly return to the Disclosing Party all originals and copies of any of the Disclosing Party’s Confidential Information and destroy all information, records and materials developed therefrom.
EXCEPT AS EXPRESSLY SET FORTH HEREIN, THE SERVICE IS PROVIDED “AS IS” AND “AS AVAILABLE” AND IS WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES IMPLIED BY ANY COURSE OF PERFORMANCE, USAGE OF TRADE, OR COURSE OF DEALING, ALL OF WHICH ARE EXPRESSLY DISCLAIMED.
14. Limitation of Liability.
EXCEPT FOR THE PARTIES’ INDEMNIFICATION OBLIGATIONS AND FOR A PARTY’S BREACH OF SECTION 12 (CONFIDENTIAL INFORMATION), BASIS THEORY’S BREACH OF ITS DATA PRIVACY OR DATA SECURITY OBLIGATIONS INCLUDING THOSE SET FORTH IN EXHIBIT B: DATA SECURITY POLICY, OR A PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, IN NO EVENT WILL EITHER PARTY, NOR ITS DIRECTORS, EMPLOYEES, AGENTS, PARTNERS, SUPPLIERS OR CONTENT PROVIDERS, BE LIABLE UNDER CONTRACT, TORT, STRICT LIABILITY, NEGLIGENCE OR ANY OTHER LEGAL OR EQUITABLE THEORY WITH RESPECT TO THE SUBJECT MATTER OF THIS AGREEMENT (A) FOR ANY LOST PROFITS, DATA LOSS, COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR SPECIAL, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES OF ANY KIND WHATSOEVER, SUBSTITUTE GOODS OR SERVICES (HOWEVER ARISING), (B) FOR ANY BUGS, VIRUSES, TROJAN HORSES, OR THE LIKE (REGARDLESS OF THE SOURCE OF ORIGINATION), OR (C) FOR ANY DIRECT DAMAGES IN EXCESS OF (IN THE AGGREGATE) THE FEES PAID (OR PAYABLE) BY CUSTOMER TO BASIS THEORY HEREUNDER IN THE TWELVE (12) MONTHS PRIOR TO THE EVENT GIVING RISE TO A CLAIM HEREUNDER.
15. General Provisions.
15.1 Entire Agreement
This Agreement (including all Purchase Agreement(s)) represents the parties’ entire understanding relating to the Services, and supersedes any prior or contemporaneous, conflicting or additional communications. Customer acknowledges that this Agreement is a contract between Customer and Basis Theory, even though it may be electronic and not physically signed by Customer and Basis Theory, and it governs Customer’s use of the Service and takes the place of any prior agreements between Customer and Basis Theory. We may change the terms of this Agreement (but not the applicable Purchase Agreement(s), which will require the parties’ mutual written consent to be modified) or any other terms or policies at any time at our sole discretion. We will not apply any revisions to this Agreement retroactively without notice. However, once posted at the Legal section of our webpage, any revised version of this Agreement will be immediately effective and your continued use of the Service will constitute your acceptance of the revised Agreement. It is your responsibility to check the Basis Theory Legal page regularly for modifications to the Agreement. If you do not agree to the revised Agreement, do not continue using the Services. Any dispute between the parties will be governed by the version of the Agreement in place at the time of the dispute. Except as provided above, no modification or amendment of any provision of this Agreement will be effective unless agreed by both parties in writing, and no waiver of any provision of this Agreement will be effective unless in writing and signed by the waiving party.
The Agreement will be governed by and construed in accordance with the laws of the State of California, excluding its conflicts of law rules, and the parties consent to exclusive jurisdiction and venue in the state and federal courts located in San Francisco, California. The Uniform Computer Information Transactions Act will not apply to this Agreement. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and attorneys’ fees.
All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered or sent by certified or registered mail, return receipt requested; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; or the day after it is sent, if sent for next day delivery by recognized overnight delivery service. Notices must be sent to the contacts for each party set forth on the Purchase Agreement. Either party may update its address set forth above by giving notice in accordance with this Section.
15.4 Force Majeure.
Except for payment obligations, neither party will be liable for any failure to perform its obligations hereunder where such failure results from any cause beyond such party’s reasonable control, including, without limitation, the elements; fire; flood; severe weather; earthquake; vandalism; accidents; sabotage; power failure; denial of service attacks or similar attacks; Internet failure; acts of God and the public enemy; acts of war; acts of terrorism; riots; civil or public disturbances; strikes, lock-outs or labor disruptions; pandemics; epidemics; any laws, orders, rules, regulations, acts or restraints of any government or governmental body or authority, civil or military, including the orders and judgments of courts (each such event, a “Force Majeure Event”).
15.5 Relationship and Assignment.
No joint venture, partnership, employment, or agency relationship exists between Basis Theory and Customer as a result of this Agreement or use of the Services. Neither party may assign this Agreement without the prior written approval of the other, such approval not to be unreasonably withheld or delayed, provided that such approval will not be required in connection with a merger or acquisition of all or substantially all of the assets or business of the assigning party related to this Agreement. Any purported assignment in violation of this Section will be void. Basis Theory may utilize subcontractors in the performance of its obligations under this Agreement, but will remain responsible to Customer for any acts or omissions of such subcontractors.
Exhibit A: Basis Theory Support and Availability Policy
This Support and Availability Policy sets forth Basis Theory’s service level commitments with respect to the Services to be provided by Basis Theory to Customer under the Agreement.
As further described below, Basis Theory will exercise its commercially reasonable efforts to: (i) provide Customer with 99.90% availability to the Service (the “Service Availability”); and (ii) provide standard support to Customer.
If the Service becomes unavailable to Customer due to defects with the Service, Basis Theory will respond to Customer (i) within four (4) hours from Customer’s notification to Basis Theory of such unavailability, if during normal business hours (Monday-Friday, 8:00am – 6:00pm Central Time), or (ii) within four (4) hours of the start of the next business day, if outside of normal business hours. Basis Theory will also give Company access to a premier alerting and paging program that will enable Customer to page on-call engineers outside of normal business hours if the Service is unavailable, and Basis Theory will use commercial best efforts to resolve the issue outside of normal business hours. The Service Availability will be measured on a monthly basis, with all hours weighted equally, but the Service Availability measurement will exclude reasonable scheduled downtime for system maintenance as well as any downtime or performance issues resulting from third party connections, the acts and omissions of Customer, or Force Majeure Events. If the Service is unavailable to Customer due to defects with the Service beyond the Service Availability metric, then, as Customer’s sole and exclusive remedy (and Basis Theory’s sole liability), Basis Theory will provide Customer a credit for the subsequent Service billing cycle as follows:
In order to receive downtime credit, Customer must notify Basis Theory support within seven (7) days from the time of downtime, and failure to provide such notice will forfeit the right to receive downtime credit. All credits provided hereunder are nonrefundable. If Customer elects not to renew the Agreement, such that the above credit cannot be applied, Customer will have the option to receive up to one free month of Service as its sole remedy in lieu of such credit.
Customer may contact Basis Theory’s customer service through the Customer Portal or by emailing firstname.lastname@example.org for any defects with the Service.
Exhibit B: Data Security Policy
1. Security Measures
Basis Theory will comply with industry standard security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption and any other organizational and technical measures appropriate to protect against unauthorized access to Customer Data), and with all applicable laws regarding data privacy. At Customer’s request, but no more than on an annual basis, Basis Theory will provide Customer with an incident response policy, network security policy, and data flow diagram, in an industry standard format.
Once a year, and in any event after any substantial change is made to Basis Theory’s network infrastructure, application, or software/hardware, Basis Theory, at its sole expense, will conduct an application security assessment and network vulnerability assessment performed by an external consultant (collectively, “Assessments”), and promptly address any material findings based on the known best practice. Basis Theory will respond promptly to any Customer inquiries or requests related to the Assessments. The summaries of such Assessments will be made available to Customer upon request.
Basis Theory will notify Customer of an Incident (as defined below) as soon as practicable, but no later than twenty-four (24) hours after Basis Theory becomes aware of it, and agrees to fully cooperate with Customer in Customer’s response to such Incident, including, without limitation: (i) assisting with any investigation, (ii) providing Customer with physical access to the facilities and operations affected (to the extent possible), (iii) facilitating interviews with Basis Theory’s employees and others involved in the matter, (iv) cooperating in the preparation and transmittal of any notice to be sent to third parties, and (v) making available all relevant records, logs, files, data reporting and other matters in Basis Theory’s control required to comply with applicable law, regulation, industry standards or as otherwise required by Customer. Basis Theory will use commercially reasonable efforts to remedy any Incident as soon as reasonably practicable and prevent any further Incident at Basis Theory’s expense in accordance with applicable privacy rights, laws, regulations and standards. Basis Theory will reimburse Customer for all costs required under applicable law to be incurred by Customer in responding to, and mitigating damages caused by, any Incident resulting from a breach by Basis Theory of Section 8.2 of this Agreement (including this Data Security Policy), including all such costs of notice and/or remediation. The incident response and indemnification obligations herein only apply to data specifically and explicitly secured by Basis Theory. In the event of an Incident, Basis Theory will promptly use its commercially reasonable efforts to prevent a recurrence of any such Incident. Basis Theory will promptly notify Customer if any notices are required under applicable law in connection with an Incident and allow Customer to assist in preparing and delivering the notices.
“Incident” means any act or omission that compromises either the security, confidentiality or integrity of Customer Data or the physical, technical, administrative or organizational safeguards put in place by Basis Theory that relate to the protection of the security, confidentiality or integrity of Customer Data and that results in the unauthorized access, use, disclosure or deletion of Customer Data.
4. Security Training.
Basis Theory will ensure that its personnel who handle Customer Data receive an appropriate level of formal training on handling sensitive data securely. Basis Theory will require all such personnel to acknowledge in writing that they have completed their security training obligations described.
5. Disaster Recovery Management.
Basis Theory will maintain a written disaster recovery plan and provide documentation of the same to Customer upon request, redacted for confidential information. Basis Theory will test that plan at least annually.
6. Disclosure of Customer Data.
Basis Theory will only share Customer Data as authorized or instructed by Customer (except as required under applicable law). Customer acknowledges, however, that Basis Theory may disclose metadata regarding Customer Data (which does not include the value of a monetary transaction) with third party service providers for the purposes of providing the Services.
Basis Theory will ensure the reliability of any employee, agent or contractor who may have access to Customer Data, ensuring that all such individuals have a need-to-know the Customer Data and are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
8. Retention of Customer Data.
Basis Theory may retain Customer Data solely to the extent required to comply with applicable laws, including after termination of Customer’s account, or as permitted under this Agreement.
9. No Sale of Customer Data.
Basis Theory will not Sell Personal Data (as the term “Sell” is defined under the California Consumer Privacy Act of 2018). Basis Theory is prohibited from retaining, using, or disclosing Customer Data for a commercial purpose other than providing the Services to Customer under the Agreement and from retaining, using, or disclosing Customer Data outside of the Agreement.
10. Data Processing.
Basis Theory will cease processing, as soon as reasonably practicable upon the termination or expiry of the Agreement (or, if sooner, the service to which it relates) and as soon as possible thereafter, securely wipe from its systems, unless and to the extent retention is required for compliance with applicable law.