These terms of service (the “Terms of Service”) govern the provision of the System and Services as described below by Benevity, Inc. (“Benevity”) to the client listed in the relevant Order Form, as described below (the “Client”). These Terms of Service are effective as of the date specified in the relevant Order Form.
The following capitalized terms will have the following meanings whenever used in these Terms of Service.
1.1 “Agreement” means these Terms of Service, together with the Supplementary Documents.
1.2 “Client Data” means data in electronic form inputted by or collected from Client and End Users via the System, including, without limitation, Personal Information.
1.3 “End User” means any employee or consultant of Client, or any other individual approved by Client, who is authorized to use the System through Client’s System-access account or through a publicly available instance of Client’s System-access account.
1.5 “Intellectual Property” or “Intellectual Property Rights” means, collectively, patents, trade secrets, copyrights, trademarks, moral rights, databases, inventions, or improvements in any of the foregoing, and related rights, database rights, trade marks and related goodwill, trade names (whether registered or unregistered), and rights to apply for registration; (ii) proprietary rights in domain names; (iii) know-how and Confidential Information; (iv) applications, extensions and renewals in relation to any of these rights, in each case now existing or hereafter developed during the Term.
1.6 “Order Form” means an executed order form, to which these Terms of Service are incorporated by reference, allowing Client to access certain aspects of the System and listing the Services which will be provided by Benevity to Client.
1.7 “Party” means either Benevity or Client, as applicable, and “Parties” means, collectively, Benevity and Client.
1.8 “Personal Information” means information about an identifiable individual as more particularly described in any applicable privacy laws, but will in any case include names, addresses, telephone numbers, e-mail addresses, demographic information, and any form of personally identifiable information.
1.10 “Software and Service Information” means Benevity’s standard documentation governing Client’s access to and use of the System available online here.
1.11 “Services” means those services provided by Benevity to Client from time to time under the applicable Order Form, all in accordance with these Terms of Service and as described in the Software and Service Information.
1.12 “Supplementary Documents” means, collectively, the Order Form, any Updated Order Form and the Software and Service Information.
1.13 “System” means Benevity’s proprietary cloud-based software-as-a-service software for enabling workplace pro-social programs, including without limitation workplace giving, volunteering and grants management, all as more particularly described in the Software and Service Information.
1.14 “Term” is defined in Section 13.1 below.
1.15 “Updated Order Form” means an executed amended and restated Order Form.
2. The System.
2.1 Access and Use of the System. During the Term, Client may access and use those aspects, features and functions of the System listed in any applicable Order Form pursuant to the terms of the Agreement.
2.2 Additional Services. Benevity will provide the Services set forth in the applicable Order Form. If agreed to by the Parties and documented in an Updated Order Form or any written amendment to the Order Form, Benevity may provide additional services (including managed services) on such terms and conditions set out in such Order Form.
2.3 Support and Maintenance. Benevity will provide Client with support and maintenance for Client’s use of the System, as described in the Software and Service Information.
2.4 System Upgrades and Updates. Benevity may upgrade or update System features and functionality at any time, including without limitation, by removing System features and functions; provided that in no event will such update cause the System to cease substantially conforming to the functionality provided to Client pursuant to an Order Form as described further in the Software and Service Information. Benevity will provide Client with advance notice of any update to the System that materially changes functionality provided to Client pursuant to an Order Form. Subject to the support and maintenance obligations of Benevity as set forth in the Software and Service Information, Benevity reserves the right to suspend the operation of the System or Services at any time for maintenance and testing purposes on reasonable notice to Client and for reasonable durations and at reasonable times.
Client will pay all fees set forth in the Order Form. All such fees will be due and payable in full as of the date(s) set forth in the Order Form, and are non-refundable.
4. Client Data & Privacy.
4.1 Use of Client Data. Unless it receives Client’s (or, as applicable with respect to End User’s Personal Information, the End User’s) consent, Benevity will not access, process, or otherwise use Client Data other than in connection with the provision of the Services and to facilitate Client’s use and access to the System. Notwithstanding the foregoing, Benevity may disclose Client Data as required by applicable law or by proper legal or governmental authority. Unless prohibited by law, Benevity will give Client prompt notice of any such legal or governmental demand and reasonably cooperate with Client in any effort to seek a protective order or otherwise to contest such required disclosure, at Client’s expense.
4.2 Aggregate & Anonymized Data. Notwithstanding the above Section 4.1, nothing in the Agreement will restrict Benevity’s use, disclosure, reproduction, sale or publicity of any data that is aggregated with other anonymized data of a similar nature from other clients of Benevity in a manner that makes it unidentifiable as Personal Information or data relating to Client.
4.3 Personal Information Security Standards. Benevity will maintain the security and privacy of Personal Information as described in Exhibit A hereto.
4.5 Data Accuracy. Benevity will have no responsibility or liability for the accuracy of data uploaded to the System by Client or End Users, including without limitation Client Data and Personal Information.
5. Client's Responsibilities & Restrictions.
5.2 Client Content. Client will submit to Benevity information and content reasonably necessary for Benevity to perform the Services (the “Client Content”). Client is responsible for the accuracy of any and all Client Content that it submits to Benevity. Client acknowledges that Client’s timely cooperation, and suitably configured computer products, are essential to Benevity’s performance of the Services.
5.3 Unauthorized Access. Client will notify Benevity immediately of any known or suspected unauthorized use of the System or breach of its security and will cooperate with Benevity in an attempt to stop any such breach.
5.4 End Users & System Access. Client is responsible and liable for: (a) End Users’ access and use of the System; and (b) any access or use of the System through Client’s account, whether authorized or unauthorized, unless unauthorized access occurred due to Benevity’s own fault or negligence.
6. Intellectual Property.
6.1 Access and Use of the System. Client recognizes that the System is comprised of web-based hosted software-as-a-service and that it is protected by copyright and other Intellectual Property laws. Subject to the terms of the Agreement, Benevity grants Client a non-assignable (except as provided in the Agreement), non-exclusive, non-sublicensable, royalty-free, worldwide license to access and use the System, in accordance with the Agreement, for the Term and any transition assistance period described in Section 13.4 of these Terms of Service, as applicable.
6.2 Restrictions. Except as explicitly permitted in the Agreement, Client will not, and will not authorize any other party to: (a) modify, adapt, translate, reverse engineer, decompile, disassemble or otherwise attempt to discover the source code of the System or of any of Benevity’s other Intellectual Property; (b) assign, sublicense, pledge, lease, rent, sell, transfer, copy, distribute commercially or otherwise grant rights in any of Benevity’s Intellectual Property; (c) modify, make, sell or create unlicensed derivative works based upon Benevity’s Intellectual Property or otherwise commercially exploit any of Benevity’s Intellectual Property; or (d) remove any product identification, copyright, trademark or other notice which may appear on or in connection with Benevity’s products or Services. Furthermore, Client agrees to use the Services solely for its internal business purposes as contemplated by the Agreement. Except for, and subject to the limited rights expressly granted in the Agreement for Client to utilize the System and the Services, Benevity reserves all rights, title and interest in and to the System and the Services, including all related Intellectual Property Rights. No other rights are granted to Client under the Agreement other than as may be expressly set forth in the Agreement.
6.3 Ownership. The Agreement does not transfer from Benevity to Client the ownership of any Benevity Intellectual Property Rights or any Benevity Confidential Information. All ownership of the Benevity Intellectual Property Rights (including without limitation, the System) and Benevity Confidential Information will remain solely with Benevity. Similarly, the Agreement does not transfer from Client to Benevity any ownership of Client Intellectual Property Rights or Client Confidential Information, and all ownership of Client Intellectual Property Rights and Client Confidential Information will remain solely with Client.
6.4 Reservation of Intellectual Property Rights. Other than as expressly set forth in the Agreement, no license or other rights in the Benevity Intellectual Property Rights are granted to Client and all such rights are hereby expressly reserved by Benevity.
7. Confidential Information.
7.1 “Confidential Information” refers to the following items one Party (the “Disclosing Party”) discloses to the other (the “Receiving Party”): (a) any document marked “Confidential”; (b) any information the Disclosing Party orally designates as “Confidential” at the time of disclosure, provided that the Disclosing Party confirms such designation in writing within 30 business days; (c) the Software and Service Information; and (d) information that reasonably should be understood to be confidential or proprietary given the nature of the information and the circumstances of disclosure. Notwithstanding the foregoing, Confidential Information does not include information that: (i) was rightfully in the Receiving Party’s possession at the time of disclosure as shown by the Receiving Party’s written records, unless such information was subject to a confidentiality restriction at the time it was originally disclosed; (ii) is independently developed by the Receiving Party without use of or reference to the Disclosing Party’s Confidential Information; or (iii) becomes known publicly, before or after disclosure, other than as a result of the Receiving Party’s action or inaction.
7.2 Non-disclosure. The Receiving Party will not use Confidential Information for any purpose other than in connection with its performance of its rights and obligations under the Agreement (the “Purpose”). The Receiving Party: (a) will not disclose the Disclosing Party’s Confidential Information to any of its employees, contractors and/or advisors unless such person or party needs access in order to facilitate the Purpose and is bound by confidentiality obligations with terms no less restrictive than those of this Section 7; and (b) will not disclose the Disclosing Party’s Confidential Information to any other third party without the Disclosing Party’s prior written consent. Without limiting the generality of the foregoing, the Receiving Party will protect the Disclosing Party’s Confidential Information with the same degree of care it uses to protect its own confidential information of similar nature and importance, but with no less than reasonable care. The Receiving Party will promptly notify the Disclosing Party of any misuse or misappropriation of Confidential Information that comes to its attention. Notwithstanding the foregoing, the Receiving Party may disclose Confidential Information as required by applicable law or by proper legal or governmental authority. The Receiving Party will give the Disclosing Party prompt notice of any such legal or governmental demand and reasonably cooperate with the Disclosing Party in any effort to seek a protective order or otherwise to contest such required disclosure, at the Disclosing Party’s expense.
7.3 Injunction. Both Parties agree that breach of this Section 7 would cause the other Party irreparable harm, for which monetary damages would not provide adequate compensation, and that in addition to any other remedy, either Party will be entitled to injunctive relief against such breach or threatened breach, without proving actual damage or posting a bond or other security.
7.4 Termination & Return. Upon termination of the Agreement, the Receiving Party will return or certify the destruction of all copies of Confidential Information to the Disclosing Party.
7.5 Feedback Disclaimer. From time to time, Client or End Users may choose to submit Feedback (as defined below) to Benevity. Benevity has not agreed to and does not agree to treat as confidential any Feedback Client or End Users provide to Benevity, and nothing in this Agreement or in the parties’ dealings arising out of or related to this Agreement will restrict Benevity’s right to use, profit from, disclose, publish, keep secret, or otherwise exploit Feedback, without compensating or crediting Client or End Users. “Feedback” refers to any suggestion or idea for improving or otherwise modifying any of Benevity’s System or Services.
8. Representations & Warranties.
8.1 Validity and Infringement. Benevity represents and warrants that it is the owner of the System and of each and every component thereof, or the recipient of a valid license thereto, and that it has and will maintain the full power and authority to grant the rights granted in the Agreement without the further consent of any third party, and that the System does not violate, infringe or misappropriate any third party Intellectual Property Rights. Benevity’s representations and warranties in the preceding sentence do not apply to use of the System by Client or End Users in combination with hardware or software not provided by Benevity. In the event of a breach of the warranty in this Section 8.1, Benevity, at its own expense, will promptly take at least one of the following actions: (a) secure for Client the right to continue using the System; (b) replace or modify the System to make it noninfringing while still providing substantially the equivalent functionality; or (c) if Benevity determines that it is unable to take the actions outlined in sub-clauses (a) and/or (b) above through commercially reasonable efforts, terminate the Agreement, together with Client’s right to access and use the System and provide a pro-rated refund to Client (i.e. a refund of those fees that were prepaid by Client in respect of the period following such termination). Other than for Benevity’s obligations to provide indemnity where applicable, the preceding sentence states Benevity’s sole obligation and liability, and Client’s sole remedy, for breach of the warranty in this Section 8.1 and for potential or actual Intellectual Property infringement by the System.
8.2 Services by Benevity. Benevity represents and warrants that: (i) the Services will be performed in a professional and workmanlike manner consistent with generally accepted industry standards; (ii) that the Services and the System will substantially conform to the description of the Services and the System contained in the Agreement; provided, however, that as a condition of such conformance, the Services and the System must be used in the infrastructure and manner for which they were designed as designated by Benevity, and in compliance with the Agreement. In the event of material nonconformities to the description of the Services and the System contained in the Agreement, Benevity, at its own expense, will use commercially reasonable efforts to correct any such non-conformities in the Services or the System, as applicable. If Benevity determines that it is unable to correct the non-conformities through commercially reasonable efforts, Benevity will, as its sole obligation with respect to such non-conformities, upon Client’s written request, terminate Client’s rights to access or use the non-conforming Services or System and equitably adjust the fees for the Services or System impacted by such termination. This Section 8.2 states Benevity’s sole obligation and liability, and Client’s sole remedy, for breach of the warranty in this Section 8.2. For clarity, Client is solely responsible for providing, at its own expense, all network access to the System and the Services, including, without limitation, acquiring, installing and maintaining all telecommunications equipment, hardware, software and other equipment as may be necessary to connect to, access and use the System and the Services.
8.3 Generally. Each Party represents and warrants that: (i) it will at all times comply with all applicable laws and regulations in the performance of the Agreement; (ii) the execution, delivery and performance of the Agreement have been duly authorized by all appropriate corporate action of such Party and the Agreement constitutes a valid, binding and enforceable obligation; and (iii) neither the execution, delivery, nor performance of the Agreement will conflict with or violate any other agreement, license, contract, instrument or other commitment or arrangement to which such Party is bound.
8.4 Warranty Disclaimers. EXCEPT TO THE EXTENT SET FORTH IN THIS SECTION 8, CLIENT ACCEPTS THE SYSTEM AND SERVICES “AS IS” AND AS AVAILABLE, WITH NO REPRESENTATION OR WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR ANY IMPLIED WARRANTY ARISING FROM STATUTE, COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE OF TRADE.
9.1 Indemnity. Benevity will indemnify, defend, and hold harmless Client, its applicable affiliates, and their respective officers, directors, shareholders, employees and agents (each, a “Client Indemnitee”) from and against all claims, suits, actions or proceedings (each, a “Claim”), asserted by any third party against Client or a Client Indemnitee for any actual or alleged patent or copyright infringement by the System, whether arising from or in connection with a demand, action, regulatory action, lawsuit, proceeding, judgment, settlement, appeal or other post judgment proceeding and whether asserted in contract, tort, strict liability or otherwise.
9.2 Indemnification Process. The obligations of indemnification under these Terms of Service are subject to the condition that Client give Benevity: (1) prompt written notice of any actual or threatened Claim for which indemnity may be sought; (2) at Benevity’s option, sole control of the defense and settlement thereof; provided however, that Benevity’s rights under this Section 9.2 are contingent on its agreement that it will not settle any Claim without the Client’s prior written consent unless that settlement includes a full and final release of all Claims against the Client Indemnitee and does not impose any material obligations on the Client Indemnitee, other than the obligation to cease using the affected software, goods, services or other applicable items provided by the indemnifying party; and (3) reasonable information and cooperation in the defense and settlement of the indemnified matter. Client may, at its own expense, participate in the defense and settlement of a Claim with counsel of its own choosing.
9.3 Exceptions. The indemnification obligations described in these Terms of Service will not apply to a Claim to the extent that the Claim was caused by: (a) the Client or Client Indemnitee’s negligent acts or omissions; (b) the Client or Client Indemnitee’s breach of any representation, warranty, covenant or provision in the Agreement; (c) the Client or a Client Indemnitee’s willful misconduct; (d) the Client or a Client Indemnitee’s violation of any applicable law; (e) Benevity’s compliance with specifications or detailed written instructions submitted by Client or by a Client Indemnitee, but only if the Claim would not have arisen but for that compliance; (f) modification of the System or Services by Client or by a Client Indemnitee without Benevity’s written consent or direction; (g) the combination of the System or Services by Client or by a Client Indemnitee with any goods or services not provided by Benevity; and/or (h) the continued use by Client or by a Client Indemnitee of the System or Services after Client being notified by Benevity that such System or Services may be infringing.
9.4 Exclusive Remedy. This Section 9 states Benevity’s sole liability, and the Client and the Client Indemnitee’s exclusive remedy, for any type of Claim or threatened Claim described in this Section 9.
10. Limitation of Liability.
10.1 Limitation of Liability.
(a) Except for: (i) the indemnification obligations set out in section 9; (ii) a breach of the personal information security standards set out in section 4.3; (iii) a breach of the confidentiality obligations set out in section 7; (iv) Client’s obligations to pay the fees properly incurred under the agreement; or (v) fraud or willful misconduct, in no event will a Party’s liability to the other exceed the subscription fees paid by Client for the services during the twelve (12) month period preceding the occurrence of the event or dispute which gave rise to the applicable claim for damages.
(b) In no event will a Party’s liability to the other exceed five (5) times the subscription fees paid by Client for the services during the twelve (12) month period preceding the occurrence of the event or dispute which gave rise to the applicable claim for damages that arise from (i) the indemnification obligations set out in section 9; (ii) a breach of the personal information security standards set out in section 4.3 or (iii) a breach of the confidentiality obligations set out in section 7.
10.2 Exclusion of Consequential Damages. In no event will either Party be liable to the other Party for any consequential, indirect, special, incidental, or punitive damages arising out of or related to the agreement.
10.3 Clarifications & Disclaimers. The liabilities limited by this section 10 apply to liability regardless of the form of action, whether in contract, tort, strict product liability, negligence, or otherwise, even if a Party is advised in advance of the possibility of the damages in question and even if such damages were foreseeable and even if a Party’s remedies fail of their essential purpose. If applicable law limits the application of the provisions of this Section 10, the applicable Party’s liability will be limited to the maximum extent permissible. The liability limits and other rights set forth in this Section 10 apply likewise to a Party’s affiliates, licensors, suppliers, advertisers, agents, sponsors, third party charitable foundations, directors, officers, employees, consultants, and other representatives.
11. Records Retention.
Benevity will maintain complete and accurate records of all applicable transactions, during the Term and for a period of seven (7) years following termination of the Agreement, regardless of the reason for termination.
Benevity will, at its own expense, obtain and maintain appropriate levels of insurance, as determined by Benevity, to protect Client’s interests and obligations connected with performance under these Terms of Service. Benevity will within thirty (30) days of Client’s written request, provide Client with a certificate of insurance evidencing such coverage, provided that the existence of such coverage will in no way expand or limit Benevity’s liability hereunder.
13. Term & Termination.
13.1 Term. The term of the Agreement will commence on the Effective Date (as set forth in the Order Form) and continue for the period set forth in the Order Form or, if none, for two (2) years. Thereafter, the term will automatically renew for successive one (1) year periods, unless either Party refuses such renewal by providing written notice to the other Party at least 60 days prior to the upcoming renewal date (collectively, the “Term”). As well, Client may terminate the Agreement at any time for any reason by providing Benevity with forty-five (45) days’ advance written notice.
13.2 Default. In the event that any Party: (i) defaults in the performance of any of its material duties or obligations under the Agreement and does not substantially cure such default, if the default is capable of being cured, within thirty (30) business days after being given written notice specifying the default, or (ii) materially breaches the Agreement in a manner that cannot be remedied, such as a material breach of the Parties’ data privacy or confidentiality restriction obligations, or (iii) commences bankruptcy or dissolution proceedings, has a receiver appointed for a substantial part of its assets, or ceases to operate in the ordinary course of business, the non-defaulting Party may, by giving written notice to the defaulting Party, terminate the Agreement for cause.
13.3 Effects of Termination. For clarity, upon termination of the Agreement, any Order Form then in effect between the Parties will also automatically terminate, and Client will cease all use of the System, subject to Section 13.4. The following provisions will survive termination or expiration of the Agreement: (a) any obligation of Client to pay fees incurred before termination; (b) the following Sections of these Terms of Service: 7 (Confidential Information), 8.4 (Warranty Disclaimers), 9 (Indemnification), 10 (Limitation of Liability) and 13.4 (Transition Assistance); and (c) any other provisions of the Agreement that, by their nature, are intended to survive the termination or expiration of the Agreement.
13.4 Transition Assistance. Upon Client’s request during the Termination Assistance Period (as defined below), Benevity will provide Termination Assistance Services (as defined below) at Benevity’s reasonable rates then in effect for such services in order to minimize the disruption to Client’s business operations as a result of the expiration or termination of the Agreement, unless Benevity has terminated the Agreement pursuant to Section 13.2. The Parties will reasonably cooperate with one another in good faith and in a timely manner so as to ensure an orderly transition of services to Client or another service provider. “Termination Assistance Period” means a period of time during which Benevity will provide the Termination Assistance Services, commencing on the date a determination is made pursuant to the Agreement that there will be an expiration or termination of the Agreement and continuing for (i) up to six (6) months (as designated by Client) after the expiration or termination of the Agreement, and (ii) at the end of such six (6) month period, any additional period agreed to in writing by Benevity. “Termination Assistance Services” means (i) a continuation of the Services and access to and use of the System, to the extent Client requests such Services during the Termination Assistance Period, and (ii) Benevity’s reasonable cooperation with Client or another service provider designated by Client in facilitating the transfer of services to Client or such other service provider.
14.1 Independent Contractors. Benevity and Client are independent principals in all relationships and actions under and contemplated by the Agreement. The Agreement will not be construed to create any employment relationship, partnership, joint venture, or agency relationship between or among the Parties or to authorize any Party to enter into any commitment or agreement binding on the other Party, except as specifically provided in the Agreement.
14.2 Subcontractors. Benevity may engage subcontractors to perform any of its obligations under the Agreement, provided however that any such subcontracting will not release Benevity from its responsibility for its obligations under the Agreement, and Benevity will be responsible for the work and activities of such subcontractors, including their compliance with the terms and conditions of the Agreement.
14.3 No Exclusivity. The Parties have no exclusivity obligation of any kind or nature to the other in connection with the subject matter of the Agreement, and neither Party is prevented from entering into agreements with third parties that are similar to the Agreement.
14.4 Notices. Each Party may send notices pursuant to the Agreement to the other Party’s physical address and/or email address as set forth in an Order Form (or to such other addresses which any Party will designate in writing to the other Party in accordance with this Section), and such notice will be delivered personally or sent by certified mail (postage prepaid, return receipt requested), by a recognized overnight courier, or via email. A notice sent to a physical address in accordance with this Section will be deemed received on the date of delivery or, if sent by certified mail, on the earlier of the other Party’s receipt of it or the third business day after mailing it. A notice sent via email in accordance with this Section will be deemed received on the following business day after it is sent.
14.5 Force Majeure. No delay, failure, or default, other than a failure to pay fees when due, will constitute a breach of the Agreement to the extent caused by acts of war, terrorism, hurricanes, earthquakes, strikes or other labor disputes, riots or other acts of civil disorder, embargoes, or other causes beyond the performing party’s reasonable control.
14.6 Assignment & Successors. No Party to the Agreement may assign its rights or obligations under the Agreement without the prior written consent of the other Party, which consent will not be unreasonably withheld or delayed. This provision will not apply in the case of: (a) the sale of all of the stock or substantially all of the assets of a Party, (b) a merger or corporate reorganization of a Party, in either case, where the obligations under the Agreement are assumed by the successor entity, or (c) an assignment to an affiliate of a Party, provided that in the case of such assignment to Client’s affiliate, the entity is not a direct or indirect competitor of Benevity. Subject to this Section 14.6, the Agreement will be binding upon and inure to the benefit of the Parties’ respective successors and assigns.
14.7 Severability. If any provision of the Agreement is declared invalid by a court of competent jurisdiction, such provision will be ineffective only to the extent of such invalidity, so that the remainder of that provision and all remaining provisions of the Agreement will continue in full force and effect.
14.8 No Waiver. Neither Party will be deemed to have waived any of its rights under the Agreement by lapse of time or by any statement or representation other than by an authorized representative in an explicit written waiver. No waiver of a breach of the Agreement will constitute a waiver of any other breach of the Agreement.
14.9 Choice of Law & Jurisdiction. The Agreement will be governed solely by the internal laws of the State of New York, including without limitation applicable federal law, without reference to: (a) any conflicts of law principle that would apply the substantive laws of another jurisdiction to the Parties’ rights or duties; or (b) the 1980 United Nations Convention on Contracts for the International Sale of Goods. The Parties consent to the personal and exclusive jurisdiction of the federal and state courts of New York, New York.
14.10 Construction. Each Party acknowledges that it has read and reviewed the Agreement in its entirety, and has agreed to all of its terms. The Parties agree that the Agreement will not be construed in favor of or against either Party by reason of such Party having been the drafter of the Agreement.
14.11 Entire Agreement. The Agreement constitutes the entire agreement between the Parties regarding the subject matter hereof, and supersedes all proposals, oral or written, all negotiations, conversations or discussions between or among the Parties relating to the subject matter of the Agreement and all past dealing or industry custom. Each of the Supplementary Documents is hereby incorporated by reference into these Terms of Service as if fully stated in these Terms of Service. In the event of any inconsistency or conflict between the terms and conditions of these Terms of Service and any term or condition of any Supplementary Document, the terms and conditions of these Terms of Service will govern and control, other than to the extent that the applicable Supplementary Document explicitly states that it supersedes regarding a given matter.
Benevity Information Security and Controls
A. Controls - General Responsibilities
1. Benevity has developed and implemented and will maintain and monitor a comprehensive, written information security program (“Program”) that includes appropriate administrative, technical, physical, organizational and operational safeguards and other security measures to protect against known or reasonably anticipated threats or hazards to the confidentiality, integrity and/or security of Client Data and that complies with applicable Data protection laws at each location from which Benevity provides the services, covering all Benevity Spark (including volunteering and Missions) and Benevity Grants systems. Benevity must protect Client Data regardless of the media or device in or upon which it is stored, maintained and/or processed.
2. Personal Information: Benevity will act solely as a “data processor” (or equivalent term under applicable data protection laws), such that it will carry out the instructions of Client (the “data controller”) with respect to its use, disclosure, and other handling of such Personal Information. Benevity will be permitted to utilize such of the Personal Information of users as necessary to facilitate the delivery of tax receipts and as may be authorized by the notification and privacy settings of such user in their respective personal profiles (if applicable). Benevity will not claim ownership of the user’s Personal Information. Benevity will not use Personal Information other than to perform the services in accordance with the Agreement, and will not share, store, sell, remarket, transfer (except in a corporate merger or acquisition) or otherwise disclose Personal Information for any purpose other than in accordance with the privacy instructions provided by Users via the system (if applicable). Benevity stores Client Data including Personal Information with its Privacy Shield-certified hosting provider located in the United States.
Benevity will use such reasonable degree of care as is appropriate to avoid unauthorized use or disclosure of Personal Information, including following Benevity’s own security and privacy policies and procedures, which Benevity represents as complying with applicable Data protection laws and being no less rigorous than accepted practices in the industry and in accordance with the Program as detailed in this Annex.
3. Benevity employs and will continue to employ personnel to monitor ongoing compliance with the Program.
4. Benevity will review and, as appropriate, revise the Program at least annually or whenever there is a material change in Benevity’s business practices or IT environment that may reasonably affect the security or integrity of Client Data.
5. Benevity will ensure all employees undergo security awareness training upon hire and annually thereafter.
6. On an annual basis and upon request, Benevity will provide Client with a copy of its then-current security package. The security package will contain at a minimum: a copy of Benevity’s current SSAE 18 SOC 1 Type 2 audit report, the SSAE 18 SOC 2 Type 2 report issued by Benevity’s hosting provider, PCI DSS Attestations of Compliance from its third party payment processing vendors and a completed industry-standard information security questionnaire.
B. Physical Security
1. Benevity’s office locations from which Client Data is accessed will conform to the following baseline of physical security controls:
· Swipe card access at all office entrances.
· Video monitoring with footage retained for 90 days.
· Physical intrusion alarm systems with professional monitoring.
2. Visitors to Benevity’s offices will be required to sign in, will be issued visitor identification badges or stickers, and will be escorted by a Benevity employee at all times.
3. Access to Benevity’s systems hosting Client Data will be restricted to Benevity owned devices which are centrally managed and monitored by Benevity’s Security Operations team.
4. As part of its vendor management practices, Benevity shall ensure that its hosting provider’s physical security controls are appropriate for an enterprise data center housing confidential information including access and environmental controls, security monitoring and visitor protocols.
C. Personnel Security
1. Benevity will ensure that subject to applicable laws, all employees undergo background screening which includes, at a minimum:
a. Identity verification
b. Criminal records check
2. All Benevity employees and contractors shall be required to sign confidentiality agreements whose scope includes Client Data.
3. Employees will be required to comply with Benevity’s policies, including but not limited to:
b. Conduct and business ethics policy
4. Employees with access to Personal Information will receive privacy awareness training.
1. All technology platforms providing access to Client Data must authenticate (verify) the identity of users (or remote systems) prior to initiating a session or transaction. Benevity must require at a minimum password authentication and must enforce the use of strong passwords and password management practices meeting Information Security industry best practices. All Benevity personnel must be held accountable for all activity associated with the use of their User ID and password.
E. Access Management
1. Benevity will maintain an access management process to ensure that employee access is controlled and monitored throughout the access management lifecycle including new user provisioning, employee role changes and deprovisioning of terminated users.
2. Benevity will perform periodic access reviews for all systems and applications containing Client Data to ensure access is appropriate. Any inappropriate access identified as part of the access reviews will be promptly remediated.
F. Change Management
1. Benevity will maintain a change management process to ensure that changes to its infrastructure, applications and Client Data undergo appropriate authorization, testing, approval for migration to a production environment and post-implementation monitoring.
1. Benevity encrypts Client Data in transit across any external networks and at rest using current industry standard cryptographic algorithms.
2. Benevity will perform appropriate management of all cryptographic key material to ensure its confidentiality and will rotate encryption keys associated with Client Data according to best practices.
H. Data Segregation
1. Benevity’s solutions are offered as multi-tenant Software-as-a-Service (SaaS) applications. Client Data will be logically and/or physically segregated from that of other clients at all times.
I. Network Security
1. Benevity will employ industry standard network security controls on its networks containing Client Data to prevent unauthorized access. These controls will include at a minimum:
b) Intrusion Prevention System
c) File Integrity Monitoring
d) Anti-Malware Software on production hosts and Benevity issued workstations
2. Where applicable, network security solutions will have their definitions/signatures updated on a frequent basis with automatic updates enabled.
J. Logging, Monitoring and Security Incident Management
1. Benevity will maintain electronic logs of user activity and security events at the network, operating system, database and application levels.
2. Benevity centralizes its logs in a Security Incident and Event Management (SIEM) system to facilitate correlation and monitoring of logs.
3. Logs and any security event alerting will be monitored by Benevity’s Security Operations team.
4. Logs will be maintained for a minimum of one year and pertinent logging will be shared with Client in the event of a Security Incident involving Client’s Data. A “Security Incident” is defined as unauthorized access, use, disclosure, modification, or destruction of Client Data (including Client Personal Information) or interference with system operations in an information system maintained by Benevity that contains Client Data. The inadvertent unauthorized access of Client Data by a Benevity employee or subcontractor performing Services under the Agreement is not a security breach so long as the employee or subcontractor ends access as soon as the access is discovered, and the inadvertent access is reported to Client immediately.
5. Benevity will maintain a Security Incident Management Plan to be followed in the event of an Information Security Incident. The plan will contain procedures for incident identification, classification, investigation, resolution and reporting/notification.
6. In the event of a Security Incident involving Client’s Data, Benevity will notify Client as soon as it is discovered, and in any event, no longer than 24 hours.
K. Vulnerability Management
1. Benevity will perform network vulnerability scans of its network containing Client Data on a bi-weekly basis.
2. A reputable third party will be engaged to perform network penetration testing against Benevity’s network on a semi-annual basis.
3. Benevity will complete application vulnerability scanning on a continuous basis.
4. Any network or application vulnerabilities surfaced by Benevity’s internal or third party testing will be tracked and remediated in accordance with Benevity’s Vulnerability Management Process.
5. Vulnerability reports from third party penetration testing and application vulnerability scanning will be made available to Client upon request along with the status of any vulnerabilities undergoing remediation.
L. Business Continuity and Disaster Recovery
1. Benevity will maintain a Business Continuity Plan that will also address disaster recovery capabilities. The business continuity plan will be regularly reviewed and will be updated in accordance with changes to the business.
2. Benevity will maintain a Recovery Time Objective (RTO) of 4 (four) hours and a Recovery Point Objective (RPO) of 15 minutes.
3. The disaster recovery aspect of the Business Continuity Plan will be tested on an annual basis at minimum.
4. Benevity will make a copy of its current Business Continuity Plan available to Client upon request.
M. Vendor Management
1. Benevity will ensure that any and all agreements entered into with subservice providers who will transmit, process or store Client Data will include appropriate confidentiality clauses and security provisions no less stringent than its own.
2. Prior to engaging any subservice provider who will have access to Client Data, and on an annual basis thereafter, Benevity will perform a vendor risk assessment to ensure the subservice provider’s security posture is commensurate with their access to Client Data.