Usage Agreement & Terms
Last updated December 12, 2017.
These Terms shall describe and govern the rights, responsibilities and restrictions of both the customer organization and the individual user (“User”) of the services and platforms provided by FortMesa, Inc. and shall collectively be referred to herein as Usage Agreement & Terms (“Terms”) or (“Agreement”).
These Terms are a written contractual agreement and altogether form a binding contract.
“FortMesa”, “We,” “our” and “us” refers to FortMesa, Inc. “Customer”, “User”, “You”, “Your” refers to both the Customer organization and the Customer appointed User. “Platform” or “Services” refers to any web property, software application, electronic or paper collateral or correspondence created, provided, licensed, supported, sent or received by us.
Security Scope or Instance
Our products allow the Customer to manage multiple distinct scopes, contexts, silos or Instances of our software (herein “Instance”). In these cases although each distinct Instance of our software shall be treated individually, the Customer may remain the same. Further, Users may be associated with multiple distinct Instances, or even multiple Customers (such as is the case with a consultant or contractor).
By logging onto our platform and utilizing our services, or confirming an invitation to be associated with a Customer Instance of our platform, You agree to accept the current Terms listed herein. Agreement to these terms should be both on behalf of the User and on behalf of the Customer. Further, You agree that You have read fully and understand all Terms, You also shall accept any future Terms posted to our website. Any revision to these Terms by us will be preceded by a notification; continued usage of our platform or failure to delete Your platform Instance within 14 days following such notification will confirm acceptance of any changes to these Terms. Make sure You are authorized to accept such Terms before continuing.
Customer Organization & User Initiatives
The Customer is always the Information System Owner (“Instance Owner”) described to us through the use of our platform notwithstanding the custodial nature the User may have with the Customer. This means if the User is contracted by the Instance Owner to a scope-defined purpose it is recognized he or she is acting on behalf of the information Instance Owner per the guidance contained in NIST publication SP800-18. Such examples where the User may not be the Customer include but are not limited to that of a time-limited consultant, a managed services contractor, or a value-added reseller. Pursuant to this definition of ownership the Customer may assert its ownership or revoke User access at any time. We reserve the exclusive right to use our own judgement both in interpreting the definition of Instance Owner as well as deciding the identity of the Customer.
Customer Organization Assumptions
If You use a corporate email domain and unless otherwise determined by us we may by default assume the Customer is the owner of Your corporate email domain.
Customer Organization Initiated Actions
The Customer may create, update/modify or delete data created by the User. Further, the Customer may re-provision, suspend, remove or otherwise manage access to User access to data. The Customer shall also be the owner of any data created or input by the User.
All orders or subscriptions belong to their respective Customer (not to Users). User count-based subscriptions shall be based on named associated Users to the Customer Instance. A User account may be associated with multiple Customer organizations or Instances, in these cases the User will require a subscription for each Customer Instance with which they are associated.
- A Customer may have multiple Instances.
- An Instance always belongs to one Customer.
- A User may be associated with multiple Instances or Customers.
- Each User association requires a subscription.
User or Customer Feedback
We may respond positively to Feedback, suggestions or requests (“Feedback”) by responsively improving our platform. You agree that such Feedback becomes our sole and exclusive property. You hereby assign, transfer and convey to us, our successors and assigns, the entire exclusive worldwide right, title and interest in and to the Feedback, including but not limited to copyrights, trademarks, patents, and any and all other intellectual property rights therein, including any and all renewals, extensions or revival thereof, and in and to all works based upon, derived from, or incorporating the Feedback, throughout the world.
We work with some of the best security solution vendors on the planet to curate a collection of marketplace products and solutions that complement the Customer’s use of our platform (collectively “FortMesa Marketplace”). Although we believe in all the solutions we include as FortMesa Marketplace products we do not warranty or support these products and make no claims regarding merchantability or performance. Any FortMesa Marketplace products resold by us shall be considered sold “as-is”. Customers understand that any claims related to the purchase or use of FortMesa Marketplace products should be forwarded to the relevant original product manufacturer, distributor, or provider.
Availability and SLA
1000% SLA Guarantee
In cases where we explicitly claim or confirm our fault for loss of Platform or System availability without notifying You in advance (unplanned downtime) Customers may seek a service credit by contacting us within 30 days of occurrence of availability loss. The credit shall be a pro-rated service or subscription charge for the period of outage times ten (10) but shall never exceed the equivalent of a one (1) month service credit. Note that this guarantee applies only to FortMesa proprietary Platform or System and not any third-party component thereof or any third-party Platform or System which we utilize in the provision of Services over which FortMesa has no control.
We make our services available for use by You at our discretion and we reserve the right to disable function, de-provision service, remove data, or suspend User or Customer access for any reason. Further, You waive all implied, inferred or explicit rights or warranties regarding availability or product fitness for any purpose. Also, You waive all rights to seek incidental, special or consequential damages related to availability or fitness failures of our product or Platform.
All payments are due immediately upon signup or order and should always be considered advance payments. In cases where we at our option agree to email or paper invoicing the payment terms shall be NET 30 where unpaid / overdue balances are subject to an 18% APR default rate and at our option may be forwarded or sold to a collections agent at any time.
Unless otherwise stated all quoted fees are exclusive of taxes, levies, duties or other state assessments including but not limited to value added tax, sales tax, or use taxes.
Conditions of non-payment or late-payment
Customer understands and agrees that its service may be downgraded (capability restricted) or disabled upon non-payment or late-payment. Disability for non-payment or late-payment may result in loss of service availability or removal / deletion of Customer owned data.
Period & Renewal
This Agreement shall continue and will auto-renew until terminated by either party.
Either party may terminate this agreement at any time and for any reason with not less than 30 days notice prior to the effective termination date. The rights and obligations of this Agreement will continue after expiration or termination of this Agreement and will bind the parties and their legal representatives, successors, heirs, and assigns.
For security reasons we maintain no User authentication directory and depend solely on Customer managed systems to grant/approve/deny/revoke access to our Platform. You understand that we check for this access right with the Customer identity provider (IdP) only once per session and are not responsible for intra-session access termination.
We maintain authorization lists for usage in various ways within our application; however it is solely the Customer’s responsibility to review, amend, correct or remove authorization records to their provisioned Instances. We make no claims regarding the accuracy or integrity of these authorization lists except where we ensure Your Instance is use-restricted to Your associated Users.
Access Accounting & Audit
We record and maintain extensive accounting records regarding the use of our products by You. You agree that audit responsibility for these accounting records is solely Your responsibility. Further, You understand that although we work hard to ensure Customer access to accounting reports are useful they may not be exhaustive or complete.
Additionally, You understand and agree that all our accounting records are exclusively retained and managed according to our internal record retention policies up to and including permanent storage. All accounting records are entirely our property and are not subject to the same removal policies or terms as customer provisioned data. Under no circumstances should accounting records be considered Customer owned data nor should they be subject to the confidentiality agreement below.
In any case where we use or disclose this data for any purpose except to provide service to the Customer or satisfy a valid legal requirement we will de-identify (see De-identification) it before use or disclosure, unless we are under a legal requirement to do otherwise..
Data Ownership and Intellectual Property Rights
The Customer owns all data explicitly entered, input or imported into our Platform and You grant us a nonexclusive, worldwide, term-restricted license to use, copy, process, distribute or export all Customer data in the course of providing, maintaining, improving and supporting our Platform; this license term shall remain in effect as long as Customer Instances are provisioned for use. Additionally, aggregated, de-identified (see De-Identification) data ownership rights shall permanently become our property and shall survive the termination of this Agreement.
Our Intellectual Property
We own all services, software components and processes utilized by our Platform. We grant the Customer a non-transferrable, non-exclusive, non-assignable term-restricted license for You (both the Customer and User) to use our Platform as intended by us and solely as necessary to use our Services. We retain all rights not explicitly stated herein
- FortMesa and Customer agree to the following terms governing the confidentiality of certain information one party (“Data Owner”) may disclose to the other party (“Data Recipient”). For purposes of this Agreement, “Confidential Information” means all information disclosed by the Data Owner to the Data Recipient during the term and in the course of this Agreement, in whatever form transmitted. Confidential Information shall not include any information of Data Owner that: (i) is already known to Data Recipient at the time of its disclosure as established by documentary evidence; (ii) is or becomes publicly known through no wrongful act of Data Recipient; (iii) is material provided to Customer as a deliverable pursuant to the Agreement; (iv) is designated non-confidential by express written consent of the Data Owner; (v) is independently developed by Data Recipient as established by documentary evidence; or (vi) is ordered to be or otherwise required to be disclosed by the Data Recipient by a court of law or other governmental body provided, however, that the Data Owner is notified of such order or requirement and given a reasonable opportunity to file a motion for a protective order or otherwise intervene. (vii) is retained for the purpose of data aggregation by FortMesa as specified in these Terms subject to the requirement it is de-identified before use or disclosure.
- All Confidential Information in whatever form (including, without limitation, information in computer software or held in electronic storage media) shall be and remain property of Data Owner except where otherwise specified herein. All such Confidential Information shall be returned to Data Owner or destroyed promptly within thirty (30) days of the written request thereof, or within thirty (30) days of termination of this Agreement by either party, and shall not be retained in any form by Data Recipient except where required by law, regulation or other authority or otherwise specified herein.
- Data Recipient shall not disclose any Confidential Information to any person or entity except employees or subcontractors of Data Recipient who have a need to know and who have been informed of Data Recipient’s obligations under this Agreement and have agreed to abide by the obligations under this Agreement. Data Recipient shall only use the Confidential Information for the purpose of this contract. Data Recipient shall use not less than the same degree of care to avoid disclosure of Confidential Information as Data Recipient uses for its own confidential information of like importance and, at a minimum, shall exercise reasonable care. The Data Recipient shall store the Confidential Information only in a secure place, and the Data Recipient shall be responsible for any use or disclosure of Confidential Information by any of its employees, agents or representatives. All obligations of confidentiality under this Agreement shall survive termination with respect to Confidential Information disclosed prior to termination.
- The parties agree that, in the event of a breach or threatened breach of the terms of this Confidentiality provision, Data Owner shall be entitled to injunctive relief in addition to and not in lieu of any other legal or equitable relief including money damages. The parties acknowledge that Confidential Information is valuable and unique and that disclosure will result in irreparable injury to Data Owner.
Liability, Indemnity, Damages and General Provisions
Except where otherwise stated herein, neither the Customer’s nor FortMesa’s liability shall exceed the prior twelve (12) months cumulative subscription and non-FortMesa Marketplace order fees.
Each Party will indemnify, defend and hold harmless the other Party, its officers, directors, employees, and agents from and against all damage, liability, cost or expense Claims resulting from: (i) a Party’s material breach of this Agreement; or (ii) A Party supplying the other with information or materials infringing on any third party’s Intellectual Property Rights or (iii) any action taken or permitted by the other Party in good faith in reliance upon information received from a Party in connection with the other Party’s obligations and responsibilities for performance under this Agreement “Intellectual Property Rights” means all patent, copyright, trademark, trade secret, Internet domain name and other intellectual and intangible property rights. (iv) an indemnified party may choose its own counsel at its own cost (v) an indemnified party must approve any and all settlements related to indemnification.
Neither party will be liable for any special or consequential damages (including lost profits or savings) or incidental damages, even if informed of their possibility.
Failure of a party to timely perform any obligation under this Agreement caused by governmental restrictions, labor disputes, emergency, or other causes beyond the reasonable control of the Party and which could not have been avoided by the party’s use of due care shall not be deemed a breach of this Agreement.
This Agreement shall not render FortMesa or its affiliated, officers, directors, employees, agents, or contractors (each, an “FortMesa Affiliates”), an employee, partner, agent of, or joint venture with the Customer for any purpose. A FortMesa affiliate is and will remain an independent contractor in [his or her] relationship to the Customer.
In the world of information security data sharing provides a unique opportunity to extract meaning, correlations and trends that are not possible to derive from Customer or User limited sets of data. Thus, we reserve the right to use this data in ways we think can provide value to us, the Customer, the User, the public, or other entities or groups we determine.
We are aware data aggregation and de-identification is a controversial topic and it is often done poorly or in ways that provide no value for the originator of data. In our efforts to remain transparent the following should be understood regarding data De-Identification at FortMesa.
In some states or territories we are limited in how we can utilize Your data. We strive to comply with all statutes and as such will observe the laws of any jurisdiction we do business. Thus, in any cases where we de-identify Your data for use or disclosure for reasons other than to support Your use of our platform we will first filter data received from Customer organizations with registered addresses (as specified by the Customer on a per Instance basis) outside the regions we have already evaluated for restrictions or prohibitions on data sharing.
After filtering for excluded data we will append an identifier specific randomly generated nonce at least as large as our hash result (destroyed after export), and then apply a one-way cryptographic hash algorithm (SHA-384 or stronger). This is an industry standard approach and resists data recovery attempts that rely on reversing encryption or chosen/known-plaintexts.
Fields we currently consider identifiable are IP addresses, Customer/Instance/User/Asset names and descriptions as well as Customer/User physical or electronic (email) contact addresses or phone numbers. Please let us know if You would like us to evaluate other data types for identifiability.
- Any written notices between parties shall be if to Customer using the organizational information recorded by the Customer in associated platform instances, and if to FortMesa to the contact method specified below.
- This Agreement shall be construed and enforced according to laws of New York State. Further, the New York courts of Albany or Columbia County (or, if there is exclusive federal jurisdiction, the federal court located in Albany, New York) shall have exclusive jurisdiction and venue over any dispute arising out of or relating to this Agreement, and each party hereby consents to the jurisdiction and venue of such courts.
- Neither party may assign This Agreement without the other party’s written consent.
- No forbearance, waiver of rights or delay by either party in enforcing the provisions of this Agreement will prejudice or restrict the rights of that party.
- This Agreement supersedes all prior arrangements, agreements and understandings between the parties.
- This Agreement is the entire agreement between the parties and may be altered or amended only in a written instrument signed by both parties.
- The invalidity or unenforceability of any provisions of this Agreement shall not affect the validity or enforceability of any other provision of this Agreement, which shall remain in full force and effect.