Credential Provider Subscription Agreement

THIS SUBSCRIPTION AGREEMENT (THIS “AGREEMENT”) IS BY AND BETWEEN PING IDENTITY CORPORATION (“PING IDENTITY”) AND THE COMPANY OR ENTITY ON WHOSE BEHALF YOU ARE ACCEPTING THIS AGREEMENT (“CUSTOMER”). YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND CUSTOMER TO THE TERMS OF THIS AGREEMENT. THE PRODUCTS (DEFINED BELOW) PROVIDED UNDER THIS AGREEMENT ARE A UNIQUE OFFERING BY PING IDENTITY THAT ARE BEING OFFERED FREE OF CHARGE FOR A PUBLIC INTEREST USE, AND NO EXISTING AGREEMENTS BETWEEN PING IDENTITY AND CUSTOMER, IF ANY, SHALL APPLY TO OR SUPERSEDE THIS AGREEMENT. PING IDENTITY PROVIDES THE PRODUCTS SOLELY ON THE TERMS AND CONDITIONS SET FORTH HEREIN.

BY AGREEING TO THE TERMS OF THIS AGREEMENT OR BY ACCESSING, USING OR INSTALLING ANY PART OF THE PRODUCTS, CUSTOMER EXPRESSLY AGREES TO AND CONSENTS TO BE BOUND BY ALL OF THE TERMS OF THIS AGREEMENT, INCLUDING THE DPA. IF CUSTOMER DOES NOT AGREE TO ANY OF THE TERMS OF THIS AGREEMENT, CUSTOMER IS PROHIBITED FROM ACCESSING, DOWNLOADING, INSTALLING, ACTIVATING OR USING THE PRODUCTS.

THE EFFECTIVE DATE OF THIS AGREEMENT IS THE DATE ON WHICH CUSTOMER ACCEPTS THESE TERMS, WHICH MAY BE BY CLICKING “ACCEPT” OR THE SIMILARLY LABELED BUTTON INDICATING ASSENT (THE “EFFECTIVE DATE”). COLLECTIVELY, PING IDENTITY AND CUSTOMER MAY BE REFERRED TO AS THE “PARTIES” OR IN THE SINGULAR AS A “PARTY”.

For good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:

1. Definitions.

“Administrator” is an individual who has been granted administrative permissions by Customer to the Service.

“Affiliate(s)” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Business Associate Agreement” means those certain Business Associate Agreement terms that are entered into by and between the Customer and Ping Identity and incorporated into this Agreement, attached hereto as Exhibit A.

“Customer Data” means all electronic data or information submitted by Customer to the Service. Customer Data may include Personal Data.

“Data Protection Laws and Regulations” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC; (ii) California Consumer Privacy Act of 2018 (the “CCPA”); and (iii) any other similar data protection laws in any other applicable territory, each as amended, replaced, or superseded.

“Documentation” means the manuals and instructions relating to the use and operation of the Service and Software made generally available by Ping Identity on its website, or otherwise provided to Customer by Ping Identity.

“Malicious Code” means viruses, worms, Trojan horses and other harmful or malicious code, files, scripts, agents or programs.

“Personal Data” has the meaning ascribed to it under the DPA.

“Products” means the Software, Service, Trial Products (defined in Section 2.3) and Beta Versions (defined in Section 2.4).

“Service” means web-based or mobile application currently known as “ShoCard” that provides assistance with COVID-19 vaccination and testing credentialing, and other testing or reporting, as provided or made available by Ping Identity. The mobile application downloaded and used by Users in connection with the Service is provided to Users under the terms of use for such mobile application and is not offered to Users under the terms of this Agreement.

“Software” means that proprietary downloadable software programs, including the interface known as “ShoCard” provided to Customer as a downloadable software program that is offered for COVID-19 vaccination or testing credentialing, and other testing or reporting, as provided by Ping Identity or otherwise downloaded or installed by Customer.

“User” means any Administrator and any individual authorized by Customer to receive credentials or other information from Customer through the Service.

2. General.

2.1 Provision of Service. Subject to the terms and conditions of this Agreement, Ping Identity shall make the Service available to Customer so that Customer may utilize the Service, solely for Customer’s business use, all in accordance with this Agreement and the Documentation. Customer agrees that its use of the Products is neither contingent upon the delivery of any future functionality or features nor dependent upon any oral or written public comments made by Ping Identity with respect to future functionality or features.

2.2 License Grant. Subject to the terms and conditions of this Agreement, Ping Identity hereby grants Customer, during the Term, a limited, non-exclusive, non-sublicenseable, non-transferable license to install, use and/or access the Software solely for Customer’s business use, all in accordance with this Agreement and the Documentation.

2.3 Evaluation and Developer Licenses. If Ping Identity provides Customer with a trial, evaluation or developer license to the Products (the “Trial Products”), Customer agrees to use the Trial Products solely for evaluation purposes, in a non-production environment, for a thirty (30) day evaluation period unless a different period is otherwise agreed to in writing by Ping Identity (the “Trial Period”). At the end of the Trial Period, Customer’s right to use the Trial Products automatically expires and Customer agrees to uninstall the Trial Products and return to Ping Identity all copies or partial copies of the Trial Products and, upon request, certify to Ping Identity in writing that all copies or partial copies of the Trial Products have been deleted from Customer’s computer libraries and/or storage devices and destroyed. If Customer desires to continue its use of the Trial Products beyond the Trial Period, Customer shall contact Ping Identity to acquire a license to, or subscription for, the Trial Products for the applicable fee.

2.4 Beta Versions. If Ping Identity and Customer mutually agree in writing, Customer may receive beta, preview or other pre-release Products or features from Ping Identity (“Beta Versions”). Beta Versions may not have been tested or debugged and are experimental, and any documentation may be in draft form. Ping Identity may change or discontinue Beta Versions at any time without notice.

2.5 IN ADDITION TO ANY DISCLAIMERS IN SECTION 8.4, ANY TRIAL PRODUCTS AND BETA VERSIONS ARE PROVIDED ON AN “AS-IS” AND “AS AVAILABLE” BASIS AT CUSTOMER’S SOLE RISK. PING IDENTITY SHALL NOT HAVE ANY LIABILITY FOR CUSTOMER’S USE OF THE TRIAL PRODUCTS OR BETA VERSIONS UNDER THIS AGREEMENT UNDER ANY THEORY OF LIABILITY. Ping Identity does not provide support for Trial Products or Beta Versions. Trial Products and Beta Versions may be subject to reduced or different security, compliance and privacy commitments. The following Sections of this Agreement shall not apply to Trial Products or Beta Versions: 8.1, 9.1 and 10.1.

2.6 Delivery and Installation.

(a) Delivery and Installation. Ping Identity will deliver the Product to Customer by electronic download or authorized link unless otherwise agreed by the parties. Customer will be solely responsible for installing any Software as permitted under this Agreement. All Software will be deemed accepted upon delivery.

(b) Ping Identity Assistance. In the event that Customer requires any administration, training, installation, health check, or similar services with respect to the Products, such services shall be provided by Ping Identity at Ping Identity’s then-current time and material rates and under a separate agreement.

2.7 Updates; No Support or Maintenance for Products.

(a) Ping Identity may extend, enhance or otherwise modify or update the Service or Software, including removing features or functionality, at any time without notice (collectively, “Updates”). Ping Identity is under no obligation to make or provide any Updates.

(b) Ping Identity is not obligated to provide any maintenance, technical or other support for the Products. Ping Identity makes no guarantees to Customer or any User in relation to the availability or uptime of the Products. Ping Identity does not guarantee the availability, accuracy, completeness, reliability or timeliness of any data or information displayed in connection with the Products, or in connection with the interaction of the Software or Service with any application that may be separately downloaded by Users to use in connection with the Service. It is Customer’s obligation and responsibility to maintain appropriate alternate backups of all content, data, and information, including but not limited to, any Customer Data or other content that Customer may provide to Ping Identity in connection with the Products.

3. Use Guidelines; Restrictions. Customer shall use the Products solely for its own business purposes in accordance with this Agreement. Customer shall not: (i) license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, time share, operate as a service bureau or managed service, or otherwise commercially exploit or make the Products available to any third party except as expressly contemplated by this Agreement; (ii) modify, copy, adapt, alter, translate or create derivative works of the Products; (iii) frame or mirror any content forming part of the Service, other than on Customer’s own intranets or otherwise for its own internal business purposes; (iv) reverse engineer, decompile or disassemble the Products (or otherwise attempt to derive the source code or underlying ideas or algorithms of the Software); (v) take any action that would cause the Products (including any license key) to be placed in the public domain; (vi) remove, alter, or obscure any proprietary notices of Ping Identity, its licensors or supplier included in the Products; (vii) send spam or otherwise duplicative or unsolicited messages in violation of applicable laws through the Products; (viii) send or store infringing, obscene, threatening, libelous, or otherwise unlawful or tortious material, including material that is harmful to children or violates third-party privacy rights; (ix) send or store Malicious Code; (x) interfere with or disrupt the integrity or performance of the Products or the data contained therein, including conducting any load or penetration testing on the Products; (xi) access the Products in order to (a) build a competitive product or service, or (b) copy any ideas, features, functions or graphics of the Products; (xii) publish or disclose to any third party any opinions relating to, or test results, benchmarking or comparative study involving any Product without the prior written consent of Ping Identity, or (xiii) attempt to gain unauthorized access to the Products or its related systems or networks.

4. Fees & Suspension; Audit.

4.1 Fees and Payment Terms. Initially, there are no fees associated with Customer’s use of the Software and Service for the purposes of providing vaccination and testing credentials related to the COVID-19 pandemic. To the extent any fees apply in the future, Ping Identity will contact Customer and Customer and Ping Identity will enter into an ordering document (“Ordering Document”) for such Software and Services associated with such fees. All payment terms for any purchased Software or Services shall be set forth in the applicable Ordering Document.

4.2 Suspension of Service. Ping Identity reserves the right to suspend access to and use of the Products provided to Customer if: (i) Ping Identity reasonably believes that suspension of the Products is necessary to comply with the law or requests of governmental entities; (ii) Ping Identity reasonably determines that Customer’s use of the Products is in violation of this Agreement or any applicable law or poses any security or vulnerability risk to Ping Identity or the Products; (iii) Customer fails to meet it payment obligations under an Ordering Document; or (iv) Ping Identity otherwise deems suspension advisable in its sole discretion. Ping Identity will endeavor to give advance notice of the suspension, to the extent it is able, taking into account the nature of the underlying cause. Ping Identity will restore access to the impacted Product as soon as the underlying cause is mitigated.

4.3 Audit of Software Usage. Ping Identity will have the right, upon reasonable prior written notice to Customer, to audit Customer’s equipment on which the Software is installed, and all related back-up files, to verify compliance with this Agreement. Any such audit will be conducted during normal business hours in a manner so as not to unreasonably interfere with Customer’s normal operations. The audit will be conducted at Ping Identity’s expense unless the audit reveals a material non-compliance with the terms of this Agreement by Customer, in which case Customer will reimburse Ping Identity for all reasonable costs and expenses associated with such audit.

5. Confidentiality.

5.1 Definition of Confidential Information. As used herein, “Confidential Information” means all confidential and proprietary information of a Party (the “Disclosing Party”) disclosed or made available to the other Party (the “Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information or the circumstances of disclosure, including without limitation, the terms and conditions of this Agreement, the Products, business and marketing plans, technology and technical information, pricing information, financial results and information, product designs, product roadmaps, results of penetration testing, security reports or audits and business processes. Confidential Information shall not include any information that: (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party; (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party; (iii) was independently developed by the Receiving Party without breach of any obligation owed to the Disclosing Party; or (iv) is received from a third party without breach of any obligation owed to the Disclosing Party. Confidential Information specifically excludes Customer Data and Personal Data. Customer Data and Personal Data obligations are set forth in Section 6 below.

5.2 Confidentiality. The Receiving Party shall not disclose or use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement, except with the Disclosing Party’s prior written permission. The Receiving Party may disclose Confidential Information to its Affiliates and service providers on a need-to-know basis, and such Affiliates and service providers may use such Confidential Information, in each case only for the purposes of fulfilling Receiving Party’s obligations under this Agreement. The Receiving Party shall be liable to the Disclosing Party for all actions and omissions of its Affiliates and service providers with respect to such information as if such actions and omissions were those of the Receiving Party hereunder.

5.3 Protection. The Receiving Party agrees to protect the confidentiality of the Confidential Information of the Disclosing Party in the same manner that it protects the confidentiality of its own proprietary and confidential information of like kind (but in no event using less than reasonable care), and promptly notify the Disclosing Party upon discovery of any unauthorized access or acquisition of Confidential Information and reasonably cooperate with the Disclosing Party’s efforts to prevent, investigate and remediate the breach of confidentiality.

5.4 Compelled Disclosure. If the Receiving Party is compelled by law to disclose Confidential Information of the Disclosing Party, it shall provide the Disclosing Party with prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure.

5.5 Remedies. If the Receiving Party discloses or uses (or threatens to disclose or use) any Confidential Information of the Disclosing Party in breach of confidentiality protections hereunder, the Disclosing Party shall have the right, in addition to any other remedies available to it, to seek injunctive relief to enjoin such acts, it being specifically acknowledged by the Parties that any other available remedies are inadequate.

6. Data.

6.1 Use of Customer Data. Ping Identity shall only use Customer Data as set forth in this Agreement and as necessary to operate the Service. As between Ping Identity and Customer, Customer owns all rights, title and interest in and to all Customer Data, provided that Customer agrees that once any Customer Data (e.g. a credential) is provided to a User, the User will have ownership of such Customer Data and the right to share such Customer Data with third parties unless revoked by Customer through the Service.

6.2 Customer Responsibilities. Customer is solely responsible for all activities that occur in its account in the Service and for transactions between Customer and its Users. Customer warrants that it shall (i) ensure the accuracy, quality, integrity, legality, reliability, and appropriateness of all Customer Data submitted by it to the Service, as well as for updating and/or revoking any such Customer Data through the Service to ensure continued accuracy, quality, integrity, legality and reliability; (ii) prevent unauthorized access to, or use of, the Service, and notify Ping Identity promptly of any such unauthorized access or use; and (iii) verify the identity of Users before providing any data or information regarding such User to the Service. If Customer becomes aware of any violation of Customer’s obligations under this Agreement by any User, Customer will promptly notify Ping Identity and work with Ping Identity to promptly terminate access of any such User to the Service.

6.3 Nature of Customer Data. Customer agrees that it has sole control over the nature and scope of the Customer Data processed by the Products, and the origin or location of Users. Customer represents and warrants that it will not transmit or upload through the Products or otherwise expose Ping Identity to any cardholder data (as regulated by the Payment Card Industry Security Standards Council) as a part of using the Products or otherwise under this Agreement.

6.4 Information Security. Ping Identity will implement and maintain reasonable and appropriate technical, administrative and physical security measures designed to protect against unauthorized access to or use of Customer Data. Ping Identity shall, at a minimum, maintain the security of the Service and the Customer Data in accordance with the security exhibit available at https://www.pingidentity.com/security-exhibit (the “Security Exhibit”).

6.5 Data Privacy Addendum. The Data Privacy Addendum located at https://www.pingidentity.com/data-privacy-addendum (the “DPA”) is incorporated by reference into this Agreement and governs each Parties’ obligations in connection with the processing of Personal Data. This Agreement, and Customer’s use of the Service’s features and functionality, are Customer’s complete set of instructions to Ping Identity in relation to the processing of Personal Data.

6.6 Intelligence Service Features. Ping Identity may collect and utilize Customer Data and information derived from Customer’s use of the Products internally to improve and develop its product offerings. In addition, Ping Identity owns any statistical usage data derived from the operation of the Products that has been aggregated and de-identified so that results are non-personally identifiable with respect to Customer or any User (“Aggregated Data”), and nothing herein will prohibit Ping Identity from using Aggregated Data in the operation of Ping Identity’s business. For clarity, Ping Identity may only disclose Aggregated Data externally in a de-identified (anonymous) form that does not identify Customers or any Users, and that is stripped of all persistent identifiers (such as device identifiers, IP addresses, and cookie IDs). Ping Identity will retain, and Customer expressly disclaims, all intellectual property and other rights in any products or services Ping Identity develops pursuant to the usage rights herein.

7. Proprietary Rights.

7.1 Reservation of Rights. Subject to the limited rights expressly granted hereunder, Ping Identity reserves all rights, title and interest in and to the Products (and any enhancements, modifications, or derivative works thereof, or other software development performed by Ping Identity), including all related intellectual property rights. No rights are granted to Customer hereunder other than as expressly set forth herein.

7.2 Suggestions. If Customer or its Users provides any feedback, comments, suggestions, ideas, requests, or recommendations for modifications or improvements to Ping Identity regarding the Products (collectively, “Feedback”), Customer hereby assigns all rights, title, and interest in any such Feedback to Ping Identity to be used for any purpose.

8. Warranties & Disclaimers.

8.1 Warranties. Each Party represents that it has the legal power to enter into this Agreement. Ping Identity warrants that it will provide the Products in a manner consistent with industry standards applicable to the provision thereof. Customer represents and warrants that (i) it has the necessary authority to provide the Customer Data and data regarding Customer’s Users to Ping Identity; (ii) Customer has complied and will comply with applicable laws, including all applicable Data Protection Laws and Regulations with respect to its use of the Products; and (iii) Customer has provided appropriate notice to Users and obtained all consents or authorizations necessary with respect to its use of the Products, including for disclosures of the User’s Personal Data to Ping Identity and its service providers.

8.2 Disclaimer. THE EXPRESS WARRANTIES IN THIS AGREEMENT ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, REGARDING THE PRODUCTS AND PING IDENTITY EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT OF THIRD-PARTY RIGHTS. PING IDENTITY DOES NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE PRODUCTS WILL MEET CUSTOMER’S REQUIREMENTS, OR THAT THE OPERATION AND RESULTS OF THE PRODUCTS WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT DEFECTS IN THE PRODUCTS WILL BE CORRECTED. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY PING IDENTITY OR ITS AUTHORIZED REPRESENTATIVES SHALL CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF ANY WARRANTY HEREIN.

9. Indemnification.

9.1 Indemnification by Ping Identity. Subject to the limitations of liability in this Agreement, Ping Identity will defend at its own expense any action against Customer brought by a third party alleging that the Products, in each case, as delivered and used in accordance with this Agreement, infringe any U.S. patents issued as of the Effective Date or any copyrights or misappropriate any trade secrets, in each case, of a third party, and Ping Identity will indemnify and hold Customer harmless against those costs and damages finally awarded against Customer in any such action that are specifically attributable to such claim or those costs and damages agreed to in a monetary settlement of such action. The foregoing obligations are conditioned on Customer’s compliance with the Indemnification Conditions (defined below). If the Products become, or in Ping Identity’s opinion are likely to become, the subject of an infringement claim, Ping Identity may, at its option and expense, either: (i) procure for Customer the right to continue using the Products; (ii) replace or modify the Products so that they become non-infringing; or (iii) terminate the subscription to the infringing Products and refund Customer any unused, prepaid fees for the infringing Products covering the remainder of the subscription term after the date of termination. Notwithstanding the foregoing, Ping Identity will have no obligation or liability under this Section 9.1 or otherwise with respect to any infringement claim based upon: (a) any use of the Products not in accordance with this Agreement; (b) any use of the Products in combination with products, equipment, software, or data not supplied or approved in writing by Ping Identity if such infringement would have been avoided but for the combination with other products, equipment, software or data; (c) any use of a prior release of the Software after a more current release has been made available to Customer; or (d) any modification of the Products by any person other than Ping Identity. This Section 9.1 states Ping Identity’s entire liability and Customer’s exclusive remedy for any claims of infringement.

9.2 Indemnification by Customer. Subject to the terms of this Agreement, Customer will defend at its own expense any action against Ping Identity brought by a third party (including any User) related to the Customer Data or Customer’s misuse of the Products (provided it is not due to Ping Identity’s breach of this Agreement), and Customer will indemnify and hold Ping Identity harmless against those costs and damages finally awarded against Ping Identity in any such action that are specifically attributable to such claim or those costs and damages agreed to in a monetary settlement of such action. The foregoing obligations are conditioned on Ping Identity’s compliance with the Indemnification Conditions (defined below).

9.3 Indemnification Conditions. “Indemnification Conditions” means the following conditions, which a Party must comply with to be entitled to the defense and indemnification obligations of the other Party under this Agreement. The indemnified Party must (i) notify the indemnifying Party promptly in writing of such claim or allegation, setting forth in reasonable detail the facts and circumstances surrounding the claim; (ii) give the indemnifying Party sole control of the defense thereof and any related settlement negotiations, including not making any admission of liability or take any other action that limits the ability of the indemnifying Party to defend the claim; and (iii) cooperating and, at the indemnifying Party’s request and expense, assisting in such defense.

10. Limitation of Liability.

10.1 Limitation of Liability. PING IDENTITY’S CUMULATIVE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT (WHETHER IN CONTRACT OR TORT OR UNDER ANY OTHER THEORY OF LIABILITY) SHALL NOT EXCEED THE TOTAL AMOUNT OF FEES PAID OR PAYABLE BY CUSTOMER HEREUNDER IN THE 12 MONTHS PRECEDING THE INCIDENT.

10.2 Exclusion of Consequential and Related Damages. IN NO EVENT SHALL PING IDENTITY HAVE ANY LIABILITY TO CUSTOMER FOR (i) ERROR OR INTERRUPTION OF USE, LOSS OR INACCURACY OR CORRUPTION OF DATA, (ii) COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES, RIGHTS, OR TECHNOLOGY (iii) ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES OR (iv) LOSS OF REVENUES AND LOSS OF PROFITS, HOWEVER CAUSED AND, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, WHETHER OR NOT PING IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

11. Term & Termination.

11.1 Term of Agreement. Unless earlier terminated as described below, this Agreement commences on the Effective Date and will continue for the initial term of twelve (12) months (“Initial Term”). Following the Initial Term, this Agreement shall renew automatically for subsequent 12-month terms (each a “Renewal Term” and together with the Initial Term, the “Term”). Either Party may elect not to renew this Agreement by providing written notice to the other Party thirty (30) days prior to the start of then-applicable Term, or to otherwise terminate this Agreement for its convenience at any time upon written notice.

11.2 Termination for Cause. Either Party may terminate this Agreement for cause: (i) upon thirty (30) days written notice of a material breach of this Agreement by the other Party if such breach remains uncured at the expiration of such period; or (ii) if the other Party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.

11.3 Effects of Termination. Upon expiration or termination of this Agreement all rights to use the Products (including all licensed rights for the Software) granted in this Agreement will immediately cease to exist and Customer must promptly discontinue all use of the Products. Upon a Party’s written request, the other Party will erase, delete or destroy all copies of Confidential Information of the other Party whether or not modified or merged into other materials, and certify in writing to Ping Identity that Customer has fully complied with these requirements. A Party may retain archived copies of Confidential Information or copies that are incapable of being destroyed because it would be unduly burdensome or cost prohibitive, provided that all such copies remain subject to the restrictions herein for so long as they are retained.

11.4 Outstanding Fees. If any fees are applicable, termination shall not relieve Customer of the obligation to pay any fees accrued or payable to Ping Identity prior to the effective date of termination. If applicable, upon any termination for cause by Customer, Ping Identity shall refund Customer any unused, prepaid fees covering the remainder of the subscription term after the date of termination. If this Agreement is terminated by Ping Identity for cause, Customer shall remain responsible for any payments set forth on any outstanding Ordering Documents, regardless of whether such amounts have been invoiced or are payable at the time of such termination.

11.5 Surviving Provisions. Any provisions that are by their nature intended to survive termination of this Agreement will continue to survive following termination.

12. General Provisions.

12.1 Relationship of the Parties. The Parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the Parties. Neither Party will have the power to bind the other or incur obligations on the other Party’s behalf without the other Party’s prior written consent.

12.2 No Third-Party Beneficiaries. There are no third-party beneficiaries to this Agreement.

12.3 Open Source Software. Certain items of software embedded within the Products are subject to “open source” or “free software” licenses (“Open Source Software”). Some of the Open Source Software is owned by third parties. Nothing in this document limits Customer’s rights or obligations under the terms and conditions of any applicable end user license for the Open Source Software. In no event do any authors of any Open Source Software provide any warranties with respect to such Open Source Software and such authors disclaim liability of any kind for any use of the Open Source Software. The terms of the licenses for the Open Source Software shall not impose any additional restrictions on your use of the Products as permitted by this Agreement or negate or amend any of our responsibilities with respect to the Products.

12.4 Notices. All notices under this Agreement shall be in writing and may be sent by electronic mail. Notices shall be deemed to have been given upon the second business day after sending by email. Notices to Ping Identity shall be sent to legal@pingidentity.com. Notices to Customer, unless otherwise indicated by Customer, may be sent to the individual that executed this Agreement on behalf of Customer and/or an Administrator by email.

12.5 Waiver and Cumulative Remedies. Failure by either Party to enforce any provision of this Agreement will not be deemed a waiver of future enforcement of that or any other provision of this Agreement. Other than as expressly stated herein, the remedies provided herein are in addition to, and not exclusive of, any other remedies of a Party at law or in equity.

12.6 Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be unenforceable the provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of this Agreement shall remain in force and effect.

12.7 Third-Party Services. The Products may be used by Customer to interface with certain third-party services and applications (“Third-Party Services”). Ping Identity makes no warranty regarding the operation or functionality of such Third-Party Services. Ping Identity does not guarantee that the Products will interoperate with any particular Third-Party Service, and Ping Identity will not provide any support to any Third-Party Services.

12.8 Assignment. Customer may not assign or transfer, by operation of law or otherwise, any of its rights under this Agreement (including its licenses with respect to the Software) to any third party without Ping Identity’s prior written consent, which consent shall not be unreasonably withheld. Any attempted assignment or transfer in violation of the foregoing will be null and void. Ping Identity shall have the right to assign this Agreement to any successor to its business or assets to which this Agreement relates, whether by merger, sale of assets, sale of stock, reorganization or otherwise. All provisions of this Agreement shall be binding upon, inure to the benefit of and be enforceable by and against the respective successors and permitted assigns of Ping Identity and Customer.

12.9 Applicable Law and Venue. The laws of the State of Colorado, USA (without regard to any conflict of laws principles that would require the application of the laws of any other jurisdiction) govern this Agreement and all matters arising out of or relating to this Agreement, including, without limitation, validity, interpretation, construction, performance, and enforcement. Any dispute, action, claim or cause of action arising out of, relating to, or in connection with this Agreement or the Products shall be only brought in and is subject to the exclusive jurisdiction of the state and federal courts located in Denver, Colorado USA. Each Party waives, to the fullest extent of the law, any objection to venue in such courts, and each Party hereby irrevocably submits and consents to the exclusive jurisdiction of such courts. To the extent permitted by law, the Parties expressly waive any right to trial by jury.

12.10 Governing Language. The governing language for this Agreement and for negotiation and resolution of any disputes related to this Agreement is the English language.

12.11 U.S. Government End Users. If Customer is a branch or agency of the United States Government, the following provision applies. The Software is comprised of “commercial computer software” and “commercial computer software documentation” as such terms are used in 48 C.F.R. 12.212 and qualify as “commercial items” as defined in 48 C.F.R. 2.101. Ping Identity provides the Products for ultimate federal government end use solely in accordance with the following: Government technical data and software rights related to the Products include only those rights customarily provided to the public as defined in this Agreement. This customarily commercial license is provided in accordance with FAR 12.211 (Technical Data) and FAR 12.212 (Software) and, for Department of Defense transactions, DFAR 252.227-7015 (Technical Data – Commercial Items) and DFAR 227.7202-3 (Rights in Commercial Computer Software or Computer Software Documentation). This section is in lieu of, and supersedes, any other FAR, DFARS, or other clause or provision that addresses government rights in computer software or technical data. If a government agency has a need for rights not conveyed under this Agreement, it must negotiate with Ping Identity to determine if there are acceptable terms for transferring such rights, and a mutually acceptable written addendum specifically conveying such rights must be included in an amendment to this Agreement.

12.12 Marketing and Publicity. Ping Identity may identify Customer as a customer of Ping Identity on Ping Identity’s website as well as within any written and/or electronic marketing material relating to Ping Identity’s products and/or services.

12.13 Force Majeure. Neither Party will be liable for any failure in performance due to circumstances beyond such Party’s reasonable control, including without limitation, acts of God; acts of government; flood; fire; earthquakes; civil unrest; acts of terror, strikes or other labor problems, computer, telecommunications, Internet service provider or hosting facility failures or delays involving hardware, software or power systems not within such Party’s possession or reasonable control, and denial of service attacks. For the avoidance of doubt, a force majeure event shall not include (a) financial distress, (b) changes in the market prices or conditions, or (c) a Party’s financial inability to perform its obligations hereunder.

12.14 Anti-Bribery. Ping Identity agrees not to provide, and Customer agrees that it has not received or been offered any illegal or improper bribe, kickback, payment, gift, or thing of value from any Ping Identity employees or agents in connection with this Agreement. Reasonable gifts and entertainment provided in the ordinary course of business do not violate the above restriction. If either Party learns of any violation of the above restriction, such Party will use reasonable efforts to promptly notify the other Party.

12.15 Headings. Headings used in this Agreement are provided for convenience only and will not in any way affect the meaning or interpretation of each section.

12.16 Entire Agreement. This Agreement, including all exhibits hereto, the DPA, and the Business Associate Agreement, constitutes the final agreement between the Parties, and is the complete and exclusive expression of the Parties’ agreement on the matters contained in this Agreement. All exhibits and Ordering Documents are incorporated into this Agreement by reference. All prior agreements (including any click-through agreement associated with the Products), proposals or representations, written or oral, concerning the subject matter contained in this Agreement, are expressly superseded by this Agreement. The Parties expressly agree that any existing agreements between the Parties related to products of Ping Identity other than the Products are not superseded by this Agreement and also that no such agreements supersede this Agreement with respect to the Products. Any prior non-disclosure, confidentiality, or similar agreement between the Parties is expressly superseded by this Agreement and the confidential or proprietary information previously disclosed thereunder shall become “Confidential Information” under the terms of this Agreement as if originally disclosed hereunder. In entering this Agreement, neither Party has relied upon any statement, representation, warranty or agreement of the other Party except for those expressly contained in this Agreement. Notwithstanding any language to the contrary therein, no terms or conditions stated in a Customer purchase order or in any other Customer order documentation shall be incorporated into or form any part of this Agreement, and all such terms or conditions are specifically and expressly rejected by Ping Identity and shall be null and void. The U.N. Convention on the International Sale of Goods shall not apply to this Agreement.

12.17 Modifications. Ping Identity may revise and update this Agreement from time to time in its sole discretion, and such updates will be posted to the following address: https://www.pingidentity.com/en/legal/project-covid-freedom-agreement.html or otherwise notified to Customer via reasonable means, including without limitation notice by email to any Administrator of Customer. All changes are effective immediately when posted or notified, and apply to all access to and use of Products thereafter. However, any changes to the dispute resolution provisions set forth herein will not apply to any disputes for which the Parties have actual notice on or before the date the change is posted on the above referenced website address or otherwise notified as set forth above. Customer’s continued use of the Products following the posting of revised agreement means that Customer accept and agree to the changes. In the event that Customer does not agree with the changes Customer shall notify Ping Identity in writing that is electing to terminate this Agreement with immediate effect. Customer is expected to check this above referenced website address from time to time so that it is aware of any changes, as they are binding on Customer.

Exhibit A

Business Associate Agreement

Definitions

Terms used in this Business Associate Agreement (this “BAA”) that are defined in the HIPAA Rules shall have the meaning assigned to them in the HIPAA Rules except as set forth below.

Specific definitions:

(a) Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to this BAA, shall mean Ping Identity.

(b) Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to this BAA, shall mean Customer.

(c) Electronic Protected Health Information. “Electronic Protected Health Information” shall have the same meaning as the term “electronic protected health information” at 45 CFR 160.103 but is limited to that electronic protected health information received, created, transmitted or maintained by Business Associate for or on behalf of Covered Entity in the course of providing services to Covered Entity.

(d) HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

(e) Protected Health Information/PHI. Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” at 45 CFR 160.103 but is limited to that protected health information received, created, transmitted or maintained by Business Associate for or on behalf of Covered Entity in the course of providing services to Covered Entity.

Obligations and Activities of Business Associate

Business Associate agrees to:

(a) Not use or disclose Protected Health Information other than as permitted or required by the Agreement or as required by law;

(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent use or disclosure of Protected Health Information other than as provided for by the Agreement;

(c) Report to Covered Entity any use or disclosure of Protected Health Information not provided for by the Agreement of which it becomes aware, including breaches of unsecured Protected Health Information as required at 45 CFR 164.410, and any security incident of which it becomes aware; provided, however, that Covered Entity and Business Associate acknowledge the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of Electronic Protected Health Information;

(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree to the substantially similar restrictions, conditions, and requirements that apply to Business Associate with respect to such information;

(e) To the extent Business Associate maintains PHI in a designated record set, make available Protected Health Information in the designated record set to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524;

(f) To the extent Business Associate maintains PHI is a designated record set, make any amendment(s) to Protected Health Information in the designated record set as directed or agreed to by Covered Entity pursuant to 45 CFR 164.526;

(g) Maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528;

(h) To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s); and

(i) Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

Permitted Uses and Disclosures by Business Associate

(a) Business Associate may use or disclose Protected Health Information as necessary to perform the services it provides to Covered Entity and Users and as otherwise set forth in the Agreement.

(b) Business Associate may use or disclose Protected Health Information as required by law.

(c) Business Associate may not use or disclose Protected Health Information in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity except for the specific uses and disclosures set forth below.

(d) Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.

(e) Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

(f) If necessary for the performance of services to Covered Entity, Business Associate may use PHI for de-identification under 45 CFR 164.514 or to provide data aggregation and analysis services to Covered Entity as permitted by 45 CFR 164.504.

Permissible Requests by Covered Entity

Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.

Termination

(a) Termination by Covered Entity. Covered Entity may terminate this Agreement with written notice to Business Associate if it determines that Business Associate has violated a material term of this Agreement. Alternatively, at its election, Covered Entity may provide Business Associate with written notice and afford Business Associate an opportunity to cure the alleged violation within the time specified by Covered Entity.

(b) Obligations of Business Associate Upon Termination.

Upon termination of this Agreement for any reason, Business Associate, with respect to Protected Health Information shall:

1. Return or, if instructed by Covered Entity, destroy all PHI if it is feasible to do so, in a manner consistent with HIPAA, except for PHI that is held by a User as contemplated by the Agreement.

2. If Business Associate determines that it is not feasible to return or destroy PHI, other than with respect to PHI retained by Users, Business Associate will notify Covered Entity in writing, including (1) a statement that Business Associate determined that it is not feasible to return or destroy the PHI in its possession, and (2) the specific reasons for such determination. Thereafter, Business Associate may retain the PHI and shall extend any and all protections, limitations and restrictions contained in the BAA to such PHI and shall limit further uses and/or disclosures of such PHI to the purposes that make its return or destruction not feasible for so long as Business Associate retains the PHI.

3. Recover any PHI in the possession of its subcontractors. If it is not feasible for Business Associate to obtain, from any subcontractor any PHI in possession of the subcontractor, Business Associate must provide a written explanation to Covered Entity and require the subcontractors to agree in writing to extend any and all protections, limitations and restrictions contained in this Agreement, and to limit any further uses and/or disclosures to purposes that make the return or destruction of the PHI infeasible for so long as the subcontractor retains the PHI.