Terms and Conditions of Use

Last Updated: 4 April 2022

These terms of use (this “Agreement”) constitute a legal agreement between you, either as an individual, company or other legal entity (in any capacity referred to herein as “Client”) and Keyfactor, Inc., a Delaware corporation (“Keyfactor”). If you are accepting this Agreement on behalf of your company or organization, you represent that you are authorized to accept these terms on behalf of such company or organization. This Agreement governs your use of Software, Keyfactor-Hosted Services, Client-Hosted Services, Documentation, Keyfactor Services and Professional Services (as those terms are defined below). Keyfactor and Client may be collectively referred to herein as the “Parties”, and each may be referred to individually as a “Party”.



“Affiliate” means any legal entity directly or indirectly controlling, controlled by, or under common control with a party hereto, for so long as such control lasts. Control of a legal entity shall exist through the: (i) direct or indirect control of more than 50% of the nominal value of the issued equity share capital of such legal entity; or (ii) control of more than 50% of such legal entity’s equity shares entitling the holders of such shares to vote for the election of directors or persons performing similar functions.

Aggregated Anonymized Data” means data and information derived from Client’s use of the Keyfactor Services that is used by Keyfactor in an aggregate and anonymized manner in order to improve the provision and operation of the Keyfactor Services.

Authorized User(s)” means Client’s employees, consultants, contractors, affiliates and agents (i) who are authorized by Client to access and use the Keyfactor Services under the rights granted to Client pursuant to this Agreement and (ii) for whom access to the Keyfactor Services has been purchased hereunder. For Keyfactor Services that are specifically designed to allow Client’s customers, suppliers or other third parties to access the Keyfactor Services to interact with Client, such third parties will be considered “Authorized Users” subject to the terms of this Agreement.

“CCPA” means the California Consumer Privacy Act of 2018, a sweeping piece of legislation designed to give California consumers increased control over their Personal Information and which requires that affected companies comply with certain requirements, facilitate consumer data requests, update their privacy policies and assure that their vendors comply as well.

Client Data” means, other than Aggregated Anonymized Data, information, data, and other content, including Client Personal Data (as that term is defined in the GDPR) and/or Client Personal Information (as that term may be defined in the CCPA, PIPEDA and/or other U.S. state-based legislation or comparable legislation in Canada), in any form or medium, that is submitted, posted, or otherwise transmitted by or on behalf of Client or an Authorized User through the Keyfactor Services.

Client-Hosted Services” means Keyfactor Services accessed by Client through use of downloaded Software.

Data Protection and Privacy Laws”  means all federal, state, provincial, foreign, national and international laws, rules, regulations, directives and governmental or data protection authority decisions, in each case, having the force of law, applicable to the collection, processing, use, storage, transmission and/or disclosure of Personal Data, Personal Information, personally identifiable information, sensitive personal information and Special Categories of Personal Data, including, without limitation, the GDPR, the Privacy and Electronic Communications Directive 2002, as amended (or “ePrivacy Directive”), the (UK) Data Protection Act 2018, the UK GDPR (2021), the (Swiss) Federal Act on Data Protection of 19 June 1992, The Privacy Act (Australia) 1988, PIPEDA, the California Consumer Privacy Act of 2018 (“CCPA”), Japan Act on the Protection of Personal Information Protection (“APPI”), theColorado Privacy Act, the Virginia Consumer Data Protection Act (“VCDPA”) and the Utah Consumer Privacy Act, etc., all of which as they may be amended, supplemented and/or superseded from time to time.

Documentation” means Keyfactor’s user manuals, handbooks, and guides relating to the Keyfactor Services provided by Keyfactor to Client either electronically or in hard copy form/end user documentation relating to the Keyfactor Services.

“Effective Date” means the date Client’s subscription begins pursuant to the terms of the applicable Order Form.

“Force Majeure Event” shall have the meaning given in Section 9(c).

“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as may be amended from time to time, which lays down rules relating to the protection of natural persons with regard to the processing of Personal Data and rules relating to the free movement of personal data.

Intellectual Property Rights” means copyrights (including rights in software), patents, trademarks, trade names, service marks, business names (including internet domain names), design rights, database rights, semi-conductor topography rights, rights in undisclosed or confidential information (such as know-how, trade secrets and inventions, whether patentable or not) and all other intellectual property or similar proprietary rights of whatever nature (whether registered or not and including applications to register or rights to apply for registration) which may now or in the future subsist anywhere in the universe.

“Keyfactor Cloud Service” means the combination of hardware and software owned, licensed, subscribed to, or managed by Keyfactor to which Keyfactor grants Client and Authorized Users access as part of the Keyfactor-Hosted Services that are described in an Order Form.

“Keyfactor-Hosted Services” means Keyfactor Services accessed by Client through the Keyfactor Cloud Service.

Keyfactor IP” means the Keyfactor Services, the Documentation, and any and all intellectual property provided to Client or any Authorized User in connection with the foregoing, including, but not limited to the Keyfactor platforms and related integration. For the avoidance of doubt, Keyfactor IP includes Aggregated Anonymized Data and any information, data, or other content derived from Keyfactor’s monitoring of Client’s access to or use of the Keyfactor Services but does not include Client Data.

“Keyfactor Services” means the services described in an Order Form.

“Order Effective Date” means the date Client’s subscription begins pursuant to the terms of the applicable Order Form.

“Order Form” means ordering documentation used to purchase Software, Keyfactor-Hosted Services, Client-Hosted Services, Keyfactor Services and/or Professional Services. For the avoidance of doubt, the term Order Form shall include any ordering instrument—whether a Keyfactor sales order form or quote provided to Client directly, or an invoice or other ordering document provided to Client by a Keyfactor-authorized reseller, if applicable—that Client and Keyfactor and/or Client and the authorized reseller utilize to facilitate Client’s purchase of the applicable Software or Services.

“Personal Data” means any information relating to an identified or identifiable natural person (i.e., Data Subject) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

“PIPEDA” means the Personal Information Protection and Electronic Documents Act, as may be amended from time to time, a Canadian Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions.

“Professional Services” means the professional services described in any Statement of Work that may be agreed to between Client and Keyfactor. Professional Services shall be limited to training, implementation and implementation related services as well as any comparable services to which the Parties may agree from time to time. In the event Client desires to engage Keyfactor to provide consulting services, data management services or for the creation of custom deliverables, Client and Keyfactor shall enter into an amendment to this Agreement and a new Order Form for such services.

“Purchase Order” means any order that Client issues to Keyfactor under this Agreement for the purpose of purchasing Keyfactor Services.

“Software” means downloadable software utilized for providing Client-Hosted Services.

“Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses for the transfer of personal data to third countries as published in the Decision of the European Commission of 4 June 2021 (Decision 2021/914) pursuant to the General Data Protection Regulation (EU) 2016/679.

Statement of Work” means a document that establishes the scope of Professional Services to be performed, defines the context, describes specific tasks, activities and deliverables, and identifies the responsibilities of the Parties.

“Term” shall have the meaning given in Section 7(a).


A. Access to the Keyfactor Services. The Keyfactor Services may be provided as either Client-Hosted Services or Keyfactor-Hosted Services, as designated in the applicable Order Form. Keyfactor shall provide to Client the passwords and network links, as applicable, necessary to enable Client to access the Keyfactor Services. Subject to and conditioned on Client’s payment of fees and compliance with all other terms and conditions of this Agreement, Keyfactor hereby grants Client a non-exclusive, non-transferable [except in compliance with Section 9(g)] internal license to access and use the Keyfactor Services during the Term, solely for use by Authorized Users in accordance with the terms and conditions herein. Where the Keyfactor Services have been offered as a Keyfactor-Hosted Service, that license will extend to the use of the Keyfactor Cloud Services environment for the term of that Keyfactor Service as set forth in the Order Form. If Client is subscribing to Client-Hosted Services, subject to the terms and conditions of this Agreement, Keyfactor grants Client a non-exclusive, non-sublicensable and non-transferable license to install and use the Software during the Term in accordance with this Agreement and the Documentation. Client-Hosted Services may only be downloaded to the number of Client’s servers authorized in the Order Form, and they may not be replicated.

B. Documentation License. Subject to the terms and conditions contained in this Agreement, Keyfactor hereby grants to Client a non-exclusive, non-sublicensable, non-transferable [except in compliance with Section 9(g)] license to use the Documentation during the Term solely for Client’s internal business purposes in connection with its use of the Keyfactor Services. Client may, for the purposes of training, translation, Client’s internal backup, operational support or internal distribution, as well as any other business purpose reasonably related to the Client’s use of the Keyfactor Services under the Agreement, copy or allow others to copy any part of the Documentation or other printed material provided with the Keyfactor Service.

C. Use Restrictions. Client shall not, and shall procure that its Authorized Users shall not, use the Keyfactor Services for any purpose beyond the scope of the access granted in this Agreement. Client shall not at any time, either directly or indirectly, and shall not permit any person to:

1. Copy, modify, or create derivative works or improvements of the Keyfactor Services or Documentation, in whole or in part;
2. Rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Keyfactor Services or Documentation;
3. Reverse engineer, disassemble, decompile, decode, adapt, make machine code human readable or otherwise attempt to derive or gain access to any software component of the Keyfactor Services, in whole or in part;
4. Remove any proprietary notices from the Keyfactor Services or Documentation;
5. Use the Keyfactor Services or Documentation in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any person, or that violates any applicable law;
6. Permit anyone who is not an Authorized User to access or use the Keyfactor Services, including for purposes of accessing or using any data, information or reports generated by the Keyfactor Services;
7. Falsely imply any sponsorship or association with Keyfactor;
8. Commercially exploit the Keyfactor Services or provide access to such Services to third parties without Keyfactor’s prior written authorization;
9. Introduce, transmit or store malicious or harmful code in the Keyfactor Services;
10. Create, benchmark, gather or use intelligence from or about the Keyfactor Services for a competitive offering;
11. Infringe upon or misappropriate another’s IPR, Personal Information or Personal Data, including, without limitation, by failing to obtain such third party’s permission to upload, transfer or display works of authorship into the Keyfactor Services; or
12. Fail to comply with any laws, rules or regulations applicable to Client’s or its Authorized Users’ use of the Keyfactor Services.


Keyfactor reserves the right to take appropriate measures—up through and including termination of the Services—following Client’s or an Authorized User’s violation of any provision of this Section. Should Client fail to address and resolve such violation upon the expiration of thirty (30) days’ notice, Keyfactor may terminate its Agreement with Client and reserves the option to pursue any additional remedies available.

D. Hosting Restrictions. Client agrees that it will not knowingly or intentionally use or permit the use of the Keyfactor Services—including by uploading, emailing, posting, publishing or otherwise transmitting any material, whether Client Data, Keyfactor Service-generated work product or report, third-party content, or other data—for any purpose that may:

1. Menace or harass any person or cause damage or injury to any person or property;
2. Involve the publication of any material that it knows to be false, defamatory, harassing or obscene;
3. Violate privacy rights or promote bigotry, racism, hatred or harm;
4. Constitute unsolicited bulk e-mail, “junk mail”, “spam” or chain letters;
5. Constitute an infringement of intellectual property or other proprietary rights;
6. Frame, scrape, link or mirror any content forming a part of the Keyfactor Service, other than Client’s own intranets or otherwise for its own internal use;
7. Result in the upload to the Keyfactor Service or use of the Keyfactor Service to send or store viruses, worms, time-bombs, Trojan horses or other harmful or malicious code; or
8. Otherwise violate applicable laws, ordinances or regulations.


In addition to any other rights afforded to Keyfactor under this Agreement, Keyfactor reserves the right, but has no obligation, to take remedial action (up through and including removing offensive material, disabling access to such material and/or terminating its Agreement with Client). Keyfactor shall not be liable for any losses in business, customers, revenue, time, etc., that Client may incur should Keyfactor take such action. Client shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness and ownership of all Client Data.

E. Reservation of Rights. Keyfactor reserves all rights not expressly granted to Client in this Agreement. Except for the limited rights and licenses expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Client or any third party any Intellectual Property Rights or other right, title, or interest in or to the Keyfactor IP.

F. Suspension. Notwithstanding any provision in this Agreement to the contrary, Keyfactor may suspend Client’s and any Authorized User’s access to any portion or all of the Keyfactor Services if Keyfactor determines that:

1. Client’s or an Authorized User’s access to or use of the Keyfactor Services is the source of a threat to or attack upon any Keyfactor IP;
2. Client’s or any Authorized User’s use of the Keyfactor IP materially: (a) violates the license terms; or (b) disrupts or poses a security risk to the Keyfactor IP or to any other Client or vendor of Keyfactor;
3. Client, or any Authorized User, is using the Keyfactor IP for fraudulent or illegal activities;
4. Subject to applicable law, Client has ceased to continue its business in the ordinary course, made an assignment for the benefit of creditors or similar disposition of its assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution, or similar proceeding; or
5. Keyfactor’s provision of the Keyfactor Services to Client or any Authorized User is prohibited by applicable law.


In the event of a suspension of service pursuant to this Section 2, Keyfactor shall immediately provide written notice of the service suspension to Client and provide updates regarding resumption of access to the Keyfactor Services following any service suspension. Keyfactor shall resume providing access to the Keyfactor Services immediately after it receives confirmation that the event giving rise to the service suspension is cured. Keyfactor will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Client or any Authorized User may incur as a result of a service suspension in accordance with this Section 2.


A. General. Client is responsible and liable for all uses of the Keyfactor Services and Documentation that arise out of Client’s provision of access to such Services and Documentation to Client’s employees and other Authorized Users. The foregoing clause applies whether Client provides direct or indirect access to Keyfactor Services to such Authorized Users and whether Client’s provision of such access or use is permitted in conformity with or in violation of the provisions of this Agreement. Without limiting the generality of the foregoing, Client is responsible for all acts and omissions of Authorized Users as it relates to their access to and use of Keyfactor Services. Any act or omission by an Authorized User that would constitute a breach of this Agreement if undertaken by Client will be deemed a breach of this Agreement by Client. Client shall use commercially reasonable efforts to make all Authorized Users aware of this Agreement’s provisions as applicable to such Authorized User’s use of the Keyfactor Services and shall use commercially reasonable efforts to cause Authorized Users to comply with such provisions.

B. Payment of Fees. Client agrees to pay all fees in accordance with each Order Form. If Client purchases Keyfactor Services through a reseller, Client agrees that it will pay the reseller in keeping with the fee structure and timeframe established and agreed upon in the contract between Client and the reseller. Client further acknowledges and agrees, however, that Keyfactor may suspend and/or terminate Client’s rights to use Keyfactor Services if: (i) Client fails to pay all fees directly to Client in accordance with each applicable Order Form; or, (ii) if Client purchases access to the Keyfactor Services through a reseller, Client fails to pay such reseller for the Services in the timeframe and in the amounts to which the parties have agreed.


A. From time to time during the Term, either Party may disclose or make available to the other Party information about its business affairs, products, customers, services, confidential intellectual property, trade secrets, third-party confidential information, Personal Information, Personal Data and other sensitive or proprietary information. Such information, all of which the Parties shall treat as confidential, may be disclosed or made available to the receiving Party in any of the following formats: orally, in writing or media-based; electronic, paper-based or other form; and marked “confidential” or unmarked, designated confidential or not so designated, or identified as “confidential” or not so identified (collectively, “Confidential Information”). For the avoidance of doubt, Confidential Information shall include any information that a receiving Party knows or should reasonably recognize and understand to be confidential and/or proprietary owing to, by way of example but not limitation, the circumstances surrounding the other Party’s disclosure of the information or the character or nature of the information. Confidential Information does not mean and shall not include information that, at the time of disclosure is:

1. In the public domain in the absence of the receiving Party’s breach of any obligation owed to the disclosing Party and in the absence of any wrongdoing by the receiving Party or any third party;
2. Rightfully in the possession of the receiving Party prior to disclosure by the disclosing Party;
3. Lawfully obtained by the receiving Party on a non-confidential basis from a third party; or
4. Independently developed by the receiving Party without reference to the disclosing Party’s Confidential Information.


B. The receiving Party shall not disclose the disclosing Party’s Confidential Information to any person or entity, except to the receiving Party’s employees or other Authorized Users who need to know the Confidential Information in order to enable the receiving Party to exercise its rights or perform its obligations under this Agreement. The receiving Party is, however, permitted to disclose relevant aspects of such Confidential Information to its officers, employees, attorneys and auditors by a public accounting firm and/or law enforcement agencies, on a need-to-know-basis, in order to perform its obligations under the Agreement, provided that the receiving Party obligates all such persons or entities to protect the Confidential Information to at least the same extent as required under this Section 4 (including during the terms of their employment or engagement and thereafter). The receiving Party shall implement technical, managerial, organizational and operational measures to mitigate risks and implement the controls necessary to protect the confidentiality of the other Party’s Confidential Information. Such controls shall be no less protective than those measures it uses to protect the confidentiality of its own confidential or proprietary information of a similar nature (and, in no event, less than commercially reasonable measures). The receiving Party shall give the disclosing Party notice immediately upon learning of any unauthorized use or disclosure of Confidential Information. Notwithstanding the foregoing, each Party may disclose Confidential Information to the limited extent required:

1. To comply with the order of a court, other governmental or regulatory body, or as otherwise necessary to comply with applicable law, provided that the Party making the disclosure pursuant to the order shall first have given sufficient written notice to the other Party to allow such Party an opportunity to obtain a protective order. Failing that, the Party making the disclosure shall also make a commercially reasonable effort to obtain a protective order on behalf of the other Party. To the extent not prohibited by law, the receiving Party shall promptly provide to the disclosing Party notice of all available details of the legal requirement and shall reasonably cooperate with the disclosing Party’s efforts to challenge the disclosure, seek an appropriate protective order, or pursue such other legal action as the disclosing Party may deem appropriate.; or
2. To enforce a Party’s rights under this Agreement, including to make required court filings.


C. On the expiration or termination of this Agreement, the receiving Party shall, at the disclosing Party’s written election, promptly return to the disclosing Party all copies, whether in written, electronic, or other form or media, of the disclosing Party’s Confidential Information, and/or destroy all such copies and upon request of the disclosing Party certify in writing to the disclosing Party that such Confidential Information has been destroyed. Each Party’s obligations of non-disclosure with regard to Confidential Information are effective as of the Effective Date and will expire five (5) years from the date first disclosed to the receiving Party; provided, however, that, with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), such obligations of non-disclosure will survive the termination or expiration of this Agreement for as long as such Confidential Information remains subject to trade secret protection under any applicable law worldwide.

D. Where the receiving Party may be considered a Processor or Sub-Processor (as those terms may be defined and/or understood under the GDPR), such receiving Party shall implement appropriate technical and organizational measures to provide an adequate level of security and protect Personal Data against unauthorized or unlawful processing or a Personal Data Breach as those terms are defined in the GDPR.


A. Keyfactor IP.Client acknowledges that, as between Client and Keyfactor, Keyfactor owns all right, title, and interest, including all Intellectual Property Rights, in and to the Keyfactor IP, including, but not limited to, the Keyfactor platforms and related integrations.

B. Client Data. Keyfactor acknowledges that, as between Keyfactor and Client, Client owns all right, title, and interest, including all Intellectual Property Rights, in and to Client DataClient hereby grants to Keyfactor a non-exclusive, royalty-free, worldwide license to reproduce, distribute, transmit, store and otherwise use and display Client Data and perform all acts with respect to Client Data as may be necessary for Keyfactor to provide the Keyfactor Services to Client, and a non-exclusive, perpetual, irrevocable, royalty-free, worldwide license to reproduce, distribute, modify, and otherwise use and display Client Data incorporated within the Aggregated Anonymized Data.

C. Trademarks and Logos. Except where otherwise stated in an Order Form, Client hereby grants Keyfactor the right to utilize Client’s name, logo and/or trademarks—as well as statements and/or testimonials about Client’s experience(s) with Keyfactor and Keyfactor Services—for reference purposes and in connection with certain promotional materials that Keyfactor may disseminate to the public (e.g., advertising, print marketing and online marketing materials). Keyfactor may utilize Client’s name, logo and trademarks without providing notice to Client of its intent to do so or requesting Client’s consent.

D. Feedback. From time to time, Client may choose to submit comments, information, questions, data, ideas, description of processes, or other information to Keyfactor, including in the course of receiving support or maintenance (“Feedback”). Keyfactor may in connection with any of its products or services freely use, copy, disclose, license, distribute and exploit any Feedback in any manner without any obligation, royalty or restriction based on intellectual property rights or otherwise. No Feedback will be considered Client’s Confidential Information, and nothing in this Agreement limits Keyfactor’s right to independently use, develop, evaluate, or market products, whether incorporating Feedback or otherwise.


A. Keyfactor’s Indemnification of Client.

  1. Keyfactor shall indemnify, defend, and hold harmless Client from and against any and all losses, damages, liabilities, costs (including reasonable attorneys’ fees) (”Losses”) incurred by Client resulting from any third-party claim, suit, action, or proceeding (”Third-Party Claim”) arising out of an allegation that the Keyfactor Services, or any use of the Keyfactor Services in accordance with this Agreement, infringes or misappropriates such third party’s Intellectual Property Rights, provided that Client promptly notifies Keyfactor in writing of the claim, cooperates with Keyfactor, and allows Keyfactor to exercise sole authority to control the defense and settlement of such claim.
  2. If such a claim is made or appears possible, Client agrees to permit Keyfactor, at Keyfactor’s sole discretion, to: (a) modify or replace the Keyfactor Services, or component or part thereof, thereby rendering it non-infringing; or (b) obtain the right for Client to continue use of the Keyfactor Services. If Keyfactor determines that it cannot make either alternative available through commercially reasonable efforts, Keyfactor may terminate this Agreement, in its entirety or with respect to the affected component or part, effective immediately on written notice to Client.
  3. This Section 6(a) will not apply to the extent that the alleged infringement arises out of: (a) Client’s or an Authorized User’s use of the Keyfactor Services in combination with data, software, hardware, equipment, or technology neither provided by Keyfactor nor authorized by Keyfactor in writing; (b) Client’s or an Authorized User’s modifications to the Keyfactor Services that are neither developed nor authorized in writing by Keyfactor; (c) Client’s or an Authorized User’s performance work upon or in connection with the Keyfactor Services at Client’s or an Authorized User’s detailed instruction or in accordance with the Client’s or an Authorized User’s specified design in the absence of Keyfactor’s express written authorization or instruction; or (d) Client’s or an Authorized User’s access, use, processing, storage and/or transfer of that which Client purports to be Client Data but which, in fact, constitutes third-party intellectual property, confidential information, Personal Information or Personal Data that such third party has not authorized Client to process in the Keyfactor Services.


B. Client’s Indemnification of Keyfactor.

Client shall indemnify, hold harmless, and, at Keyfactor’s option, defend Keyfactor from and against any Losses resulting from any Third-Party Claim that Client Data, or any use of Client Data in accordance with this Agreement, infringes or misappropriates such third party’s Intellectual Property Rights and any Third-Party Claims based on Client’s or any Authorized User’s:

1.   Negligence or willful misconduct;
2.   Use of the Keyfactor Services in a manner not authorized by this Agreement;
3.   Use of the Keyfactor Services in combination with data, software, hardware, equipment or technology not provided by Keyfactor or authorized by Keyfactor in writing; or
4.    Modifications to the Keyfactor Services not made by Keyfactor;


provided that Client may not settle any Third-Party Claim against Keyfactor unless Keyfactor consents to such settlement, and further provided that Keyfactor shall have the right, at its option, to defend itself against any such Third-Party Claim or to participate in the defense thereof by counsel of its own choice.

C. Sole Remedy/Limitation of Liability.






D. SaaS Representations and Warranties. Keyfactorrepresents and warrants to Client that Keyfactor: (i) has the right, power, and ability to enter into and perform under this Agreement; (ii) has all necessary rights to grant the rights that it has granted to Client and its Authorized Users under this Agreement; (iii) will perform and provide all Services contemplated under this Agreement in compliance with all applicable laws; and (iv) will maintain all licenses, permits and other permissions necessary to provide the Services. Keyfactor further warrants that the Keyfactor-Hosted Services will substantially conform in all material respects with the provisions of the Documentation. Keyfactor may modify the Documentation in its sole discretion, provided that Keyfactor shall not materially decrease the functionality of the Services during the Term. As Client’s sole and exclusive remedy and Keyfactor’s entire liability for any breach of this Section 6.D (SaaS Representations and Warranties), Keyfactor will: (i) use reasonable efforts to fix, provide a work around, or otherwise repair or replace the Services affected; or (ii) if unable to provide a solution described in Section 6.D.i, terminate the Order(s) affected, portion(s) of the Order(s) affected, or this Agreement, if applicable, and refund to Client (or the authorized reseller) a pro rata amount of the fees paid to Keyfactor for the applicable unused subscription Term of the defective Services.


A. Term. The initial term of an Order Form executed pursuant to this Agreement begins on the Order Effective Date set forth in the Order Form and, unless terminated earlier pursuant to this Agreement’s express provisions, will continue in effect for the specified number of years from such date described therein (i.e., the “Initial Term”). This Agreement, and any active Order Form(s), shall automatically renew for succeeding Terms equal to the length of the Initial Term (each a “Renewal Term”) unless either Party provides written notice to the other at least sixty (60) days prior to the expiration of any Current Term of such Party’s intention not to renew.

B. Termination. In addition to any other express termination right set forth in this Agreement:

 1. Keyfactor may terminate this Agreement, effective on written notice to Client, if Client breaches any of its obligations under Section 2 (Access and Use) or Section 4 (Confidential Information).
 2. Either Party may terminate this Agreement, effective on written notice to the other Party, if the other Party materially breaches this Agreement, and such breach: (a) is incapable of cure; or (b) being capable of cure, remains uncured thirty (30) days after the non-breaching Party provides the breaching Party with written notice of such breach.
 3. Either Party may terminate this Agreement, effective immediately upon written notice to the other Party, if the other Party: (a) becomes insolvent or is generally unable to pay, or fails to pay, its debts as they become due; (b) files or has filed against it, a petition for voluntary or involuntary bankruptcy or otherwise becomes subject, voluntarily or involuntarily, to any proceeding under any domestic or foreign bankruptcy or insolvency law; (c) makes or seeks to make a general assignment for the benefit of its creditors; or (d) applies for or has appointed a receiver, trustee, custodian, or similar agent appointed by order of any court of competent jurisdiction to take charge of or sell any material portion of its property or business.


C. Effect of Expiration or Termination.

  1. Client’s Obligations to Keyfactor. Upon expiration or earlier termination of this Agreement, Client shall immediately discontinue use of the Keyfactor IP. Without limiting Client’s obligations under Section 2 (Access and Use) or Section 4 (Confidential Information) of this Agreement, Client shall, at Keyfactor’s written election, delete, destroy, and/or return all copies of the Keyfactor IP. Client shall also, upon Keyfactor’s request, certify in writing to Keyfactor that the Keyfactor IP has been deleted or destroyed.
  2. Keyfactor’s Obligations to Client. Keyfactor shall, whether upon expiration or earlier termination of this Agreement, immediately discontinue use of the Client Data. Without limiting Keyfactor’s obligations under Section 4 of this Agreement, Keyfactor shall, at Client’s written election, delete, destroy, and/or return all copies of the Client Data. Keyfactor shall also, upon Client’s request, certify in writing to Client that the Client Data has been deleted or destroyed.


D. Survival. This Section 7 (Survival) and Sections 1 (Definitions), 4 (Confidential Information), 5 (Intellectual Property Ownership; Feedback), 6 (Indemnification), 8 (Security/Privacy) and 9 (Miscellaneous) survive any termination or expiration of this Agreement. No other provisions of this Agreement survive the expiration or earlier termination of this Agreement. In the event of a conflict between the Section numbers referenced herein and the name of the Section (in parenthesis), the latter shall prevail.


A. Security. Keyfactor implements security procedures to help protect Client Personal Data and Client Personal Information against security attacks. Subject to Keyfactor’s taking commercially reasonable measures to secure Client Personal Information as well as appropriate technical and organizational measures to secure Client Personal Data for transport, however, Client understands that use of the Keyfactor Services necessarily involves transmission of Client Personal Data and Client Personal Information over networks that are not owned, operated or controlled by Keyfactor. Notwithstanding the foregoing, Keyfactor acknowledges and confirms that it has in place and will maintain throughout the term of this Agreement appropriate technical and organizational measures to help secure Client Personal Data against accidental, unauthorized or unlawful processing, destruction, loss, damage or disclosure as well as adequate security programs and procedures to ensure that unauthorized persons or parties do not have access to any equipment used to process such information or data. Keyfactor also agrees that it shall:

1. Scan the Keyfactor Services for any code or device which is designed or intended to impair the operation of any computer or database or prevent or hinder access to, or the operation of, any program or data, using detection software generally accepted in the industry;
2. Secure its computing environments according to generally accepted industry standards to ensure that the Keyfactor Services cannot be accessed by any unauthorized person or malicious software; and
3. Promptly remedy and notify Client of any security breach of Client Personal Information or Personal Data Breach of Client Personal Data about which Keyfactor becomes aware.


B. Privacy. The Parties acknowledge that, in addition to other data protection legislation that may govern Keyfactor’s processing of Client Personal Information, personally identifiable information or Client Personal Data (as those terms are defined in applicable regulatory frameworks), the GDPR, the CCPA and/or PIPEDA may apply to some or all of the Client Personal Data or Client Personal Information. Where Client Personal Data includes the Personal Data of citizens and/or residents of the European Union, European Economic Area, United Kingdom and/or Switzerland, the Parties agree that they will enter into the Standard Contractual Clauses, and/or other applicable transfer mechanisms, prior to transferring such Personal Data outside the territorial boundaries of those regions or countries. Client Data may include Personal Information and/or Personal Data such as names, contact details, location data, online identifiers (e.g., IP addresses), among other types of Personal Information and/or Personal Data. Consequently, the Parties agree to the following:

1. Keyfactor may, by way of example and without limitation, be acting as the Processor of such Client Personal Data as that term is defined under the GDPR. Keyfactor shall comply with all applicable Data Protection and Privacy Laws in the processing of Client Personal Data. Keyfactor shall not process Client Personal Data other than on Client’s documented instructions unless processing is required by applicable laws to which Keyfactor is subject, in which case Keyfactor shall, to the extent permitted by applicable law, inform Client of that legal requirement before the relevant processing of that Client Personal Data.
2. Keyfactor shall give Client prior written notice of the appointment of any new Sub-Processor that would possess access to Client Personal Data, including full details of the processing to be undertaken by the Sub-Processor. If, within fourteen (14) days of Keyfactor’s issuance of such notice, Client should notify Keyfactor in writing that it objects to the proposed appointment, Keyfactor shall work with Client in good faith to make available a commercially reasonable change in the provision of the Keyfactor Services which circumvents the use of that proposed Sub-Processor. Where Keyfactor cannot effectuate such a change within fourteen (14) days of Keyfactor’s receipt of Client’s notice, Client may, by written notice to Keyfactor with immediate effect, terminate the Agreement to the extent that it relates to the Keyfactor Services that require the use of the proposed Sub-Processor.
3. Keyfactor shall ensure that the arrangement between Keyfactor and any Sub-Processor that is governed by a written contract includes terms that offer at least the same level of protection for Client Personal Data as those set out in this Agreement.
4. Keyfactor shall, taking into account the nature of the processing and by appropriate technical and organizational measures, assist Client with responding to data subjects’ requests to exercise their rights under the Data Protection and Privacy Laws. Keyfactor shall promptly notify Client if it receives a request from a data subject under any Data Protection and Privacy Law in respect of Personal Data contained in Client Data. Keyfactor shall also refrain, with the exception of acknowledging receipt of the same, from responding to such requests except on the documented instructions of Client or as required by applicable laws to which Keyfactor is subject. In such an event, Keyfactor shall, to the extent permitted by applicable laws, inform Client of that legal requirement before Keyfactor responds to the request.
5. Keyfactor shall, taking into account the nature of the processing and the information available to Keyfactor, provide reasonable assistance to Client in ensuring compliance with the Parties’ obligations pertinent to securing Client Personal Data, breach notification matters and data protection impact assessments, where and to the extent applicable.
6. Keyfactor represents and warrants that it will perform the Services in a manner that complies with applicable laws and regulations. Keyfactor will also notify Client in writing and without undue delay if it becomes aware of a Personal Data Breach involving Client Personal Data.


A. Entire Agreement. This Agreement, and any other document(s) incorporated herein by reference, constitute the sole and entire agreement of the Parties with respect to the subject matter of this Agreement. Such Agreement supersedes all prior and contemporaneous understandings, agreements, and representations and warranties, whether written or oral, with respect to such subject matter. In the event of any inconsistency between the statements made in the body of this Agreement and any other documents incorporated herein by reference, the provisions in the body of this Agreement shall govern.

B. Notices. All notices, requests, consents, claims, demands, waivers, and other communications hereunder (each, a “Notice”) must be in writing and addressed to the Parties at the addresses set forth in the Agreement or, if appropriate, the Order Form (or to such other address as a Party may designate by giving Notice to the other Party from time to time in accordance with this Section). All Notices must be delivered: (1) by personal delivery, nationally recognized overnight courier (with all fees pre-paid); or (2) email (with confirmation of receipt; or (3) via certified or registered mail (in each case, return receipt requested, postage pre-paid). Except as otherwise expressly provided in this Agreement, a Notice is effective only: (1) upon receipt and acknowledgment by the receiving Party; and (2) if the Party giving the Notice has complied with the requirements of this Section.

C. Force Majeure. Except for the obligation of payment, in no event shall either Party be liable to the other Party, or be deemed to have breached this Agreement, for any failure or delay in performing its obligations under this Agreement, if and to the extent such failure or delay is caused by any circumstances beyond such Party’s reasonable control. Such circumstances shall include, though not necessarily be limited to: acts of God; communication line failures; power failures; flood, fire, earthquake, explosion, other natural or man-made disasters; all occurrences similar to the foregoing; war, terrorism, invasion, riot or other civil unrest; strikes, labor stoppages or slowdowns, or other industrial disturbances; acts or failures to act of any governmental or regulatory body (whether civil, military, domestic or foreign); governmental regulations superimposed after the fact; proclamations by governmental, quasi-governmental or duly-recognized local, regional, national or international public health agencies or organizations pertaining to the emergence or re-emergence of epidemics or pandemics, or the implementation of associated quarantines; or passage of law or any action taken by a governmental or public authority, including imposing an embargo (any or all of the foregoing, a “Force Majeure Event”). The affected Party shall notify the other Party in writing within ten (10) days after the beginning of any such event that would affect its performance. Notwithstanding the foregoing, if a Party’s performance of its obligations under this Agreement is delayed for a period exceeding thirty (30) days from the date that such Party issues notice to the other Party about the occurrence of a Force Majeure Event, the non-affected Party shall have the right, without any liability to the other Party, to terminate this Agreement.

D. Equitable Relief. Each Party acknowledges and agrees that a breach by such Party of any of its obligations under Section 4 (Confidential Information) or, in the case of Client, Section 2 (Access and Use), would cause the other Party irreparable harm for which monetary damages would not be an adequate remedy. The Parties further agree that, in the event of such a breach, the other Party would be entitled to pursue equitable relief, including, where and to the extent permitted under applicable law, a restraining order, an injunction, specific performance and any other relief that may be available from a court of competent jurisdiction. The Party seeking relief would possess the right to do so without the necessity of: posting a bond or other security; proving actual damages; or proving that monetary damages are not an adequate remedy. Such remedies are not exclusive and would be available to the Party seeking relief in addition to all other remedies that may be available at law, in equity or otherwise.

E. Severability. Should any provision of this Agreement be held invalid, illegal or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability shall not affect the validity, legality or enforceability of any other term or provision of this Agreement, nor shall it invalidate or render unenforceable such term or provision in any other jurisdiction. Following a determination by any court or tribunal of competent jurisdiction that any term or other provision of this Agreement is invalid, illegal, or unenforceable, the Parties shall negotiate in good faith to modify such term or provision so as to achieve their original intent as closely as possible and in order that the transactions contemplated hereunder be consummated as originally contemplated to the greatest extent possible.

F. Governing Law; Submission to Jurisdiction. This Agreement is governed by and construed in accordance with the laws of the State of Ohio without giving effect to any choice or conflict of law provision or rule that would require or permit the application of the laws of any jurisdiction other than those of the State of Ohio. Any legal suit, action, or proceeding arising out of or related to this Agreement or the licenses granted hereunder will be instituted exclusively in the federal courts of the United States or the courts of the State of Ohio, in each case located in the city of Cleveland and County of Cuyahoga, and each Party irrevocably submits to the exclusive jurisdiction of such courts in any such suit, action, or proceeding.

G. Assignment. Neither Party may assign any of its rights or delegate any of its obligations hereunder to another party, in each case whether voluntarily, involuntarily, by operation of law or otherwise, without issuing prior notice of such Party’s intent to assign its obligations such other party; provided, however, that either Party shall have the right, upon written notice to the other Party, to assign this Agreement to any person or entity that acquires all or substantially all of such Party’s business or assets. For the avoidance of doubt, Keyfactor shall have the right to renegotiate the terms of this Agreement with any assignee entity and/or successor company should the size, scope, type and/or nature of the Keyfactor Services, or usage of such Keyfactor Services, change as a result of such assignment. The foregoing holds true whether the assignment occurs through a merger, acquisition, consolidation, sale or other transaction. Keyfactor also reserves the right to enter into new agreements with entities that emerge from Client as a result of partial or full divestitures. For the avoidance of doubt, Keyfactor’s consent to an assignment shall not constitute a waiver of any claims it may have under this Agreement nor shall Keyfactor’s consent otherwise amend or modify any of the terms and conditions of the Agreement. Any purported assignment or delegation in violation of this Section will be invalid. No assignment or delegation will relieve the assigning or delegating Party of any of its obligations hereunder. This Agreement is binding upon and inures to the benefit of the Parties and their respective permitted successors and assigns.

H. Export Regulation. The Keyfactor Services utilize software and technology that may be subject to United States export control laws, including the United States Export Administration Act and its associated regulations. Client shall not, directly or indirectly, export, re-export, or release the Keyfactor Services or the underlying software or technology to, or make the Keyfactor Services or the underlying software or technology accessible from, any jurisdiction or country to which export, re-export, or release is prohibited by law, rule, or regulation. Client shall comply with all applicable federal laws, regulations, and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), prior to exporting, re-exporting, releasing, or otherwise making the Keyfactor Services or the underlying software or technology available outside the United States.

I. Prohibition on Corrupt Practices.

  1. Each of the Parties represents, warrants, and undertakes that it shall not engage in corrupt, unfair or fraudulent practices in connection with the provision or use of the Keyfactor Services hereunder. Such practices shall include, though not be limited to, any circumstance in which a Party or an individual counted among its personnel or Authorized Users, either directly or indirectly, accepts bribes or makes offers, payments, or promises to pay money, gifts, or anything of value to any person, including, but not limited to, an executive, official, employee or agent of the following:
a) A governmental department, agency or instrumentality;
b) A wholly or partially government-owned or controlled or privately-owned or controlled company or business;
c) A political party (collectively, with (1) and (2) above, “Public Officials”); or
d) Any person about whom the Party or Authorized User knows or has reason to know will offer, pay or give all or a portion of such money, gift, or thing of value, whether directly or indirectly, to a Public Official, for the purpose of influencing any act, decision or failure to act by such person or other Public Officials or securing an improper advantage in order to obtain, retain or direct business.


  1. Each Party agrees that it will notify the other Party within five (5) business days should it discover that a member of its personnel or other Authorized User has tendered an offer, promise, or payment in violation of this Section. Each Party agrees that it will record any and all payments to governmental entity for permits, licenses, expediting charges, or any similar fees, and retain original receipts of all purchases from such governmental entities as well as, where available, scheduled rate cards for such fees. In addition to the foregoing, Keyfactor represents and warrants that:
a) The information provided to Client for the purpose of fulfilling its anti-bribery and corruption obligations is complete, accurate and not misleading;
b) It is not subject to sanctions; and
c) It is not the subject of any allegations of bribery or corruption.


  1. Keyfactor hereby agrees to notify Client immediately on learning Keyfactor or its personnel, directly or indirectly, are subject to regulatory enforcement or scrutiny, judicial or law enforcement investigation or litigation of any kind relating to corrupt (including bribery), unfair or fraudulent practices, including, but not limited to, in connection with the provision of Keyfactor Services hereunder.


J. Maintaining Adequate Procedures. It shall be a requirement that Keyfactor has in place and maintains its own adequate training, policy and procedures for the prevention of corrupt, unfair or fraudulent practices in connection with the provision of the Keyfactor Services hereunder. Keyfactor hereby agrees to:

1. Implement and maintain adequate training, policies and procedures for the prevention of corrupt (including bribery), unfair or fraudulent practices that meet or exceed the requirements to comply with applicable anti-bribery and corruption laws, rules and regulations; and
2. Notify Client of the absence or failing of training, policies and/or procedures relating to the prevention of corrupt (including bribery), unfair or fraudulent practices in connection with the provision of the Keyfactor Services hereunder.


K. Ethics and Social Responsibility. Each Party represents and warrants that it shall comply with all local, state, provincial, national and international laws applicable to such Party under the Agreement (including any amendments made to those laws during the term of this Agreement) pertaining to:

  1. Human rights and individual fundamental freedoms, including, by way of example, prohibitions against (a) child labor and any other form of forced or compulsory labor and (b) discrimination in the workplace as well as it such Party’s dealings with its suppliers or subcontractors;
  2. Embargoes, arms, drug trafficking and terrorism;
  3. Trade, import and export licenses and customs requirements;
  4. The health and safety of employees;
  5. Employment, immigration and the ban on the use of undocumented workers;
  6. Environmental protections;
  7. White-collar crime, including, without limitation, corruption, bribery, fraud, theft, misuse of company property, counterfeiting, forgery, use of falsified documents, and any related offenses;
  8. Anti-money laundering measures; and
  9. Antitrust and unfair competition laws.

Should Client require that Keyfactor perform work on Client’s premises, Keyfactor shall comply with applicable health, safety and/or security rules to which the Parties may subsequently agree in writing and shall procure that its own suppliers and subcontractors, as well as any other third party present on said site at Keyfactor’s request, shall also comply with such rules.

L. Amendment and Modification; Waiver. No amendment to or modification of this Agreement is effective unless it is in writing and signed by an authorized representative of each Party. No waiver by any Party of any of the provisions hereof will be effective unless explicitly set forth in writing and signed by the Party so waiving. Except as otherwise set forth in this Agreement:

1. No failure to exercise, or delay in exercising, any rights, remedy, power, or privilege arising from this Agreement will operate or be construed as a waiver thereof; and
2. No single or partial exercise of any right, remedy, power, or privilege hereunder will preclude any other or further exercise thereof or the exercise of any other right, remedy, power, or privilege.
3. The terms of this Agreement will supersede any conflicting portions in any Purchase Orders, work orders, schedules and/or addenda issued pertaining to the Keyfactor Services provided hereunder except where such documents have been reviewed, agreed upon and signed by duly authorized representatives of both Parties.