Medallia Master Subscription Agreement

last updated: June 2021

This Medallia Master Subscription Agreement (the “Agreement”) is effective as of the date it is published (the “Effective Date”) and is between CheckMarket B.V., a wholly owned subsidiary of Medallia, Inc. (“Medallia”) and the party that uses Medallia Products as defined herein (“Customer”). Medallia provides experience management products (the “Medallia Products”). This Agreement establishes the terms and conditions for the purchase and provision of subscriptions to Medallia Products and related professional services provided by Medallia (“Professional Services”).

1. Orders

a. General

This Agreement does not itself obligate the parties to purchase or provide subscriptions to Medallia Products or Professional Services. Such obligations will be documented in ordering documents that describe the relevant Medallia Products or Professional Services scope and the related fees (an “Order”). If Customer exceeds the usage provided in a trial offering or Order, Medallia will either (i) work with Customer to execute an Order for the excess usage; or (ii) curtail Customer’s access to the Medallia Products. An explicit conflict between these agreements will be resolved according to the following order of precedence: (1) an Order; and (2) this Agreement.

b. CheckMarket Trial Offerings

The scope of the trial offering is indicated in Customer’s trial registration. If Customer registers for a trial offering of Medallia Products and/or Professional Services, additional terms and conditions applicable to the trial may appear in the trial registration process. Any such additional terms are incorporated into this Agreement. Medallia reserves the right in its sole discretion to terminate or discontinue trial offerings at any time without prior notice.

Unless otherwise agreed in writing between the parties, all trials are (i) free of charge; (ii) have a term of thirty (30) days; and (iii) are limited to twenty-five (25) email invitations and twenty-five (25) respondents.

2. Provision of Medallia Products

Medallia will make Medallia Products available to Customer through the web browsers and mobile applications specified on the Order and will maintain the hardware and software necessary to provide Medallia Products. Details of the relevant Medallia Products and the applicable service level agreement and support terms will be as set forth in the applicable product, services descriptions, and relevant self-service documents (the “Documentation”). Medallia will provide Customer with access to every product improvement consistent with the scope established in the Order, when and if generally available.

3. Medallia Products and Professional Services Warranty

a. Express Warranties

Medallia Products will perform in a manner consistent with the Documentation, this Agreement and Order(s) (the “Solution Warranty”). Professional Services will be provided in a true and workmanlike manner, consistent with this Agreement and the Order (the “Services Warranty”). A trial offering is provided “as is” and any warranties, including the Solution Warranty and Services Warranty, are explicitly disclaimed.

b. Remedy for Failure of the Solution Warranty

Upon receipt of written notice of a Solution Warranty breach, Medallia will provide a correction at no charge. If Medallia cannot correct the breach within forty-five (45) days from receipt of the warranty notice, then Customer may terminate the affected Order at any time within the next thirty (30) days and receive: (i) if the breach notice was received fewer than ninety (90) days after the Effective Date, a refund of applicable subscription fees paid; or (ii) if the notice was received at any other time, a prorated refund of subscription fees from the date of the warranty notice. This is Customer’s sole and exclusive remedy for a breach of the Solution Warranty.

c. Remedy for Failure of the Professional Services Warranty

Upon receipt of written notice of a Services Warranty breach, Medallia will re-perform the Professional Services as necessary to correct the breach.  If Medallia cannot correct the breach within forty-five (45) days from receipt of the warranty notice, then Customer may terminate the affected portion of the Order at any time within the next thirty (30) days and receive a refund of Professional Services fees paid for nonconforming or unperformed Professional Services. This is Customer’s sole and exclusive remedy for a breach of the Professional Services Warranty.

d. Disclaimer of Other Warranties

EXCEPT AS EXPRESSLY PROVIDED HEREIN, AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MEDALLIA PROVIDES MEDALLIA PRODUCTS AND PROFESSIONAL SERVICES “AS IS,” MAKES NO WARRANTY OF ANY KIND EXPRESS OR IMPLIED WITH REGARD TO MEDALLIA PRODUCTS OR PROFESSIONAL SERVICES, AND DISCLAIMS ALL OTHER WARRANTIES, SUCH AS: (I) WITHOUT PREJUDICE TO CUSTOMER’S RIGHT TO SERVICE CREDITS, IF APPLICABLE, FOR A FAILURE TO MEET MEDALLIA’S UPTIME COMMITMENTS, ANY WARRANTY THAT MEDALLIA PRODUCTS AND PROFESSIONAL SERVICES WILL BE ERROR FREE OR UNINTERRUPTED; AND (II) THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.

4. Use of Medallia Products

a. General Obligations

Other than using Medallia Products and its functionalities under an Order or trial offering, Customer may not: (i) copy, modify, distribute, sell, or lease any part of Medallia Products or included software, or reverse engineer or attempt to extract the source code of that software, unless laws prohibit those restrictions; (ii) use Medallia Products functionality to infringe upon the intellectual property rights of others, or to commit an unlawful activity; and (iii) provide, make available to, or permit individuals other than Customer’s authorized users, to use or access the Medallia Products, in whole or in part.

b. Compliance Obligations

Customer will access Medallia Products only for its internal business purposes and will use industry standard practices to restrict the unauthorized use of Medallia Products credentials. Customer will be responsible for ensuring that its use of Medallia Products and the delivery of Customer Data to Medallia are allowed under applicable laws, regulations, and agreements. This responsibility includes but is not limited to: (i) ensuring that Customer’s use of Medallia Products is allowed by applicable law and does not violate any Customer privacy policy, terms-of-use or other agreements to which Customer is a party; (ii) securing and maintaining any required consents; (iii) ensuring the validity of any customer contact information provided to Medallia; and (iv) timely informing Medallia of opt out requests received after delivery of the Customer Data to Medallia.  Customer shall not configure Medallia Products to collect bank account numbers, payment card or credit card information, bank transaction information, government identification numbers including (but not limited to) social security numbers, state identification numbers, and passport numbers, and sensitive personal information including (but not limited to) religious beliefs, health, sexual orientation, race, and union membership and Medallia will not be liable for non-compliance under laws and regulations that applies to the processing of the foregoing categories of data. Customer assumes sole responsibility for results obtained from the use of the Medallia Products and for conclusions drawn or decisions taken from such use, and Customer relies on the results obtained from the use of the Medallia Products at their own risk.

c. Third Party Services

If Customer integrates, or directs Medallia to integrate, Medallia Products with any third party service (e.g., another Customer managed software solution) Customer acknowledges that such third party service might access, use or retain Customer Data and Customer permits the third party service provider to do so. Medallia shall not be responsible and liable for data transfers to third party services or the Customer’s use of any such services. If Customer uses any third party service in connection with Medallia Products or uses Medallia Products to link or direct online traffic to third-party websites, Customer shall ensure that such use complies with the terms of use of those third party services.

5. Ownership and Use Rights

a. Customer Data

As between Customer and Medallia, Customer retains all right, title and interest in all data delivered to Medallia by Customer or collected by Medallia on behalf of Customer (the “Customer Data”), including any personal data as defined by applicable data privacy laws (“Personal Data”). Customer grants Medallia a nonexclusive, worldwide, limited license to the Customer Data for the purposes of: (i) providing and improving Medallia Products and Professional  Services, provided that the improvements are not derived from the use of Personal Data; and (ii) developing and publishing broadly applicable experience management insights (such as industry experience management benchmarks, if applicable, provided that only aggregated or de-identified Customer Data is used).

b. Medallia Products

Medallia owns Medallia Products, including all features, functionalities, configurations, designs, templates, and other proprietary elements contained therein and all modifications, improvements, and derivative works thereof. Medallia will provide Customer with access to Medallia Products as described in the Order or trial offering (during the term set forth in the Order or trial offering) for its internal business purposes. If Customer uses a Medallia API or software developer kit (“SDK”), Medallia grants Customer a non-exclusive, worldwide, limited license for use of such API or SDK for the purpose of enabling Customer to use Medallia Products. Customer will not remove, obscure, or alter Medallia’s copyright notice, or other proprietary rights notices affixed to or contained within Medallia Products or any related documentation. Customer grants Medallia a worldwide, perpetual, exclusive, transferable, irrevocable, royalty-free license to use feedback provided by Customer to Medallia related to the Medallia Products and agrees that Medallia may incorporate similar development ideas to its products and services from such feedback.

c. Documentation

Medallia owns all right, title and interest in the Documentation and all derivative works thereof. Medallia grants Customer a non-exclusive, worldwide limited license to use and copy the Documentation for internal business purposes during the term of an Order or trial offering.

d. Trademarks

Customer grants Medallia a limited, non-exclusive license to mark Customer surveys and reports and Customer’s instance of Medallia Products with Customer’s trademarks, when requested by Customer and subject to Customer approval for consistency with its branding guidelines.

e. Reserved Rights

Customer and Medallia each reserve all intellectual property rights not explicitly granted herein.

6. Payments

a. Invoicing

Fees due and payable for Medallia Products and Professional Services will be stated on the Order or under the Billing tab via the Customer Account page if Customer purchases a plan via the CheckMarket website. Customer agrees to timely pay all fees. Fees are non-cancelable and non-refundable other than as explicitly stated in this Agreement.

b. Taxes

Invoiced amounts are payable in full, without reduction for transaction taxes (e.g., value added taxes, consumption taxes, goods and services taxes, GST/HST, excise, sales, use or similar taxes, and withholding taxes). Customer is required to pay all such transaction taxes, either directly or by increasing payments to Medallia to offset taxes that Customer is required to deduct from payments. If Medallia has a legal obligation to pay or collect such transaction taxes, the appropriate amount will be invoiced to and paid by Customer, unless Customer provides Medallia with a valid tax exemption certificate.

7. Term and Termination

a. Term

The term of this Agreement is from the Effective Date through the later of: (i) the last day of the trial offering; or (ii) the last to expire Order or subscription.

b. Termination for Cause

Either party may terminate this Agreement or Order within thirty (30) days upon the occurrence of either of the following: (a) in the event the other party fails to cure any material breach of this Agreement or the relevant Order within thirty (30) days after receipt of written notice; or (b) if the other party files or has filed against it any bankruptcy or similar proceeding or enters into any form of arrangement with its creditors that is not removed within sixty (60) days of filing.

c. Termination of CheckMarket Monthly Subscription

For Customers who have purchased a monthly subscription to CheckMarket, Customer may terminate its access to CheckMarket at any time, effective the following month, by effectuating termination by completing the requirements in the “Close My Account” tab under “My Account”.

d. Transfer of Customer Data Upon Termination

For trial offering Customers, until termination of this Agreement, Customer may download customer feedback collected through and, at the time of termination, stored within the Medallia Products. For customers under an Order Form, Medallia will make customer feedback collected through and, at the time of termination, stored within the Medallia products available for secure download by Customer in a standard flat file format for at least thirty (30) days (the “Data Transfer Period”). Within sixty (60) days of the end of the Data Transfer Period, Medallia will remove all Customer Data from Medallia Products.

8. Insurance

Medallia will maintain insurance policies providing at least the following coverage and will provide a certificate of insurance upon request:

  1. Technology Errors & Omissions / Professional liability with a limit of at least $5 Million;
  2. Cyber/Network and Information Security liability with a limit of at least $5 Million;
  3. Commercial General liability with a limit of at least $1 Million;
  4. Automobile liability with a limit of at least $1 Million;
  5. Workers Compensation and Employer’s liability with a limit of at least $1 Million;
  6. Umbrella liability with a limit of at least $5 million.

9. Privacy, Security, and Audits

a. Compliance with Data Protection Laws

In processing Personal Data in the Medallia Products and through the Professional Services to Customer, Medallia shall comply with relevant obligations under applicable privacy and data protection laws, including  the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts (201 CMR 17.00), the California Consumer Privacy Act of 2018 (the “CCPA”), and other applicable United States data protection laws at the state level, and implementing national legislation, and Regulation 2016/679 (also known as GDPR). Medallia shall not (i) sell Personal Data as defined under the CCPA, or (ii) retain, use, or disclose Personal Data for any purpose other than for the specific purpose of providing the Medallia products and performing Professional Services. .

b. Data Processing Agreement

Medallia offers a data processing agreement that defines Medallia’s and Customer’s obligations under GDPR, and includes the EU’s approved Standard Contractual Clauses for the handling of data collected in the European Economic Area and Switzerland outside of those areas. If Customer has a need for this agreement, Customer should request it from Customer’s Medallia account representative or accessing the agreement under the Customer Account page for Customers who have purchased CheckMarket.

c. Security Obligations

Medallia shall implement and maintain appropriate technical and organizational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of Customer Data, in accordance with Medallia’s security standards described in Exhibit A (Security Measures).

d. Security Incident Response

Medallia shall respond to Security Incidents as described in Exhibit A.

e. General Performance Audits

Customer may, no more than once per year, audit Medallia’s performance under this Agreement and each Order, and Medallia will maintain records sufficient for such audits, including service hours provided, uptime, and the results of security and disaster recovery tests.

f. Security Audits

Certain Medallia Products are regularly audited by independent third parties and/or internal auditors. Upon request, Medallia shall supply (on a confidential basis) a summary copy of its audit report(s), if applicable, as well as written responses (on a confidential basis), not more than once per year, to all reasonable security and audit questionnaires that are necessary to confirm Medallia’s compliance with this Agreement. Except with regard to trial offerings, Medallia shall permit Customer (or its appointed third party auditors) to carry out an audit of Medallia’s processing of Customer Data under this Agreement following: (i) a Security Incident or (ii) upon the instruction of a data protection authority.

g. Audit Procedure

Each audit requires at least thirty days’ prior notice, except in the event of a Security Incident or upon instruction of a data protection authority. Audits will take place on a mutually agreed date during Medallia’s normal business hours, and Customer will cause its representative or agent to employ such reasonable procedures and methods as are necessary and appropriate in the circumstances to minimize interference with Medallia’s normal business operations. Onsite audits are limited to two business days.

h. Data Collection

Medallia Products enable Customer to import and collect a wide range of information about Customer’s customers or end users. The types of data that are imported and collected in Medallia Products will be within Customer’s control, and will be specified during implementation and use of each product. Unless approved by Medallia’s data protection attorneys, Customer shall not configure the Medallia Products to collect bank account numbers, payment card or credit card information, bank transaction information, government identification numbers including (but not limited to) social security numbers, state identification numbers, and passport numbers, and sensitive personal information including (but not limited to) religious beliefs, health, sexual orientation, race, and union membership and Medallia will not be liable for non-compliance under laws and regulations that applies to the processing of the foregoing categories of data. This provision shall not apply to Protected Health Information as defined by HIPAA, as long as Customer has signed a Business Associate Agreement with Medallia.

10. Confidentiality

a. Controlling Statement of Obligations

The terms of this Confidentiality provision supersede any nondisclosure or confidentiality agreement entered into by the parties prior to the Effective Date of this Agreement.

b. Confidential Information

Confidential Information means all information provided by a disclosing party to a receiving party that a reasonable industry participant would deem to be confidential, including for example: (i) all information that is marked confidential; (ii) the terms of each Order; (iii) features and functionality of Medallia Products and related documentation; and (iv) Customer Data.

Confidential Information does not include information that is independently developed, that becomes public knowledge through no fault of the receiving party, or that is received from a third party under circumstances that do not create a reasonable suspicion that it has been misappropriated or improperly disclosed.

c. Use and Disclosure Restrictions

A receiving party will use commercially reasonable efforts to protect Confidential Information it receives and will use Confidential Information only as necessary to perform its obligations and exercise its rights under this Agreement and each Order. A receiving party will not disclose Confidential Information to third parties other than as permitted under this Agreement or as compelled by a court or regulator of competent authority (and then while taking all reasonable steps to inform the disclosing party prior to disclosure and to limit the scope of the disclosure).

11. Indemnification

a. Intellectual Property Indemnification by Medallia

Medallia will defend Customer against claims, causes of action, and investigations by third parties or government agencies and will pay the resulting judgments, fines, settlements, court costs, and attorneys fees (to “Indemnify”) for third party claims alleging that  Medallia Products infringe a third-party patent, copyright, or trademark or misappropriate a third-party trade secret, subject to the following limitations: (i) if the alleged infringement arises from a modification or alteration by Customer or the unauthorized use of Medallia Products; (ii) if the alleged infringement arises from a violation of Customer’s obligations in this Agreement and Documentation; or  (iii) if the alleged infringement arises from the combination or use of Medallia Products with any product or process not provided by Medallia, and if Medallia would not be liable for inducement or contribution for such infringement, then Medallia will have no obligation to Indemnify.

If Customer establishes a reasonable belief that use of Medallia Products will be enjoined, then Medallia will use commercially reasonable efforts to substitute the affected functionality with a non-infringing alternative or to procure a license to allow for the continued use of the affected functionality. If use of Medallia Products is enjoined and if Medallia has not provided a non-infringing alternative, then Customer may, within thirty (30) days of the date of the injunction, terminate the affected Order immediately upon written notice and receive a refund of the unused portion of prepaid fees.

b. Data Breach Indemnification by Medallia

Medallia will Indemnify Customer for third party claims arising from the improper access, use, or disclosure of personally identifiable Customer Data caused by: (i) Medallia’s breach of its obligations under this Agreement; or (ii) the willful misconduct or gross negligence of Medallia personnel or any third party under Medallia’s control (the “Data Indemnities”). To the extent that the Data Indemnities apply to any government agency fines or court judgments, the Data Indemnities only cover the amounts of any such fines or awards under such judgements that are directly attributable by the relevant government agency or court to the failure of Medallia to comply with its obligations under this Agreement and the DPA (where applicable).

c. Indemnification by Customer

Customer shall Indemnify Medallia from third-party claims arising out of: (i) Customer’s or any of its employees and agents  use of Medallia Products in violation of the terms  of this Agreement; and (ii) alleged  infringement of a third-party patent, copyright, or trademark or misappropriation of a third-party trade secret arising out of (A) an unauthorized modification or alteration by Customer of Medallia Products; or (B) an unauthorized combination or use of Medallia Products with any product or process not provided or authorized by Medallia.

d. Indemnification Requirements and Procedure

The party seeking indemnification (the “Indemnified Party”) will provide timely notice to the party from which it seeks indemnification (the “Indemnifying Party”)  (although untimely notice will relieve the Indemnifying Party of its indemnification obligations only commensurate with actual prejudice suffered as a result) and will provide reasonable assistance to Indemnifying Party at the Indemnifying Party’s  expense.  Except in relation to a claim, cause of action, investigation or enforcement activity (including any resulting fine) by a government agency under the Data Indemnities, the Indemnifying Party will have sole control over the defense, but the Indemnified Party will have the right to participate at its own cost.

The Indemnified Party shall take reasonable steps to mitigate the amount of any losses suffered as a result of an event that may give rise to a claim by the Indemnified Party against the Indemnifying Party.

The Indemnified Party will not admit liability, nor pay any amounts to third parties, without first obtaining the Indemnifying Party’s written consent (such consent to not be unreasonably withheld or delayed).

Where the Indemnified Party makes, or anticipates making, a claim relating to a claim, cause of action, investigation or enforcement activity (including any resulting fine) by a government agency, it must consult with the Indemnifying Party throughout such matter (including by way of provision of relevant documentation and correspondence) and have reasonable regard to any representations made by the Indemnifying Party to the government agency in respect of the matter and keep the Indemnifying Party informed as to the progression of the investigation or enforcement activity. This consultation must be made within sufficient time to enable the Indemnifying Party to respond before any final decision is made.

12. Limitation of Damages and Liability

a. Limitation of Damages

NEITHER PARTY WILL BE LIABLE TO THE OTHER FOR CONSEQUENTIAL, SPECIAL, INCIDENTAL, PUNITIVE, EXEMPLARY, OR INDIRECT DAMAGES OR FOR LOST PROFITS, LOST REVENUES, HARM TO GOODWILL, OR THE COSTS OF PROCURING REPLACEMENT SERVICES, REGARDLESS OF WHETHER SUCH DAMAGE WAS FORESEEABLE. THIS LIMITATION WILL APPLY TO ALL CLAIMS UNDER ALL THEORIES OF LAW AND EQUITY, EXCEPT WHERE PROHIBITED BY LAW.

b. Limitation of Liability

EXCEPT IN THE EVENT OF GROSS NEGLIGENCE;  WILLFUL MISCONDUCT; FOR FEES OWED IN EXCESS OF THE BELOW LIMIT; AND WHERE PROHIBITED BY LAW, THE CUMULATIVE LIABILITY OF EITHER PARTY TO THE OTHER WILL BE LIMITED TO THE FEES PAID OR PAYABLE UNDER THIS AGREEMENT FOR THE 12 MONTHS PRECEDING THE FILING OF THE CLAIM, FOR ALL OTHER CLAIMS.

13. Marketing

Medallia may include Customer’s name and logo on Medallia’s public customer list. Other than for trial offerings, Customer agrees to partner with Medallia on co-marketing and public relations activities to demonstrate the launch and success of Customer’s program (e.g., press release, case study, testimonial, video).  Customer grants Medallia a limited, non-exclusive, worldwide license to use its trademark for these purposes.

14. General Terms

a. Authority

Each party warrants that it has the authority to enter into this Agreement and each Order.

b. Assignment

Neither this Agreement nor any Order may be assigned without written consent (such consent not to be unreasonably withheld or delayed) and any such attempted assignment will be void.

c. Survival

All terms that must survive termination in order to have their customary effect, including terms related to confidentiality, indemnification, limitation of damages and liability, and post termination data transfer will survive termination or expiration of this Agreement.

d. Force Majeure

No party will be deemed to have breached this Agreement or any Order if its failure to perform was caused by events beyond that party’s reasonable control, such as mass failure of internet infrastructure, civil unrest, and natural disasters.

e. Independent Contractors

The parties are independent contractors. Neither party has the right to bind the other, and neither party will make any contrary representation to a third party.

f. Severability

If any clause of this Agreement or any part thereof is rendered void or unenforceable by any court or authority of competent jurisdiction then that clause will be limited to the minimum extent necessary so that this Agreement will otherwise remain in effect.

g. Export Compliance

Customer will comply with the export control and economic sanctions laws and regulations of the United States, United Kingdom, and other applicable jurisdictions.  Consistent with that obligation, Customer will not make Medallia Products available to any person or entity that is: (i) located in a country that is subject to a United States, United Kingdom, or other applicable government, (ii) listed on any United States, United Kingdom, or European Union government list of prohibited or restricted parties, or (iii) engaged in activities directly or indirectly related to the proliferation of weapons of mass destruction.

h. Arbitration, Governing Law and Forum

Disputes arising from this Agreement will be settled by arbitration administered by the International Chamber of Commerce under its procedural Rules of Arbitration and the substantive law of England and Wales, and judgment on the award rendered by the arbitrator(s) may be entered into any court with jurisdiction. The arbitration shall be conducted in London, United Kingdom in the English language.  This provision will not impair either party’s ability to receive injunctive or other equitable relief from any court with jurisdiction. The United Nations Convention on Contracts for the International Sale of Goods does not apply to this Agreement.

i. No Waiver

The failure of a party to timely enforce an obligation under this Agreement or Order will only be construed as a waiver if given in writing and will not act to waive any other obligation, including any future occurrence of the waived obligation.

j. Complete Agreement

Documentation that accompanies the Order constitute part of this Agreement. This Agreement and each Order including relevant Documentation contains the full agreement of the parties (superseding all prior or contemporaneous agreements). Notwithstanding anything to the contrary therein, terms or conditions stated in Customer order documentation (e.g., a Customer purchase order) will be null and void. Neither party enters into this Agreement, trial offerings, or Orders based on representations not stated in these documents, and there will be no presumption against either party as the drafter thereof. Medallia may modify this Agreement at any time by publishing an updated version online. Continued use of the Medallia Products after a new version is posted constitutes binding acceptance of the terms therein.

k. Subcontractors

Medallia may utilize subcontractors provided that: (i) Medallia has bound the subcontractor to agreements requiring it to conform to law, regulation, industry standards, and the quality, confidentiality, and privacy standards reflected in this Agreement; and (ii) Medallia remains responsible for delivery of the scope established in the Order or trial offering.

l. Notices

Notifications required under this Agreement or an Order in relation to breach, disputed payments, audit, or indemnification will be provided in writing to the legal departments of the parties to the addresses identified in an Order or trial registration. Other notifications can be submitted via email. Notifications will be effective as of the date of delivery.

Attachment A

Security Measures

Medallia maintains and manages a comprehensive written security program designed to protect: (a) the security and integrity of Customer Data; (b) against threats and hazards that may negatively impact Customer Data; and (c) against unauthorized access to Customer Data. Medallia’s security program includes the following:

1. Risk Management

  1. Conducting an annual risk assessment designed to identify threats and vulnerabilities in the administrative, physical, legal, regulatory, and technical safeguards used in the Medallia Products.
  2. Maintaining a documented risk remediation process to assign ownership of identified risks, establish remediation plans and timeframes, and provide for periodic monitoring of progress.

2. Information Security Program

  1. Maintaining a documented comprehensive information security program. This program will include policies and procedures aligning with industry best practices, such as ISO 27001/27002.
  2. Such information security program shall include, as applicable: (i) adequate physical security of all premises in which Customer Data will be processed and/or stored; (ii) reasonable precautions taken with respect to Medallia personnel employment; and (iii) an appropriate network security program.
  3. These policies will be reviewed and updated by Medallia management annually.

3. Organization of Information Security

  1. Assigning security responsibilities to appropriate Medallia individuals or groups to facilitate protection of the Medallia Products environment and associated assets.
  2. Establishing information security goals to be met.

4. Human Resources Security

  1. Medallia employees undergo comprehensive screening during the hiring process.  Background checks and reference validation will be performed to determine whether candidate qualifications are appropriate for the proposed position.  Subject to any restrictions imposed by applicable law and based on jurisdiction, these background checks include criminal background checks, employment validation, and education verification as applicable.
  2. Ensuring all Medallia employees are subject to confidentiality and non-disclosure commitments before access is provisioned to Medallia Products and/or Customer Data.
  3. Ensuring applicable Medallia employees receive security and privacy awareness training designed to provide such employees with information security knowledge to provide for the security, availability, and confidentiality of Customer Data.
  4. Upon Medallia employee separation or change in roles, Medallia shall ensure any Medallia employee access is revoked in a timely manner and all  Medallia assets, both information and physical, are returned.

5. Asset Management

  1. Maintaining asset and information management policies and procedures. This includes ownership of assets, an inventory of assets, classification guidelines, and handling standards pertaining to Medallia assets.
  2. Maintaining media handling procedures to ensure media containing Customer Data is encrypted and stored in a secure location subject to strict physical access controls.
  3. When a storage device has reached the end of its useful life, procedures include a decommissioning process that is designed to prevent Customer Data from being exposed to unauthorized individuals using the techniques recommended by NIST to destroy data as part of the decommissioning process.
  4. If a hardware device is unable to be decommissioned using these procedures, the device will be virtually shredded, degaussed, purged/wiped, or physically destroyed in accordance with industry-standard practices.  Devices used in the administration of the Medallia Products that have been decommissioned will be subjected to these or equally effective standards.

6. Access Controls

  1. Maintaining a logical access policy and corresponding procedures. The logical access procedures will define the request, approval and access provisioning process for Medallia personnel. The logical access process will restrict Medallia user (local and remote) access based on the principle of least privilege for applications and databases. Medallia user access recertification to determine access and privileges will be performed periodically. Procedures for onboarding and off-boarding Medallia personnel users in a timely manner will be documented. Procedures for Medallia personnel user inactivity threshold leading to account suspension and removal threshold will be documented.
  2. Limiting access to Customer Data to its personnel who have a need to access Customer Data as a condition to Medallia’s performance of the services under this Agreement. Medallia shall utilize the principle of “least privilege” and the concept of “minimum necessary” when determining the level of access for all Medallia users to Customer Data. Medallia shall require strong passwords subject to complexity requirements and periodic rotation.

7. System Boundaries

  1. The systems that compose a functioning Medallia cloud platform for the Products are limited to shared components such as network devices, servers, and software that are physically installed and operating within Medallia’s Internet-enabled network infrastructure. This system boundary also includes the network connectivity, power, physical security, and environmental services provided by the third-party provider that owns and operates the data centers in which this network infrastructure is collocated.
  2. Medallia is not responsible for any system components that are not within this system boundary, including network devices, network connectivity, workstations, servers, and software owned and operated by the Customer or other third parties. Medallia may provide support for these components at its reasonable discretion.

8. Encryption

  1. Customer maintains ownership of the encryption all Customer Data uploaded to their Products through the full lifecycle period.  Customer Data may be uploaded via SFTP, TLS/SSL, or through an Medallia services API over a TLS/SSL connection to the Medallia cloud platform. Medallia will configure TLS and/or SSL certificates.
  2. Customer Data shall be encrypted at rest at the storage-level.

9. Physical and Environment Security

  1. Medallia products and customer data are hosted at providers who have demonstrated compliance with one or more of the following standards (or a reasonable equivalent): International Organization for Standardization (“ISO”) 27001 and/or American Institute of Certified Public Accountants (“AICPA”) Service Organization Controls (“SOC”) Reports for Services Organizations. These providers provide Internet connectivity, physical security, power, and environmental systems and services for the Medallia cloud platform used for the Products.
  2. An N-tiered architecture is used to support presentation, application, processing, and data services. For enhanced security in the Medallia cloud platform, technologies such as firewalls, intrusion detection and prevention, and vulnerability management are used.

10. Operations Security

  1. Maintaining documented Medallia cloud operating procedures.
  2. Maintaining change and release management controls to ensure changes to products production systems made by Medallia are properly authorized and reviewed prior to implementation.
  3. Monitoring usage, security events, and capacity levels within the Medallia cloud to manage availability and proactively plan for future capacity requirements.
  4. Utilizing virus and malware protection software a, which are configured to meet common industry standards designed to protect Medallia systems and Customer Data from virus infections or similar malicious payloads.
  5. Implementing disaster recovery and business continuity procedures. These will include periodic replication of Customer Data to a secondary data center in a geographically disparate location from the primary data center.
  6. Maintaining a system and security logging process to capture critical system logs. These logs shall be maintained for at least six months and reviewed on a periodic basis.
  7. Ensuring systems processing and storing customer data are appropriately configured and hardened.
  8. Ensuring servers, operating systems, and supporting software used in the Medallia cloud for Products receive Critical and High security patches within a timely manner, In the event any such security patch would materially adversely affect the Products, then Medallia will use commercially reasonable efforts to implement compensating controls until a security patch is available that would not materially adversely affect the Products.
  9. Conducting third-party external application penetration tests periodically.

11. Supplier Relationships

  1. Maintaining a Vendor Management Program to evaluate and mitigate risks for any third parties that host or process customer data.

12. Security Incident

  1. Employing incident response standards that are based upon applicable industry standards, such as ISO 27001:2013 and National Institute for Standards and Technology (“NIST”), or equivalent in order to maintain the information security components of the Products environment.
  2. Responses to these incidents follow the Medallia documented incident response sequence.  This sequence includes the incident trigger phase, evaluation phase, escalation phase, response phase, recovery phase, de-escalation phase, and post incident review phase.
  3. Medallia will notify Customer of a Security Incident as required pursuant to applicable law but in no event later than 72 hour after a Security Incident.  A “Security Incident” means a determination by Medallia of an actual disclosure of unencrypted Customer Data to an unauthorized person or entity.

13. Information Security Aspects of Business Continuity Management

  1. Maintaining a business continuity and disaster recovery plan.
  2. Reviewing and testing this plan annually.