MPARTICLE PLATFORM TERMS OF SERVICE

Version Date: August 16, 2022

For notice regarding updates to the legal terms and conditions please click here.

PLEASE REVIEW THESE TERMS CAREFULLY. ONCE ACCEPTED, THESE TERMS WILL BECOME A BINDING LEGAL COMMITMENT BETWEEN YOU AND MPARTICLE, INC. (ON BEHALF OF ITSELF AND ITS AFFILIATES). IF YOU DO NOT AGREE TO BE BOUND BY THESE TERMS, YOU SHOULD NOT ACCEPT THESE TERMS, CREATE AN ACCOUNT, OR USE THE MPARTICLE PLATFORM (AS DEFINED BELOW).

In these mParticle Platform Terms of Service (referred to herein as, this “Agreement” or these “Terms”), the term “you” or “Customer” refers to you. The term “mParticle” refers to mParticle, Inc., a corporation organized under the laws of the State of Delaware, U.S.A. Each of mParticle and Customer may be referred to herein individually as a “Party” or collectively as the “Parties.”     

If you are creating an account to use the mParticle Platform on behalf of an organization, then you are agreeing to this Agreement for that organization and representing to mParticle that you have the authority to bind that organization to this Agreement (and, in which case, the term “Customer” refers to that organization). 

If you have a separate signed agreement with mParticle, Indicative, Inc., a corporation organized under the laws of the State of Delaware, U.S.A. and a wholly owned subsidiary of mParticle, and/or Vidora, LLC, a limited liability company organized under the laws of the State of Delaware, a wholly owned subsidiary of mParticle and the successor-in-interest by way of merger to Vidora Corp., for your use of the mParticle, Indicative or Cortex services, respectively, this Agreement will not apply to you, unless that signed agreement does not cover a particular service, in which case, this Agreement applies solely to your use of that particular service.

For existing customers of the mParticle Platform (including the mParticle or Indicative services) or Cortex service that agreed to the previous version of the mParticle Terms of Service or Vidora Terms of Service, respectively, this Agreement is effective immediately. For new customers of the mParticle Platform, this Agreement is effective upon your approval or acknowledgement of this Agreement. mParticle may update this Agreement from time to time, with or without specific notice to you; provided that if mParticle provides specific notice to you, such notice shall be made in accordance with Section 11.9 of this Agreement. If mParticle makes any changes to this Agreement, it will change the effective date above. Historical versions of this Agreement can be found at the end of this Agreement. Customer agrees that its continued use of the mParticle Platform after such changes have been published will constitute Customer’s acceptance of such revised agreement. If you do not agree to an updated version of this Agreement, you must stop using the mParticle Platform immediately. Please visit this section of our website periodically in order to keep up to date with changes to this Agreement.

Finally, this Agreement governs your use of the mParticle Platform. For provisions governing your use of the mParticle website, see the mParticle Website Terms of Service

BACKGROUND

mParticle is a software technology company that has developed a software-as-a-service platform enabling enterprises to (1) collect, organize, synchronize and analyze data from applications, websites, connected devices, and offline data sources and (2) distribute such data to various service providers, including analytics, artificial intelligence, monetization, data warehousing and other services.  As such, mParticle functions as a core data and services orchestration layer for enterprises.  Customer desires to subscribe to the mParticle Platform (as defined below), and mParticle is willing to provide the mParticle Platform, in accordance with this Agreement, which consists of the Terms and Conditions below, all exhibits and attachments hereto and any applicable Order Form(s) (an “Order”). 

TERMS AND CONDITIONS

1. PROVISION AND USE OF THE MPARTICLE PLATFORM

1.1 mParticle Platform.  Subject to and in consideration for the Customer paying the Fees (as defined below), mParticle will make its software platform, consisting of the core customer data platform (the “mParticle Service”), data analytics platform (the “Indicative Service”) and artificial intelligence platform (the “Cortex Service”), available to Customer (the “mParticle Platform”) pursuant to this Agreement and the applicable Order during the Term (as defined below). For purpose of clarity, the “mParticle Platform” shall include the mParticle SDK and mParticle APIs (each as defined below). Once Customer identifies an administrative user name and password and such administrative account is provisioned, Customer shall have access to and can utilize the mParticle Platform.  Subject to the terms and conditions of this Agreement, mParticle hereby grants Customer a limited, non-exclusive, non-transferable, non-sublicensable right and license to access and use the mParticle Platform during the Term solely for Customer’s internal business purposes.  mParticle will provide the mParticle Platform in accordance with Applicable Laws (as defined below) related to the provision of the mParticle Platform to mParticle’s customers generally, and without regard for Customer’s particular use of the mParticle Platform, subject to Customer’s use in accordance with this Agreement. For purposes of this Agreement, “Applicable Laws” means all applicable laws, rules, regulations related to Customer’s use and mParticle’s provision of the mParticle Platform. 

1.2 mParticle SDK.  Subject to and in consideration for the Customer paying the Fees, mParticle will make its software development kit (in object code format only) available to Customer via the mParticle Platform (the “mParticle SDK”).  Subject to the terms and conditions of this Agreement, mParticle hereby grants Customer a limited, non-exclusive, non-transferable, non-sublicensable right and license during the Term to (a) download and use the mParticle SDK for Customer’s internal business purposes; (b) incorporate the mParticle SDK into Customer’s web and/or mobile applications and connected devices set forth in the Order (collectively, the “Supported Customer Properties”); (c) distribute and otherwise make available the mParticle SDK as incorporated in the Supported Customer Properties; and (d) send data server-to-server via mParticle’s Application Programming Interfaces (“mParticle APIs”).  

1.3 License Grant Restrictions and Requirements. The following restrictions and requirements shall apply to Customer’s use of the mParticle Platform:

(a) Restricted Access.  Unless otherwise authorized by mParticle in writing, the Customer shall only provide access to the mParticle Platform to persons who are either employees or contractors of Customer or its Affiliates (subject to the terms set forth in Section 1.7 below), and provided such access is only given to the extent reasonably required to enable the Customer or its Affiliates to use the mParticle Platform in accordance with this Agreement (each, an “Authorized User”).   

(b) Restrictions. Except as expressly permitted hereunder, Customer will not, and will not permit or authorize any third party to: (i) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas or algorithms of any of the mParticle Platform; (ii) modify, translate or create derivative works based on any of the mParticle Platform; (iii) copy (except for archival purposes), rent, lease, distribute, pledge, assign or otherwise transfer or allow any lien, security interest or other encumbrance on any of the mParticle Platform; (iv) use any of the mParticle Platform for timesharing or service bureau purposes or (except as expressly permitted by the mParticle Platform) otherwise for the benefit of a third party; (v) hack, manipulate, interfere with or disrupt the integrity or performance of or otherwise attempt to gain unauthorized access to any of the mParticle Platform or its related systems, hardware or networks or any content or technology incorporated in any of the foregoing; (vi) remove or obscure any proprietary notices or labels of mParticle or its suppliers on any of the mParticle Platform; (vii) access all or any part of the mParticle Platform to build a product or service which competes with the mParticle Platform; (viii) knowingly input, upload or transmit any thing or device (including any software, code, file or program) that may prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, or adversely affect the user experience through the mParticle Platform or the systems of mParticle, or do anything which may damage, destroy, disrupt, disable, impair, interfere with or otherwise impede or harm the mParticle Platform or the systems of mParticle; or (ix) use the mParticle Platform in a way which infringes or otherwise violates the intellectual property rights of a third party.

(c) Requirements.  Customer shall use, and shall procure that each Authorized User shall use, the mParticle Platform in accordance with (i) the documentation made available by mParticle to Customer from time to time, including the technical documentation available at https://docs.mparticle.com/ (for the mParticle Service), https://support.indicative.com/ (for the Indicative Service) and https://www.vidora.com/docs/ (for the Cortex Service); (ii) all Applicable Laws; and (iii) the terms of this Agreement.

1.4 Access Credentials and mParticle API Keys. Customer and Customer’s Authorized Users are solely responsible for the confidentiality and use of their username and password (“Access Credentials”) and mParticle API keys (“mParticle API Keys”). Customer shall immediately notify mParticle if any Access Credentials and/or mParticle API Keys have been stolen or compromised. Customer acknowledges and agrees that Customer shall be responsible for all activities and all loss, damage and expense incurred by mParticle that occur under Customer’s and Authorized Users’ Access Credentials and mParticle API Keys, including but not limited to, any misuse, communications, or any data (including Customer Data) entered through such Access Credentials and mParticle API Keys by Customer or permitted by Customer’s failure to keep its Access Credential and mParticle API Keys confidential, unless such loss, damage or expense arising out of the unauthorized use of Access Credentials and/or mParticle API Keys is caused by mParticle’s breach of this Agreement. 

1.5 Service Limitations

(a) mParticle Service. Customer’s use of the mParticle Service is subject to the service level limitations located at http://docs.mparticle.com/guides/default-service-limits/ (the “Service Level Limitations”).  The Service Level Limitations are provided as an upper bound designed to detect possible errors in data ingestion and damage to the mParticle Service and is in no way intended to decrease the number of MTUs (as defined below) for which Customer has contracted.  If the Service Level Limitations are exceeded, mParticle reserves the right to throttle and/or cap Customer’s use of the mParticle Service.     

(b) Indicative Service. Customer shall use any data storage functionality provided as part of the Indicative Service to store only Customer Data that is necessary to take full advantage of the Indicative Service.  Customer acknowledges that mParticle may restrict data ingestion if data does not reflect the most efficient manner in which to store or use the Indicative Service, or if data is stored for a purpose other than utilization of the Indicative Service.

(c) Sensitive Data.  Customer will not use the mParticle Platform to collect, transmit, provide, or otherwise make available “sensitive information”, “sensitive data” or “special categories of personal data”, as these terms are defined under Applicable Laws related to data protection and privacy (collectively, “Sensitive Data”) including, but not limited to, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences.

1.6 Privacy; Data Security. Each of the Parties shall comply with the privacy and security obligations set forth in the mParticle Platform Privacy and Security Rider attached hereto as Exhibit A (the “Privacy Rider”).  

1.7 Customer Affiliates. For purposes of this Agreement, “Affiliate” means any entity that directly or indirectly controls or is controlled by, or is under common control with, the party specified, where for purposes of this definition, “control” means direct or indirect ownership of more than fifty percent (50%) of the voting interests of the subject entity.  An Affiliate of Customer may use the mParticle Platform in accordance with this Agreement and, unless otherwise agreed to in writing with mParticle, a separate Order between mParticle and such Affiliate. Customer represents and warrants that it has sufficient rights and the authority to make this Agreement binding upon each Affiliate of Customer. Customer and each Affiliate of Customer will be jointly and severally liable for the acts and omissions of such Affiliate in connection with this Agreement and such Affiliate’s use of the mParticle Platform. Any claim by an Affiliate of Customer hereunder will only be brought against mParticle by Customer on behalf of such Affiliate.

1.8 mParticle Affiliates.  mParticle’s Affiliates may provide the mParticle Platform, or a portion thereof, to Customer in accordance with this Agreement and any applicable Order.  mParticle will (a) be responsible for the portions of the mParticle Platform provided by mParticle Affiliates; and (b) not be relieved of its obligations under this Agreement if mParticle’s Affiliates provide the mParticle Platform or a portion thereof.  Notwithstanding the foregoing, mParticle has the right to enforce this Agreement against Customer and any Customer Affiliate.  

2. Ownership; Reservation of Rights  

2.1 Customer Data.  Customer shall own all right, title and interest in and to the data derived or collected by the mParticle SDK incorporated into the Supported Customer Properties, integration via a data warehouse connection and/or any data inputted by Customer into the mParticle Platform (“Customer Data”).  Customer hereby grants to mParticle a perpetual, non-exclusive, worldwide, royalty-free, fully paid up, sublicensable, right and license to copy, distribute, display and create derivative works of and use the Customer Data to perform mParticle’s obligations under this Agreement.  Customer reserves any and all right, title and interest in and to the Customer Data, other than the license expressly granted to mParticle under this Agreement. Customer acknowledges that mParticle may, in its discretion, archive or delete Customer Data made available to the Indicative Service that is two (2) or more years old such that this archived Indicative Customer Data is not readily accessible through the Indicative Service or outside the scope of the Order for the Indicative Service.  Except as expressly permitted hereunder or as authorized by Customer in connection with its use of the mParticle Platform, mParticle will not, and will not authorize any third party to: (a) rent, sublicense, transfer, disclose, use, or grant any rights in, or share or provide access to any Customer Data, in any form, collected and created under this Agreement; or (b) collect, use, combine, aggregate, or commingle the Customer Data for the benefit of any third party. 

2.2 mParticle Platform Ownership; Reservation Of Rights.  Customer acknowledges and agrees that, as between the Parties, mParticle retains all right, title, and interest in and to the mParticle Platform, all copies or parts thereof (by whomever produced) and all intellectual property rights therein.  Customer shall acquire no rights, title, or interest in or to the mParticle Platform or any copies thereof (by whoever produced), other than the limited licensed rights expressly granted by mParticle under this Agreement.  Customer will not remove, obscure, or alter any intellectual property rights notices relating to the mParticle Platform.

2.3 mParticle Usage Data.  Customer acknowledges that mParticle collects data about its customers’ usage of the mParticle Platform (“mParticle Usage Data”) and uses it for the sole purpose of generating insights about the use of the mParticle Platform to support and improve the mParticle Platform generally. For avoidance of doubt, mParticle Usage Data will not contain any Customer Data collected by Customer and ingested by the mParticle Platform.  mParticle may use aggregated mParticle Usage Data that does not identify Customer or any of its users for the purpose of describing its products in marketing materials (e.g., total volume of data processed by the mParticle Platform).

2.4 Feedback.  Customer may from time to time provide suggestions, comments for enhancements or functionality or other feedback (“Feedback”) to mParticle with respect to the mParticle Platform.  mParticle may determine whether or not to proceed with the development of the requested enhancements, new features or functionality.  Customer hereby grants mParticle a royalty-free, fully paid up, worldwide, transferable, sublicensable, irrevocable, perpetual license to (a) copy, distribute, transmit, display, perform, and create derivative works of the Feedback; and (b) use the Feedback and/or any subject matter thereof, including without limitation, the right to develop, manufacture, have manufactured, market, promote, sell, have sold, offer for sale, have offered for sale, import, have imported, rent, provide and/or lease products or services which practice or embody, or are configured for use in practicing, the Feedback and/or any subject matter of the Feedback.

3. FEES; PAYMENT TERMS

3.1 Fees. Customer will pay mParticle all fees and other amounts due to mParticle under or in connection with this Agreement (“Fees”) at such times as indicated on the Order, as set forth elsewhere in this Agreement or, where no such time period is stipulated in the Order or the Agreement, within thirty (30) days after Customer’s receipt of invoice. Unless otherwise stated in the Order, all Fees are payable in U.S. Dollars. The Fees for access and use of the mParticle Platform are based on annual credits or a base number of MTUs and/or events, in each case set forth in the Order or other applicable pricing terms.  If Customer uses any services not set forth in an Order, Customer will be charged the applicable rates available on mParticle’s website and/or in the applicable special program terms referenced in Section 9 below.  

(a) Credit-Based Pricing. If the applicable Order indicates Fees are based on annual credits (to account for a combination of events processed, storage periods and data evaluation), mParticle shall charge Customer Fees based on the pricing set forth therein, subject to payment of additional Fees for Customer’s purchase of additional annual credits and payment of overages, in each case as set forth in such Order.  

(b) Event/MTU-Based Pricing. If the applicable Order indicates Fees are based on a number of MTUs and/or events, mParticle shall calculate and bill overage fees for the mParticle Platform (“Overage Fees”) monthly in arrears for MTU and/or events usage in excess of this base number of MTUs and/or events (“Monthly Overage”). The Order may specify a single rate for Overage Fees in which case all Monthly Overages will be charged at that rate. Alternatively, the Order may specify tiered pricing. In such event, if Customer’s usage increases and elevates Customer from a lower tier to a higher tier, the pricing for the higher tier shall become the pricing for the remainder of the Term (unless usage increases afterward to an even higher tier). There will be no reversion to lower tiers. For each month in which Customer moves from a lower tier to a higher tier, mParticle shall invoice the Customer for the difference between the Fees for the new tier and the amount already paid for lower tiers, prorated for the remainder of the Term. As used herein, (i) “MTU” means an mParticle ID that has any activity in a calendar month, and (ii) “mParticle ID” means a single user-profile record created for a specified workspace as governed by Customer’s desired identity strategy.     

3.2 Late Payment. If payment of any Fees (including any reimbursement of expenses) is not made when due, without prejudice to any other right or remedy available to mParticle, following written notice by mParticle to Customer, interest shall accrue at a rate equal to the lesser of one and one-half percent (1.5%) per month or the highest legal rate permitted by Applicable Law, and Customer will pay all reasonable expenses of collection.  In addition, if any past due payment of Fees has not been received by mParticle within ten (10) days from the time such payment is due, following written notice by mParticle to Customer, mParticle may suspend access to the mParticle Platform until such payment is made in full. 

3.3 Net of Taxes.  All amounts payable by Customer to mParticle hereunder are exclusive of any sales, use and other taxes or duties, however designated, including without limitation, withholding taxes, royalties, know-how payments, customs, privilege, excise, sales, use, value-added and property taxes (collectively “Taxes“).  Customer shall be solely responsible for payment of any Taxes, except for those taxes based on the income of mParticle.  Customer will not withhold any Taxes from any amounts due to mParticle, and all amounts payable by Customer under this Agreement shall be paid in full without any set-off, counterclaims or deductions (“Reductions“). If any Reductions are required by Applicable Law, the Customer shall, when making the payment to which the reduction relates, pay to mParticle such additional amount as will ensure that mParticle receives the same total amount that it would have received if no such reduction had been required. 

3.4 Reimbursable Expenses. Customer will reimburse mParticle for travel and other related expenses associated with ongoing support, such as Quarterly Business Reviews (QBRs) and on-site visits, provided that Customer approves such activities via email in advance (such approval not to be unreasonably withheld or delayed) and mParticle complies with any applicable Customer travel and expense policy provided to mParticle from time to time.

4. TERM, TERMINATION

4.1 Term.  This Agreement shall be effective from the Effective Date and shall, unless terminated earlier in accordance with the terms of this Agreement, continue until the end of the initial term as set forth on the Order or if an Order has not been signed with mParticle, the initial term shall be thirty (30) days (the “Initial Term”). Upon the expiration of the Initial Term, this Agreement shall automatically renew for additional, successive twelve (12) month terms for those Customers subject to an Order (unless otherwise set forth in the Order) or additional, successive thirty (30) day terms for those Customers not subject to an Order (each, a “Renewal Term”), unless either Party delivers to the other Party written notice at least thirty (30) days prior to the end of the Initial Term or the applicable Renewal Term of the Party’s intent not to renew this Agreement. If this Agreement is not renewed under this Section 4.1, this Agreement shall terminate automatically upon the expiration of the Initial Term or the applicable Renewal Term (as the case may be). For purposes of this Agreement, “Term” shall mean the Initial Term together with any subsequent Renewal Terms. Notwithstanding anything to the contrary in this Section, if Customer is participating in any of the Special Programs referenced in Section 9 below, the “Term” shall be set forth in applicable terms and conditions for such Special Program.   

4.2 Termination; Effect of Termination; Suspension.  In addition to any other remedies it may have, either Party may terminate this Agreement (a) by written notice to the other Party with at least thirty (30) days’ prior written notice (provided, if there are any Orders in effect, this Agreement will not terminate until all such Orders have expired or have been terminated in accordance with the terms therein); (b) if the other Party breaches any of the terms or conditions of this Agreement in any material respect and such breach is incapable of cure or, where such breach is capable of cure, fails to cure such breach within fifteen (15) days’ notice (or ten (10) days in the case of nonpayment by Customer of Fees) after receiving notice thereof; and (c) unless otherwise prohibited by Applicable Law, by written notice to the other Party in the event of the other Party’s liquidation, commencement of dissolution proceedings, or any other proceeding relating to a receivership, failure to continue business, assignment for the benefit of creditors, or becoming the subject of bankruptcy. Notwithstanding the foregoing, mParticle shall have the right to terminate this Agreement at any time for convenience upon written notice to Customer if Customer is participating in any of the special programs referenced in Section 9 below. Subject to Section 4.3, upon any termination or expiration of this Agreement for any reason (and except as expressly provided for otherwise in this Agreement): (i) mParticle shall promptly delete or erase the Customer Data or the encryption key to the Customer Data; (ii) all rights granted hereunder and all obligations of mParticle to provide the mParticle Platform shall immediately terminate and Customer shall cease use of the mParticle Platform; and (iii) Customer will pay all Fees due and owing up to the date of such termination or expiration (as applicable). Without limiting mParticle’s right to terminate this Agreement, mParticle may also suspend Customer’s access to the mParticle Platform, with or without notice to Customer, upon any actual, threatened or reasonably suspected breach of this Agreement or violation of Applicable Law, or upon any other conduct deemed inappropriate or detrimental to the mParticle Platform by mParticle (including, but not limited to, unauthorized takeover or other malicious activity on Customer’s account).

4.3 Survival.  Upon expiration or termination of this Agreement, all obligations in this Agreement shall terminate, provided that any provision of this Agreement that expressly or by implication is intended to come into or continue in force on or after its termination shall remain in full force and effect, including Sections 2.2 (mParticle Platform Ownership), 2.3 (mParticle Usage Data), 2.4 (Feedback), 3 (Fees; Payment Terms), 4.2 (Termination; Effect of Termination), 5 (Confidentiality), 6.4 (Disclaimer), 7 (Limitations of Liability; Indemnification), 9 (Special Programs), 11 (General), and this 4.3 (Survival). 

5. CONFIDENTIALITY 

5.1 Definition of Confidential Information. As used herein, “Confidential Information” means any non-public information or data, regardless of whether it is in tangible form, disclosed by either Party (the “Disclosing Party”) to the other Party (the “Receiving Party”) that the Disclosing Party has either marked as confidential or proprietary, the Disclosing Party has identified in writing as confidential or proprietary within thirty (30) days of disclosure to the Receiving Party, or that a prudent business person in Receiving Party’s position would conclude is confidential given the nature of the information or the circumstances surrounding its disclosure; provided, however, that a Disclosing Party’s business plans, strategies, technology, research and development, current and prospective customers, billing records, and products or services shall be deemed Confidential Information of the Disclosing Party even if not so marked or identified. For the avoidance of doubt, mParticle’s Confidential Information includes, without limitation, the mParticle Platform and the terms of this Agreement. Notwithstanding the foregoing, “Confidential Information” does not include information that: (a) is known to the Receiving Party prior to receipt from the Disclosing Party directly or indirectly from a source other than one having an obligation of confidentiality to the Disclosing Party; (b) becomes known (independently of disclosure by the Disclosing Party) to the Receiving Party directly or indirectly from a source other than one having an obligation of confidentiality to the Disclosing Party; (c) becomes publicly known or otherwise ceases to be secret or confidential, except through a breach of this Agreement by the Receiving Party; or (d) is independently developed by Receiving Party without use of the Confidential Information of the Disclosing Party.

5.2 Use and Non-disclosure of Confidential Information. Each Party acknowledges that the Confidential Information constitutes valuable trade secrets and proprietary information of a Party, and each Party agrees that it shall use the Confidential Information of the other Party solely in accordance with the provisions of this Agreement and it will not disclose, or permit to be disclosed, the same directly or indirectly, to any third party without the other Party’s prior written consent, except as otherwise permitted hereunder.  The Receiving Party will protect the confidentiality of the Disclosing Party’s Confidential Information using the same degree of care that it uses to protect the confidentiality of its own confidential information, but in no event less than reasonable care.  Notwithstanding any provision of this Agreement, either Party may disclose Confidential Information, in whole or in part (a) to its employees, officers, directors, professional advisers (e.g., attorneys, auditors, financial advisors, accountants and other professional representatives), existing and prospective investors or acquirers contemplating a potential investment in or acquisition of a Party, sources of debt financing, acquirers and/or subcontractors who have a need to know and are legally bound to keep such Confidential Information confidential by confidentiality obligations or, in the case of professional advisors, are bound by legal duties to keep such Confidential Information confidential consistent with the terms of this Agreement; and (b) as reasonably deemed by a Party to be required by Applicable Law (in which case each Party shall provide the other with prior written notification thereof, shall provide such Party with the opportunity to contest such disclosure, and shall use its reasonable efforts to minimize such disclosure to the extent permitted by Applicable Laws.).  Each Party shall promptly notify the other in writing if it becomes aware of any violations of the confidentiality obligations set forth in this Agreement.  

5.3 Equitable Relief; Return and Destruction of Confidential Information. In the event of actual or threatened breach of the provisions of this Section, the non-breaching Party will be entitled to seek immediate injunctive and other equitable relief, without waiving any other rights or remedies available to it.  Upon the termination of this Agreement and except as expressly provided otherwise in this Agreement, the Receiving Party agrees to promptly return to the Disclosing Party or destroy all Confidential Information of the Disclosing Party that is in the possession of the Receiving Party and, if requested by the Disclosing Party, certify the return or destruction of all such Confidential Information and embodiments thereof. 

6. REPRESENTATIONS, WARRANTIES AND DISCLAIMER 

6.1 Mutual Representations and Warranties.  Each Party represents and warrants to the other Party that (a) such Party has the required power and authority to enter into this Agreement and to perform its obligations hereunder; (b) the execution of this Agreement and performance of its obligations thereunder do not and will not violate any other agreement to which it is a party; and (c) this Agreement constitutes a legal, valid and binding obligation of such Party when signed by the other Party.

6.2 Sanctions Lists.  Customer hereby represents, warrants and covenants to mParticle that: (a) Customer will not, and will not allow any Authorized User to, export or re-export the mParticle Platform except in compliance with the U.S. Export Administration Act and the related rules and regulations and similar non-U.S. government restrictions, if applicable; (b) Customer will not, and will not allow any Authorized User to, remove or export from the United States or allow the export or re-export of the mParticle Platform (i) into (or to a national or resident of) any embargoed or terrorist-supporting country, (ii) to anyone on the U.S. Commerce Department’s Table of Denial Orders or U.S. Treasury Department’s list of Specially Designated Nationals, (iii) to any country to which such export or re-export is restricted or prohibited, or as to which the U.S. government or any agency thereof requires an export license or other governmental approval at the time of export or re-export without first obtaining such license or approval, or (iv) otherwise in violation of any export or import laws; and (c) Customer is not, and will ensure each Authorized User is not, located in, under the control of, or a national or resident of any prohibited country or on any prohibited party list referred to in subsection (b) immediately above. Customer will immediately discontinue its use of, and will remove its Authorized User’s access to, the mParticle Platform if Customer or any Authorized User is in violation of this Section 6.2.  Notwithstanding anything to the contrary in this Agreement, mParticle may terminate this Agreement and any Order immediately if Customer is in violation of this Section 6.2

6.3 Uptime.   mParticle shall use reasonable efforts consistent with prevailing industry standards to provide the mParticle Platform in a manner that minimizes errors and interruptions in accessing the mParticle Platform.  mParticle Platform may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by mParticle or by third-party providers, or because of other causes beyond mParticle’s reasonable control, but mParticle shall use reasonable efforts to provide advance notice in writing or by email of any scheduled service disruption within mParticle’s control. 

6.4 Disclaimer.  WITHOUT LIMITING MPARTICLE’S EXPRESS WARRANTIES AND OBLIGATIONS HEREUNDER, (A) THE MPARTICLE PLATFORM IS PROVIDED ON AN “AS-IS” BASIS, AND MPARTICLE HEREBY DISCLAIMS ANY AND ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED (EITHER IN FACT OR BY OPERATION OF LAW), OR STATUTORY, AS TO ANY MATTER WHATSOEVER, INCLUDING, BUT NOT LIMITED TO, ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUALITY, ACCURACY, TITLE, AND NON-INFRINGEMENT; AND (B) CUSTOMER ASSUMES SOLE RESPONSIBILITY FOR RESULTS OBTAINED FROM THE RECEIPT AND USE OF, AND FOR CONCLUSIONS OR INFERENCES DRAWN FROM SUCH USE OF, THE MPARTICLE PLATFORM. FOR PURPOSE OF CLARITY, MPARTICLE WILL HAVE NO LIABILITY WHATSOEVER IN CONNECTION WITH ANY SENSITIVE DATA INGESTED INTO THE MPARTICLE PLATFORM OR ANY SECURITY INCIDENT RELATED THERETO.   MPARTICLE DOES NOT WARRANT THAT THE MPARTICLE PLATFORM IS ERROR-FREE OR THAT OPERATION THEREOF WILL BE SECURE OR UNINTERRUPTED.  NEITHER PARTY WILL HAVE THE RIGHT TO MAKE OR PASS ON ANY REPRESENTATION OR WARRANTY ON BEHALF OF THE OTHER PARTY TO ANY THIRD PARTY.    

7. LIMITATIONS OF LIABILITY; INDEMNIFICATION

7.1 Disclaimer of Consequential Damages.  THE PARTIES HERETO AGREE THAT, NOTWITHSTANDING ANY OTHER PROVISION IN THIS AGREEMENT, EXCEPT FOR CUSTOMER’S BREACH OF SECTION 1 (PROVISION AND USE OF THE MPARTICLE PLATFORM) ABOVE, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY SPECIAL, INDIRECT, RELIANCE, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND, LOST OR DAMAGED DATA, LOST PROFITS OR REVENUE, LOSS OF ANTICIPATED SAVINGS, OR LOSS OF OR DAMAGE TO GOODWILL (COLLECTIVELY, AN “EXCLUDED LOSS”), WHETHER ARISING IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, EVEN IF A PARTY HAS BEEN NOTIFIED OF THE POSSIBILITY THEREOF. THE FOREGOING DISCLAIMER WILL NOT APPLY TO THE EXTENT PROHIBITED BY APPLICABLE LAW.   NOTWITHSTANDING THE FOREGOING, THE FOLLOWING WILL NOT BE DEEMED TO BE AN EXCLUDED LOSS FOR PURPOSES OF THIS AGREEMENT: (A) ANY AMOUNTS PAYABLE BY AN INDEMNIFIED PARTY TO A THIRD PARTY PURSUANT TO A JUDGMENT OR TO A SETTLEMENT AGREEMENT APPROVED IN ACCORDANCE WITH SECTION 7.6 (INDEMNIFICATION PROCEDURE) BELOW, LIABILITY FOR WHICH FALLS WITHIN THE INDEMNIFYING PARTY’S INDEMNIFICATION OBLIGATIONS UNDER THIS AGREEMENT; AND (B) ALL FEES PAYABLE BY CUSTOMER UNDER THIS AGREEMENT.

7.2 General Cap on Liability.  NOTWITHSTANDING ANY OTHER PROVISION OF THIS AGREEMENT, EXCEPT FOR (A) CUSTOMER’S BREACH OF SECTION 1 (PROVISION AND USE OF THE MPARTICLE PLATFORM) ABOVE, AND (B) LIABILITY ARISING FROM A PARTY’S INDEMNIFICATION OBLIGATIONS SET FORTH IN SECTION 7.4 AND SECTION 7.5 BELOW, AS APPLICABLE, UNDER NO CIRCUMSTANCES WILL EITHER PARTY’S AGGREGATE LIABILITY FOR DIRECT DAMAGES ARISING UNDER OR RELATING TO THIS AGREEMENT (INCLUDING BUT NOT LIMITED TO WARRANTY CLAIMS), REGARDLESS OF THE FORUM AND REGARDLESS OF WHETHER ANY ACTION OR CLAIM IS BASED ON CONTRACT, TORT, OR OTHERWISE, EXCEED THE TOTAL FEES PAID BY CUSTOMER TO MPARTICLE UNDER THIS AGREEMENT DURING THE TWELVE (12) MONTH PERIOD PRECEDING THE EVENT OR CIRCUMSTANCES GIVING RISE TO SUCH LIABILITY. 

7.3 Independent Allocations of Risk.  EACH PROVISION OF THIS AGREEMENT THAT PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF WARRANTIES, OR EXCLUSION OF DAMAGES IS TO ALLOCATE THE RISKS OF THIS AGREEMENT BETWEEN THE PARTIES.  EACH OF THESE PROVISIONS IS SEVERABLE AND INDEPENDENT OF ALL OTHER PROVISIONS OF THIS AGREEMENT, AND EACH OF THESE PROVISIONS WILL APPLY EVEN IF THEY HAVE FAILED OF THEIR ESSENTIAL PURPOSE. 

7.4 Indemnification by mParticle.  

(a) Indemnity.  mParticle shall indemnify, defend and hold harmless (“Indemnify”) Customer and its Affiliates and its and their respective officers, directors and employees (“Customer Indemnified Parties”) from any and all losses, liabilities, penalties, costs and expenses, including reasonable attorneys’ fees (collectively, the “Liabilities”) incurred by the Customer Indemnified Parties in connection with any third-party action, demand, claim, or proceeding (each, a “Claim”) arising from the use of the mParticle Platform in accordance with this Agreement infringing or misappropriating any third-party intellectual property rights (an “Infringement Claim”). 

(b) Limitations on Infringement Claims.  Notwithstanding the foregoing, mParticle shall have no liability or obligation under this Section with respect to any Liability for an Infringement Claim if such Liability is caused in whole or in part by (i) modification of the mParticle Platform by any party other than mParticle without mParticle’s express consent; (ii) the combination, operation, or use of the mParticle Platform with other product(s), data or services where the mParticle Platform would not by itself be infringing; or (iii) unauthorized or improper use of the mParticle Platform.  If the use of the mParticle Platform by Customer has become, or in mParticle’s opinion is likely to become, the subject of any Infringement Claim, mParticle may at its option and expense (A) procure for Customer the right to continue using the mParticle Platform as set forth hereunder; (B) replace or modify the mParticle Platform to make it non-infringing so long as the mParticle Platform has at least equivalent functionality; (C) substitute an equivalent for the mParticle Platform; or (D) if options (A)-(C) are not reasonably practicable, terminate this Agreement.  

(c) Exclusive Liability.  This Section 7.4 states mParticle’s entire obligation and Customer’s sole remedies in connection with any Infringement Claim. 

7.5 Indemnification by Customer.   Customer shall Indemnify mParticle and its Affiliates and its and their respective officers, directors and employees (“mParticle Indemnified Parties”) from Liabilities incurred by the mParticle Indemnified Parties in connection with any Claim arising from or related to: (a) a breach by Customer of Section 1 (Provision and Use of the mParticle Platform); (b) any use by Customer of the mParticle Platform in violation of this Agreement; (c) a breach by Customer of Section 3.3 of the Privacy Rider; or (d) the use by mParticle of Customer Data in accordance with this Agreement. 

7.6 Indemnification Procedure. If a Customer Indemnified Party or a mParticle Indemnified Party (each, an “Indemnified Party”) becomes aware of any Claim it believes it should be indemnified under Section 7.4 or Section 7.5, as applicable, the Indemnified Party will give the other Party (the “Indemnifying Party”) prompt written notice of such Claim; provided, however, any failure to give such prompt notice will not relieve the Indemnifying Party of its obligations under this Section 7 except to the extent the Indemnifying Party was actually and materially prejudiced by such failure.  The Indemnified Party will cooperate, at the expense of the Indemnifying Party, with the Indemnifying Party and its counsel in the defense and the Indemnified Party will have the right to participate fully, at its own expense, in the defense of such Claim with counsel of its own choosing.  Notwithstanding anything to the contrary in this Section 7, the Indemnifying Party will not settle any Claims for which it has an obligation to indemnify pursuant to this Section 7 admitting liability or fault on behalf of the Indemnified Party, or create any obligation on behalf of the Indemnified Party, without the Indemnified Party’s prior written consent, which will not be unreasonably withheld or delayed.

8. PROFESSIONAL SERVICES

mParticle offers its customers use of its customer solutions group for assistance in implementation, training, customization, and other services applicable to Customer’s use of the mParticle Platform (the “Professional Services”).  Any Professional Services to be provided by mParticle to Customer will be set forth in a statement of work, a copy of which may be attached to an Order as an exhibit or separately that references this Agreement and is signed by authorized representatives of the Parties (each, a “Professional Services SOW”).  Each Professional Services SOW (a) will describe the Professional Services to be provided by mParticle, the fees to be paid by Customer for such Professional Services, and any other terms and conditions that may be agreed to by the Parties with respect to such Professional Services; and (b) is deemed incorporated into, and made a part of, this Agreement and will be governed by the terms and conditions of this Agreement.  To the extent any provision set forth in a Professional Services SOW conflicts with any provision set forth in this Agreement, the provision set forth in this Agreement will take precedence.  Unless otherwise expressly provided in a Professional Services SOW, all rights, title, and interest to and in any work product developed pursuant to the Professional Services (including, but not limited to, all copyrights, patents, trademarks, and other intellectual property rights relating thereto) will be owned by mParticle and will be deemed to be included in the definition of mParticle Platform licensed to Customer on the terms set forth herein

9. SPECIAL PROGRAMS

This Section 9 applies to customers engaged in mParticle special programs, the terms and conditions of which shall be set forth in an email or document sent from mParticle to Customer and/or as set forth on the mParticle website (collectively, “Special Programs”).  Notwithstanding anything to the contrary set forth herein, by participating in a Special Program, Customer acknowledges and agrees that mParticle can terminate or discontinue such Special Program at any time in its sole discretion, with or without notice to Customer.

9.1 Free Trial Program. mParticle offers a Free Trial Program (the “Trial Program”), subject to the eligibility requirements and parameters communicated through email, a document or a website when the Customer signed up (the “Trial Terms”). As long as Customer is participating in the Trial Program and abides by the Trial Terms: (a) unless otherwise agreed to in writing by Customer and mParticle, there shall be no Fees payable by Customer to mParticle for access to the mParticle Platform in connection with the Trial Program and Section 3 above will not apply; and (b) the general cap on liability in Section 7.2 shall be US$1,000.00. In the event of a conflict between this Section 9.1 and the Trial Terms, on the one hand, and the other terms of this Agreement, on the other hand, this Section 9.1 and the Trial Terms will control. If Customer converts from the Trial Program to a paid version of the mParticle Platform, this Section 9.1 will no longer apply to Customer. 

9.2  Accelerator Program.  mParticle offers an Accelerator Program (“Accelerator Program”), subject to the eligibility requirements and parameters set forth at https://www.mparticle.com/lpg/accelerator (the “Accelerator Terms”). As long as Customer is participating in the Accelerator Program and abides by the Accelerator Terms: (a) unless otherwise agreed to in writing by Customer and mParticle, there shall be no Fees payable by Customer to mParticle for access to the mParticle Platform in connection with the Accelerator Program and Section 3 above will not apply; and (b) the general cap on liability in Section 7.2 shall be US$1,000.00. In the event of a conflict between this Section 9.2 and the Accelerator Terms, on the one hand, and the other terms of this Agreement, on the other hand, this Section 9.2 and the Accelerator Terms will control. If Customer converts from the Accelerator Program to a paid version of the mParticle Platform, this Section 9.2 will no longer apply to Customer.

9.3 Growth Program. In the event Customer no longer qualifies for the Accelerator Program, mParticle may contact Customer to determine if Customer wishes to engage in mParticle’s growth program (“Growth Program”).  If Customer wishes to participate in the Growth Program, the Parties will enter into an Order. At its discretion, mParticle may increase the pricing on the Order at any time by giving Customer at least thirty (30) days prior written notice (which may be sent by email or through the mParticle Platform user interface). To participate in the Growth Program, Customer shall supply mParticle with a credit card or another form of payment to pay the fees due hereunder. Customer hereby authorizes mParticle to keep such credit card or other form of payment on file and charge it for fees due from Customer hereunder as and when due. Customer represents and warrants that Customer has the right to allow mParticle to do all of the foregoing. In the event that mParticle is not able to process the fees owned hereunder when due by charging such credit card or form of payment, mParticle may suspend Customer’s access to the mParticle Platform until such payment is made by another method and a new credit card on file is provided. mParticle may terminate this Agreement upon ten (10) days’ prior written notice if there has been more than one instance of late payment. For the avoidance of doubt, Section 3 above shall otherwise apply. In the event of a conflict between this Section 9.3 (“Growth Terms”) and the other terms of this Agreement, the Growth Terms will control.

9.4 Tech For Black Founders Program. mParticle offers a Tech For Black Founders Program (“TBF Program”), subject to the eligibility requirements and parameters set forth at https://www.mparticle.com/resources/tech-for-black-founders (“TBF Terms”). As long as Customer is eligible for and fits within the parameters of the TBF Program: (a) unless otherwise agreed to in writing by Customer and mParticle, there shall be no Fees payable by Customer to mParticle for access to the mParticle Platform in connection with the TBF Program and Section 3 above will not apply; and (b) the general cap on liability in Section 7.2 shall be US$1,000.00. In the event of a conflict between this Section 9.4 and the TBF Terms, on the one hand, and the other terms of this Agreement, on the other hand, this Section 9.4 and the TBF Terms will control. In the event Customer no longer qualifies for the TBF Program, mParticle may contact Customer to determine if Customer wishes to engage in mParticle’s Growth Program, governed by the Growth Terms in Section 9.3, or purchase a mParticle full paid product and, in either event, this Section 9.4 will no longer apply to Customer.

9.5 Other Special Programs. mParticle may adopt other Special Programs from time to time (“Other Special Programs”) subject to the eligibility requirements and parameters communicated through email, a document or a website when the Customer signed up (the “Other Special Program Terms”). As long as Customer is participating in the Other Special Programs and abides by the Other Special Program Terms: (a) any Fees payable by Customer to mParticle for access to the mParticle Platform shall be set forth in the Other Special Program Terms; and (b) the general cap on liability in Section 7.2 shall be US$1,000.00. In the event of a conflict between this Section 9.5 and the Other Special Program Terms, on the one hand, and the other terms of this Agreement, on the other hand, this Section 9.5 and the Other Special Program Terms will control. If Customer converts from an Other Special Program to a paid version of the mParticle Platform, this Section 9.5 will no longer apply to Customer.

10. PROOF OF CONCEPT ENGAGEMENT

This Section 10 shall apply to any proof of concept engagement or demo of the mParticle Platform by Customer (a “POC”). mParticle will make an account available to Customer for the purposes of use case testing in connection with the demo or POC. Any POC to be provided by mParticle to Customer will be set forth in a statement of work or similar document that references this Agreement and is signed by authorized representatives of the Parties (each, a “POC SOW”).  Each POC SOW will describe the POC to be provided by mParticle to Customer (including testing parameters and clearly defined, mutually agreed-upon measures of success) and any other terms and conditions that may be agreed to by the Parties with respect to such POC.  Each POC SOW is deemed incorporated into, and made a part of, this Agreement and will be governed by the terms and conditions of this Agreement, except the general cap on mParticle’s liability in Section 7.2 shall be US$1,000.00.  To the extent any provision set forth in a POC SOW conflicts with any provision set forth in this Agreement, the provision set forth in this Agreement will take precedence.  Unless otherwise expressly provided in a POC SOW, all rights, title, and interest to and in any work product developed pursuant to the POC (including, but not limited to, all copyrights, patents, trademarks, and other intellectual property rights relating thereto) will be owned by mParticle and will be deemed to be included in the definition of mParticle Platform and licensed to Customer on the terms set forth herein. If Customer desires to subscribe to the mParticle Platform following the completion of the POC, the Parties shall execute and deliver an Order referencing this Agreement.   

11. GENERAL

11.1 Severability. If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable.  

11.2 Assignment. Neither Party may assign this Agreement or assign or delegate its rights or obligations under the Agreement without the other Party’s prior written consent; provided however, that either Party may assign this Agreement to an acquirer of or successor to all or substantially all of its business or assets to which this Agreement relates, whether by merger, sale of assets, sale of stock, reorganization or otherwise.  Any assignment or attempted assignment by either Party other than in accordance with this Section 11.2 shall be null and void.  

11.3 Third Party Beneficiaries. This Agreement does not confer any benefits on any third party unless it expressly states that it does. 

11.4 Entire Agreement. The Parties agree that this Agreement is the complete and exclusive statement of the mutual understanding of the Parties and supersedes all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement.  

11.5 Waiver; Amendment.  The waiver by a Party of any term, provision or of a Party’s breach of this Agreement will not be effective unless such waiver is in writing and signed by the Party against whom such waiver is asserted. No waiver by a Party of a breach of this Agreement by the other Party will constitute a waiver of any other or subsequent breach by such other Party, and no failure or delay by either Party in exercising any right, power or privilege under this Agreement will operate as a waiver of it. This Agreement may be modified only by mutual written agreement of authorized representatives of the Parties.

11.6 Relationship of the Parties. No agency, partnership, joint venture, or employment is created as a result of this Agreement and a Party does not have any authority of any kind to bind the other Party in any respect whatsoever.  

11.7 Injunctive Relief. Customer acknowledges that any unauthorized use of the mParticle Platform will cause irreparable harm and injury to mParticle for which there is no adequate remedy at law. In addition to all other remedies available under this Agreement, at law or in equity, Customer further agrees that mParticle shall be entitled to injunctive relief in the event Customer uses the mParticle Platform in violation of the limited license granted herein or uses the mParticle Platform in any way not expressly permitted by this Agreement.  

11.8 Cumulative Rights. The rights and remedies expressly conferred by the Agreement are cumulative and additional to any other rights or remedies a Party may have.

11.9 Notices. mParticle will provide all notices to Customer under this Agreement by pre-paid first class mail, air courier or e-mail to the mailing or e-mail address Customer provided to mParticle on the applicable Order, or during Customer’s registration for the mParticle Platform, or to a substitute, updated mailing or e-mail address that Customer has provided to mParticle for these purposes. Customer is responsible for keeping its mailing and e-mail address current with mParticle. Except as otherwise specified in this Agreement, all notices to be given to mParticle under this Agreement must be in writing and sent by email to legal@mparticle.com, or by prepaid first class mail or air courier to mParticle at 257 Park Avenue South, 9th Floor, New York, New York 10010, U.S.A., or to a substitute, updated address notified by mParticle, marked “Attention: Legal Department.” Notices will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile or email; the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and upon receipt, if sent by certified or registered mail, return receipt requested. The foregoing notice provisions do not apply to the service of any proceedings or any documents in any legal action related to this Agreement. 

11.10 Publicity. Each Party agrees that it will not, without prior written consent of the other, issue a press release regarding their business relationship.  Notwithstanding the foregoing, mParticle may (a) create demonstration and marketing materials and information which includes Customer Data solely in anonymized or aggregated format and disclose and otherwise make such materials and information available solely in connection with marketing and demonstrating the mParticle Platform; and (b) mention Customer and the relationship between mParticle and Customer in mParticle’s marketing collateral, website, and other promotional and marketing materials.  

11.11 Force Majeure. Each Party shall be excused from performance for any period during which, and to the extent that, it is prevented from performing any obligation or service, in whole or in part, as a result of a cause beyond its reasonable control and without its fault or negligence (other than Customer’s obligation to pay Fees), including, but not limited to, acts of God, acts of war, epidemics, fire, communication line failures, power failures, earthquakes, floods, blizzard, or other natural disasters (but excluding failure caused by a Party’s financial condition or any internal labor problems (including strikes, lockouts, work stoppages or slowdowns, or the threat thereof)) (a “Force Majeure Event”).  Upon the occurrence of any Force Majeure Event, the affected Party shall give the other Party written notice thereof as soon as reasonably practicable of its failure of performance, describing the cause and effect of such failure, and the anticipated duration of its inability to perform. Delays in performing obligations due to a Force Majeure Event shall automatically extend the deadline for performing such obligations for a period equal to the duration of such Force Majeure Event; provided, however, the Party affected by a Force Majeure Event will take all reasonable actions to minimize the consequences and cause the cessation of any such event. Except as otherwise agreed upon by the Parties in writing, in the event such non-performance due to a Force Majeure Event continues for a period of thirty (30) days or more, either Party may terminate this Agreement by giving written notice thereof to the other Party. 

11.12 Governing Law; Jurisdiction. This Agreement shall be governed by the laws of the State of New York, U.S.A., without regard to its conflict of laws provisions.  For all disputes relating to this Agreement, each Party submits to the exclusive jurisdiction of the state and federal courts located in the Borough of Manhattan in the City of New York, New York, U.S.A, and waives any jurisdictional, venue, or inconvenient forum objections to such courts.  In any action or proceeding to enforce rights under this Agreement, the prevailing Party will be entitled to recover costs and attorneys’ fees.  

11.13 Interpretation. The terms “including”, “include”, “in particular”, “for example” or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms. A reference to a statute or statutory provision shall be a reference to it as amended, extended or re-enacted from time to time, and shall also include all subordinate legislation made from time to time under that statute or statutory provision. Any reference to the requirement for something to be given, received or similar in “writing” or “written” shall include and permit this to be done by e-mail provided such e-mail is sent to an authorized representative of that Party.  Unless the context requires otherwise, words importing the singular number include the plural and vice versa; words importing gender include all genders. The headings used in this Agreement and its division into sections, schedules, exhibits, appendices, and other subdivisions do not affect its interpretation. The Parties have each participated in the drafting and negotiation of this Agreement. Accordingly, any rule of legal interpretation to the effect that any ambiguity is to be resolved against the drafting party will not apply in interpreting this Agreement.

EXHIBIT A

MPARTICLE PLATFORM PRIVACY AND SECURITY RIDER

This mParticle Platform Privacy and Security Rider (this “Rider”) is incorporated into and made a part of the mParticle Platform Terms of Service to which this Rider is attached (the “Agreement”). Any capitalized term used but not defined in this Rider will have the meaning ascribed to it in the Agreement and any sections referenced herein shall refer to sections of this Rider unless otherwise indicated. For the purposes of this Rider only, and except where otherwise indicated, references to “Customer” shall include Customer and its Affiliates authorized to use the mParticle Platform pursuant to Section 1.7 of the Agreement. 

The Parties agree as follows:

1. Definitions

1.1 “CCPA” means the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 et seq.), as may be amended, superseded or replaced.

1.2 “Data Protection Laws” means all data protection and privacy laws, regulations and secondary legislation applicable to the respective Party in its role in the processing of Personal Data under the Agreement, including, to the extent applicable, European Data Protection Laws and the CCPA, as may be amended, superseded or replaced.  

1.3 “Europe” means, for the purposes of this Rider, the European Economic Area and/or its member states, the United Kingdom and/or Switzerland.

1.4 “European Data Protection Laws” means (a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR“); (b) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (c) applicable national implementations of (a) and (b); (d) in respect of the United Kingdom, the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR“) and the Data Protection Act 2018 (together the “UK Privacy Laws“); and (e) the Swiss Federal Data Protection Act (“Swiss DPA“).

1.5 “Personal Data” means any information that is protected as “personal data”, “personal information” or “personally identifiable information” under Data Protection Laws that mParticle processes on behalf of Customer under the Agreement, as more particularly described in Annex I of this Rider. 

1.6 “Restricted Transfer” means: (a) where the GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area that is not subject to an adequacy determination by the European Commission; (b) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country that is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (c) where the Swiss DPA applies, a transfer of Personal Data to a country outside of Switzerland that is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.

1.7 “Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed by mParticle under this Rider. A “Security Incident” will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

1.8 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of Personal Data to third countries annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 and currently located at https://ec.europa.eu/info/system/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf.

1.9 “Sub-processor” means any third party that has access to Personal Data and is engaged by mParticle to assist in fulfilling its obligations with respect to providing the mParticle Platform under the Agreement.  The term “Sub-processor” may include mParticle Affiliates, but shall exclude mParticle employees, contractors and consultants.  

1.10 “UK Addendum” means the “UK Addendum to the EU Standard Contractual Clauses” issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018.

1.11 Other Defined Terms. The lower case terms “controller”, “processor”, “process”, “processing” and “data subject” have the meanings given to them in applicable Data Protection Laws or if not defined therein, the GDPR, and the term “service provider” has the meaning set forth in the CCPA.

2. Scope of this Rider 

2.1 This Rider applies where and only to the extent mParticle processes Personal Data on behalf of Customer that is subject to Data Protection Laws as a processor (for the purposes of European Data Protection Law) or service provider (for the purposes of the CCPA) in the course of providing the mParticle Platform pursuant to the Agreement.

2.2 Any processing of Personal Data under the Agreement shall be performed in accordance with Data Protection Laws. However, mParticle is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer’s industry that is not applicable to mParticle.

3. Processing of Personal Data 

3.1 Permitted Purposes. mParticle shall process Personal Data in accordance with Customer’s documented lawful instructions, except where required by Applicable Law). For these purposes, Customer instructs mParticle to process Personal Data for the following purposes: (a) to perform any steps necessary for the performance of the Agreement; (b) to provide, maintain and improve the mParticle Platform in accordance with the Agreement including, but not limited to, the collection or use by mParticle of mParticle Usage Data; (c) processing initiated by end users in their use of the mParticle Platform; (d) to comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement (including this Rider); and (e) to comply with mParticle’s legal obligations under Applicable Law, including Data Protection Laws (collectively and individually the “Permitted Purpose“). 

3.2 Processing Instructions. The Parties agree that the Agreement (including this Rider), and Customer’s use of the mParticle Platform in accordance with the Agreement, set out Customer’s complete and final processing instructions and (if applicable) include and are consistent with all instructions from third party controllers. Any processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and mParticle. Customer shall ensure its instructions are lawful and that the processing of Personal Data in accordance with such instructions will not violate Data Protection Laws.

3.3 Customer Responsibilities. Where applicable, Customer shall be responsible for any communications, notifications, assistance and/or authorizations that mParticle may be required to provide to or receive from a third party controller.  Customer is responsible for determining whether the mParticle Platform is appropriate for the storage and processing of Personal Data under Data Protection Laws. Customer further agrees that: (a) it will comply with its obligations under Data Protection Laws regarding its use of the mParticle Platform and the processing of Personal Data; (b) it has provided notice and obtained all consents, permissions and rights necessary for mParticle and its Sub-processors to lawfully process Personal Data for the purposes contemplated by the Agreement (including this Rider); and (c) it will notify mParticle if it is unable to comply with its obligations under Data Protection Laws or its processing instructions will cause mParticle or its Sub-processors to be in breach of Data Protection Laws.

4. Sub-processors

4.1 Customer acknowledges and agrees that mParticle may engage Sub-processors in order to provide the mParticle Platform. Customer specifically authorizes the engagement of those Sub-processors listed at https://docs.mparticle.com/guides/approved-subcontractors/ (for the mParticle Service),       https://support.indicative.com/hc/en-us/articles/4856240377357-Indicative-Subprocessors (for the Indicative Service), and https://www.vidora.com/docs/approved-sub-processors/ (for the Cortex Service) or such other successor URL(s) notified to Customer from time to time (together, the “Sub-processor Lists“). mParticle will restrict Sub-processors’ access to Personal Data to what is necessary to assist mParticle in providing or maintaining the mParticle Platform and will remain responsible for any acts or omissions of Sub-processors to the extent they cause mParticle to breach its obligations under this Rider.   

5. Security

5.1 Security Measures. mParticle shall implement and maintain appropriate technical and organizational security measures designed to protect Personal Data from Security Incidents and preserve the security and confidentiality of Personal Data, in accordance with the measures described in Annex II (“Security Measures“). Customer acknowledges that the Security Measures are subject to technical progress and development and that mParticle may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the mParticle Platform.

5.2 Access and Confidentiality. mParticle restricts its personnel from processing Personal Data without authorization and shall ensure that any person who is authorized by mParticle to process Personal Data is under an appropriate obligation of confidentiality (whether a contractual or statutory duty).   

5.3 Customer Responsibilities. Notwithstanding the above, Customer is responsible for reviewing the information made available by mParticle relating to data security and making an independent determination as to whether the mParticle Platform meets Customer’s requirements and legal obligations under Data Protection Laws. Customer further agrees that Customer is responsible for its secure use of the mParticle Platform, including securing its account authentication credentials and taking any appropriate steps to backup any Personal Data processed in connection with the mParticle Platform.  

5.4 Security Incidents. Upon becoming aware of a Security Incident, mParticle shall notify Customer without undue delay and, where feasible, within 72 hours. mParticle shall provide Customer with timely information relating to the Security Incident as it becomes known or is reasonably requested by Customer to fulfill its obligations under Data Protection Laws. mParticle will also take reasonable steps to contain, investigate, and mitigate any Security Incident.

6. Audits

6.1 mParticle shall provide written responses (which may include audit report summaries/extracts) to all reasonable requests made by Customer for information relating to mParticle’s processing of Personal Data, including responses to information and security audit questionnaires submitted to it by Customer and that are necessary to confirm mParticle’s compliance with this Rider, provided that Customer will not exercise this right more than once per calendar year or when Customer is expressly requested or required to provide this information to a supervisory authority, or mParticle has experienced a Security Incident, or on another reasonably similar basis. Nothing herein shall be construed to require mParticle to provide: (a) trade secrets or any proprietary information; (b) any information that would violate mParticle’s confidentiality obligations, contractual obligations, or Applicable Law; or (c) any information, the disclosure of which could threaten, compromise, or otherwise put at risk the security, confidentiality, or integrity of mParticle’s infrastructure, networks, systems, or data.

7. International Transfers

7.1 Customer acknowledges and agrees that mParticle and its Affiliates and Sub-processors may transfer and process Personal Data to and in the United States and the other locations in which mParticle, its Affiliates or its Sub-processors maintain data processing operations as more particularly described in the Sub-Processor Lists. mParticle shall ensure that such transfers are made in compliance with Data Protection Laws and this Rider. 

7.2 If an Order or submission form indicates that Customer Data will be localized in the EU or Australia for the mParticle Service, Customer Data will be stored and processed in the EU or Australia (as applicable) solely in connection with Customer’s use of the mParticle Service; provided, however, that if mParticle customer service or technical personnel needs to access Customer Data to perform its obligations to Customer, such personnel may be physically located outside the EU or Australia (as applicable) and therefore technically a small amount of data may be processed outside the EU or Australia, as applicable, and, as such, the Parties hereby enter into Standard Contractual Clauses to account for such transfers. For purpose of clarity, this Section 7.2 will not apply to the Indicative Service or Cortex Service.

8. Deletion or Return of Personal Data

8.1 Upon termination or expiry of the Agreement, at Customer’s written election, mParticle shall delete or return all Personal Data in its possession or control in accordance with the terms of the Agreement. This requirement shall not apply to the extent mParticle or its Affiliates or Sub-processors are required by Applicable Law to retain some or all of the Personal Data, or to Personal Data archived on back-up systems, which shall be securely isolated and protected from any further processing (to the except permitted by Applicable Law). The Parties agree that the certification of deletion of Personal Data described in Clause 8.5 and 16 (d) of the SCCs shall be provided by mParticle to Customer only upon Customer’s written request.

9. Cooperation

9.1 Data subject requests. To the extent that Customer is unable to independently access the relevant Personal Data within the mParticle Platform, mParticle shall, taking into account the nature of the processing, provide reasonable cooperation to assist Customer in responding to any requests from individuals relating to the processing of Personal Data under the Agreement. In the event that any such request is made to mParticle directly, mParticle shall promptly notify Customer and will not respond to the request directly except to direct the data subject to the Customer without Customer’s prior authorization, unless and to the extent legally compelled to do so. 

9.2 Law enforcement requests. If a law enforcement agency sends mParticle a demand for Personal Data (including through a subpoena or court order), mParticle will attempt to redirect the law enforcement agency to request that Personal Data directly from Customer. As part of this effort, mParticle may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Personal Data to a law enforcement agency, then mParticle will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy, unless mParticle is legally prohibited from doing so.

9.3 General cooperation. Each Party will reasonably cooperate with the other in any activities contemplated by this Rider and to enable each Party to comply with its respective obligations under Data Protection Laws.

10. Jurisdiction Specific Terms

10.1 California (CCPA). To the extent that Personal Data is subject to the CCPA, mParticle agrees that it shall process Personal Data as a service provider and shall not (a) retain, use or disclose Personal Data for any purpose other than the purposes set out in the Agreement and this Rider and as permitted by the CCPA; or (b) “sell” personal information (as defined and interpreted within the requirements of the CCPA). The Parties agree that Customer’s transfer of Personal Data to mParticle is not a sale, and Customer provides no monetary or other valuable consideration to mParticle in exchange for the Personal Data.

10.2 Europe

10.2.1 To the extent that Personal Data is subject to European Data Protection Laws, the terms in this Section 10.2 shall apply in addition to the terms in the remainder of this Rider.

10.2.2 Processing Instructions. Without prejudice to Section 3.3 (Customer Responsibilities), mParticle shall notify Customer in writing, unless prohibited from doing so under Data Protection Laws, if it becomes aware or believes that any processing instructions from Customer violate European Data Protection Laws.

10.2.3 Sub-processor Obligations. mParticle shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Personal Data as required by this Rider (to the extent applicable, considering the nature of the services provided by the Sub-processor).  

10.2.4 Changes to Sub-processors. mParticle will provide at least thirty (30) days’ prior notice via updating the Sub-processor Lists (or such other notification mechanism made available by mParticle) if it intends to make any changes to its Sub-processors. Customer may object in writing to mParticle’s appointment of a new Sub-processor on reasonable grounds relating to data protection (e.g., if making Personal Data available to the Sub-processor would violate European Data Protection Laws or weaken the protections for Personal Data) by notifying mParticle in writing to legal@mparticle.com within ten (10) days of receiving notification from mParticle. In such event, the Parties shall discuss Customer’s concerns in good faith with a view to achieving a mutually acceptable resolution. If the Parties cannot reach a mutually acceptable resolution, mParticle shall, at its sole discretion, either not appoint the Sub-processor, or permit Customer to suspend or terminate the affected portion of the mParticle Platform in accordance with the Agreement without liability to either Party (but without prejudice to any fees incurred by Customer prior to suspension or termination).

10.2.5 Application of the Standard Contractual Clauses. The Parties agree that when the transfer of Personal Data from Customer (as “data exporter”) to mParticle (as “data importer”) is a Restricted Transfer and European Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and form a part of this Rider, as follows:

(a) the SCCs shall apply, completed as follows:

(i) Module Two (Controller to Processor) will apply;

(ii) in Clause 7, the optional docking clause will not apply;

(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 10.2.4;

(iv) in Clause 11, the optional language will not apply;

(v) in Clause 17, Option 1 will apply, and the SCCs will be governed by the laws of Ireland;

(vi) in Clause 18(b), disputes shall be resolved before the courts of the EU Member State selected above;

(vii) Annex I of the SCCs shall be deemed completed with the information set out in Annex I to this Rider; and

(viii) Subject to Section 5.1, Annex II of the SCCs shall be deemed completed with the information set out in Annex II to this Rider;

(b) in relation to Personal Data that is protected by the UK GDPR, the SCCs as implemented under sub-paragraph (a) above will apply with the following modifications:  

(i) the SCCs shall be deemed amended as specified by Part 2 of the UK Addendum;

(ii) tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed respectively with the information set out in Annexes I and II and Section 4.1 of this Rider (as applicable); and 

(iii) table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”.

(c) in relation to transfers of Personal Data protected by the Swiss DPA, the SCCs will also apply in accordance with paragraph (a) above, with the following modifications:

(i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA;

(ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA; 

(iii) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”; 

(iv) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);

(v) Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner; 

(vi) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”; 

(vii) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland;

(viii) Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland; and

(ix) the SCCs shall also protect the data of legal entities until the entry into force of the revised Swiss Federal Data Protection Act.

(d) It is not the intention of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the SCCs conflict with any provision of the Agreement (including this Rider) the SCCs shall prevail to the extent of such conflict.

10.26 Alternative Transfer Arrangements. To the extent mParticle adopts an alternative lawful data export mechanism for the transfer of Personal Data not described in this Rider (“Alternative Transfer Mechanism“), the Alternative Transfer Mechanism shall, upon notice to Customer, apply instead of any applicable transfer mechanism described in this Rider (but only to the extent such Alternative Transfer Mechanism complies with European Data Protection Laws and extends to the territories to which Personal Data is transferred) and Customer agrees to execute such other and further documents and take such other and further actions as may be reasonably necessary to give legal effect such Alternative Transfer Mechanism. 

10.2.7 Data Protection Impact Assessments. To the extent mParticle is required under applicable European Data Protection Laws, mParticle shall provide reasonably requested information regarding mParticle’s processing of Personal Data under the Agreement to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

 11. Limitation of Liability

11.1 Any claim or remedy Customer or its Affiliates may have against mParticle and its Affiliates and their respective employees, agents and Sub-processors, arising under or in connection with this Rider (including the Standard Contractual Clauses), whether in contract, tort (including negligence) or under any other theory of liability, shall be subject to the limitations and exclusions of liability in the Agreement. Accordingly, any reference in the Agreement to the liability of a Party means the aggregate liability of that Party and all of its Affiliates under and in connection with the Agreement and this Rider together.

11.2 mParticle will have no liability whatsoever in connection with any Sensitive Data ingested into the mParticle Platform by Customer contrary to the provisions in the Agreement and this Rider.

12. Miscellaneous

12.1 Each Party acknowledges that the other Party may disclose this Rider (including the Standard Contractual Clauses) and any relevant privacy provisions in the Agreement to the U.S. Department of Commerce, the Federal Trade Commission, a European data protection authority or any other U.S. or European judicial or regulatory body upon their request. 

12.2 In the event of a conflict between the Agreement and this Rider, this Rider shall take precedence with respect to any terms as they relate to mParticle’s processing of any Personal Data. 

12.3 Notwithstanding anything else to the contrary in the Agreement and without prejudice to Section 3.2, mParticle may periodically make modifications to this Rider as may be required to comply with Data Protection Laws.

12.4 The provisions of this Rider are severable. If any phrase, clause or provision or Annex (including the Standard Contractual Clauses) is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this Rider or the remainder of the Agreement, which shall remain in full force and effect. 

12.5 This Rider shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws or the Standard Contractual Clauses. 

ANNEX I

A. LIST OF PARTIES

Data exporter:  

  • Name of the data exporter: The entity identified as the “Customer” in the Agreement and Rider.
  • Address: The address for the Customer associated with its mParticle account or otherwise specified in the Agreement. 
  • Contact person’s name, position and contact details: The contact details associated with Customer’s account, or otherwise specified in this Rider or the Agreement. 
  • Activities relevant to the data transferred: The activities specified in Annex I(B) below. 
  • Role (Controller/Processor): Controller.
  • Signature and date: See signature page of the Agreement.

Data importer: 

  • Name of the data importer: The entity identified as mParticle in the Agreement and Rider.
  • Address: The address specified in the Agreement.
  • Contact person’s name, position and contact details: Legal Department, legal@mparticle.com
  • Activities relevant to the data transferred: The activities specified in Annex I(B) below. 
  • Role (Controller/Processor): Processor.
  • Signature and date: See signature page of the Agreement.

B. DESCRIPTION OF THE PROCESSING / TRANSFER

Categories of data subjects

The personal data transferred concern the following categories of data subjects (please specify):

Past, present, or future employees, agents, or representatives of the data exporter, its customers, the past, present, or future employees, agents, or representatives of its customers, and other data subjects whose data may be provided pursuant to the Agreement.

Categories of personal data transferred

The personal data transferred concern the following categories of data (please specify):

Personal data may include names, email addresses and pseudonymous personal data such as IP Addresses and mobile advertising ID collected from the mobile applications and other digital property owned or controlled by data exporter.

Sensitive data transferred (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

N/A. Customer will not use the mParticle Platform to collect, transmit or provide sensitive data, or otherwise make available sensitive data to the mParticle Platform.

Frequency of the transfer

Personal Data may be transferred on a continuous or one-off basis depending on the Customer’s use of the mParticle Platform and the Customer’s processing instructions.

Subject matter of the processing

Personal Data. 

Nature of the processing

The provision of the mParticle Platform as described in the Agreement and initiated by the Customer from time to time.

Duration of the processing

The duration of the Agreement plus the period from the expiry of the Agreement until deletion of the Personal Data by mParticle in accordance with the Agreement.

Purposes of the data transfer and further processing

The Permitted Purposes (as defined in this Rider).

Period for which the Personal Data will be retained, or if that is not possible the criteria used to determinate that period, if applicable

The data exporter determines the duration of processing in accordance with the Agreement and this Rider.

C. COMPETENT SUPERVISORY AUTHORITY

The data exporter’s competent supervisory authority will be determined in accordance with the GDPR. 

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):

mParticle Service

The following technical and organisational security measures apply solely to the mParticle Service. 

As a cloud-native company, the mParticle Service makes extensive use of the Amazon AWS platform and the wide range of security features that AWS provides.

AWS uses a ‘Shared Responsibility Model’, where Amazon is responsible for securing the underlying infrastructure and networks and the mParticle Service secures the data that is hosted and code that runs in the environment.

All mParticle Service systems use TLS, where supported, to protect data in transit between end user devices, the mParticle Service and its partner services. Data is also encrypted at rest within the AWS environment using AES256 to encrypt mParticle’s EBS Volumes.

mParticle Service production secrets are protected using a combination of Hashicorp Vault, Amazon KMS and CloudHSM with role based access configured to prevent plaintext secrets ever being stored on disk.

The mParticle Service makes use of AWS Inspector to identify and report on known vulnerabilities in production hosts.

All mParticle’s staff engaged with the mParticle Service undergo background checks and annual sec training and must adhere to published internal security policies. Policy areas include:

  • Password strength and complexity
  • Encryption and key management
  • Device tooling and Monitoring
  • Secure development practices
  • Secrets Management
  • Disciplinary actions

mParticle enforces strict role-based access control with periodic audits to all mParticle Service systems (Corp and Prod) and operate using the principle of least privilege. mParticle’s staff engaged with the mParticle Service are only given the access that they require to do their job. By default, no such mParticle staff are able to access customer data as it is both physically and logically separated from mParticle’s corporate network. Developers are not granted access to the production infrastructure and all deploys are performed by the Operations Team.

mParticle engages a number of third party penetration testing companies to provide at least annual assessments of the mParticle Service’s security stance. These tests include web application, infrastructure and social engineering engagements.

mParticle’s dedicated security team makes use of monitoring and logging capabilities from all areas of the mParticle Service stack to identify malicious behavior with automated alerting in place to flag anomalies.

Only authorised devices are able to connect to mParticle’s corporate networks and all devices are forced to include the following protections:

  • Antivirus with automatic daily updates
  • DNS protection using Cisco Umbrella to protect against malicious sites
  • Full disk encryption. Every device is configured to use strong encryption to protect local data.
  • Endpoint protection/management tools – mParticle has tooling on every corporate system to ensure compliance and detect malicious behaviour.
  • Automatic password protected screensaver locks
  • Automatic account lockouts on number of authentication attempts

mParticle utilises Active Directory and ADFS for centralised authentication and supplement with multi factor authentication for access to sensitive mParticle Service systems including mParticle’s VPNs, AWS and Production environments. For 2FA, mParticle makes use of Duo, physical yubikeys and smart cards to limit access to individual hosts within production in combination with SSH keys via locked down bastion hosts.

mParticle conducts security audits of any third party vendors and sub-contractors engaged by mParticle in connection with the mParticle Service, and expects at least a comparable level of security from such vendors and sub-contractors.

Supplemental Measures implemented pursuant to The European Data Protection Board (EDPB) Recommendations 01/2020 on measures which supplement mParticle Service transfer tools to ensure compliance with the EU level of protection of personal data Version 2.0 and adopted on 18 June 2021 are available upon request.

A Transfer Impact Assessment for the mParticle Service and any additional supplemental measures implemented in connection therewith, as applicable, are available upon request.

Indicative Service

The following technical and organisational security measures apply solely to the Indicative Service.

As a cloud-native company, the Indicative Service makes extensive use of the Google Cloud Platform (GCP) platform and the wide range of security features that GCP provides. GCP uses a ‘Shared Responsibility Model’, where Google is responsible for securing the underlying infrastructure and networks and the Indicative Service secures the data that is hosted and code that runs in the environment.

All Indicative Service systems use TLS, where supported, to protect data in transit between end user devices, the Indicative Service application and its partner services. Data is also encrypted at rest within the GCP environment using AES256 to encrypt the Indicative Service’s Persistent Disks.

The Indicative Service makes use of Lacework to identify and report on known vulnerabilities in production hosts.

All mParticle engaged with the Indicative Service staff undergo background checks and annual sec training and must adhere to published internal security policies. Policy areas include:

  • Password strength and complexity
  • Encryption and key management
  • Device tooling and Monitoring
  • Secure development practices
  • Secrets Management
  • Disciplinary actions

mParticle enforces strict role-based access control with periodic audits to all Indicative Service systems (Corp and Prod) and operate using the principle of least privilege. mParticle’s staff engaged with the Indicative Service are only given the access that they require to do their job. By default, no such mParticle staff are able to access raw customer data as it is both physically and logically separated from mParticle’s corporate network. Developers are only granted access to production infrastructure on an as needed basis.

mParticle engages a number of third party penetration testing companies to provide at least annual assessments of the Indicative Service’s security stance. These tests include web application, infrastructure and social engineering engagements.

mParticle’s dedicated security team makes use of monitoring and logging capabilities from all areas of the Indicative Service stack to identify malicious behavior with automated alerting in place to flag anomalies.

Only authorised devices are able to connect to mParticle’s corporate networks and all devices are forced to include the following protections:

  • Antivirus with automatic daily updates
  • DNS protection using Cisco Umbrella to protect against malicious sites
  • Full disk encryption. Every device is configured to use strong encryption to protect local data.
  • Endpoint protection/management tools – Indicative has tooling on every corporate system to ensure compliance and detect malicious behaviour.
  • Automatic password protected screensaver locks
  • Automatic account lockouts on number of authentication attempts

For 2FA, mParticle makes use of Duo, physical yubikeys and smart cards to limit access to individual hosts within production in combination with SSH keys via locked down bastion hosts.

mParticle conducts security audits of any third party vendors and sub-contractors engaged by mParticle in connection with the Indicative Service, and expects at least a comparable level of security from such vendors and sub-contractors.

Supplemental Measures implemented pursuant to The European Data Protection Board (EDPB) Recommendations 01/2020 on measures which supplement Indicative Service transfer tools to ensure compliance with the EU level of protection of personal data Version 2.0 and adopted on 18 June 2021 are available upon request.

A Transfer Impact Assessment for the Indicative Service and any additional supplemental measures implemented in connection therewith, as applicable, are available upon request.

Cortex Service

The following technical and organisational security measures apply solely to the Cortex Service. 

As a cloud-native company, the Cortex Service makes extensive use of the Amazon AWS platform and the wide range of security features that AWS provides. AWS uses a ‘Shared Responsibility Model’, where Amazon is responsible for securing the underlying infrastructure and networks and the Cortex Service secures the data that is hosted and code that runs in the environment.

All Cortex Service systems use TLS, where supported, to protect data in transit from and to the customer’s data centers or clients to the Cortex Service. Customer Data is also encrypted at rest within the AWS environment (in both S3 and on the individual disks).

mParticle uses standard AWS security guidelines for the Cortex Service:

  • Only publicly accessible ports are those for HTTP/HTTPS (80/443)
  • All Customer Data is stored within Amazon AWS Virtual Private Cloud
  • Access to AWS EC2 instances run by mParticle is restricted to SSH and over VPN and with each individual’s private SSH key
  • All internal services (databases, internal APIs, application services, etc.) for the Cortex Service can only be accessed from within mParticle’s AWS infrastructure
  • Machine to machine communication within mParticle’s AWS infrastructure is restricted
  • Deployment of Cortex Service credentials is managed through Chef’s Encrypted Data Bag service (managed internally by the mParticle production operations team)

Access by mParticle employees to the Cortex Service infrastructure must be over a VPN, via SSH, and with each individual’s private SSH key. Password based access is not allowed, and passphrases are mandatory for private keys for ssh-based access.  Access by mParticle employees to compute and storage systems of the Cortex Service are governed by such employees’ specific IAM roles, and each employee is provisioned using AWS IAM. Limited employees have access to the AWS IAM portal and must use MFA when logging in.

All access by customers to the Cortex Service goes through mParticle’s external load balancers. The external facing web application and mParticle APIs for the Cortex Service use HTTPS. All data transferred into and out of the systems for the Cortex Service is over HTTPS. The Cortex Service provides standard methods for signing API requests, using the key and secret, for additional protection.

User behavior data for the Cortex Service is stored in S3 and internal databases:

  • S3 is accessible only through mParticle’s private keys
  • Internal databases are only accessible with internal credentials and from within the Cortex Service infrastructure
  • Encrypted at rest

A Transfer Impact Assessment for the Cortex Service and any additional supplemental measures implemented in connection therewith, as applicable, are available upon request.

History

[11/12/2017]