END USER LICENSE AGREEMENT

 

THIS END USER LICENSE AGREEMENT (“AGREEMENT”) IS BY AND BETWEEN CHEF SOFTWARE INC., LOCATED AT 619 WESTERN AVENUE, SUITE 400, SEATTLE WA 98104 (“CHEF” OR “US”) AND THE INDIVIDUAL OR LEGAL ENTITY (“END USER” OR “YOU”) WHO IS USING THE APPLICABLE SOFTWARE MADE AVAILABLE BY CHEF (“SOFTWARE”) OR PROFESSIONAL SERVICES (“SERVICES” AND TOGETHER WITH THE SOFTWARE, THE “PRODUCT”). THIS AGREEMENT GOVERNS ALL USE BY END USER OF THE PRODUCT.

BY EXECUTING THIS AGREEMENT, OR OTHERWISE USING THE PRODUCT, END USER EXPRESSLY ACCEPTS AND AGREES TO THE TERMS OF THIS AGREEMENT. IF YOU ARE AN INDIVIDUAL AGREEING TO THE TERMS OF THIS AGREEMENT ON BEHALF OF AN ENTITY, SUCH AS YOUR EMPLOYER, YOU REPRESENT THAT YOU HAVE THE LEGAL AUTHORITY TO BIND THAT ENTITY AND “END USER” SHALL REFER HEREIN TO SUCH ENTITY. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THE TERMS OF THIS AGREEMENT, YOU ARE NOT GRANTED PERMISSION TO ACCESS OR OTHERWISE USE THE PRODUCT.

This Agreement, including all referenced documents located at the URLs listed below, is effective as of the date You (i) accept the Agreement by clicking “I Accept” or similar on Chef’s website or (ii) download the Software, whichever is earlier.

  1. Definitions. Capitalized terms used herein have the following definitions:
    1. “Affiliate” means any entity that is controlled by or under common control with End User, where “control” means the ability whether directly or indirectly to direct the affairs of another by means of ownership, contract or otherwise.
    2. “Confidential Information” means any proprietary information received by the other party during, or prior to entering into, this Agreement that is identified as confidential at the time of disclosure or that a party reasonably should know is confidential or proprietary based on the circumstances surrounding the disclosure including, without limitation, the Software and any non-public technical and business information. Confidential Information does not include information that (a) is or becomes generally known to the public through no fault of or breach of this Agreement by the receiving party; (b) is rightfully known by the receiving party at the time of disclosure without an obligation of confidentiality; (c) is independently developed by the receiving party without use of the disclosing party’s Confidential Information; or (d) the receiving party rightfully obtains from a third party without restriction on use or disclosure.
    3. “Documentation” means any on-line help files, instruction manuals, operating instructions and user manuals created and provided by Chef that describe the use of the Software and either accompany the Software or are available at https://docs.chef.io and https://www.habitat.sh/docs/overview
    4. “Habitat Supervisor” means a process manager in Chef Habitat that (i) starts and monitors the child app service defined in a package; and (ii) receives and acts upon configuration changes from other Habitat Supervisors to which it is connected.
    5. “Intellectual Property Rights” means patent rights (including without limitation patent applications and disclosures), copyrights (including without limitation rights in audiovisual works and moral rights), trade secrets, trademarks, know-how, moral rights, and any other intellectual property rights recognized in any country or jurisdiction in the world.
    6. “License Fee” means fees paid to Chef from End User in exchange for End User’s right to use and/or sublicense the Software as provided in this Agreement.
    7. “License Term” means the term during which End User is permitted to use the Software. 
    8. “Node” means each individual component of End User’s system – physical or virtual (i.e., server, workstation, IP router, Virtual Machine, or other device or component) that is assessed, installed, configured, updated, scanned and/or managed through the use of the Software, including without limitation Habitat Supervisors.
    9. “Services” means Support Services.
    10. “Software” means the applicable software made available by Chef and referenced on an Order Form, including all updates, libraries, gems, databases, plug-ins, messaging services, authentication sub-functions, certificate management, and environments provided by Chef to End User during the applicable License Term.
    11. “Support Services” means the technical support services described at https://www.chef.io/service-level-agreement/ or in any Order Form.
  2. License Grant and Support. During the applicable License Term, and subject to End User’s compliance with the terms and conditions of Sections 4, 10, 12, and 14, Chef grants to End User a worldwide, non-exclusive, non-transferable, non-sublicensable license to (a) install and use the Software only for the internal use of End User (“License”), (whether on premises or in the cloud, and including any information technology infrastructure for the benefit of End User’s customers) and limited to the number of Nodes for which End User and Partner are current in the payment of the applicable License Fee and, (b) to use the Documentation only for its internal operation and use.
    1. Support. During the applicable License Term, Chef will provide Support to End User as specified in the applicable Attachment or Order Form.
    2. Third Party Support. End User may also elect, at its discretion, to obtain separate support by a third party for all or some of its licensed Nodes (“Administered Nodes”).
      1. End User agrees that it will provide Chef the following information in connection with all Administered Nodes for all periods that it is using a third party to support Administered Nodes during the applicable License Term:
        1. End User identification number/name with third party
        2. Number of Administered Nodes for the prior month as of the 10th day of each following Month
      2. The License Term for the Software is independent of any support term for Administered Nodes that End User may elect with a third party.
      3. Failure by End User to provide the information in this Section 2(b) will be a material breach of this Agreement.
  3. Third Party Software. The Software includes components under license from third parties, including open source licenses (the “Third Party Components”). Third Party Components are subject to the terms of their accompanying licenses. Please see https://www.chef.io/3rd-party-licenses/ for more details. For avoidance of doubt, Chef’s warranty of the Software includes all Third Party Components to the extent embedded in, and used by, the Software.
  4. Restrictions. The License is limited. Except as otherwise expressly permitted in this Agreement, End User will not: (a) copy or use the Software in any manner except as expressly permitted in this Agreement; (b) use or deploy the Software on any Node in excess of the Nodes for which End User has paid the applicable License Fee; (c) transfer, sell, rent, lease, commercialize, lend, distribute, or sublicense the Software to any third party; (d) reverse engineer, disassemble, or decompile the Software (except to the extent such restrictions are prohibited by law); (e) alter or remove any proprietary notices in the Software; (f) make available to any third party the functionality of the Software or any license keys used in connection with the Software; or (g) use the Software for any purpose that is unlawful or prohibited by this Agreement or otherwise. If End User does not comply with the License terms or the foregoing restrictions, Chef may terminate the applicable License.
  5. Proprietary Rights.
    1. Software and Documentation. Other than the License granted in Section 2, Chef and its licensors retain all right, title and interest in and to the Software and Documentation and all components thereof, including all patent, copyright, trademark, and trade secret rights, whether such rights are registered or unregistered, and wherever in the world those rights may exist and in any derivatives, modifications and enhancements thereto (collectively, the “Chef Rights”). End User will not commit any act or omission, or permit or induce any third party to commit any act or omission, inconsistent with the Chef Rights. Chef or its licensors own all graphics, user and visual interfaces, images, code, applications, and text, as well as the design, structure, selection, coordination, expression, “look and feel”, and arrangement of the Software and its content, and the trademarks, service marks, proprietary logos and other distinctive brand features found in the Software (collectively, the “Chef Marks”). This Agreement does not permit End User to distribute any product or service using the Chef Marks, including in connection with any Third Party Components. Chef will retain title to all copies of the Software provided to End User or made by End User. There are no implied rights or licenses in this Agreement. All rights are expressly reserved by Chef.
  6. Delivery and Acceptance.
    1. Acceptance. Chef will make the Software available to End User electronically. Software will be deemed to be delivered to End User’s billing address unless End User provides written notice otherwise. The Software will be deemed accepted immediately upon delivery.
  7. Warranty.
    1. Services Warranty. Chef warrants to End User for a period of sixty (60) days after End User acceptance of Services or initial receipt of or access to the Software, as applicable (the “Warranty Period”) that: (a) the Services will be performed in a good and workmanlike manner. Chef’s sole obligation under the limited warranty set forth in this Section 7(a) is to use commercially reasonable efforts to correct any Services that do not comply with the warranties set forth in this Section 7(a) (e.g., by reperformance of any noncomplying Services); provided that End User gives Chef written notice of the noncompliance within the Warranty Period. If, after the expenditure of commercially reasonable efforts, Chef is unable to correct the noncompliance, Chef may choose to terminate the License and promptly refund End User a pro-rata portion of any prepaid License Fees based on the remainder of the License Term.
    2. Software Warranty. Chef warrants that the Software will perform in all material respects as specified in its accompanying Documentation under normal use for the duration of the Warranty Period. This warranty extends only to End User. To the maximum extent permitted by applicable law, End User’s exclusive remedy for a breach of this limited warranty is to return any allegedly defective Software, and Chef, at its option, will replace it or refund any fee paid for the Software provided that End User gives Chef written notice of the noncompliance within the Warranty Period. Chef’s sole obligation under the limited warranty set forth in this Section 7(b) is to use its reasonable efforts to correct or replace any non-conforming Software once Chef has been made aware of such non-conformance or, in Chef’s sole discretion, to terminate this Agreement (in which event, End User will immediately stop using the Software) and refund the License Fees paid by End User to Chef up through the effective date of such termination.
    3. Exclusions. The warranties under Sections 7(a) and 7(b) do not apply to any noncompliance resulting from any: (a) use not in accordance with this Agreement or any applicable Order Form, including End User operation or use of the Software other than in accordance with applicable documentation or design or on hardware not recommended, supplied or approved by Chef; (b) modification, damage, misuse or other action of End User or any third party; or (c) combination with any goods, services or other items provided by End User or any third party. Further, Chef does not warrant that the Software or any other items furnished by Chef under this Agreement or any Order Form are free from non-material bugs, errors, defects or deficiencies.
    4. Disclaimer. EXCEPT FOR THE LIMITED WARRANTY IN SECTIONS 7(a) AND 7(b) ABOVE, THE SOFTWARE AND ANY SERVICES PROVIDED UNDER THIS AGREEMENT ARE PROVIDED “AS IS”, WITHOUT ANY WARRANTIES OF ANY KIND, INCLUDING BUT NOT LIMITED TO, WARRANTIES CONCERNING THE USE, INTER-OPERABILITY, OR PERFORMANCE OF THE SOFTWARE. CHEF DISCLAIMS ANY AND ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND/OR NON-INFRINGEMENT. CHEF DOES NOT WARRANT THAT THE SOFTWARE OR SERVICES WILL MEET END USER’S REQUIREMENTS OR THAT THE OPERATION THEREOF WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ERRORS WILL BE CORRECTED.
  8. Indemnification.
    1. Indemnification by Chef. Chef will indemnify End User and will pay any costs or damages that may be finally awarded in respect of any third party claims, proceedings, costs or damages, including actual attorneys’ fees and court costs and expenses in any such third party action, proceeding or case, and agreed settlements to the extent that the Software infringes any United States patent, or any copyright, trademark or other proprietary right of such third party; provided that End User: (a) promptly notifies Chef of the claim; (b) gives Chef all necessary information regarding the claim; (c) reasonably cooperates with Chef; and (d) allows Chef to control the defense and all related settlement negotiations; provided that, if any settlement requires a non-monetary obligation of an indemnified party (other than ceasing use of the Software), then such settlement will require the End User’s prior written consent, which consent will not be unreasonably withheld.
    2. Exclusions. Chef will have no liability for any infringement claim (a) based on modifications to the Software made by a party other than Chef or third party acting on behalf of Chef, if a claim would not have occurred but for such modifications, (b) based on the use of other than the then-current, unaltered version or release of the Software, unless the infringing portion is also in the then-current, unaltered version or release; (c) based on the use, operation or combination of the Software with non-Chef programs, data, equipment or documentation if such infringement would have been avoided but for such use, operation or combination; (d) attributable to any Third Party Components; or (e) based on End User’s use of the Software other than in accordance with this Agreement or the applicable Documentation.
    3. Sole Remedy. THE TERMS OF THIS SECTION 8 CONSTITUTE THE ENTIRE LIABILITY OF CHEF, AND END USER’S SOLE AND EXCLUSIVE REMEDY WITH RESPECT TO ANY INDEMNIFICATION CLAIMS OF ANY KIND.
    4. Indemnification by End User. End User will defend, indemnify, and hold harmless Chef and affiliates and all of their respective employees, agents, directors, officers, shareholders, attorneys, successors, and assigns from and against any third party claim arising from or in any way related to End User’s violation of (i) applicable laws, rules or regulations and/or (ii) the confidentiality provisions of this Agreement, including any liability or expense arising from all claims, losses, damages (actual and consequential), suits, judgments, litigation costs and attorneys’ fees, of every kind and nature. In such a case, Chef will provide End User with written notice of such claim, suit or action.
  9. Limitation of Liability.
    1. Indirect Damages. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EXCEPT AS OTHERWISE PROVIDED SPECIFICALLY IN THIS AGREEMENT, IN NO EVENT WILL EITHER PARTY, ITS AFFILIATES, LICENSORS, OR THEIR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES, CONTRACTORS OR AGENTS BE LIABLE TO THE OTHER PARTY OR TO ANY THIRD PARTY FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES OR FOR THE COST OF PROCURING SUBSTITUTE PRODUCTS OR SERVICES ARISING OUT OF OR IN ANY WAY RELATING TO OR IN CONNECTION WITH THIS AGREEMENT OR THE USE OF OR INABILITY TO USE THE SOFTWARE, DOCUMENTATION OR THE SERVICES PROVIDED BY CHEF HEREUNDER INCLUDING, WITHOUT LIMITATION, DAMAGES OR OTHER LOSSES FOR LOSS OF USE, LOSS OF BUSINESS, LOSS OF GOODWILL, WORK STOPPAGE, LOST PROFITS, LOSS OF DATA, COMPUTER FAILURE OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES EVEN IF ADVISED OF THE POSSIBILITY THEREOF AND REGARDLESS OF THE LEGAL OR EQUITABLE THEORY (CONTRACT, TORT OR OTHERWISE) UPON WHICH THE CLAIM IS BASED.
    2. Aggregate Liability. IN NO EVENT WILL EITHER PARTY’S AGGREGATE LIABILITY FOR DIRECT DAMAGES, FROM ALL CAUSES OF ACTION AND UNDER ALL THEORIES OF LIABILITY, EXCEED THE TOTAL LICENSE FEES PAID BY END USER FOR CHEF PRODUCTS UNDER THIS AGREEMENT DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE ARISING OF A CLAIM.
    3. General. THESE LIMITATIONS APPLY EVEN IF THIS SECTION 9 IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR OTHER DAMAGES, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY. IN SUCH EVENT, THE LIABILITY OF THE PARTIES WILL BE LIMITED TO THE GREATEST EXTENT PERMITTED BY APPLICABLE LAW.
    4. Exclusion – Violations of Law. The limits in Section 9(a) and Section 9(b) above do not apply to damages incurred by a party due to the other party’s violation of applicable laws.
  10. Confidentiality and Privacy. End User and Chef will maintain the confidentiality of Confidential Information. The receiving party of any Confidential Information of the other party agrees not to use such Confidential Information for any purpose except as necessary to fulfill its obligations and exercise its rights under this Agreement. The receiving party will protect the secrecy of and prevent disclosure and unauthorized use of the disclosing party’s Confidential Information using the same degree of care that it takes to protect its own confidential information and in no event will use less than reasonable care. The terms of this Confidentiality section will survive termination of this Agreement. Upon termination or expiration of this Agreement, the receiving party will, at the disclosing party’s option, promptly return or destroy (and provide written certification of such destruction) the disclosing party’s Confidential Information.

    If the End User is located in the European Union then the following terms will apply:

    1. Definitions:  In this Section 10, the following terms will have the following meanings:
      1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
      2. “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”) and “Special Categories of Personal Data” will have the meanings given in Applicable Data Protection Law;
      3. “Applicable Data Protection Law” will mean: (i) prior to 25 May 2018, the EU Data Protection Directive (Directive 95/46/EC); and (ii) on and after 25 May 2018, the EU General Data Protection Regulation (Regulation 2016/679).
      4. “Standard Contractual Clauses” means the contractual clauses set out in Exhibit 1 to this Agreement.
    2. Processing of Data:
      1. Applicability. This Agreement will apply only to the extent End User is established within the EEA or Switzerland and/or to the extent Chef processes Personal Data of Data Subjects located in the EEA or Switzerland on behalf of End User.
      2. Relationship of the parties:  The End User (the “Controller”) appoints Chef as a processor to Process the Personal Data that is the subject of the Agreement (the “Data”) for the purposes described in this Agreement and the Principal Agreement (or as otherwise agreed in writing by the parties) (the “Permitted Purpose”).  Each party will comply with the obligations that apply to it under Applicable Data Protection Law.
      3. Prohibited data:  The End User will not disclose any Special Categories of Data to Chef for processing.
      4. Purpose Limitation:  Chef will process the Data as a Processor as necessary to perform its obligations under this Agreement and any Order Form, and in accordance with the documented instructions of End User (the “Permitted Purpose”), except where otherwise required by any EU (or any EU Member State) law applicable to Chef.  The duration of the Processing, the nature and purpose of the Processing, the types of Data and categories of Data Subjects Processed under this Agreement are further specified in Appendix 1 to the Standard Contractual Clauses.  
      5. International transfers:  Chef will not transfer the Data (nor permit the Data to be transferred) outside of the European Economic Area (“EEA”) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law.  Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorization in accordance with Applicable Data Protection Law, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission. The following transfer mechanisms listed below will apply, in the following order of precedence, to any transfers of Data under this Agreement from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations of the foregoing territories, to the extent such transfers are subject to such Data Protection Laws and Regulations; (1) Chef’s EU-U.S. and Swiss-U.S. Privacy Shield Framework self-certifications (the “EU-US and Swiss-US Privacy Shield Services”); (2) The Standard Contractual Clauses set forth in Exhibit 1 to this Agreement.
      6. Confidentiality of Processing:  Chef will ensure that any person it authorizes to process the Data (an “Authorized Person”) will protect the Data in accordance with Chef’s confidentiality obligations under this Agreement.
      7. Security:  Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Chef will implement technical and organizational measures to protect the Data (1) from accidental or unlawful destruction, and (2) loss, alteration, unauthorized disclosure of, or access to the Data (a “Security Incident”).
      8. Sub-Processing:  The End User consents to Chef engaging third party sub processors to process the Data for the Permitted Purpose provided that: (1) Chef maintains an up-to-date list of its sub processors and will provide such to End User upon End User’s written request; (2) Chef imposes data protection terms on any sub processor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and (3) Chef remains liable for any breach of this Clause that is caused by an act, error or omission of its sub processor.  The End User may object to Chef’s appointment or replacement of a sub processor, provided such objection is based on reasonable grounds relating to data protection. In such event, Chef will use reasonable efforts to make available to End User a change in the Services or recommend a commercially reasonable change to End User’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the End User. If Chef is unable to make available such change within a reasonable period of time, which will not exceed thirty (30) days, End User may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Chef without the use of the objected-to new Sub-processor by providing written notice to Chef. Chef will refund End User any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on End User.
      9. Cooperation and Data Subjects’ Rights:  Chef will provide reasonable and timely assistance to the End User (at the End User’s expense) to enable the End User to respond to: (1) any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (2) any other correspondence, inquiry or complaint received from a Data Subject, regulator or other third party in connection with the processing of the Data.   In the event that any such request, correspondence, enquiry or complaint is made directly to Chef, Chef will promptly inform the End User providing full details of the same.
      10. Data Protection Impact Assessment:  If Chef believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it will inform the End User and provide reasonable cooperation to the End User (at the End User’s expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
      11. Security Incidents:  If Chef becomes aware of a confirmed Security Incident (as defined in Section 10(b)(vii) above), it will inform the End User without undue delay and will provide reasonable information and cooperation to the End User so that the End User can fulfill any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law.  Chef will further take any reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and will keep the End User informed of all material developments in connection with the Security Incident.
      12. Deletion or Return of Data:  Upon termination or expiration of the Principal Agreement, Chef will (at the End User’s election) destroy or return to the End User all Data in its possession or control.  This requirement will not apply to the extent that Chef is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, which Data Chef will securely isolate and protect from any further processing except to the extent required by such law.
      13. Audit:  The End User acknowledges that Chef is regularly audited by independent third party auditors.  Upon request, Chef will supply a summary copy of its audit report(s) to the End User, which reports will be subject to the confidentiality provisions of this Agreement. Chef will also respond to any written audit questions submitted to it by the End User, provided that the End User will not exercise this right more than once per year.
  11. Software Usage Tracking.
    1. If and when End User adds additional Nodes to its License, End User will pay to Chef for such additional Nodes added to any License. Upon Chef’s request (such request not to be made more than twice during any 12 month period without good cause), End User agrees to promptly deliver to Chef (a) any usage files and reports generated by the Software to permit Chef to verify the number of Nodes actually used by End User during the applicable License Term; and/or (b) a certification signed by one of End User’s officers regarding the number of Nodes actually used by End User during the applicable License Term. Notwithstanding the foregoing, End User agrees to reasonably cooperate with Chef to verify the number of Nodes actually used by End User during the applicable License Term. If Chef confirms that End User has exceeded the number of Nodes for the applicable License Term, in addition to any other remedies available under this Agreement or applicable law, End User agrees to pay the then-current License Fees for the additional Nodes used by End User.
    2. Unless End User chooses to disable telemetry features in the Software, End User consents to Chef receiving data and information directly from the Software for the sole purpose of obtaining information regarding End User’s use of the Software (i.e., when End User installs an update or upgrade), as well as any Software bugs, errors, and other similar technical support issues. Chef will only use such data and information (“Software Usage and Technical Support Data”) for its own business purposes, including but not limited to the purposes of (i) providing the Support Services; and (ii) to gather information about how End User uses the Software, which may be combined with information about how others use the Software, in order to help Chef better understand trends and End Users’ needs in order to better consider new features, and (iii) improving the Software and End User’s use experience. Chef will use Software Usage and Technical Support Data solely in aggregate, anonymized form and solely for Chef’s own business purposes. For instructions on how to disable Chef’s access to the Software Usage and Technical Support Data, please refer to the Software Documentation or contact Chef Support.
  12. Export Compliance. As required by the laws of the United States and other countries, End User represents and warrants that End User: (a) understands that the Software and its components may be subject to export controls under the U.S. Commerce Department’s Export Administration Regulations (“EAR”); (b) is not located in a prohibited destination country under the EAR or U.S. sanctions regulations; (c) will not export, re-export, or transfer the Software to any prohibited destination or persons or entities on the U.S. Bureau of Industry and Security Denied Parties List or Entity List, or the U.S. Office of Foreign Assets Control list of Specially Designated Nationals and Blocked Persons, or any similar lists maintained by other countries, without the necessary export license(s) or authorization(s); (d) will not use or transfer the Software in connection with any nuclear, chemical or biological weapons, missile technology, or military end-uses where prohibited by an applicable arms embargo, unless authorized by the relevant government agency by regulation or specific license; and (e) understands that countries including the United States may restrict the import, use, or export of encryption products (which may include the Software and the components) and agrees that End User will be solely responsible for compliance with any such import, use, or export restrictions.
  13. FCPA Compliance and No Unlawful Payments. Neither the End User nor any of its subsidiaries nor, to the End User’s knowledge, any other person associated with or acting on behalf of the End User or any of its subsidiaries, including, without limitation, any director, officer, agent, employee or affiliate of the End User or any of its subsidiaries (“Representatives”) has (i) used any corporate funds for any unlawful contribution, gift, entertainment or other unlawful expense relating to political activity or to influence official action; (ii) made any direct or indirect unlawful payment to any foreign or domestic government official or employee from corporate funds; (iii) made any bribe, rebate, payoff, influence payment, kickback or other unlawful payment; or (iv) violated or is in violation of any provision of the U.S. Foreign Corrupt Practices Act of 1977, as amended, and the rules and regulations thereunder; and the End User has instituted and maintains policies and procedures designed to ensure compliance therewith. Further, End User will, and will cause its Representatives to, comply with the FCPA, including maintaining and complying with all policies and procedures to ensure compliance with this Act.
  14. Additional Obligations. Each Party will comply with all applicable local, state, national, and international laws and regulations with respect to its rights and obligations under this Agreement. End User further agrees that its purchase under this Agreement is neither contingent on the delivery of any future functionality or features nor dependent on any oral or written public comments made by Chef regarding future functionality or features of the Software. By downloading, accessing, or using the Software, End User represents that it is at least the legal age of majority.
  15. U.S. Government. The Software is “Commercial Computer Software” as defined under FAR 252.227-7014. If End User is subject to the Defense Federal Acquisition Resolutions (DFAR), the Software and Documentation are licensed pursuant to Chef’s standard commercial license according to DFARS 227.7202. For all other government entities, use, duplication, or disclosure of the Software and Documentation by the U.S. Government is subject to restrictions set forth in subparagraph (b)(2) of 48 CFR 52.227-19, as applicable.
  16. General
    1. Neither party will be liable for any delay or failure in performance (except for any payment obligations) due to causes beyond its reasonable control.
    2. Neither party may assign this Agreement except upon the advance written consent of the other party, except that either party may assign this Agreement in connection with a merger, reorganization, acquisition or other transfer of all or substantially all of such party’s voting securities or the assets governed by this Agreement; provided, that: (a) the assignor or assignee provides reasonably prompt written notice of such assignment to the non-assigning party; and (b) the assignee is capable of fully performing the obligations of the assignor under the Agreement. Any attempt to assign this Agreement, without such consent, will be null and of no effect. Subject to the foregoing, this Agreement will bind and inure to the benefit of each party’s successors and permitted assigns.
    3. If for any reason a court of competent jurisdiction finds any provision of this Agreement invalid or unenforceable, that provision of the Agreement will be enforced to the maximum extent permissible and the other provisions of this Agreement will remain in full force and effect.
    4. The failure by either party to enforce any provision of this Agreement will not constitute a waiver of future enforcement of that or any other provision. All waivers must be in writing and signed by both parties.
    5. All notices permitted or required under this Agreement will be in writing and will be delivered in person, by confirmed facsimile, overnight courier service or mailed by first class, registered or certified mail, postage prepaid. Such notice will be deemed to have been given upon receipt.
    6. This Agreement will be governed by the laws of the State of Washington, U.S.A., excluding its conflicts of law rules.
    7. The parties expressly agree that the UN Convention for the International Sale of Goods (CISG) or the Uniform Computer Information Transactions Act (UCITA) will not apply.
    8. Any amendment or modification to the Agreement must be in writing signed by both parties.
    9. Except as expressly set forth in this Agreement, the exercise by either party of any of its remedies under this Agreement will be without prejudice to its other remedies under this Agreement or otherwise.
    10. The parties to this Agreement are independent contractors and this Agreement will not establish any relationship of partnership, joint venture, employment, franchise, or agency between the parties. Neither party will have the power to bind the other or incur obligations on the other’s behalf without the other’s prior written consent.

EXHIBIT 1

STANDARD CONTRACTUAL CLAUSES

These Clauses are deemed to be amended from time to time, to the extent that they relate to a Restricted Transfer which is subject to the Data Protection Laws of a given country or territory, to reflect (to the extent possible without material uncertainty as to the result) any change (including any replacement) made in accordance with those Data Protection Laws (i) by the Commission to or of the equivalent contractual clauses approved by the Commission under EU Directive 95/46/EC or the GDPR (in the case of the Data Protection Laws of the European Union or a Member State); or (ii) by an equivalent competent authority to or of any equivalent contractual clauses approved by it or by another competent authority under another Data Protection Law (otherwise).

Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

Name of the data exporting organization: See customer name and address on Page 1 to this Agreement.

Tel.: ____________; fax: __________________; e-mail:  __________________________

Other information needed to identify the organization:  N/A (the data exporter)

And

Name of the data importing organization: Chef Software Inc.

Address: 619 Western Avenue, Suite 400, Seattle Washington 98104

Tel.: 206-508-4799; e-mail: privacy@chef.io

Other information needed to identify the organization: N/A

(the data importer)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Background

The data exporter has entered into an Agreement (“Agreement”) with the data importer. Pursuant to the terms of the Agreement, it is contemplated that Services provided by the data importer will involve the transfer of personal data to data importer. Data importer is located in a country not ensuring an adequate level of data protection. To ensure compliance with Directive 95/46/EC and applicable data protection law, the controller agrees to the provision of such Services, including the processing of personal data incidental thereto, subject to the data importer’s execution of, and compliance with, the terms of these Clauses.

 

Clause 1
Definitions

For the purposes of the Clauses:

  1. ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ will have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
  2. ‘the data exporter’ means the controller who transfers the personal data;
  3. ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
  4. ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
  5. ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
  6. ‘technical and organizational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2
Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3
Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor will be limited to its own processing operations under the Clauses.
  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4
Obligations of the data exporter

The data exporter agrees and warrants:

  1. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
  2. that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
  3. that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
  4. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
  5. that it will ensure compliance with the security measures;
  6. that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
  7. to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
  8. to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
  9. that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
  10. that it will ensure compliance with Clause 4(a) to (i).

Clause 5
Obligations of the data importer

The data importer agrees and warrants:

  1. to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  2. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  3. that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
  4. that it will promptly notify the data exporter about:
    1. any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
    2. any accidental or unauthorized access, and
    3. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
  5. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
  6. at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which will be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
  7. to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which will be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
  8. that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
  9. that the processing services by the subprocessor will be carried out in accordance with Clause 11;
  10. to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6
Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
  3. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
  4. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor will be limited to its own processing operations under the Clauses.

Clause 7
Mediation and jurisdiction

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
    1. to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
    2. to refer the dispute to the courts in the Member State in which the data exporter is established.
  2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8
Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
  3. The data importer will promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter will be entitled to take the measures foreseen in Clause 5 (b).

Clause 9
Governing Law

The Clauses will be governed by the law of the Member State in which the data exporter is established.

Clause 10
Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11
Subprocessing

  1. The data importer will not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it will do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfill its data protection obligations under such written agreement the data importer will remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
  2. The prior written contract between the data importer and the subprocessor will also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor will be limited to its own processing operations under the Clauses.
  3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 will be governed by the law of the Member State in which the data exporter is established.
  4. The data exporter will keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which will be updated at least once a year. The list will be available to the data exporter’s data protection supervisory authority.

Clause 12
Obligation after the termination of personal data processing services

  1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor will, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or will destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is (i) the legal entity that has executed the Standard Contractual Clauses as a Data Exporter and (ii) all Affiliates (as defined in the Agreement) of Data Exporter.

Data importer

The data importer is Chef Software Inc. – a provider of enterprise automation software to organizations which processes Data upon the instruction of the data exporter in accordance with the terms of the Principal Agreement.

Data subjects

The personal data transferred concern the following categories of data subjects:

Data exporter may submit Data to Chef, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Data relating to the following categories of Data Subjects:

  • Prospects, customers, business partners and vendors of Chef (who are natural persons)
  • Employees or contact persons of Chef’s prospects, customers, business partners and vendors
  • Employees, agents, advisors, freelancers of Chef (who are natural persons)
  • End User’s Users authorized by End User to use the Services

Categories of data

The personal data transferred concern the following categories of data:

Data exporter may submit Data to Chef, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of Data:

  • First and last name
  • Title/Position
  • Employer
  • Contact information (company, email, phone, physical business address)
  • ID data
  • Professional life data
  • Personal life data
  • IP Addresses, Cookies, Usage data, etc.
  • Localization data

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data:  None

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):

Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of the Data Processed in accordance with the Agreement and as otherwise made reasonably available by data importer upon written request from End User. Data Importer will not materially decrease the overall security of the Services during a License Term.