Purchase Order Terms and Conditions
Effective January 15, 2021
HashiCorp, Inc., acting on its behalf and on behalf of its Affiliates is referred to as "HashiCorp", the Vendor, identified on the face of this Purchase Order is referred to as "Vendor", and this purchase order is referred to as Order. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1. DELIVERY AND ACCEPTANCE
The time of delivery stated is of the essence of this Order. The date specified for delivery is the required delivery date at HashiCorp's shipping address or location as provided in the Order (F.O.B. Destination), unless otherwise specifically noted hereon, and HashiCorp reserves the right to refuse any goods and to cancel all or any part hereof if Vendor fails to deliver all or any part of any goods in accordance with the terms specified herein. If Vendor's deliveries will not meet agreed schedules, HashiCorp may require Vendor to ship via a more rapid route or carrier in order to expedite such delivery, and any difference in cost caused by such change shall be paid by Vendor; provided, nevertheless, that such right shall be in addition to any other rights and remedies of HashiCorp. Acceptance of any part of the Order shall not bind HashiCorp to accept future shipments nor deprive it of the right to return goods already accepted, and shall not be deemed to be a waiver of HashiCorp's right to cancel or return all or any goods because of failure to conform to the Order or by reason of defects, latent or patent, or other breach of warranty, or to make any claim for damages, including manufacturing cost or loss of profits, injury to reputation or other special, consequential and incidental damages. Such rights shall be in addition to any other remedies provided hereunder or provided by law or otherwise. Delivery shall not be deemed to be complete until goods have been actually received and accepted by HashiCorp, notwithstanding delivery to any carrier, or until orders for services have been performed, received and accepted.
2. ACCEPT / MODIFICATION OF TERMS
This Order may be accepted only by Vendor's agreement to all of the terms and conditions of this Order. Acceptance may be made by signing the acknowledgement copy hereof and returning it or by part performance hereunder, and any such acceptance shall constitute an unqualified agreement to the terms and conditions set forth herein unless otherwise modified in writing by the parties. Acceptance of this Order is limited to the terms and conditions stated herein. Any additions, deletions or differences in the terms proposed by Vendor are objected to and hereby rejected, unless HashiCorp agrees otherwise in writing. No additional or different terms and conditions proposed by the Vendor in accepting this Order shall be binding upon HashiCorp unless accepted in writing by HashiCorp, and no other addition, alteration or modification to, and no waiver of, any of the provisions herein contained shall be valid unless made in writing and executed by HashiCorp and Vendor.
3. PACKING AND SHIPPING
If applicable, the goods purchased hereunder must be suitably packed and prepared for shipment to secure the lowest transportation rates or appropriately packed to comply with any specific transportation specifications of HashiCorp, and in all cases, to comply with carrier's regulations. All charges for packing, crating and transportation are included in the price of the goods set forth herein and will be paid by Vendor except as otherwise specifically stated on the Order. A Packing List shall accompany each box or package shipment showing the Order number specified hereon as well as the item number and a description of the goods. In the event that no such Packing List accompanies any shipment, the count or weight or other measure of HashiCorp shall be final and conclusive. HashiCorp shall not be obligated to accept any shipments in excess of the ordered quantity and any excess or advance shipments may be returned to Vendor at Vendor's expense.
Vendor shall invoice to receive payments. Invoices shall contain the following information: HashiCorp requester name, Order number, item number, description of articles, sizes, quantities, unit prices and extended totals. Invoices submitted hereunder will be paid within 60 days after receipt of the invoices or acceptance of delivered items by HashiCorp, whichever occurs later, unless otherwise specified on the face of this Order. Invoices shall be submitted to HashiCorp within five (5) days of the delivery date. Failure to invoice within the given period without prior notification will jeopardize timely payment of the invoice. Any invoices not submitted within one hundred and twenty (120) days of the delivery date will be rejected by HashiCorp. Any adjustment in Vendor's invoices due to shortages, late delivery, rejections, or other failure to comply with the requirements of this Order may be made by HashiCorp before payment. Cash discounts will be taken from the date of final acceptance of delivered items, or the date of an acceptable invoice, whichever is later. Payment shall not constitute final acceptance. HashiCorp may offset against any payment hereunder any amount owed to HashiCorp by Vendor.
Vendor represents and warrants to HashiCorp: (1) that all goods delivered pursuant hereto will be new, unless otherwise specified, and free from defects in material and workmanship; (2) that all goods will conform to applicable specifications, instructions, drawings, and standards of quality and performance, and that all items will be free from defects in design and suitable for their intended purpose; (3) that the goods covered by this Order are fit and safe for consumer use, if so intended; (4) that the Vendor is not under any pre-existing obligation in conflict or in any way inconsistent with the provisions of this Order. Vendor represents and warrants that Vendor’s performance of all the terms of this Order will not breach any agreement to keep in confidence proprietary information acquired by Vendor in confidence or in trust prior to commencement of this Order; (5) that it has the power and authority to enter into this Order. All the representations and warranties of Vendor together with its service warranties and guarantees, if any, shall be available to HashiCorp and (if applicable) to HashiCorp's customers. Vendor agrees to indemnify and hold HashiCorp harmless from all claims, liability loss, damage and expense including special, consequential and incidental damages incurred or sustained by HashiCorp by reason of any breach of any warranty with respect to the goods which are purchased in accordance herewith. The foregoing warranties shall survive any delivery, inspection, acceptance or payment to HashiCorp.
Vendor shall assure itself and shall satisfy HashiCorp, by means of appropriate inspection, tests and quality management systems, that the goods and any part thereof conform to the requirements of the Order. Vendor is responsible for satisfying the quality assurance requirements of the Order. If requested, the Vendor shall submit to the purchaser, as applicable, its quality manuals, program plans and procedures. All goods supplied and services performed pursuant hereto shall be subject to inspection and test by HashiCorp and its agents and by its customers at all times and places, whether during or after manufacture as to goods, or performance as to services, and notwithstanding the terms of delivery or payment or, as to goods, that title has not yet passed to HashiCorp or to its customers. Said HashiCorp inspections may include on-site audits of the Vendor's quality management system and supporting records at the discretion of HashiCorp. In the event that goods supplied or services performed are not in accordance with the specifications and instructions of HashiCorp, HashiCorp may require prompt correction thereof, or, as to services, require that the services be rendered again at Vendor's expense or, as to goods, require that the goods be replaced at Vendor's expense. If such defects exist or if Vendor is unable or refuses to replace the goods or render the services again promptly, HashiCorp may, by contract or otherwise, replace such goods or obtain such services and charge Vendor, or deduct from amounts owed by HashiCorp to Vendor, the costs, expenses and losses (including incidental and consequential damages) incurred thereby which are in excess of Vendor's price for such goods or services. After notification to Vendor that goods are defective, all risk of loss with respect to such goods shall be in Vendor, and Vendor shall pay all packing and shipping charges in connection with defective goods returned by HashiCorp.
HashiCorp's approval of design furnished by Vendor shall not relieve Vendor of its obligations herein. The goods covered by this Order are intended for the manufacture and sale of HashiCorp's established products in which HashiCorp has built a substantial and valuable reputation for quality and efficiency and any defect in the goods hereunder may occasion special damage to HashiCorp. All rights and remedies of HashiCorp hereunder shall be in addition to any other remedies provided by law.
7. CHANGES AND SUSPENSION
HashiCorp may, by written notice to Vendor at any time before complete delivery is made under this Order, make changes within the general scope of this Order by issuing a Change Order in any one or more of the following: (a) drawings, designs or specifications; (b) quantity; (c) delivery; (d) method of shipment or routing; and (e) the amount of HashiCorp furnished property; or HashiCorp for any reason may direct Vendor to suspend, in whole or in part, delivery of goods or performance of services hereunder for such period of time as may be determined by HashiCorp to be necessary or desirable. If any such change or suspension causes a material increase or decrease in the cost of, or the time required for, the performance of any part of the work under this Order, an equitable adjustment shall be made in the Order price or delivery schedule, or both, provided Vendor shall have notified HashiCorp in writing of any claim for such adjustment within seven (7) days from the date of such notice from HashiCorp or from the date of any act of HashiCorp which Vendor considers constitutes such a change. No such adjustment or any other modification of the terms of this Order will be allowed unless authorized by HashiCorp by means of a written revision to this Order. Vendor shall proceed with the work as changed without interruption and without awaiting settlement of any such claim.
Except as may be otherwise provided in this Order, the price(s) set forth herein shall be exclusive of all applicable Federal, State and local taxes and duties (collectively referred to as “Taxes and Duties”). However, it will be Vendor’s responsibility to invoice HashiCorp for any applicable Taxes and Duties and remit said collections to the relevant tax authorities.
9. CONFIDENTIAL INFORMATION
Vendor agrees, at all times during the term of this Order and thereafter, to hold in strictest confidence, and not to use, except for the benefit of HashiCorp to the extent necessary to perform its obligations hereunder, and not to disclose to any person, firm, corporation or other entity, without written authorization from HashiCorp in each instance, any Confidential Information (as defined below) that Vendor obtains, accesses or creates during the term of this Order, whether or not during working hours, until such Confidential Information becomes publicly and widely known and made generally available through no wrongful act of Vendor. Vendor further agrees not to make copies of such Confidential Information except as authorized by HashiCorp. “Confidential Information” means information and physical material not generally known or available outside the Company and information and physical material entrusted to the Company in confidence by third parties. Confidential Information includes, without limitation: (i) HashiCorp inventions; (ii) technical data, trade secrets, know-how, research, product or service ideas or plans, software codes and designs, developments, inventions, laboratory notebooks, processes, formulas, techniques, lists of, or information relating to, Vendors and customers, pricing methodologies, cost data, market share data, marketing plans, licenses, contract information, business plans, financial forecasts, historical financial data, budgets or other business information disclosed to Vendor and its personnel by HashiCorp either directly or indirectly, whether in writing, electronically, orally, or by observation. In the event that HashiCorp and the Vendor execute any confidentiality or non-disclosure agreement, the terms of such confidentiality or non-disclosure agreement shall be referenced herein and form part of this Order.
10. INDEPENDENT CONTRACTOR
Vendor’s relationship with HashiCorp will be that of an independent contractor and not that of an employee. Vendor may, at Vendor’s own expense, employ or engage the services of such personnel. Personnel are not and shall not be employees of HashiCorp, and Vendor shall be wholly responsible for the work by its personnel such that the results are satisfactory to HashiCorp. Vendor acknowledges and agrees that Vendor and its personnel have no authority to enter into contracts that bind HashiCorp or create obligations on the part of HashiCorp without the prior written authorization of HashiCorp. Vendor acknowledges and agrees that Vendor and its personnel shall not be eligible for any HashiCorp employee benefits and, to the extent Vendor and its personnel otherwise would be eligible for any HashiCorp employee benefits but for the express terms of this Order, Vendor (on behalf of itself and its Personnel) hereby expressly declines to participate in such employee benefits. Vendor shall have full responsibility for applicable withholding taxes for all compensation paid to Vendor under this Order, and for compliance with all applicable labor and employment requirements with respect to Vendor’s self-employment, sole proprietorship or other form of business organization. Vendor agrees to indemnify, defend and hold HashiCorp harmless from any liability for, or assessment of, any claims or penalties with respect to such withholding taxes, labor or employment requirements, including any liability for, or assessment of, withholding taxes imposed on HashiCorp by the relevant taxing authorities with respect to any compensation paid to Vendor.
11. RESPONSIBILITY FOR PROPERTY
Any property of HashiCorp or its customers which in connection with this Order is in possession or control of Vendor or Vendor's subcontractors, personnel or agents, shall be returned to HashiCorp in the condition in which it was received by Vendor, except for ordinary wear and tear and except to the extent that such property has been incorporated into goods delivered hereunder or has been consumed in the production of such goods. Risk of loss with respect to all such property shall be in Vendor.
Vendor shall be solely responsible for such insurance coverage as HashiCorp deems necessary to protect it against any form of insurable risks related to the Services. However, at a minimum, Vendor shall procure and maintain for the duration of the contract general liability insurance coverage in an amount of at least $1,000,000 per occurrence, $2,000,000 general aggregate, against claims for injuries to persons or damages to property that may arise from or in connection with the goods, and cyber liability insurance (or comparable “tech E&O” or “privacy liability” insurance), if applicable, of at least $5,000,000 per claim/in the aggregate. The cost of such insurance shall be borne by Vendor.
13. ASSIGNMENT AND SUBCONTRACTS
This Order is not assignable and shall not be assigned by Vendor without the prior written consent of HashiCorp. Further, Vendor agrees to obtain HashiCorp's approval before subcontracting this Order or any substantial portion thereof; provided, however, that this limitation shall not apply to the purchase of standard commercial supplies or raw materials.
14. USE OF DESIGN, DATA, ETC.
Vendor agrees that it will keep confidential the features of any equipment tools, gauges, patterns, designs, drawings, engineering data or other technical or proprietary information furnished by HashiCorp and use such items only in the production of items under this Order or other orders from HashiCorp and not otherwise, unless HashiCorp's written consent is first obtained. Upon completion or termination of this Order, Vendor shall return all such items to HashiCorp or make such other disposition thereof as may be directed or approved by HashiCorp.
15. RESPONSIBILITY FOR SUPPLIES
Except as otherwise provided in the Order, Vendor shall bear the risk of loss of, or damage to, the supplies covered by this Order until delivered to HashiCorp's facilities (or to such other place as may be designated on the face of this Order) and accepted by HashiCorp. Vendor shall also bear the risk of loss of, or damage to rejected supplies after receipt of HashiCorp's notice of rejection, provided, however, that HashiCorp shall bear such risk as to loss or damage caused by the willful or negligent acts of its officers, agents or employees acting within the scope of their employment. HashiCorp shall have a reasonable time after delivery to inspect and to accept or reject.
16. NOTICE OF LABOR DISPUTES
Whenever the Vendor has knowledge that any actual or potential labor dispute is delaying or threatens to delay the timely performance of this Order, Vendor shall immediately give notice thereof, including all relevant information with respect thereto, to HashiCorp.
(a) HashiCorp may, by written notice of default to Vendor, terminate the whole or any part of this Order in any one of the following circumstances: (i) Vendor fails to make delivery of the supplies or to perform the services within the time specified herein or any extension thereof; or (ii) Vendor fails to perform any of the other provisions of this Order or so fails to make progress as to endanger performance of this Order in accordance with its terms, and in either of these two circumstances does not cure such failure within a period of five (5) days, or such longer period as HashiCorp may authorize in writing, after receipt of notice from HashiCorp specifying such failure; or (iii) Vendor becomes insolvent or the subject of proceedings under any law relating to bankruptcy or the relief of debtors or admits in writing its inability to pay its debts as they become due; or (iv) Vendor fails to provide HashiCorp, within a reasonable time after demand by HashiCorp, written assurance of due performance by Vendor. (b) If this Order is so terminated by Vendor, HashiCorp may procure or otherwise obtain, upon such terms and in such manner as HashiCorp may deem appropriate, supplies or services similar to those terminated. Vendor, subject to the exceptions set forth below, shall be liable to HashiCorp for any excess costs of such similar supplies or services. (c) Vendor shall transfer title and deliver to HashiCorp, in the manner and to the extent requested in writing by HashiCorp at or after termination, such complete articles, partially completed articles and materials, parts, tools, dies, patterns, jigs, fixtures, plans, drawings, information and contract rights as Vendor has produced or acquired for the performance of the terminated part of this Order, and HashiCorp will pay Vendor the contract price for completed articles delivered to and accepted by HashiCorp and the fair value of the other property of Vendor so requested and delivered.
(d) Vendor shall continue performance of this Order to the extent not terminated. HashiCorp shall have no obligations to Vendor in respect to the terminated part of this Order except as herein provided. HashiCorp's rights as set forth herein shall be in addition to HashiCorp's rights in case of Vendor's default, whether set forth in this Order or not. (e) Vendor shall not be liable for damages resulting from default due to causes beyond Vendor's control and without Vendor's fault or negligence, provided, however, that if Vendor's default is caused by the default of a subcontractor or Vendor, such default must arise out of causes beyond the control of both Vendor and his subcontractor or Vendor, and without the fault or negligence of either of them and, provided further, the supplies or services to be furnished by the subcontractor or Vendor were not obtainable from other sources.
18. RELEASE OF INFORMATION
Vendor agrees that prior to the issuance of any publicity or publication of any advertising which in either case makes reference to this Order, or to HashiCorp, Vendor will obtain the written permission of HashiCorp with respect thereto.
19. INDEMNIFICATION
Vendor will indemnify and hold HashiCorp harmless from and against any and all third party claims, costs, damages, losses, liabilities and expenses (including attorneys’ fees and costs) (collectively, “Third Party Claims”) to the extent arising out of or in connection with (i) the negligent acts, omissions, or willful misconduct of Vendor or its personnel; (ii) a claim alleging that use of the HashiCorp inventions infringes a patent, copyright, trademark, or trade secret, privacy, or publicity rights of a third party; (iii) Vendor’s breach of any applicable law, statute, regulation, or of its obligations and warranties under this Order, the non-disclosure agreement (if any) signed between the parties and/or the data protection agreement (if any) signed between the parties; (iv) any death, bodily injury, or property damage caused or incurred by Vendor or its personnel in the course of performing services under this Order. If any Third Party Claim is commenced with respect to which HashiCorp is entitled to indemnification under this section, HashiCorp will provide notice thereof to Vendor. The Vendor will be entitled, if it so elects in a notice promptly delivered to HashiCorp, to immediately take control of the defense, settlement, and investigation of any Third Party Claim and to employ and engage attorneys reasonably acceptable to HashiCorp to handle and defend the same, at the Vendor’s sole cost. HashiCorp will cooperate in all reasonable respects, at Vendor’s cost and request, in the investigation, trial and defense of such Third Party Claim and any appeal arising therefrom. The Vendor will not consent to the entry of any judgment or enter into any settlement with respect to a Third Party Claim without HashiCorp’s prior written consent. HashiCorp may also, at its own cost, participate through its attorneys or otherwise in such investigation, trial and defense of any Third Party Claim and related appeals.
If the Vendor does not assume full control over the defense of a Third Party Claim as provided in this section, HashiCorp will have the right to defend the Third Party Claim in such manner as it may deem appropriate, at the reasonable cost and expense of the Vendor.
20. LIMITATION OF LIABILITY
EACH PARTY’S AGGREGATE LIABILITY SHALL NOT EXCEED TWO TIMES THE AMOUNTS ACTUALLY PAID BY AND/OR DUE FROM HASHICORP HEREUNDER. NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, PUNITIVE, SPECIAL, EXEMPLARY, INCIDENTAL, CONSEQUENTIAL OR SIMILAR DAMAGES ARISING OUT OF OR RELATING TO THIS ORDER EVEN IF SUCH PARTY HAS BEEN PREVIOUSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. NOTWITHSTANDING THE FOREGOING, THE EXCLUSIONS AND LIMITATIONS IN THIS SECTION 20 SHALL NOT APPLY TO VENDOR’S INDEMNIFICATION OBLIGATION UNDER SECTION 19 (“INDEMNIFICATION”), BREACH OF ITS OBLIGATIONS UNDER SECTION 9 (“CONFIDENTIAL INFORMATION”), SECTION 26 (“DATA SECURITY”), OR BODILY INJURY, DEATH OR DAMAGE TO REAL OR TANGIBLE PERSONAL PROPERTY AS A RESULT OF VENDOR’S ACTS OR OMISSIONS.
21. PATENTS AND DATA
(a) If any experimental, developmental or research work is called for or required hereunder, Vendor agrees to and hereby does grant to HashiCorp an irrevocable, non-exclusive, fully transferable, royalty-free license to make, have made, use and sell any invention, improvement or discovery (whether or not patentable) that Vendor conceives or first actually reduces to practice in the performance of this Order. (b) Vendor agrees to and hereby does grant to HashiCorp: (i) an irrevocable, non-exclusive, fully transferable, royalty-free license to reproduce, translate, publish, use and dispose of, and to authorize others to do so, any copyrighted or copyrightable material ordered as articles or incorporated in or supplied as a supplement with, any articles; and (ii) the right to reproduce, use and disclose for any purpose all or any part of the reports, drawings, blueprints, data and technical information delivered or specified to be delivered by Vendor to HashiCorp under this Order.
22. TERMINATION FOR CONVENIENCE
Either party may terminate this Order for material breach of the other party if such breach remains uncured for thirty (30) days after written notice to the other party; and, HashiCorp may terminate this Order at any time upon five (5) days prior written notice. In the event of such termination, Vendor shall be paid for any portion of the products or services that have been performed in accordance with this Order prior to notice of termination, and Vendor shall deliver to HashiCorp all inventions in any stage of completion at the time of termination. In the event HashiCorp has prepaid any fees, the fees will be refunded within fourteen (14) days on a pro-rata basis for any services not performed or any fees not incurred as of the date of termination.
23. COMPLIANCE WITH LAW
Each party acknowledges that it is aware of, understands and has complied and will comply with, all applicable U.S. and foreign anti-corruption laws, including without limitation, the U.S. Foreign Corrupt Practices Act ("FCPA") and the U.K. Bribery Act. Each party to this Order shall comply with all applicable export laws and regulations to ensure no Confidential Information or any portion thereof is exported, directly or indirectly, in violation of applicable export laws. Each party agrees to flow down the provisions of this Article to Vendors of any type with relation to this Order.
24. GOVERNING LAW
The validity, interpretation, construction and performance of this Order shall be governed by the local, state and federal laws of the State of California and the United States, without giving effect to the principles of conflict of laws. Neither the United Nations Convention of Contracts for the International Sale of Goods nor the Uniform Computer Information Transactions Act will apply to the Order.
25. NON-WAIVER OF RIGHTS
The failure of HashiCorp to insist upon strict performance of any of the terms and conditions in this Order or to exercise any rights or remedies shall not be construed as a waiver of its rights to assert any of the same or rely on any such terms or conditions at any time thereafter. The invalidity in whole or in part of any term or condition of this Order shall not affect the validity of other parts hereof.
26. DATA SECURITY
If Vendor has access to or possession of HashiCorp’s Confidential Information, Vendor must establish and maintain sufficient safeguards against the destruction, loss, alteration of, or unauthorized access to HashiCorp’s Confidential Information in the possession of Vendor. Further, Vendor shall define and adhere to a coherent, complete set of information security policies, standards, and practices, which shall be in conformity with legal, regulatory, and contractual requirements and industry standard best practices. Vendor agrees to fully cooperate with HashiCorp’s reasonable requests for additional information pertaining to Vendor’s security environment. Vendor must permit HashiCorp to audit Vendor's compliance with this Section no more than once annually during regular business hours upon not less than five (5) business days’ notice to Vendor, and provide HashiCorp copies of audits and system test results acquired by Vendor in relation to the data security policies and procedures designed to meet the requirements set forth above. Vendor shall notify HashiCorp of any material changes to its security policies, standards, and practices. In the event Vendor suffers or learns that any actual or suspected security breach has occurred in violation of Vendor’s security or confidentiality obligations under this Section, or of any unauthorized intrusions into Vendor’s or any of its subcontractor’s facilities or secure systems (collectively a “Security Breach”), then Vendor must immediately: (i) notify HashiCorp of the circumstances of the Security Breach; (ii) estimate the Security Breach’s effect on HashiCorp; (iii) specify the corrective action to be taken; and (iv) take corrective action to prevent further Security Breaches. The Vendor shall also comply with the terms of Exhibit A (Third Party Security Exhibit).
27. ENTIRE ORDER
The parties hereby agree that this Order, any non-disclosure agreement signed between the parties and any data protection addendum signed between the parties (if any), including all documents incorporated herein by reference, shall together constitute the entire agreement and understanding between the parties hereto and shall supersede and replace any and all prior or contemporaneous representations, agreements or understandings of any kind, whether written or oral, relating to the subject matter hereof. Any term of this Order may be amended or waived only with the written consent of HashiCorp. This Order and all of Vendor’s rights and obligations hereunder are personal to Vendor and may not be transferred or assigned by Vendor at any time. HashiCorp may assign its rights under this Order to any entity that assumes HashiCorp’s obligations hereunder in connection with a merger or acquisition or sale or transfer of all or a substantial portion of HashiCorp’s assets to such entity. This Order may also be assigned by HashiCorp to a division or subsidiary entity that is owned or controlled by HashiCorp. Any notice required or permitted by this Order shall be in writing and shall be deemed sufficient upon receipt, when delivered personally or by courier, overnight delivery service or confirmed facsimile, or 48 hours after being deposited in the regular mail as certified or registered mail (airmail if sent internationally) with postage prepaid, if such notice is addressed to the party to be notified at such party’s address or facsimile number as set forth above, or as subsequently modified by written notice. If one or more provisions of this Order are held to be unenforceable under applicable law, the parties agree to renegotiate such provision in good faith.
In the event that the parties cannot reach a mutually agreeable and enforceable replacement for such provision, then (i) such provision shall be excluded from this Order, (ii) the balance of the Order shall be interpreted as if such provision were so excluded and (iii) the balance of the Order shall be enforceable in accordance with its terms.
EXHIBIT A: THIRD PARTY SECURITY EXHIBIT
The security requirements listed in this Security Exhibit apply to all Vendors that provide goods to HashiCorp that may require sharing of HashiCorp Confidential Information or data with such Vendors. Terms used but not defined here are defined in the Order.
- “Order” means the executed Order between Vendor and HashiCorp.
- “Data Privacy Incident” means any unauthorized or unlawful processing of Personal Information or any accidental loss or destruction of, or damage to Personal Information, including without limitation: (a) disclosure of Personal Information by Vendor in violation of the Order or applicable laws pertaining to privacy or data security, or (b) any other unauthorized access, acquisition, disclosure or use of Personal Information that has occurred or may have occurred, including, without limitation, any unauthorized access of which Vendor is notified of or suspects.
- “HashiCorp Data” means any data that is provided to Vendor by HashiCorp or on behalf of HashiCorp.
- “Personal Information” means any and all data supplied by HashiCorp, its employees or agents, or collected by Vendor pursuant to this Order which pertains to a specific person, and can be used to identify a specific person, including, without limitation, a person’s first name, last name, and e-mail address.
- “Security Incident” means any: (i) breach or suspected breach of the security of the Services or the systems used to provide the Services that may have resulted in the compromise of HashiCorp Data; or (ii) other unauthorized access to or use of HashiCorp Data, or Vendor's reasonable belief that access or use may have occurred.
- “Services” means the products provided by Vendor to HashiCorp.
- “Vendor” means those vendors who provide services to HashiCorp.
- “Vendor Systems” means vendor’s information systems, applications, databases, infrastructure, platforms, and networks (a) utilized to provide the Services, (b) collecting, storing, processing, transmitting, accessing or using HashiCorp Data, and/or (c) with access to, connection to, use of or otherwise interacting with HashiCorp Systems.
Information Security Program and Requirements
Vendor will take appropriate technical and organizational measures against unauthorized or unlawful processing of HashiCorp Data and against accidental loss or destruction of, or damage to, HashiCorp Data and will implement, maintain and comply with at all times a written information security program (“Information Security Program”), which will include policies, procedures and technical and physical controls to: (a) ensure the security, availability, integrity and/or confidentiality of Vendor Systems and HashiCorp Data; (b) identify and protect against potential threats or hazards to Vendor Systems and HashiCorp Data; (c) protect against unauthorized access to or use of, alteration and/or destruction of Vendor Systems and HashiCorp Data; (d) ensure secure disposal of HashiCorp Data; and, (e) ensure that HashiCorp is notified as required herein in the event of a Security Incident. In addition, Vendor will monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of HashiCorp Data, internal or external threats to Vendor Systems or HashiCorp Data, and changes to information systems. Vendor will, at a minimum, comply with the safeguards and requirements set forth below to ensure the protection of Vendor Systems and HashiCorp Data, and include or address these safeguards and requirements in its Information Security Program.
Security Incident Notification
Vendor will notify HashiCorp in writing of any Security Incident within 24 hours of Vendor becoming aware of a Security Incident. This notification is required even if Vendor has not conclusively established the nature or extent of the Security Incident. Vendor will not communicate with any third party regarding a Security Incident, except as specified by HashiCorp, or as required by law. Vendor will take any action necessary to stop the Security Incident, and provide updates and a final written report to HashiCorp, describing in detail the Security Incident and Vendor’s response and corrective actions. Vendor will cooperate fully in HashiCorp’s investigation of the Security Incident and indemnify HashiCorp for any and all damages, losses, fees or costs (whether direct, indirect, special or consequential) incurred as a result of such incident, and remedy any harm or potential harm caused by such an incident. Upon HashiCorp’s request, Vendor will provide HashiCorp all on-going information related to the Security Incident, including, but not limited to, logs for forensic investigations, and engage, at its sole cost, a mutually agreeable third party to conduct the investigation.
a. Vendor will comply with all applicable legal requirements for privacy, data protection and confidentiality of communications. Such applicable legal requirements include the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts (201 CMR 17.00) and other applicable United States data protection laws at the state level, European Union Directive 95/46/EC and implementing national legislation, and Regulation 2016/679 (also known as GDPR), if applicable.
b. Vendor will (a) maintain compliance with SOC 2 or ISO 27001; (b) provide audit reports or evidence of these certifications to HashiCorp upon request; and (c) ensure that all Vendor subcontractors or third party delegates adhere to the same standards.
c. Vendor will allow HashiCorp, or its delegate, to perform an audit of the Vendor's systems and Information Security Program, upon thirty days’ notice and no more than once per year, or following a confirmed Security Incident.
d. Vendor will provide any additional information reasonably requested by HashiCorp in relation to the Order or Vendor’s compliance with this Appendix within five (5) business days.
Scanning, Testing and Validation
a. Vendor will allow HashiCorp, or HashiCorp’s delegate, to periodically test the security of the Services. When testing, HashiCorp or its delegate shall: (i) carefully conduct tests that are reasonably designed to safely uncover possible vulnerabilities without undue risk; and, (ii) make commercially reasonable efforts to tailor the tests as needed to specifically achieve the purpose of the test.
b. HashiCorp or its delegate may conduct the tests at any time during the term of the Order. HashiCorp will: (i) provide Vendor with reasonable notice prior to conducting the tests, (ii) promptly inform Vendor of any findings; and (iii) delay further disclosure until Vendor has had reasonable time to resolve issues identified in the findings.
c. Vendor will, at least once per year, perform a suite of independent third-party tests. These tests will be performed upon: (i) the Services; (ii) all aspects of Vendor’s internet-facing perimeter; and (iii) Vendor’s internal corporate network and internal systems. Vendor will, upon request, provide HashiCorp with details of the third-party tests performed.
d. Vendor will remediate all critical and high severity vulnerabilities that could affect the security of HashiCorp Data, of which Vendor becomes aware, within thirty days of becoming aware of the vulnerability. If Vendor cannot remediate within thirty days, Vendor will promptly inform HashiCorp, including details of the risk to HashiCorp arising from Vendor’s inability to remediate the vulnerability.
Technical Security Measures
a. Vendor will maintain an SSL Labs rating (please see https://www.ssllabs.com) of at least “A” for any external website used to store or access HashiCorp data. If Vendor’s rating falls below “A,” Vendor will: (a) notify HashiCorp if this rating is below “A” for three months; and (b) have three months from the date it notifies HashiCorp within which to increase its rating back to an “A”.
b. Vendor will implement and maintain secure user authentication protocols and access control measures in order to limit access to Vendor Systems and HashiCorp Data to authorized users.
c. Vendor will ensure HashiCorp Data is always encrypted in transit and at rest, and restrict access to HashiCorp data to authorized personnel only.
d. Vendor will encrypt backups, and restrict access to HashiCorp data to authorized personnel only.
e. Vendor will promptly apply any high or critical severity security patches to their production servers, endpoints, and endpoint management systems.
f. Vendor will maintain and follow a Secure Development Lifecycle (“SDL”) for the development of its products and services. Vendor will provide HashiCorp a copy of its SDL policy and process documents upon request.
g. Vendor will proactively monitor, detect, and alert its internal security team regarding suspicious or malicious activity within Vendor’s production and corporate environments.
h. Vendor will not move HashiCorp Data from Vendor’s production environment, unless specifically asked to do so by HashiCorp. Specifically, HashiCorp Data must not be downloaded to phones or laptops, must not be used for testing purposes, and must not be shared with third parties. Vendor will delete HashiCorp Data permanently upon HashiCorp’s request.
i. Vendor will maintain and preserve security event-related logs for a minimum of one year.
j. Upon termination of the Order, Vendor will fully erase all of HashiCorp’s data in its possession, and/or return the data back to HashiCorp, within 30 days.