Master Subscription Agreement
Effective November 23, 2023
WIZ MASTER SUBSCRIPTION AGREEMENT
BY ACCEPTING THIS AGREEMENT OR ACCESSING OR USING THE SERVICES, YOU ARE ACCEPTING THE TERMS AND CONDITIONS OF THIS AGREEMENT, UNLESS A SEPARATE WRITTEN AGREEMENT IS IN EFFECT THAT SPECIFICALLY GOVERNS THE SUBJECT MATTER HEREOF. IF YOU DO NOT AGREE TO THIS AGREEMENT, YOU MAY NOT USE THE SERVICE. YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO ENTER INTO THIS AGREEMENT; IF YOU ARE USING THE SERVICE AS AN EMPLOYEE OR AGENT OF AN ORGANIZATION OR ENTITY, THEN YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO SIGN FOR AND BIND SUCH ORGANIZATION OR ENTITY IN ORDER TO ACCEPT THE TERMS OF THIS AGREEMENT. IF YOU DO NOT HAVE AUTHORITY TO BIND YOUR EMPLOYER OR OTHER LEGAL ENTITY, PLEASE DO NOT ACCEPT THIS AGREEMENT AND IMMEDIATELY REFRAIN FROM ACCESSING AND/OR USING THE SERVICES.
IF YOU ARE USING THE SERVICE AS A PROOF OF CONCEPT OR FOR EVALUATION PURPOSES, THE SERVICES ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND AND IN ACCORDANCE WITH THE TERMS OF SECTION (“EVALUATIONS”) BELOW.
This Master Subscription Agreement (the “Agreement”) is effective on the earlier of: the date of (i) the execution of an Order referencing this Agreement; or (ii) Customer’s use of the Services (the “Effective Date”), by and between Wiz (as defined in Section 21 below) and you or the entity you represent referenced in the Order or otherwise accessing the Services (the “Customer”) (each, a “Party” and collectively, the “Parties”). Customer may use the Services (as defined below) subject to the terms below.
- Ordering.
- Customer may place an order for Services directly with Wiz via an order form (a “Direct Order”). Direct Orders may be entered into by Wiz or Wiz Affiliates with Customer or Customer Affiliates. Each Direct Order is hereby incorporated into this Agreement by reference and shall be deemed to be a stand-alone agreement that incorporates by reference the terms of this Agreement (mutatis mutandis) whereby each signing entity to the Direct Order shall be considered to be either “Wiz” or “Customer” referenced herein. A Customer Affiliate will have the right to enter into an Order referencing this Agreement and thereby indicating its agreement to be bound by the terms of this Agreement as if it were an original party hereto. In such case, for purposes of such Order, such Customer Affiliate will be deemed to be the “Customer” hereunder. To the extent of any conflict or inconsistency between the terms and conditions of this Agreement and a Direct Order, this Agreement shall prevail (unless a Direct Order specifically states otherwise). “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- If Customer has purchased a subscription pursuant to the terms hereof from a partner, reseller or distributor authorized by Wiz (“Partner”), to the extent there is any conflict between this Agreement and the agreement entered between Customer and the respective Partner, including any purchase order (“Partner Order”), then, as between Customer and Wiz, this Agreement shall prevail. Any rights granted to Customer in such Partner Order which are not contained in this Agreement, apply only in connection with such Partner. In that case, Customer must seek redress or realization or enforcement of such rights solely with such Partner and not Wiz. An “Order” means a Direct Order or a Partner Order, as applicable.
- Subscription. Subject to the terms and conditions of this Agreement (including payment obligations), Wiz hereby grants Customer, in connection with each Order, a limited, non-exclusive, non-sublicensable, non-transferable and revocable (as provided herein) right to use the Wiz cloud security platform (“Platform”) in object code form, during the corresponding Subscription Term (as defined in an Order), solely for Customer's internal business purposes and in accordance with the subscriptions specified in the applicable Order. Unless otherwise indicated, the term “Platform” also includes all software, revisions, fixes, improvements and/or updates to the subscription type specified in an Order and any user manuals and documentation available within the Platform (“Documentation”) provided to Customer in connection with the operation of the Platform. Customer may only use the Platform in accordance with the Documentation, subject to any use limitations indicated in an Order, and applicable laws and regulations. The Platform and any related services provided to Customer and detailed in an Order shall be referred to as the “Services”.
- Fees. The Services are conditioned on Customer’s payment of the applicable fees as set forth in each Order (“Fees”) and Wiz reserves the right, following at least 15 days’ prior written notice to Customer, to suspend Customer’s access to the Services for non or late payment. Except as set forth in this Agreement or a Direct Order, all Fees and other amounts paid pursuant to this Agreement and an Order are non-refundable and without right of set off. Unless otherwise specified in an Order: (i) Customer will pay all amounts due under this Agreement in U.S. Dollars currency, (ii) Fees for the entire Subscription Term set out in the applicable Order are due at the commencement of such Subscription Term and payable as described in the Order; (iii) all Fees are due and payable within thirty (30) days of the date of Wiz’s invoice; (iv) any amount not paid when due shall accrue interest on a daily basis until paid in full at the lesser of: (a) the rate of one and a half percent (1.5%) per month; or (b) the highest amount permitted by applicable law; and (v) all amounts payable under each Order are exclusive of all sales, use, value-added, withholding, and other direct or indirect taxes, charges, levies and duties. Customer shall bear all value added, state, local, withholding, and other taxes or other charges applicable to the Services; provided that Wiz will be responsible for any taxes imposed on Wiz’s income, assets and/or workforce.
- Permitted Users. The Platform may be accessed solely by Customer or its Affiliates' employees or service providers who are explicitly authorized by Customer to use the Platform (each, a “Permitted User”). Customer will (i) ensure that Permitted Users comply with the terms of this Agreement at all times, (ii) maintain the confidentiality and security of their Wiz account credentials, and (iii) be fully responsible for any acts or omissions by a Permitted User. Customer must promptly notify Wiz upon becoming aware of any unauthorized access to or use of the Platform.
- Prohibited Uses. Except as specifically permitted herein, without the prior written consent of Wiz, Customer shall not, and shall not allow any Permitted User or any third party to, directly or indirectly: (i) copy, modify, create derivative works of or distribute any part of the Platform (including by incorporation into its products); (ii) sell, license (or sub-license), lease, assign, transfer, pledge, or share Customer's rights under this Agreement with any third party; (iii) disclose the results of any testing or benchmarking of the Platform to any third party; (iv) disassemble, decompile, reverse engineer or attempt to discover the Platform’s source code or underlying algorithms; (v) use the Platform for any use in competition with Wiz’s Services; (vi) use the Platform in a manner that violates or infringes any rights of any third party; (vii) remove or alter any trademarks or other proprietary notices related to the Platform; or (viii) circumvent, disable or otherwise interfere with security-related features of the Platform or features that enforce use limitations.
- Customer Data.
- As between the parties, Customer owns and retains all right, title and interest (including all intellectual property rights) in and to any data or information that originates, resides on, or is otherwise processed through Customer's systems and processed by Wiz in the provision of the Services (“Customer Data”). Customer has exclusive control and responsibility for determining what Customer Data it and its Permitted Users submit into the Services and for obtaining all necessary rights, consents and permissions for submission of Customer Data and processing instructions to Wiz. Customer hereby grants to Wiz a non-exclusive, worldwide, royalty-free right to use Customer Data to provide the Services and perform its obligations under this Agreement.
- If Customer Data contains personally identifiable information, to the extent applicable, the Parties shall comply with Wiz’s Data Processing Agreement (“DPA”), which is available at https://www.wiz.io/legal/data-processing-agreement and forms an integral part of this Agreement.
- Customer agrees not to process any Protected Health Information or other information that is subject to HIPAA (“HIPAA Data”) via the Services unless Customer has entered into a Business Associate Agreement (“BAA”) with Wiz. Wiz’s Business Associate Agreement shall be provided to Customer upon request. Unless a BAA is in place, Wiz will have no liability under this Agreement for HIPAA Data, notwithstanding anything to the contrary in this Agreement or in HIPAA. Upon mutual execution of the BAA, the BAA is incorporated by reference into this Agreement.
- Additional Service Terms.
- Evaluations. If Customer is using the Services for a free trial, proof of concept, evaluation, one-time assessment, or other similar purpose (“Evaluation”), such Evaluation is granted for a limited period of twenty-one (21) days, (or in the case of Wiz’s One-time free assessment for up to seven (7) days), unless Wiz agrees to an extension and in each case solely for the purpose of evaluating and testing the Services to determine whether to purchase a subscription for Customer’s internal use. Wiz may terminate Customer’s access to and use of any Evaluation at any time. Evaluations are provided “as is” without guaranteed support levels, indemnification, or warranty of any kind, whether express, implied, statutory, or otherwise. Notwithstanding Section 15 (Limitation of Liability) or any other provision of this Agreement, Wiz’s maximum aggregate liability under any Evaluation shall be capped at one thousand dollars US ($1,000 US).
- Account Data and Anonymized Data. Customer acknowledges and agrees that Wiz may collect and process information regarding the configuration, performance, security, access to and use of the Services by Customer including product usage metrics and findings generated by the Platform (“Account Data”) for its internal business purposes including to develop, improve, support, secure and operate the Services and to fulfill legal obligations. Notwithstanding the foregoing, nothing in this Agreement shall restrict Wiz’s use of Account Data that has been anonymized and/or aggregated, provided that such data does not in any way identify and cannot be reasonably associated with Customer, its Affiliates, Permitted Users or any individuals connected to Customer or Customer Confidential Information (“Anonymized Data”).
- Wiz Preview Features. From time to time, Wiz may make beta, pilot, or early access features, services or functionality available to Customer on a beta-testing basis (“Wiz Preview Feature(s)”) to try at no charge. Wiz makes no representations or warranties of any kind, whether express, implied, statutory, or otherwise regarding Wiz Preview Features, and Wiz shall have no liability of any kind arising out of or in connection with Wiz Preview Features. The SLA does not apply to Wiz Preview Features. Customer may choose to try Wiz Preview Features in its sole discretion, and Wiz, in its sole discretion, may (a) discontinue Wiz Preview Features at any time, and/or (b) elect not to make Wiz Preview Features generally available.
- Customer Integrations. The Services may provide Customer with the ability to integrate certain functionalities of the Platform with applications or services separately provided to Customer by third parties (“Third Party Services”) via API integrations built by either Wiz or the Third Party Service provider (“Third Party Integrations”; examples include ticketing and messaging applications, SIEM or SOAR tools, and security data management tools). Customer’s use of such Third Party Integrations is optional and Customer shall be required to take the steps set forth in the Documentation to enable a Third Party Integration. Customer acknowledges and agrees that: (a) the use of Third Party Services is subject to the terms and conditions agreed between Customer and each such Third Party Service provider; (b) Customer may be required to grant Wiz access to its Third Party Service account and/or to grant the Third Party Service provider access to its Wiz account; and (c) Customer Data may be transferred between Wiz and the Third Party Service provider as required and authorized by Customer for the interoperation with the Services. Since Wiz does not provide such third party applications or services, Wiz cannot guarantee the continued availability of such Third Party Integration and may cease supporting them at any time, including if the relevant third party ceases to make its application or service available for integration with the Services or changes the way it does so in a way that is not reasonably acceptable to Wiz. To the maximum extent permitted by law but without derogating from Wiz’s obligations under this Agreement, Wiz shall not bear and expressly disclaims all responsibility or liability of any kind relating to such Third Party Integrations, including, without limitation, for any disclosure of, access to or other processing of Customer Data by Third Party Service providers.
- Security. The Parties shall comply with the Wiz Security Addendum which is available at https://www.wiz.io/legal/security-addendum (“Security Addendum”).
- Warranties. Each Party represents and warrants that it is duly organized, validly existing and in good standing under the laws of its jurisdiction of incorporation or organization; and that the execution and performance of this Agreement will not conflict with other agreements to which it is bound or violate applicable law.
- Intellectual Property Rights. All right, title, and interest, including any intellectual property rights evidenced by or embodied in, attached, connected, and/or related to the Platform (and any and all improvements, enhancements, corrections, modifications, alterations, revisions, extensions and updates and derivative works thereof) and any other products, deliverables or services provided by Wiz, are and shall remain owned solely by Wiz or its licensors. This Agreement does not convey to Customer any interest in or to the Platform other than a limited right to use the Platform in accordance with Section 2 (Subscription). Nothing herein constitutes a waiver of Wiz’s intellectual property rights under any law. Wiz reserves all rights not expressly granted herein to the Platform.
- Confidentiality. Each Party may have access to certain non-public information of the other Party, in any form or media, including without limitation trade secrets and other information related to the products, software, technology, data, know-how, or business of the other Party, and any other information that a reasonable person should have reason to believe is proprietary, confidential, or competitively sensitive (the “Confidential Information”). The receiving Party will use the same standard of care to protect the disclosing Party’s Confidential Information as it uses to protect its own Confidential Information, but no less than reasonable care. The receiving Party’s obligations under this Section, with respect to any Confidential Information of the disclosing Party, shall not apply to and/or shall terminate if such information: (a) was already lawfully known to the receiving Party at the time of disclosure by the disclosing Party; (b) was disclosed to the receiving Party by a third party who had the right to make such disclosure without any confidentiality restrictions; (c) is, or through no fault of the receiving Party has become, generally available to the public; or (d) was independently developed by the receiving Party without access to, or use of, the disclosing Party’s Confidential Information. Neither Party shall use or disclose the Confidential Information of the other Party except for performance of its obligations under this Agreement. The receiving Party shall only permit access to the disclosing Party's Confidential Information to its and/or its Affiliates’ respective employees, consultants, affiliates, service providers, agents, partners, and subcontractors having a need to know such information, and who are bound by at least equivalent obligations of confidentiality and non-disclosure as those under this Agreement (such recipients being “Authorized Recipients”). 
The receiving Party is responsible for the compliance of its Authorized Recipients with the confidentiality and non-disclosure obligations of this Agreement. The receiving Party will be allowed to disclose Confidential Information to the extent that such disclosure is required by law or by the order of a court or similar judicial or administrative body, provided that, to the extent permitted by applicable law, it notifies the disclosing Party of such required disclosure to enable the disclosing Party to seek a protective order or otherwise prevent or restrict such disclosure. Notwithstanding the foregoing, each Party can disclose the terms and existence of this Agreement to third parties in connection with a due diligence review (i.e., a potential investment in a Party or a going-public transaction) subject to such third parties being bound by at least equivalent obligations of confidentiality and non-disclosure as those under this Agreement. All right, title and interest in and to Confidential Information are and shall remain the sole and exclusive property of the disclosing Party.
- LIMITED WARRANTIES. Wiz represents and warrants that the Platform shall substantially perform in conformance with its Documentation. As the Customer's sole and exclusive remedy and Wiz's sole liability for breach of this warranty, Wiz shall use commercially reasonable efforts to repair the Platform and, if Wiz cannot do so within a reasonable time, not to exceed 30 days, Customer may terminate this Agreement and receive a pro-rata refund of any amounts pre-paid by Customer for the remaining unused period of the Term. The warranty set forth shall not apply if the failure of the Platform results from or is otherwise attributable to Customer or its Permitted User’s acts or omissions in violation of this Agreement. Wiz shall not be liable for any inaccuracy in the Service's output and/or delay and/or unavailability of the Services, caused due to (a) failure of Customer's Internet access or any public telecommunications network, or shortage of adequate power, (b) any incompatibility between the Customer's systems and the Platform and/or (c) maintenance within the Customer's systems affecting the operation of the Platform. OTHER THAN AS EXPLICITLY STATED IN THIS AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE PLATFORM, ITS RELATED SERVICES AND ANY OUTPUT RESULTED FROM THE USE OF THE PLATFORM ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. WIZ DOES NOT WARRANT THAT: (i) THE SERVICES WILL MEET CUSTOMER'S REQUIREMENTS, OR (ii) THE SERVICES WILL OPERATE ERROR-FREE. EXCEPT AS SET FORTH IN THIS AGREEMENT, WIZ EXPRESSLY DISCLAIMS ALL EXPRESS WARRANTIES AND ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, TITLE, NON-INFRINGEMENT, NON-INTERFERENCE, FITNESS FOR A PARTICULAR PURPOSE.
- Indemnification. Wiz agrees to defend, at its expense, any third party action or suit brought against the Customer alleging that the Platform, when used as permitted under this Agreement and each respective Order or Partner Order (as the case may be), infringes intellectual property rights of a third party (“IP Infringement Claim”); and Wiz will pay any damages awarded in a final judgment against the Customer that are attributable to any such claim, or that are otherwise agreed in a settlement with the prior written consent of Wiz, provided that (i) the Customer promptly notifies Wiz in writing of such claim; (ii) the Customer grants Wiz the sole authority to handle the defense or settlement of any such claim and provides Wiz with all reasonable information and assistance, at Wiz’s expense; and (iii) the Customer refrains from admitting any liability or otherwise compromising the defense in whole or in part, without the express prior written consent of Wiz. Wiz will not enter into any settlement that imposes any legal liability or financial obligation on Customer without Customer’s prior written consent.
- Term. This Agreement shall enter into force and effect on the Effective Date and, unless earlier terminated in accordance with Section 18, shall remain in full force and effect until all Orders expire or are terminated (the “Term”).
- Termination. Either Party may terminate an Order and/or this Agreement for cause with immediate effect if (a) the other Party breaches any material term or condition of an Order and/or this Agreement, and (b) such breach remains uncured thirty (30) days after the breaching Party receives written notice thereof. Upon termination or expiration of this Agreement and/or an Order: (i) all rights granted to Customer in the Platform shall expire, and Customer shall discontinue any further use and access thereof including deinstalling any Wiz provided software; (ii) Customer shall immediately delete and dispose of all copies of the Documentation in Customer’s or any of its representatives’ possession or control; and (iii) Wiz shall make any Customer Data in Wiz’s possession available for Customer to download via the Platform for up to 90 days and thereafter Wiz shall delete such Customer Data, provided that Wiz may retain Customer Data (a) stored in backups for a limited period of time in accordance with its industry standard customer deletion and backup policy or (b) as otherwise required by applicable law, and in either case, any Customer Data so retained shall remain subject to the confidentiality, privacy and security obligations in this Agreement. Section 5 (Prohibited Uses), Section 6 (Customer Data), Section 7 (Additional Service Terms), Section 8 (Security), Section 10 (Intellectual Property), Section 11 (Confidentiality), Section 12 (Limited Warranties), Section 13 (Limitation of Liability), Section 16 (Termination), Section 20 (Contracting Entity) and Section 21 (Miscellaneous) shall survive termination or expiration of this Agreement for any reason.
- Customer Reference. Unless stated otherwise in an Order, Wiz shall not use Customer’s name to identify Customer as a customer of Wiz on Wiz’s websites or public marketing materials without Customer’s prior written consent.
- Export Compliance. The Services may be subject to export laws and regulations of the United States and other jurisdictions. Wiz and Customer each represents that it is not on any U.S. government denied-party list. Customer will not permit any Permitted User to access or use any Service in a U.S. embargoed country or region (currently the Crimea, Luhansk or Donetsk regions, Cuba, Iran, North Korea, Sudan or Syria) or as may be updated from time to time, or in violation of any U.S. export law or regulation.
- Insurance. Wiz agrees to maintain no less than the following amounts of insurance during the term of this Agreement: (a) $2,000,000 USD in commercial general liability, per occurrence and in the aggregate; (b) $5,000,000 USD in technology errors and omissions/professional liability, per occurrence and in the aggregate, which may be combined with cyber liability; and (c) $5,000,000 USD in cyber-liability insurance, per occurrence and in the aggregate, which may be combined with technology errors and omissions/professional liability. All insurance policies will be issued by insurance companies with an AM Best Rating of no less than A-VII. Upon receipt of a written request, Wiz will provide Customer with a copy of its certificate of insurance evidencing the foregoing coverage.
- Contracting Entity. For the purposes of this Agreement “Wiz” means Wiz Inc., a company incorporated under the laws of the State of Delaware, having its principal place of business at One Manhattan West, 57th Floor, New York, NY 10001 or its Affiliates, as applicable. For clarity, unless a Direct Order specifies otherwise, the Wiz entity contracting with Customer hereunder will be (i) Wiz, Inc., if Customer is located outside of the UK or Europe or is purchasing via a cloud service provider marketplace; or (ii) Wiz Cloud Limited, a private limited company under the laws of England and Wales, if Customer is located in the UK or Europe and not purchasing via a cloud service provider.
- Miscellaneous. This Agreement, including any Order(s) and any exhibits attached or referred hereto, represents the complete agreement concerning the subject matter hereof and may be amended only by a written agreement executed by both Parties. The failure of either Party to enforce any rights granted hereunder or to take action against the other Party in the event of any breach hereunder shall not be deemed a waiver by that Party as to subsequent enforcement of rights or subsequent actions in the event of future breaches. If any provision of this Agreement is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. This Agreement represents the entire agreement of the Parties with respect to the subject matter hereof, and supersedes and replaces all prior and contemporaneous oral or written understandings, agreements and statements by the Parties with respect to such subject matter, including prior non-disclosure agreements or evaluation agreements. Without limiting the generality of the foregoing, this Agreement supersedes any terms or conditions (whether printed, hyperlinked, or otherwise) in any Customer's purchase order or other standardized business forms, which purport to supersede, modify or supplement this Agreement. Neither Party may assign its rights or obligations under this Agreement without the prior written consent of the other Party, which consent may not be unreasonably withheld or delayed. Notwithstanding the foregoing, this Agreement may be assigned by either Party to its Affiliate or in connection with a merger, consolidation, sale of all of the equity interests of the Party, or a sale of all or substantially all of the assets of the Party to which this Agreement relates. Subject to the foregoing, this Agreement will be binding on the parties and their permitted successors and assigns. 
This Agreement shall be governed by and construed under the laws of the state of New York, without reference to principles and laws relating to the conflict of laws. The competent courts of New York City, New York shall have the exclusive jurisdiction with respect to any dispute and action arising under or in relation to this Agreement. This Agreement does not, and shall not be construed to create any relationship, partnership, joint venture, employer-employee, agency, or franchisor-franchisee relationship between the Parties. Neither Party will be liable for any delay or failure to perform its obligations hereunder resulting from circumstances or causes beyond its reasonable control including, but not limited to on account of strikes, shortages, riots, insurrection, fires, flood, storms, explosions, acts of God, war, government or quasi-governmental authorities actions, acts of terrorism, earthquakes, or power outages. From time to time, Wiz may modify this Agreement. Unless otherwise specified by Wiz, changes become effective for Customer upon renewal of the then-current Subscription Term or upon the effective date of a new Order after the updated version of this Agreement goes into effect. Wiz will use reasonable efforts to notify Customer of the changes through communications via Customer’s Account, email or other means. Customer may be required to click to accept or otherwise agree to the modified Agreement before renewing a Subscription Term or upon the effective date of a new Order, and in any event continued use of any Wiz Services after the updated version of this Agreement goes into effect will constitute Customer’s acceptance of such updated version.
- Permitted Users. The Platform may be accessed solely by Customer or its Affiliates' employees or service providers who are explicitly authorized by Customer to use the Platform (each, a “Permitted User”). Customer will (i) ensure that Permitted Users comply with the terms of this Agreement at all times, (ii) maintain the confidentiality and security of their Wiz account credentials, and (iii) be fully responsible for any acts or omissions by a Permitted User. Customer must promptly notify Wiz upon becoming aware of any unauthorized access to or use of the Platform.
- Prohibited Uses. Except as specifically permitted herein, without the prior written consent of Wiz, Customer shall not, and shall not allow any Permitted User or any third party to, directly or indirectly: (i) copy, modify, create derivative works of or distribute any part of the Platform (including by incorporation into its products); (ii) sell, license (or sub-license), lease, assign, transfer, pledge, or share Customer's rights under this Agreement with any third party; (iii) disclose the results of any testing or benchmarking of the Platform to any third party; (iv) disassemble, decompile, reverse engineer or attempt to discover the Platform’s source code or underlying algorithms; (v) use the Platform for any use in competition with Wiz’s Services; (vi) use the Platform in a manner that violates or infringes any rights of any third party; (vii) remove or alter any trademarks or other proprietary notices related to the Platform; or (viii) circumvent, disable or otherwise interfere with security-related features of the Platform or features that enforce use limitations.
- Customer Data.
- As between the parties, Customer owns and retains all right, title and interest (including all intellectual property rights) in and to any data or information that originates, resides on, or is otherwise processed through Customer's systems and processed by Wiz in the provision of the Services (“Customer Data”). Customer has exclusive control and responsibility for determining what Customer Data it and its Permitted Users submit into the Services and for obtaining all necessary rights, consents and permissions for submission of Customer Data and processing instructions to Wiz. Customer hereby grants to Wiz a non-exclusive, worldwide, royalty-free right to use Customer Data to provide the Services and perform its obligations under this Agreement.
- If Customer Data contains personally identifiable information, to the extent applicable, the Parties shall comply with Wiz’s Data Processing Agreement (“DPA”), which is available at https://www.wiz.io/legal/data-processing-agreement and forms an integral part of this Agreement.
- Customer agrees not to process any Protected Health Information or other information that is subject to HIPAA (“HIPAA Data”) via the Services unless Customer has entered into a Business Associate Agreement (“BAA”) with Wiz. Wiz’s Business Associate Agreement shall be provided to Customer upon request. Unless a BAA is in place, Wiz will have no liability under this Agreement for HIPAA Data, notwithstanding anything to the contrary in this Agreement or in HIPAA. Upon mutual execution of the BAA, the BAA is incorporated by reference into this Agreement.
- Additional Service Terms.
- Evaluations. If Customer is using the Services for a free trial, proof of concept, evaluation, one-time assessment, or other similar purpose (“Evaluation”), such Evaluation is granted for a limited period of twenty-one (21) days (or in the case of Wiz’s One-time free assessment for up to seven (7) days), unless Wiz agrees to an extension and in each case solely for the purpose of evaluating and testing the Services to determine whether to purchase a subscription for Customer’s internal use. Wiz may terminate Customer’s access to and use of any Evaluation at any time. Evaluations are provided “as is” without guaranteed support levels, indemnification, or warranty of any kind, whether express, implied, statutory, or otherwise. Notwithstanding Section 15 (Limitation of Liability) or any other provision of this Agreement, Wiz’s maximum aggregate liability under any Evaluation shall be capped at one thousand dollars US ($1,000 US).
- Account Data and Anonymized Data. Customer acknowledges and agrees that Wiz may collect and process information regarding the configuration, performance, security, access to and use of the Services by Customer including product usage metrics and findings generated by the Platform (“Account Data”) for its internal business purposes including to develop, improve, support, secure and operate the Services and to fulfill legal obligations. Notwithstanding the foregoing, nothing in this Agreement shall restrict Wiz’s use of Account Data that has been anonymized and/or aggregated, provided that such data does not in any way identify and cannot be reasonably associated with Customer, its Affiliates, Permitted Users or any individuals connected to Customer or Customer Confidential Information (“Anonymized Data”).
- Wiz Preview Features. From time to time, Wiz may make beta, pilot, or early access features, services or functionality available to Customer on a beta-testing basis (“Wiz Preview Feature(s)”) to try at no charge. Wiz makes no representations or warranties of any kind, whether express, implied, statutory, or otherwise regarding Wiz Preview Features, and Wiz shall have no liability of any kind arising out of or in connection with Wiz Preview Features. The SLA does not apply to Wiz Preview Features. Customer may choose to try Wiz Preview Features in its sole discretion, and Wiz, in its sole discretion, may (a) discontinue Wiz Preview Features at any time, and/or (b) elect not to make Wiz Preview Features generally available.
- Customer Integrations. The Services may provide Customer with the ability to integrate certain functionalities of the Platform with applications or services separately provided to Customer by third parties (“Third Party Services”) via API integrations built by either Wiz or the Third Party Service provider (“Third Party Integrations”); examples include ticketing and messaging applications, SIEM or SOAR tools, and security data management tools. Customer’s use of such Third Party Integrations is optional and Customer shall be required to take the steps set forth in the Documentation to enable a Third Party Integration. Customer acknowledges and agrees that: (a) the use of Third Party Services is subject to the terms and conditions agreed between Customer and each such Third Party Service provider; (b) Customer may be required to grant Wiz access to its Third Party Service account and/or to grant the Third Party Service provider access to its Wiz account; and (c) Customer Data may be transferred between Wiz and the Third Party Service provider as required and authorized by Customer for the interoperation with the Services. Since Wiz does not provide such third party applications or services, Wiz cannot guarantee the continued availability of such Third Party Integration and may cease supporting them at any time, including if the relevant third party ceases to make its application or service available for integration with the Services or changes the way it does so in a way that is not reasonably acceptable to Wiz. To the maximum extent permitted by law but without derogating from Wiz’s obligations under this Agreement, Wiz shall not bear and expressly disclaims all responsibility or liability of any kind relating to such Third Party Integrations, including, without limitation, for any disclosure of, access to or other processing of Customer Data by Third Party Service providers.
- Security. The Parties shall comply with the Wiz Security Addendum which is available at https://www.wiz.io/legal/security-addendum (“Security Addendum”).
- Warranties. Each Party represents and warrants that it is duly organized, validly existing and in good standing under the laws of its jurisdiction of incorporation or organization; and that the execution and performance of this Agreement will not conflict with other agreements to which it is bound or violate applicable law.
- Intellectual Property Rights. All right, title, and interest, including any intellectual property rights evidenced by or embodied in, attached, connected, and/or related to the Platform (and any and all improvements, enhancements, corrections, modifications, alterations, revisions, extensions and updates and derivative works thereof) and any other products, deliverables or services provided by Wiz, are and shall remain owned solely by Wiz or its licensors. This Agreement does not convey to Customer any interest in or to the Platform other than a limited right to use the Platform in accordance with Section 2 (Subscription). Nothing herein constitutes a waiver of Wiz’s intellectual property rights under any law. Wiz reserves all rights not expressly granted herein to the Platform.
- Confidentiality. Each Party may have access to certain non-public information of the other Party, in any form or media, including without limitation trade secrets and other information related to the products, software, technology, data, know-how, or business of the other Party, and any other information that a reasonable person should have reason to believe is proprietary, confidential, or competitively sensitive (the “Confidential Information”). The receiving Party will use the same standard of care to protect the disclosing Party’s Confidential Information as it uses to protect its own Confidential Information, but no less than reasonable care. The receiving Party’s obligations under this Section, with respect to any Confidential Information of the disclosing Party, shall not apply to and/or shall terminate if such information: (a) was already lawfully known to the receiving Party at the time of disclosure by the disclosing Party; (b) was disclosed to the receiving Party by a third party who had the right to make such disclosure without any confidentiality restrictions; (c) is, or through no fault of the receiving Party has become, generally available to the public; or (d) was independently developed by the receiving Party without access to, or use of, the disclosing Party’s Confidential Information. Neither Party shall use or disclose the Confidential Information of the other Party except for performance of its obligations under this Agreement. The receiving Party shall only permit access to the disclosing Party's Confidential Information to its and/or its Affiliates’ respective employees, consultants, affiliates, service providers, agents, partners, and subcontractors having a need to know such information, and who are bound by at least equivalent obligations of confidentiality and non-disclosure as those under this Agreement (such recipients being “Authorized Recipients”). 
The receiving Party is responsible for the compliance of its Authorized Recipients with the confidentiality and non-disclosure obligations of this Agreement. The receiving Party will be allowed to disclose Confidential Information to the extent that such disclosure is required by law or by the order of a court or similar judicial or administrative body, provided that, to the extent permitted by applicable law, it notifies the disclosing Party of such required disclosure to enable the disclosing Party to seek a protective order or otherwise prevent or restrict such disclosure. Notwithstanding the foregoing, each Party can disclose the terms and existence of this Agreement to third parties in connection with a due diligence review (i.e., a potential investment in a Party or a going-public transaction) subject to such third parties being bound by at least equivalent obligations of confidentiality and non-disclosure as those under this Agreement. All right, title and interest in and to Confidential Information are and shall remain the sole and exclusive property of the disclosing Party.
- LIMITED WARRANTIES. Wiz represents and warrants that the Platform shall substantially perform in conformance with its Documentation. As the Customer's sole and exclusive remedy and Wiz's sole liability for breach of this warranty, Wiz shall use commercially reasonable efforts to repair the Platform and, if Wiz cannot do so within a reasonable time, not to exceed 30 days, Customer may terminate this Agreement and receive a pro-rata refund of any amounts pre-paid by Customer for the remaining unused period of the Term. The warranty set forth shall not apply if the failure of the Platform results from or is otherwise attributable to Customer or its Permitted User’s acts or omissions in violation of this Agreement. Wiz shall not be liable for any inaccuracy in the Service's output and/or delay and/or unavailability of the Services, caused due to (a) failure of Customer's Internet access or any public telecommunications network, or shortage of adequate power, (b) any incompatibility between the Customer's systems and the Platform and/or (c) maintenance within the Customer's systems affecting the operation of the Platform. OTHER THAN AS EXPLICITLY STATED IN THIS AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE PLATFORM, ITS RELATED SERVICES AND ANY OUTPUT RESULTING FROM THE USE OF THE PLATFORM ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. WIZ DOES NOT WARRANT THAT: (i) THE SERVICES WILL MEET CUSTOMER'S REQUIREMENTS, OR (ii) THE SERVICES WILL OPERATE ERROR-FREE. EXCEPT AS SET FORTH IN THIS AGREEMENT, WIZ EXPRESSLY DISCLAIMS ALL EXPRESS WARRANTIES AND ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, TITLE, NON-INFRINGEMENT, NON-INTERFERENCE, FITNESS FOR A PARTICULAR PURPOSE.
- Indemnification. Wiz agrees to defend, at its expense, any third party action or suit brought against the Customer alleging that the Platform, when used as permitted under this Agreement and each respective Order or Partner Order (as the case may be), infringes intellectual property rights of a third party (“IP Infringement Claim”); and Wiz will pay any damages awarded in a final judgment against the Customer that are attributable to any such claim, or that are otherwise agreed in a settlement with the prior written consent of Wiz, provided that (i) the Customer promptly notifies Wiz in writing of such claim; (ii) the Customer grants Wiz the sole authority to handle the defense or settlement of any such claim and provides Wiz with all reasonable information and assistance, at Wiz’s expense; and (iii) the Customer refrains from admitting any liability or otherwise compromising the defense in whole or in part, without the express prior written consent of Wiz. Wiz will not enter into any settlement that imposes any legal liability or financial obligation on Customer without Customer’s prior written consent.
- Term. This Agreement shall enter into force and effect on the Effective Date and, unless earlier terminated in accordance with Section 18, shall remain in full force and effect until all Orders expire or are terminated (the “Term”).
- Termination. Either Party may terminate an Order and/or this Agreement for cause with immediate effect if (a) the other Party breaches any material term or condition of an Order and/or this Agreement, and (b) such breach remains uncured thirty (30) days after the breaching Party receives written notice thereof. Upon termination or expiration of this Agreement and/or an Order: (i) all rights granted to Customer in the Platform shall expire, and Customer shall discontinue any further use and access thereof including deinstalling any Wiz provided software; (ii) Customer shall immediately delete and dispose of all copies of the Documentation in Customer’s or any of its representatives’ possession or control; and (iii) Wiz shall make any Customer Data in Wiz’s possession available for Customer to download via the Platform for up to 90 days and thereafter Wiz shall delete such Customer Data, provided that Wiz may retain Customer Data (a) stored in backups for a limited period of time in accordance with its industry standard customer deletion and backup policy or (b) as otherwise required by applicable law, and in either case, any Customer Data so retained shall remain subject to the confidentiality, privacy and security obligations in this Agreement. Section 5 (Prohibited Uses), Section 6 (Customer Data), Section 7 (Additional Service Terms), Section 8 (Security), Section 10 (Intellectual Property), Section 11 (Confidentiality), Section 12 (Limited Warranties), Section 13 (Limitation of Liability), Section 16 (Termination), Section 19 (Contracting Entity) and Section 20 (Miscellaneous) shall survive termination or expiration of this Agreement for any reason.
- Customer Reference. Unless stated otherwise in an Order, Wiz shall not use Customer’s name to identify Customer as a customer of Wiz on Wiz’s websites or public marketing materials without Customer’s prior written consent.
- Export Compliance. The Services may be subject to export laws and regulations of the United States and other jurisdictions. Wiz and Customer each represents that it is not on any U.S. government denied-party list. Customer will not permit any Permitted User to access or use any Service in a U.S. embargoed country or region (currently the Crimea, Luhansk or Donetsk regions, Cuba, Iran, North Korea, Sudan or Syria) or as may be updated from time to time, or in violation of any U.S. export law or regulation.
- Insurance. Wiz agrees to maintain no less than the following amounts of insurance during the term of this Agreement: (a) $2,000,000 USD in commercial general liability, per occurrence and in the aggregate; (b) $5,000,000 USD in technology errors and omissions/professional liability, per occurrence and in the aggregate, which may be combined with cyber liability; and (c) $5,000,000 USD in cyber-liability insurance, per occurrence and in the aggregate, which may be combined with technology errors and omissions/professional liability. All insurance policies will be issued by insurance companies with an AM Best Rating of no less than A-VII. Upon receipt of a written request, Wiz will provide Customer with a copy of its certificate of insurance evidencing the foregoing coverage.
- Contracting Entity. For the purposes of this Agreement “Wiz” means Wiz Inc., a company incorporated under the laws of the State of Delaware, having its principal place of business at One Manhattan West, 57th Floor, New York, NY 10001 or its Affiliates, as applicable. For clarity, unless a Direct Order specifies otherwise, the Wiz entity contracting with Customer hereunder will be (i) Wiz, Inc., if Customer is located outside of the UK or Europe or is purchasing via a cloud service provider marketplace; or (ii) Wiz Cloud Limited, a private limited company under the laws of England and Wales, if Customer is located in the UK or Europe and not purchasing via a cloud service provider.
- Miscellaneous. This Agreement, including any Order(s) and any exhibits attached or referred hereto, represents the complete agreement concerning the subject matter hereof and may be amended only by a written agreement executed by both Parties. The failure of either Party to enforce any rights granted hereunder or to take action against the other Party in the event of any breach hereunder shall not be deemed a waiver by that Party as to subsequent enforcement of rights or subsequent actions in the event of future breaches. If any provision of this Agreement is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. This Agreement represents the entire agreement of the Parties with respect to the subject matter hereof, and supersedes and replaces all prior and contemporaneous oral or written understandings, agreements and statements by the Parties with respect to such subject matter, including prior non-disclosure agreements or evaluation agreements. Without limiting the generality of the foregoing, this Agreement supersedes any terms or conditions (whether printed, hyperlinked, or otherwise) in any Customer's purchase order or other standardized business forms, which purport to supersede, modify or supplement this Agreement. Neither Party may assign its rights or obligations under this Agreement without the prior written consent of the other Party, which consent may not be unreasonably withheld or delayed. Notwithstanding the foregoing, this Agreement may be assigned by either Party to its Affiliate or in connection with a merger, consolidation, sale of all of the equity interests of the Party, or a sale of all or substantially all of the assets of the Party to which this Agreement relates. Subject to the foregoing, this Agreement will be binding on the parties and their permitted successors and assigns. 
This Agreement shall be governed by and construed under the laws of the state of New York, without reference to principles and laws relating to the conflict of laws. The competent courts of New York City, New York shall have the exclusive jurisdiction with respect to any dispute and action arising under or in relation to this Agreement. This Agreement does not, and shall not be construed to create any relationship, partnership, joint venture, employer-employee, agency, or franchisor-franchisee relationship between the Parties. Neither Party will be liable for any delay or failure to perform its obligations hereunder resulting from circumstances or causes beyond its reasonable control including, but not limited to on account of strikes, shortages, riots, insurrection, fires, flood, storms, explosions, acts of God, war, government or quasi-governmental authorities actions, acts of terrorism, earthquakes, or power outages. From time to time, Wiz may modify this Agreement. Unless otherwise specified by Wiz, changes become effective for Customer upon renewal of the then-current Subscription Term or upon the effective date of a new Order after the updated version of this Agreement goes into effect. Wiz will use reasonable efforts to notify Customer of the changes through communications via Customer’s Account, email or other means. Customer may be required to click to accept or otherwise agree to the modified Agreement before renewing a Subscription Term or upon the effective date of a new Order, and in any event continued use of any Wiz Services after the updated version of this Agreement goes into effect will constitute Customer’s acceptance of such updated version.
Effective November 22, 2023 to November 23, 2023
WIZ MASTER SUBSCRIPTION AGREEMENT
BY ACCEPTING THIS AGREEMENT OR ACCESSING OR USING THE SERVICES, YOU ARE ACCEPTING THE TERMS AND CONDITIONS OF THIS AGREEMENT, UNLESS A SEPARATE WRITTEN AGREEMENT IS IN EFFECT THAT SPECIFICALLY GOVERNS THE SUBJECT MATTER HEREOF. IF YOU DO NOT AGREE TO THIS AGREEMENT, YOU MAY NOT USE THE SERVICE. YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO ENTER INTO THIS AGREEMENT; IF YOU ARE USING THE SERVICE AS AN EMPLOYEE OR AGENT OF AN ORGANIZATION OR ENTITY, THEN YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO SIGN FOR AND BIND SUCH ORGANIZATION OR ENTITY IN ORDER TO ACCEPT THE TERMS OF THIS AGREEMENT. IF YOU DO NOT HAVE AUTHORITY TO BIND YOUR EMPLOYER OR OTHER LEGAL ENTITY, PLEASE DO NOT ACCEPT THIS AGREEMENT AND IMMEDIATELY REFRAIN FROM ACCESSING AND/OR USING THE SERVICES.
IF YOU ARE USING THE SERVICE AS A PROOF OF CONCEPT OR FOR EVALUATION PURPOSES, THE SERVICES ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND AND IN ACCORDANCE WITH THE TERMS OF SECTION (“EVALUATIONS”) BELOW.
This Master Subscription Agreement (the “Agreement”) is effective on the earlier of: the date of (i) the execution of an Order referencing this Agreement; or (ii) Customer’s use of the Services (the “Effective Date”), by and between Wiz (as defined in Section 21 below) and you or the entity you represent referenced in the Order or otherwise accessing the Services (the “Customer”) (each, a “Party” and collectively, the “Parties”). Customer may use the Services (as defined below) subject to the terms below.
- Ordering.
- Customer may place an order for Services directly with Wiz via an order form (a “Direct Order”). Direct Orders may be entered into by Wiz or Wiz Affiliates with Customer or Customer Affiliates. Each Direct Order is hereby incorporated into this Agreement by reference and shall be deemed to be a stand-alone agreement that incorporates by reference the terms of this Agreement (mutatis mutandis) whereby each signing entity to the Direct Order shall be considered to be either “Wiz” or “Customer” referenced herein. A Customer Affiliate will have the right to enter into an Order referencing this Agreement and thereby indicating its agreement to be bound by the terms of this Agreement as if it were an original party hereto. In such case, for purposes of such Order, such Customer Affiliate will be deemed to be the “Customer” hereunder. To the extent of any conflict or inconsistency between the terms and conditions of this Agreement and a Direct Order, this Agreement shall prevail (unless a Direct Order specifically states otherwise). “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- If Customer has purchased a subscription pursuant to the terms hereof from a partner, reseller or distributor authorized by Wiz (“Partner”), to the extent there is any conflict between this Agreement and the agreement entered between Customer and the respective Partner, including any purchase order (“Partner Order”), then, as between Customer and Wiz, this Agreement shall prevail. Any rights granted to Customer in such Partner Order which are not contained in this Agreement, apply only in connection with such Partner. In that case, Customer must seek redress or realization or enforcement of such rights solely with such Partner and not Wiz. An “Order” means a Direct Order or a Partner Order, as applicable.
- Subscription. Subject to the terms and conditions of this Agreement (including payment obligations), Wiz hereby grants Customer, in connection with each Order, a limited, non-exclusive, non-sublicensable, non-transferable and revocable (as provided herein) right to use the Wiz cloud security platform (“Platform”) in object code form, during the corresponding Subscription Term (as defined in an Order), solely for Customer's internal business purposes and in accordance with the subscriptions specified in the applicable Order. Unless otherwise indicated, the term “Platform” also includes all software, revisions, fixes, improvements and/or updates to the subscription type specified in an Order and any user manuals and documentation available within the Platform (“Documentation”) provided to Customer in connection with the operation of the Platform. Customer may only use the Platform in accordance with the Documentation, subject to any use limitations indicated in an Order, and applicable laws and regulations. The Platform and any related services provided to Customer and detailed in an Order shall be referred to as the “Services”.
- Fees. The Services are conditioned on Customer’s payment of the applicable fees as set forth in each Order (“Fees”) and Wiz reserves the right, following at least 15 days’ prior written notice to Customer, to suspend Customer’s access to the Services for non or late payment. Except as set forth in this Agreement or a Direct Order, all Fees and other amounts paid pursuant to this Agreement and an Order are non-refundable and without right of set off. Unless otherwise specified in an Order: (i) Customer will pay all amounts due under this Agreement in U.S. Dollars currency, (ii) Fees for the entire Subscription Term set out in the applicable Order are due at the commencement of such Subscription Term and payable as described in the Order; (iii) all Fees are due and payable within thirty (30) days of the date of Wiz’s invoice; (iv) any amount not paid when due shall accrue interest on a daily basis until paid in full at the lesser of: (a) the rate of one and a half percent (1.5%) per month; or (b) the highest amount permitted by applicable law; and (v) all amounts payable under each Order are exclusive of all sales, use, value-added, withholding, and other direct or indirect taxes, charges, levies and duties. Customer shall bear all value added, state, local, withholding, and other taxes or other charges applicable to the Services; provided that Wiz will be responsible for any taxes imposed on Wiz’s income, assets and/or workforce.
- Permitted Users. The Platform may be accessed solely by Customer or its Affiliates' employees or service providers who are explicitly authorized by Customer to use the Platform (each, a “Permitted User”). Customer will (i) ensure that Permitted Users comply with the terms of this Agreement at all times, (ii) maintain the confidentiality and security of their Wiz account credentials, and (iii) be fully responsible for any acts or omissions by a Permitted User. Customer must promptly notify Wiz upon becoming aware of any unauthorized access to or use of the Platform.
- Prohibited Uses. Except as specifically permitted herein, without the prior written consent of Wiz, Customer shall not, and shall not allow any Permitted User or any third party to, directly or indirectly: (i) copy, modify, create derivative works of or distribute any part of the Platform (including by incorporation into its products); (ii) sell, license (or sub-license), lease, assign, transfer, pledge, or share Customer's rights under this Agreement with any third party; (iii) disclose the results of any testing or benchmarking of the Platform to any third party; (iv) disassemble, decompile, reverse engineer or attempt to discover the Platform’s source code or underlying algorithms; (v) use the Platform for any use in competition with Wiz’s Services; (vi) use the Platform in a manner that violates or infringes any rights of any third party; (vii) remove or alter any trademarks or other proprietary notices related to the Platform; or (viii) circumvent, disable or otherwise interfere with security-related features of the Platform or features that enforce use limitations.
- Customer Data.
- As between the parties, Customer owns and retains all right, title and interest (including all intellectual property rights) in and to any data or information that originates, resides on, or is otherwise processed through Customer's systems and processed by Wiz in the provision of the Services (“Customer Data”). Customer has exclusive control and responsibility for determining what Customer Data it and its Permitted Users submit into the Services and for obtaining all necessary rights, consents and permissions for submission of Customer Data and processing instructions to Wiz. Customer hereby grants to Wiz a non-exclusive, worldwide, royalty-free right to use Customer Data to provide the Services and perform its obligations under this Agreement.
- If Customer Data contains personally identifiable information, to the extent applicable, the Parties shall comply with Wiz’s Data Processing Agreement (“DPA”), which is available at https://www.wiz.io/legal/data-processing-agreement and forms an integral part of this Agreement.
- Customer agrees not to process any Protected Health Information or other information that is subject to HIPAA (“HIPAA Data”) via the Services unless Customer has entered into a Business Associate Agreement (“BAA”) with Wiz. Wiz’s Business Associate Agreement shall be provided to Customer upon request. Unless a BAA is in place, Wiz will have no liability under this Agreement for HIPAA Data, notwithstanding anything to the contrary in this Agreement or in HIPAA. Upon mutual execution of the BAA, the BAA is incorporated by reference into this Agreement.
- Additional Service Terms.
- Evaluations. If Customer is using the Services for a free trial, proof of concept, evaluation, one-time assessment, or other similar purpose (“Evaluation”), such Evaluation is granted for a limited period of twenty-one (21) days, (or in the case of Wiz’s One-time free assessment for up to seven (7) days), unless Wiz agrees to an extension and in each case solely for the purpose of evaluating and testing the Services to determine whether to purchase a subscription for Customer’s internal use. Wiz may terminate Customer’s access to and use of any Evaluation at any time. Evaluations are provided “as is” without guaranteed support levels, indemnification, or warranty of any kind, whether express, implied, statutory, or otherwise. Notwithstanding Section 15 (Limitation of Liability) or any other provision of this Agreement, Wiz’s maximum aggregate liability under any Evaluation shall be capped at one thousand dollars US ($1,000 US).
- Account Data and Anonymized Data. Customer acknowledges and agrees that Wiz may collect and process information regarding the configuration, performance, security, access to and use of the Services by Customer including product usage metrics and findings generated by the Platform (“Account Data”) for its internal business purposes including to develop, improve, support, secure and operate the Services and to fulfill legal obligations. Notwithstanding the foregoing, nothing in this Agreement shall restrict Wiz’s use of Account Data that has been anonymized and/or aggregated, provided that such data does not in any way identify and cannot be reasonably associated with Customer, its Affiliates, Permitted Users or any individuals connected to Customer or Customer Confidential Information (“Anonymized Data”).
- Wiz Preview Features. From time to time, Wiz may make beta, pilot, or early access features, services or functionality available to Customer on a beta-testing basis (“Wiz Preview Feature(s)”) to try at no charge. Wiz makes no representations or warranties of any kind, whether express, implied, statutory, or otherwise regarding Wiz Preview Features, and Wiz shall have no liability of any kind arising out of or in connection with Wiz Preview Features. The SLA does not apply to Wiz Preview Features. Customer may choose to try Wiz Preview Features in its sole discretion, and Wiz, in its sole discretion, may (a) discontinue Wiz Preview Features at any time, and/or (b) elect not to make Wiz Preview Features generally available.
- Customer Integrations. The Services may provide Customer with the ability to integrate certain functionalities of the Platform with applications or services separately provided to Customer by third parties (“Third Party Services”) via API integrations built by either Wiz or the Third Party Service provider (“Third Party Integrations”; examples include ticketing and messaging applications, SIEM or SOAR tools, and security data management tools). Customer’s use of such Third Party Integrations is optional and Customer shall be required to take the steps set forth in the Documentation to enable a Third Party Integration. Customer acknowledges and agrees that: (a) the use of Third Party Services is subject to the terms and conditions agreed between Customer and each such Third Party Service provider; (b) Customer may be required to grant Wiz access to its Third Party Service account and/or to grant the Third Party Service provider access to its Wiz account; and (c) Customer Data may be transferred between Wiz and the Third Party Service provider as required and authorized by Customer for the interoperation with the Services. Since Wiz does not provide such third party applications or services, Wiz cannot guarantee the continued availability of such Third Party Integration and may cease supporting them at any time, including if the relevant third party ceases to make its application or service available for integration with the Services or changes the way it does so in a way that is not reasonably acceptable to Wiz. To the maximum extent permitted by law but without derogating from Wiz’s obligations under this Agreement, Wiz shall not bear and expressly disclaims all responsibility or liability of any kind relating to such Third Party Integrations, including, without limitation, for any disclosure of, access to or other processing of Customer Data by Third Party Service providers.
- Security. The Parties shall comply with the Wiz Security Addendum which is available at https://www.wiz.io/legal/security-addendum (“Security Addendum”).
- Warranties. Each Party represents and warrants that it is duly organized, validly existing and in good standing under the laws of its jurisdiction of incorporation or organization; and that the execution and performance of this Agreement will not conflict with other agreements to which it is bound or violate applicable law.
- Intellectual Property Rights. All right, title, and interest, including any intellectual property rights evidenced by or embodied in, attached, connected, and/or related to the Platform (and any and all improvements, enhancements, corrections, modifications, alterations, revisions, extensions and updates and derivative works thereof) and any other products, deliverables or services provided by Wiz, are and shall remain owned solely by Wiz or its licensors. This Agreement does not convey to Customer any interest in or to the Platform other than a limited right to use the Platform in accordance with Section 2 (Subscription). Nothing herein constitutes a waiver of Wiz’s intellectual property rights under any law. Wiz reserves all rights not expressly granted herein to the Platform.
- Confidentiality. Each Party may have access to certain non-public information of the other Party, in any form or media, including without limitation trade secrets and other information related to the products, software, technology, data, know-how, or business of the other Party, and any other information that a reasonable person should have reason to believe is proprietary, confidential, or competitively sensitive (the “Confidential Information”). The receiving Party will use the same standard of care to protect the disclosing Party’s Confidential Information as it uses to protect its own Confidential Information, but no less than reasonable care. The receiving Party’s obligations under this Section, with respect to any Confidential Information of the disclosing Party, shall not apply to and/or shall terminate if such information: (a) was already lawfully known to the receiving Party at the time of disclosure by the disclosing Party; (b) was disclosed to the receiving Party by a third party who had the right to make such disclosure without any confidentiality restrictions; (c) is, or through no fault of the receiving Party has become, generally available to the public; or (d) was independently developed by the receiving Party without access to, or use of, the disclosing Party’s Confidential Information. Neither Party shall use or disclose the Confidential Information of the other Party except for performance of its obligations under this Agreement. The receiving Party shall only permit access to the disclosing Party's Confidential Information to its and/or its Affiliates’ respective employees, consultants, affiliates, service providers, agents, partners, and subcontractors having a need to know such information, and who are bound by at least equivalent obligations of confidentiality and non-disclosure as those under this Agreement (such recipients being “Authorized Recipients”). 
The receiving Party is responsible for the compliance of its Authorized Recipients with the confidentiality and non-disclosure obligations of this Agreement. The receiving Party will be allowed to disclose Confidential Information to the extent that such disclosure is required by law or by the order of a court or similar judicial or administrative body, provided that, to the extent permitted by applicable law, it notifies the disclosing Party of such required disclosure to enable the disclosing Party to seek a protective order or otherwise prevent or restrict such disclosure. Notwithstanding the foregoing, each Party can disclose the terms and existence of this Agreement to third parties in connection with a due diligence review (i.e., a potential investment in a Party or a going-public transaction) subject to such third parties being bound by at least equivalent obligations of confidentiality and non-disclosure as those under this Agreement. All right, title and interest in and to Confidential Information are and shall remain the sole and exclusive property of the disclosing Party.
- LIMITED WARRANTIES. Wiz represents and warrants that the Platform shall substantially perform in conformance with its Documentation. As the Customer's sole and exclusive remedy and Wiz's sole liability for breach of this warranty, Wiz shall use commercially reasonable efforts to repair the Platform and, if Wiz cannot do so within a reasonable time, not to exceed 30 days, Customer may terminate this Agreement and receive a pro-rata refund of any amounts pre-paid by Customer for the remaining unused period of the Term. The warranty set forth shall not apply if the failure of the Platform results from or is otherwise attributable to Customer or its Permitted User’s acts or omissions in violation of this Agreement. Wiz shall not be liable for any inaccuracy in the Service's output and/or delay and/or unavailability of the Services, caused due to (a) failure of Customer's Internet access or any public telecommunications network, or shortage of adequate power, (b) any incompatibility between the Customer's systems and the Platform and/or (c) maintenance within the Customer's systems affecting the operation of the Platform. OTHER THAN AS EXPLICITLY STATED IN THIS AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE PLATFORM, ITS RELATED SERVICES AND ANY OUTPUT RESULTED FROM THE USE OF THE PLATFORM ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. WIZ DOES NOT WARRANT THAT: (i) THE SERVICES WILL MEET CUSTOMER'S REQUIREMENTS, OR (ii) THE SERVICES WILL OPERATE ERROR-FREE. EXCEPT AS SET FORTH IN THIS AGREEMENT, WIZ EXPRESSLY DISCLAIMS ALL EXPRESS WARRANTIES AND ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, TITLE, NON-INFRINGEMENT, NON-INTERFERENCE, FITNESS FOR A PARTICULAR PURPOSE.
- Indemnification. Wiz agrees to defend, at its expense, any third party action or suit brought against the Customer alleging that the Platform, when used as permitted under this Agreement and each respective Order or Partner Order (as the case may be), infringes intellectual property rights of a third party (“IP Infringement Claim”); and Wiz will pay any damages awarded in a final judgment against the Customer that are attributable to any such claim, or that are otherwise agreed in a settlement with the prior written consent of Wiz, provided that (i) the Customer promptly notifies Wiz in writing of such claim; (ii) the Customer grants Wiz the sole authority to handle the defense or settlement of any such claim and provides Wiz with all reasonable information and assistance, at Wiz’s expense; and (iii) the Customer refrains from admitting any liability or otherwise compromising the defense in whole or in part, without the express prior written consent of Wiz. Wiz will not enter into any settlement that imposes any legal liability or financial obligation on Customer without Customer’s prior written consent.
- Term. This Agreement shall enter into force and effect on the Effective Date and, unless earlier terminated in accordance with Section 18, shall remain in full force and effect until all Orders expire or are terminated (the “Term”).
- Termination. Either Party may terminate an Order and/or this Agreement for cause with immediate effect if (a) the other Party breaches any material term or condition of an Order and/or this Agreement, and (b) such breach remains uncured thirty (30) days after the breaching Party receives written notice thereof. Upon termination or expiration of this Agreement and/or an Order: (i) all rights granted to Customer in the Platform shall expire, and Customer shall discontinue any further use and access thereof including deinstalling any Wiz provided software; (ii) Customer shall immediately delete and dispose of all copies of the Documentation in Customer’s or any of its representatives’ possession or control; and (iii) Wiz shall make any Customer Data in Wiz’s possession available for Customer to download via the Platform for up to 90 days and thereafter Wiz shall delete such Customer Data, provided that Wiz may retain Customer Data (a) stored in backups for a limited period of time in accordance with its industry standard customer deletion and backup policy or (b) as otherwise required by applicable law, and in either case, any Customer Data so retained shall remain subject to the confidentiality, privacy and security obligations in this Agreement. Section 5 (Prohibited Uses), Section 6 (Customer Data), Section 7 (Additional Service Terms), Section 8 (Security), Section 10 (Intellectual Property), Section 11 (Confidentiality), Section 12 (Limited Warranties), Section 13 (Limitation of Liability), Section 16 (Termination), Section 19 (Contracting Entity) and Section 20 (Miscellaneous) shall survive termination or expiration of this Agreement for any reason.
- Customer Reference. Unless stated otherwise in an Order, Wiz shall not use Customer’s name to identify Customer as a customer of Wiz on Wiz’s websites or public marketing materials without Customer’s prior written consent.
- Export Compliance. The Services may be subject to export laws and regulations of the United States and other jurisdictions. Wiz and Customer each represents that it is not on any U.S. government denied-party list. Customer will not permit any Permitted User to access or use any Service in a U.S. embargoed country or region (currently the Crimea, Luhansk or Donetsk regions, Cuba, Iran, North Korea, Sudan or Syria) or as may be updated from time to time, or in violation of any U.S. export law or regulation.
- Contracting Entity. For the purposes of this Agreement “Wiz” means Wiz Inc., a company incorporated under the laws of the State of Delaware, having its principal place of business at One Manhattan West, 57th Floor, New York, NY 10001 or its Affiliates, as applicable. For clarity, unless a Direct Order specifies otherwise, the Wiz entity contracting with Customer hereunder will be (i) Wiz, Inc., if Customer is located outside of the UK or Europe or is purchasing via a cloud service provider marketplace; or (ii) Wiz Cloud Limited, a private limited company under the laws of England and Wales, if Customer is located in the UK or Europe and not purchasing via a cloud service provider.
- Miscellaneous. This Agreement, including any Order(s) and any exhibits attached or referred hereto, represents the complete agreement concerning the subject matter hereof and may be amended only by a written agreement executed by both Parties. The failure of either Party to enforce any rights granted hereunder or to take action against the other Party in the event of any breach hereunder shall not be deemed a waiver by that Party as to subsequent enforcement of rights or subsequent actions in the event of future breaches. If any provision of this Agreement is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. This Agreement represents the entire agreement of the Parties with respect to the subject matter hereof, and supersedes and replaces all prior and contemporaneous oral or written understandings, agreements and statements by the Parties with respect to such subject matter, including prior non-disclosure agreements or evaluation agreements. Without limiting the generality of the foregoing, this Agreement supersedes any terms or conditions (whether printed, hyperlinked, or otherwise) in any Customer's purchase order or other standardized business forms, which purport to supersede, modify or supplement this Agreement. Neither Party may assign its rights or obligations under this Agreement without the prior written consent of the other Party, which consent may not be unreasonably withheld or delayed. Notwithstanding the foregoing, this Agreement may be assigned by either Party to its Affiliate or in connection with a merger, consolidation, sale of all of the equity interests of the Party, or a sale of all or substantially all of the assets of the Party to which this Agreement relates. Subject to the foregoing, this Agreement will be binding on the parties and their permitted successors and assigns. 
This Agreement shall be governed by and construed under the laws of the state of New York, without reference to principles and laws relating to the conflict of laws. The competent courts of New York City, New York shall have the exclusive jurisdiction with respect to any dispute and action arising under or in relation to this Agreement. This Agreement does not, and shall not be construed to create any relationship, partnership, joint venture, employer-employee, agency, or franchisor-franchisee relationship between the Parties. Neither Party will be liable for any delay or failure to perform its obligations hereunder resulting from circumstances or causes beyond its reasonable control including, but not limited to on account of strikes, shortages, riots, insurrection, fires, flood, storms, explosions, acts of God, war, government or quasi-governmental authorities actions, acts of terrorism, earthquakes, or power outages. From time to time, Wiz may modify this Agreement. Unless otherwise specified by Wiz, changes become effective for Customer upon renewal of the then-current Subscription Term or upon the effective date of a new Order after the updated version of this Agreement goes into effect. Wiz will use reasonable efforts to notify Customer of the changes through communications via Customer’s Account, email or other means. Customer may be required to click to accept or otherwise agree to the modified Agreement before renewing a Subscription Term or upon the effective date of a new Order, and in any event continued use of any Wiz Services after the updated version of this Agreement goes into effect will constitute Customer’s acceptance of such updated version.
Effective November 20, 2023 to November 22, 2023
WIZ MASTER SUBSCRIPTION AGREEMENT
BY ACCEPTING THIS AGREEMENT OR ACCESSING OR USING THE SERVICES, YOU ARE ACCEPTING THE TERMS AND CONDITIONS OF THIS AGREEMENT, UNLESS A SEPARATE WRITTEN AGREEMENT IS IN EFFECT THAT SPECIFICALLY GOVERNS THE SUBJECT MATTER HEREOF. IF YOU DO NOT AGREE TO THIS AGREEMENT, YOU MAY NOT USE THE SERVICE. YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO ENTER INTO THIS AGREEMENT; IF YOU ARE USING THE SERVICE AS AN EMPLOYEE OR AGENT OF AN ORGANIZATION OR ENTITY, THEN YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO SIGN FOR AND BIND SUCH ORGANIZATION OR ENTITY IN ORDER TO ACCEPT THE TERMS OF THIS AGREEMENT. IF YOU DO NOT HAVE AUTHORITY TO BIND YOUR EMPLOYER OR OTHER LEGAL ENTITY, PLEASE DO NOT ACCEPT THIS AGREEMENT AND IMMEDIATELY REFRAIN FROM ACCESSING AND/OR USING THE SERVICES.
IF YOU ARE USING THE SERVICE AS A PROOF OF CONCEPT OR FOR EVALUATION PURPOSES, THE SERVICES ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND AND IN ACCORDANCE WITH THE TERMS OF SECTION (“EVALUATIONS”) BELOW.
This Master Subscription Agreement (the “Agreement”) is effective on the earlier of: the date of (i) the execution of an Order referencing this Agreement; or (ii) Customer’s use of the Services (the “Effective Date”), by and between Wiz (as defined in Section 21 below) and you or the entity you represent referenced in the Order or otherwise accessing the Services (the “Customer”) (each, a “Party” and collectively, the “Parties”). Customer may use the Services (as defined below) subject to the terms below.
- Ordering.
- Customer may place an order for Services directly with Wiz via an order form (a “Direct Order”). Direct Orders may be entered into by Wiz or Wiz Affiliates with Customer or Customer Affiliates. Each Direct Order is hereby incorporated into this Agreement by reference and shall be deemed to be a stand-alone agreement that incorporates by reference the terms of this Agreement (mutatis mutandis) whereby each signing entity to the Direct Order shall be considered to be either “Wiz” or “Customer” referenced herein. A Customer Affiliate will have the right to enter into an Order referencing this Agreement and thereby indicating its agreement to be bound by the terms of this Agreement as if it were an original party hereto. In such case, for purposes of such Order, such Customer Affiliate will be deemed to be the “Customer” hereunder. To the extent of any conflict or inconsistency between the terms and conditions of this Agreement and a Direct Order, this Agreement shall prevail (unless a Direct Order specifically states otherwise). “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- If Customer has purchased a subscription pursuant to the terms hereof from a partner, reseller or distributor authorized by Wiz (“Partner”), to the extent there is any conflict between this Agreement and the agreement entered between Customer and the respective Partner, including any purchase order (“Partner Order”), then, as between Customer and Wiz, this Agreement shall prevail. Any rights granted to Customer in such Partner Order which are not contained in this Agreement, apply only in connection with such Partner. In that case, Customer must seek redress or realization or enforcement of such rights solely with such Partner and not Wiz. An “Order” means a Direct Order or a Partner Order, as applicable.
- Subscription. Subject to the terms and conditions of this Agreement (including payment obligations), Wiz hereby grants Customer, in connection with each Order, a limited, non-exclusive, non-sublicensable, non-transferable and revocable (as provided herein) right to use the Wiz cloud security platform (“Platform”) in object code form, during the corresponding Subscription Term (as defined in an Order), solely for Customer's internal business purposes and in accordance with the subscriptions specified in the applicable Order. Unless otherwise indicated, the term “Platform” also includes all software, revisions, fixes, improvements and/or updates to the subscription type specified in an Order and any user manuals and documentation available within the Platform (“Documentation”) provided to Customer in connection with the operation of the Platform. Customer may only use the Platform in accordance with the Documentation, subject to any use limitations indicated in an Order, and applicable laws and regulations. The Platform and any related services provided to Customer and detailed in an Order shall be referred to as the “Services”.
- Fees. The Services are conditioned on Customer’s payment of the applicable fees as set forth in each Order (“Fees”) and Wiz reserves the right, following at least 15 days’ prior written notice to Customer, to suspend Customer’s access to the Services for non or late payment. Except as set forth in this Agreement or a Direct Order, all Fees and other amounts paid pursuant to this Agreement and an Order are non-refundable and without right of set off. Unless otherwise specified in an Order: (i) Customer will pay all amounts due under this Agreement in U.S. Dollars currency, (ii) Fees for the entire Subscription Term set out in the applicable Order are due at the commencement of such Subscription Term and payable as described in the Order; (iii) all Fees are due and payable within thirty (30) days of the date of Wiz’s invoice; (iv) any amount not paid when due shall accrue interest on a daily basis until paid in full at the lesser of: (a) the rate of one and a half percent (1.5%) per month; or (b) the highest amount permitted by applicable law; and (v) all amounts payable under each Order are exclusive of all sales, use, value-added, withholding, and other direct or indirect taxes, charges, levies and duties. Customer shall bear all value added, state, local, withholding, and other taxes or other charges applicable to the Services; provided that Wiz will be responsible for any taxes imposed on Wiz’s income, assets and/or workforce.
- Permitted Users. The Platform may be accessed solely by Customer or its Affiliates' employees or service providers who are explicitly authorized by Customer to use the Platform (each, a “Permitted User”). Customer will (i) ensure that Permitted Users comply with the terms of this Agreement at all times, (ii) maintain the confidentiality and security of their Wiz account credentials, and (iii) be fully responsible for any acts or omissions by a Permitted User. Customer must promptly notify Wiz upon becoming aware of any unauthorized access to or use of the Platform.
- Prohibited Uses. Except as specifically permitted herein, without the prior written consent of Wiz, Customer shall not, and shall not allow any Permitted User or any third party to, directly or indirectly: (i) copy, modify, create derivative works of or distribute any part of the Platform (including by incorporation into its products); (ii) sell, license (or sub-license), lease, assign, transfer, pledge, or share Customer's rights under this Agreement with any third party; (iii) disclose the results of any testing or benchmarking of the Platform to any third party; (iv) disassemble, decompile, reverse engineer or attempt to discover the Platform’s source code or underlying algorithms; (v) use the Platform for any use in competition with Wiz’s Services; (vi) use the Platform in a manner that violates or infringes any rights of any third party; (vii) remove or alter any trademarks or other proprietary notices related to the Platform; or (viii) circumvent, disable or otherwise interfere with security-related features of the Platform or features that enforce use limitations.
- Customer Data.
- As between the parties, Customer owns and retains all right, title and interest (including all intellectual property rights) in and to any data or information that originates, resides on, or is otherwise processed through Customer's systems and processed by Wiz in the provision of the Services (“Customer Data”). Customer has exclusive control and responsibility for determining what Customer Data it and its Permitted Users submit into the Services and for obtaining all necessary rights, consents and permissions for submission of Customer Data and processing instructions to Wiz. Customer hereby grants to Wiz a non-exclusive, worldwide, royalty-free right to use Customer Data to provide the Services and perform its obligations under this Agreement.
- If Customer Data contains personally identifiable information, to the extent applicable, the Parties shall comply with Wiz’s Data Processing Agreement (“DPA”), which is attached at Exhibit 1 and forms an integral part of this Agreement.
- Customer agrees not to process any Protected Health Information or other information that is subject to HIPAA (“HIPAA Data”) via the Services unless Customer has entered into a Business Associate Agreement (“BAA”) with Wiz. Wiz’s Business Associate Agreement shall be provided to Customer upon request. Unless a BAA is in place, Wiz will have no liability under this Agreement for HIPAA Data, notwithstanding anything to the contrary in this Agreement or in HIPAA. Upon mutual execution of the BAA, the BAA is incorporated by reference into this Agreement.
- Additional Service Terms.
- Evaluations. If Customer is using the Services for a free trial, proof of concept, evaluation, one-time assessment, or other similar purpose (“Evaluation”), such Evaluation is granted for a limited period of twenty-one (21) days, (or in the case of Wiz’s One-time free assessment for up to seven (7) days), unless Wiz agrees to an extension and in each case solely for the purpose of evaluating and testing the Services to determine whether to purchase a subscription for Customer’s internal use. Wiz may terminate Customer’s access to and use of any Evaluation at any time. Evaluations are provided “as is” without guaranteed support levels, indemnification, or warranty of any kind, whether express, implied, statutory, or otherwise. Notwithstanding Section 15 (Limitation of Liability) or any other provision of this Agreement, Wiz’s maximum aggregate liability under any Evaluation shall be capped at one thousand dollars US ($1,000 US).
- Account Data and Anonymized Data. Customer acknowledges and agrees that Wiz may collect and process information regarding the configuration, performance, security, access to and use of the Services by Customer including product usage metrics and findings generated by the Platform (“Account Data”) for its internal business purposes including to develop, improve, support, secure and operate the Services and to fulfill legal obligations. Notwithstanding the foregoing, nothing in this Agreement shall restrict Wiz’s use of Account Data that has been anonymized and/or aggregated, provided that such data does not in any way identify and cannot be reasonably associated with Customer, its Affiliates, Permitted Users or any individuals connected to Customer or Customer Confidential Information (“Anonymized Data”).
- Wiz Preview Features. From time to time, Wiz may make beta, pilot, or early access features, services or functionality available to Customer on a beta-testing basis (“Wiz Preview Feature(s)”) to try at no charge. Wiz makes no representations or warranties of any kind, whether express, implied, statutory, or otherwise regarding Wiz Preview Features, and Wiz shall have no liability of any kind arising out of or in connection with Wiz Preview Features. The SLA does not apply to Wiz Preview Features. Customer may choose to try Wiz Preview Features in its sole discretion, and Wiz, in its sole discretion, may (a) discontinue Wiz Preview Features at any time, and/or (b) elect not to make Wiz Preview Features generally available.
- Customer Integrations. The Services may provide Customer with the ability to integrate certain functionalities of the Platform with applications or services separately provided to Customer by third parties (“Third Party Services”) via API integrations built by either Wiz or the Third Party Service provider (“Third Party Integrations”; examples include ticketing and messaging applications, SIEM or SOAR tools, and security data management tools). Customer’s use of such Third Party Integrations is optional and Customer shall be required to take the steps set forth in the Documentation to enable a Third Party Integration. Customer acknowledges and agrees that: (a) the use of Third Party Services is subject to the terms and conditions agreed between Customer and each such Third Party Service provider; (b) Customer may be required to grant Wiz access to its Third Party Service account and/or to grant the Third Party Service provider access to its Wiz account; and (c) Customer Data may be transferred between Wiz and the Third Party Service provider as required and authorized by Customer for the interoperation with the Services. Since Wiz does not provide such third party applications or services, Wiz cannot guarantee the continued availability of such Third Party Integration and may cease supporting them at any time, including if the relevant third party ceases to make its application or service available for integration with the Services or changes the way it does so in a way that is not reasonably acceptable to Wiz. To the maximum extent permitted by law but without derogating from Wiz’s obligations under this Agreement, Wiz shall not bear and expressly disclaims all responsibility or liability of any kind relating to such Third Party Integrations, including, without limitation, for any disclosure of, access to or other processing of Customer Data by Third Party Service providers.
- Security. The Parties shall comply with the Wiz Security Addendum which is attached at Exhibit 2 (“Security Addendum”).
- Warranties. Each Party represents and warrants that it is duly organized, validly existing and in good standing under the laws of its jurisdiction of incorporation or organization; and that the execution and performance of this Agreement will not conflict with other agreements to which it is bound or violate applicable law.
- Intellectual Property Rights. All right, title, and interest, including any intellectual property rights evidenced by or embodied in, attached, connected, and/or related to the Platform (and any and all improvements, enhancements, corrections, modifications, alterations, revisions, extensions and updates and derivative works thereof) and any other products, deliverables or services provided by Wiz, are and shall remain owned solely by Wiz or its licensors. This Agreement does not convey to Customer any interest in or to the Platform other than a limited right to use the Platform in accordance with Section 2 (Subscription). Nothing herein constitutes a waiver of Wiz’s intellectual property rights under any law. Wiz reserves all rights not expressly granted herein to the Platform.
- Confidentiality. Each Party may have access to certain non-public information of the other Party, in any form or media, including without limitation trade secrets and other information related to the products, software, technology, data, know-how, or business of the other Party, and any other information that a reasonable person should have reason to believe is proprietary, confidential, or competitively sensitive (the “Confidential Information”). The receiving Party will use the same standard of care to protect the disclosing Party’s Confidential Information as it uses to protect its own Confidential Information, but no less than reasonable care. The receiving Party’s obligations under this Section, with respect to any Confidential Information of the disclosing Party, shall not apply to and/or shall terminate if such information: (a) was already lawfully known to the receiving Party at the time of disclosure by the disclosing Party; (b) was disclosed to the receiving Party by a third party who had the right to make such disclosure without any confidentiality restrictions; (c) is, or through no fault of the receiving Party has become, generally available to the public; or (d) was independently developed by the receiving Party without access to, or use of, the disclosing Party’s Confidential Information. Neither Party shall use or disclose the Confidential Information of the other Party except for performance of its obligations under this Agreement. The receiving Party shall only permit access to the disclosing Party's Confidential Information to its and/or its Affiliates’ respective employees, consultants, affiliates, service providers, agents, partners, and subcontractors having a need to know such information, and who are bound by at least equivalent obligations of confidentiality and non-disclosure as those under this Agreement (such recipients being “Authorized Recipients”). 
The receiving Party is responsible for the compliance of its Authorized Recipients with the confidentiality and non-disclosure obligations of this Agreement. The receiving Party will be allowed to disclose Confidential Information to the extent that such disclosure is required by law or by the order of a court or similar judicial or administrative body, provided that, to the extent permitted by applicable law, it notifies the disclosing Party of such required disclosure to enable the disclosing Party to seek a protective order or otherwise prevent or restrict such disclosure. Notwithstanding the foregoing, each Party can disclose the terms and existence of this Agreement to third parties in connection with a due diligence review (i.e., a potential investment in a Party or a going-public transaction) subject to such third parties being bound by at least equivalent obligations of confidentiality and non-disclosure as those under this Agreement. All right, title and interest in and to Confidential Information are and shall remain the sole and exclusive property of the disclosing Party.
- LIMITED WARRANTIES. Wiz represents and warrants that the Platform shall substantially perform in conformance with its Documentation. As the Customer's sole and exclusive remedy and Wiz's sole liability for breach of this warranty, Wiz shall use commercially reasonable efforts to repair the Platform and, if Wiz cannot do so within a reasonable time, not to exceed 30 days, Customer may terminate this Agreement and receive a pro-rata refund of any amounts pre-paid by Customer for the remaining unused period of the Term. The warranty set forth shall not apply if the failure of the Platform results from or is otherwise attributable to Customer or its Permitted User’s acts or omissions in violation of this Agreement. Wiz shall not be liable for any inaccuracy in the Service's output and/or delay and/or unavailability of the Services, caused due to (a) failure of Customer's Internet access or any public telecommunications network, or shortage of adequate power, (b) any incompatibility between the Customer's systems and the Platform and/or (c) maintenance within the Customer's systems affecting the operation of the Platform. OTHER THAN AS EXPLICITLY STATED IN THIS AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE PLATFORM, ITS RELATED SERVICES AND ANY OUTPUT RESULTED FROM THE USE OF THE PLATFORM ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. WIZ DOES NOT WARRANT THAT: (i) THE SERVICES WILL MEET CUSTOMER'S REQUIREMENTS, OR (ii) THE SERVICES WILL OPERATE ERROR-FREE. EXCEPT AS SET FORTH IN THIS AGREEMENT, WIZ EXPRESSLY DISCLAIMS ALL EXPRESS WARRANTIES AND ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, TITLE, NON-INFRINGEMENT, NON-INTERFERENCE, FITNESS FOR A PARTICULAR PURPOSE.
- Indemnification. Wiz agrees to defend, at its expense, any third party action or suit brought against the Customer alleging that the Platform, when used as permitted under this Agreement and each respective Order or Partner Order (as the case may be), infringes intellectual property rights of a third party (“IP Infringement Claim”); and Wiz will pay any damages awarded in a final judgment against the Customer that are attributable to any such claim, or that are otherwise agreed in a settlement with the prior written consent of Wiz, provided that (i) the Customer promptly notifies Wiz in writing of such claim; (ii) the Customer grants Wiz the sole authority to handle the defense or settlement of any such claim and provides Wiz with all reasonable information and assistance, at Wiz’s expense; and (iii) the Customer refrains from admitting any liability or otherwise compromising the defense in whole or in part, without the express prior written consent of Wiz. Wiz will not enter into any settlement that imposes any legal liability or financial obligation on Customer without Customer’s prior written consent.
- Term. This Agreement shall enter into force and effect on the Effective Date and, unless earlier terminated in accordance with Section 18, shall remain in full force and effect until all Orders expire or are terminated (the “Term”).
- Termination. Either Party may terminate an Order and/or this Agreement for cause with immediate effect if (a) the other Party breaches any material term or condition of an Order and/or this Agreement, and (b) such breach remains uncured thirty (30) days after the breaching Party receives written notice thereof. Upon termination or expiration of this Agreement and/or an Order: (i) all rights granted to Customer in the Platform shall expire, and Customer shall discontinue any further use and access thereof including deinstalling any Wiz provided software; (ii) Customer shall immediately delete and dispose of all copies of the Documentation in Customer’s or any of its representatives’ possession or control; and (iii) Wiz shall make any Customer Data in Wiz’s possession available for Customer to download via the Platform for up to 90 days and thereafter Wiz shall delete such Customer Data, provided that Wiz may retain Customer Data (a) stored in backups for a limited period of time in accordance with its industry standard customer deletion and backup policy or (b) as otherwise required by applicable law, and in either case, any Customer Data so retained shall remain subject to the confidentiality, privacy and security obligations in this Agreement. Section 5 (Prohibited Uses), Section 6 (Customer Data), Section 7 (Additional Service Terms), Section 8 (Security), Section 10 (Intellectual Property), Section 11 (Confidentiality), Section 12 (Limited Warranties), Section 13 (Limitation of Liability), Section 16 (Termination), Section 19 (Contracting Entity) and Section 20 (Miscellaneous) shall survive termination or expiration of this Agreement for any reason.
- Customer Reference. Unless stated otherwise in an Order, Wiz shall not use Customer’s name to identify Customer as a customer of Wiz on Wiz’s websites or public marketing materials without Customer’s prior written consent.
- Export Compliance. The Services may be subject to export laws and regulations of the United States and other jurisdictions. Wiz and Customer each represents that it is not on any U.S. government denied-party list. Customer will not permit any Permitted User to access or use any Service in a U.S. embargoed country or region (currently the Crimea, Luhansk or Donetsk regions, Cuba, Iran, North Korea, Sudan or Syria) or as may be updated from time to time, or in violation of any U.S. export law or regulation.
- Contracting Entity. For the purposes of this Agreement “Wiz” means Wiz Inc., a company incorporated under the laws of the State of Delaware, having its principal place of business at One Manhattan West, 57th Floor, New York, NY 10001 or its Affiliates, as applicable. For clarity, unless a Direct Order specifies otherwise, the Wiz entity contracting with Customer hereunder will be (i) Wiz, Inc., if Customer is located outside of the UK or Europe or is purchasing via a cloud service provider marketplace; or (ii) Wiz Cloud Limited, a private limited company under the laws of England and Wales, if Customer is located in the UK or Europe and not purchasing via a cloud service provider.
- Miscellaneous. This Agreement, including any Order(s) and any exhibits attached or referred hereto, represents the complete agreement concerning the subject matter hereof and may be amended only by a written agreement executed by both Parties. The failure of either Party to enforce any rights granted hereunder or to take action against the other Party in the event of any breach hereunder shall not be deemed a waiver by that Party as to subsequent enforcement of rights or subsequent actions in the event of future breaches. If any provision of this Agreement is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. This Agreement represents the entire agreement of the Parties with respect to the subject matter hereof, and supersedes and replaces all prior and contemporaneous oral or written understandings, agreements and statements by the Parties with respect to such subject matter, including prior non-disclosure agreements or evaluation agreements. Without limiting the generality of the foregoing, this Agreement supersedes any terms or conditions (whether printed, hyperlinked, or otherwise) in any Customer's purchase order or other standardized business forms, which purport to supersede, modify or supplement this Agreement. Neither Party may assign its rights or obligations under this Agreement without the prior written consent of the other Party, which consent may not be unreasonably withheld or delayed. Notwithstanding the foregoing, this Agreement may be assigned by either Party to its Affiliate or in connection with a merger, consolidation, sale of all of the equity interests of the Party, or a sale of all or substantially all of the assets of the Party to which this Agreement relates. Subject to the foregoing, this Agreement will be binding on the parties and their permitted successors and assigns. 
This Agreement shall be governed by and construed under the laws of the state of New York, without reference to principles and laws relating to the conflict of laws. The competent courts of New York City, New York shall have the exclusive jurisdiction with respect to any dispute and action arising under or in relation to this Agreement. This Agreement does not, and shall not be construed to create any relationship, partnership, joint venture, employer-employee, agency, or franchisor-franchisee relationship between the Parties. Neither Party will be liable for any delay or failure to perform its obligations hereunder resulting from circumstances or causes beyond its reasonable control including, but not limited to on account of strikes, shortages, riots, insurrection, fires, flood, storms, explosions, acts of God, war, government or quasi-governmental authorities actions, acts of terrorism, earthquakes, or power outages. From time to time, Wiz may modify this Agreement. Unless otherwise specified by Wiz, changes become effective for Customer upon renewal of the then-current Subscription Term or upon the effective date of a new Order after the updated version of this Agreement goes into effect. Wiz will use reasonable efforts to notify Customer of the changes through communications via Customer’s Account, email or other means. Customer may be required to click to accept or otherwise agree to the modified Agreement before renewing a Subscription Term or upon the effective date of a new Order, and in any event continued use of any Wiz Services after the updated version of this Agreement goes into effect will constitute Customer’s acceptance of such updated version.
Effective November 17, 2023 to November 20, 2023
WIZ MASTER SUBSCRIPTION AGREEMENT
BY ACCEPTING THIS AGREEMENT OR ACCESSING OR USING THE SERVICES, YOU ARE ACCEPTING THE TERMS AND CONDITIONS OF THIS AGREEMENT, UNLESS A SEPARATE WRITTEN AGREEMENT IS IN EFFECT THAT SPECIFICALLY GOVERNS THE SUBJECT MATTER HEREOF. IF YOU DO NOT AGREE TO THIS AGREEMENT, YOU MAY NOT USE THE SERVICE. YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO ENTER INTO THIS AGREEMENT; IF YOU ARE USING THE SERVICE AS AN EMPLOYEE OR AGENT OF AN ORGANIZATION OR ENTITY, THEN YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO SIGN FOR AND BIND SUCH ORGANIZATION OR ENTITY IN ORDER TO ACCEPT THE TERMS OF THIS AGREEMENT. IF YOU DO NOT HAVE AUTHORITY TO BIND YOUR EMPLOYER OR OTHER LEGAL ENTITY, PLEASE DO NOT ACCEPT THIS AGREEMENT AND IMMEDIATELY REFRAIN FROM ACCESSING AND/OR USING THE SERVICES.
IF YOU ARE USING THE SERVICE AS A PROOF OF CONCEPT OR FOR EVALUATION PURPOSES, THE SERVICES ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND AND IN ACCORDANCE WITH THE TERMS OF SECTION 8 (“EVALUATIONS”) BELOW.
This Master Subscription Agreement (the “Agreement”) is effective on the earlier of: the date of (i) the execution of an Order referencing this Agreement; or (ii) Customer’s use of the Services (the “Effective Date”), by and between Wiz (as defined in Section 21 below) and you or the entity you represent referenced in the Order or otherwise accessing the Services (the “Customer”) (each, a “Party” and collectively, the “Parties”). Customer may use the Services (as defined below) subject to the terms below.
1. Ordering.
1.1 Customer may place an order for Services directly with Wiz via an order form (a “Direct Order”). Direct Orders may be entered into by Wiz or Wiz Affiliates with Customer or Customer Affiliates. Each Direct Order is hereby incorporated into this Agreement by reference and shall be deemed to be a stand-alone agreement that incorporates by reference the terms of this Agreement (mutatis mutandis) whereby each signing entity to the Direct Order shall be considered to be either “Wiz” or “Customer” referenced herein. A Customer Affiliate will have the right to enter into an Order referencing this Agreement and thereby indicating its agreement to be bound by the terms of this Agreement as if it were an original party hereto. In such case, for purposes of such Order, such Customer Affiliate will be deemed to be the “Customer” hereunder. To the extent of any conflict or inconsistency between the terms and conditions of this Agreement and a Direct Order, this Agreement shall prevail (unless a Direct Order specifically states otherwise). “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2 If Customer has purchased a subscription pursuant to the terms hereof from a partner, reseller or distributor authorized by Wiz (“Partner”), to the extent there is any conflict between this Agreement and the agreement entered between Customer and the respective Partner, including any purchase order (“Partner Order”), then, as between Customer and Wiz, this Agreement shall prevail. Any rights granted to Customer in such Partner Order which are not contained in this Agreement, apply only in connection with such Partner. In that case, Customer must seek redress or realization or enforcement of such rights solely with such Partner and not Wiz. An “Order” means a Direct Order or a Partner Order, as applicable.
2.2 Unless otherwise indicated, the term “Platform” also includes all software, revisions, fixes, improvements and/or updates to the subscription type specified in an Order and any user manuals and documentation available within the Platform (“Documentation”) provided to Customer in connection with the operation of the Platform. Customer may only use the Platform in accordance with the Documentation, subject to any use limitations indicated in an Order, and applicable laws and regulations. The Platform and any related services provided to Customer and detailed in an Order shall be referred to as the “Services”.
The Services are conditioned on Customer’s payment of the applicable fees as set forth in each Order (“Fees”) and Wiz reserves the right, following at least 15 days’ notice to Customer, to suspend Customer’s access to the Services for non or late payment. Except as set forth in this Agreement or a Direct Order, all Fees and other amounts paid pursuant to this Agreement and an Order are non-refundable and without right of set off. Unless otherwise specified in an Order: (i) Customer will pay all amounts due under this Agreement in U.S. Dollars currency, (ii) Fees for the entire Subscription Term set out in the applicable Order are due at the commencement of such Subscription Term and payable as described in the Order; (iii) all Fees are due and payable within thirty (30) days of the date of Wiz’s invoice; (iv) any amount not paid when due shall accrue interest on a daily basis until paid in full at the lesser of: (a) the rate of one and a half percent (1.5%) per month; or (b) the highest amount permitted by applicable law; and (v) all amounts payable under each Order are exclusive of all sales, use, value-added, withholding, and other direct or indirect taxes, charges, levies and duties. Customer shall bear all value added, state, local, withholding, and other taxes or other charges applicable to the Services; provided that Wiz will be responsible for any taxes imposed on Wiz’s income, assets and/or workforce.
4. Permitted Users. The Platform may be accessed solely by Customer or its Affiliates' employees or service providers who are explicitly authorized by Customer to use the Platform (each, a “Permitted User”). Customer will (i) ensure that Permitted Users comply with the terms of this Agreement at all times, (ii) maintain the confidentiality and security of their Wiz account credentials, and (iii) be fully responsible for any acts or omissions by a Permitted User. Customer must promptly notify Wiz upon becoming aware of any unauthorized access to or use of the Platform.
5. Prohibited Uses. Except as specifically permitted herein, without the prior written consent of Wiz, Customer shall not, and shall not allow any Permitted User or any third party to, directly or indirectly: (i) copy, modify, create derivative works of or distribute any part of the Platform (including by incorporation into its products); (ii) sell, license (or sub-license), lease, assign, transfer, pledge, or share Customer's rights under this Agreement with any third party; (iii) disclose the results of any testing or benchmarking of the Platform to any third party; (iv) disassemble, decompile, reverse engineer or attempt to discover the Platform’s source code or underlying algorithms; (v) use the Platform for any use in competition with Wiz’s Services; (vi) use the Platform in a manner that violates or infringes any rights of any third party; (vii) remove or alter any trademarks or other proprietary notices related to the Platform; or (viii) circumvent, disable or otherwise interfere with security-related features of the Platform or features that enforce use limitations.
6. Security. The Parties shall comply with the Wiz Security Addendum which is available at https://www.wiz.io/legal/security-addendum (“Security Addendum”).
If Customer chooses, in its sole discretion, to provide Feedback (defined below) to Wiz, nothing in this Agreement or in the parties’ dealings arising out of or related to this Agreement will restrict Wiz's right to use, profit from, disclose, publish, or otherwise exploit Feedback, without compensating or crediting Customer or the individual providing such Feedback. Customer’s Confidential Information shall not include Feedback, to the extent that such Feedback relates exclusively to Wiz’s products or services. “Feedback” means any feedback (e.g., questions, comments, suggestions or the like), whether orally or in writing, regarding any of the Services.
WIZ SHALL NOT BE RESPONSIBLE FOR ANY WARRANTIES AND REPRESENTATIONS MADE BY ANY PARTNER TO CUSTOMER, AND SUCH WARRANTIES AND REPRESENTATIONS ARE THE SOLE RESPONSIBILITY OF SUCH PARTNER.
(A) EXCEPT FOR ANY DAMAGES RESULTING FROM CUSTOMER'S VIOLATION OF WIZ'S INTELLECTUAL PROPERTY RIGHTS; NEITHER PARTY OR ITS AFFILIATES SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, OR ANY LOSS OF REVENUE, REPUTATION, OR PROFITS, DATA, OR DATA USE.
(B) EXCEPT FOR WIZ’S INDEMNIFICATION OBLIGATION UNDER SECTION 16, AND/OR DAMAGES RESULTING FROM CUSTOMER'S VIOLATION OF WIZ'S INTELLECTUAL PROPERTY RIGHTS; EITHER PARTY’S INCLUDING ITS AFFILIATES’ MAXIMUM LIABILITY FOR ANY DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT, INCLUDING ITS EXHIBITS, WHETHER IN CONTRACT OR TORT, OR OTHERWISE, SHALL IN NO EVENT EXCEED, IN THE AGGREGATE, THE TOTAL FEES ATTRIBUTABLE UNDER THE APPLICABLE ORDER TO THE TWELVE MONTH PERIOD OF THE CURRENT SUBSCRIPTION YEAR IN WHICH THE EVENT GIVING RISE TO SUCH CLAIM OCCURS. FOR CLARITY LIMITATIONS IN THIS SECTION DO NOT APPLY TO FEES DUE TO WIZ UNDER THIS AGREEMENT.
If the Platform becomes, or in Wiz’s opinion is likely to become, the subject of an IP Infringement Claim, then Wiz may, at its sole discretion: (a) procure for the Customer the right to continue using the Platform; (b) replace or modify the Platform to avoid the IP Infringement Claim; or (c) if options (a) and (b) cannot be accomplished despite Wiz’s reasonable efforts, then Wiz or Customer may terminate all affected Orders and Wiz shall provide a pro-rata refund for any amount pre-paid by Customer for the remaining unused period of the Term.
Notwithstanding the foregoing, Wiz shall have no responsibility for IP Infringement Claims to the extent resulting from or based on: (i) modifications to the Platform made by a party other than Wiz; (ii) the Customer’s failure to implement software updates provided by Wiz specifically to avoid infringement; or (iii) combination or use of the Platform with software not supplied by Wiz or not in accordance with the Documentation.
This Section states Wiz’s entire liability, and Customer’s exclusive remedy, for claims or alleged or actual infringement.
Effective November 13, 2023 to November 17, 2023
WIZ MASTER SUBSCRIPTION AGREEMENT
BY ACCEPTING THIS AGREEMENT OR ACCESSING OR USING THE SERVICES, YOU ARE ACCEPTING THE TERMS AND CONDITIONS OF THIS AGREEMENT, UNLESS A SEPARATE WRITTEN AGREEMENT IS IN EFFECT THAT SPECIFICALLY GOVERNS THE SUBJECT MATTER HEREOF. IF YOU DO NOT AGREE TO THIS AGREEMENT, YOU MAY NOT USE THE SERVICE. YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO ENTER INTO THIS AGREEMENT; IF YOU ARE USING THE SERVICE AS AN EMPLOYEE OR AGENT OF AN ORGANIZATION OR ENTITY, THEN YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO SIGN FOR AND BIND SUCH ORGANIZATION OR ENTITY IN ORDER TO ACCEPT THE TERMS OF THIS AGREEMENT. IF YOU DO NOT HAVE AUTHORITY TO BIND YOUR EMPLOYER OR OTHER LEGAL ENTITY, PLEASE DO NOT ACCEPT THIS AGREEMENT AND IMMEDIATELY REFRAIN FROM ACCESSING AND/OR USING THE SERVICES.
IF YOU ARE USING THE SERVICE AS A PROOF OF CONCEPT OR FOR EVALUATION PURPOSES, THE SERVICES ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND AND IN ACCORDANCE WITH THE TERMS OF SECTION 8 (“EVALUATIONS”) BELOW.
This Master Subscription Agreement (the “Agreement”) is effective on the earlier of: the date of (i) the execution of an Order referencing this Agreement; or (ii) Customer’s use of the Services (the “Effective Date”), by and between Wiz (as defined in Section 21 below) and you or the entity you represent referenced in the Order or otherwise accessing the Services (the “Customer”) (each, a “Party” and collectively, the “Parties”). Customer may use the Services (as defined below) subject to the terms below.
1. Ordering.
1.1 Customer may place an order for Services directly with Wiz via an order form (a “Direct Order”). Direct Orders may be entered into by Wiz or Wiz Affiliates with Customer or Customer Affiliates. Each Direct Order is hereby incorporated into this Agreement by reference and shall be deemed to be a stand-alone agreement that incorporates by reference the terms of this Agreement (mutatis mutandis) whereby each signing entity to the Direct Order shall be considered to be either “Wiz” or “Customer” referenced herein. A Customer Affiliate will have the right to enter into an Order referencing this Agreement and thereby indicating its agreement to be bound by the terms of this Agreement as if it were an original party hereto. In such case, for purposes of such Order, such Customer Affiliate will be deemed to be the “Customer” hereunder. To the extent of any conflict or inconsistency between the terms and conditions of this Agreement and a Direct Order, this Agreement shall prevail (unless a Direct Order specifically states otherwise). “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2 If Customer has purchased a subscription pursuant to the terms hereof from a partner, reseller or distributor authorized by Wiz (“Partner”), to the extent there is any conflict between this Agreement and the agreement entered between Customer and the respective Partner, including any purchase order (“Partner Order”), then, as between Customer and Wiz, this Agreement shall prevail. Any rights granted to Customer in such Partner Order which are not contained in this Agreement, apply only in connection with such Partner. In that case, Customer must seek redress or realization or enforcement of such rights solely with such Partner and not Wiz. An “Order” means a Direct Order or a Partner Order, as applicable.
2.2 Unless otherwise indicated, the term “Platform” also includes all software, revisions, fixes, improvements and/or updates to the subscription type specified in an Order and any user manuals and documentation available within the Platform (“Documentation”) provided to Customer in connection with the operation of the Platform. Customer may only use the Platform in accordance with the Documentation, subject to any use limitations indicated in an Order, and applicable laws and regulations. The Platform and any related services provided to Customer and detailed in an Order shall be referred to as the “Services”.
The Services are conditioned on Customer’s payment of the applicable fees as set forth in each Order (“Fees”) and Wiz reserves the right, following at least 15 days’ notice to Customer, to suspend Customer’s access to the Services for non or late payment. Except as set forth in this Agreement or a Direct Order, all Fees and other amounts paid pursuant to this Agreement and an Order are non-refundable and without right of set off. Unless otherwise specified in an Order: (i) Customer will pay all amounts due under this Agreement in U.S. Dollars currency, (ii) Fees for the entire Subscription Term set out in the applicable Order are due at the commencement of such Subscription Term and payable as described in the Order; (iii) all Fees are due and payable within thirty (30) days of the date of Wiz’s invoice; (iv) any amount not paid when due shall accrue interest on a daily basis until paid in full at the lesser of: (a) the rate of one and a half percent (1.5%) per month; or (b) the highest amount permitted by applicable law; and (v) all amounts payable under each Order are exclusive of all sales, use, value-added, withholding, and other direct or indirect taxes, charges, levies and duties. Customer shall bear all value added, state, local, withholding, and other taxes or other charges applicable to the Services; provided that Wiz will be responsible for any taxes imposed on Wiz’s income, assets and/or workforce.
4. Permitted Users. The Platform may be accessed solely by Customer or its Affiliates' employees or service providers who are explicitly authorized by Customer to use the Platform (each, a “Permitted User”). Customer will (i) ensure that Permitted Users comply with the terms of this Agreement at all times, (ii) maintain the confidentiality and security of their Wiz account credentials, and (iii) be fully responsible for any acts or omissions by a Permitted User. Customer must promptly notify Wiz upon becoming aware of any unauthorized access to or use of the Platform.
5. Prohibited Uses. Except as specifically permitted herein, without the prior written consent of Wiz, Customer shall not, and shall not allow any Permitted User or any third party to, directly or indirectly: (i) copy, modify, create derivative works of or distribute any part of the Platform (including by incorporation into its products); (ii) sell, license (or sub-license), lease, assign, transfer, pledge, or share Customer's rights under this Agreement with any third party; (iii) disclose the results of any testing or benchmarking of the Platform to any third party; (iv) disassemble, decompile, reverse engineer or attempt to discover the Platform’s source code or underlying algorithms; (v) use the Platform for any use in competition with Wiz’s Services; (vi) use the Platform in a manner that violates or infringes any rights of any third party; (vii) remove or alter any trademarks or other proprietary notices related to the Platform; or (vii) circumvent, disable or otherwise interfere with security-related features of the Platform or features that enforce use limitations.
6. Security. The Parties shall comply with the Wiz Security Addendum which is available at https://www.wiz.io/legal/security-addendum (“Security Addendum”).
If Customer chooses, in its sole discretion, to provide Feedback (defined below) to Wiz, nothing in this Agreement or in the parties’ dealings arising out of or related to this Agreement will restrict Wiz's right to use, profit from, disclose, publish, or otherwise exploit Feedback, without compensating or crediting Customer or the individual providing such Feedback. Customer’s Confidential Information shall not include Feedback, to the extent that such Feedback relates exclusively to Wiz’s products or services. “Feedback” means any feedback (e.g., questions, comments, suggestions or the like), whether orally or in writing, regarding any of the Services.
WIZ SHALL NOT BE RESPONSIBLE FOR ANY WARRANTIES AND REPRESENTATIONS MADE BY ANY PARTNER TO CUSTOMER, AND SUCH WARRANTIES AND REPRESENTATIONS ARE THE SOLE RESPONSIBILITY OF SUCH PARTNER.
(A) EXCEPT FOR ANY DAMAGES RESULTING FROM CUSTOMER'S VIOLATION OF WIZ'S INTELLECTUAL PROPERTY RIGHTS; NEITHER PARTY OR ITS AFFILIATES SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, OR ANY LOSS OF REVENUE, REPUTATION, OR PROFITS, DATA, OR DATA USE.
(B) EXCEPT FOR WIZ’S INDEMNIFICATION OBLIGATION UNDER SECTION 16, AND/OR DAMAGES RESULTING FROM CUSTOMER'S VIOLATION OF WIZ'S INTELLECTUAL PROPERTY RIGHTS; EITHER PARTY’S INCLUDING ITS AFFILIATES’ MAXIMUM LIABILITY FOR ANY DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT, INCLUDING ITS EXHIBITS, WHETHER IN CONTRACT OR TORT, OR OTHERWISE, SHALL IN NO EVENT EXCEED, IN THE AGGREGATE, THE TOTAL FEES ATTRIBUTABLE UNDER THE APPLICABLE ORDER TO THE TWELVE MONTH PERIOD OF THE CURRENT SUBSCRIPTION YEAR IN WHICH THE EVENT GIVING RISE TO SUCH CLAIM OCCURS. FOR CLARITY LIMITATIONS IN THIS SECTION DO NOT APPLY TO FEES DUE TO WIZ UNDER THIS AGREEMENT.
If the Platform becomes, or in Wiz’s opinion is likely to become, the subject of an IP Infringement Claim, then Wiz may, at its sole discretion: (a) procure for the Customer the right to continue using the Platform; (b) replace or modify the Platform to avoid the IP Infringement Claim; or (c) if options (a) and (b) cannot be accomplished despite Wiz’s reasonable efforts, then Wiz or Customer may terminate all affected Orders and Wiz shall provide a pro-rata refund for any amount pre-paid by Customer for the remaining unused period of the Term.
Notwithstanding the foregoing, Wiz shall have no responsibility for IP Infringement Claims to the extent resulting from or based on: (i) modifications to the Platform made by a party other than Wiz; (ii) the Customer’s failure to implement software updates provided by Wiz specifically to avoid infringement; or (iii) combination or use of the Platform with software not supplied by Wiz or not in accordance with the Documentation.
This Section states Wiz’s entire liability, and Customer’s exclusive remedy, for claims or alleged or actual infringement.
Effective November 13, 2023 to November 13, 2023
WIZ MASTER SUBSCRIPTION AGREEMENT
BY ACCEPTING THIS AGREEMENT OR ACCESSING OR USING THE SERVICES, YOU ARE ACCEPTING THE TERMS AND CONDITIONS OF THIS AGREEMENT, UNLESS A SEPARATE WRITTEN AGREEMENT IS IN EFFECT THAT SPECIFICALLY GOVERNS THE SUBJECT MATTER HEREOF. IF YOU DO NOT AGREE TO THIS AGREEMENT, YOU MAY NOT USE THE SERVICE. YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO ENTER INTO THIS AGREEMENT; IF YOU ARE USING THE SERVICE AS AN EMPLOYEE OR AGENT OF AN ORGANIZATION OR ENTITY, THEN YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO SIGN FOR AND BIND SUCH ORGANIZATION OR ENTITY IN ORDER TO ACCEPT THE TERMS OF THIS AGREEMENT. IF YOU DO NOT HAVE AUTHORITY TO BIND YOUR EMPLOYER OR OTHER LEGAL ENTITY, PLEASE DO NOT ACCEPT THIS AGREEMENT AND IMMEDIATELY REFRAIN FROM ACCESSING AND/OR USING THE SERVICES.
IF YOU ARE USING THE SERVICE AS A PROOF OF CONCEPT OR FOR EVALUATION PURPOSES, THE SERVICES ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND AND IN ACCORDANCE WITH THE TERMS OF SECTION 8 (“EVALUATIONS”) BELOW.
This Master Subscription Agreement (the “Agreement”) is effective on the earlier of: the date of (i) the execution of an Order referencing this Agreement; or (ii) Customer’s use of the Services (the “Effective Date”), by and between Wiz (as defined in Section 21 below) and you or the entity you represent referenced in the Order or otherwise accessing the Services (the “Customer”) (each, a “Party” and collectively, the “Parties”). Customer may use the Services (as defined below) subject to the terms below.
1. Ordering.
1.1 Customer may place an order for Services directly with Wiz via an order form (a “Direct Order”). Direct Orders may be entered into by Wiz or Wiz Affiliates with Customer or Customer Affiliates. Each Direct Order is hereby incorporated into this Agreement by reference and shall be deemed to be a stand-alone agreement that incorporates by reference the terms of this Agreement (mutatis mutandis) whereby each signing entity to the Direct Order shall be considered to be either “Wiz” or “Customer” referenced herein. A Customer Affiliate will have the right to enter into an Order referencing this Agreement and thereby indicating its agreement to be bound by the terms of this Agreement as if it were an original party hereto. In such case, for purposes of such Order, such Customer Affiliate will be deemed to be the “Customer” hereunder. To the extent of any conflict or inconsistency between the terms and conditions of this Agreement and a Direct Order, this Agreement shall prevail (unless a Direct Order specifically states otherwise). “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2 If Customer has purchased a subscription pursuant to the terms hereof from a partner, reseller or distributor authorized by Wiz (“Partner”), to the extent there is any conflict between this Agreement and the agreement entered between Customer and the respective Partner, including any purchase order (“Partner Order”), then, as between Customer and Wiz, this Agreement shall prevail. Any rights granted to Customer in such Partner Order which are not contained in this Agreement, apply only in connection with such Partner. In that case, Customer must seek redress or realization or enforcement of such rights solely with such Partner and not Wiz. An “Order” means a Direct Order or a Partner Order, as applicable.
2.2 Unless otherwise indicated, the term “Platform” also includes all software, revisions, fixes, improvements and/or updates to the subscription type specified in an Order and any user manuals and documentation available within the Platform (“Documentation”) provided to Customer in connection with the operation of the Platform. Customer may only use the Platform in accordance with the Documentation, subject to any use limitations indicated in an Order, and applicable laws and regulations. The Platform and any related services provided to Customer and detailed in an Order shall be referred to as the “Services”.
The Services are conditioned on Customer’s payment of the applicable fees as set forth in each Order (“Fees”) and Wiz reserves the right, following at least 15 days’ notice to Customer, to suspend Customer’s access to the Services for non or late payment. Except as set forth in this Agreement or a Direct Order, all Fees and other amounts paid pursuant to this Agreement and an Order are non-refundable and without right of set off. Unless otherwise specified in an Order: (i) Customer will pay all amounts due under this Agreement in U.S. Dollars currency, (ii) Fees for the entire Subscription Term set out in the applicable Order are due at the commencement of such Subscription Term and payable as described in the Order; (iii) all Fees are due and payable within thirty (30) days of the date of Wiz’s invoice; (iv) any amount not paid when due shall accrue interest on a daily basis until paid in full at the lesser of: (a) the rate of one and a half percent (1.5%) per month; or (b) the highest amount permitted by applicable law; and (v) all amounts payable under each Order are exclusive of all sales, use, value-added, withholding, and other direct or indirect taxes, charges, levies and duties. Customer shall bear all value added, state, local, withholding, and other taxes or other charges applicable to the Services; provided that Wiz will be responsible for any taxes imposed on Wiz’s income, assets and/or workforce.
4. Permitted Users. The Platform may be accessed solely by Customer or its Affiliates' employees or service providers who are explicitly authorized by Customer to use the Platform (each, a “Permitted User”). Customer will (i) ensure that Permitted Users comply with the terms of this Agreement at all times, (ii) maintain the confidentiality and security of their Wiz account credentials, and (iii) be fully responsible for any acts or omissions by a Permitted User. Customer must promptly notify Wiz upon becoming aware of any unauthorized access to or use of the Platform.
5. Prohibited Uses. Except as specifically permitted herein, without the prior written consent of Wiz, Customer shall not, and shall not allow any Permitted User or any third party to, directly or indirectly: (i) copy, modify, create derivative works of or distribute any part of the Platform (including by incorporation into its products); (ii) sell, license (or sub-license), lease, assign, transfer, pledge, or share Customer's rights under this Agreement with any third party; (iii) disclose the results of any testing or benchmarking of the Platform to any third party; (iv) disassemble, decompile, reverse engineer or attempt to discover the Platform’s source code or underlying algorithms; (v) use the Platform for any use in competition with Wiz’s Services; (vi) use the Platform in a manner that violates or infringes any rights of any third party; (vii) remove or alter any trademarks or other proprietary notices related to the Platform; or (vii) circumvent, disable or otherwise interfere with security-related features of the Platform or features that enforce use limitations.
6. Security.
If Customer chooses, in its sole discretion, to provide Feedback (defined below) to Wiz, nothing in this Agreement or in the parties’ dealings arising out of or related to this Agreement will restrict Wiz's right to use, profit from, disclose, publish, or otherwise exploit Feedback, without compensating or crediting Customer or the individual providing such Feedback. Customer’s Confidential Information shall not include Feedback, to the extent that such Feedback relates exclusively to Wiz’s products or services. “Feedback” means any feedback (e.g., questions, comments, suggestions or the like), whether orally or in writing, regarding any of the Services.
WIZ SHALL NOT BE RESPONSIBLE FOR ANY WARRANTIES AND REPRESENTATIONS MADE BY ANY PARTNER TO CUSTOMER, AND SUCH WARRANTIES AND REPRESENTATIONS ARE THE SOLE RESPONSIBILITY OF SUCH PARTNER.
(A) EXCEPT FOR ANY DAMAGES RESULTING FROM CUSTOMER'S VIOLATION OF WIZ'S INTELLECTUAL PROPERTY RIGHTS; NEITHER PARTY OR ITS AFFILIATES SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, OR ANY LOSS OF REVENUE, REPUTATION, OR PROFITS, DATA, OR DATA USE.
(B) EXCEPT FOR WIZ’S INDEMNIFICATION OBLIGATION UNDER SECTION 16, AND/OR DAMAGES RESULTING FROM CUSTOMER'S VIOLATION OF WIZ'S INTELLECTUAL PROPERTY RIGHTS; EITHER PARTY’S INCLUDING ITS AFFILIATES’ MAXIMUM LIABILITY FOR ANY DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT, INCLUDING ITS EXHIBITS, WHETHER IN CONTRACT OR TORT, OR OTHERWISE, SHALL IN NO EVENT EXCEED, IN THE AGGREGATE, THE TOTAL FEES ATTRIBUTABLE UNDER THE APPLICABLE ORDER TO THE TWELVE MONTH PERIOD OF THE CURRENT SUBSCRIPTION YEAR IN WHICH THE EVENT GIVING RISE TO SUCH CLAIM OCCURS. FOR CLARITY LIMITATIONS IN THIS SECTION DO NOT APPLY TO FEES DUE TO WIZ UNDER THIS AGREEMENT.
If the Platform becomes, or in Wiz’s opinion is likely to become, the subject of an IP Infringement Claim, then Wiz may, at its sole discretion: (a) procure for the Customer the right to continue using the Platform; (b) replace or modify the Platform to avoid the IP Infringement Claim; or (c) if options (a) and (b) cannot be accomplished despite Wiz’s reasonable efforts, then Wiz or Customer may terminate all affected Orders and Wiz shall provide a pro-rata refund for any amount pre-paid by Customer for the remaining unused period of the Term.
Notwithstanding the foregoing, Wiz shall have no responsibility for IP Infringement Claims to the extent resulting from or based on: (i) modifications to the Platform made by a party other than Wiz; (ii) the Customer’s failure to implement software updates provided by Wiz specifically to avoid infringement; or (iii) combination or use of the Platform with software not supplied by Wiz or not in accordance with the Documentation.
This Section states Wiz’s entire liability, and Customer’s exclusive remedy, for claims or alleged or actual infringement.
Effective October 29, 2023 to November 13, 2023
WIZ MASTER SUBSCRIPTION AGREEMENT
BY ACCEPTING THIS AGREEMENT OR ACCESSING OR USING THE SERVICES, YOU ARE ACCEPTING THE TERMS AND CONDITIONS OF THIS AGREEMENT, UNLESS A SEPARATE WRITTEN AGREEMENT IS IN EFFECT THAT SPECIFICALLY GOVERNS THE SUBJECT MATTER HEREOF. IF YOU DO NOT AGREE TO THIS AGREEMENT, YOU MAY NOT USE THE SERVICE. YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO ENTER INTO THIS AGREEMENT; IF YOU ARE USING THE SERVICE AS AN EMPLOYEE OR AGENT OF AN ORGANIZATION OR ENTITY, THEN YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO SIGN FOR AND BIND SUCH ORGANIZATION OR ENTITY IN ORDER TO ACCEPT THE TERMS OF THIS AGREEMENT. IF YOU DO NOT HAVE AUTHORITY TO BIND YOUR EMPLOYER OR OTHER LEGAL ENTITY, PLEASE DO NOT ACCEPT THIS AGREEMENT AND IMMEDIATELY REFRAIN FROM ACCESSING AND/OR USING THE SERVICES.
IF YOU ARE USING THE SERVICE AS A PROOF OF CONCEPT OR FOR EVALUATION PURPOSES, THE SERVICES ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND AND IN ACCORDANCE WITH THE TERMS OF SECTION 8 (“EVALUATIONS”) BELOW.
This Master Subscription Agreement (the “Agreement”) is effective on the earlier of: the date of (i) the execution of an Order referencing this Agreement; or (ii) Customer’s use of the Services (the “Effective Date”), by and between Wiz (as defined in Section 21 below) and you or the entity you represent referenced in the Order or otherwise accessing the Services (the “Customer”) (each, a “Party” and collectively, the “Parties”). Customer may use the Services (as defined below) subject to the terms below.
1. Ordering.
1.1 Customer may place an order for Services directly with Wiz via an order form (a “Direct Order”). Direct Orders may be entered into by Wiz or Wiz Affiliates with Customer or Customer Affiliates. Each Direct Order is hereby incorporated into this Agreement by reference and shall be deemed to be a stand-alone agreement that incorporates by reference the terms of this Agreement (mutatis mutandis) whereby each signing entity to the Direct Order shall be considered to be either “Wiz” or “Customer” referenced herein. A Customer Affiliate will have the right to enter into an Order referencing this Agreement and thereby indicating its agreement to be bound by the terms of this Agreement as if it were an original party hereto. In such case, for purposes of such Order, such Customer Affiliate will be deemed to be the “Customer” hereunder. To the extent of any conflict or inconsistency between the terms and conditions of this Agreement and a Direct Order, this Agreement shall prevail (unless a Direct Order specifically states otherwise). “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2 If Customer has purchased a subscription pursuant to the terms hereof from a partner, reseller or distributor authorized by Wiz (“Partner”), to the extent there is any conflict between this Agreement and the agreement entered between Customer and the respective Partner, including any purchase order (“Partner Order”), then, as between Customer and Wiz, this Agreement shall prevail. Any rights granted to Customer in such Partner Order which are not contained in this Agreement, apply only in connection with such Partner. In that case, Customer must seek redress or realization or enforcement of such rights solely with such Partner and not Wiz. An “Order” means a Direct Order or a Partner Order, as applicable.
2.2 Unless otherwise indicated, the term “Platform” also includes all software, revisions, fixes, improvements and/or updates to the subscription type specified in an Order and any user manuals and documentation available within the Platform (“Documentation”) provided to Customer in connection with the operation of the Platform. Customer may only use the Platform in accordance with the Documentation, subject to any use limitations indicated in an Order, and applicable laws and regulations. The Platform and any related services provided to Customer and detailed in an Order shall be referred to as the “Services”.
The Services are conditioned on Customer’s payment of the applicable fees as set forth in each Order (“Fees”) and Wiz reserves the right, following at least 15 days’ notice to Customer, to suspend Customer’s access to the Services for non or late payment. Except as set forth in this Agreement or a Direct Order, all Fees and other amounts paid pursuant to this Agreement and an Order are non-refundable and without right of set off. Unless otherwise specified in an Order: (i) Customer will pay all amounts due under this Agreement in U.S. Dollars currency, (ii) Fees for the entire Subscription Term set out in the applicable Order are due at the commencement of such Subscription Term and payable as described in the Order; (iii) all Fees are due and payable within thirty (30) days of the date of Wiz’s invoice; (iv) any amount not paid when due shall accrue interest on a daily basis until paid in full at the lesser of: (a) the rate of one and a half percent (1.5%) per month; or (b) the highest amount permitted by applicable law; and (v) all amounts payable under each Order are exclusive of all sales, use, value-added, withholding, and other direct or indirect taxes, charges, levies and duties. Customer shall bear all value added, state, local, withholding, and other taxes or other charges applicable to the Services; provided that Wiz will be responsible for any taxes imposed on Wiz’s income, assets and/or workforce.
4. Permitted Users. The Platform may be accessed solely by Customer or its Affiliates' employees or service providers who are explicitly authorized by Customer to use the Platform (each, a “Permitted User”). Customer will (i) ensure that Permitted Users comply with the terms of this Agreement at all times, (ii) maintain the confidentiality and security of their Wiz account credentials, and (iii) be fully responsible for any acts or omissions by a Permitted User. Customer must promptly notify Wiz upon becoming aware of any unauthorized access to or use of the Platform.
5. Prohibited Uses. Except as specifically permitted herein, without the prior written consent of Wiz, Customer shall not, and shall not allow any Permitted User or any third party to, directly or indirectly: (i) copy, modify, create derivative works of or distribute any part of the Platform (including by incorporation into its products); (ii) sell, license (or sub-license), lease, assign, transfer, pledge, or share Customer's rights under this Agreement with any third party; (iii) disclose the results of any testing or benchmarking of the Platform to any third party; (iv) disassemble, decompile, reverse engineer or attempt to discover the Platform’s source code or underlying algorithms; (v) use the Platform for any use in competition with Wiz’s Services; (vi) use the Platform in a manner that violates or infringes any rights of any third party; (vii) remove or alter any trademarks or other proprietary notices related to the Platform; or (vii) circumvent, disable or otherwise interfere with security-related features of the Platform or features that enforce use limitations.
6. Security.
If Customer chooses, in its sole discretion, to provide Feedback (defined below) to Wiz, nothing in this Agreement or in the parties’ dealings arising out of or related to this Agreement will restrict Wiz's right to use, profit from, disclose, publish, or otherwise exploit Feedback, without compensating or crediting Customer or the individual providing such Feedback. Customer’s Confidential Information shall not include Feedback, to the extent that such Feedback relates exclusively to Wiz’s products or services. “Feedback” means any feedback (e.g., questions, comments, suggestions or the like), whether orally or in writing, regarding any of the Services.
WIZ SHALL NOT BE RESPONSIBLE FOR ANY WARRANTIES AND REPRESENTATIONS MADE BY ANY PARTNER TO CUSTOMER, AND SUCH WARRANTIES AND REPRESENTATIONS ARE THE SOLE RESPONSIBILITY OF SUCH PARTNER.
(A) EXCEPT FOR ANY DAMAGES RESULTING FROM CUSTOMER'S VIOLATION OF WIZ'S INTELLECTUAL PROPERTY RIGHTS; NEITHER PARTY OR ITS AFFILIATES SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, OR ANY LOSS OF REVENUE, REPUTATION, OR PROFITS, DATA, OR DATA USE.
(B) EXCEPT FOR WIZ’S INDEMNIFICATION OBLIGATION UNDER SECTION 16, AND/OR DAMAGES RESULTING FROM CUSTOMER'S VIOLATION OF WIZ'S INTELLECTUAL PROPERTY RIGHTS; EITHER PARTY’S INCLUDING ITS AFFILIATES’ MAXIMUM LIABILITY FOR ANY DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT, INCLUDING ITS EXHIBITS, WHETHER IN CONTRACT OR TORT, OR OTHERWISE, SHALL IN NO EVENT EXCEED, IN THE AGGREGATE, THE TOTAL FEES ATTRIBUTABLE UNDER THE APPLICABLE ORDER TO THE TWELVE MONTH PERIOD OF THE CURRENT SUBSCRIPTION YEAR IN WHICH THE EVENT GIVING RISE TO SUCH CLAIM OCCURS. FOR CLARITY LIMITATIONS IN THIS SECTION DO NOT APPLY TO FEES DUE TO WIZ UNDER THIS AGREEMENT.
If the Platform becomes, or in Wiz’s opinion is likely to become, the subject of an IP Infringement Claim, then Wiz may, at its sole discretion: (a) procure for the Customer the right to continue using the Platform; (b) replace or modify the Platform to avoid the IP Infringement Claim; or (c) if options (a) and (b) cannot be accomplished despite Wiz’s reasonable efforts, then Wiz or Customer may terminate all affected Orders and Wiz shall provide a pro-rata refund for any amount pre-paid by Customer for the remaining unused period of the Term.
Notwithstanding the foregoing, Wiz shall have no responsibility for IP Infringement Claims to the extent resulting from or based on: (i) modifications to the Platform made by a party other than Wiz; (ii) the Customer’s failure to implement software updates provided by Wiz specifically to avoid infringement; or (iii) combination or use of the Platform with software not supplied by Wiz or not in accordance with the Documentation.
This Section states Wiz’s entire liability, and Customer’s exclusive remedy, for claims or alleged or actual infringement.
Effective September 14, 2023 to October 29, 2023
WIZ MASTER SUBSCRIPTION AGREEMENT
BY ACCEPTING THIS AGREEMENT OR ACCESSING OR USING THE SERVICES, YOU ARE ACCEPTING THE TERMS AND CONDITIONS OF THIS AGREEMENT, UNLESS A SEPARATE WRITTEN AGREEMENT IS IN EFFECT THAT SPECIFICALLY GOVERNS THE SUBJECT MATTER HEREOF. IF YOU DO NOT AGREE TO THIS AGREEMENT, YOU MAY NOT USE THE SERVICE. YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO ENTER INTO THIS AGREEMENT; IF YOU ARE USING THE SERVICE AS AN EMPLOYEE OR AGENT OF AN ORGANIZATION OR ENTITY, THEN YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO SIGN FOR AND BIND SUCH ORGANIZATION OR ENTITY IN ORDER TO ACCEPT THE TERMS OF THIS AGREEMENT. IF YOU DO NOT HAVE AUTHORITY TO BIND YOUR EMPLOYER OR OTHER LEGAL ENTITY, PLEASE DO NOT ACCEPT THIS AGREEMENT AND IMMEDIATELY REFRAIN FROM ACCESSING AND/OR USING THE SERVICES.
IF YOU ARE USING THE SERVICE AS A PROOF OF CONCEPT OR FOR EVALUATION PURPOSES, THE SERVICES ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND AND IN ACCORDANCE WITH THE TERMS OF SECTION 8 (“EVALUATIONS”) BELOW.
This Master Subscription Agreement (the “Agreement”) is effective on the earlier of: the date of (i) the execution of an Order referencing this Agreement; or (ii) Customer’s use of the Services (the “Effective Date”), by and between Wiz (as defined in Section 21 below) and you or the entity you represent referenced in the Order or otherwise accessing the Services (the “Customer”) (each, a “Party” and collectively, the “Parties”). Customer may use the Services (as defined below) subject to the terms below.
- Ordering.
1.1. Customer may place an order for Services directly with Wiz via an order form (a “Direct Order”). Direct Orders may be entered into by Wiz or Wiz Affiliates with Customer or Customer Affiliates. Each Direct Order is hereby incorporated into this Agreement by reference and shall be deemed to be a stand-alone agreement that incorporates by reference the terms of this Agreement (mutatis mutandis) whereby each signing entity to the Direct Order shall be considered to be either “Wiz” or “Customer” referenced herein. A Customer Affiliate will have the right to enter into an Order referencing this Agreement and thereby indicating its agreement to be bound by the terms of this Agreement as if it were an original party hereto. In such case, for purposes of such Order, such Customer Affiliate will be deemed to be the “Customer” hereunder. To the extent of any conflict or inconsistency between the terms and conditions of this Agreement and a Direct Order, this Agreement shall prevail (unless a Direct Order specifically states otherwise). “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2. If Customer has purchased a subscription pursuant to the terms hereof from a partner, reseller or distributor authorized by Wiz (“Partner”), to the extent there is any conflict between this Agreement and the agreement entered between Customer and the respective Partner, including any purchase order (“Partner Order”), then, as between Customer and Wiz, this Agreement shall prevail. Any rights granted to Customer in such Partner Order which are not contained in this Agreement, apply only in connection with such Partner. In that case, Customer must seek redress or realization or enforcement of such rights solely with such Partner and not Wiz. An “Order” means a Direct Order or a Partner Order, as applicable.
- Subscription.
2.1. Subject to the terms and conditions of this Agreement (including payment obligations), Wiz hereby grants Customer, in connection with each Order, a limited, non-exclusive, non-sublicensable, non-transferable and revocable (as provided herein) right to use the Wiz cloud security platform (“Platform”) in object code form, during the corresponding Subscription Term (as defined in an Order), solely for Customer's internal business purposes and in accordance with the subscriptions specified in the applicable Order.
2.2. Unless otherwise indicated, the term “Platform” also includes all software, revisions, fixes, improvements and/or updates to the subscription type specified in an Order and any user manuals and documentation available within the Platform (“Documentation”) provided to Customer in connection with the operation of the Platform. Customer may only use the Platform in accordance with the Documentation, subject to any use limitations indicated in an Order, and applicable laws and regulations. The Platform and any related services provided to Customer and detailed in an Order shall be referred to as the “Services”.
- Fees.
The Services are conditioned on Customer’s payment of the applicable fees as set forth in each Order (“Fees”) and Wiz reserves the right, following at least 15 days’ notice to Customer, to suspend Customer’s access to the Services for non or late payment. Except as set forth in this Agreement or a Direct Order, all Fees and other amounts paid pursuant to this Agreement and an Order are non-refundable and without right of set off. Unless otherwise specified in an Order: (i) Customer will pay all amounts due under this Agreement in U.S. Dollars currency, (ii) Fees for the entire Subscription Term set out in the applicable Order are due at the commencement of such Subscription Term and payable as described in the Order; (iii) all Fees are due and payable within thirty (30) days of the date of Wiz’s invoice; (iv) any amount not paid when due shall accrue interest on a daily basis until paid in full at the lesser of: (a) the rate of one and a half percent (1.5%) per month; or (b) the highest amount permitted by applicable law; and (v) all amounts payable under each Order are exclusive of all sales, use, value-added, withholding, and other direct or indirect taxes, charges, levies and duties. Customer shall bear all value added, state, local, withholding, and other taxes or other charges applicable to the Services; provided that Wiz will be responsible for any taxes imposed on Wiz’s income, assets and/or workforce.
- Permitted Users. The Platform may be accessed solely by Customer or its Affiliates' employees or service providers who are explicitly authorized by Customer to use the Platform (each, a “Permitted User”). Customer will (i) ensure that Permitted Users comply with the terms of this Agreement at all times, (ii) maintain the confidentiality and security of their Wiz account credentials, and (iii) be fully responsible for any acts or omissions by a Permitted User. Customer must promptly notify Wiz upon becoming aware of any unauthorized access to or use of the Platform.
- Prohibited Uses. Except as specifically permitted herein, without the prior written consent of Wiz, Customer shall not, and shall not allow any Permitted User or any third party to, directly or indirectly: (i) copy, modify, create derivative works of or distribute any part of the Platform (including by incorporation into its products); (ii) sell, license (or sub-license), lease, assign, transfer, pledge, or share Customer's rights under this Agreement with any third party; (iii) disclose the results of any testing or benchmarking of the Platform to any third party; (iv) disassemble, decompile, reverse engineer or attempt to discover the Platform’s source code or underlying algorithms; (v) use the Platform for any use in competition with Wiz’s Services; (vi) use the Platform in a manner that violates or infringes any rights of any third party; (vii) remove or alter any trademarks or other proprietary notices related to the Platform; or (vii) circumvent, disable or otherwise interfere with security-related features of the Platform or features that enforce use limitations.
- Security.
Customer acknowledges that it is responsible for implementing, running and managing its subscription to the Platform on a day to day basis. Wiz shall employ administrative, physical, and technical security measures in accordance with applicable industry standards, including AICPA SOC2 Type 2 criteria and ISO 27001, to protect (and prevent the accidental loss or unauthorized access, use or disclosure of) Customer Data, in each case, under its control. Customer shall be responsible for: (i) the security of cloud environments it owns, operates, and connects to Wiz, and for configuration of its instance(s) of the Wiz Platform; (ii) provisioning Permitted Users with access to Customer’s instance of the Wiz Platform, including: (a) managing instance-level administrators and other user privileges; (b) deauthorizing Permitted Users who no longer need access; (c) provisioning and configuring service account or API access; and (d) enabling integrations, in Customer’s sole discretion, with customer-owned or third-party technologies. Wiz provides customers with audit logs that record customer user account and application activity occurring within their respective Wiz Platform instance(s), however, Customer is responsible for monitoring its own instance’s audit logs.
- Customer Data.
7.1. As between the parties, Customer owns and retains all right, title and interest (including all intellectual property rights) in and to any data or information that originates, resides on, or is otherwise processed through Customer's systems and processed by Wiz in the provision of the Services (“Customer Data”). Customer has exclusive control and responsibility for determining what Customer Data it and its Permitted Users submit into the Services and for obtaining all necessary rights, consents and permissions for submission of Customer Data and processing instructions to Wiz. Customer hereby grants to Wiz a non-exclusive, worldwide, royalty-free right to use Customer Data to provide the Services and perform its obligations under this Agreement.
7.2. If Customer Data contains personally identifiable information, to the extent applicable, the Parties shall comply with Wiz’s Data Processing Agreement (“DPA”), which is available at https://www.wiz.io/data-processing-agreement and forms an integral part of this Agreement.
7.3. Customer acknowledges and agrees that Wiz may collect and process information regarding the configuration, performance, security, access to and use of the Services by Customer (“Account Data”) for its internal business purposes including to develop, improve, support, secure and operate the Services and to fulfill legal obligations. Notwithstanding the foregoing, nothing in this Agreement shall restrict Wiz’s use of data that has been anonymized and/or aggregated, provided that such data does not in any way identify and cannot be reasonably associated with Customer, its Affiliates, Permitted Users or any individuals connected to Customer or Customer Confidential Information (“Anonymized Data”).
- Evaluations. If Customer is using the Services for a free trial, proof of concept, evaluation, one-time assessment, or other similar purpose (“Evaluation”), such Evaluation is granted for a limited period of twenty-one (21) days, (or in the case of Wiz’s One-time free assessment for up to seven (7) days), unless Wiz agrees to an extension and in each case solely for the purpose of evaluating and testing the Services to determine whether to purchase a subscription for Customer’s internal use. Wiz may terminate Customer’s access to and use of any Evaluation at any time. Evaluations are provided “as is” without guaranteed support levels, indemnification, or warranty of any kind, whether express, implied, statutory, or otherwise. Notwithstanding Section 15 (Limitation of Liability) or any other provision of this Agreement, Wiz’s maximum aggregate liability under any Evaluation shall be capped at one thousand dollars US ($1,000 US).
- Wiz Preview Features. From time to time, upon Customer or its Permitted Users' request, Wiz may make available to Customer one or more proprietary, non-commercially available, hosted software applications, application platform interfaces, services, products, features and/or functionalities on a beta testing basis (“Wiz Preview Feature(s)”) to try at no charge. Customer may choose to try such Wiz Preview Features in its sole discretion subject to the Wiz Preview Program Terms which are available at https://www.wiz.io/preview-terms.
- Customer Integrations. Customer acknowledges that the Services may link to third party websites, applications or services that can be integrated with or connected to the Services (“Third Party Integrations”). Customer’s use of such Third Party Integrations is optional. To use such features, Customer must either obtain access to the Third Party Integrations via the third party provider or authorize Wiz to obtain access on Customer’s behalf. If Customer uses such Third Party Integrations, it acknowledges and agrees that: (a) any link from the Service does not imply any Wiz endorsement of, or responsibility for, those Third Party Integrations and the use of such Third Party Integrations are subject to the terms and conditions of the Third Party Integration provider; (b) Customer may be required to grant Wiz access to its Third Party Integration account and/or to grant the Third Party Integration provider access to its Wiz account; (c) Customer Data may be transferred between Wiz and the Third Party Integration provider as required for the interoperation with the Services; and (d) Wiz does not guarantee the continued availability of such Third Party Integrations, and may cease supporting them without liability to Customer. To the maximum extent permitted by law but without derogating from Wiz’s obligations under this Agreement, Wiz shall not bear and expressly disclaims all responsibility or liability of any kind relating to such Third Party Integrations, including, without limitation, for any disclosure of, access to or other processing of Customer Data by Third Party Integration providers.
- Warranties. Each Party represents and warrants that it is duly organized, validly existing and in good standing under the laws of its jurisdiction of incorporation or organization; and that the execution and performance of this Agreement will not conflict with other agreements to which it is bound or violate applicable law.
- Intellectual Property Rights. All right, title, and interest, including any intellectual property rights evidenced by or embodied in, attached, connected, and/or related to the Platform (and any and all improvements enhancements, corrections, modifications, alterations, revisions, extensions and updates and derivative works thereof) and any other products, deliverables or services provided by Wiz; are and shall remain owned solely by Wiz or its licensors. This Agreement does not convey to Customer any interest in or to the Platform other than a limited right to use the Platform in accordance with Section 2 (Subscription). Nothing herein constitutes a waiver of Wiz’s intellectual property rights under any law. Wiz reserves all rights not expressly granted herein to the Platform.
If Customer chooses, in its sole discretion, to provide Feedback (defined below) to Wiz, nothing in this Agreement or in the parties’ dealings arising out of or related to this Agreement will restrict Wiz's right to use, profit from, disclose, publish, or otherwise exploit Feedback, without compensating or crediting Customer or the individual providing such Feedback. Customer’s Confidential Information shall not include Feedback, to the extent that such Feedback relates exclusively to Wiz’s products or services. “Feedback” means any feedback (e.g., questions, comments, suggestions or the like), whether orally or in writing, regarding any of the Services.
- Confidentiality. Each Party may have access to certain non-public information of the other Party, in any form or media, including without limitation trade secrets and other information related to the products, software, technology, data, know-how, or business of the other Party, and any other information that a reasonable person should have reason to believe is proprietary, confidential, or competitively sensitive (the “Confidential Information”). The receiving Party will use the same standard of care to protect the disclosing Party’s Confidential Information as it uses to protect its own Confidential Information, but no less than reasonable care. The receiving Party’s obligations under this Section, with respect to any Confidential Information of the disclosing Party, shall not apply to and/or shall terminate if such information: (a) was already lawfully known to the receiving Party at the time of disclosure by the disclosing Party; (b) was disclosed to the receiving Party by a third party who had the right to make such disclosure without any confidentiality restrictions; (c) is, or through no fault of the receiving Party has become, generally available to the public; or (d) was independently developed by the receiving Party without access to, or use of, the disclosing Party’s Confidential Information.
Neither Party shall use or disclose the Confidential Information of the other Party except for performance of its obligations under this Agreement. The receiving Party shall only permit access to the disclosing Party's Confidential Information to its and/or its Affiliates’ respective employees, consultants, affiliates, service providers, agents, partners, and subcontractors having a need to know such information, and who are bound by at least equivalent obligations of confidentiality and non-disclosure as those under this Agreement (such recipients being “Authorized Recipients”). The receiving Party is responsible for the compliance of its Authorized Recipients with the confidentiality and non-disclosure obligations of this Agreement. The receiving Party will be allowed to disclose Confidential Information to the extent that such disclosure is required by law or by the order or a court of similar judicial or administrative body, provided that, to the extent permitted by applicable law, it notifies the disclosing Party of such required disclosure to enable disclosing party to seek a protective order or otherwise prevent or restrict such disclosure. Notwithstanding the foregoing, each Party can disclose the terms and existence of this Agreement to third parties in connection with a due diligence review (i.e., a potential investment in a Party or a going-public transaction) subject to such third parties being bound by at least equivalent obligations of confidentiality and non-disclosure as those under this Agreement. All right, title and interest in and to Confidential Information are and shall remain the sole and exclusive property of the disclosing Party.
- LIMITED WARRANTIES. Wiz represents and warrants that the Platform shall substantially perform in conformance with its Documentation. As the Customer's sole and exclusive remedy and Wiz's sole liability for breach of this warranty, Wiz shall use commercially reasonable efforts to repair the Platform and, if Wiz cannot do so within a reasonable time, not to exceed 30 days, Customer may terminate this Agreement and receive a pro-rata refund of any amounts pre-paid by Customer for the remaining unused period of the Term. The warranty set forth shall not apply if the failure of the Platform results from or is otherwise attributable to Customer or its Permitted User’s acts or omissions in violation of this Agreement. Wiz shall not be liable for any inaccuracy in the Service's output and/or delay and/or unavailability of the Services, caused due to (a) failure of Customer's Internet access or any public telecommunications network, or shortage of adequate power, (b) any incompatibility between the Customer's systems and the Platform and/or (c) maintenance within the Customer's systems affecting the operation of the Platform. OTHER THAN AS EXPLICITLY STATED IN THIS AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE PLATFORM, ITS RELATED SERVICES AND ANY OUTPUT RESULTED FROM THE USE OF THE PLATFORM ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. WIZ DOES NOT WARRANT THAT: (i) THE SERVICES WILL MEET CUSTOMER'S REQUIREMENTS, OR (ii) THE SERVICES WILL OPERATE ERROR-FREE. EXCEPT AS SET FORTH IN THIS AGREEMENT, WIZ EXPRESSLY DISCLAIMS ALL EXPRESS WARRANTIES AND ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, TITLE, NON-INFRINGEMENT, NON-INTERFERENCE, FITNESS FOR A PARTICULAR PURPOSE.
WIZ SHALL NOT BE RESPONSIBLE FOR ANY WARRANTIES AND REPRESENTATIONS MADE BY ANY PARTNER TO CUSTOMER, AND SUCH WARRANTIES AND REPRESENTATIONS ARE THE SOLE RESPONSIBILITY OF SUCH PARTNER.
- LIMITATION OF LIABILITY. TO THE MAXIMUM EXTENT PERMITTED BY LAW:
(A) EXCEPT FOR ANY DAMAGES RESULTING FROM CUSTOMER'S VIOLATION OF WIZ'S INTELLECTUAL PROPERTY RIGHTS; NEITHER PARTY OR ITS AFFILIATES SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, OR ANY LOSS OF REVENUE, REPUTATION, OR PROFITS, DATA, OR DATA USE.
(B) EXCEPT FOR WIZ’S INDEMNIFICATION OBLIGATION UNDER SECTION 16, AND/OR DAMAGES RESULTING FROM CUSTOMER'S VIOLATION OF WIZ'S INTELLECTUAL PROPERTY RIGHTS; EITHER PARTY’S INCLUDING ITS AFFILIATES’ MAXIMUM LIABILITY FOR ANY DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT, INCLUDING ITS EXHIBITS, WHETHER IN CONTRACT OR TORT, OR OTHERWISE, SHALL IN NO EVENT EXCEED, IN THE AGGREGATE, THE TOTAL FEES ATTRIBUTABLE UNDER THE APPLICABLE ORDER TO THE TWELVE MONTH PERIOD OF THE CURRENT SUBSCRIPTION YEAR IN WHICH THE EVENT GIVING RISE TO SUCH CLAIM OCCURS. FOR CLARITY LIMITATIONS IN THIS SECTION DO NOT APPLY TO FEES DUE TO WIZ UNDER THIS AGREEMENT.
- Indemnification. Wiz agrees to defend, at its expense, any third party action or suit brought against the Customer alleging that the Platform, when used as permitted under this Agreement and each respective Order or Partner Order (as the case may be), infringes intellectual property rights of a third party (“IP Infringement Claim”); and Wiz will pay any damages awarded in a final judgment against the Customer that are attributable to any such claim, or that are otherwise agreed in a settlement with the prior written consent of Wiz, provided that (i) the Customer promptly notifies Wiz in writing of such claim; (ii) the Customer grants Wiz the sole authority to handle the defense or settlement of any such claim and provides Wiz with all reasonable information and assistance, at Wiz’s expense; and (iii) the Customer refrains from admitting any liability or otherwise compromising the defense in whole or in part, without the express prior written consent of Wiz. Wiz will not enter into any settlement that imposes any legal liability or financial obligation on Customer without Customer’s prior written consent.
If the Platform becomes, or in Wiz’s opinion is likely to become, the subject of an IP Infringement Claim, then Wiz may, at its sole discretion: (a) procure for the Customer the right to continue using the Platform; (b) replace or modify the Platform to avoid the IP Infringement Claim; or (c) if options (a) and (b) cannot be accomplished despite Wiz’s reasonable efforts, then Wiz or Customer may terminate all affected Orders and Wiz shall provide a pro-rata refund for any amount pre-paid by Customer for the remaining unused period of the Term.
Notwithstanding the foregoing, Wiz shall have no responsibility for IP Infringement Claims to the extent resulting from or based on: (i) modifications to the Platform made by a party other than Wiz; (ii) the Customer’s failure to implement software updates provided by Wiz specifically to avoid infringement; or (iii) combination or use of the Platform with software not supplied by Wiz or not in accordance with the Documentation.
This Section states Wiz’s entire liability, and Customer’s exclusive remedy, for claims or alleged or actual infringement.
- Term. This Agreement shall enter into force and effect on the Effective Date and, unless earlier terminated in accordance with Section 18, shall remain in full force and effect until all Orders expire or are terminated (the “Term”).
- Termination. Either Party may terminate an Order and/or this Agreement for cause with immediate effect if (a) the other Party breaches any material term or condition of an Order and/or this Agreement, and (b) such breach remains uncured thirty (30) days after the breaching Party receives written notice thereof. Upon termination or expiration of this Agreement and/or an Order: (i) all rights granted to Customer in the Platform shall expire, and Customer shall discontinue any further use and access thereof including, to the extent applicable, by deinstalling any Wiz provided software; (ii) Customer shall immediately delete and dispose of all copies of the Documentation in Customer’s or any of its representatives’ possession or control; and (iii) Wiz may retain Customer Data in accordance with its customer data retention policy without affecting any of Wiz’s rights to the Account Data or Anonymized Data. Section 5 (Prohibited Uses), Section 6 (Security), Section 7 (Customer Data), Section 8 (Evaluations), Section 9 (Wiz Preview Features), Section 10 (Customer Integrations), Section 12 (Intellectual Property), Section 13 (Confidentiality), Section 14 (Limited Warranties), Section 15 (Limitation of Liability), Section 18 (Termination), Section 21 (Contracting) and Section 22 (Miscellaneous) shall survive termination or expiration of this Agreement for any reason. Customer shall be responsible for downloading its Customer Data prior to termination of this Agreement.
- Customer Reference. Unless stated otherwise in an Order, Wiz shall not use Customer’s name to identify Customer as a customer of Wiz on Wiz’s websites or public marketing materials without Customer’s prior written consent.
- Export Compliance. The Services may be subject to export laws and regulations of the United States and other jurisdictions. Wiz and Customer each represents that it is not on any U.S. government denied-party list. Customer will not permit any Permitted User to access or use any Service in a U.S. embargoed country or region (currently the Crimea, Luhansk or Donetsk regions, Cuba, Iran, North Korea, Sudan or Syria) or as may be updated from time to time, or in violation of any U.S. export law or regulation.
- Contracting entity. For the purposes of this Agreement “Wiz” means Wiz Inc., a company incorporated under the laws of the State of Delaware, having its principal place of business at One Manhattan West, 57th Floor, New York, NY 10001 or its Affiliates, as applicable. For clarity, unless a Direct Order specifies otherwise, the Wiz entity contracting with Customer hereunder will be (i) Wiz, Inc., if Customer is located outside of the UK or Europe or is purchasing via a cloud service provider marketplace; or (ii) Wiz Cloud Limited, a private limited company under the laws of England and Wales, if Customer is located in the UK or Europe and not purchasing via a cloud service provider.
- Miscellaneous. This Agreement, including any Order(s) and any exhibits attached or referred hereto, represents the complete agreement concerning the subject matter hereof and may be amended only by a written agreement executed by both Parties. The failure of either Party to enforce any rights granted hereunder or to take action against the other Party in the event of any breach hereunder shall not be deemed a waiver by that Party as to subsequent enforcement of rights or subsequent actions in the event of future breaches. If any provision of this Agreement is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. This Agreement represents the entire agreement of the Parties with respect to the subject matter hereof, and supersedes and replaces all prior and contemporaneous oral or written understandings, agreements and statements by the Parties with respect to such subject matter, including prior non-disclosure agreements or evaluation agreements. Without limiting the generality of the foregoing, this Agreement supersedes any terms or conditions (whether printed, hyperlinked, or otherwise) in any Customer's purchase order or other standardized business forms, which purport to supersede, modify or supplement this Agreement. Neither Party may assign its rights or obligations under this Agreement without the prior written consent of the other Party, which consent may not be unreasonably withheld or delayed. Notwithstanding the foregoing, this Agreement may be assigned by either Party to its Affiliate or in connection with a merger, consolidation, sale of all of the equity interests of the Party, or a sale of all or substantially all of the assets of the Party to which this Agreement relates. Subject to the foregoing, this Agreement will be binding on the parties and their permitted successors and assigns. 
This Agreement shall be governed by and construed under the laws of the state of New York, without reference to principles and laws relating to the conflict of laws. The competent courts of New York City, New York shall have the exclusive jurisdiction with respect to any dispute and action arising under or in relation to this Agreement. This Agreement does not, and shall not be construed to create any relationship, partnership, joint venture, employer-employee, agency, or franchisor-franchisee relationship between the Parties. Neither Party will be liable for any delay or failure to perform its obligations hereunder resulting from circumstances or causes beyond its reasonable control including, but not limited to on account of strikes, shortages, riots, insurrection, fires, flood, storms, explosions, acts of God, war, government or quasi-governmental authorities actions, acts of terrorism, earthquakes, or power outages. From time to time, Wiz may modify this Agreement. Unless otherwise specified by Wiz, changes become effective for Customer upon renewal of the then-current Subscription Term or upon the effective date of a new Order after the updated version of this Agreement goes into effect. Wiz will use reasonable efforts to notify Customer of the changes through communications via Customer’s Account, email or other means. Customer may be required to click to accept or otherwise agree to the modified Agreement before renewing a Subscription Term or upon the effective date of a new Order, and in any event continued use of any Wiz Services after the updated version of this Agreement goes into effect will constitute Customer’s acceptance of such updated version.
Effective September 11, 2023 to September 14, 2023
WIZ MASTER SUBSCRIPTION AGREEMENT
BY ACCEPTING THIS AGREEMENT OR ACCESSING OR USING THE SERVICES, YOU ARE ACCEPTING THE TERMS AND CONDITIONS OF THIS AGREEMENT, UNLESS A SEPARATE WRITTEN AGREEMENT IS IN EFFECT THAT SPECIFICALLY GOVERNS THE SUBJECT MATTER HEREOF. IF YOU DO NOT AGREE TO THIS AGREEMENT, YOU MAY NOT USE THE SERVICE. YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO ENTER INTO THIS AGREEMENT; IF YOU ARE USING THE SERVICE AS AN EMPLOYEE OR AGENT OF AN ORGANIZATION OR ENTITY, THEN YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO SIGN FOR AND BIND SUCH ORGANIZATION OR ENTITY IN ORDER TO ACCEPT THE TERMS OF THIS AGREEMENT. IF YOU DO NOT HAVE AUTHORITY TO BIND YOUR EMPLOYER OR OTHER LEGAL ENTITY, PLEASE DO NOT ACCEPT THIS AGREEMENT AND IMMEDIATELY REFRAIN FROM ACCESSING AND/OR USING THE SERVICES.
IF YOU ARE USING THE SERVICE AS A PROOF OF CONCEPT OR FOR EVALUATION PURPOSES, THE SERVICES ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND AND IN ACCORDANCE WITH THE TERMS OF SECTION 6 (“EVALUATIONS”) BELOW.
This Master Subscription Agreement (the “Agreement”) is effective on the earlier of: the date of (i) the execution of an Order referencing this Agreement; or (ii) Customer’s use of the Services (the “Effective Date”), by and between Wiz (as defined in Section 20 below) and you or the entity you represent referenced in the Order or otherwise accessing the Services (the “Customer”) (each, a “Party” and collectively, the “Parties”). Customer may use the Services (as defined below) subject to the terms below.
The Services are conditioned on Customer’s payment of the applicable fees as set forth in each Order (“Fees”) and Wiz reserves the right, following at least 15 days’ notice to Customer, to suspend Customer’s access to the Services for non or late payment. Except as set forth in this Agreement or a Direct Order, all Fees and other amounts paid pursuant to this Agreement and an Order are non-refundable and without right of set off. Unless otherwise specified in an Order: (i) Customer will pay all amounts due under this Agreement in U.S. Dollars currency, (ii) Fees for the entire Subscription Term set out in the applicable Order are due at the commencement of such Subscription Term and payable as described in the Order; (iii) all Fees are due and payable within thirty (30) days of the date of Wiz’s invoice; (iv) any amount not paid when due shall accrue interest on a daily basis until paid in full at the lesser of: (a) the rate of one and a half percent (1.5%) per month; or (b) the highest amount permitted by applicable law; and (v) all amounts payable under each Order are exclusive of all sales, use, value-added, withholding, and other direct or indirect taxes, charges, levies and duties. Customer shall bear all value added, state, local, withholding, and other taxes or other charges applicable to the Services; provided that Wiz will be responsible for any taxes imposed on Wiz’s income, assets and/or workforce.
If Customer chooses, in its sole discretion, to provide Feedback (defined below) to Wiz, nothing in this Agreement or in the parties’ dealings arising out of or related to this Agreement will restrict Wiz's right to use, profit from, disclose, publish, or otherwise exploit Feedback, without compensating or crediting Customer or the individual providing such Feedback. Customer’s Confidential Information shall not include Feedback, to the extent that such Feedback relates exclusively to Wiz’s products or services. “Feedback” means any feedback (e.g., questions, comments, suggestions or the like), whether orally or in writing, regarding any of the Services.
WIZ SHALL NOT BE RESPONSIBLE FOR ANY WARRANTIES AND REPRESENTATIONS MADE BY ANY PARTNER TO CUSTOMER, AND SUCH WARRANTIES AND REPRESENTATIONS ARE THE SOLE RESPONSIBILITY OF SUCH PARTNER.
(A) EXCEPT FOR ANY DAMAGES RESULTING FROM CUSTOMER'S VIOLATION OF WIZ'S INTELLECTUAL PROPERTY RIGHTS; NEITHER PARTY OR ITS AFFILIATES SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, OR ANY LOSS OF REVENUE, REPUTATION, OR PROFITS, DATA, OR DATA USE.
(B) EXCEPT FOR WIZ’S INDEMNIFICATION OBLIGATION UNDER SECTION 15, AND/OR DAMAGES RESULTING FROM CUSTOMER'S VIOLATION OF WIZ'S INTELLECTUAL PROPERTY RIGHTS; EITHER PARTY’S INCLUDING ITS AFFILIATES’ MAXIMUM LIABILITY FOR ANY DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT, INCLUDING ITS EXHIBITS, WHETHER IN CONTRACT OR TORT, OR OTHERWISE, SHALL IN NO EVENT EXCEED, IN THE AGGREGATE, THE TOTAL FEES ATTRIBUTABLE UNDER THE APPLICABLE ORDER TO THE TWELVE MONTH PERIOD OF THE CURRENT SUBSCRIPTION YEAR IN WHICH THE EVENT GIVING RISE TO SUCH CLAIM OCCURS. FOR CLARITY LIMITATIONS IN THIS SECTION DO NOT APPLY TO FEES DUE TO WIZ UNDER THIS AGREEMENT.
If the Platform becomes, or in Wiz’s opinion is likely to become, the subject of an IP Infringement Claim, then Wiz may, at its sole discretion: (a) procure for the Customer the right to continue using the Platform; (b) replace or modify the Platform to avoid the IP Infringement Claim; or (c) if options (a) and (b) cannot be accomplished despite Wiz’s reasonable efforts, then Wiz or Customer may terminate all affected Orders and Wiz shall provide a pro-rata refund for any amount pre-paid by Customer for the remaining unused period of the Term.
Notwithstanding the foregoing, Wiz shall have no responsibility for IP Infringement Claims to the extent resulting from or based on: (i) modifications to the Platform made by a party other than Wiz or its designee; (ii) the Customer’s failure to implement software updates provided by Wiz specifically to avoid infringement; or (iii) combination or use of the Platform with software not supplied by Wiz or not in accordance with the Documentation.
This Section states Wiz’s entire liability, and Customer’s exclusive remedy, for claims or alleged or actual infringement.
21. Miscellaneous. This Agreement, including any Order(s) and any exhibits attached or referred hereto, represents the complete agreement concerning the subject matter hereof and may be amended only by a written agreement executed by both Parties. The failure of either Party to enforce any rights granted hereunder or to take action against the other Party in the event of any breach hereunder shall not be deemed a waiver by that Party as to subsequent enforcement of rights or subsequent actions in the event of future breaches. If any provision of this Agreement is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. This Agreement represents the entire agreement of the Parties with respect to the subject matter hereof, and supersedes and replaces all prior and contemporaneous oral or written understandings, agreements and statements by the Parties with respect to such subject matter, including prior non-disclosure agreements or evaluation agreements. Without limiting the generality of the foregoing, this Agreement supersedes any terms or conditions (whether printed, hyperlinked, or otherwise) in any Customer's purchase order or other standardized business forms, which purport to supersede, modify or supplement this Agreement. Neither Party may assign its rights or obligations under this Agreement without the prior written consent of the other Party, which consent may not be unreasonably withheld or delayed. Notwithstanding the foregoing, this Agreement may be assigned by either Party to its Affiliate or in connection with a merger, consolidation, sale of all of the equity interests of the Party, or a sale of all or substantially all of the assets of the Party to which this Agreement relates. Subject to the foregoing, this Agreement will be binding on the parties and their permitted successors and assigns. 
This Agreement shall be governed by and construed under the laws of the state of New York, without reference to principles and laws relating to the conflict of laws. The competent courts of New York City, New York shall have the exclusive jurisdiction with respect to any dispute and action arising under or in relation to this Agreement. This Agreement does not, and shall not be construed to create any relationship, partnership, joint venture, employer-employee, agency, or franchisor-franchisee relationship between the Parties. Neither Party will be liable for any delay or failure to perform its obligations hereunder resulting from circumstances or causes beyond its reasonable control including, but not limited to on account of strikes, shortages, riots, insurrection, fires, flood, storms, explosions, acts of God, war, government or quasi-governmental authorities actions, acts of terrorism, earthquakes, or power outages. From time to time, Wiz may modify this Agreement. Unless otherwise specified by Wiz, changes become effective for Customer upon renewal of the then-current Subscription Term or upon the effective date of a new Order after the updated version of this Agreement goes into effect. Wiz will use reasonable efforts to notify Customer of the changes through communications via Customer’s Account, email or other means. Customer may be required to click to accept or otherwise agree to the modified Agreement before renewing a Subscription Term or upon the effective date of a new Order, and in any event continued use of any Wiz Services after the updated version of this Agreement goes into effect will constitute Customer’s acceptance of such updated version.
Effective September 11, 2023 to September 11, 2023
WIZ MASTER SUBSCRIPTION AGREEMENT
BY ACCEPTING THIS AGREEMENT OR ACCESSING OR USING THE SERVICES, YOU ARE ACCEPTING THE TERMS AND CONDITIONS OF THIS AGREEMENT, UNLESS A SEPARATE WRITTEN AGREEMENT IS IN EFFECT THAT SPECIFICALLY GOVERNS THE SUBJECT MATTER HEREOF. IF YOU DO NOT AGREE TO THIS AGREEMENT, YOU MAY NOT USE THE SERVICE. YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO ENTER INTO THIS AGREEMENT; IF YOU ARE USING THE SERVICE AS AN EMPLOYEE OR AGENT OF AN ORGANIZATION OR ENTITY, THEN YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO SIGN FOR AND BIND SUCH ORGANIZATION OR ENTITY IN ORDER TO ACCEPT THE TERMS OF THIS AGREEMENT. IF YOU DO NOT HAVE AUTHORITY TO BIND YOUR EMPLOYER OR OTHER LEGAL ENTITY, PLEASE DO NOT ACCEPT THIS AGREEMENT AND IMMEDIATELY REFRAIN FROM ACCESSING AND/OR USING THE SERVICES.
IF YOU ARE USING THE SERVICE AS A PROOF OF CONCEPT OR FOR EVALUATION PURPOSES, THE SERVICES ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND AND IN ACCORDANCE WITH THE TERMS OF SECTION 6 (“EVALUATIONS”) BELOW.
This Master Subscription Agreement (the “Agreement”) is effective on the earlier of: the date of (i) the execution of an Order referencing this Agreement; or (ii) Customer’s use of the Services (the “Effective Date”), by and between Wiz (as defined in Section 20 below) and you or the entity you represent referenced in the Order or otherwise accessing the Services (the “Customer”) (each, a “Party” and collectively, the “Parties”). Customer may use the Services (as defined below) subject to the terms below.
The Services are conditioned on Customer’s payment of the applicable fees as set forth in each Order (“Fees”) and Wiz reserves the right, following at least 15 days’ notice to Customer, to suspend Customer’s access to the Services for non or late payment. Except as set forth in this Agreement or a Direct Order, all Fees and other amounts paid pursuant to this Agreement and an Order are non-refundable and without right of set off. Unless otherwise specified in an Order: (i) Customer will pay all amounts due under this Agreement in U.S. Dollars currency, (ii) Fees for the entire Subscription Term set out in the applicable Order are due at the commencement of such Subscription Term and payable as described in the Order; (iii) all Fees are due and payable within thirty (30) days of the date of Wiz’s invoice; (iv) any amount not paid when due shall accrue interest on a daily basis until paid in full at the lesser of: (a) the rate of one and a half percent (1.5%) per month; or (b) the highest amount permitted by applicable law; and (v) all amounts payable under each Order are exclusive of all sales, use, value-added, withholding, and other direct or indirect taxes, charges, levies and duties. Customer shall bear all value added, state, local, withholding, and other taxes or other charges applicable to the Services; provided that Wiz will be responsible for any taxes imposed on Wiz’s income, assets and/or workforce.
If Customer chooses, in its sole discretion, to provide Feedback (defined below) to Wiz, nothing in this Agreement or in the parties’ dealings arising out of or related to this Agreement will restrict Wiz's right to use, profit from, disclose, publish, or otherwise exploit Feedback, without compensating or crediting Customer or the individual providing such Feedback. Customer’s Confidential Information shall not include Feedback, to the extent that such Feedback relates exclusively to Wiz’s products or services. “Feedback” means any feedback (e.g., questions, comments, suggestions or the like), whether orally or in writing, regarding any of the Services.
WIZ SHALL NOT BE RESPONSIBLE FOR ANY WARRANTIES AND REPRESENTATIONS MADE BY ANY PARTNER TO CUSTOMER, AND SUCH WARRANTIES AND REPRESENTATIONS ARE THE SOLE RESPONSIBILITY OF SUCH PARTNER.
(A) EXCEPT FOR ANY DAMAGES RESULTING FROM CUSTOMER'S VIOLATION OF WIZ'S INTELLECTUAL PROPERTY RIGHTS; NEITHER PARTY OR ITS AFFILIATES SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, OR ANY LOSS OF REVENUE, REPUTATION, OR PROFITS, DATA, OR DATA USE.
(B) EXCEPT FOR WIZ’S INDEMNIFICATION OBLIGATION UNDER SECTION 15, AND/OR DAMAGES RESULTING FROM CUSTOMER'S VIOLATION OF WIZ'S INTELLECTUAL PROPERTY RIGHTS; EITHER PARTY’S INCLUDING ITS AFFILIATES’ MAXIMUM LIABILITY FOR ANY DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT, INCLUDING ITS EXHIBITS, WHETHER IN CONTRACT OR TORT, OR OTHERWISE, SHALL IN NO EVENT EXCEED, IN THE AGGREGATE, THE TOTAL FEES ATTRIBUTABLE UNDER THE APPLICABLE ORDER TO THE TWELVE MONTH PERIOD OF THE CURRENT SUBSCRIPTION YEAR IN WHICH THE EVENT GIVING RISE TO SUCH CLAIM OCCURS. FOR CLARITY LIMITATIONS IN THIS SECTION DO NOT APPLY TO FEES DUE TO WIZ UNDER THIS AGREEMENT.
If the Platform becomes, or in Wiz’s opinion is likely to become, the subject of an IP Infringement Claim, then Wiz may, at its sole discretion: (a) procure for the Customer the right to continue using the Platform; (b) replace or modify the Platform to avoid the IP Infringement Claim; or (c) if options (a) and (b) cannot be accomplished despite Wiz’s reasonable efforts, then Wiz or Customer may terminate all affected Orders and Wiz shall provide a pro-rata refund for any amount pre-paid by Customer for the remaining unused period of the Term.
Notwithstanding the foregoing, Wiz shall have no responsibility for IP Infringement Claims to the extent resulting from or based on: (i) modifications to the Platform made by a party other than Wiz or its designee; (ii) the Customer’s failure to implement software updates provided by Wiz specifically to avoid infringement; or (iii) combination or use of the Platform with software not supplied by Wiz or not in accordance with the Documentation.
This Section states Wiz’s entire liability, and Customer’s exclusive remedy, for claims or alleged or actual infringement.
Miscellaneous. This Agreement, including any Order(s) and any exhibits attached or referred hereto, represents the complete agreement concerning the subject matter hereof and may be amended only by a written agreement executed by both Parties. The failure of either Party to enforce any rights granted hereunder or to take action against the other Party in the event of any breach hereunder shall not be deemed a waiver by that Party as to subsequent enforcement of rights or subsequent actions in the event of future breaches. If any provision of this Agreement is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. This Agreement represents the entire agreement of the Parties with respect to the subject matter hereof, and supersedes and replaces all prior and contemporaneous oral or written understandings, agreements and statements by the Parties with respect to such subject matter, including prior non-disclosure agreements or evaluation agreements. Without limiting the generality of the foregoing, this Agreement supersedes any terms or conditions (whether printed, hyperlinked, or otherwise) in any Customer's purchase order or other standardized business forms, which purport to supersede, modify or supplement this Agreement. Neither Party may assign its rights or obligations under this Agreement without the prior written consent of the other Party, which consent may not be unreasonably withheld or delayed. Notwithstanding the foregoing, this Agreement may be assigned by either Party to its Affiliate or in connection with a merger, consolidation, sale of all of the equity interests of the Party, or a sale of all or substantially all of the assets of the Party to which this Agreement relates. Subject to the foregoing, this Agreement will be binding on the parties and their permitted successors and assigns. 
This Agreement shall be governed by and construed under the laws of the state of New York, without reference to principles and laws relating to the conflict of laws. The competent courts of New York City, New York shall have the exclusive jurisdiction with respect to any dispute and action arising under or in relation to this Agreement. This Agreement does not, and shall not be construed to create any relationship, partnership, joint venture, employer-employee, agency, or franchisor-franchisee relationship between the Parties. Neither Party will be liable for any delay or failure to perform its obligations hereunder resulting from circumstances or causes beyond its reasonable control including, but not limited to on account of strikes, shortages, riots, insurrection, fires, flood, storms, explosions, acts of God, war, government or quasi-governmental authorities actions, acts of terrorism, earthquakes, or power outages. From time to time, Wiz may modify this Agreement. Unless otherwise specified by Wiz, changes become effective for Customer upon renewal of the then-current Subscription Term or upon the effective date of a new Order after the updated version of this Agreement goes into effect. Wiz will use reasonable efforts to notify Customer of the changes through communications via Customer’s Account, email or other means. Customer may be required to click to accept or otherwise agree to the modified Agreement before renewing a Subscription Term or upon the effective date of a new Order, and in any event continued use of any Wiz Services after the updated version of this Agreement goes into effect will constitute Customer’s acceptance of such updated version.
Effective August 14, 2023 to September 11, 2023
WIZ MASTER SUBSCRIPTION AGREEMENT
BY ACCEPTING THIS AGREEMENT OR ACCESSING OR USING THE SERVICES, YOU ARE ACCEPTING THE TERMS AND CONDITIONS OF THIS AGREEMENT, UNLESS A SEPARATE WRITTEN AGREEMENT IS IN EFFECT THAT SPECIFICALLY GOVERNS THE SUBJECT MATTER HEREOF. IF YOU DO NOT AGREE TO THIS AGREEMENT, YOU MAY NOT USE THE SERVICE. YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO ENTER INTO THIS AGREEMENT; IF YOU ARE USING THE SERVICE AS AN EMPLOYEE OR AGENT OF AN ORGANIZATION OR ENTITY, THEN YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO SIGN FOR AND BIND SUCH ORGANIZATION OR ENTITY IN ORDER TO ACCEPT THE TERMS OF THIS AGREEMENT. IF YOU DO NOT HAVE AUTHORITY TO BIND YOUR EMPLOYER OR OTHER LEGAL ENTITY, PLEASE DO NOT ACCEPT THIS AGREEMENT AND IMMEDIATELY REFRAIN FROM ACCESSING AND/OR USING THE SERVICES.
IF YOU ARE USING THE SERVICE AS A PROOF OF CONCEPT OR FOR EVALUATION PURPOSES, THE SERVICES ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND AND IN ACCORDANCE WITH THE TERMS OF SECTION 6 (“EVALUATIONS”) BELOW.
This Master Subscription Agreement (the “Agreement”) is effective on the earlier of: the date of (i) the execution of an Order referencing this Agreement; or (ii) Customer’s use of the Services (the “Effective Date”), by and between Wiz (as defined in Section 20 below) and you or the entity you represent referenced in the Order or otherwise accessing the Services (the “Customer”) (each, a “Party” and collectively, the “Parties”). Customer may use the Services (as defined below) subject to the terms below.
- Ordering.
- Customer may place an order for Services directly with Wiz via an order form (a “Direct Order”). Direct Orders may be entered into by Wiz or Wiz Affiliates with Customer or Customer Affiliates. Each Direct Order is hereby incorporated into this Agreement by reference and shall be deemed to be a stand-alone agreement that incorporates by reference the terms of this Agreement (mutatis mutandis) whereby each signing entity to the Direct Order shall be considered to be either “Wiz” or “Customer” referenced herein. A Customer Affiliate will have the right to enter into an Order referencing this Agreement and thereby indicating its agreement to be bound by the terms of this Agreement as if it were an original party hereto. In such case, for purposes of such Order, such Customer Affiliate will be deemed to be the “Customer” hereunder. To the extent of any conflict or inconsistency between the terms and conditions of this Agreement and a Direct Order, this Agreement shall prevail (unless a Direct Order specifically states otherwise). “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- If Customer has purchased a subscription pursuant to the terms hereof from a partner, reseller or distributor authorized by Wiz (“Partner”), to the extent there is any conflict between this Agreement and the agreement entered between Customer and the respective Partner, including any purchase order (“Partner Order”), then, as between Customer and Wiz, this Agreement shall prevail. Any rights granted to Customer in such Partner Order which are not contained in this Agreement, apply only in connection with such Partner. In that case, Customer must seek redress or realization or enforcement of such rights solely with such Partner and not Wiz. A Direct Order together with a Partner Order are referred to herein as an “Order”.
- Subscription.
- Subject to the terms and conditions of this Agreement (including payment obligations), Wiz hereby grants Customer, in connection with each Order, a limited, non-exclusive, non-sublicensable, non-transferable and revocable (as provided herein) right to use the Wiz cloud security platform (“Platform”) in object code form, during the corresponding Subscription Term (as defined in an Order), solely for Customer's internal business purposes and in accordance with the subscriptions specified in the applicable Order.
- Unless otherwise indicated, the term “Platform” also includes all software, revisions, fixes, improvements and/or updates thereto and any appliance, user manuals and documentation available within the Platform (“Documentation”) provided to Customer in connection with the operation of the Platform. Customer may only use the Platform in accordance with the Documentation, subject to any use limitations indicated in an Order, and applicable laws and regulations. The Platform and any related services provided to Customer and detailed in an Order shall be referred to as the “Services”.
- Fees.
The Services are conditioned on Customer’s payment of the applicable fees as set forth in each Order (“Fees”) and Wiz reserves the right, following at least 15 days’ notice to Customer, to suspend Customer’s access to the Services for non or late payment. Except as set forth in this Agreement or a Direct Order, all Fees and other amounts paid pursuant to this Agreement and an Order are non-refundable and without right of set off. Unless otherwise specified in an Order: (i) Customer will pay all amounts due under this Agreement in U.S. Dollars currency, (ii) Fees for the entire Subscription Term set out in the applicable Order are due at the commencement of such Subscription Term and payable as described in the Order; (iii) all Fees are due and payable within thirty (30) days of the date of Wiz’s invoice; (iv) any amount not paid when due shall accrue interest on a daily basis until paid in full at the lesser of: (a) the rate of one and a half percent (1.5%) per month; or (b) the highest amount permitted by applicable law; and (v) all amounts payable under each Order are exclusive of all sales, use, value-added, withholding, and other direct or indirect taxes, charges, levies and duties. Customer shall bear all value added, state, local, withholding, and other taxes or other charges applicable to the Services; provided that Wiz will be responsible for any taxes imposed on Wiz’s income, assets and/or workforce.
- Permitted Users. The Platform may be accessed solely by Customer or its Affiliates' employees or service providers who are explicitly authorized by Customer to use the Platform (each, a “Permitted User”). Customer will (i) ensure that Permitted Users comply with the terms of this Agreement at all times, (ii) maintain the confidentiality and security of their Wiz account credentials, and (iii) be fully responsible for any acts or omissions by a Permitted User. Customer must promptly notify Wiz upon becoming aware of any unauthorized access to or use of the Platform.
- Prohibited Uses. Except as specifically permitted herein, without the prior written consent of Wiz, Customer shall not, and shall not allow any Permitted User or any third party to, directly or indirectly: (i) copy, modify, create derivative works of or distribute any part of the Platform (including by incorporation into its products); (ii) sell, license (or sub-license), lease, assign, transfer, pledge, or share Customer's rights under this Agreement with any third party; (iii) disclose the results of any testing or benchmarking of the Platform to any third party; (iv) disassemble, decompile, reverse engineer or attempt to discover the Platform’s source code or underlying algorithms; (v) use the Platform for any use in competition with Wiz’s Services; (vi) use the Platform in a manner that violates or infringes any rights of any third party; (vii) remove or alter any trademarks or other proprietary notices related to the Platform; or (viii) circumvent, disable or otherwise interfere with security-related features of the Platform or features that enforce use limitations.
- Customer Data.
- As between the parties, Customer owns and retains all right, title and interest (including all intellectual property rights) in and to any data or information that originates, resides on, or is otherwise processed through Customer's systems and processed by Wiz in the provision of the Services (“Customer Data”). Customer has exclusive control and responsibility for determining what Customer Data it and its Permitted Users submit into the Services and for obtaining all necessary rights, consents and permissions for submission of Customer Data and processing instructions to Wiz. Customer hereby grants to Wiz a non-exclusive, worldwide, royalty-free right to use Customer Data to provide the Services and perform its obligations under this Agreement.
- If Customer Data contains personally identifiable information, to the extent applicable, the Parties shall comply with Wiz’s Data Processing Agreement (“DPA”), which is available at https://www.wiz.io/data-processing-agreement and forms an integral part of this Agreement.
- Customer acknowledges and agrees that Wiz may collect and process information regarding the configuration, performance, security, access to and use of the Services by Customer (“Account Data”) for its internal business purposes including to develop, improve, support, secure and operate the Services and to fulfill legal obligations. Notwithstanding the foregoing, nothing in this Agreement shall restrict Wiz’s use of data that has been anonymized and/or aggregated, provided that such data does not in any way identify and cannot be reasonably associated with Customer, its Affiliates, Permitted Users or any individuals connected to Customer or Customer Confidential Information (“Anonymized Data”).
- Evaluations. If Customer is using the Services for a free trial, proof of concept, evaluation, one-time assessment, or other similar purpose (“Evaluation”), such Evaluation is granted for a limited period of twenty-one (21) days, (or in the case of Wiz’s One-time free assessment for up to seven (7) days), unless Wiz agrees to an extension and in each case solely for the purpose of evaluating and testing the Services to determine whether to purchase a subscription for Customer’s internal use. Wiz may terminate Customer’s access to and use of any Evaluation at any time. Evaluations are provided “as is” without guaranteed support levels, indemnification, or warranty of any kind, whether express, implied, statutory, or otherwise. Notwithstanding Section 14 (Limitation of Liability) or any other provision of this Agreement, Wiz’s maximum aggregate liability under any Evaluation shall be capped at one thousand dollars US ($1,000 US).
- Wiz Preview Features. From time to time, upon Customer or its Permitted Users' request, Wiz may make available to Customer one or more proprietary, non-commercially available, hosted software applications, application platform interfaces, services, products, features and/or functionalities on a beta testing basis (“Wiz Preview Feature(s)”) to try at no charge. Customer may choose to try such Wiz Preview Features in its sole discretion subject to the Wiz Preview Program Terms which are available at https://www.wiz.io/preview-terms.
- Customer Integrations. Customer acknowledges that the Services may link to third party websites, applications or services that can be integrated with or connected to the Services (“Third Party Integrations”). Customer’s use of such Third Party Integrations is optional. To use such features, Customer must either obtain access to the Third Party Integrations via the third party provider or authorize Wiz to obtain access on Customer’s behalf. If Customer uses such Third Party Integrations, it acknowledges and agrees that: (a) any link from the Service does not imply any Wiz endorsement of, or responsibility for, those Third Party Integrations and the use of such Third Party Integrations are subject to the terms and conditions of the Third Party Integration provider; (b) Customer may be required to grant Wiz access to its Third Party Integration account and/or to grant the Third Party Integration provider access to its Wiz account; (c) Customer Data may be transferred between Wiz and the Third Party Integration provider as required for the interoperation with the Services; and (d) Wiz does not guarantee the continued availability of such Third Party Integrations, and may cease supporting them without liability to Customer. To the maximum extent permitted by law but without derogating from Wiz’s obligations under this Agreement, Wiz shall not bear and expressly disclaims all responsibility or liability of any kind relating to such Third Party Integrations, including, without limitation, for any disclosure of, access to or other processing of Customer Data by Third Party Integration providers.
- Warranties. Each Party represents and warrants that it is duly organized, validly existing and in good standing under the laws of its jurisdiction of incorporation or organization; and that the execution and performance of this Agreement will not conflict with other agreements to which it is bound or violate applicable law.
- Intellectual Property Rights. All right, title, and interest, including any intellectual property rights evidenced by or embodied in, attached, connected, and/or related to the Platform (and any and all improvements enhancements, corrections, modifications, alterations, revisions, extensions and updates and derivative works thereof) and any other products, deliverables or services provided by Wiz; are and shall remain owned solely by Wiz or its licensors. This Agreement does not convey to Customer any interest in or to the Platform other than a limited right to use the Platform in accordance with Section 2 (Subscription). Nothing herein constitutes a waiver of Wiz’s intellectual property rights under any law. Wiz reserves all rights not expressly granted herein to the Platform.
If Customer chooses, in its sole discretion, to provide Feedback (defined below) to Wiz, nothing in this Agreement or in the parties’ dealings arising out of or related to this Agreement will restrict Wiz's right to use, profit from, disclose, publish, or otherwise exploit Feedback, without compensating or crediting Customer or the individual providing such Feedback. Customer’s Confidential Information shall not include Feedback, to the extent that such Feedback relates exclusively to Wiz’s products or services. “Feedback” means any feedback (e.g., questions, comments, suggestions or the like), whether orally or in writing, regarding any of the Services.
- Confidentiality. Each Party may have access to certain non-public information of the other Party, in any form or media, including without limitation trade secrets and other information related to the products, software, technology, data, know-how, or business of the other Party, and any other information that a reasonable person should have reason to believe is proprietary, confidential, or competitively sensitive (the “Confidential Information”). The receiving Party will use the same standard of care to protect the disclosing Party’s Confidential Information as it uses to protect its own Confidential Information, but no less than reasonable care. The receiving Party’s obligations under this Section, with respect to any Confidential Information of the disclosing Party, shall not apply to and/or shall terminate if such information: (a) was already lawfully known to the receiving Party at the time of disclosure by the disclosing Party; (b) was disclosed to the receiving Party by a third party who had the right to make such disclosure without any confidentiality restrictions; (c) is, or through no fault of the receiving Party has become, generally available to the public; or (d) was independently developed by the receiving Party without access to, or use of, the disclosing Party’s Confidential Information. Neither Party shall use or disclose the Confidential Information of the other Party except for performance of its obligations under this Agreement. The receiving Party shall only permit access to the disclosing Party's Confidential Information to its and/or its Affiliates’ respective employees, consultants, affiliates, service providers, agents, partners, and subcontractors having a need to know such information, and who are bound by at least equivalent obligations of confidentiality and non-disclosure as those under this Agreement (such recipients being “Authorized Recipients”). 
The receiving Party is responsible for the compliance of its Authorized Recipients with the confidentiality and non-disclosure obligations of this Agreement. The receiving Party will be allowed to disclose Confidential Information to the extent that such disclosure is required by law or by the order or a court of similar judicial or administrative body, provided that, to the extent permitted by applicable law, it notifies the disclosing Party of such required disclosure to enable disclosing party to seek a protective order or otherwise prevent or restrict such disclosure. Notwithstanding the foregoing, each Party can disclose the terms and existence of this Agreement to third parties in connection with a due diligence review (i.e., a potential investment in a Party or a going-public transaction) subject to such third parties being bound by at least equivalent obligations of confidentiality and non-disclosure as those under this Agreement. All right, title and interest in and to Confidential Information are and shall remain the sole and exclusive property of the disclosing Party.
- LIMITED WARRANTIES. Wiz represents and warrants that the Platform shall substantially perform in conformance with its Documentation. As the Customer's sole and exclusive remedy and Wiz's sole liability for breach of this warranty, Wiz shall use commercially reasonable efforts to repair the Platform and, if Wiz cannot do so within a reasonable time, not to exceed 30 days, Customer may terminate this Agreement and receive a pro-rata refund of any amounts pre-paid by Customer for the remaining unused period of the Term. The warranty set forth shall not apply if the failure of the Platform results from or is otherwise attributable to Customer or its Permitted User’s acts or omissions in violation of this Agreement. Wiz shall not be liable for any inaccuracy in the Service's output and/or delay and/or unavailability of the Services, caused due to (a) failure of Customer's Internet access or any public telecommunications network, or shortage of adequate power, (b) any incompatibility between the Customer's systems and the Platform appliance and/or (c) maintenance within the Customer's systems affecting the operation of the Platform. OTHER THAN AS EXPLICITLY STATED IN THIS AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE PLATFORM, ITS RELATED SERVICES AND ANY OUTPUT RESULTED FROM THE USE OF THE PLATFORM ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. WIZ DOES NOT WARRANT THAT: (i) THE SERVICES WILL MEET CUSTOMER'S REQUIREMENTS, OR (ii) THE SERVICES WILL OPERATE ERROR-FREE. EXCEPT AS SET FORTH IN THIS AGREEMENT, WIZ EXPRESSLY DISCLAIMS ALL EXPRESS WARRANTIES AND ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, TITLE, NON-INFRINGEMENT, NON-INTERFERENCE, FITNESS FOR A PARTICULAR PURPOSE.
WIZ SHALL NOT BE RESPONSIBLE FOR ANY WARRANTIES AND REPRESENTATIONS MADE BY ANY PARTNER TO CUSTOMER, AND SUCH WARRANTIES AND REPRESENTATIONS ARE THE SOLE RESPONSIBILITY OF SUCH PARTNER.
(A) EXCEPT FOR ANY DAMAGES RESULTING FROM CUSTOMER'S VIOLATION OF WIZ'S INTELLECTUAL PROPERTY RIGHTS; NEITHER PARTY OR ITS AFFILIATES SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, OR ANY LOSS OF REVENUE, REPUTATION, OR PROFITS, DATA, OR DATA USE.
(B) EXCEPT FOR WIZ’S INDEMNIFICATION OBLIGATION UNDER SECTION 15, AND/OR DAMAGES RESULTING FROM CUSTOMER'S VIOLATION OF WIZ'S INTELLECTUAL PROPERTY RIGHTS; EITHER PARTY’S INCLUDING ITS AFFILIATES’ MAXIMUM LIABILITY FOR ANY DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT, INCLUDING ITS EXHIBITS, WHETHER IN CONTRACT OR TORT, OR OTHERWISE, SHALL IN NO EVENT EXCEED, IN THE AGGREGATE, THE TOTAL FEES ATTRIBUTABLE UNDER THE APPLICABLE ORDER TO THE TWELVE MONTH PERIOD OF THE CURRENT SUBSCRIPTION YEAR IN WHICH THE EVENT GIVING RISE TO SUCH CLAIM OCCURS. FOR CLARITY LIMITATIONS IN THIS SECTION DO NOT APPLY TO FEES DUE TO WIZ UNDER THIS AGREEMENT.
- Indemnification. Wiz agrees to defend, at its expense, any third party action or suit brought against the Customer alleging that the Platform, when used as permitted under this Agreement and each respective Order or Partner Order (as the case may be), infringes intellectual property rights of a third party (“IP Infringement Claim”); and Wiz will pay any damages awarded in a final judgment against the Customer that are attributable to any such claim, or that are otherwise agreed in a settlement with the prior written consent of Wiz, provided that (i) the Customer promptly notifies Wiz in writing of such claim; (ii) the Customer grants Wiz the sole authority to handle the defense or settlement of any such claim and provides Wiz with all reasonable information and assistance, at Wiz’s expense; and (iii) the Customer refrains from admitting any liability or otherwise compromising the defense in whole or in part, without the express prior written consent of Wiz. Wiz will not enter into any settlement that imposes any legal liability or financial obligation on Customer without Customer’s prior written consent.
If the Platform becomes, or in Wiz’s opinion is likely to become, the subject of an IP Infringement Claim, then Wiz may, at its sole discretion: (a) procure for the Customer the right to continue using the Platform; (b) replace or modify the Platform to avoid the IP Infringement Claim; or (c) if options (a) and (b) cannot be accomplished despite Wiz’s reasonable efforts, then Wiz or Customer may terminate all affected Orders and Wiz shall provide a pro-rata refund for any amount pre-paid by Customer for the remaining unused period of the Term.
Notwithstanding the foregoing, Wiz shall have no responsibility for IP Infringement Claims to the extent resulting from or based on: (i) modifications to the Platform made by a party other than Wiz or its designee; (ii) the Customer’s failure to implement software updates provided by Wiz specifically to avoid infringement; or (iii) combination or use of the Platform with software not supplied by Wiz or not in accordance with the Documentation.
This Section states Wiz’s entire liability, and Customer’s exclusive remedy, for claims or alleged or actual infringement.
- Term. This Agreement shall enter into force and effect on the Effective Date and, unless earlier terminated in accordance with Section 17, shall remain in full force and effect until all Orders expire or are terminated (the “Term”).
- Termination. Either Party may terminate an Order and/or this Agreement for cause with immediate effect if (a) the other Party breaches any material term or condition of an Order and/or this Agreement, and (b) such breach remains uncured thirty (30) days after the breaching Party receives written notice thereof. Upon termination or expiration of this Agreement and/or an Order: (i) all rights granted to Customer in the Platform shall expire, and Customer shall discontinue any further use and access thereof including, to the extent applicable, by deinstalling any Wiz provided software; (ii) Customer shall immediately delete and dispose of all copies of the Documentation in Customer’s or any of its representatives’ possession or control; and (iii) Wiz may retain Customer Data in accordance with its customer data retention policy without affecting any of Wiz’s rights to the Account Data or Anonymized Data. Section 5 (Prohibited Uses), Section 6 (Customer Data), Section 7 (Evaluations), Section 8 (Wiz Preview Features), Section 9 (Customer Integrations), Section 11 (Intellectual Property), Section 12 (Confidentiality), Section 13 (Limited Warranties), Section 14 (Limitation of Liability), Section 17 (Termination), Section 20 (Contracting) and Section 21 (Miscellaneous) shall survive termination or expiration of this Agreement for any reason. Customer shall be responsible for downloading its Customer Data prior to termination of this Agreement.
- Customer Reference. Unless stated otherwise in an Order or Customer emails Wiz at advocates@wiz.io confirming otherwise, Customer hereby grants Wiz a revocable right and license to use: (a) Customer’s name to identify Customer as a customer of Wiz on Wiz’s websites, presentations, marketing materials or otherwise (collectively, “Marketing Materials”); and/or (b) Customer’s logo to identify Customer as customer of Wiz, in Wiz’s Marketing Materials. Without derogating from the foregoing, unless Customer confirms otherwise via email as set out in the previous sentence, following the deployment of the Services, Customer hereby agrees to participate in a case study about Wiz and its Services which may be published by Wiz in its Marketing Materials.
- Export Compliance. The Services may be subject to export laws and regulations of the United States and other jurisdictions. Wiz and Customer each represents that it is not on any U.S. government denied-party list. Customer will not permit any Permitted User to access or use any Service in a U.S. embargoed country or region (currently the Crimea, Luhansk or Donetsk regions, Cuba, Iran, North Korea, Sudan or Syria) or as may be updated from time to time, or in violation of any U.S. export law or regulation.
- Contracting entity. For the purposes of this Agreement “Wiz” means Wiz Inc., a company incorporated under the laws of the State of Delaware, having its principal place of business at One Manhattan West, 57th Floor, New York, NY 10001 or its Affiliates, as applicable. For clarity, unless a Direct Order specifies otherwise, the Wiz entity contracting with Customer hereunder will be (i) Wiz, Inc., if Customer is located outside of the UK or Europe or is purchasing via a cloud service provider marketplace; or (ii) Wiz Cloud Limited, a private limited company under the laws of England and Wales, if Customer is located in the UK or Europe and not purchasing via a cloud service provider.
- Miscellaneous. This Agreement, including any Order(s) and any exhibits attached or referred hereto, represents the complete agreement concerning the subject matter hereof and may be amended only by a written agreement executed by both Parties. The failure of either Party to enforce any rights granted hereunder or to take action against the other Party in the event of any breach hereunder shall not be deemed a waiver by that Party as to subsequent enforcement of rights or subsequent actions in the event of future breaches. If any provision of this Agreement is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. This Agreement represents the entire agreement of the Parties with respect to the subject matter hereof, and supersedes and replaces all prior and contemporaneous oral or written understandings, agreements and statements by the Parties with respect to such subject matter, including prior non-disclosure agreements or evaluation agreements. Without limiting the generality of the foregoing, this Agreement supersedes any terms or conditions (whether printed, hyperlinked, or otherwise) in any Customer's purchase order or other standardized business forms, which purport to supersede, modify or supplement this Agreement. Neither Party may assign its rights or obligations under this Agreement without the prior written consent of the other Party, which consent may not be unreasonably withheld or delayed. Notwithstanding the foregoing, this Agreement may be assigned by either Party to its Affiliate or in connection with a merger, consolidation, sale of all of the equity interests of the Party, or a sale of all or substantially all of the assets of the Party to which this Agreement relates. Subject to the foregoing, this Agreement will be binding on the parties and their permitted successors and assigns.
This Agreement shall be governed by and construed under the laws of the state of New York, without reference to principles and laws relating to the conflict of laws. The competent courts of New York City, New York shall have the exclusive jurisdiction with respect to any dispute and action arising under or in relation to this Agreement. This Agreement does not, and shall not be construed to create any relationship, partnership, joint venture, employer-employee, agency, or franchisor-franchisee relationship between the Parties. Neither Party will be liable for any delay or failure to perform its obligations hereunder resulting from circumstances or causes beyond its reasonable control including, but not limited to on account of strikes, shortages, riots, insurrection, fires, flood, storms, explosions, acts of God, war, government or quasi-governmental authorities actions, acts of terrorism, earthquakes, or power outages. From time to time, Wiz may modify this Agreement. Unless otherwise specified by Wiz, changes become effective for Customer upon renewal of the then-current Subscription Term or upon the effective date of a new Order after the updated version of this Agreement goes into effect. Wiz will use reasonable efforts to notify Customer of the changes through communications via Customer’s Account, email or other means. Customer may be required to click to accept or otherwise agree to the modified Agreement before renewing a Subscription Term or upon the effective date of a new Order, and in any event continued use of any Wiz Services after the updated version of this Agreement goes into effect will constitute Customer’s acceptance of such updated version.
Effective July 5, 2023 to August 14, 2023
- Ordering.
- Customer may place an order for Services directly with Wiz via an order form (a “Direct Order”). Direct Orders may be entered into by Wiz or Wiz Affiliates with Customer or Customer Affiliates. Each Direct Order is hereby incorporated into this Agreement by reference and shall be deemed to be a stand-alone agreement that incorporates by reference the terms of this Agreement (mutatis mutandis) whereby each signing entity to the Direct Order shall be considered to be either “Wiz” or “Customer” referenced herein. A Customer Affiliate will have the right to enter into an Order referencing this Agreement and thereby indicating its agreement to be bound by the terms of this Agreement as if it were an original party hereto. In such case, for purposes of such Order, such Customer Affiliate will be deemed to be the “Customer” hereunder. To the extent of any conflict or inconsistency between the terms and conditions of this Agreement and a Direct Order, this Agreement shall prevail (unless a Direct Order specifically states otherwise). “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.
- If Customer has purchased a subscription pursuant to the terms hereof from a partner, reseller or distributor authorized by Wiz (“Partner”), to the extent there is any conflict between this Agreement and the agreement entered between Customer and the respective Partner, including any purchase order (“Partner Order”), then, as between Customer and Wiz, this Agreement shall prevail. Any rights granted to Customer in such Partner Order which are not contained in this Agreement, apply only in connection with such Partner. In that case, Customer must seek redress or realization or enforcement of such rights solely with such Partner and not Wiz. A Direct Order together with a Partner Order are referred to herein as an “Order”.
- Subscription.
- Subject to the terms and conditions of this Agreement (including payment obligations), Wiz hereby grants Customer, in connection with each Order, a limited, non-exclusive, non-sublicensable, non-transferable and revocable (as provided herein) right to use the Wiz cloud security platform (“Platform”) in object code form, during the corresponding Subscription Term (as defined in an Order), solely for Customer's internal business purposes and in accordance with the subscriptions specified in the applicable Order.
- Unless otherwise indicated, the term “Platform” also includes all software, revisions, fixes, improvements and/or updates thereto and any appliance, user manuals and documentation available within the Platform (“Documentation”) provided to Customer in connection with the operation of the Platform. Customer may only use the Platform in accordance with the Documentation, subject to any use limitations indicated in an Order, and applicable laws and regulations. The Platform and any related services provided to Customer and detailed in an Order shall be referred to as the “Services”.
- Fees.
- Permitted Users. The Platform may be accessed solely by Customer or its Affiliates' employees or service providers who are explicitly authorized by Customer to use the Platform (each, a “Permitted User”). Customer will (i) ensure that Permitted Users comply with the terms of this Agreement at all times, (ii) maintain the confidentiality and security of their Wiz account credentials, and (iii) be fully responsible for any acts or omissions by a Permitted User. Customer must promptly notify Wiz upon becoming aware of any unauthorized access to or use of the Platform. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- Prohibited Uses. Except as specifically permitted herein, without the prior written consent of Wiz, Customer shall not, and shall not allow any Permitted User or any third party to, directly or indirectly: (i) copy, modify, create derivative works of or distribute any part of the Platform (including by incorporation into its products); (ii) sell, license (or sub-license), lease, assign, transfer, pledge, or share Customer's rights under this Agreement with any third party; (iii) disclose the results of any testing or benchmarking of the Platform to any third party; (iv) disassemble, decompile, reverse engineer or attempt to discover the Platform’s source code or underlying algorithms; (v) use the Platform for any use in competition with Wiz’s Services; (vi) use the Platform in a manner that violates or infringes any rights of any third party; (vii) remove or alter any trademarks or other proprietary notices related to the Platform; or (viii) circumvent, disable or otherwise interfere with security-related features of the Platform or features that enforce use limitations.
- Customer Data.
- As between the parties, Customer owns and retains all right, title and interest (including all intellectual property rights) in and to any data or information that originates, resides on, or is otherwise processed through Customer's systems and processed by Wiz in the provision of the Services (“Customer Data”). Customer has exclusive control and responsibility for determining what Customer Data it and its Permitted Users submit into the Services and for obtaining all necessary rights, consents and permissions for submission of Customer Data and processing instructions to Wiz. Customer hereby grants to Wiz a non-exclusive, worldwide, royalty-free right to use Customer Data to provide the Services and perform its obligations under this Agreement.
- If Customer Data contains personally identifiable information, to the extent applicable, the Parties shall comply with Wiz’s Data Processing Agreement (“DPA”), which is available at https://www.wiz.io/data-processing-agreement and forms an integral part of this Agreement.
- Customer acknowledges and agrees that Wiz may collect and process information regarding the configuration, performance, security, access to and use of the Services by Customer (“Account Data”) for its internal business purposes including to develop, improve, support, secure and operate the Services and to fulfill legal obligations. Notwithstanding the foregoing, nothing in this Agreement shall restrict Wiz’s use of data that has been anonymized and/or aggregated, provided that such data does not in any way identify and cannot be reasonably associated with Customer, its Affiliates, Permitted Users or any individuals connected to Customer or Customer Confidential Information (“Anonymized Data”).
- Evaluations. If Customer is using the Services for a free trial, proof of concept, evaluation, or other similar purpose (“Evaluation”), such Evaluation is granted for a limited period of twenty-one (21) days unless Wiz agrees to an extension and in each case solely for the purpose of evaluating and testing the Services to determine whether to purchase a subscription for Customer’s internal use. Wiz may terminate Customer’s access to and use of any Evaluation at any time. Evaluations are provided “as is” without guaranteed support levels, indemnification, or warranty of any kind, whether express, implied, statutory, or otherwise. Notwithstanding Section 14 (Limitation of Liability) or any other provision of this Agreement, Wiz’s maximum aggregate liability under any Evaluation shall be capped at one thousand dollars US ($1,000 US).
- Wiz Preview Features. From time to time, upon Customer or its Permitted Users' request, Wiz may make available to Customer one or more proprietary, non-commercially available, hosted software applications, application platform interfaces, services, products, features and/or functionalities on a beta testing basis (“Wiz Preview Feature(s)”) to try at no charge. Customer may choose to try such Wiz Preview Features in its sole discretion subject to the Wiz Preview Program Terms which are available at https://www.wiz.io/preview-terms.
- Customer Integrations. Customer acknowledges that the Services may link to third party websites, applications or services that can be integrated with or connected to the Services (“Third Party Integrations”). Customer’s use of such Third Party Integrations is optional. To use such features, Customer must either obtain access to the Third Party Integrations via the third party provider or authorize Wiz to obtain access on Customer’s behalf. If Customer uses such Third Party Integrations, it acknowledges and agrees that: (a) any link from the Service does not imply any Wiz endorsement of, or responsibility for, those Third Party Integrations and the use of such Third Party Integrations are subject to the terms and conditions of the Third Party Integration provider; (b) Customer may be required to grant Wiz access to its Third Party Integration account and/or to grant the Third Party Integration provider access to its Wiz account; (c) Customer Data may be transferred between Wiz and the Third Party Integration provider as required for the interoperation with the Services; and (d) Wiz does not guarantee the continued availability of such Third Party Integrations, and may cease supporting them without liability to Customer. To the maximum extent permitted by law but without derogating from Wiz’s obligations under this Agreement, Wiz shall not bear and expressly disclaims all responsibility or liability of any kind relating to such Third Party Integrations, including, without limitation, for any disclosure of, access to or other processing of Customer Data by Third Party Integration providers.
- Warranties. Each Party represents and warrants that it is duly organized, validly existing and in good standing under the laws of its jurisdiction of incorporation or organization; and that the execution and performance of this Agreement will not conflict with other agreements to which it is bound or violate applicable law.
- Intellectual Property Rights. All right, title, and interest, including any intellectual property rights evidenced by or embodied in, attached, connected, and/or related to the Platform (and any and all improvements enhancements, corrections, modifications, alterations, revisions, extensions and updates and derivative works thereof) and any other products, deliverables or services provided by Wiz; are and shall remain owned solely by Wiz or its licensors. This Agreement does not convey to Customer any interest in or to the Platform other than a limited right to use the Platform in accordance with Section 2 (Subscription). Nothing herein constitutes a waiver of Wiz’s intellectual property rights under any law. Wiz reserves all rights not expressly granted herein to the Platform.
- Confidentiality. Each Party may have access to certain non-public information of the other Party, in any form or media, including without limitation trade secrets and other information related to the products, software, technology, data, know-how, or business of the other Party, and any other information that a reasonable person should have reason to believe is proprietary, confidential, or competitively sensitive (the “Confidential Information”). The receiving Party will use the same standard of care to protect the disclosing Party’s Confidential Information as it uses to protect its own Confidential Information, but no less than reasonable care. The receiving Party’s obligations under this Section, with respect to any Confidential Information of the disclosing Party, shall not apply to and/or shall terminate if such information: (a) was already lawfully known to the receiving Party at the time of disclosure by the disclosing Party; (b) was disclosed to the receiving Party by a third party who had the right to make such disclosure without any confidentiality restrictions; (c) is, or through no fault of the receiving Party has become, generally available to the public; or (d) was independently developed by the receiving Party without access to, or use of, the disclosing Party’s Confidential Information. Neither Party shall use or disclose the Confidential Information of the other Party except for performance of its obligations under this Agreement. The receiving Party shall only permit access to the disclosing Party's Confidential Information to its and/or its Affiliates’ respective employees, consultants, affiliates, service providers, agents and subcontractors having a need to know such information, and who are bound by at least equivalent obligations of confidentiality and non-disclosure as those under this Agreement (such recipients being “Authorized Recipients”). 
The receiving Party is responsible for the compliance of its Authorized Recipients with the confidentiality and non-disclosure obligations of this Agreement. The receiving Party will be allowed to disclose Confidential Information to the extent that such disclosure is required by law or by the order or a court of similar judicial or administrative body, provided that, to the extent permitted by applicable law, it notifies the disclosing Party of such required disclosure to enable disclosing party to seek a protective order or otherwise prevent or restrict such disclosure. Notwithstanding the foregoing, each Party can disclose the terms and existence of this Agreement to third parties in connection with a due diligence review (i.e., a potential investment in a Party or a going-public transaction) subject to such third parties being bound by at least equivalent obligations of confidentiality and non-disclosure as those under this Agreement. All right, title and interest in and to Confidential Information are and shall remain the sole and exclusive property of the disclosing Party.
- LIMITED WARRANTIES. Wiz represents and warrants that the Platform shall substantially perform in conformance with its Documentation. As the Customer's sole and exclusive remedy and Wiz's sole liability for breach of this warranty, Wiz shall use commercially reasonable efforts to repair the Platform and, if Wiz cannot do so within a reasonable time, not to exceed 30 days, Customer may terminate this Agreement and receive a pro-rata refund of any amounts pre-paid by Customer for the remaining unused period of the Term. The warranty set forth shall not apply if the failure of the Platform results from or is otherwise attributable to Customer or its Permitted User’s acts or omissions in violation of this Agreement. Wiz shall not be liable for any inaccuracy in the Service's output and/or delay and/or unavailability of the Services, caused due to (a) failure of Customer's Internet access or any public telecommunications network, or shortage of adequate power, (b) any incompatibility between the Customer's systems and the Platform appliance and/or (c) maintenance within the Customer's systems affecting the operation of the Platform. OTHER THAN AS EXPLICITLY STATED IN THIS AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE PLATFORM, ITS RELATED SERVICES AND ANY OUTPUT RESULTED FROM THE USE OF THE PLATFORM ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. WIZ DOES NOT WARRANT THAT: (i) THE SERVICES WILL MEET CUSTOMER'S REQUIREMENTS, OR (ii) THE SERVICES WILL OPERATE ERROR-FREE. EXCEPT AS SET FORTH IN THIS AGREEMENT, WIZ EXPRESSLY DISCLAIMS ALL EXPRESS WARRANTIES AND ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, TITLE, NON-INFRINGEMENT, NON-INTERFERENCE, FITNESS FOR A PARTICULAR PURPOSE.
- Indemnification. Wiz agrees to defend, at its expense, any third party action or suit brought against the Customer alleging that the Platform, when used as permitted under this Agreement and each respective Order or Partner Order (as the case may be), infringes intellectual property rights of a third party (“IP Infringement Claim”); and Wiz will pay any damages awarded in a final judgment against the Customer that are attributable to any such claim, or that are otherwise agreed in a settlement with the prior written consent of Wiz, provided that (i) the Customer promptly notifies Wiz in writing of such claim; (ii) the Customer grants Wiz the sole authority to handle the defense or settlement of any such claim and provides Wiz with all reasonable information and assistance, at Wiz’s expense; and (iii) the Customer refrains from admitting any liability or otherwise compromising the defense in whole or in part, without the express prior written consent of Wiz. Wiz will not enter into any settlement that imposes any legal liability or financial obligation on Customer without Customer’s prior written consent.
- Term. This Agreement shall enter into force and effect on the Effective Date and, unless earlier terminated in accordance with Section 17, shall remain in full force and effect until all Orders expire or are terminated (the “Term”).
- Termination. Either Party may terminate an Order and/or this Agreement for cause with immediate effect if (a) the other Party breaches any material term or condition of an Order and/or this Agreement, and (b) such breach remains uncured thirty (30) days after the breaching Party receives written notice thereof. Upon termination or expiration of this Agreement and/or an Order: (i) all rights granted to Customer in the Platform shall expire, and Customer shall discontinue any further use and access thereof including, to the extent applicable, by deinstalling any Wiz provided software; (ii) Customer shall immediately delete and dispose of all copies of the Documentation in Customer’s or any of its representatives’ possession or control; and (iii) Wiz may retain Customer Data in accordance with its customer data retention policy without affecting any of Wiz’s rights to the Account Data or Anonymized Data. Section 5 (Prohibited Uses), Section 6 (Customer Data), Section 7 (Evaluations), Section 8 (Wiz Preview Features), Section 9 (Customer Integrations), Section 11 (Intellectual Property), Section 12 (Confidentiality), Section 13 (Limited Warranties), Section 14 (Limitation of Liability), Section 17 (Termination), Section 20 (Contracting) and Section 21 (Miscellaneous) shall survive termination or expiration of this Agreement for any reason. Customer shall be responsible for downloading its Customer Data prior to termination of this Agreement. Each Partner Order Form may be terminated in accordance with any termination rights specified therein.
- Customer Reference. Unless stated otherwise in an Order or Customer emails Wiz at advocates@wiz.io confirming otherwise, Customer hereby grants Wiz a revocable right and license to use: (a) Customer’s name to identify Customer as a customer of Wiz on Wiz’s websites, presentations, marketing materials or otherwise (collectively, “Marketing Materials”); and/or (b) Customer’s logo to identify Customer as customer of Wiz, in Wiz’s Marketing Materials. Without derogating from the foregoing, unless Customer confirms otherwise via email as set out in the previous sentence, following the deployment of the Services, Customer hereby agrees to participate in a case study about Wiz and its Services which may be published by Wiz in its Marketing Materials.
- Export Compliance. The Services may be subject to export laws and regulations of the United States and other jurisdictions. Wiz and Customer each represents that it is not on any U.S. government denied-party list. Customer will not permit any Permitted User to access or use any Service in a U.S. embargoed country or region (currently the Crimea, Luhansk or Donetsk regions, Cuba, Iran, North Korea, Sudan or Syria) or as may be updated from time to time, or in violation of any U.S. export law or regulation.
- Contracting entity. For the purposes of this Agreement “Wiz” means Wiz Inc., a company incorporated under the laws of the State of Delaware, having its principal place of business at One Manhattan West, 57th Floor, New York, NY 10001 or its Affiliates, as applicable. For clarity, unless a Direct Order specifies otherwise, the Wiz entity contracting with Customer hereunder will be (i) Wiz, Inc., if Customer is located outside of the UK or Europe or is purchasing via a cloud service provider marketplace; or (ii) Wiz Cloud Limited, a private limited company under the laws of England and Wales, if Customer is located in the UK or Europe and not purchasing via a cloud service provider.
- Miscellaneous. This Agreement, including any Order(s) and any exhibits attached or referred hereto, represents the complete agreement concerning the subject matter hereof and may be amended only by a written agreement executed by both Parties. The failure of either Party to enforce any rights granted hereunder or to take action against the other Party in the event of any breach hereunder shall not be deemed a waiver by that Party as to subsequent enforcement of rights or subsequent actions in the event of future breaches. If any provision of this Agreement is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. This Agreement represents the entire agreement of the Parties with respect to the subject matter hereof, and supersedes and replaces all prior and contemporaneous oral or written understandings, agreements and statements by the Parties with respect to such subject matter, including prior non-disclosure agreements or evaluation agreements. Without limiting the generality of the foregoing, this Agreement supersedes any terms or conditions (whether printed, hyperlinked, or otherwise) in any Customer's purchase order or other standardized business forms, which purport to supersede, modify or supplement this Agreement. Neither Party may assign its rights or obligations under this Agreement without the prior written consent of the other Party, which consent may not be unreasonably withheld or delayed. Notwithstanding the foregoing, this Agreement may be assigned by either Party to its Affiliate or in connection with a merger, consolidation, sale of all of the equity interests of the Party, or a sale of all or substantially all of the assets of the Party to which this Agreement relates. Subject to the foregoing, this Agreement will be binding on the parties and their permitted successors and assigns. 
This Agreement shall be governed by and construed under the laws of the state of New York, without reference to principles and laws relating to the conflict of laws. The competent courts of New York City, New York shall have the exclusive jurisdiction with respect to any dispute and action arising under or in relation to this Agreement. This Agreement does not, and shall not be construed to create any relationship, partnership, joint venture, employer-employee, agency, or franchisor-franchisee relationship between the Parties. Neither Party will be liable for any delay or failure to perform its obligations hereunder resulting from circumstances or causes beyond its reasonable control including, but not limited to on account of strikes, shortages, riots, insurrection, fires, flood, storms, explosions, acts of God, war, government or quasi-governmental authorities actions, acts of terrorism, earthquakes, or power outages. From time to time, Wiz may modify this Agreement. Unless otherwise specified by Wiz, changes become effective for Customer upon renewal of the then-current Subscription Term or upon the effective date of a new Order after the updated version of this Agreement goes into effect. Wiz will use reasonable efforts to notify Customer of the changes through communications via Customer’s Account, email or other means. Customer may be required to click to accept or otherwise agree to the modified Agreement before renewing a Subscription Term or upon the effective date of a new Order, and in any event continued use of any Wiz Services after the updated version of this Agreement goes into effect will constitute Customer’s acceptance of such updated version.
Wiz Security Addendum
Effective November 20, 2023
This Wiz Security Addendum is incorporated into and made a part of the Wiz Master Subscription Agreement or other written agreement between Wiz and Customer that references this document (the “Agreement”) and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement.
Wiz has implemented a comprehensive security, compliance and privacy management program under which Wiz maintains industry standard physical, administrative, organizational and technical safeguards designed to protect the confidentiality, integrity, availability, and security of the Services and Customer Data, including the measures set forth herein (the “Security Program”). Wiz regularly tests and evaluates its Security Program and may review and update its Security Program as well as this Wiz Security Addendum from time to time including to take into account technological developments, provided, however, that such updates shall be designed to enhance and not materially diminish the Security Program.
- IaaS and hosting.
- IaaS Provider. Wiz’s Platform is hosted on AWS.
- Hosting location. Wiz offers hosting in several locations including in the US, the EU and the UK. Customer may select the region in which their Wiz tenant will be hosted prior to the tenant being created.
- Wiz’s Audits & Certifications.
- Certifications. Wiz shall be assessed by independent third-party auditors on at least an annual basis under the following audits and certifications (“Third Party Certifications”): SOC2 Type 2, SOC3, ISO 27001, ISO 27701, ISO 27017 and/or ISO 27018. Wiz shall make available to Customer such Third-Party Certifications upon Customer’s written request. To the extent Wiz decides to discontinue a Third-Party Certification, Wiz will adopt or maintain an equivalent, industry-recognized framework or standard.
- PCI-DSS. To the extent Wiz processes cardholder data in the provision of Services, Wiz shall perform a Payment Card Industry Data Security Standard Attestation of Compliance (“AOC”) for Service Providers on an annual basis and shall provide such AOC to Customer upon Customer’s written request.
- Encryption.
- Encryption of Customer Data. Customer Data shall be encrypted by Wiz in transit (TLS 1.2 or above) and at rest (AES 256).
- Key Management. Wiz utilizes AWS’ Key Management System (KMS) to encrypt Customer Data. Keys are rotated periodically and are stored only in the KMS in the region of the Customer’s Wiz tenant.
- Authentication, Authorization, and Credential Management.
- User Authentication (Wiz Employees). Wiz enforces user authentication and authorization on Wiz systems via Single Sign-on (“SSO”) and multifactor authentication (“MFA”).
- User Authentication (Customer using Wiz). Wiz supports SAML 2.0 compliant SSO applications, allowing customers to manage authentication for their own Wiz tenant.
- Secure Storage of Credentials. Wiz uses managed authentication services (Okta for Wiz’s employee environment; Amazon Cognito for Wiz’s software platform) to handle authentication and associated credential management, including encryption in-motion and at-rest for passwords and other forms of credentials. Cloud-native Key Management Systems, such as AWS KMS, are used to store other forms of access tokens and secrets.
- Role-based Access Control (RBAC) for Wiz Employees. Access to Wiz information assets is restricted, and is granted to Wiz employees and contractors in order to fulfill their duties on a need-to-use basis and following the least privilege principle. Wiz employees and contractors are not granted access to any information asset that is not required by their work at Wiz. Wiz has defined various user roles, according to the positions and activities in the company. Each Wiz employee and contractor is assigned one of these roles and receives access control privileges relevant to that role. Quarterly reviews for user access will be conducted and access will be immediately revoked for unrequired access.
- Role-based Access Control for Customers using Wiz. Wiz provides customers with the ability to define roles for their own Wiz users that control the information they see and the actions they perform.
- Access to Customer Data. Wiz personnel will not access Customer Data except (i) as reasonably necessary to provide the Wiz Services under the Agreement; (ii) with Customer’s permission; or (iii) to comply with the law or a binding order of a governmental body.
- Minimum password requirements. Wiz shall follow the guidance provided by NIST 800-63B Digital Identity Guidelines to enforce password security controls, including length, complexity, re-use, lock-out, and use of multi-factor authentication. Passwords must never be stored in plain-text nor transmitted over unencrypted channels.
- Session lifespan. Single sign-on sessions expire after 8 hours of inactivity with a maximum duration of 12 hours.
- Workstation and Device Security
- Session Lock out. End-user devices are set to screen lock and require a password after 15 minutes of inactivity.
- Workstation Security Controls. For access to Wiz systems, Wiz personnel must use Wiz-issued laptops which utilize security controls that include, but are not limited to, (i) disk encryption, (ii) endpoint firewall, (iii) anti-malware and endpoint detection and response (EDR) tools, and (iv) vulnerability management tools in accordance with Section 9.1 (Vulnerability & Detection Management).
- Anti-malware. Wiz maintains anti-malware controls to automatically detect and prevent malicious files, user activity, and network activity on Wiz workstations, within Wiz’s e-mail, and within Wiz’s corporate cloud storage solutions.
- Workstation Management and Hardening. Wiz utilizes system management technologies to ensure that all endpoints are appropriately configured, hardened, and patched following Wiz’s technical procedures and applicable industry standards such as CIS Benchmarks.
- Data Loss Prevention. Wiz utilizes Data Loss Prevention (DLP) technologies to monitor and control sensitive information that is stored or accessed on systems. Wiz workstations are restricted from using removable storage devices and media.
- Cloud Infrastructure Security
- Separation of Environments. Wiz’s cloud network is divided into three segregated network environments: The development network, the staging network, and the production network. Each of these environments is segregated from the others and has its own privilege allocation and access control. There is no shared network, communication, or co-operation between the networks. Customer Data is never stored or accessed in development environments.
- Infrastructure as Code. Wiz’s cloud production environments are configured, provisioned, and managed through Infrastructure as Code (IaC), and subject to the controls defined in Wiz’s Software Development Lifecycle (SDLC).
- Remote Access. Wiz enforces device, network, authentication, and resource-specific authorization controls to limit access to development and production environments. Wiz does not automatically confer privileged access to any workstations or devices based on location.
- Network Security. Wiz utilizes cloud-native network security technologies, including network security groups, Web Application Firewalls, access gateways, application load balancers, and VPC configurations, to restrict ingress and egress traffic in cloud environments to the minimum sets of services and addresses required for business functionality.
- Cloud Infrastructure Hardening. Wiz utilizes its own instance of the Platform (“Wiz for Wiz”) in conjunction with cloud-native security services to ensure that cloud resources are configured and secured in accordance with Wiz’s internal technical procedures and industry standards such as the CIS AWS benchmarks.
- Anti-malware. Wiz utilizes Wiz for Wiz in conjunction with cloud-native security services to detect and respond to potentially malicious activity on its cloud-hosted workloads or networks.
- Monitoring & Logging.
- Logging. Wiz maintains security auditing and logging capabilities for the infrastructure, SaaS applications, and cloud services that support its corporate, development, and production environments in accordance with Wiz’s Information Security Policies. The use and activity of Wiz information assets is logged and audited for suspicious activity. Wiz preserves security-related logs for a minimum of 12 months unless otherwise specified in its security policies and procedures.
- Detection and Response Operations. Wiz uses Security Information Event Management (SIEM), Detection, and Alert Notification technologies to centralize and analyze logs, apply detection criteria, and escalate and route events to the appropriate security teams.
- Customer Access to Logs. Customers have access to system and user activity logs for their respective Wiz tenant via the Platform, and can export these logs to their own log storage or SIEM platforms as described in the Documentation.
- Security in the development process.
- SDLC. Software development in Wiz is performed according to Wiz’s Change Management & Software Development Life Cycle (SDLC) procedures.
- Security Reviews. Wiz conducts security reviews for significant changes, such as major new product features or changes that impact Wiz’s security posture, during the design and development process.
- Peer Reviews. Code changes must undergo secondary review and approval before being promoted to production.
- Security Testing within the SDLC. Wiz uses security technologies to automatically scan for vulnerabilities, exposed secrets, and code security risks as part of the CI/CD pipeline.
- Vulnerability Detection & Management.
- Vulnerability Detection & Management. Wiz shall maintain a continuous vulnerability management process across its corporate and production environments to ensure that vulnerabilities and other threats are quickly identified, prioritized, and remediated. This includes carrying out internal vulnerability tests daily and external vulnerability tests regularly (at least quarterly). Vulnerabilities shall be remediated according to Wiz’s Vulnerability Management Policy which shall meet or exceed industry standards. Wiz uses the Common Vulnerability Scoring System (CVSS) v3.1 and National Vulnerability Database (NVD) ratings as guidelines for patch prioritization and scheduling.
- Penetration Testing. Wiz shall engage one or more independent third parties to conduct penetration tests of the Service at least annually and upon major changes to the Services. Wiz will provide summary results of penetration tests to Customer upon written request.
- Administrative & Organizational Controls.
- Personnel Security. All prospective Wiz employees go through pre-employment reference and/or background checks, according to the local HR policies and applicable laws.
- Personnel Agreements. All Wiz employees and contractors are required to sign a contract which includes a confidentiality obligation and are provided with Wiz’s security policies, including Wiz’s Acceptable Use Policy, when their work commences. Any change in an employee's position in Wiz or change in his or her access privileges immediately affects the employee's access via the centralized access control system.
- Personnel Training. All Wiz employees are required to complete security and privacy awareness training during onboarding and on at least an annual basis.
- Vendor Risk Management. Wiz maintains a third-party vendor risk management program, which includes a compliance, security, and privacy review for every third-party used in the provision of the Services and/or with access to Customer Data. The results of the risk assessment are reviewed by the security, legal and privacy team to ensure the third party maintains security measures consistent with the measures hereunder.
- Physical & Environmental Controls.
- Cloud Environment Data Centers. Wiz only utilizes leading cloud providers who shall be required to have a SOC 2 Type II annual audit and ISO 27001 certification, or industry recognized equivalent frameworks.
- Wiz Corporate Offices. Wiz's employees and subcontractors in each of Wiz’s offices are subject to Wiz's physical minimum-security requirements which include use of CCTV with a defined retention period in accordance with applicable laws, badge only access with regular access reviews and requirements for visitors to be logged and accompanied by Wiz authorized personnel.
- Security Incident Notification and Response.
- Wiz shall maintain a formal documented Information Security Incident Management Program designed to provide an effective and consistent process for managing security incidents.
- Security Incident notification. In any event of a reasonably suspected or successful unauthorized access, use, disclosure, modification, or destruction of Customer Data (“Security Incident”), Wiz will notify Customer within 48 hours of becoming aware of the Security Incident and shall promptly take reasonable steps to contain, investigate, and mitigate such Security Incident. Wiz shall provide Customer with assistance and information as reasonably required by Customer in order to fulfil its legal obligations.
- Security Incident Reporting and Response. Security Incidents are reported to Wiz’s Chief Information Security Officer (CISO). The CISO acts according to Wiz's Incident Response Plan in classifying, handling, documenting, and reporting any incident. Customer may request a copy of Wiz’s Incident Response Plan.
- Backup, Business Continuity & Disaster Recovery
- Business Continuity and Disaster Recovery Plan. Wiz maintains industry standard business continuity and disaster recovery procedures, as further described in Wiz’s Business Continuity and Disaster Recovery Plan (“BCDRP”), and will implement these procedures to minimize the impact of events, whether related to technology or operational failures, that may affect Wiz’s ability to provide the Services. Wiz shall provide Customer with its BCDRP upon Customer’s written request. Wiz’s RTO shall not exceed 48 hours.
- Testing of BCDRP. Wiz shall conduct testing of its BCDRP at least annually and shall make the results of such testing available to Customer upon written request.
- Backups and Disaster Recovery. Wiz leverages multiple Amazon services to back up Customer Data on both daily and monthly schedules. Each Customer tenant is allocated a disaster recovery tenant in a geographically distinct area. Where possible, Wiz will use a disaster recovery region in the same jurisdiction as the main data center. Wiz also keeps full and incremental backups of critical corporate data and logs in geographically distinct datacenters.
- Customer Audit Rights. To the greatest extent possible, Customer shall utilize Wiz’s Third-Party Certifications and other security documentation and policies to assess Wiz’s compliance with its obligations hereunder. Only to the extent that Customer is not able to do so, and in any event, no more than once per year except if required by applicable law, and following at least 45 days’ notice in writing from Customer, Wiz shall provide Customer (and/or Customer’s third party advisors who are not reasonably objected to by Wiz and who are subject to appropriate confidentiality obligations) with access to documents, systems, Wiz employees and electronic data as reasonably necessary in order to audit Wiz’s compliance with its obligations under this Addendum. Wiz shall provide assistance, co-operation, and access reasonably required by Customer in relation to the conduct of such audits. Customer shall use reasonable endeavors to ensure that the conduct of each audit does not disrupt Wiz’s business. In no event shall Customer be permitted to access any information, including without limitation, personal data that belongs to Wiz’s other customers or such other information that is not relevant to Wiz’s compliance with this Addendum. Except as required by law, the Parties shall agree on the scope, methodology, timing and conditions of such audits in advance.
- Shared Responsibility. Without derogating from Wiz’s obligations hereunder, Customer acknowledges that it is responsible for implementing, running and managing the Platform on a day-to-day basis. In addition, Customer acknowledges and agrees that it has obligations with respect to the security of the Customer Data and the Services. Customer’s responsibility includes but is not limited to: (i) the security of cloud environments it owns, operates, and connects to Wiz, and for configuration of its instance(s) of the Wiz Platform; (ii) provisioning Permitted Users with access to Customer’s instance of the Wiz Platform, including: (a) managing instance-level administrators and other user privileges; (b) deauthorizing Permitted Users who no longer need access; (c) provisioning and configuring service account or API access; (d) enabling integrations with customer-owned or third-party technologies; and (e) ensuring that all Permitted Users keep all Wiz credentials confidential; and (iii) updating any Wiz provided software upon Wiz’s announcement of such updates. Wiz provides customers with audit logs that record customer user account and application activity occurring within their respective Wiz Platform instance(s); however, Customer is responsible for monitoring its own instance’s audit logs for security or other purposes. Customer agrees to notify Wiz upon becoming aware of any reasonably suspected unauthorized access to the Platform.
Effective October 26, 2023 to November 20, 2023
Wiz Security Addendum
This Wiz Security Addendum is incorporated into and made a part of the Wiz Master Subscription Agreement or other written agreement between Wiz and Customer that references this document (the “Agreement”) and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement.
Wiz has implemented a comprehensive security, compliance and privacy management program under which Wiz maintains industry standard physical, administrative, organizational and technical safeguards designed to protect the confidentiality, integrity, availability, and security of the Services and Customer Data, including the measures set forth herein (the “Security Program”). Wiz regularly tests and evaluates its Security Program and may review and update its Security Program as well as this Wiz Security Addendum from time to time including to take into account technological developments, provided, however, that such updates shall be designed to enhance and not materially diminish the Security Program.
- IaaS and hosting.
- IaaS Provider. Wiz’s Platform is hosted on AWS.
- Hosting location. Wiz offers hosting in several locations including in the US, the EU and the UK. Customer may select the region in which their Wiz tenant will be hosted prior to the tenant being created.
- Wiz’s Audits & Certifications.
- Certifications. Wiz shall be assessed by independent third-party auditors on at least an annual basis under the following audits and certifications (“Third Party Certifications”): SOC2 Type 2, SOC3, ISO 27001, ISO 27701, ISO 27017 and/or ISO 27018. Wiz shall make available to Customer such Third-Party Certifications upon Customer’s written request. To the extent Wiz decides to discontinue a Third-Party Certification, Wiz will adopt or maintain an equivalent, industry-recognized framework or standard.
- PCI-DSS. To the extent Wiz processes cardholder data in the provision of Services, Wiz shall perform a Payment Card Industry Data Security Standard Attestation of Compliance (“AOC”) for Service Providers on an annual basis and shall provide such AOC to Customer upon Customer’s written request.
- Encryption.
- Encryption of Customer Data. Customer Data shall be encrypted by Wiz in transit (TLS 1.2 or above) and at rest (AES 256).
- Key Management. Wiz utilizes AWS’ Key Management System (KMS) to encrypt Customer Data. Keys are rotated periodically and are stored only in the KMS in the region of the Customer’s Wiz tenant.
- Authentication, Authorization, and Credential Management.
- User Authentication (Wiz Employees). Wiz enforces user authentication and authorization on Wiz systems via Single Sign-on (“SSO”) and multifactor authentication (“MFA”).
- User Authentication (Customer using Wiz). Wiz supports SAML 2.0 compliant SSO applications, allowing customers to manage authentication for their own Wiz tenant.
- Secure Storage of Credentials. Wiz uses managed authentication services (Okta for Wiz’s employee environment; Amazon Cognito for Wiz’s software platform) to handle authentication and associated credential management, including encryption in-motion and at-rest for passwords and other forms of credentials. Cloud-native Key Management Systems, such as AWS KMS, are used to store other forms of access tokens and secrets.
- Role-based Access Control (RBAC) for Wiz Employees. Access to Wiz information assets is restricted, and is granted to Wiz employees and contractors in order to fulfill their duties on a need-to-use basis and following the least privilege principle. Wiz employees and contractors are not granted access to any information asset that is not required by their work at Wiz. Wiz has defined various user roles, according to the positions and activities in the company. Each Wiz employee and contractor is assigned one of these roles and receives access control privileges relevant to that role. Quarterly reviews for user access will be conducted and access will be immediately revoked for unrequired access.
- Role-based Access Control for Customers using Wiz. Wiz provides customers with the ability to define roles for their own Wiz users that control the information they see and the actions they perform.
- Access to Customer Data. Wiz personnel will not access Customer Data except (i) as reasonably necessary to provide the Wiz Services under the Agreement; (ii) with Customer’s permission; or (iii) to comply with the law or a binding order of a governmental body.
- Minimum password requirements. Wiz shall follow the guidance provided by NIST 800-63B Digital Identity Guidelines to enforce password security controls, including length, complexity, re-use, lock-out, and use of multi-factor authentication. Passwords must never be stored in plain-text nor transmitted over unencrypted channels.
- Session lifespan. Single sign-on sessions expire after 8 hours of inactivity with a maximum duration of 12 hours.
- Workstation and Device Security
- Session Lock out. End-user devices are set to screen lock and require a password after 15 minutes of inactivity.
- Workstation Security Controls. For access to Wiz systems, Wiz personnel must use Wiz-issued laptops which utilize security controls that include, but are not limited to, (i) disk encryption, (ii) endpoint firewall, (iii) anti-malware and endpoint detection and response (EDR) tools, and (iv) vulnerability management tools in accordance with Section 9.1 (Vulnerability & Detection Management).
- Anti-malware. Wiz maintains anti-malware controls to automatically detect and prevent malicious files, user activity, and network activity on Wiz workstations, within Wiz’s e-mail, and within Wiz’s corporate cloud storage solutions.
- Workstation Management and Hardening. Wiz utilizes system management technologies to ensure that all endpoints are appropriately configured, hardened, and patched following Wiz’s technical procedures and applicable industry standards such as CIS Benchmarks.
- Data Loss Prevention. Wiz utilizes Data Loss Prevention (DLP) technologies to monitor and control sensitive information that is stored or accessed on systems. Wiz workstations are restricted from using removable storage devices and media.
- Cloud Infrastructure Security
- Separation of Environments. Wiz’s cloud network is divided into three segregated network environments: The development network, the staging network, and the production network. Each of these environments is segregated from the others and has its own privilege allocation and access control. There is no shared network, communication, or co-operation between the networks. Customer Data is never stored or accessed in development environments.
- Infrastructure as Code. Wiz’s cloud production environments are configured, provisioned, and managed through Infrastructure as Code (IaC), and subject to the controls defined in Wiz’s Software Development Lifecycle (SDLC).
- Remote Access. Wiz enforces device, network, authentication, and resource-specific authorization controls to limit access to development and production environments. Wiz does not automatically confer privileged access to any workstations or devices based on location.
- Network Security. Wiz utilizes cloud-native network security technologies, including network security groups, Web Application Firewalls, access gateways, application load balancers, and VPC configurations, to restrict ingress and egress traffic in cloud environments to the minimum sets of services and addresses required for business functionality.
- Cloud Infrastructure Hardening. Wiz utilizes its own instance of the Platform (“Wiz for Wiz”) in conjunction with cloud-native security services to ensure that cloud resources are configured and secured in accordance with Wiz’s internal technical procedures and industry standards such as the CIS AWS benchmarks.
- Anti-malware. Wiz utilizes Wiz for Wiz in conjunction with cloud-native security services to detect and respond to potentially malicious activity on its cloud-hosted workloads or networks.
- Monitoring & Logging.
- Logging. Wiz maintains security auditing and logging capabilities for the infrastructure, SaaS applications, and cloud services that support its corporate, development, and production environments in accordance with Wiz’s Information Security Policies. The use and activity of Wiz information assets is logged and audited for suspicious activity. Wiz preserves security-related logs for a minimum of 12 months unless otherwise specified in its security policies and procedures.
- Detection and Response Operations. Wiz uses Security Information Event Management (SIEM), Detection, and Alert Notification technologies to centralize and analyze logs, apply detection criteria, and escalate and route events to the appropriate security teams.
- Customer Access to Logs. Customers have access to system and user activity logs for their respective Wiz tenant via the Platform, and can export these logs to their own log storage or SIEM platforms as described in the Documentation.
- Security in the development process.
- SDLC. Software development in Wiz is performed according to Wiz’s Change Management & Software Development Life Cycle (SDLC) procedures.
- Security Reviews. Wiz conducts security reviews for significant changes, such as major new product features or changes that impact Wiz’s security posture, during the design and development process.
- Peer Reviews. Code changes must undergo secondary review and approval before being promoted to production.
- Security Testing within the SDLC. Wiz uses security technologies to automatically scan for vulnerabilities, exposed secrets, and code security risks as part of the CI/CD pipeline.
- Vulnerability Detection & Management.
- Vulnerability Detection & Management. Wiz shall maintain a continuous vulnerability management process across its corporate and production environments to ensure that vulnerabilities and other threats are quickly identified, prioritized, and remediated. This includes carrying out internal vulnerability tests daily and external vulnerability tests regularly (at least quarterly). Vulnerabilities shall be remediated according to Wiz’s Vulnerability Management Policy which shall meet or exceed industry standards. Wiz uses the Common Vulnerability Scoring System (CVSS) v3.1 and National Vulnerability Database (NVD) ratings as guidelines for patch prioritization and scheduling.
- Penetration Testing. Wiz shall engage one or more independent third parties to conduct penetration tests of the Service at least annually and upon major changes to the Services. Wiz will provide summary results of penetration tests to Customer upon written request.
- Administrative & Organizational Controls.
- Personnel Security. All prospective Wiz employees go through pre-employment reference and/or background checks, according to the local HR policies and applicable laws.
- Personnel Agreements. All Wiz employees and contractors are required to sign a contract which includes a confidentiality obligation and are provided with Wiz’s security policies, including Wiz’s Acceptable Use Policy, when their work commences. Any change in an employee's position in Wiz or change in his or her access privileges immediately affects the employee's access via the centralized access control system.
- Personnel Training. All Wiz employees are required to complete security and privacy awareness training during onboarding and on at least an annual basis.
- Vendor Risk Management. Wiz maintains a third-party vendor risk management program, which includes a compliance, security, and privacy review for every third-party used in the provision of the Services and/or with access to Customer Data. The results of the risk assessment are reviewed by the security, legal and privacy team to ensure the third party maintains security measures consistent with the measures hereunder.
- Physical & Environmental Controls.
- Cloud Environment Data Centers. Wiz only utilizes leading cloud providers who shall be required to have a SOC 2 Type II annual audit and ISO 27001 certification, or industry recognized equivalent frameworks.
- Wiz Corporate Offices. Wiz's employees and subcontractors in each of Wiz’s offices are subject to Wiz's physical minimum-security requirements which include use of CCTV with a defined retention period in accordance with applicable laws, badge only access with regular access reviews and requirements for visitors to be logged and accompanied by Wiz authorized personnel.
- Security Incident Notification and Response.
- Wiz shall maintain a formal documented Information Security Incident Management Program designed to provide an effective and consistent process for managing security incidents.
- Security Incident notification. In any event of a reasonably suspected or successful unauthorized access, use, disclosure, modification, or destruction of Customer Data (“Security Incident”), Wiz will notify Customer within 48 hours of becoming aware of the Security Incident and shall promptly take reasonable steps to contain, investigate, and mitigate such Security Incident. Wiz shall provide Customer with assistance and information as reasonably required by Customer in order to fulfil its legal obligations.
- Security Incident Reporting and Response. Security Incidents are reported to Wiz’s Chief Information Security Officer (CISO). The CISO acts according to Wiz's Incident Response Plan in classifying, handling, documenting, and reporting any incident. Customer may request a copy of Wiz’s Incident Response Plan.
- Backup, Business Continuity & Disaster Recovery
- Business Continuity and Disaster Recovery Plan. Wiz maintains industry standard business continuity and disaster recovery procedures, as further described in Wiz’s Business Continuity and Disaster Recovery Plan (“BCDRP”), and will implement these procedures to minimize the impact of events, whether related to technology or operational failures, that may affect Wiz’s ability to provide the Services. Wiz shall provide Customer with its BCDRP upon Customer’s written request.
- Testing of BCDRP. Wiz shall conduct testing of its BCDRP at least annually and shall make the results of such testing available to Customer upon written request.
- Backups and Disaster Recovery. Wiz leverages multiple Amazon services to backup Customer Data on both daily and monthly schedules. Each Customer tenant is allocated a disaster recovery tenant in a geographically distinct area. Where possible, Wiz will use a disaster recovery region in the same jurisdiction as the main data center. Wiz also keeps full and incremental backups of critical corporate data and logs in geographically distinct datacenters.
- Customer Audit Rights. To the greatest extent possible, Customer shall utilize Wiz’s Third-Party Certifications and other security documentation and policies to assess Wiz’s compliance with its obligations hereunder. Only to the extent that Customer is not able to do so, and in any event, no more than once per year, and following at least 45 days’ notice in writing from Customer, Wiz shall provide Customer (and/or Customer’s third party advisors who are not reasonably objected to by Wiz and who are subject to appropriate confidentiality obligations) with access to documents, systems, Wiz employees and electronic data as reasonably necessary in order to audit Wiz’s compliance with its obligations under this Addendum. Wiz shall provide assistance, co-operation, and access reasonably required by Customer in relation to the conduct of such audits. Customer shall use reasonable endeavors to ensure that the conduct of each audit does not disrupt the Wiz’s business. In no event shall Customer be permitted to access to any information, including without limitation, personal data that belongs to Wiz’s other customers or such other information that is not relevant to Wiz’s compliance with this Addendum. The Parties shall agree on the scope, methodology, timing and conditions of such audits in advance.
- Shared Responsibility. Without derogating from Wiz’s obligations hereunder, Customer acknowledges that it is responsible for implementing, running and managing the Platform on a day-to-day basis. In addition, Customer acknowledges and agrees that it has obligations with respect to the security of the Customer Data and the Services. Customer’s responsibility includes but is not limited to: (i) the security of cloud environments it owns, operates, and connects to Wiz, and for configuration of its instance(s) of the Wiz Platform; (ii) provisioning Permitted Users with access to Customer’s instance of the Wiz Platform, including: (a) managing instance-level administrators and other user privileges; (b) deauthorizing Permitted Users who no longer need access; (c) provisioning and configuring service account or API access; (d) enabling integrations with customer-owned or third-party technologies; and (e) ensuring that all Permitted Users keep all Wiz credentials confidential; and (iii) updating any Wiz provided software upon Wiz’s announcement of such updates. Wiz provides customers with audit logs that record customer user account and application activity occurring within their respective Wiz Platform instance(s); however, Customer is responsible for monitoring its own instance’s audit logs for security or other purposes. Customer agrees to notify Wiz upon becoming aware of any reasonably suspected unauthorized access to the Platform.
U.S. Government Addendum
Effective November 8, 2023
U.S. GOVERNMENT ADDENDUM TO WIZ MASTER SUBSCRIPTION AGREEMENT
This U.S. government addendum (“Addendum”) is incorporated into and forms part of the Wiz Master Subscription Agreement between Wiz and Customer (“Agreement”) and which governs the provision and use of Wiz products or services. Capitalized terms used but not otherwise defined in this Addendum shall have the meanings given to them in the Agreement.
This Addendum applies to United States government customers, including entities of the United States Federal Government (“Federal”), as well as state, local, or public education entities created by the law of the applicable state (collectively, “SLED”). Wiz acknowledges that statutes and regulations that govern Federal and SLED customers may sometimes require that certain terms in commercial supplier agreements be limited and may be ineffective and inoperative. Therefore, if and to the extent the deviations set forth in this Addendum are required by applicable law, Wiz and Customer agree that the following provisions take precedence over any conflicting terms in the Agreement:
- Business Purpose/Grant of License. Wiz acknowledges that references to “business purpose” in the Agreement include Customer’s government purposes authorized by applicable law.
- FOIA/Public Disclosure Laws. Notwithstanding any confidentiality obligations in the Agreement, Wiz acknowledges that Customer may be compelled to disclose Confidential Information pursuant to the Federal Freedom of Information Act and any state equivalents or other applicable public disclosure laws. Wiz acknowledges that such Confidential Information, including the terms and conditions of the Agreement, related Order Forms, Statements of Work, or other attachments, or pricing information, may be disclosed to third parties upon request to the extent compelled by such Laws; provided that, prior to any such disclosure, Customer provides written notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at Wiz’s expense, if Wiz should wish to contest the disclosure.
- Fees and Taxes. Wiz understands that Customer may be subject to applicable laws governing payment, including availability of funds, timing of payments, late payment interest penalties, and taxes.
- Indemnification.
  - No Customer Indemnification Obligation. If and to the extent applicable law prohibits Customer from indemnifying Wiz, any terms or conditions in the Agreement requiring Customer to indemnify Wiz shall be deemed void and not binding against Customer.
  - Take Down Requirement. In the event of any IP Infringement Claim or any other legal claim brought against Wiz alleging that Customer Data infringes or misappropriates a third party’s intellectual property rights or violates applicable law, or arising out of Customer’s use of the Services in breach of the Agreement, the Documentation, or any applicable Order Form, Wiz may require, by written notice to Customer, that Customer delete from the Service any Customer Data, or cease use of the applicable Service, that is the subject of any Claims. Promptly after receiving any such notice, Customer will delete such Customer Data, or cease such applicable use of the Services, and certify such deletion or cessation to Wiz in writing. Wiz shall be authorized to provide a copy of such certification to the applicable claimant.
  - Government Control of Defense. Any provision of the Agreement requiring Wiz to defend or indemnify Customer is hereby amended, if and to the extent required by applicable law, to provide that the U.S. Department of Justice (for a Federal Customer) or applicable State Attorney General’s Office (for a SLED Customer) has the sole right to represent the respective Federal or SLED entity in litigation and other formal proceedings.
- Controlling Law, Venue and Disputes. Notwithstanding anything in the Agreement to the contrary:
  - Federal. As it relates to Federal entities, the Agreement and any disputes arising out of or related thereto shall be governed by U.S. Federal Law. Any language requiring dispute resolution in a specific forum or venue that is different from that prescribed by applicable Federal Law is hereby deleted and superseded by the forum or venue required by applicable law. If Wiz believes that a Federal Customer is in breach of the Agreement, it shall pursue its rights under the Contract Disputes Act or other applicable Law while continuing performance as set forth in Federal Acquisition Regulation 52.233-1 (Disputes).
  - SLED. As it relates to SLED entities, the Agreement and any disputes arising out of or related thereto shall be governed by the laws of the state pursuant to which Customer is created, or the state in which Customer’s primary headquarters or main office is geographically located. With respect to all disputes arising out of or related to the Agreement, the parties consent to exclusive jurisdiction and venue in the state and federal courts located in such state.
Effective October 30, 2023 to November 8, 2023
U.S. GOVERNMENT ADDENDUM TO WIZ MASTER SUBSCRIPTION AGREEMENT
This U.S. government addendum (“Addendum”) is incorporated into and forms part of the Wiz Master Subscription Agreement between Wiz and Customer (“Agreement”) and which governs the provision and use of Wiz products or services. Capitalized terms used but not otherwise defined in this Addendum shall have the meanings given to them in the Agreement.
This Addendum applies to United States government customers, including entities of the United States Federal Government (“Federal”), as well as state, local, or public education entities created by the law of the applicable state (collectively, “SLED”). Wiz acknowledges that statutes and regulations that govern Federal and SLED customers may sometimes require that certain terms in commercial supplier agreements be limited and may be ineffective and inoperative. Therefore, if and to the extent the deviations set forth in this Addendum are required by applicable law, Wiz and Customer agree that the following provisions take precedence over any conflicting terms in the Agreement:
- Business Purpose/Grant of License. Wiz acknowledges that references to “business purpose” in the Agreement include Customer’s government purposes authorized by applicable law.
- FOIA/Public Disclosure Laws. Notwithstanding any confidentiality obligations in the Agreement, Wiz acknowledges that Customer may be compelled to disclose Confidential Information pursuant to the Federal Freedom of Information Act and any state equivalents or other applicable public disclosure laws. Wiz acknowledges that such Confidential Information, including the terms and conditions of the Agreement, related Order Forms, Statements of Work, or other attachments, or pricing information, may be disclosed to third parties upon request to the extent compelled by such Laws; provided that, prior to any such disclosure, Customer provides written notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at Wiz’s expense, if Wiz should wish to contest the disclosure.
- Fees and Taxes. Wiz understands that Customer may be subject to applicable laws governing payment, including availability of funds, timing of payments, late payment interest penalties, and taxes.
- Indemnification.
  - No Customer Indemnification Obligation. If and to the extent applicable law prohibits Customer from indemnifying Wiz, any terms or conditions in the Agreement requiring Customer to indemnify Wiz shall be deemed void and not binding against Customer.
  - Take Down Requirement. In the event of any IP Infringement Claim or any other legal claim brought against Wiz alleging that Customer Data infringes or misappropriates a third party’s intellectual property rights or violates applicable law, or arising out of Customer’s use of the Services in breach of the Agreement, the Documentation, or any applicable Order Form, Wiz may require, by written notice to Customer, that Customer delete from the Service any Customer Data, or cease use of the applicable Service, that is the subject of any Claims. Promptly after receiving any such notice, Customer will delete such Customer Data, or cease such applicable use of the Services, and certify such deletion or cessation to Wiz in writing. Wiz shall be authorized to provide a copy of such certification to the applicable claimant.
  - Government Control of Defense. Any provision of the Agreement requiring Wiz to defend or indemnify Customer is hereby amended, if and to the extent required by applicable law, to provide that the U.S. Department of Justice (for a Federal Customer) or applicable State Attorney General’s Office (for a SLED Customer) has the sole right to represent the respective Federal or SLED entity in litigation and other formal proceedings.
- Controlling Law, Venue and Disputes. Notwithstanding anything in the Agreement to the contrary:
  - Federal. As it relates to Federal entities, the Agreement and any disputes arising out of or related thereto shall be governed by U.S. Federal Law. Any language requiring dispute resolution in a specific forum or venue that is different from that prescribed by applicable Federal Law is hereby deleted and superseded by the forum or venue required by applicable law. If Wiz believes that a Federal Customer is in breach of the Agreement, it shall pursue its rights under the Contract Disputes Act or other applicable Law while continuing performance as set forth in Federal Acquisition Regulation 52.233-1 (Disputes).
  - SLED. As it relates to SLED entities, the Agreement and any disputes arising out of or related thereto shall be governed by the laws of the state pursuant to which Customer is created, or the state in which Customer’s primary headquarters or main office is geographically located. With respect to all disputes arising out of or related to the Agreement, the parties consent to exclusive jurisdiction and venue in the state and federal courts located in such state.
Data Processing Agreement
Effective November 20, 2023
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms part of the Wiz Master Subscription Agreement or other agreement for Wiz services entered into between the Parties (the “Agreement”) between the Wiz entity that has entered into the Agreement (“Wiz”, “Us”, “We”, “Our”) and Customer (collectively, “You”, “Your”, or “Customer”) pursuant to the Agreement. Both parties shall be referred to as the “Parties” and each, a “Party”. This DPA forms a binding legal agreement to reflect the Parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below).
WHEREAS, Wiz shall provide the services set forth in the Agreement (collectively, the “Services”) to Customer, as described in the Agreement; and
WHEREAS, the Parties wish to set forth the arrangements concerning the Processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the Parties, intending to be legally bound, agree as follows:
1. INTERPRETATION AND DEFINITIONS
1.1 The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
1.2 Definitions:
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Controller” or “Business” as relevant under applicable Data Protection Laws, means the entity which determines the purposes and means of the Processing of Personal Data or such equivalent term under Data Protection Laws.
- “Customer Personal Data” means any Personal Data which is provided to and Processed by Wiz on behalf of Customer in order to provide the Services under the Agreement. Customer Personal Data does not include Personal Data that Wiz Processes as a Controller separately from its Processing obligations to Customer under the Agreement.
- “Data Protection Laws” means all laws and regulations of the European Union, the EEA and their Member States, Switzerland, the United Kingdom, and the United States, each to the extent applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the identified or identifiable person to whom the Customer Personal Data relates.
- “EEA” means the European Economic Area.
- “EU Data Protection Law” means the GDPR, and the UK GDPR.
- “Extended EEA Country” means a Member State of the EEA, Switzerland or the United Kingdom, and Extended EEA Countries means the foregoing countries collectively.
- “Member State(s)” means a country that belongs to the European Union and/or the EEA.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or such equivalent term under Data Protection Laws.
- “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” or “Service Provider,” as relevant under applicable Data Protection Laws, means the entity which Processes Personal Data on behalf of the Controller or Business or such equivalent term under Data Protection Laws.
- “Security Addendum” means Wiz’s Security Addendum which is available via https://www.wiz.io/legal/security-addendum.
- “Standard Contractual Clauses” means the “standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission decision of 4 June 2021” and published under document number C (2021) 3972 available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1689513765256, as may be updated, amended or superseded from time to time.
- “Sub-Processor” means any Processor or Service Provider engaged by Wiz and/or Wiz Affiliate to Process Customer Personal Data.
- “Supervisory Authority” means the competent supervisory authority pursuant to the applicable Data Protection Laws.
- “Third Country” has the meaning given in Clause 8.2 below.
- “UK GDPR” means the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR").
- “US Privacy Laws” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 along with any associated regulations (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act; and any similar U.S. laws governing data privacy and security once effective.
2. CUSTOMER’S PROCESSING OF PERSONAL DATA. Customer shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws and comply at all times with the obligations applicable to Controllers or Businesses, as applicable. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the means by which Customer acquired Customer Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal basis in order to collect, Process and transfer to Wiz the Customer Personal Data and to authorize the Processing by Wiz of the Customer Personal Data which is authorized in this DPA.
3. WIZ’S PROCESSING OF PERSONAL DATA
3.1 Application. As used in clauses 3 – 9 herein, Customer Personal Data refers to Customer Personal Data that is subject to Data Protection Laws.
3.2 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, (i) Customer is the Controller or Business, (ii) Wiz is the Processor or Service Provider, and (iii) Wiz or its Affiliates may engage Sub-Processors pursuant to the requirements set forth in Clause 6 below.
3.3 Wiz and its Affiliates (as applicable) shall Process Customer Personal Data only in accordance with Customer’s documented instructions, which are set out in the Agreement, as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required to otherwise by any applicable law, court of competent jurisdiction or other Supervisory Authority to which Wiz and its Affiliates are subject, in which case, Wiz shall inform Customer of the legal requirement before processing, unless that law prohibits such information. Customer agrees that the Agreement is its complete and final instructions to Wiz in relation to the Processing of Personal Data. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Wiz and Customer by way of an amendment to the Agreement, and may include any additional fees that may be payable by Customer to Wiz for carrying out such instructions. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Customer Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 to this DPA.
3.4 To the extent that Wiz or its Affiliates cannot comply with an instruction from Customer and/or its authorized users relating to Processing of Customer Personal Data or where Wiz considers such instruction to be unlawful, Wiz (i) shall inform Customer, providing relevant details of the problem; (ii) may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Customer Personal Data (other than securely storing those data); and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Wiz all the amounts owed to Wiz or due before the date of termination.
4. RIGHTS OF DATA SUBJECTS. If Wiz receives a request from a Data Subject to exercise its rights under Data Protection Laws (“Data Subject Request”), Wiz shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Wiz shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws.
5. WIZ PERSONNEL
5.1 Confidentiality. Wiz shall grant access to the Customer Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Customer Personal Data have committed themselves to confidentiality.
6. AUTHORIZATION REGARDING SUB-PROCESSORS
6.1 Customer hereby grants general written authorization to Wiz to appoint Sub-Processors to perform specific Processing activities on Customer Personal Data on its behalf. Wiz’s current list of Sub-Processors is included at https://www.wiz.io/sub-processor-list (“Sub-Processor List”) and is hereby approved by Customer.
6.2 Objection Right for Sub-Processors. Wiz offers a mechanism for Customers to subscribe to notifications of changes to Wiz’s Sub-Processor List via https://www.wiz.io/sub-processor-list. If Customer subscribes to receive such updates, Wiz shall provide notification of any intended changes concerning the addition or replacement of other Sub-Processor(s) to the email address which has subscribed thereby giving Customer the opportunity to object. Customer may reasonably object to Wiz’s use of a Sub-Processor for reasons related to the Data Protection Laws by notifying Wiz in writing within ten (10) days after receipt of Wiz’s notice including the reasons for objecting to Wiz’s use of such Sub-Processor. Failure to object to such Sub-Processor in writing within ten (10) days following Wiz’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-Processor, Wiz will use reasonable efforts to make available to Customer a change in the Services to avoid Processing of Customer Personal Data by the objected-to Sub-Processor without unreasonably burdening Customer. If Wiz is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the Agreement and this DPA by providing written notice to Wiz provided that all amounts due under the Agreement before the termination date shall be duly paid to Wiz. Until a decision is made regarding the Sub-Processor, Wiz may temporarily suspend the Processing of the affected Customer Personal Data.
6.3 Where Wiz engages a Sub-Processor, we shall do so by way of a written contract which imposes on the Sub-Processor substantially the same data protection obligations as in this DPA.
7. SECURITY
7.1 Controls for the Protection of Customer Personal Data. Taking into account the state of the art, Wiz shall maintain industry-standard technical and organizational measures, including as required pursuant to Article 32 of the GDPR and other applicable Data Protection Laws, for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data), confidentiality and integrity of Customer Personal Data, as set forth in the Security Addendum. Upon Customer’s request, Wiz will use commercially reasonable efforts to assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and other applicable Data Protection Laws taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Wiz.
7.2 Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Wiz shall make available to Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and bound by confidentiality obligations) a copy of Wiz’s then most recent third-party audits or certifications, as applicable (provided, however, that any such documentation shall be Wiz’s confidential information and shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Wiz’s prior written approval and, upon Wiz’s request, Customer shall return all such documentation in Customer’s possession or control). Only as required by applicable Data Protection Laws and at Customer’s cost and expense, not more than once per year, Wiz shall allow for and contribute to audits, including remote inspections, conducted by Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and that is bound by confidentiality obligations) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections in advance. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that belongs to Wiz’s other customers.
8. TRANSFERS OF DATA
8.1 Transfers to countries that offer an adequate level of data protection. Personal Data may be transferred from the Extended EEA Countries to countries or frameworks that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the Extended EEA Countries (“Adequacy Decisions”), without any further safeguard being necessary.
8.2 Transfers to other countries. If, and to the extent, the Processing of Customer Personal Data which is subject to Data Protection Laws of the Extended EEA Countries includes transfers by Customer from the Extended EEA Countries to Wiz in countries outside the Extended EEA Countries which have not been subject to an Adequacy Decision (“Third Countries”), the Parties agree that such transfers shall be undertaken on the basis of the Standard Contractual Clauses, which will be deemed to have been signed by each Party on the Effective Date of this Agreement, are incorporated herein by reference and construed in accordance with Schedule 2 below, unless another mechanism provided for in the Data Protection Laws of the applicable Extended EEA Country applies.
8.3 In the event Customer enables Third Party Integrations (as defined in the Agreement) which involve transfers of Customer Personal Data between Wiz and the Third Party Integration provider, Customer acknowledges and agrees that (a) such Third Party Integration providers are not Sub-Processors of Wiz; (b) such transfers are conducted at Customer’s instruction in accordance with an agreement between the Customer and such Third Party Integration provider (which Wiz is not a party to); and (c) Customer shall be solely responsible for such transfers and their compliance with Data Protection Laws, including without limitation, executing Standard Contractual Clauses with such Third Party Integration providers as required.
9. US PRIVACY LAWS
9.1 In performing its obligations under the Agreement and this DPA, Wiz will not: (1) “sell” or “share” for purposes of “cross-context behavioral advertising” or “targeted advertising” (as defined by applicable US Privacy Laws) any Customer Personal Data; (2) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Wiz and Customer; or (3) attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data.
9.2 Wiz will (1) comply with any applicable restrictions under applicable US Privacy Laws on combining Customer Personal Data with Personal Data that Wiz receives from, or on behalf of, another person or persons; and (2) promptly notify Customer if Wiz determines that it (i) can no longer meet its obligations under this DPA or applicable US Privacy Laws; or (ii) in Wiz’s opinion, an instruction from Customer infringes applicable US Privacy Laws.
9.3 To the extent required under US Privacy Laws, Customer may take reasonable and appropriate steps to help to ensure that Wiz uses Customer Personal Data in a manner consistent with Customer’s obligations under US Privacy Laws and to stop and remediate unauthorized use of the Customer Personal Data.
9.4 Wiz certifies that it understands its obligations in this Clause 9. The Parties agree that Schedule 1 hereto shall satisfy any requirement under applicable U.S. Privacy Law to provide details regarding the nature of the Processing activities related to Customer Personal Data.
10. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. To the extent required under applicable Data Protection Laws, Wiz shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a “Personal Data Incident”). Wiz shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Wiz deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident. Customer (or its customers), as the Controller or Business, will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws).
11. RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, upon termination or expiry of the Services, Wiz shall make available for return the Customer Personal Data via the Services and delete such Customer Personal Data in accordance with Wiz’s customer data retention & deletion policy unless applicable law requires storage of the Customer Personal Data. In any event, Customer agrees that Wiz may retain Customer Personal Data in accordance with its standard backup policy, for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations. Notwithstanding anything to the contrary, Customer hereby agrees and understands that, to the extent Wiz performs cloud scanning on behalf of Customer, if and when Customer wants to delete specific Customer Personal Data, Customer may delete such Customer Personal Data from its own databases, and it will automatically be erased from Wiz’s databases within a reasonable market standard timeframe. If Customer requests return of the Customer Personal Data, it shall be returned in an industry standard format generally available for Wiz’s Customers.
12. TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided, provided that, to the extent Wiz retains any Customer Personal Data following termination or expiration of the Agreement, this DPA shall survive for such period that Wiz retains Customer Personal Data. Clauses 2, 3.4 and 13 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
13. RELATIONSHIP WITH AGREEMENT. Subject to any provisions in Schedule 2 regarding governing law and choice of forum of the Standard Contractual Clauses, the governing law and choice of forum provision in the Agreement shall apply to this DPA. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. For the avoidance of doubt each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, Data Protection Laws and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. NOTWITHSTANDING THE FOREGOING, IF CUSTOMER IS USING THE SERVICES FOR A FREE TRIAL, WIZ’S MAXIMUM AGGREGATE LIABILITY TO CUSTOMER UNDER OR RELATED TO THIS DPA SHALL BE CAPPED AT ONE THOUSAND DOLLARS US ($1,000 US).
14. MISCELLANEOUS. Any Wiz obligation hereunder may be performed (in whole or in part), and any Wiz right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Wiz. This DPA may be amended by Wiz from time to time in its sole discretion, with such updated version posted to Wiz’s website, provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.
List of Schedules
SCHEDULE 1 – DETAILS OF THE PROCESSING
SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES
SCHEDULE 1
DETAILS OF THE PROCESSING
Subject matter.
Wiz will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing.
1. Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) and support and technical maintenance to Customer.
2. To comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
3. Resolving disputes, enforcing the Agreement, this DPA and/or defending Wiz’s rights.
4. Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.
Duration of Processing.
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Wiz will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Types of Customer Personal Data.
Customer determines the categories of any Customer Personal Data that is made accessible to Wiz, which may include, without limitation, Customer Personal Data relating to the following categories:
- If Customer uses Wiz for scanning, Personal Data might be temporarily processed by Wiz during the scanning. The type of the Personal Data depends on Customer environment and which sources Customer connects.
- Wiz only stores metadata such as CVEs, misconfigurations, list of installed packages, cloud events, local cloud user accounts, cloud object identifiers and (depending on the features used by Customer) logs and file paths. Such metadata does not generally contain Personal Data, however, depending on the Customer’s environment and naming conventions and the features used by Customer, some limited Personal Data may be included. For example, cloud user account names, logs and artifacts could include an individual’s name, logs could contain names, associated email address and IP address and (if specific Wiz features are enabled) pseudonymized samples of findings to enable Customer to locate, verify and remediate the finding(s).
Customer acknowledges that Wiz does not control which Customer Personal Data Customer shares with it in the context of the Services.
Categories of Data Subjects.
As part of providing the Services, Wiz may process Customer Personal Data related to Customer’s customers or users, leads, employees and service providers, the extent of which is solely determined by Customer.
SCHEDULE 2
STANDARD CONTRACTUAL CLAUSES
1 Incorporation and interpretation of the Standard Contractual Clauses
1.1 In relation to transfers by Customer of Customer Personal Data which are subject to Data Protection Laws of the Extended EEA Countries to Wiz in Third Countries, the parties agree that Module Two (Transfer controller to processor) or Module 3 (Transfer processor to processor) of the Standard Contractual Clauses shall apply, as applicable.
1.2 The Parties acknowledge that the information required to be provided in the Standard Contractual Clauses, including the appendices, is set out in Appendix 1 below.
1.3 If there is a conflict between the provisions of this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail, provided that, except to the extent prohibited by applicable law, the Standard Contractual Clauses shall be interpreted in accordance with and subject to this DPA and the Agreement, including without limitation, the provisions on limitation of liability, instructions, storage, erasure and return of Personal Data, audits and engagement of Sub-Processors.
1.4 If any provision or part-provision of this DPA or the Agreement causes the Standard Contractual Clauses to become an invalid export mechanism in the relevant Extended EEA Country, it shall be deemed deleted but that shall not affect the validity and enforceability of the rest of this Agreement and the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
1.5 Where requested by Wiz, Customer shall provide reasonable assistance to Wiz and be responsible for issuing such communications to Data Subjects and/or the Controller (to the extent Module Three applies) as are required in order for Wiz to comply with its obligations under the Standard Contractual Clauses.
1.6 For the purpose of Section III, Clause 14 of the Standard Contractual Clauses, the parties acknowledge and agree that, as between the parties, the Customer (acting as data exporter) is responsible for: (i) assessing the laws of the country to which it transfers Personal Data; and (ii) determining whether or not the transfer meets the requirements of Section III, Clause 14(a) of the Standard Contractual Clauses. Where Wiz (as data importer) provides information to the Customer (acting as data exporter) for assisting the Customer in its assessment, such information is provided on an “as is” basis for informational purposes only. Without prejudice to Section III, Clause 14(c) of the Standard Contractual Clauses, Wiz (as data importer) shall not be liable for any losses suffered by the Customer in connection with its assessment.
1.7 Notwithstanding anything to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is the UK, template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, (the “UK Approved Addendum”) shall amend the Standard Contractual Clauses in respect of such transfers and Part 1 of the UK Approved Addendum shall be populated as set out below:
Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and Wiz as importer.
Table 2. The “Addendum EU SCCs” are the modules and clauses of the Standard Contractual Clauses selected in relation to a particular transfer in accordance with paragraphs 1.1 and 1.2 of this Schedule.
Table 3. The “Appendix Information” is as set out in Appendix 1 to this Schedule.
Table 4. Neither party may end the UK Approved Addendum in accordance with its Section 19.
1.8 Except where paragraph 1.9 above applies, but notwithstanding anything else to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is not a Member State of the European Union, references in the Standard Contractual Clauses to:
(a) “Member States of the European Union” shall refer to the applicable Extended EEA Country in which the data exporter is established or from where the transferred Personal Data originated (as applicable);
(b) “the GDPR” shall refer to the Data Protection Laws of the Extended EEA Country in which the data exporter is established or from where the Personal Data originated; and
(c) “supervisory authority” shall refer to the data protection authority in the Extended EEA Country as determined in Annex I(C) below.
Appendix 1 – Completion of the Standard Contractual Clauses
ANNEX I
A. LIST OF THE PARTIES | |
Data Exporter: | Name and address: Customer, as set out in the Agreement Contact details: As set out in the Agreement Activities relevant to the data transferred under these Clauses: Receipt of Wiz Services, as set out in the Agreement and this DPA |
Data Importer: | Name and address: Wiz, as set out in the Agreement Contact details: Privacy Officer, privacy@wiz.io Activities relevant to the data transferred under these Clauses: Provision of Wiz Services, as set out in the Agreement and this DPA |
B. DETAILS OF PROCESSING/TRANSFER | |
CATEGORIES OF DATA SUBJECTS | As described in Schedule 1 |
CATEGORIES OF PERSONAL DATA | As described in Schedule 1 |
SPECIAL CATEGORIES OF DATA (IF APPLICABLE) | Wiz does not control which Personal Data Customer shares with it in the context of the Services |
FREQUENCY OF THE TRANSFER | As regular as is required to provide the Services |
NATURE AND PURPOSE OF THE PROCESSING | As described in Schedule 1 |
RETENTION | As described in Schedule 1 |
TRANSFER TO (SUB)PROCESSORS | As set out in Wiz’s Sub-Processor List |
C. COMPETENT SUPERVISORY AUTHORITY | |
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where an EU Representative has not been appointed by data exporter, the competent supervisory authority shall be the supervisory authority of the Netherlands. | |
D. GOVERNING LAW AND CHOICE OF FORUM | |
GOVERNING LAW | For the purposes of Clause 17 of the Standard Contractual Clauses the Parties select OPTION 1: the law of the Netherlands. |
CHOICE OF FORUM | For the purposes of Clause 18 of the SCCs: the Parties select the courts of the Netherlands. |
E. OTHER | |
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following will apply: For Clause 7 (Docking Clause), the optional provision will apply. For Clause 9(a), option 2 (General Written Authorisation) will apply and the time period for prior notice of Sub-Processor changes shall be as set out in this DPA. For Clause 11(a) (Redress) – the optional provision will not apply. |
ANNEX II – WIZ SECURITY MEASURES
The technical and organizational measures including technical and organizational measures to support the security of Personal Data incorporated into Annex II of the Standard Contractual Clauses shall be the technical and organizational security measures as described in Wiz’s Security Addendum.
In addition, Wiz agrees to the following compensating safeguards to protect such data to an equivalent level as required under the Data Protection Laws of the Extended EEA Countries to the extent required under the Standard Contractual Clauses:
- Wiz and Customer shall encrypt all transfers of the Customer Personal Data between them, and Wiz shall encrypt any onward transfers it makes of such Customer Personal Data.
- Wiz will use reasonably available legal mechanisms to challenge any demands for Customer Personal Data access through national security process it receives as well as any non-disclosure provisions attached thereto.
- Wiz will promptly notify Customer of any government demands for Customer Personal Data, unless prohibited under applicable law. To the extent Wiz is prohibited by law from providing such notification, Wiz shall: (i) review each request on a case-by-case basis; (ii) use reasonable efforts to request that the confidentiality requirement be waived to enable Wiz to notify the Customer and/or the appropriate Supervisory Authority competent for the Customer; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.
- Wiz will promptly notify Customer if Wiz can no longer comply with the applicable clauses in this Section. Wiz shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder.
Effective November 17, 2023 to November 20, 2023
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms part of the Wiz Master Subscription Agreement or other agreement for Wiz services entered into between the Parties (the “Agreement”) between the Wiz entity that has entered into the Agreement (“Wiz”, “Us”, “We”, “Our”) and Customer (collectively, “You”, “Your”, or “Customer”) pursuant to the Agreement. Both parties shall be referred to as the “Parties” and each, a “Party”. This DPA forms a binding legal agreement to reflect the Parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below).
WHEREAS, Wiz shall provide the services set forth in the Agreement (collectively, the “Services”) to Customer, as described in the Agreement; and
WHEREAS, the Parties wish to set forth the arrangements concerning the Processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the Parties, intending to be legally bound, agree as follows:
1. INTERPRETATION AND DEFINITIONS
1.1 The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
1.2 Definitions:
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Controller” or “Business” as relevant under applicable Data Protection Laws, means the entity which determines the purposes and means of the Processing of Personal Data or such equivalent term under Data Protection Laws.
- “Customer Personal Data” means any Personal Data which is provided to and Processed by Wiz on behalf of Customer in order to provide the Services under the Agreement. Customer Personal Data does not include Personal Data that Wiz Processes as a Controller separately from its Processing obligations to Customer under the Agreement.
- “Data Protection Laws” means all laws and regulations of the European Union, the EEA and their Member States, Switzerland, the United Kingdom, and the United States, each to the extent applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the identified or identifiable person to whom the Customer Personal Data relates.
- “EEA” means the European Economic Area.
- “EU Data Protection Law” means the GDPR, and the UK GDPR.
- “Extended EEA Country” means a Member State of the EEA, Switzerland or the United Kingdom, and Extended EEA Countries means the foregoing countries collectively.
- “Member State(s)” means a country that belongs to the European Union and/or the EEA.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or such equivalent term under Data Protection Laws.
- “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” or “Service Provider,” as relevant under applicable Data Protection Laws, means the entity which Processes Personal Data on behalf of the Controller or Business or such equivalent term under Data Protection Laws.
- “Security Addendum” means Wiz’s Security Addendum which is available via https://www.wiz.io/legal/security-addendum.
- “Standard Contractual Clauses” means the “standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission decision of 4 June 2021” and published under document number C (2021) 3972 available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1689513765256, as may be updated, amended or superseded from time to time.
- “Sub-Processor” means any Processor or Service Provider engaged by Wiz and/or Wiz Affiliate to Process Customer Personal Data.
- “Supervisory Authority” means the competent supervisory authority pursuant to the applicable Data Protection Laws.
- “Third Country” has the meaning given in Clause 8.2 below.
- “UK GDPR” means the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR").
- “US Privacy Laws” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 along with any associated regulations (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act; and any similar U.S. laws governing data privacy and security once effective.
2. CUSTOMER’S PROCESSING OF PERSONAL DATA. Customer shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws and comply at all times with the obligations applicable to Controllers or Businesses, as applicable. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the means by which Customer acquired Customer Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal basis in order to collect, Process and transfer to Wiz the Customer Personal Data and to authorize the Processing by Wiz of the Customer Personal Data which is authorized in this DPA.
3. WIZ’S PROCESSING OF PERSONAL DATA
3.1 Application. As used in clauses 3 – 9 herein, Customer Personal Data refers to Customer Personal Data that is subject to Data Protection Laws.
3.2 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, (i) Customer is the Controller or Business, (ii) Wiz is the Processor or Service Provider, and (iii) Wiz or its Affiliates may engage Sub-Processors pursuant to the requirements set forth in Clause 6 below.
3.3 Wiz and its Affiliates (as applicable) shall Process Customer Personal Data only in accordance with Customer’s documented instructions, which are set out in the Agreement, as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required to otherwise by any applicable law, court of competent jurisdiction or other Supervisory Authority to which Wiz and its Affiliates are subject, in which case, Wiz shall inform Customer of the legal requirement before processing, unless that law prohibits such information. Customer agrees that the Agreement is its complete and final instructions to Wiz in relation to the Processing of Personal Data. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Wiz and Customer by way of an amendment to the Agreement, and may include any additional fees that may be payable by Customer to Wiz for carrying out such instructions. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Customer Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 to this DPA.
3.4 To the extent that Wiz or its Affiliates cannot comply with an instruction from Customer and/or its authorized users relating to Processing of Customer Personal Data or where Wiz considers such instruction to be unlawful, Wiz (i) shall inform Customer, providing relevant details of the problem; (ii) may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Customer Personal Data (other than securely storing those data); and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Wiz all the amounts owed to Wiz or due before the date of termination.
4. RIGHTS OF DATA SUBJECTS. If Wiz receives a request from a Data Subject to exercise its rights under Data Protection Laws (“Data Subject Request”), Wiz shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Wiz shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws.
5. WIZ PERSONNEL
5.1 Confidentiality. Wiz shall grant access to the Customer Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Customer Personal Data have committed themselves to confidentiality.
6. AUTHORIZATION REGARDING SUB-PROCESSORS
6.1 Customer hereby grants general written authorization to Wiz to appoint Sub-Processors to perform specific Processing activities on Customer Personal Data on its behalf. Wiz’s current list of Sub-Processors is included at https://www.wiz.io/sub-processor-list (“Sub-Processor List”) and is hereby approved by Customer.
6.2 Objection Right for Sub-Processors. Wiz offers a mechanism for Customers to subscribe to notifications of changes to Wiz’s Sub-Processor List via https://www.wiz.io/sub-processor-list. If Customer subscribes to receive such updates, Wiz shall provide notification of any intended changes concerning the addition or replacement of other Sub-Processor(s) to the email address which has subscribed thereby giving Customer the opportunity to object. Customer may reasonably object to Wiz’s use of a Sub-Processor for reasons related to the Data Protection Laws by notifying Wiz in writing within ten (10) days after receipt of Wiz’s notice including the reasons for objecting to Wiz’s use of such Sub-Processor. Failure to object to such Sub-Processor in writing within ten (10) days following Wiz’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-Processor, Wiz will use reasonable efforts to make available to Customer a change in the Services to avoid Processing of Customer Personal Data by the objected-to Sub-Processor without unreasonably burdening Customer. If Wiz is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the Agreement and this DPA by providing written notice to Wiz provided that all amounts due under the Agreement before the termination date shall be duly paid to Wiz. Until a decision is made regarding the Sub-Processor, Wiz may temporarily suspend the Processing of the affected Customer Personal Data.
6.3 Where Wiz engages a Sub-Processor, we shall do so by way of a written contract which imposes on the Sub-Processor substantially the same data protection obligations as in this DPA.
7. SECURITY
7.1 Controls for the Protection of Customer Personal Data. Taking into account the state of the art, Wiz shall maintain industry-standard technical and organizational measures, including as required pursuant to Article 32 of the GDPR and other applicable Data Protection Laws, for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data), confidentiality and integrity of Customer Personal Data, as set forth in the Security Addendum. Upon Customer’s request, Wiz will use commercially reasonable efforts to assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and other applicable Data Protection Laws taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Wiz.
7.2 Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Wiz shall make available to Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and bound by confidentiality obligations) a copy of Wiz’s then most recent third-party audits or certifications, as applicable (provided, however, that any such documentation shall be Wiz’s confidential information and shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Wiz’s prior written approval and, upon Wiz’s request, Customer shall return all such documentation in Customer’s possession or control). Only as required by applicable Data Protection Laws and at Customer’s cost and expense, not more than once per year, Wiz shall allow for and contribute to audits, including remote inspections, conducted by Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and that is bound by confidentiality obligations) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections in advance. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that belongs to Wiz’s other customers.
8. TRANSFERS OF DATA
8.1 Transfers to countries that offer adequate level of data protection. Personal Data may be transferred from the Extended EEA Countries to countries or frameworks that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the Extended EEA Countries (“Adequacy Decisions”), without any further safeguard being necessary.
8.2 Transfers to other countries. If, and to the extent, the Processing of Customer Personal Data which is subject to Data Protection Laws of the EEA Extended Countries includes transfers by Customer from the Extended EEA Countries to Wiz in countries outside the Extended EEA Countries which have not been subject to an Adequacy Decision (“Third Countries”), the Parties agree that such transfers shall be undertaken on the basis of the Standard Contractual Clauses, which will be deemed to have been signed by each Party on the Effective Date of this Agreement, are incorporated herein by reference and construed in accordance with Schedule 2 below, unless another mechanism provided for in the Data Protection Laws of the applicable Extended EEA Country applies.
8.3 In the event Customer enables Third Party Integrations (as defined in the Agreement) which involve transfers of Customer Personal Data between Wiz and the Third Party Integration provider, Customer acknowledges and agrees that (a) such Third Party Integration providers are not Sub-Processors of Wiz; (b) such transfers are conducted at Customer’s instruction in accordance with an agreement between the Customer and such Third Party Integration provider (which Wiz is not a party to); and (c) Customer shall be solely responsible for such transfers and their compliance with Data Protection Laws, including without limitation, executing Standard Contractual Clauses with such Third Party Integration providers as required.
9. US PRIVACY LAWS
9.1 In performing its obligations under the Agreement and this DPA, Wiz will not: (1) “sell” or “share” for purposes of “cross-context behavioral advertising” or “targeted advertising” (as defined by applicable US Privacy Laws) any Customer Personal Data; (2) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Wiz and Customer; or (3) attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data.
9.2 Wiz will (1) comply with any applicable restrictions under applicable US Privacy Laws on combining Customer Personal Data with Personal Data that Wiz receives from, or on behalf of, another person or persons; and (2) promptly notify Customer if Wiz determines that it (i) can no longer meet its obligations under this DPA or applicable US Privacy Laws; or (ii) in Wiz’s opinion, an instruction from Customer infringes applicable US Privacy Laws.
9.3 Wiz certifies that it understands its obligations in this Clause 9.
9.4 The Parties agree that Schedule 1 hereto shall satisfy any requirement under applicable U.S. Privacy Law to provide details regarding the nature of the Processing activities related to Customer Personal Data.
10. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. To the extent required under applicable Data Protection Laws, Wiz shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a “Personal Data Incident”). Wiz shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Wiz deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident. Customer (or its customers), as the Controller or Business, will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws).
11. RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, upon termination or expiry of the Services, Wiz shall make available for return the Customer Personal Data via the Services and delete such Customer Personal Data in accordance with Wiz’s customer data retention & deletion policy unless applicable law requires storage of the Customer Personal Data. In any event, Customer agrees that Wiz may retain Customer Personal Data in accordance with its standard backup policy, for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations. Notwithstanding anything to the contrary, Customer hereby agrees and understands that, to the extent Wiz performs cloud scanning on behalf of Customer, if and when Customer wants to delete specific Customer Personal Data, Customer may delete such Customer Personal Data from its own databases, and it will automatically be erased from Wiz’s databases within a reasonable market standard timeframe. If Customer requests return of the Customer Personal Data, it shall be returned in an industry standard format generally available for Wiz’s Customers.
12. TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided, provided that, to the extent Wiz retains any Customer Personal Data following termination or expiration of the Agreement, this DPA shall survive for such period that Wiz retains Customer Personal Data. Clauses 2, 3.4 and 13 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
13. RELATIONSHIP WITH AGREEMENT. Subject to any provisions in Schedule 2 regarding governing law and choice of forum of the Standard Contractual Clauses, the governing law and choice of forum provision in the Agreement shall apply to this DPA. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. For the avoidance of doubt each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, Data Protection Laws and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. NOTWITHSTANDING THE FOREGOING, IF CUSTOMER IS USING THE SERVICES FOR A FREE TRIAL, WIZ’S MAXIMUM AGGREGATE LIABILITY TO CUSTOMER UNDER OR RELATED TO THIS DPA SHALL BE CAPPED AT ONE THOUSAND DOLLARS US ($1,000 US).
14. MISCELLANEOUS. Any Wiz obligation hereunder may be performed (in whole or in part), and any Wiz right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Wiz. This DPA may be amended by Wiz from time to time in its sole discretion, with such updated version posted to Wiz’s website, provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.
List of Schedules
SCHEDULE 1 – DETAILS OF THE PROCESSING
SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES
SCHEDULE 1
DETAILS OF THE PROCESSING
Subject matter.
Wiz will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing.
1. Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) and support and technical maintenance to Customer.
2. To comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
3. Resolving disputes, enforcing the Agreement, this DPA and/or defending Wiz’s rights.
4. Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.
Duration of Processing.
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Wiz will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Types of Customer Personal Data.
Customer determines the categories of any Customer Personal Data that is made accessible to Wiz, which may include, without limitation, Customer Personal Data relating to the following categories:
- If Customer uses Wiz for scanning, Personal Data might be temporarily processed by Wiz during the scanning. The type of the Personal Data depends on Customer environment and which sources Customer connects.
- Wiz only stores metadata such as CVEs, misconfigurations, list of installed packages, cloud events, local cloud user accounts, cloud object identifiers and (depending on the features used by Customer) logs and file paths. Such metadata does not generally contain Personal Data, however, depending on the Customer’s environment and naming conventions and the features used by Customer, some limited Personal Data may be included. For example, cloud user account names, logs and artifacts could include an individual’s name, logs could contain names, associated email address and IP address and (if specific Wiz features are enabled) pseudonymized samples of findings to enable Customer to locate, verify and remediate the finding(s).
Customer acknowledges that Wiz does not control which Customer Personal Data Customer shares with it in the context of the Services.
Categories of Data Subjects.
As part of providing the Services, Wiz may process Customer Personal Data related to Customer’s customers or users, leads, employees and service providers, the extent of which is solely determined by Customer.
SCHEDULE 2
STANDARD CONTRACTUAL CLAUSES
1. Incorporation and interpretation of the Standard Contractual Clauses
1.1 In relation to transfers by Customer of Customer Personal Data which are subject to Data Protection Laws of the EEA Extended Countries to Wiz in Third Countries, the parties agree that Module Two (Transfer controller to processor) or Module 3 (Transfer processor to processor) of the Standard Contractual Clauses shall apply, as applicable.
1.2 The Parties acknowledge that the information required to be provided in the Standard Contractual Clauses, including the appendices, is set out in Appendix 1 below.
1.3 If there is a conflict between the provisions of this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail, provided that, except to the extent prohibited by applicable law, the Standard Contractual Clauses shall be interpreted in accordance with and subject to this DPA and the Agreement, including without limitation, the provisions on limitation of liability, instructions, storage, erasure and return of Personal Data, audits and engagement of Sub-Processors.
1.4 If any provision or part-provision of this DPA or the Agreement causes the Standard Contractual Clauses to become an invalid export mechanism in the relevant Extended EEA Country, it shall be deemed deleted but that shall not affect the validity and enforceability of the rest of this Agreement and the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
1.5 Where requested by Wiz, Customer shall provide reasonable assistance to Wiz and be responsible for issuing such communications to Data Subjects and/or the Controller (to the extent Module Three applies) as are required in order for Wiz to comply with its obligations under the Standard Contractual Clauses.
1.6 For the purpose of Section III, Clause 14 of the Standard Contractual Clauses, the parties acknowledge and agree that, as between the parties, the Customer (acting as data exporter) is responsible for: (i) assessing the laws of the country to which it transfers Personal Data; and (ii) determining whether or not the transfer meets the requirements of Section III, Clause 14(a) of the Standard Contractual Clauses. Where Wiz (as data importer) provides information to the Customer (acting as data exporter) for assisting the Customer in its assessment, such information is provided on an “as is” basis for informational purposes only. Without prejudice to Section III, Clause 14(c) of the Standard Contractual Clauses, Wiz (as data importer) shall not be liable for any losses suffered by the Customer in connection with its assessment.
1.7 Notwithstanding anything to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is the UK, template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, (the “UK Approved Addendum”) shall amend the Standard Contractual Clauses in respect of such transfers and Part 1 of the UK Approved Addendum shall be populated as set out below:
Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and Wiz as importer.
Table 2. The “Addendum EU SCCs” are the modules and clauses of the Standard Contractual Clauses selected in relation to a particular transfer in accordance with paragraphs 1.1 and 1.2 of this Schedule.
Table 3. The “Appendix Information” is as set out in Appendix 1 to this Schedule.
Table 4. Neither party may end the UK Approved Addendum in accordance with its Section 19.
1.8 Except where paragraph 1.9 above applies, but notwithstanding anything else to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is not a Member State of the European Union, references in the Standard Contractual Clauses to:
(a) “Member States of the European Union” shall refer to the applicable Extended EEA Country in which the data exporter is established or from where the transferred Personal Data originated (as applicable);
(b) “the GDPR” shall refer to the Data Protection Laws of the Extended EEA Country in which the data exporter is established or from where the Personal Data originated; and
(c) “supervisory authority” shall refer to the data protection authority in the Extended EEA Country as determined in Annex I(C) below.
Appendix 1 – Completion of the Standard Contractual Clauses
ANNEX I
A. LIST OF THE PARTIES
Data Exporter: | Name and address: Customer, as set out in the Agreement; Contact details: As set out in the Agreement; Activities relevant to the data transferred under these Clauses: Receipt of Wiz Services, as set out in the Agreement and this DPA |
Data Importer: | Name and address: Wiz, as set out in the Agreement; Contact details: Privacy Officer, privacy@wiz.io; Activities relevant to the data transferred under these Clauses: Provision of Wiz Services, as set out in the Agreement and this DPA |
B. DETAILS OF PROCESSING/TRANSFER
CATEGORIES OF DATA SUBJECTS | As described in Schedule 1 |
CATEGORIES OF PERSONAL DATA | As described in Schedule 1 |
SPECIAL CATEGORIES OF DATA (IF APPLICABLE) | Wiz does not control which Personal Data Customer shares with it in the context of the Services |
FREQUENCY OF THE TRANSFER | As regular as is required to provide the Services |
NATURE AND PURPOSE OF THE PROCESSING | As described in Schedule 1 |
RETENTION | As described in Schedule 1 |
TRANSFER TO (SUB)PROCESSORS | As set out in Wiz’s Sub-Processor List |
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where an EU Representative has not been appointed by data exporter, the competent supervisory authority shall be the supervisory authority of the Netherlands.
D. GOVERNING LAW AND CHOICE OF FORUM
GOVERNING LAW | For the purposes of Clause 17 of the Standard Contractual Clauses the Parties select OPTION 1: the law of the Netherlands. |
CHOICE OF FORUM | For the purposes of Clause 18 of the SCCs: the Parties select the courts of the Netherlands. |
E. OTHER
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following will apply: For Clause 7 (Docking Clause), the optional provision will apply. For Clause 9(a), option 2 (General Written Authorisation) will apply and the time period for prior notice of Sub-Processor changes shall be as set out in this DPA. For Clause 11(a) (Redress) – the optional provision will not apply.
ANNEX II – WIZ SECURITY MEASURES
The technical and organizational measures including technical and organizational measures to support the security of Personal Data incorporated into Annex II of the Standard Contractual Clauses shall be the technical and organizational security measures as described in Wiz’s Security Addendum.
In addition, Wiz agrees to the following compensating safeguards to protect such data to an equivalent level as required under the Data Protection Laws of the Extended EEA Countries to the extent required under the Standard Contractual Clauses:
- Wiz and Customer shall encrypt all transfers of the Customer Personal Data between them, and Wiz shall encrypt any onward transfers it makes of such Customer Personal Data.
- Wiz will use reasonably available legal mechanisms to challenge any demands for Customer Personal Data access through national security process it receives as well as any non-disclosure provisions attached thereto.
- Wiz will promptly notify Customer of any government demands for Customer Personal Data, unless prohibited under applicable law. To the extent Wiz is prohibited by law from providing such notification, Wiz shall: (i) review each request on a case-by-case basis; (ii) use reasonable efforts to request that the confidentiality requirement be waived to enable Wiz to notify the Customer and/or the appropriate Supervisory Authority competent for the Customer; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.
- Wiz will promptly notify Customer if Wiz can no longer comply with the applicable clauses in this Section. Wiz shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder.
Effective November 13, 2023 to November 17, 2023
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms part of the Wiz Master Subscription Agreement or other agreement for Wiz services entered into between the Parties (the “Agreement”) between the Wiz entity that has entered into the Agreement (“Wiz”, “Us”, “We”, “Our”) and Customer (collectively, “You”, “Your”, or “Customer”) pursuant to the Agreement. Both parties shall be referred to as the “Parties” and each, a “Party”. This DPA forms a binding legal agreement to reflect the Parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below).
WHEREAS, Wiz shall provide the services set forth in the Agreement (collectively, the “Services”) to Customer, as described in the Agreement; and
WHEREAS, the Parties wish to set forth the arrangements concerning the Processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the Parties, intending to be legally bound, agree as follows:
1. INTERPRETATION AND DEFINITIONS
1.1 The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
1.2 Definitions:
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Controller” or “Business” as relevant under applicable Data Protection Laws, means the entity which determines the purposes and means of the Processing of Personal Data or such equivalent term under Data Protection Laws.
- “Customer Personal Data” means any Personal Data which is provided to and Processed by Wiz on behalf of Customer in order to provide the Services under the Agreement. Customer Personal Data does not include Personal Data that Wiz Processes as a Controller separately from its Processing obligations to Customer under the Agreement.
- “Data Protection Laws” means all laws and regulations of the European Union, the EEA and their Member States, Switzerland, the United Kingdom, and the United States, each to the extent applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the identified or identifiable person to whom the Customer Personal Data relates.
- “EEA” means the European Economic Area.
- “EU Data Protection Law” means the GDPR, and the UK GDPR.
- “Extended EEA Country” means a Member State of the EEA, Switzerland or the United Kingdom, and Extended EEA Countries means the foregoing countries collectively.
- “Member State(s)” means a country that belongs to the European Union and/or the EEA.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or such equivalent term under Data Protection Laws.
- “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” or “Service Provider,” as relevant under applicable Data Protection Laws, means the entity which Processes Personal Data on behalf of the Controller or Business or such equivalent term under Data Protection Laws.
- “Security Addendum” means Wiz’s Security Addendum which is available via https://www.wiz.io/legal/security-addendum.
- “Standard Contractual Clauses” means the “standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission decision of 4 June 2021” and published under document number C (2021) 3972 available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1689513765256, as may be updated, amended or superseded from time to time.
- “Sub-Processor” means any Processor or Service Provider engaged by Wiz and/or Wiz Affiliate to Process Customer Personal Data.
- “Supervisory Authority” means the competent supervisory authority pursuant to the applicable Data Protection Laws.
- “Third Country” has the meaning given in Clause 8.2 below.
- “UK GDPR” means the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR").
- “US Privacy Laws” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 along with any associated regulations (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act; and any similar U.S. laws governing data privacy and security once effective.
2. CUSTOMER’S PROCESSING OF PERSONAL DATA. Customer shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws and comply at all times with the obligations applicable to Controllers or Businesses, as applicable. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the means by which Customer acquired Customer Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal basis in order to collect, Process and transfer to Wiz the Customer Personal Data and to authorize the Processing by Wiz of the Customer Personal Data which is authorized in this DPA.
3. WIZ’S PROCESSING OF PERSONAL DATA
3.1 Application. As used in clauses 3 – 9 herein, Customer Personal Data refers to Customer Personal Data that is subject to Data Protection Laws.
3.2 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, (i) Customer is the Controller or Business, (ii) Wiz is the Processor or Service Provider, and (iii) Wiz or its Affiliates may engage Sub-Processors pursuant to the requirements set forth in Clause 6 below.
3.3 Wiz and its Affiliates (as applicable) shall Process Customer Personal Data only in accordance with Customer’s documented instructions, which are set out in the Agreement, as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required to otherwise by any applicable law, court of competent jurisdiction or other Supervisory Authority to which Wiz and its Affiliates are subject, in which case, Wiz shall inform Customer of the legal requirement before processing, unless that law prohibits such information. Customer agrees that the Agreement is its complete and final instructions to Wiz in relation to the Processing of Personal Data. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Wiz and Customer by way of an amendment to the Agreement, and may include any additional fees that may be payable by Customer to Wiz for carrying out such instructions. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Customer Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 to this DPA.
3.4 To the extent that Wiz or its Affiliates cannot comply with an instruction from Customer and/or its authorized users relating to Processing of Customer Personal Data or where Wiz considers such instruction to be unlawful, Wiz (i) shall inform Customer, providing relevant details of the problem; (ii) may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Customer Personal Data (other than securely storing those data); and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Wiz all the amounts owed to Wiz or due before the date of termination.
4. RIGHTS OF DATA SUBJECTS. If Wiz receives a request from a Data Subject to exercise its rights under Data Protection Laws (“Data Subject Request”), Wiz shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Wiz shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws.
5. WIZ PERSONNEL
5.1 Confidentiality. Wiz shall grant access to the Customer Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Customer Personal Data have committed themselves to confidentiality.
6. AUTHORIZATION REGARDING SUB-PROCESSORS
6.1 Customer hereby grants general written authorization to Wiz to appoint Sub-Processors to perform specific Processing activities on Customer Personal Data on its behalf. Wiz’s current list of Sub-Processors is included at https://www.wiz.io/sub-processor-list (“Sub-Processor List”) and is hereby approved by Customer.
6.2 Objection Right for Sub-Processors. Wiz offers a mechanism for Customers to subscribe to notifications of changes to Wiz’s Sub-Processor List via https://www.wiz.io/sub-processor-list. If Customer subscribes to receive such updates, Wiz shall provide notification of any intended changes concerning the addition or replacement of other Sub-Processor(s) to the email address which has subscribed thereby giving Customer the opportunity to object. Customer may reasonably object to Wiz’s use of a Sub-Processor for reasons related to the Data Protection Laws by notifying Wiz in writing within ten (10) days after receipt of Wiz’s notice including the reasons for objecting to Wiz’s use of such Sub-Processor. Failure to object to such Sub-Processor in writing within ten (10) days following Wiz’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-Processor, Wiz will use reasonable efforts to make available to Customer a change in the Services to avoid Processing of Customer Personal Data by the objected-to Sub-Processor without unreasonably burdening Customer. If Wiz is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the Agreement and this DPA by providing written notice to Wiz provided that all amounts due under the Agreement before the termination date shall be duly paid to Wiz. Until a decision is made regarding the Sub-Processor, Wiz may temporarily suspend the Processing of the affected Customer Personal Data.
6.3 Where Wiz engages a Sub-Processor, we shall do so by way of a written contract which imposes on the Sub-Processor substantially the same data protection obligations as in this DPA.
7. SECURITY
7.1 Controls for the Protection of Customer Personal Data. Taking into account the state of the art, Wiz shall maintain industry-standard technical and organizational measures, including as required pursuant to Article 32 of the GDPR and other applicable Data Protection Laws, for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data), confidentiality and integrity of Customer Personal Data, as set forth in the Security Addendum. Upon Customer’s request, Wiz will use commercially reasonable efforts to assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and other applicable Data Protection Laws taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Wiz.
7.2 Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Wiz shall make available to Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and bound by confidentiality obligations) a copy of Wiz’s then most recent third-party audits or certifications, as applicable (provided, however, that any such documentation shall be Wiz’s confidential information and shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Wiz’s prior written approval and, upon Wiz’s request, Customer shall return all such documentation in Customer’s possession or control). Only as required by applicable Data Protection Laws and at Customer’s cost and expense, not more than once per year, Wiz shall allow for and contribute to audits, including remote inspections, conducted by Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and that is bound by confidentiality obligations) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections in advance. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that belongs to Wiz’s other customers.
8. TRANSFERS OF DATA
8.1 Transfers to countries that offer adequate level of data protection. Personal Data may be transferred from the Extended EEA Countries to countries or frameworks that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the Extended EEA Countries (“Adequacy Decisions”), without any further safeguard being necessary.
8.2 Transfers to other countries. If, and to the extent, the Processing of Customer Personal Data which is subject to Data Protection Laws of the EEA Extended Countries includes transfers by Customer from the Extended EEA Countries to Wiz in countries outside the Extended EEA Countries which have not been subject to an Adequacy Decision (“Third Countries”), the Parties agree that such transfers shall be undertaken on the basis of the Standard Contractual Clauses, which will be deemed to have been signed by each Party on the Effective Date of this Agreement, are incorporated herein by reference and construed in accordance with Schedule 2 below, unless another mechanism provided for in the Data Protection Laws of the applicable Extended EEA Country applies.
8.3 In the event Customer enables Third Party Integrations (as defined in the Agreement) which involve transfers of Customer Personal Data between Wiz and the Third Party Integration provider, Customer acknowledges and agrees that (a) such Third Party Integration providers are not Sub-Processors of Wiz; (b) such transfers are conducted at Customer’s instruction in accordance with an agreement between the Customer and such Third Party Integration provider (which Wiz is not a party to); and (c) Customer shall be solely responsible for such transfers and their compliance with Data Protection Laws, including without limitation, executing Standard Contractual Clauses with such Third Party Integration providers as required.
9. US PRIVACY LAWS
9.1 In performing its obligations under the Agreement and this DPA, Wiz will not: (1) “sell” or “share” for purposes of “cross-context behavioral advertising” or “targeted advertising” (as defined by applicable US Privacy Laws) any Customer Personal Data; (2) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Wiz and Customer; or (3) attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data.
9.2 Wiz will (1) comply with any applicable restrictions under applicable US Privacy Laws on combining Customer Personal Data with Personal Data that Wiz receives from, or on behalf of, another person or persons; and (2) promptly notify Customer if Wiz determines that it (i) can no longer meet its obligations under this DPA or applicable US Privacy Laws; or (ii) in Wiz’s opinion, an instruction from Customer infringes applicable US Privacy Laws.
9.3 Wiz certifies that it understands its obligations in this Clause 9.
9.4 The Parties agree that Schedule 1 hereto shall satisfy any requirement under applicable U.S. Privacy Law to provide details regarding the nature of the Processing activities related to Customer Personal Data.
10. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. To the extent required under applicable Data Protection Laws, Wiz shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a “Personal Data Incident”). Wiz shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Wiz deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident. Customer (or its customers), as the Controller or Business, will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws).
11. RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, upon termination or expiry of the Services, Wiz shall make available for return the Customer Personal Data via the Services and delete such Customer Personal Data in accordance with Wiz’s customer data retention & deletion policy unless applicable law requires storage of the Customer Personal Data. In any event, Customer agrees that Wiz may retain Customer Personal Data in accordance with its standard backup policy, for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations. Notwithstanding anything to the contrary, Customer hereby agrees and understands that, to the extent Wiz performs cloud scanning on behalf of Customer, if and when Customer wants to delete specific Customer Personal Data, Customer may delete such Customer Personal Data from its own databases, and it will automatically be erased from Wiz’s databases within a reasonable market standard timeframe. If Customer requests return of the Customer Personal Data, it shall be returned in an industry standard format generally available for Wiz’s Customers.
12. TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided, provided that, to the extent Wiz retains any Customer Personal Data following termination or expiration of the Agreement, this DPA shall survive for such period that Wiz retains Customer Personal Data. Clauses 2, 3.4 and 13 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
13. RELATIONSHIP WITH AGREEMENT. Subject to any provisions in Schedule 2 regarding governing law and choice of forum of the Standard Contractual Clauses, the governing law and choice of forum provision in the Agreement shall apply to this DPA. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. For the avoidance of doubt each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, Data Protection Laws and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. NOTWITHSTANDING THE FOREGOING, IF CUSTOMER IS USING THE SERVICES FOR A FREE TRIAL, WIZ’S MAXIMUM AGGREGATE LIABILITY TO CUSTOMER UNDER OR RELATED TO THIS DPA SHALL BE CAPPED AT ONE THOUSAND DOLLARS US ($1,000 US).
14. MISCELLANEOUS. Any Wiz obligation hereunder may be performed (in whole or in part), and any Wiz right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Wiz. This DPA may be amended by Wiz from time to time in its sole discretion, with such updated version posted to Wiz’s website, provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.
List of Schedules
SCHEDULE 1 – DETAILS OF THE PROCESSING
SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES
SCHEDULE 1
DETAILS OF THE PROCESSING
Subject matter.
Wiz will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing.
1. Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) and support and technical maintenance to Customer.
2. To comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
3. Resolving disputes, enforcing the Agreement, this DPA and/or defending Wiz’s rights.
4. Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.
Duration of Processing.
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Wiz will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Types of Customer Personal Data.
Customer determines the categories of any Customer Personal Data that is made accessible to Wiz, which may include, without limitation, Customer Personal Data relating to the following categories:
- If Customer uses Wiz for scanning, Personal Data might be temporarily processed by Wiz during the scanning. The type of the Personal Data depends on Customer environment and which sources Customer connects.
- Wiz only stores metadata such as CVEs, misconfigurations, list of installed packages, cloud events, local cloud user accounts, cloud object identifiers and (depending on the features used by Customer) logs and file paths. Such metadata does not generally contain Personal Data, however, depending on the Customer’s environment and naming conventions and the features used by Customer, some limited Personal Data may be included. For example, cloud user account names, logs and artifacts could include an individual’s name, logs could contain names, associated email address and IP address and (if specific Wiz features are enabled) pseudonymized samples of findings to enable Customer to locate, verify and remediate the finding(s).
Customer acknowledges that Wiz does not control which Customer Personal Data Customer shares with it in the context of the Services.
Categories of Data Subjects.
As part of providing the Services, Wiz may process Customer Personal Data related to Customer’s customers or users, leads, employees and service providers, the extent of which is solely determined by Customer.
SCHEDULE 2
STANDARD CONTRACTUAL CLAUSES
1 Incorporation and interpretation of the Standard Contractual Clauses
1.1 In relation to transfers by Customer of Customer Personal Data which are subject to Data Protection Laws of the EEA Extended Countries to Wiz in Third Countries, the parties agree that Module Two (Transfer controller to processor) or Module 3 (Transfer processor to processor) of the Standard Contractual Clauses shall apply, as applicable.
1.2 The Parties acknowledge that the information required to be provided in the Standard Contractual Clauses, including the appendices, is set out in Appendix 1 below.
1.3 If there is a conflict between the provisions of this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail, provided that, except to the extent prohibited by applicable law, the Standard Contractual Clauses shall be interpreted in accordance with and subject to this DPA and the Agreement, including without limitation, the provisions on limitation of liability, instructions, storage, erasure and return of Personal Data, audits and engagement of Sub-Processors.
1.4 If any provision or part-provision of this DPA or the Agreement causes the Standard Contractual Clauses to become an invalid export mechanism in the relevant Extended EEA Country, it shall be deemed deleted but that shall not affect the validity and enforceability of the rest of this Agreement and the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
1.5 Where requested by Wiz, Customer shall provide reasonable assistance to Wiz and be responsible for issuing such communications to Data Subjects and/or the Controller (to the extent Module Three applies) as are required in order for Wiz to comply with its obligations under the Standard Contractual Clauses.
1.6 For the purpose of Section III, Clause 14 of the Standard Contractual Clauses, the parties acknowledge and agree that, as between the parties, the Customer (acting as data exporter) is responsible for: (i) assessing the laws of the country to which it transfers Personal Data; and (ii) determining whether or not the transfer meets the requirements of Section III, Clause 14(a) of the Standard Contractual Clauses. Where Wiz (as data importer) provides information to the Customer (acting as data exporter) for assisting the Customer in its assessment, such information is provided on an “as is” basis for informational purposes only. Without prejudice to Section III, Clause 14(c) of the Standard Contractual Clauses, Wiz (as data importer) shall not be liable for any losses suffered by the Customer in connection with its assessment.
1.7 Notwithstanding anything to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is the UK, template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, (the “UK Approved Addendum”) shall amend the Standard Contractual Clauses in respect of such transfers and Part 1 of the UK Approved Addendum shall be populated as set out below:
Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and Wiz as importer.
Table 2. The “Addendum EU SCCs” are the modules and clauses of the Standard Contractual Clauses selected in relation to a particular transfer in accordance with paragraphs 1.1 and 1.2 of this Schedule.
Table 3. The “Appendix Information” is as set out in Appendix 1 to this Schedule.
Table 4. Neither party may end the UK Approved Addendum in accordance with its Section 19.
1.8 Except where paragraph 1.9 above applies, but notwithstanding anything else to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is not a Member State of the European Union, references in the Standard Contractual Clauses to:
(a) “Member States of the European Union” shall refer to the applicable Extended EEA Country in which the data exporter is established or from where the transferred Personal Data originated (as applicable);
(b) “the GDPR” shall refer to the Data Protection Laws of the Extended EEA Country in which the data exporter is established or from where the Personal Data originated; and
(c) “supervisory authority” shall refer to the data protection authority in the Extended EEA Country as determined in Annex I(C) below.
Appendix 1 – Completion of the Standard Contractual Clauses
ANNEX I
A. LIST OF THE PARTIES | |
Data Exporter: | Name and address: Customer, as set out in the Agreement. Contact details: As set out in the Agreement. Activities relevant to the data transferred under these Clauses: Receipt of Wiz Services, as set out in the Agreement and this DPA. |
Data Importer: | Name and address: Wiz, as set out in the Agreement. Contact details: Privacy Officer, privacy@wiz.io. Activities relevant to the data transferred under these Clauses: Provision of Wiz Services, as set out in the Agreement and this DPA. |
B. DETAILS OF PROCESSING/TRANSFER | |
CATEGORIES OF DATA SUBJECTS | As described in Schedule 1 |
CATEGORIES OF PERSONAL DATA | As described in Schedule 1 |
SPECIAL CATEGORIES OF DATA (IF APPLICABLE) | Wiz does not control which Personal Data Customer shares with it in the context of the Services |
FREQUENCY OF THE TRANSFER | As regular as is required to provide the Services |
NATURE AND PURPOSE OF THE PROCESSING | As described in Schedule 1 |
RETENTION | As described in Schedule 1 |
TRANSFER TO (SUB)PROCESSORS | As set out in Wiz’s Sub-Processor List |
C. COMPETENT SUPERVISORY AUTHORITY | |
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where an EU Representative has not been appointed by data exporter, the competent supervisory authority shall be the supervisory authority of the Netherlands. | |
D. GOVERNING LAW AND CHOICE OF FORUM | |
GOVERNING LAW | For the purposes of Clause 17 of the Standard Contractual Clauses the Parties select OPTION 1: the law of the Netherlands. |
CHOICE OF FORUM | For the purposes of Clause 18 of the SCCs: the Parties select the courts of the Netherlands. |
E. OTHER | |
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following will apply: For Clause 7 (Docking Clause), the optional provision will apply. For Clause 9(a), option 2 (General Written Authorisation) will apply and the time period for prior notice of Sub-Processor changes shall be as set out in this DPA. For Clause 11(a) (Redress) – the optional provision will not apply. |
ANNEX II – WIZ SECURITY MEASURES
The technical and organizational measures including technical and organizational measures to support the security of Personal Data incorporated into Annex II of the Standard Contractual Clauses shall be the technical and organizational security measures as described in Wiz’s Security Addendum.
In addition, Wiz agrees to the following compensating safeguards to protect such data to an equivalent level as required under the Data Protection Laws of the Extended EEA Countries to the extent required under the Standard Contractual Clauses:
- Wiz and Customer shall encrypt all transfers of the Customer Personal Data between them, and Wiz shall encrypt any onward transfers it makes of such Customer Personal Data.
- Wiz will use reasonably available legal mechanisms to challenge any demands for Customer Personal Data access through national security process it receives as well as any non-disclosure provisions attached thereto.
- Wiz will promptly notify Customer of any government demands for Customer Personal Data, unless prohibited under applicable law. To the extent Wiz is prohibited by law from providing such notification, Wiz shall: (i) review each request on a case-by-case basis; (ii) use reasonable efforts to request that the confidentiality requirement be waived to enable Wiz to notify the Customer and/or the appropriate Supervisory Authority competent for the Customer; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.
- Wiz will promptly notify Customer if Wiz can no longer comply with the applicable clauses in this Section. Wiz shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder.
Effective October 29, 2023 to November 13, 2023
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms part of the Wiz Master Subscription Agreement or other agreement for Wiz services entered into between the Parties (the “Agreement”) between the Wiz entity that has entered into the Agreement (“Wiz”, “Us”, “We”, “Our”) and Customer (collectively, “You”, “Your”, or “Customer”) pursuant to the Agreement. Both parties shall be referred to as the “Parties” and each, a “Party”. This DPA forms a binding legal agreement to reflect the Parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below).
WHEREAS, Wiz shall provide the services set forth in the Agreement (collectively, the “Services”) to Customer, as described in the Agreement; and
WHEREAS, the Parties wish to set forth the arrangements concerning the Processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the Parties, intending to be legally bound, agree as follows:
1. 	INTERPRETATION AND DEFINITIONS
1.1 	The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
1.2	Definitions:
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Controller” or “Business” as relevant under applicable Data Protection Laws, means the entity which determines the purposes and means of the Processing of Personal Data or such equivalent term under Data Protection Laws.
- “Customer Personal Data” means any Personal Data which is provided to and Processed by Wiz on behalf of Customer in order to provide the Services under the Agreement. Customer Personal Data does not include Personal Data that Wiz Processes as a Controller separately from its Processing obligations to Customer under the Agreement.
- “Data Protection Laws” means all laws and regulations of the European Union, the EEA and their Member States, Switzerland, the United Kingdom, and the United States, each to the extent applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the identified or identifiable person to whom the Customer Personal Data relates.
- “EEA” means the European Economic Area.
- “EU Data Protection Law” means the GDPR, and the UK GDPR.
- “Extended EEA Country” means a Member State of the EEA, Switzerland or the United Kingdom, and Extended EEA Countries means the foregoing countries collectively.
- “Member State(s)” means a country that belongs to the European Union and/or the EEA.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or such equivalent term under Data Protection Laws.
- “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” or “Service Provider,” as relevant under applicable Data Protection Laws, means the entity which Processes Personal Data on behalf of the Controller or Business or such equivalent term under Data Protection Laws.
- “Security Addendum” means Wiz’s Security Addendum which is available via https://www.wiz.io/security-addendum.
- “Standard Contractual Clauses” means the “standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission decision of 4 June 2021” and published under document number C (2021) 3972 available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1689513765256, as may be updated, amended or superseded from time to time.
- “Sub-Processor” means any Processor or Service Provider engaged by Wiz and/or Wiz Affiliate to Process Customer Personal Data.
- “Supervisory Authority” means the competent supervisory authority pursuant to the applicable Data Protection Laws.
- “Third Country” has the meaning given in Clause 8.2 below.
- “UK GDPR” means the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR").
- “US Privacy Laws” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 along with any associated regulations (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act; and any similar U.S. laws governing data privacy and security once effective.
2.	CUSTOMER’S PROCESSING OF PERSONAL DATA. Customer shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws and comply at all times with the obligations applicable to Controllers or Businesses, as applicable. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the means by which Customer acquired Customer Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal basis in order to collect, Process and transfer to Wiz the Customer Personal Data and to authorize the Processing by Wiz of the Customer Personal Data which is authorized in this DPA.
3.	WIZ’S PROCESSING OF PERSONAL DATA
3.1	Application. As used in clauses 3 – 9 herein, Customer Personal Data refers to Customer Personal Data that is subject to Data Protection Laws.
3.2	Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, (i) Customer is the Controller or Business, (ii) Wiz is the Processor or Service Provider, and (iii) Wiz or its Affiliates may engage Sub-Processors pursuant to the requirements set forth in Clause 6 below.
3.3	Wiz and its Affiliates (as applicable) shall Process Customer Personal Data only in accordance with Customer’s documented instructions, which are set out in the Agreement, as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required to otherwise by any applicable law, court of competent jurisdiction or other Supervisory Authority to which Wiz and its Affiliates are subject, in which case, Wiz shall inform Customer of the legal requirement before processing, unless that law prohibits such information. Customer agrees that the Agreement is its complete and final instructions to Wiz in relation to the Processing of Personal Data. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Wiz and Customer by way of an amendment to the Agreement, and may include any additional fees that may be payable by Customer to Wiz for carrying out such instructions. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Customer Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 to this DPA.
3.4	To the extent that Wiz or its Affiliates cannot comply with an instruction from Customer and/or its authorized users relating to Processing of Customer Personal Data or where Wiz considers such instruction to be unlawful, Wiz (i) shall inform Customer, providing relevant details of the problem; (ii) may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Customer Personal Data (other than securely storing those data); and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Wiz all the amounts owed to Wiz or due before the date of termination.
4.	RIGHTS OF DATA SUBJECTS. If Wiz receives a request from a Data Subject to exercise its rights under Data Protection Laws (“Data Subject Request”), Wiz shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Wiz shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws.
5.	WIZ PERSONNEL
5.1	Confidentiality. Wiz shall grant access to the Customer Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Customer Personal Data have committed themselves to confidentiality.
6.	AUTHORIZATION REGARDING SUB-PROCESSORS
6.1	Customer hereby grants general written authorization to Wiz to appoint Sub-Processors to perform specific Processing activities on Customer Personal Data on its behalf. Wiz’s current list of Sub-Processors is included at https://www.wiz.io/sub-processor-list (“Sub-Processor List”) and is hereby approved by Customer.
6.2	Objection Right for Sub-Processors. Wiz offers a mechanism for Customers to subscribe to notifications of changes to Wiz’s Sub-Processor List via https://www.wiz.io/legal/sub-processor-list. If Customer subscribes to receive such updates, Wiz shall provide notification of any intended changes concerning the addition or replacement of other Sub-Processor(s) to the email address which has subscribed thereby giving Customer the opportunity to object. Customer may reasonably object to Wiz’s use of a Sub-Processor for reasons related to the Data Protection Laws by notifying Wiz in writing within ten (10) days after receipt of Wiz’s notice including the reasons for objecting to Wiz’s use of such Sub-Processor. Failure to object to such Sub-Processor in writing within ten (10) days following Wiz’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-Processor, Wiz will use reasonable efforts to make available to Customer a change in the Services to avoid Processing of Customer Personal Data by the objected-to Sub-Processor without unreasonably burdening Customer. If Wiz is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the Agreement and this DPA by providing written notice to Wiz provided that all amounts due under the Agreement before the termination date shall be duly paid to Wiz. Until a decision is made regarding the Sub-Processor, Wiz may temporarily suspend the Processing of the affected Customer Personal Data.
6.3	Where Wiz engages a Sub-Processor, we shall do so by way of a written contract which imposes on the Sub-Processor substantially the same data protection obligations as in this DPA.
7.	SECURITY
7.1	Controls for the Protection of Customer Personal Data. Taking into account the state of the art, Wiz shall maintain industry-standard technical and organizational measures, including as required pursuant to Article 32 of the GDPR and other applicable Data Protection Laws, for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data), confidentiality and integrity of Customer Personal Data, as set forth in the Security Addendum. Upon Customer’s request, Wiz will use commercially reasonable efforts to assist Customer, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and other applicable Data Protection Laws taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Wiz.
7.2	Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Wiz shall make available to Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and bound by confidentiality obligations) a copy of Wiz’s then most recent third-party audits or certifications, as applicable (provided, however, that any such documentation shall be Wiz’s confidential information and shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Wiz’s prior written approval and, upon Wiz’s request, Customer shall return all such documentation in Customer’s possession or control). Only as required by applicable Data Protection Laws and at Customer’s cost and expense, not more than once per year, Wiz shall allow for and contribute to audits, including remote inspections, conducted by Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and that is bound by confidentiality obligations) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections in advance. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that belongs to Wiz’s other customers.
8.	TRANSFERS OF DATA
8.1	Transfers to countries that offer adequate level of data protection. Personal Data may be transferred from the Extended EEA Countries to countries or frameworks that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the Extended EEA Countries (“Adequacy Decisions”), without any further safeguard being necessary.
8.2 	Transfers to other countries. If, and to the extent, the Processing of Customer Personal Data which is subject to Data Protection Laws of the EEA Extended Countries includes transfers by Customer from the Extended EEA Countries to Wiz in countries outside the Extended EEA Countries which have not been subject to an Adequacy Decision (“Third Countries”), the Parties agree that such transfers shall be undertaken on the basis of the Standard Contractual Clauses, which will be deemed to have been signed by each Party on the Effective Date of this Agreement, are incorporated herein by reference and construed in accordance with Schedule 2 below, unless another mechanism provided for in the Data Protection Laws of the applicable Extended EEA Country applies.
8.3	In the event Customer enables Third Party Integrations (as defined in the Agreement) which involve transfers of Customer Personal Data between Wiz and the Third Party Integration provider, Customer acknowledges and agrees that (a) such Third Party Integration providers are not Sub-Processors of Wiz; (b) such transfers are conducted at Customer’s instruction in accordance with an agreement between the Customer and such Third Party Integration provider (which Wiz is not a party to); and (c) Customer shall be solely responsible for such transfers and their compliance with Data Protection Laws, including without limitation, executing Standard Contractual Clauses with such Third Party Integration providers as required.
9. 	US PRIVACY LAWS
9.1 	In performing its obligations under the Agreement and this DPA, Wiz will not: (1) “sell” or “share” for purposes of “cross-context behavioral advertising” or “targeted advertising” (as defined by applicable US Privacy Laws) any Customer Personal Data; (2) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Wiz and Customer; or (3) attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data.
9.2	Wiz will (1) comply with any applicable restrictions under applicable US Privacy Laws on combining Customer Personal Data with Personal Data that Wiz receives from, or on behalf of, another person or persons; and (2) promptly notify Customer if Wiz determines that it (i) can no longer meet its obligations under this DPA or applicable US Privacy Laws; or (ii) in Wiz’s opinion, an instruction from Customer infringes applicable US Privacy Laws.
9.3 Wiz certifies that it understands its obligations in this Clause 9.
9.4	The Parties agree that Schedule 1 hereto shall satisfy any requirement under applicable U.S. Privacy Law to provide details regarding the nature of the Processing activities related to Customer Personal Data.
10.	PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. To the extent required under applicable Data Protection Laws, Wiz shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a “Personal Data Incident”). Wiz shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Wiz deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident. Customer (or its customers), as the Controller or Business, will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws).
11.	RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, upon termination or expiry of the Services, Wiz shall make available for return the Customer Personal Data via the Services and delete such Customer Personal Data in accordance with Wiz’s customer data retention & deletion policy unless applicable law requires storage of the Customer Personal Data. In any event, Customer agrees that Wiz may retain Customer Personal Data in accordance with its standard backup policy, for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations. Notwithstanding anything to the contrary, Customer hereby agrees and understands that, to the extent Wiz performs cloud scanning on behalf of Customer, if and when Customer wants to delete specific Customer Personal Data, Customer may delete such Customer Personal Data from its own databases, and it will automatically be erased from Wiz’s databases within a reasonable market standard timeframe. If Customer requests return of the Customer Personal Data, it shall be returned in an industry standard format generally available for Wiz’s Customers.
12.	TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided, provided that, to the extent Wiz retains any Customer Personal Data following termination or expiration of the Agreement, this DPA shall survive for such period that Wiz retains Customer Personal Data. Clauses 2, 3.4 and 13 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
13.	RELATIONSHIP WITH AGREEMENT. Subject to any provisions in Schedule 2 regarding governing law and choice of forum of the Standard Contractual Clauses, the governing law and choice of forum provision in the Agreement shall apply to this DPA. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. For the avoidance of doubt each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, Data Protection Laws and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. NOTWITHSTANDING THE FOREGOING, IF CUSTOMER IS USING THE SERVICES FOR A FREE TRIAL, WIZ’S MAXIMUM AGGREGATE LIABILITY TO CUSTOMER UNDER OR RELATED TO THIS DPA SHALL BE CAPPED AT ONE THOUSAND DOLLARS US ($1,000 US).
14.	MISCELLANEOUS. Any Wiz obligation hereunder may be performed (in whole or in part), and any Wiz right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Wiz. This DPA may be amended by Wiz from time to time in its sole discretion, with such updated version posted to Wiz’s website, provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.
List of Schedules
SCHEDULE 1 – DETAILS OF THE PROCESSING
SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES
SCHEDULE 1
DETAILS OF THE PROCESSING
Subject matter.
Wiz will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing.
1.	Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) and support and technical maintenance to Customer.
2.	To comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
3.	Resolving disputes, enforcing the Agreement, this DPA and/or defending Wiz’s rights.
4.	Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.
Duration of Processing.
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Wiz will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Types of Customer Personal Data.
Customer determines the categories of any Customer Personal Data that is made accessible to Wiz, which may include, without limitation, Customer Personal Data relating to the following categories:
- If Customer uses Wiz for scanning, Personal Data might be temporarily processed by Wiz during the scanning. The type of the Personal Data depends on Customer environment and which sources Customer connects.
- Wiz only stores metadata such as CVEs, misconfigurations, list of installed packages, cloud events, local cloud user accounts, cloud object identifiers and (depending on the features used by Customer) logs and file paths. Such metadata does not generally contain Personal Data, however, depending on the Customer’s environment and naming conventions and the features used by Customer, some limited Personal Data may be included. For example, cloud user account names, logs and artifacts could include an individual’s name, logs could contain names, associated email address and IP address and (if specific Wiz features are enabled) pseudonymized samples of findings to enable Customer to locate, verify and remediate the finding(s).
Customer acknowledges that Wiz does not control which Customer Personal Data Customer shares with it in the context of the Services.
Categories of Data Subjects.
As part of providing the Services, Wiz may process Customer Personal Data related to Customer’s customers or users, leads, employees and service providers, the extent of which is solely determined by Customer.
SCHEDULE 2
STANDARD CONTRACTUAL CLAUSES
1	Incorporation and interpretation of the Standard Contractual Clauses
1.1	In relation to transfers by Customer of Customer Personal Data which are subject to Data Protection Laws of the EEA Extended Countries to Wiz in Third Countries, the parties agree that Module Two (Transfer controller to processor) or Module Three (Transfer processor to processor) of the Standard Contractual Clauses shall apply, as applicable.
1.2	The Parties acknowledge that the information required to be provided in the Standard Contractual Clauses, including the appendices, is set out in Appendix 1 below.
1.3	If there is a conflict between the provisions of this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail, provided that, except to the extent prohibited by applicable law, the Standard Contractual Clauses shall be interpreted in accordance with and subject to this DPA and the Agreement, including without limitation, the provisions on limitation of liability, instructions, storage, erasure and return of Personal Data, audits and engagement of Sub-Processors.
1.4	If any provision or part-provision of this DPA or the Agreement causes the Standard Contractual Clauses to become an invalid export mechanism in the relevant Extended EEA Country, it shall be deemed deleted but that shall not affect the validity and enforceability of the rest of this Agreement and the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
1.5	Where requested by Wiz, Customer shall provide reasonable assistance to Wiz and be responsible for issuing such communications to Data Subjects and/or the Controller (to the extent Module Three applies) as are required in order for Wiz to comply with its obligations under the Standard Contractual Clauses.
1.6	For the purpose of Section III, Clause 14 of the Standard Contractual Clauses, the parties acknowledge and agree that, as between the parties, the Customer (acting as data exporter) is responsible for: (i) assessing the laws of the country to which it transfers Personal Data; and (ii) determining whether or not the transfer meets the requirements of Section III, Clause 14(a) of the Standard Contractual Clauses. Where Wiz (as data importer) provides information to the Customer (acting as data exporter) for assisting the Customer in its assessment, such information is provided on an “as is” basis for informational purposes only. Without prejudice to Section III, Clause 14(c) of the Standard Contractual Clauses, Wiz (as data importer) shall not be liable for any losses suffered by the Customer in connection with its assessment.
1.7 	Notwithstanding anything to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is the UK, template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, (the “UK Approved Addendum”) shall amend the Standard Contractual Clauses in respect of such transfers and Part 1 of the UK Approved Addendum shall be populated as set out below:
Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and Wiz as importer.
Table 2. The “Addendum EU SCCs” are the modules and clauses of the Standard Contractual Clauses selected in relation to a particular transfer in accordance with paragraphs 1.1 and 1.2 of this Schedule.
Table 3. The “Appendix Information” is as set out in Appendix 1 to this Schedule.
Table 4. Neither party may end the UK Approved Addendum in accordance with its Section 19.
1.8 	Except where paragraph 1.9 above applies, but notwithstanding anything else to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is not a Member State of the European Union, references in the Standard Contractual Clauses to:
(a)	“Member States of the European Union” shall refer to the applicable Extended EEA Country in which the data exporter is established or from where the transferred Personal Data originated (as applicable);
(b)	“the GDPR” shall refer to the Data Protection Laws of the Extended EEA Country in which the data exporter is established or from where the Personal Data originated; and
(c)	“supervisory authority” shall refer to the data protection authority in the Extended EEA Country as determined in Annex I(C) below.
Appendix 1 – Completion of the Standard Contractual Clauses
ANNEX I
A. LIST OF THE PARTIES | |
Data Exporter: | Name and address: Customer, as set out in the Agreement Contact details: As set out in the Agreement Activities relevant to the data transferred under these Clauses: Receipt of Wiz Services, as set out in the Agreement and this DPA |
Data Importer:	 | Name and address: Wiz, as set out in the Agreement Contact details: Privacy Officer, privacy@wiz.io Activities relevant to the data transferred under these Clauses: Provision of Wiz Services, as set out in the Agreement and this DPA |
B. DETAILS OF PROCESSING/TRANSFER | |
CATEGORIES OF DATA SUBJECTS | As described in Schedule 1 |
CATEGORIES OF PERSONAL DATA	 | As described in Schedule 1 |
SPECIAL CATEGORIES OF DATA (IF APPLICABLE) | Wiz does not control which Personal Data Customer shares with it in the context of the Services |
FREQUENCY OF THE TRANSFER | As regular as is required to provide the Services |
NATURE AND PURPOSE OF THE PROCESSING	 | As described in Schedule 1 |
RETENTION | As described in Schedule 1 |
TRANSFER TO (SUB)PROCESSORS | As set out in Wiz’s Sub-Processor List |
C. COMPETENT SUPERVISORY AUTHORITY | |
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where an EU Representative has not been appointed by data exporter, the competent supervisory authority shall be the supervisory authority of the Netherlands. | |
D. GOVERNING LAW AND CHOICE OF FORUM | |
GOVERNING LAW | For the purposes of Clause 17 of the Standard Contractual Clauses the Parties select OPTION 1: the law of the Netherlands. |
CHOICE OF FORUM | For the purposes of Clause 18 of the SCCs: the Parties select the courts of the Netherlands. |
E. OTHER | |
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following will apply:	 For Clause 7 (Docking Clause), the optional provision will apply. For Clause 9(a), option 2 (General Written Authorisation) will apply and the time period for prior notice of Sub-Processor changes shall be as set out in this DPA. For Clause 11(a) (Redress) – the optional provision will not apply. |
ANNEX II – WIZ SECURITY MEASURES
The technical and organizational measures including technical and organizational measures to support the security of Personal Data incorporated into Annex II of the Standard Contractual Clauses shall be the technical and organizational security measures as described in Wiz’s Security Addendum.
In addition, Wiz agrees to the following compensating safeguards to protect such data to an equivalent level as required under the Data Protection Laws of the Extended EEA Countries to the extent required under the Standard Contractual Clauses:
- Wiz and Customer shall encrypt all transfers of the Customer Personal Data between them, and Wiz shall encrypt any onward transfers it makes of such Customer Personal Data.
- Wiz will use reasonably available legal mechanisms to challenge any demands for Customer Personal Data access through national security process it receives as well as any non-disclosure provisions attached thereto.
- Wiz will promptly notify Customer of any government demands for Customer Personal Data, unless prohibited under applicable law. To the extent Wiz is prohibited by law from providing such notification, Wiz shall: (i) review each request on a case-by-case basis; (ii) use reasonable efforts to request that the confidentiality requirement be waived to enable Wiz to notify the Customer and/or the appropriate Supervisory Authority competent for the Customer; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.
- Wiz will promptly notify Customer if Wiz can no longer comply with the applicable clauses in this Section. Wiz shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder.
Effective September 19, 2023 to October 29, 2023
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms part of the Wiz Master Subscription Agreement or other agreement for Wiz services entered into between the Parties (the “Agreement”) between the Wiz entity that has entered into the Agreement (“Wiz”, “Us”, “We”, “Our”) and Customer (collectively, “You”, “Your”, or “Customer”) pursuant to the Agreement. Both parties shall be referred to as the “Parties” and each, a “Party”. This DPA forms a binding legal agreement to reflect the Parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below).
WHEREAS, Wiz shall provide the services set forth in the Agreement (collectively, the “Services”) to Customer, as described in the Agreement; and
WHEREAS, the Parties wish to set forth the arrangements concerning the Processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the Parties, intending to be legally bound, agree as follows:
1. INTERPRETATION AND DEFINITIONS
1.1 The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
1.2 Definitions:
2. CUSTOMER’S PROCESSING OF PERSONAL DATA. Customer shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws and comply at all times with the obligations applicable to Controllers or Businesses, as applicable. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the means by which Customer acquired Customer Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal basis in order to collect, Process and transfer to Wiz the Customer Personal Data and to authorize the Processing by Wiz of the Customer Personal Data which is authorized in this DPA.
3. WIZ’S PROCESSING OF PERSONAL DATA
3.1 Application. As used in clauses 3 – 9 herein, Customer Personal Data refers to Customer Personal Data that is subject to Data Protection Laws.
3.2 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, (i) Customer is the Controller or Business, (ii) Wiz is the Processor or Service Provider, and (iii) Wiz or its Affiliates may engage Sub-Processors pursuant to the requirements set forth in Clause 6 below.
3.3 Wiz and its Affiliates (as applicable) shall Process Customer Personal Data only in accordance with Customer’s documented instructions, which are set out in this DPA, the Agreement, as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required to otherwise by any applicable law, court of competent jurisdiction or other Supervisory Authority to which Wiz and its Affiliates are subject, in which case, Wiz shall inform Customer of the legal requirement before processing, unless that law prohibits such information. Customer agrees that the Agreement is its complete and final instructions to Wiz in relation to the Processing of Personal Data. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Wiz and Customer by way of an amendment to the Agreement, and may include any additional fees that may be payable by Customer to Wiz for carrying out such instructions. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Customer Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 to this DPA.
3.4 To the extent that Wiz or its Affiliates cannot comply with an instruction from Customer and/or its authorized users relating to Processing of Customer Personal Data or where Wiz considers such instruction to be unlawful, Wiz (i) shall inform Customer, providing relevant details of the problem; (ii) may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Customer Personal Data (other than securely storing those data); and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Wiz all the amounts owed to Wiz or due before the date of termination.
4. RIGHTS OF DATA SUBJECTS. If Wiz receives a request from a Data Subject to exercise its rights under Data Protection Laws (“Data Subject Request”), Wiz shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Wiz shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws.
5. WIZ PERSONNEL
5.1 Confidentiality. Wiz shall grant access to the Customer Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Customer Personal Data have committed themselves to confidentiality.
6. AUTHORIZATION REGARDING SUB-PROCESSORS
6.1 Customer hereby grants general written authorization to Wiz to appoint Sub-Processors to perform specific Processing activities on Customer Personal Data on its behalf. Wiz’s current list of Sub-Processors is included at https://www.wiz.io/sub-processor-list (“Sub-Processor List”) and is hereby approved by Customer.
6.2. Objection Right for Sub-Processors. Wiz offers a mechanism for Customers to subscribe to notifications of changes to Wiz’s Sub-Processor List via https://www.wiz.io/legal/sub-processor-list. If Customer subscribes to receive such updates, Wiz shall provide notification of any intended changes concerning the addition or replacement of other Sub-Processor(s) to the email address which has subscribed thereby giving Customer the opportunity to object. Customer may reasonably object to Wiz’s use of a Sub-Processor for reasons related to the Data Protection Laws by notifying Wiz in writing within ten (10) days after receipt of Wiz’s notice including the reasons for objecting to Wiz’s use of such Sub-Processor. Failure to object to such Sub-Processor in writing within ten (10) days following Wiz’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-Processor, Wiz will use reasonable efforts to make available to Customer a change in the Services to avoid Processing of Customer Personal Data by the objected-to Sub-Processor without unreasonably burdening Customer. If Wiz is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the Agreement and this DPA by providing written notice to Wiz provided that all amounts due under the Agreement before the termination date shall be duly paid to Wiz. Until a decision is made regarding the Sub-Processor, Wiz may temporarily suspend the Processing of the affected Customer Personal Data.
6.3. Where Wiz engages a Sub-Processor, we shall do so by way of a written contract which imposes on the Sub-Processor substantially the same data protection obligations as in this DPA.
7. SECURITY
7.1 Controls for the Protection of Customer Personal Data. Taking into account the state of the art, Wiz shall maintain industry-standard technical and organizational measures, including as required pursuant to Article 32 of the GDPR and other applicable Data Protection Laws, for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data), confidentiality and integrity of Customer Personal Data, as set forth in the Security Documentation. Upon Customer’s request, Wiz will use commercially reasonable efforts to assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and other applicable Data Protection Laws taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Wiz.
7.2 Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Wiz shall make available to Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and bound by confidentiality obligations) a copy of Wiz’s then most recent third-party audits or certifications, as applicable (provided, however, that any such documentation shall be Wiz’s confidential information and shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Wiz’s prior written approval and, upon Wiz’s request, Customer shall return all such documentation in Customer’s possession or control). Only as required by applicable Data Protection Laws and at Customer’s cost and expense, not more than once per year, Wiz shall allow for and contribute to audits, including remote inspections, conducted by Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and that is bound by confidentiality obligations) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections in advance. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that belongs to Wiz’s other customers.
8. TRANSFERS OF DATA
8.1 Transfers to countries that offer adequate level of data protection. Personal Data may be transferred from the Extended EEA Countries to countries or frameworks that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the Extended EEA Countries (“Adequacy Decisions”), without any further safeguard being necessary.
8.2 Transfers to other countries. If, and to the extent, the Processing of Customer Personal Data which is subject to Data Protection Laws of the EEA Extended Countries includes transfers by Customer from the Extended EEA Countries to Wiz in countries outside the Extended EEA Countries which have not been subject to an Adequacy Decision (“Third Countries”), the Parties agree that such transfers shall be undertaken on the basis of the Standard Contractual Clauses, which will be deemed to have been signed by each Party on the Effective Date of this Agreement, are incorporated herein by reference and construed in accordance with Schedule 2 below, unless another mechanism provided for in the Data Protection Laws of the applicable Extended EEA Country applies.
8.3 In the event Customer enables Third Party Integrations (as defined in the Agreement) which involve transfers of Customer Personal Data between Wiz and the Third Party Integration provider, Customer acknowledges and agrees that (a) such Third Party Integration providers are not Sub-Processors of Wiz; (b) such transfers are conducted at Customer’s instruction in accordance with an agreement between the Customer and such Third Party Integration provider (which Wiz is not a party to); and (c) Customer shall be solely responsible for such transfers and their compliance with Data Protection Laws, including without limitation, executing Standard Contractual Clauses with such Third Party Integration providers as required.
9. US PRIVACY LAWS
9.1 In performing its obligations under the Agreement and this DPA, Wiz will not: (1) “sell” or “share” for purposes of “cross-context behavioral advertising” or “targeted advertising” (as defined by applicable US Privacy Laws) any Customer Personal Data; (2) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Wiz and Customer; or (3) attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data.
9.2 Wiz will (1) comply with any applicable restrictions under applicable US Privacy Laws on combining Customer Personal Data with Personal Data that Wiz receives from, or on behalf of, another person or persons; and (2) promptly notify Customer if Wiz determines that it (i) can no longer meet its obligations under this DPA or applicable US Privacy Laws; or (ii) in Wiz’s opinion, an instruction from Customer infringes applicable US Privacy Laws.
9.3 Wiz certifies that it understands its obligations in this Clause 9.
9.4 The Parties agree that Schedule 1 hereto shall satisfy any requirement under applicable U.S. Privacy Law to provide details regarding the nature of the Processing activities related to Customer Personal Data.
10. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. To the extent required under applicable Data Protection Laws, Wiz shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a “Personal Data Incident”). Wiz shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Wiz deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident. Customer (or its customers), as the Controller or Business, will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws).
11. RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, upon termination or expiry of the Services, Wiz shall make available for return the Customer Personal Data via the Services and delete such Customer Personal Data in accordance with Wiz’s customer data retention & deletion policy unless applicable law requires storage of the Customer Personal Data. In any event, Customer agrees that Wiz may retain Customer Personal Data in accordance with its standard backup policy, for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations. Notwithstanding anything to the contrary, Customer hereby agrees and understands that, to the extent Wiz performs cloud scanning on behalf of Customer, if and when Customer wants to delete specific Customer Personal Data, Customer may delete such Customer Personal Data from its own databases, and it will automatically be erased from Wiz’s databases within a reasonable market standard timeframe. If Customer requests return of the Customer Personal Data, it shall be returned in an industry standard format generally available for Wiz’s Customers.
12. TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided, provided that, to the extent Wiz retains any Customer Personal Data following termination or expiration of the Agreement, this DPA shall survive for such period that Wiz retains Customer Personal Data. Clauses 2, 3.4 and 13 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
13. RELATIONSHIP WITH AGREEMENT. Subject to any provisions in Schedule 2 regarding governing law and choice of forum of the Standard Contractual Clauses, the governing law and choice of forum provision in the Agreement shall apply to this DPA. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. For the avoidance of doubt each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, Data Protection Laws and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. NOTWITHSTANDING THE FOREGOING, IF CUSTOMER IS USING THE SERVICES FOR A FREE TRIAL, WIZ’S MAXIMUM AGGREGATE LIABILITY TO CUSTOMER UNDER OR RELATED TO THIS DPA SHALL BE CAPPED AT ONE THOUSAND DOLLARS US ($1,000 US).
14. MISCELLANEOUS. Any Wiz obligation hereunder may be performed (in whole or in part), and any Wiz right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Wiz. This DPA may be amended by Wiz from time to time in its sole discretion, with such updated version posted to Wiz’s website, provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.
List of Schedules
SCHEDULE 1 – DETAILS OF THE PROCESSING
SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES
SCHEDULE 1
DETAILS OF THE PROCESSING
Subject matter.
Wiz will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing.
1. Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) and support and technical maintenance to Customer.
2. To comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
3. Resolving disputes, enforcing the Agreement, this DPA and/or defending Wiz’s rights.
4. Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.
Duration of Processing.
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Wiz will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Types of Customer Personal Data.
Customer determines the categories of any Customer Personal Data that is made accessible to Wiz, which may include, without limitation, Customer Personal Data relating to the following categories:
- If Customer uses Wiz for scanning, Personal Data might be temporarily processed by Wiz during the scanning. The type of the Personal Data depends on Customer environment and which sources Customer connects.
- Wiz only stores metadata such as CVEs, misconfigurations, list of installed packages, cloud events, local cloud user accounts, cloud object identifiers and (depending on the features used by Customer) logs and file paths. Such metadata does not generally contain Personal Data, however, depending on the Customer’s environment and naming conventions and the features used by Customer, some limited Personal Data may be included. For example, cloud user account names, logs and artifacts could include an individual’s name, logs could contain names, associated email address and IP address and (if specific Wiz features are enabled) pseudonymized samples of findings to enable Customer to locate, verify and remediate the finding(s).
Customer acknowledges that Wiz does not control which Customer Personal Data Customer shares with it in the context of the Services.
Categories of Data Subjects.
As part of providing the Services, Wiz may process Customer Personal Data related to Customer’s customers or users, leads, employees and service providers, the extent of which is solely determined by Customer.
SCHEDULE 2
STANDARD CONTRACTUAL CLAUSES
1. Incorporation and interpretation of the Standard Contractual Clauses
1.1 In relation to transfers by Customer of Customer Personal Data which are subject to Data Protection Laws of the EEA Extended Countries to Wiz in Third Countries, the parties agree that Module Two (Transfer controller to processor) or Module 3 (Transfer processor to processor) of the Standard Contractual Clauses shall apply, as applicable.
1.2 The Parties acknowledge that the information required to be provided in the Standard Contractual Clauses, including the appendices, is set out in Appendix 1 below.
1.3 If there is a conflict between the provisions of this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail, provided that, except to the extent prohibited by applicable law, the Standard Contractual Clauses shall be interpreted in accordance with and subject to this DPA and the Agreement, including without limitation, the provisions on limitation of liability, instructions, storage, erasure and return of Personal Data, audits and engagement of Sub-Processors.
1.4 If any provision or part-provision of this DPA or the Agreement causes the Standard Contractual Clauses to become an invalid export mechanism in the relevant Extended EEA Country, it shall be deemed deleted but that shall not affect the validity and enforceability of the rest of this Agreement and the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
1.5 Where requested by Wiz, Customer shall provide reasonable assistance to Wiz and be responsible for issuing such communications to Data Subjects and/or the Controller (to the extent Module Three applies) as are required in order for Wiz to comply with its obligations under the Standard Contractual Clauses.
1.6 For the purpose of Section III, Clause 14 of the Standard Contractual Clauses, the parties acknowledge and agree that, as between the parties, the Customer (acting as data exporter) is responsible for: (i) assessing the laws of the country to which it transfers Personal Data; and (ii) determining whether or not the transfer meets the requirements of Section III, Clause 14(a) of the Standard Contractual Clauses. Where Wiz (as data importer) provides information to the Customer (acting as data exporter) for assisting the Customer in its assessment, such information is provided on an “as is” basis for informational purposes only. Without prejudice to Section III, Clause 14(c) of the Standard Contractual Clauses, Wiz (as data importer) shall not be liable for any losses suffered by the Customer in connection with its assessment.
1.7 Notwithstanding anything to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is the UK, template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, (the “UK Approved Addendum”) shall amend the Standard Contractual Clauses in respect of such transfers and Part 1 of the UK Approved Addendum shall be populated as set out below:
Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and Wiz as importer.
Table 2. The “Addendum EU SCCs” are the modules and clauses of the Standard Contractual Clauses selected in relation to a particular transfer in accordance with paragraphs 1.1 and 1.2 of this Schedule.
Table 3. The “Appendix Information” is as set out in Appendix 1 to this Schedule.
Table 4. Neither party may end the UK Approved Addendum in accordance with its Section 19.
1.8 Except where paragraph 1.9 above applies, but notwithstanding anything else to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is not a Member State of the European Union, references in the Standard Contractual Clauses to:
(a) “Member States of the European Union” shall refer to the applicable Extended EEA Country in which the data exporter is established or from where the transferred Personal Data originated (as applicable);
(b) “the GDPR” shall refer to the Data Protection Laws of the Extended EEA Country in which the data exporter is established or from where the Personal Data originated; and
(c) “supervisory authority” shall refer to the data protection authority in the Extended EEA Country as determined in Annex I(C) below.
Appendix 1 – Completion of the Standard Contractual Clauses
ANNEX I
A. LIST OF THE PARTIES | |
Data Exporter: | Name and address: Customer, as set out in the Agreement Contact details: As set out in the Agreement Activities relevant to the data transferred under these Clauses: Receipt of Wiz Services, as set out in the Agreement and this DPA |
Data Importer: | Name and address: Wiz, as set out in the Agreement Contact details: Privacy Officer, privacy@wiz.io Activities relevant to the data transferred under these Clauses: Provision of Wiz Services, as set out in the Agreement and this DPA |
B. DETAILS OF PROCESSING/TRANSFER | |
CATEGORIES OF DATA SUBJECTS | As described in Schedule 1 |
CATEGORIES OF PERSONAL DATA | As described in Schedule 1 |
SPECIAL CATEGORIES OF DATA (IF APPLICABLE) | Wiz does not control which Personal Data Customer shares with it in the context of the Services |
FREQUENCY OF THE TRANSFER | As regular as is required to provide the Services |
NATURE AND PURPOSE OF THE PROCESSING | As described in Schedule 1 |
RETENTION | As described in Schedule 1 |
TRANSFER TO (SUB)PROCESSORS | As set out in Wiz’s Sub-Processor List |
C. COMPETENT SUPERVISORY AUTHORITY | |
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where an EU Representative has not been appointed by data exporter, the competent supervisory authority shall be the supervisory authority of the Netherlands. | |
D. GOVERNING LAW AND CHOICE OF FORUM | |
GOVERNING LAW | For the purposes of Clause 17 of the Standard Contractual Clauses the Parties select OPTION 1: the law of the Netherlands. |
CHOICE OF FORUM | For the purposes of Clause 18 of the SCCs: the Parties select the courts of the Netherlands. |
E. OTHER | |
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following will apply: For Clause 7 (Docking Clause), the optional provision will apply. For Clause 9(a), option 2 (General Written Authorisation) will apply and the time period for prior notice of Sub-Processor changes shall be as set out in this DPA. For Clause 11(a) (Redress) – the optional provision will not apply. |
ANNEX II – WIZ SECURITY MEASURES
The technical and organizational measures including technical and organizational measures to support the security of Personal Data incorporated into Annex II of the Standard Contractual Clauses shall be the technical and organizational security measures as described in Wiz’s Security Documentation.
In addition, Wiz agrees to the following compensating safeguards to protect such data to an equivalent level as required under the Data Protection Laws of the Extended EEA Countries to the extent required under the Standard Contractual Clauses:
- Wiz and Customer shall encrypt all transfers of the Customer Personal Data between them, and Wiz shall encrypt any onward transfers it makes of such Customer Personal Data.
- Wiz will use reasonably available legal mechanisms to challenge any demands for Customer Personal Data access through national security process it receives as well as any non-disclosure provisions attached thereto.
- Wiz will promptly notify Customer of any government demands for Customer Personal Data, unless prohibited under applicable law. To the extent Wiz is prohibited by law from providing such notification, Wiz shall: (i) review each request on a case-by-case basis; (ii) use reasonable efforts to request that the confidentiality requirement be waived to enable Wiz to notify the Customer and/or the appropriate Supervisory Authority competent for the Customer; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.
- Wiz will promptly notify Customer if Wiz can no longer comply with the applicable clauses in this Section. Wiz shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder.
Effective September 11, 2023 to September 19, 2023
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms part of the Wiz Master Subscription Agreement or other agreement for Wiz services entered into between the Parties (the “Agreement”) between the Wiz entity that has entered into the Agreement (“Wiz”, “Us”, “We”, “Our”) and Customer (collectively, “You”, “Your”, or “Customer”) pursuant to the Agreement. Both parties shall be referred to as the “Parties” and each, a “Party”. This DPA forms a binding legal agreement to reflect the Parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below).
WHEREAS, Wiz shall provide the services set forth in the Agreement (collectively, the “Services”) to Customer, as described in the Agreement; and
WHEREAS, the Parties wish to set forth the arrangements concerning the Processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the Parties, intending to be legally bound, agree as follows:
1. INTERPRETATION AND DEFINITIONS
1.1 The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
1.2 Definitions:
2. CUSTOMER’S PROCESSING OF PERSONAL DATA. Customer shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws and comply at all times with the obligations applicable to Controllers or Businesses, as applicable. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the means by which Customer acquired Customer Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal basis in order to collect, Process and transfer to Wiz the Customer Personal Data and to authorize the Processing by Wiz of the Customer Personal Data which is authorized in this DPA.
3. WIZ’S PROCESSING OF PERSONAL DATA
3.1 Application. As used in clauses 3 – 9 herein, Customer Personal Data refers to Customer Personal Data that is subject to Data Protection Laws.
3.2 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, (i) Customer is the Controller or Business, (ii) Wiz is the Processor or Service Provider, and (iii) Wiz or its Affiliates may engage Sub-Processors pursuant to the requirements set forth in Clause 6 below.
3.3 Wiz and its Affiliates (as applicable) shall Process Customer Personal Data only in accordance with Customer’s documented instructions, which are set out in this DPA, the Agreement, as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required to otherwise by any applicable law, court of competent jurisdiction or other Supervisory Authority to which Wiz and its Affiliates are subject, in which case, Wiz shall inform Customer of the legal requirement before processing, unless that law prohibits such information. Customer agrees that the Agreement is its complete and final instructions to Company in relation to the Processing of Personal Data. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Wiz and Customer by way of an amendment to the Agreement, and may include any additional fees that may be payable by Customer to Wiz for carrying out such instructions. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Customer Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 to this DPA.
3.4 To the extent that Wiz or its Affiliates cannot comply with an instruction from Customer and/or its authorized users relating to Processing of Customer Personal Data or where Wiz considers such instruction to be unlawful, Wiz (i) shall inform Customer, providing relevant details of the problem; (ii) may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Customer Personal Data (other than securely storing those data); and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Wiz all the amounts owed to Wiz or due before the date of termination.
4. RIGHTS OF DATA SUBJECTS. If Wiz receives a request from a Data Subject to exercise its rights under Data Protection Laws (“Data Subject Request”), Wiz shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Wiz shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws.
5. WIZ PERSONNEL
5.1 Confidentiality. Wiz shall grant access to the Customer Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Customer Personal Data have committed themselves to confidentiality.
6. AUTHORIZATION REGARDING SUB-PROCESSORS
6.1 Customer hereby grants general written authorization to Wiz to appoint Sub-Processors to perform specific Processing activities on Customer Personal Data on its behalf. Wiz’s current list of Sub-Processors is included at https://www.wiz.io/sub-processor-list (“Sub-Processor List”) and is hereby approved by Customer.
6.2. Objection Right for Sub-Processors. Wiz offers a mechanism for Customers to subscribe to notifications of changes to Wiz’s Sub-Processor List via https://www.wiz.io/legal/sub-processor-list. If Customer subscribes to receive such updates, Wiz shall provide notification of any intended changes concerning the addition or replacement of other Sub-Processor(s) to the email address which has subscribed thereby giving Customer the opportunity to object. Customer may reasonably object to Wiz’s use of a Sub-Processor for reasons related to the Data Protection Laws by notifying Wiz in writing within ten (10) days after receipt of Wiz’s notice including the reasons for objecting to Wiz’s use of such Sub-Processor. Failure to object to such Sub-Processor in writing within ten (10) days following Wiz’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-Processor, Wiz will use reasonable efforts to make available to Customer a change in the Services to avoid Processing of Customer Personal Data by the objected-to Sub-Processor without unreasonably burdening Customer. If Wiz is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the Agreement and this DPA by providing written notice to Wiz provided that all amounts due under the Agreement before the termination date shall be duly paid to Wiz. Until a decision is made regarding the Sub-Processor, Wiz may temporarily suspend the Processing of the affected Customer Personal Data.
6.3. Where Wiz engages a Sub-Processor, we shall do so by way of a written contract which imposes on the Sub-Processor substantially the same data protection obligations as in this DPA.
7. SECURITY
7.1 Controls for the Protection of Customer Personal Data. Taking into account the state of the art, Wiz shall maintain industry-standard technical and organizational measures, including as required pursuant to Article 32 of the GDPR and other applicable Data Protection Laws, for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data), confidentiality and integrity of Customer Personal Data, as set forth in the Security Documentation. Upon Customer’s request, Wiz will use commercially reasonable efforts to assist Customer, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and other applicable Data Protection Laws taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Wiz.
7.2 Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Wiz shall make available to Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and bound by confidentiality obligations) a copy of Wiz’s then most recent third-party audits or certifications, as applicable (provided, however, that any such documentation shall be Wiz’s confidential information and shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Wiz’s prior written approval and, upon Wiz’s request, Customer shall return all such documentation in Customer’s possession or control). Only as required by applicable Data Protection Laws and at Customer’s cost and expense, not more than once per year, Wiz shall allow for and contribute to audits, including remote inspections, conducted by Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and that is bound by confidentiality obligations) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections in advance. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that belongs to Wiz’s other customers.
8. TRANSFERS OF DATA
8.1 Transfers to countries that offer adequate level of data protection. Personal Data may be transferred from the Extended EEA Countries to countries or frameworks that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the Extended EEA Countries (“Adequacy Decisions”), without any further safeguard being necessary.
8.2 Transfers to other countries. If, and to the extent, the Processing of Customer Personal Data which is subject to Data Protection Laws of the EEA Extended Countries includes transfers by Customer from the Extended EEA Countries to Wiz in countries outside the Extended EEA Countries which have not been subject to an Adequacy Decision (“Third Countries”), the Parties agree that such transfers shall be undertaken on the basis of the Standard Contractual Clauses, which will be deemed to have been signed by each Party on the Effective Date of this Agreement, are incorporated herein by reference and construed in accordance with Schedule 2 below, unless another mechanism provided for in the Data Protection Laws of the applicable Extended EEA Country applies.
8.3 In the event Customer enables Third Party Integrations (as defined in the Agreement) which involve transfers of Customer Personal Data between Wiz and the Third Party Integration provider, Customer acknowledges and agrees that (a) such Third Party Integration providers are not Sub-Processors of Wiz; (b) such transfers are conducted at Customer’s instruction in accordance with an agreement between the Customer and such Third Party Integration provider (which Wiz is not a party to); and (c) Customer shall be solely responsible for such transfers and their compliance with Data Protection Laws, including without limitation, executing Standard Contractual Clauses with such Third Party Integration providers as required.
9. US PRIVACY LAWS
9.1 In performing its obligations under the Agreement and this DPA, Wiz will not: (1) “sell” or “share” for purposes of “cross-context behavioral advertising” or “targeted advertising” (as defined by applicable US Privacy Laws) any Customer Personal Data; (2) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Wiz and Customer; or (3) attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data.
9.2 Wiz will (1) comply with any applicable restrictions under applicable US Privacy Laws on combining Customer Personal Data with Personal Data that Wiz receives from, or on behalf of, another person or persons; and (2) promptly notify Customer if Wiz determines that it (i) can no longer meet its obligations under this DPA or applicable US Privacy Laws; or (ii) in Wiz’s opinion, an instruction from Customer infringes applicable US Privacy Laws.
9.3 Wiz certifies that it understands its obligations in this Clause 9.
9.4 The Parties agree that Schedule 1 hereto shall satisfy any requirement under applicable U.S. Privacy Law to provide details regarding the nature of the Processing activities related to Customer Personal Data.
10. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. To the extent required under applicable Data Protection Laws, Wiz shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a “Personal Data Incident”). Wiz shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Wiz deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident. Customer (or its customers), as the Controller or Business, will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws).
11. RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, upon termination or expiry of the Services, Wiz shall make available for return the Customer Personal Data via the Services and delete such Customer Personal Data in accordance with Wiz’s customer data retention & deletion policy unless applicable law requires storage of the Customer Personal Data. In any event, Customer agrees that Wiz may retain Customer Personal Data in accordance with its standard backup policy, for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations. Notwithstanding anything to the contrary, Customer hereby agrees and understands that, to the extent Wiz performs cloud scanning on behalf of Customer, if and when Customer wants to delete specific Customer Personal Data, Customer may delete such Customer Personal Data from its own databases, and it will automatically be erased from Wiz’s databases within a reasonable market standard timeframe. If Customer requests return of the Customer Personal Data, it shall be returned in an industry standard format generally available for Wiz’s Customers.
12. TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided, provided that, to the extent Wiz retains any Customer Personal Data following termination or expiration of the Agreement, this DPA shall survive for such period that Wiz retains Customer Personal Data. Clauses 2, 3.4 and 13 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
13. RELATIONSHIP WITH AGREEMENT. Subject to any provisions in Schedule 2 regarding governing law and choice of forum of the Standard Contractual Clauses, the governing law and choice of forum provision in the Agreement shall apply to this DPA. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. For the avoidance of doubt each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, Data Protection Laws and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. NOTWITHSTANDING THE FOREGOING, IF CUSTOMER IS USING THE SERVICES FOR A FREE TRIAL, WIZ’S MAXIMUM AGGREGATE LIABILITY TO CUSTOMER UNDER OR RELATED TO THIS DPA SHALL BE CAPPED AT ONE THOUSAND DOLLARS US ($1,000 US).
14. MISCELLANEOUS. Any Wiz obligation hereunder may be performed (in whole or in part), and any Wiz right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Wiz. This DPA may be amended by Wiz from time to time in its sole discretion, with such updated version posted to Wiz’s website, provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.
List of Schedules
SCHEDULE 1 – DETAILS OF THE PROCESSING
SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES
SCHEDULE 1
DETAILS OF THE PROCESSING
Subject matter.
Wiz will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing.
1. Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) and support and technical maintenance to Customer.
2. To comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
3. Resolving disputes, enforcing the Agreement, this DPA and/or defending Wiz’s rights.
4. Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.
Duration of Processing.
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Wiz will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Types of Customer Personal Data.
Customer determines the categories of any Customer Personal Data that is made accessible to Wiz, which may include, without limitation, Customer Personal Data relating to the following categories:
- If Customer uses Wiz for scanning, Personal Data might be temporarily processed by Wiz during the scanning. The type of the Personal Data depends on Customer environment and which sources Customer connects.
- Wiz only stores metadata such as CVEs, misconfigurations, list of installed packages, cloud events, local cloud user accounts, cloud object identifiers and (depending on the features used by Customer) logs and file paths. Such metadata does not generally contain Personal Data, however, depending on the Customer’s environment and naming conventions and the features used by Customer, some limited Personal Data may be included. For example, cloud user account names, logs and artifacts could include an individual’s name, logs could contain names, associated email address and IP address and (if specific Wiz features are enabled) pseudonymized samples of findings to enable Customer to locate, verify and remediate the finding(s).
Customer acknowledges that Wiz does not control which Customer Personal Data Customer shares with it in the context of the Services.
Categories of Data Subjects.
As part of providing the Services, Wiz may process Customer Personal Data related to Customer’s customers or users, leads, employees and service providers, the extent of which is solely determined by Customer.
SCHEDULE 2
STANDARD CONTRACTUAL CLAUSES
1. Incorporation and interpretation of the Standard Contractual Clauses
1.1 In relation to transfers by Customer of Customer Personal Data which are subject to Data Protection Laws of the EEA Extended Countries to Wiz in Third Countries, the parties agree that Module Two (Transfer controller to processor) or Module 3 (Transfer processor to processor) of the Standard Contractual Clauses shall apply, as applicable.
1.2 The Parties acknowledge that the information required to be provided in the Standard Contractual Clauses, including the appendices, is set out in Appendix 1 below.
1.3 If there is a conflict between the provisions of this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail, provided that, except to the extent prohibited by applicable law, the Standard Contractual Clauses shall be interpreted in accordance with and subject to this DPA and the Agreement, including without limitation, the provisions on limitation of liability, instructions, storage, erasure and return of Personal Data, audits and engagement of Sub-Processors.
1.4 If any provision or part-provision of this DPA or the Agreement causes the Standard Contractual Clauses to become an invalid export mechanism in the relevant Extended EEA Country, it shall be deemed deleted but that shall not affect the validity and enforceability of the rest of this Agreement and the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
1.5 Where requested by Wiz, Customer shall provide reasonable assistance to Wiz and be responsible for issuing such communications to Data Subjects and/or the Controller (to the extent Module Three applies) as are required in order for Wiz to comply with its obligations under the Standard Contractual Clauses.
1.6 For the purpose of Section III, Clause 14 of the Standard Contractual Clauses, the parties acknowledge and agree that, as between the parties, the Customer (acting as data exporter) is responsible for: (i) assessing the laws of the country to which it transfers Personal Data; and (ii) determining whether or not the transfer meets the requirements of Section III, Clause 14(a) of the Standard Contractual Clauses. Where Wiz (as data importer) provides information to the Customer (acting as data exporter) for assisting the Customer in its assessment, such information is provided on an “as is” basis for informational purposes only. Without prejudice to Section III, Clause 14(c) of the Standard Contractual Clauses, Wiz (as data importer) shall not be liable for any losses suffered by the Customer in connection with its assessment.
1.7 Notwithstanding anything to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is the UK, template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, (the “UK Approved Addendum”) shall amend the Standard Contractual Clauses in respect of such transfers and Part 1 of the UK Approved Addendum shall be populated as set out below:
Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and Wiz as importer.
Table 2. The “Addendum EU SCCs” are the modules and clauses of the Standard Contractual Clauses selected in relation to a particular transfer in accordance with paragraphs 1.1 and 1.2 of this Schedule.
Table 3. The “Appendix Information” is as set out in Appendix 1 to this Schedule.
Table 4. Neither party may end the UK Approved Addendum in accordance with its Section 19.
1.8 Except where paragraph 1.9 above applies, but notwithstanding anything else to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is not a Member State of the European Union, references in the Standard Contractual Clauses to:
(a) “Member States of the European Union” shall refer to the applicable Extended EEA Country in which the data exporter is established or from where the transferred Personal Data originated (as applicable);
(b) “the GDPR” shall refer to the Data Protection Laws of the Extended EEA Country in which the data exporter is established or from where the Personal Data originated; and
(c) “supervisory authority” shall refer to the data protection authority in the Extended EEA Country as determined in Annex I(C) below.
Appendix 1 – Completion of the Standard Contractual Clauses
ANNEX I
A. LIST OF THE PARTIES | |
Data Exporter: | Name and address: Customer, as set out in the Agreement Contact details: As set out in the Agreement Activities relevant to the data transferred under these Clauses: Receipt of Wiz Services, as set out in the Agreement and this DPA |
Data Importer: | Name and address: Wiz, as set out in the Agreement Contact details: Privacy Officer, privacy@wiz.io Activities relevant to the data transferred under these Clauses: Provision of Wiz Services, as set out in the Agreement and this DPA |
B. DETAILS OF PROCESSING/TRANSFER | |
CATEGORIES OF DATA SUBJECTS | As described in Schedule 1 |
CATEGORIES OF PERSONAL DATA | As described in Schedule 1 |
SPECIAL CATEGORIES OF DATA (IF APPLICABLE) | Wiz does not control which Personal Data Customer shares with it in the context of the Services |
FREQUENCY OF THE TRANSFER | As regular as is required to provide the Services |
NATURE AND PURPOSE OF THE PROCESSING | As described in Schedule 1 |
RETENTION | As described in Schedule 1 |
TRANSFER TO (SUB)PROCESSORS | As set out in Wiz’s Sub-Processor List |
C. COMPETENT SUPERVISORY AUTHORITY | |
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where an EU Representative has not been appointed by data exporter, the competent supervisory authority shall be the supervisory authority of the Netherlands. | |
D. GOVERNING LAW AND CHOICE OF FORUM | |
GOVERNING LAW | For the purposes of Clause 17 of the Standard Contractual Clauses the Parties select OPTION 1: the law of the Netherlands. |
CHOICE OF FORUM | For the purposes of Clause 18 of the SCCs: the Parties select the courts of the Netherlands. |
E. OTHER | |
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following will apply: For Clause 7 (Docking Clause), the optional provision will apply. For Clause 9(a), option 2 (General Written Authorisation) will apply and the time period for prior notice of Sub-Processor changes shall be as set out in this DPA. For Clause 11(a) (Redress) – the optional provision will not apply. |
ANNEX II – WIZ SECURITY MEASURES
The technical and organizational measures including technical and organizational measures to support the security of Personal Data incorporated into Annex II of the Standard Contractual Clauses shall be the technical and organizational security measures as described in Wiz’s Security Documentation.
In addition, Wiz agrees to the following compensating safeguards to protect such data to an equivalent level as required under the Data Protection Laws of the Extended EEA Countries to the extent required under the Standard Contractual Clauses:
- Wiz and Customer shall encrypt all transfers of the Customer Personal Data between them, and Wiz shall encrypt any onward transfers it makes of such Customer Personal Data.
- Wiz will use reasonably available legal mechanisms to challenge any demands for Customer Personal Data access through national security process it receives as well as any non-disclosure provisions attached thereto.
- Wiz will promptly notify Customer of any government demands for Customer Personal Data, unless prohibited under applicable law. To the extent Wiz is prohibited by law from providing such notification, Wiz shall: (i) review each request on a case-by-case basis; (ii) use reasonable efforts to request that the confidentiality requirement be waived to enable Wiz to notify the Customer and/or the appropriate Supervisory Authority competent for the Customer; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.
- Wiz will promptly notify Customer if Wiz can no longer comply with the applicable clauses in this Section. Wiz shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder.
Effective August 29, 2023 to September 11, 2023
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms part of the Wiz Master Subscription Agreement or other agreement for Wiz services entered into between the Parties (the “Agreement”) between the Wiz entity that has entered into the Agreement (“Wiz”, “Us”, “We”, “Our”) and Customer (collectively, “You”, “Your”, or “Customer”) pursuant to the Agreement. Both parties shall be referred to as the “Parties” and each, a “Party”. This DPA forms a binding legal agreement to reflect the Parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below).
WHEREAS, 	Wiz shall provide the services set forth in the Agreement (collectively, the “Services”) to Customer, as described in the Agreement; and
WHEREAS, 	the Parties wish to set forth the arrangements concerning the Processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the Parties, intending to be legally bound, agree as follows:
1. 	INTERPRETATION AND DEFINITIONS
1.1 	The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
1.2	Definitions:
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Controller” or “Business” as relevant under applicable Data Protection Laws, means the entity which determines the purposes and means of the Processing of Personal Data or such equivalent term under Data Protection Laws.
- “Customer Personal Data” means any Personal Data which is provided to and Processed by Wiz on behalf of Customer in order to provide the Services under the Agreement. Customer Personal Data does not include Personal Data that Wiz Processes as a Controller separately from its Processing obligations to Customer under the Agreement.
- “Data Protection Laws” means all laws and regulations of the European Union, the EEA and their Member States, Switzerland, the United Kingdom, and the United States, each to the extent applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the identified or identifiable person to whom the Customer Personal Data relates.
- “EEA” means the European Economic Area.
- “EU Data Protection Law” means the GDPR, and the UK GDPR.
- “Extended EEA Country” means a Member State of the EEA, Switzerland or the United Kingdom, and Extended EEA Countries means the foregoing countries collectively.
- “Member State(s)” means a country that belongs to the European Union and/or the EEA.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or such equivalent term under Data Protection Laws.
- “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” or “Service Provider,” as relevant under applicable Data Protection Laws, means the entity which Processes Personal Data on behalf of the Controller or Business or such equivalent term under Data Protection Laws.
- “Security Documentation” means Wiz’s security documentation that is applicable to the specific Services purchased by Customer, as updated from time to time, and as made reasonably available by Wiz.
- “Standard Contractual Clauses” means the “standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission decision of 4 June 2021” and published under document number C (2021) 3972 available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1689513765256, as may be updated, amended or superseded from time to time.
- “Sub-Processor” means any Processor or Service Provider engaged by Wiz and/or Wiz Affiliate to Process Customer Personal Data.
- “Supervisory Authority” means the competent supervisory authority pursuant to the applicable Data Protection Laws.
- “Third Country” has the meaning given in Clause 8.2 below.
- “UK GDPR” means the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR").
- “US Privacy Laws” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 along with any associated regulations (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act; and any similar U.S. laws governing data privacy and security once effective.
2.	CUSTOMER’S PROCESSING OF PERSONAL DATA. Customer shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws and comply at all times with the obligations applicable to Controllers or Businesses, as applicable. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the means by which Customer acquired Customer Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal basis in order to collect, Process and transfer to Wiz the Customer Personal Data and to authorize the Processing by Wiz of the Customer Personal Data which is authorized in this DPA.
3.	WIZ’S PROCESSING OF PERSONAL DATA
3.1	Application. As used in clauses 3 – 9 herein, Customer Personal Data refers to Customer Personal Data that is subject to Data Protection Laws.
3.2	Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, (i) Customer is the Controller or Business, (ii) Wiz is the Processor or Service Provider, and (iii) Wiz or its Affiliates may engage Sub-Processors pursuant to the requirements set forth in Clause 6 below.
3.3	Wiz and its Affiliates (as applicable) shall Process Customer Personal Data only in accordance with Customer’s documented instructions, which are set out in this DPA, the Agreement, as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required to otherwise by any applicable law, court of competent jurisdiction or other Supervisory Authority to which Wiz and its Affiliates are subject, in which case, Wiz shall inform Customer of the legal requirement before processing, unless that law prohibits such information. Customer agrees that the Agreement is its complete and final instructions to Company in relation to the Processing of Personal Data. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Wiz and Customer by way of an amendment to the Agreement, and may include any additional fees that may be payable by Customer to Wiz for carrying out such instructions. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Customer Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 to this DPA.
3.4	To the extent that Wiz or its Affiliates cannot comply with an instruction from Customer and/or its authorized users relating to Processing of Customer Personal Data or where Wiz considers such instruction to be unlawful, Wiz (i) shall inform Customer, providing relevant details of the problem; (ii) may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Customer Personal Data (other than securely storing those data); and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Wiz all the amounts owed to Wiz or due before the date of termination.
4.	RIGHTS OF DATA SUBJECTS. If Wiz receives a request from a Data Subject to exercise its rights under Data Protection Laws (“Data Subject Request”), Wiz shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Wiz shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws.
5.	WIZ PERSONNEL
5.1	Confidentiality. Wiz shall grant access to the Customer Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Customer Personal Data have committed themselves to confidentiality.
6.	AUTHORIZATION REGARDING SUB-PROCESSORS
6.1	Customer hereby grants general written authorization to Wiz to appoint Sub-Processors to perform specific Processing activities on Customer Personal Data on its behalf. Wiz’s current list of Sub-Processors is included at https://www.wiz.io/sub-processor-list (“Sub-Processor List”) and is hereby approved by Customer.
6.2	Objection Right for Sub-Processors. Wiz offers a mechanism for Customers to subscribe to notifications of changes to Wiz’s Sub-Processor List via https://www.wiz.io/legal/sub-processor-list. If Customer subscribes to receive such updates, Wiz shall provide notification of any intended changes concerning the addition or replacement of other Sub-Processor(s) to the email address which has subscribed thereby giving Customer the opportunity to object. Customer may reasonably object to Wiz’s use of a Sub-Processor for reasons related to the Data Protection Laws by notifying Wiz in writing within ten (10) days after receipt of Wiz’s notice including the reasons for objecting to Wiz’s use of such Sub-Processor. Failure to object to such Sub-Processor in writing within ten (10) days following Wiz’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-Processor, Wiz will use reasonable efforts to make available to Customer a change in the Services to avoid Processing of Customer Personal Data by the objected-to Sub-Processor without unreasonably burdening Customer. If Wiz is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the Agreement and this DPA by providing written notice to Wiz provided that all amounts due under the Agreement before the termination date shall be duly paid to Wiz. Until a decision is made regarding the Sub-Processor, Wiz may temporarily suspend the Processing of the affected Customer Personal Data.
6.3	Where Wiz engages a Sub-Processor, we shall do so by way of a written contract which imposes on the Sub-Processor substantially the same data protection obligations as in this DPA.
7.	SECURITY
7.1	Controls for the Protection of Customer Personal Data. Taking into account the state of the art, Wiz shall maintain industry-standard technical and organizational measures, including as required pursuant to Article 32 of the GDPR and other applicable Data Protection Laws, for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data), confidentiality and integrity of Customer Personal Data, as set forth in the Security Documentation. Upon Customer’s request, Wiz will use commercially reasonable efforts to assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and other applicable Data Protection Laws taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Wiz.
7.2	Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Wiz shall make available to Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and bound by confidentiality obligations) a copy of Wiz’s then most recent third-party audits or certifications, as applicable (provided, however, that any such documentation shall be Wiz’s confidential information and shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Wiz’s prior written approval and, upon Wiz’s request, Customer shall return all such documentation in Customer’s possession or control). Only as required by applicable Data Protection Laws and at Customer’s cost and expense, not more than once per year, Wiz shall allow for and contribute to audits, including remote inspections, conducted by Customer (or Customer’s independent, third-party auditor that is not reasonably objected to by Wiz and that is bound by confidentiality obligations) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections in advance. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that belongs to Wiz’s other customers.
8.	TRANSFERS OF DATA
8.1	Transfers to countries that offer adequate level of data protection. Personal Data may be transferred from the Extended EEA Countries to countries or frameworks that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the Extended EEA Countries (“Adequacy Decisions”), without any further safeguard being necessary.
8.2 	Transfers to other countries. If, and to the extent, the Processing of Customer Personal Data which is subject to Data Protection Laws of the EEA Extended Countries includes transfers by Customer from the Extended EEA Countries to Wiz in countries outside the Extended EEA Countries which have not been subject to an Adequacy Decision (“Third Countries”), the Parties agree that such transfers shall be undertaken on the basis of the Standard Contractual Clauses, which will be deemed to have been signed by each Party on the Effective Date of this Agreement, are incorporated herein by reference and construed in accordance with Schedule 2 below, unless another mechanism provided for in the Data Protection Laws of the applicable Extended EEA Country applies.
8.3	In the event Customer enables Third Party Integrations (as defined in the Agreement) which involve transfers of Customer Personal Data between Wiz and the Third Party Integration provider, Customer acknowledges and agrees that (a) such Third Party Integration providers are not Sub-Processors of Wiz; (b) such transfers are conducted at Customer’s instruction in accordance with an agreement between the Customer and such Third Party Integration provider (which Wiz is not a party to); and (c) Customer shall be solely responsible for such transfers and their compliance with Data Protection Laws, including without limitation, executing Standard Contractual Clauses with such Third Party Integration providers as required.
9. 	US PRIVACY LAWS
9.1 	In performing its obligations under the Agreement and this DPA, Wiz will not: (1) “sell” or “share” for purposes of “cross-context behavioral advertising” or “targeted advertising” (as defined by applicable US Privacy Laws) any Customer Personal Data; (2) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Wiz and Customer; or (3) attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data.
9.2	Wiz will (1) comply with any applicable restrictions under applicable US Privacy Laws on combining Customer Personal Data with Personal Data that Wiz receives from, or on behalf of, another person or persons; and (2) promptly notify Customer if Wiz determines that it (i) can no longer meet its obligations under this DPA or applicable US Privacy Laws; or (ii) in Wiz’s opinion, an instruction from Customer infringes applicable US Privacy Laws.
9.3 Wiz certifies that it understands its obligations in this Clause 9.
9.4	The Parties agree that Schedule 1 hereto shall satisfy any requirement under applicable U.S. Privacy Law to provide details regarding the nature of the Processing activities related to Customer Personal Data.
10.	PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. To the extent required under applicable Data Protection Laws, Wiz shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a “Personal Data Incident”). Wiz shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Wiz deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident. Customer (or its customers), as the Controller or Business, will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws).
11.	RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, upon termination or expiry of the Services, Wiz shall make available for return the Customer Personal Data via the Services and delete such Customer Personal Data in accordance with Wiz’s customer data retention & deletion policy unless applicable law requires storage of the Customer Personal Data. In any event, Customer agrees that Wiz may retain Customer Personal Data in accordance with its standard backup policy, for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations. Notwithstanding anything to the contrary, Customer hereby agrees and understands that, to the extent Wiz performs cloud scanning on behalf of Customer, if and when Customer wants to delete specific Customer Personal Data, Customer may delete such Customer Personal Data from its own databases, and it will automatically be erased from Wiz’s databases within a reasonable market standard timeframe. If Customer requests return of the Customer Personal Data, it shall be returned in an industry standard format generally available for Wiz’s Customers.
12.	TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided, provided that, to the extent Wiz retains any Customer Personal Data following termination or expiration of the Agreement, this DPA shall survive for such period that Wiz retains Customer Personal Data. Clauses 2, 3.4 and 13 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
13.	RELATIONSHIP WITH AGREEMENT. Subject to any provisions in Schedule 2 regarding governing law and choice of forum of the Standard Contractual Clauses, the governing law and choice of forum provision in the Agreement shall apply to this DPA. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. For the avoidance of doubt each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, Data Protection Laws and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. NOTWITHSTANDING THE FOREGOING, IF CUSTOMER IS USING THE SERVICES FOR A FREE TRIAL, WIZ’S MAXIMUM AGGREGATE LIABILITY TO CUSTOMER UNDER OR RELATED TO THIS DPA SHALL BE CAPPED AT ONE THOUSAND DOLLARS US ($1,000 US).
14.	MISCELLANEOUS. Any Wiz obligation hereunder may be performed (in whole or in part), and any Wiz right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Wiz. This DPA may be amended by Wiz from time to time in its sole discretion, with such updated version posted to Wiz’s website, provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.
List of Schedules
SCHEDULE 1 – DETAILS OF THE PROCESSING
SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES
SCHEDULE 1
DETAILS OF THE PROCESSING
Subject matter.
Wiz will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing.
1.	Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) and support and technical maintenance to Customer.
2.	To comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
3.	Resolving disputes, enforcing the Agreement, this DPA and/or defending Wiz’s rights.
4.	Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.
Duration of Processing.
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Wiz will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Types of Customer Personal Data.
Customer determines the categories of any Customer Personal Data that is made accessible to Wiz, which may include, without limitation, Customer Personal Data relating to the following categories:
- If Customer uses Wiz for scanning, Personal Data might be temporarily processed by Wiz during the scanning. The type of the Personal Data depends on Customer environment and which sources Customer connects.
- Wiz only stores metadata such as CVEs, misconfigurations, list of installed packages, cloud events, local cloud user accounts, cloud object identifiers and (depending on the features used by Customer) logs and file paths. Such metadata does not generally contain Personal Data, however, depending on the Customer’s environment and naming conventions and the features used by Customer, some limited Personal Data may be included. For example, cloud user account names, logs and artifacts could include an individual’s name, logs could contain names, associated email address and IP address and (if specific Wiz features are enabled) pseudonymized samples of findings to enable Customer to locate, verify and remediate the finding(s).
Customer acknowledges that Wiz does not control which Customer Personal Data Customer shares with it in the context of the Services.
Categories of Data Subjects.
As part of providing the Services, Wiz may process Customer Personal Data related to Customer’s customers or users, leads, employees and service providers, the extent of which is solely determined by Customer.
SCHEDULE 2
STANDARD CONTRACTUAL CLAUSES
1	Incorporation and interpretation of the Standard Contractual Clauses
1.1	In relation to transfers by Customer of Customer Personal Data which are subject to Data Protection Laws of the EEA Extended Countries to Wiz in Third Countries, the parties agree that Module Two (Transfer controller to processor) or Module Three (Transfer processor to processor) of the Standard Contractual Clauses shall apply, as applicable.
1.2	The Parties acknowledge that the information required to be provided in the Standard Contractual Clauses, including the appendices, is set out in Appendix 1 below.
1.3	If there is a conflict between the provisions of this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail, provided that, except to the extent prohibited by applicable law, the Standard Contractual Clauses shall be interpreted in accordance with and subject to this DPA and the Agreement, including without limitation, the provisions on limitation of liability, instructions, storage, erasure and return of Personal Data, audits and engagement of Sub-Processors.
1.4	If any provision or part-provision of this DPA or the Agreement causes the Standard Contractual Clauses to become an invalid export mechanism in the relevant Extended EEA Country, it shall be deemed deleted but that shall not affect the validity and enforceability of the rest of this Agreement and the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
1.5	Where requested by Wiz, Customer shall provide reasonable assistance to Wiz and be responsible for issuing such communications to Data Subjects and/or the Controller (to the extent Module Three applies) as are required in order for Wiz to comply with its obligations under the Standard Contractual Clauses.
1.6	For the purpose of Section III, Clause 14 of the Standard Contractual Clauses, the parties acknowledge and agree that, as between the parties, the Customer (acting as data exporter) is responsible for: (i) assessing the laws of the country to which it transfers Personal Data; and (ii) determining whether or not the transfer meets the requirements of Section III, Clause 14(a) of the Standard Contractual Clauses. Where Wiz (as data importer) provides information to the Customer (acting as data exporter) for assisting the Customer in its assessment, such information is provided on an “as is” basis for informational purposes only. Without prejudice to Section III, Clause 14(c) of the Standard Contractual Clauses, Wiz (as data importer) shall not be liable for any losses suffered by the Customer in connection with its assessment.
1.7 	Notwithstanding anything to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is the UK, template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, (the “UK Approved Addendum”) shall amend the Standard Contractual Clauses in respect of such transfers and Part 1 of the UK Approved Addendum shall be populated as set out below:
Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer as exporter and Wiz as importer.
Table 2. The “Addendum EU SCCs” are the modules and clauses of the Standard Contractual Clauses selected in relation to a particular transfer in accordance with paragraphs 1.1 and 1.2 of this Schedule.
Table 3. The “Appendix Information” is as set out in Appendix 1 to this Schedule.
Table 4. Neither party may end the UK Approved Addendum in accordance with its Section 19.
1.8 	Except where paragraph 1.9 above applies, but notwithstanding anything else to the contrary, where the applicable Extended EEA Country where the data exporter is established or from where the transferred personal data originated is not a Member State of the European Union, references in the Standard Contractual Clauses to:
(a)	“Member States of the European Union” shall refer to the applicable Extended EEA Country in which the data exporter is established or from where the transferred Personal Data originated (as applicable);
(b)	“the GDPR” shall refer to the Data Protection Laws of the Extended EEA Country in which the data exporter is established or from where the Personal Data originated; and
(c)	“supervisory authority” shall refer to the data protection authority in the Extended EEA Country as determined in Annex I(C) below.
Appendix 1 – Completion of the Standard Contractual Clauses
ANNEX I
A. LIST OF THE PARTIES | |
Data Exporter: | Name and address: Customer, as set out in the Agreement Contact details: As set out in the Agreement Activities relevant to the data transferred under these Clauses: Receipt of Wiz Services, as set out in the Agreement and this DPA |
Data Importer:	 | Name and address: Wiz, as set out in the Agreement Contact details: Privacy Officer, privacy@wiz.io Activities relevant to the data transferred under these Clauses: Provision of Wiz Services, as set out in the Agreement and this DPA |
B. DETAILS OF PROCESSING/TRANSFER | |
CATEGORIES OF DATA SUBJECTS | As described in Schedule 1 |
CATEGORIES OF PERSONAL DATA	 | As described in Schedule 1 |
SPECIAL CATEGORIES OF DATA (IF APPLICABLE) | Wiz does not control which Personal Data Customer shares with it in the context of the Services |
FREQUENCY OF THE TRANSFER | As regular as is required to provide the Services |
NATURE AND PURPOSE OF THE PROCESSING	 | As described in Schedule 1 |
RETENTION | As described in Schedule 1 |
TRANSFER TO (SUB)PROCESSORS | As set out in Wiz’s Sub-Processor List |
C. COMPETENT SUPERVISORY AUTHORITY | |
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where an EU Representative has not been appointed by data exporter, the competent supervisory authority shall be the supervisory authority of the Netherlands. | |
D. GOVERNING LAW AND CHOICE OF FORUM | |
GOVERNING LAW | For the purposes of Clause 17 of the Standard Contractual Clauses the Parties select OPTION 1: the law of the Netherlands. |
CHOICE OF FORUM | For the purposes of Clause 18 of the SCCs: the Parties select the courts of the Netherlands. |
E. OTHER | |
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following will apply:	 For Clause 7 (Docking Clause), the optional provision will apply. For Clause 9(a), option 2 (General Written Authorisation) will apply and the time period for prior notice of Sub-Processor changes shall be as set out in this DPA. For Clause 11(a) (Redress) – the optional provision will not apply. |
ANNEX II – WIZ SECURITY MEASURES
The technical and organizational measures including technical and organizational measures to support the security of Personal Data incorporated into Annex II of the Standard Contractual Clauses shall be the technical and organizational security measures as described in Wiz’s Security Documentation.
In addition, Wiz agrees to the following compensating safeguards to protect such data to an equivalent level as required under the Data Protection Laws of the Extended EEA Countries to the extent required under the Standard Contractual Clauses:
- Wiz and Customer shall encrypt all transfers of the Customer Personal Data between them, and Wiz shall encrypt any onward transfers it makes of such Customer Personal Data.
- Wiz will use reasonably available legal mechanisms to challenge any demands for Customer Personal Data access through national security process it receives as well as any non-disclosure provisions attached thereto.
- Wiz will promptly notify Customer of any government demands for Customer Personal Data, unless prohibited under applicable law. To the extent Wiz is prohibited by law from providing such notification, Wiz shall: (i) review each request on a case-by-case basis; (ii) use reasonable efforts to request that the confidentiality requirement be waived to enable Wiz to notify the Customer and/or the appropriate Supervisory Authority competent for the Customer; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.
- Wiz will promptly notify Customer if Wiz can no longer comply with the applicable clauses in this Section. Wiz shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder.
Effective August 21, 2023 to August 29, 2023
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the Data Protection Laws, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Wiz but has not signed its own agreement with Wiz and is not a “Customer” as defined under the Agreement. For the purposes of the DPA, the term Customer includes Customer Authorized Affiliates to the extent applicable.
- “Controller” or “Business” as relevant under applicable Data Protection Laws, means the entity which determines the purposes and means of the Processing of Personal Data or such equivalent term under Data Protection Laws.
- “Customer Personal Data” means any Personal Data which is provided to and Processed by Wiz on behalf of Customer in order to provide the Services under the Agreement. Customer Personal Data does not include Personal Data that Wiz Processes as a Controller separately from its Processing obligations to Customer under the Agreement.
- “Data Protection Laws” means all laws and regulations of the European Union, the EEA and their Member States, Switzerland, the United Kingdom, and United States, each to the extent applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the identified or identifiable person to whom the Customer Personal Data relates.
- “EEA” means the European Economic Area.
- “EU Data Protection Law” means the GDPR, and the UK GDPR.
- “Extended EEA Country” means a country within the EEA, Switzerland or the United Kingdom, and Extended EEA Countries means the foregoing countries collectively.
- “Member State(s)” means a country that belongs to the European Union and/or the EEA.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.
- “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” or “Service Provider,” as relevant under applicable Data Protection Laws, means the entity which Processes Personal Data on behalf of the Controller or Business or such equivalent term under Data Protection Laws.
- “Security Documentation” means Wiz’s security documentation that is applicable to the specific Services purchased by Customer, as updated from time to time, and as made reasonably available by Wiz.
- “Standard Contractual Clauses” means the “standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission decision of 4 June 2021” and published under document number C (2021) 3972 available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en, as may be updated, amended or superseded from time to time.
- “Sub-Processor” means any Processor or Service Provider engaged by Wiz and/or Wiz Affiliate to Process Customer Personal Data.
- “Supervisory Authority” means the competent supervisory authority pursuant to the applicable Data Protection Laws.
- “Third Country” has the meaning given in Clause 8.2 below.
- “UK GDPR” means the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR").
- “U.S. Privacy Laws” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 along with any associated regulations (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act; and any similar U.S. laws governing data privacy and security once effective.
- Wiz certifies that it understands its obligations in this Clause 9.
Table 1. The “start date” will be the date this DPA enters into force. The “Parties” are Customer or Customer Authorized Affiliate as exporter and Wiz as importer.
Table 2. The “Addendum EU SCCs” are the modules and clauses of the Standard Contractual Clauses selected in relation to a particular transfer in accordance with paragraphs 1.1 and 1.2 of this Schedule.
Table 4. Neither party may end the UK Approved Addendum in accordance with its Section 19.
A. LIST OF THE PARTIES | |
Data Exporter: | Name and address: Customer or Customer Authorized Affiliate, as set out in the Agreement Contact details: As set out in the Agreement Activities relevant to the data transferred under these Clauses: Receipt of Wiz Services, as set out in the Agreement and this DPA |
Data Importer:	 | Name and address: Wiz, as set out in the Agreement Contact details: Privacy Officer, privacy@wiz.io Activities relevant to the data transferred under these Clauses: Provision of Wiz Services, as set out in the Agreement and this DPA |
B. DETAILS OF PROCESSING/TRANSFER | |
CATEGORIES OF DATA SUBJECTS | As described in Schedule 1 |
CATEGORIES OF PERSONAL DATA	 | As described in Schedule 1 |
SPECIAL CATEGORIES OF DATA (IF APPLICABLE) | Wiz does not control which Personal Data Customer shares with it in the context of the Services |
FREQUENCY OF THE TRANSFER | As regular as is required to provide the Services |
NATURE AND PURPOSE OF THE PROCESSING	 | As described in Schedule 1 |
RETENTION | As described in Schedule 1 |
TRANSFER TO (SUB)PROCESSORS | As set out in Wiz’s Sub-Processor List. |
C. COMPETENT SUPERVISORY AUTHORITY | |
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where an EU Representative has not been appointed by data exporter, the competent supervisory authority shall be the supervisory authority of the Netherlands. Where the data exporter is established outside of the EU, but within an Extended EEA Country, the competent supervisory authority shall be the supervisory authority of the Extended EEA Country in which the Transferring Client Entity is established. Where the data exporter is established outside an Extended EEA Country and the personal data originates from an Extended EEA Country which is not in the EU, the supervisory authority shall be the supervisory authority of the Extended EEA Country from which the Personal Data originated. | |
D. GOVERNING LAW AND CHOICE OF FORUM | |
GOVERNING LAW | For the purposes of Clause 17 of the Standard Contractual Clauses the Parties select OPTION 1: (a) where the data exporter is established in the EU or otherwise if the personal data originates from the EU, the Parties select the laws of the Netherlands; (b) where the data exporter is established outside the EU but within an Extended EEA Country, the Parties select the laws of the Extended EEA Country where the data exporter is established; or (c) subject to (a) above, where the data exporter is established outside an Extended EEA Country, the parties select the laws of the Extended EEA Country where the personal data originates from. |
CHOICE OF FORUM | For the purposes of Clause 18 of the SCCs:
outside an Extended EEA Country, the parties select the courts of the Extended EEA Country where the personal data originates from. |
E. OTHER | |
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following will apply:	 For Clause 7 (Docking Clause), the optional provision will apply. For Clause 9(a), option 2 will apply and the time period for prior notice of Sub-Processor changes shall be as set out in this DPA. For Clause 11(a) (Redress) – the optional provision will not apply. |
Effective July 5, 2023 to August 21, 2023
Service and Support Levels Agreement (SLA)
Effective November 13, 2023
SERVICE AND SUPPORT LEVELS AGREEMENT (SLA)
This Service and Support Levels Agreement (“SLA”) supplements the Agreement and describes the service levels available to Customer under the Agreement. Capitalized terms not specifically defined in this SLA shall have the meanings defined in the Agreement.