This Master Subscription and Services Agreement (this "Agreement") is Boom Software, Inc.'s standard agreement and is entered into by and between Boom Software, Inc., a Delaware corporation ("Vendor"), and the entity executing an Order Form that references this Agreement ("Customer"). This Agreement is effective as of the Effective Date stated in the applicable Order Form.
Definitions
1.1 “Affiliate” means an entity that controls, is controlled by, or is under common control with a party, where “control” means ownership, directly or indirectly, of more than 50% of the voting interests.
1.2 “Aggregated/De-Identified Data” means data derived from Customer Data or use of the Service that has been de-identified and/or aggregated so it cannot reasonably identify Customer, any Affiliate, or any natural person.
1.3 “Authorized Users” means employees and individual contractors of Customer and its authorized Affiliates who are bound by confidentiality obligations and who use the Service solely for Customer’s internal business purposes.
1.4 “Customer Data” means data submitted to or collected by the Service from or on behalf of Customer.
1.5 “Deliverables” means the specific work product identified in a Statement of Work (excluding Vendor Technology).
1.6 “Documentation” means user guides, product descriptions, and other materials made available by Vendor regarding the Service.
1.7 “Order Form” or “Order” means an ordering document executed by the parties referencing this Agreement.
1.8 “Personal Data,” “Controller,” “Processor,” and “Process/Processing” have the meanings given in Schedule 4 (Data Processing Addendum).
1.9 “Service” means Vendor’s hosted, cloud-based software platform and related functionality provided by Vendor on a subscription basis (including Updates and Fixes) and Documentation, expressly excluding source code.
1.10 “SLA Credits” means the service credits defined in Schedule 1 (Service Level Agreement).
1.11 “Statement of Work” or “SOW” means a project document describing Professional Services, Deliverables, milestones, and pricing that references this Agreement.
1.12 “Subprocessor” means a third party engaged by Vendor to Process Personal Data on Vendor’s behalf.
1.13 “Vendor Technology” means the Service, software, platform, tools, algorithms, models, prompts, connectors, APIs, interfaces, designs, schema, templates, libraries, UI/UX, know-how, and all enhancements, modifications, Updates and derivative works of any of the foregoing, whether pre-existing or developed in the course of performance.
2. Order Forms; Access and Use
2.1 Grant. Subject to this Agreement and the applicable Order, Vendor grants Customer a non-exclusive, non-transferable (except as permitted in Section 21), non-sublicensable right during the Order term for Authorized Users to access and use the Service and Documentation solely for Customer's internal business purposes and within the usage parameters in the Order. No source code is provided.
2.2 Affiliates. Affiliates may (a) execute Orders that incorporate this Agreement; or (b) use the Service under Customer's Order, in which case Customer is responsible for such Affiliate's use.
2.3 Restrictions. Customer will not: (a) copy, frame, mirror, or use the Service except as permitted; (b) reverse engineer, decompile, or attempt to access the Service's source code; (c) remove proprietary notices; (d) publish or disclose benchmarks without Vendor's prior written consent; (e) circumvent technical controls or usage limits; (f) use the Service for competitive analysis or to build a competing product; or (g) make the Service available to Customer's own customers except where an Order expressly authorizes such managed-services use with specific terms and limitations.
2.4 Third-Party Services. The Service may interoperate with third-party applications or models (including generative AI services) that are not controlled by Vendor ("Third-Party Services"). Vendor remains responsible for its subprocessors and will conduct reasonable security due diligence (including reviews in Vendor's Vanta environment) and require contractual protections—no training on Customer Data, no publication, and security controls consistent with industry standards; Customer-chosen Third-Party Services are governed by their own terms and are Customer's responsibility.
3. Customer Responsibilities
3.1 Accounts and Security. Customer is responsible for maintaining the confidentiality of credentials and all activities under Customer accounts.
3.2 Acceptable Use. Customer will comply with Schedule 5 (Acceptable Use Policy).
3.3 Data Rights. Customer is responsible for the accuracy, quality, legality, and means of acquiring Customer Data and represents it has all rights necessary to grant the licenses in this Agreement.
3.4 Prohibited Data. Customer will not submit to the Service any regulated or sensitive data categories (e.g., PHI under HIPAA, PCI payment card data, or special categories under GDPR) unless expressly permitted in an Order.
4. Data Privacy; Security
4.1 Ownership. As between the parties, Customer owns Customer Data.
4.2 License to Host. Customer grants Vendor a non-exclusive, worldwide license to host, process, transmit, and display Customer Data to provide, secure, support, maintain, operate, and improve the Service for Customer (including testing, incident response, and usage analytics).
4.3 Aggregated/De-Identified Data and Usage Data. Vendor may create, use, and disclose Aggregated/De-Identified Data and may collect and use telemetry, logs, and usage data to operate, secure, and improve the Service, develop new features, and generate insights and benchmarks, provided no such data identifies Customer or an individual.
4.4 Export and Scheduled Deletion. During the Order term and for 30 days thereafter, Customer may export Customer Data via the Service’s standard tools or a one-time export provided by Vendor. After that period, Vendor will delete Customer Data from active systems. Residual copies may remain in encrypted backups until their retention period expires, after which they are permanently removed.
4.5 Manual Deletion Requests. Customer can request Customer Data be deleted via an official signed request specifying the scope of data to delete. Deletion requests will be processed within 21 days of receipt. Residual copies may remain in encrypted backups until their retention period expires, after which they are permanently removed.
4.6 Personal Data; DPA. When the Service Processes Personal Data, Schedule 4 (Data Processing Addendum) governs and is incorporated herein.
4.7 Security Program. Vendor will maintain an information security program appropriate to the nature of the Service and data processed, as summarized in Schedule 3 (Security & Business Continuity Overview).
5. Professional Services; Statements of Work
5.1 Services. Vendor may provide implementation, configuration, or consulting services as described in a SOW.
5.2 Acceptance. Deliverables are accepted when they meet the objective acceptance criteria set forth in the SOW and are deemed accepted 10 business days after delivery if Customer does not provide a written rejection specifying material non-conformance to those criteria. Re-tests are limited to the criteria.
5.3 Change Control. Changes to scope, milestones, or fees require a written, mutually executed change order.
5.4 Assumptions. Schedules and fees assume timely access to personnel, environments, and data; Customer delays entitle Vendor to schedule relief and additional fees.
6. Intellectual Property; Ownership; Feedback; Open Source
6.1 Vendor Technology. Vendor and its licensors exclusively own all right, title, and interest in and to the Vendor Technology. No rights are granted except as expressly provided.
6.2 Deliverables and Foreground Developments. As between the parties, Vendor owns all Deliverables and any inventions, works of authorship, discoveries, improvements, configurations, scripts, templates, or other works conceived, created, or reduced to practice by or for Vendor in performing a SOW (“Foreground Developments”), together with all intellectual property rights therein. Subject to Customer’s payment in full under the applicable SOW, Vendor grants Customer a perpetual, worldwide, non-exclusive, non-transferable (except as permitted in Section 21), non-sublicensable license to use the Deliverables solely for Customer’s internal business purposes.
6.3 Embedded Background IP. To the extent any Deliverable necessarily includes Vendor Technology, Customer receives a license only to the extent necessary to use the Deliverable as delivered; Customer acquires no rights in the underlying Vendor Technology itself.
6.4 Feedback. Vendor may use or exploit any suggestions, enhancement requests, recommendations, or other feedback provided by Customer or Authorized Users without restriction or obligation.
6.5 Open Source. To Vendor’s knowledge, any open-source components used by the Service or Deliverables are used in accordance with their applicable licenses and do not require disclosure of Vendor’s source code, impose “copyleft” obligations on the Service, or otherwise restrict Vendor’s commercial licensing. Open-source notices will be provided upon request.
6.6 No Source Code; No Escrow. The Service is provided as hosted software. Vendor has no obligation to provide source code or to enter into source code escrow unless expressly stated in an Order or SOW.
7. Confidentiality
7.1 Definition. “Confidential Information” means non-public information disclosed by a party that is identified as confidential or that should reasonably be understood to be confidential, including product plans, security information, Customer Data, and terms of this Agreement.
7.2 Protection. Each party will protect the other’s Confidential Information using at least reasonable care and use it only to fulfill this Agreement.
7.3 Exclusions. Information is not confidential to the extent it is or becomes public through no breach, was known without restriction, is independently developed without use of the other party’s Confidential Information, or is rightfully received from a third party.
7.4 Compelled Disclosure. A party may disclose the other’s Confidential Information when required by law, subpoena, or court order, with prompt notice (if legally permitted).
8. Warranties; Disclaimers
8.1 Service Warranty. Vendor warrants that, during an Order term, the Service will perform materially in accordance with the Documentation.
8.2 Professional Services Warranty. Vendor warrants Professional Services will be performed in a professional and workmanlike manner by appropriately skilled personnel.
8.3 Malware. Vendor uses commercially reasonable efforts to prevent introduction of malicious code into the Service.
8.4 Compliance with Law. Each party will comply with laws applicable to its performance, including anti-corruption, export, and sanctions laws.
8.5 Disclaimers. Except as expressly stated, the Service and Deliverables are provided “as is” and Vendor disclaims all other warranties to the fullest extent permitted by law, including implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement.
9. Indemnification
9.1 IP Indemnity by Vendor. Vendor will defend Customer against third-party claims alleging that the Service, as provided by Vendor, directly infringes a U.S. patent, copyright, or trade secret, and will pay damages and reasonable attorneys’ fees finally awarded or agreed in settlement. If an infringement claim arises, Vendor may: (a) procure the right for Customer to continue using the Service; (b) modify or replace the Service to be non-infringing while materially preserving functionality; or (c) terminate the impacted Order and refund prepaid, unused fees. Vendor has no obligation for claims based on (i) Customer Data; (ii) use not in accordance with the Documentation or this Agreement; (iii) combination with items not provided or specified by Vendor; or (iv) Customer-provided specifications. This Section states Vendor’s entire liability for IP infringement.
9.2 Other Claims. Vendor will defend claims for bodily injury or tangible property damage to the extent caused by Vendor’s gross negligence or willful misconduct, and claims arising from Vendor’s breach of its data security obligations under Schedule 3 resulting in unauthorized disclosure of Customer Data.
9.3 Indemnification Procedures. The indemnified party will promptly notify the indemnifying party, which will have sole control of defense and settlement (no settlement imposing liability or obligations on the indemnified party without its consent). The indemnified party will reasonably cooperate at the indemnifying party’s expense.
10. Limitation of Liability
10.1 Exclusion. Neither party will be liable for any indirect, incidental, special, consequential, exemplary, or punitive damages; or lost profits, revenues, goodwill, or data, even if advised of the possibility.
10.2 Cap. Except for (a) indemnification obligations in Section 9; (b) Customer’s payment obligations; and (c) a party’s breach of Section 7 (Confidentiality) or willful misconduct, each party’s aggregate liability arising out of or relating to this Agreement will not exceed the fees paid or payable by Customer to Vendor for the Service giving rise to the claim in the twelve (12) months preceding the event giving rise to liability. Multiple claims do not enlarge this cap.
11. Fees; Taxes; Invoicing; Payment
11.1 Fees. Customer will pay fees as set forth in each Order or SOW. Unless otherwise stated, subscription fees are billed in advance; usage-based and Professional Services fees are billed in arrears.
11.2 Payment Terms. Net 30 days from invoice date. Late amounts accrue interest at 1.0% per month or the maximum allowed by law, whichever is less.
11.3 Taxes. Fees are exclusive of taxes; Customer is responsible for applicable taxes (excluding Vendor’s income taxes).
11.4 Disputes; Set-off. Customer may withhold only the disputed portion of an invoice reasonably disputed in good faith with written detail; undisputed amounts remain payable. Neither party may set off amounts due absent a final, non-appealable court order.
12. Suspension
Vendor may suspend access to the Service: (a) for non-payment after 10 days’ written notice; (b) for material AUP violations; or (c) to address a bona fide security risk. Any suspension will be as narrow as commercially reasonable and lifted promptly once the issue is resolved.
13. Term; Termination; Effect; Transition
13.1 Term. This Agreement commences on the Effective Date and continues until terminated as provided herein. Orders specify their own terms and renewals.
13.2 Termination for Cause. Either party may terminate this Agreement or an affected Order or SOW for material breach uncured after 30 days’ written notice, or if the other party becomes insolvent.
13.3 Convenience Termination. (a) SaaS Subscriptions. After any minimum commitment period specified in an Order, Customer may terminate any SaaS subscription Order for convenience upon not less than thirty (30) days' prior written notice. Such termination will be effective at the end of the notice period (or a later effective date specified in the notice) and will not affect any other Orders or SOWs. Customer remains responsible for all fees accrued or committed through the effective termination date; prepaid subscription fees for the then-current billing period are non-refundable, and recurring charges will cease as of the effective termination date. (b) Statements of Work. Customer may terminate any SOW for convenience upon at least forty-eight (48) hours' prior written notice. Upon receipt of the notice, Vendor will promptly cease work under the affected SOW. Customer will pay: (i) fees for Services performed up to the effective termination date (including work performed during the notice period); (ii) any non-cancellable, pre-approved third-party costs and expenses; and (iii) for fixed-fee engagements, the portion of the fees corresponding to work completed through the effective termination date, determined on a good-faith percent-complete basis. Any transition or wind-down assistance will be provided in accordance with Section 13.4 and, if beyond the standard data export, at Vendor's then-current professional services rates.
13.4 Effect of Termination. Upon termination/expiration of all Orders, Customer access ends. Vendor will provide one standard export of Customer Data in its then-current machine-readable format within 30 days at no additional charge. Any additional transition assistance will be provided under a separate, billable SOW. Accrued amounts remain due. Sections that by their nature should survive (including 3–4, 6–11, 13.4, 15–25, and Schedules) survive termination.
14. Compliance; Audit
Upon 30 days’ notice, no more than once per 12 months, Customer may review Vendor’s compliance by (i) receiving, when available, current SOC 2 Type II and/or ISO/IEC 27001 reports and executive summaries of penetration tests, or until such certifications are obtained, Vendor's internal security documentation; and (ii) if reasonably necessary, a focused audit during business hours at Vendor’s site subject to Vendor’s security and confidentiality requirements. Customer bears its audit costs unless a material, uncured breach or an overcharge greater than 5% is found.
15. Subcontractors; Subprocessors
Vendor may use subcontractors, including Subprocessors, and remains responsible for their performance.
16. Export; Sanctions; Anti-Corruption
Each party will comply with applicable export control and sanctions laws and anti-corruption laws (including the U.S. FCPA and UK Bribery Act). Customer represents it is not listed on any restricted party list and will not permit access to sanctioned persons or jurisdictions.
17. Insurance
Vendor will maintain commercially reasonable insurance, including Technology E&O/Cyber and Commercial General Liability, with aggregate limits of at least US $2,000,000.
18. Force Majeure
Neither party is liable for delays or failures due to causes beyond its reasonable control (excluding payment obligations). If performance is materially prevented for more than 30 consecutive days, either party may terminate the impacted Order on notice with a pro-rata refund of prepaid, unused fees.
19. Publicity
With Customer’s prior written consent (not unreasonably withheld or delayed), Vendor may use Customer’s name and logo for factual marketing references and case studies.
20. Government Rights
If Customer is a U.S. Government end user, the Service and Documentation are “commercial computer software” and “commercial computer software documentation,” and are provided with only the rights set forth in this Agreement consistent with FAR 12.212 and DFARS 227.7202.
21. Assignment; Change of Control
Neither party may assign this Agreement without the other party’s consent, except either party may assign, without consent, to an Affiliate or in connection with a merger, reorganization, or sale of all or substantially all assets or equity, upon notice. If Vendor is acquired by Customer’s direct competitor, Customer may terminate impacted Orders on 60 days’ notice.
22. Governing Law; Venue; Equitable Relief; Jury Waiver
This Agreement is governed by the laws of the State of Delaware. Each party agrees that a breach or threatened breach of Sections 6 or 7 may cause irreparable harm for which money damages are inadequate, and the non-breaching party may seek injunctive relief. Each party waives any right to a jury trial in any action relating to this Agreement.
23. Notices
Notices must be in writing and delivered by personal service, reputable overnight courier, or certified mail to the addresses in the Order (with an email copy that does not constitute notice unless expressly stated).
24. Miscellaneous
Order of Precedence: the Order controls, then Schedule 4 (for data terms), then this Agreement, then other Schedules. This Agreement constitutes the entire agreement and supersedes prior and contemporaneous agreements on the subject. No waiver is effective unless in writing. If any provision is unenforceable, it will be modified to the minimum extent necessary to be enforceable while preserving the parties’ intent; the remainder will remain in effect. Counterparts and e-signatures are binding. There are no third-party beneficiaries.