Inbound Master Services Agreement
This Inbound Master Services Agreement (the “Agreement”) governs the relationship between Anysphere, Inc., a Delaware corporation located at 2261 Market Street, STE 86466, San Francisco, CA 94114 (“Anysphere”), and any vendor (“Vendor”) who enters into a statement of work with Anysphere that references this Agreement (“SOW”). By entering into a SOW, the parties agree to be bound by the version of this Agreement posted on this page on the effective date of the applicable SOW.
1. SERVICES & DELIVERABLES
1.1. From time to time, Anysphere and Vendor may execute one or more SOWs that describe the specific services (“Services”) and deliverables (“Deliverables”) to be performed by Vendor in accordance with the terms and conditions and the delivery schedule set forth in each SOW and this Agreement. Each SOW may be amended only by written agreement of the parties. In the event of any conflict between a SOW and this Agreement, the SOW will control.
1.2. Anysphere may inspect the Deliverables and review the Services throughout the Term. Anysphere will conduct regular check-ins or progress reviews and may provide feedback on the Services and Deliverables during their performance. Anysphere will accept or reject the Deliverables within thirty days after delivery based on conformity with the applicable SOW. Acceptance does not reduce any applicable warranties under this Agreement. Anysphere will provide a written explanation for any rejected Services or Deliverables. Anysphere may require Vendor to correct and re-deliver any rejected Services and Deliverables at no cost to Anysphere, under agreed deadlines, and subject to further inspection by Anysphere. Otherwise, Anysphere’s rejection is final and Anysphere will not be obligated to pay for the rejected Services and Deliverables.
1.3. Vendor will promptly notify Anysphere in writing of anything that is likely to cause a delay in the delivery of any Service or Deliverable.
2. PAYMENT.
2.1. Fees and Expenses. As Vendor’s sole compensation for the performance of Services and delivery of the Deliverables, Anysphere will pay Vendor the fees specified in each SOW in accordance with the terms set forth therein. Without limiting the generality of the foregoing, Vendor acknowledges and agrees that, if specified in the SOW, Anysphere’s payment obligation will be expressly subject to Vendor’s completion or achievement of certain milestones to Anysphere’s reasonable satisfaction. Unless otherwise provided in the SOW, Vendor must obtain Anysphere’s prior written approval to be reimbursed for reasonable out-of-pocket travel, lodging and related expenses incurred by Vendor in connection with Vendor’s performance of Services. To obtain reimbursement, Vendor will furnish Anysphere with copies of receipts and other customary documentation for any expenses for which Vendor requests reimbursement hereunder.
2.2. All fees and other amounts set forth in the SOW, if any, are stated in and are payable in U.S. dollars unless otherwise specified in the applicable SOW. Unless otherwise provided in a SOW, Vendor will invoice Anysphere monthly in arrears for all fees and expenses payable to Vendor, and undisputed invoices shall be paid Net 60 upon receipt by Anysphere of a correct invoice. Invoices should include the date of work, amount of time worked (e.g., hours, days, or other applicable unit) and the billable rate. If reasonable out-of-pocket expenses are approved for reimbursement under this Agreement, Vendor must submit receipts in order to receive payment for them. The parties will use commercially reasonable efforts to promptly resolve any payment disputes. Anysphere is not required to pay any invoice submitted more than 180 days after the final Deliverables have been made.
2.3. In addition to other rights and remedies Anysphere may have, Anysphere may offset any payment obligations to Vendor that Anysphere may incur under this Agreement against any fees owed to Anysphere and not yet paid by Vendor under this Agreement. Anysphere may withhold and offset against its payment obligations under this Agreement, or require Vendor to pay to Anysphere within 30 days of receipt of any invoice, any amounts Anysphere may have overpaid to Vendor in prior periods.
2.4. Taxes. Fees due under any SOW do not include any taxes. If Vendor is legally obligated to collect applicable taxes, Vendor must state each applicable tax as a separate line item on its invoice. Anysphere will pay taxes separately stated on correct, undisputed, and timely invoices for the applicable Services and Deliverables. If Anysphere is obligated to withhold any taxes from its payments to Vendor, Anysphere will make the payments net of the withheld amounts.
3. INTELLECTUAL PROPERTY.
3.1. Disclosure of Work Product. Vendor will, as an integral part of its performance of Services, disclose in writing to Anysphere all works of authorship, know-how, algorithms, specifications, and other materials of any kind that Vendor may make, conceive, or develop alone or jointly with others, in connection with performing Services, or that result from or that are related to such Services, whether or not they are eligible for copyright, trade secret, trademark or other legal protection (collectively, “Vendor Work Product”). Vendor Work Product includes without limitation any Deliverables that Vendor delivers to Anysphere pursuant to Section 1.2.
3.2. Ownership of Vendor Work Product. Vendor and Anysphere agree that, to the fullest extent permitted by applicable law, each item of Vendor Work Product will be a work made for hire owned exclusively by Anysphere. Vendor agrees that, regardless of whether an item of Vendor Work Product is a work made for hire, all Vendor Work Product will be the sole and exclusive property of Anysphere. Vendor hereby irrevocably transfers and assigns to Anysphere, and agrees to irrevocably transfer and assign to Anysphere, all right, title and interest in and to the Vendor Work Product, including all worldwide copyrights, know-how, and any and all other intellectual property or proprietary rights (collectively, “Intellectual Property Rights”) therein. At Anysphere’s request and expense, during and after the term of this Agreement, Vendor will assist and cooperate with Anysphere in all respects, and will execute documents, and will take such further acts reasonably requested by Anysphere to enable Anysphere to acquire, transfer, maintain, perfect and enforce its Intellectual Property Rights and other legal protections for the Vendor Work Product.
3.3. Prior Inventions. Vendor retains ownership of any inventions, works of authorship, developments, improvements, trade secrets, and other intellectual property owned by Vendor or in which Vendor has an interest prior to, or separate from, performing the Services under this Agreement (“Prior Invention(s)”). Vendor will not incorporate any proprietary information or product owned by any third party or open source software into any Deliverable without Anysphere’s prior written permission. Any approved third-party materials included in any Deliverables will be (a) without additional expense to Anysphere and (b) with written consent consistent as set forth in the applicable SOW and with the rights granted to Anysphere under this Section. To the extent that any Prior Invention is incorporated into or necessary for the use, operation, or exploitation of any Vendor Work Product, Vendor hereby grants to Anysphere a nonexclusive, royalty-free, perpetual, irrevocable, transferable, worldwide license (with the right to grant and authorize sublicenses) to make, have made, use, import, offer for sale, sell, reproduce, distribute, modify, adapt, prepare derivative works of, display, perform, and otherwise exploit such Prior Invention in connection with such Vendor Work Product.
3.4. Moral Rights. To the fullest extent permitted by applicable law, Vendor irrevocably transfers and assigns to Anysphere, and agrees to irrevocably transfer and assign to Anysphere, and waives and agrees never to assert, any and all Moral Rights (as defined below) that Vendor may have in or with respect to any Vendor Work Product, during and after the term of this Agreement. “Moral Rights” mean any rights to claim authorship of a work, to object to or prevent the modification or destruction of a work, to withdraw from circulation or control the publication or distribution of a work, and any similar right, existing under judicial or statutory law of any country in the world, regardless of whether or not such right is called or generally referred to as a “moral right.”
3.5. Related Rights. To the extent that Vendor owns or controls (presently or in the future) any patent rights, copyright rights, mask work rights, trade secret rights, or any other intellectual property or proprietary rights that may block or interfere with, or may otherwise be required for, the exercise by Anysphere of the rights assigned to Anysphere under this Agreement (collectively, “Related Rights”), Vendor hereby grants or will cause to be granted to Anysphere a non-exclusive, royalty-free, irrevocable, perpetual, transferable, worldwide license (with the right to sublicense) to make, have made, use, offer to sell, sell, import, copy, modify, create derivative works based upon, distribute, sublicense, display, perform and transmit any products, software, hardware, methods or materials of any kind that are covered by such Related Rights, to the extent necessary to enable Anysphere to exercise all of the rights assigned to Anysphere under this Agreement.
4. CONFIDENTIALITY AND DATA PROCESSING AGREEMENT.
4.1. Confidentiality. For purposes of this Agreement, “Confidential Information” means and will include: (i) any information, materials or knowledge regarding either party and its business, financial condition, products, programming techniques, customers, suppliers, technology or research and development that is disclosed to the other party or to which the other party has access in connection with performing Services, including, in the case of Anysphere, Anysphere Data; (ii) the Vendor Work Product; and (iii) the terms and conditions of this Agreement. “Anysphere Data” means any data, content, information, prompts, inputs, outputs, logs, metadata, telemetry, embeddings, derivatives, personal data, or customer data provided or made available by or on behalf of Anysphere, or accessed, generated, processed, stored, or transmitted by Vendor in connection with the Services. Vendor may use Anysphere Data only to perform the Services under this Agreement and the applicable SOW. Confidential Information will not include any information that: (a) is or becomes part of the public domain through no fault of the receiving party; (b) was rightfully in the receiving party’s possession at the time of disclosure, without restriction as to use or disclosure; or (c) the receiving party rightfully receives from a third party who has the right to disclose it and who provides it without restriction as to use or disclosure.
Each party agrees to hold all Confidential Information of the other party in strict confidence, not to use it in any way, commercially or otherwise, except in performing Services, and not to disclose it to others. Each party further agrees to take all actions reasonably necessary to protect the confidentiality of all Confidential Information including, without limitation, implementing and enforcing procedures to minimize the possibility of unauthorized use or disclosure of Confidential Information, and complying with the obligations under Exhibit A. Notwithstanding the foregoing, under the Defend Trade Secrets Act of 2016, a party (if an individual) will not be liable for disclosing a trade secret if the disclosure is: (A) made in confidence to a government official or attorney to report or investigate a legal violation, or (B) made in a lawsuit or proceeding filed under seal. A party may also share the trade secret with their attorney and use it in a retaliation lawsuit, as long as any court filing is under seal and the trade secret is not disclosed except by court order. Except for the limited use rights under this Agreement, neither party acquires any right, title, or interest in the other party's Confidential Information.
4.2. Security. Vendor will comply with the obligations set forth in Exhibit A. In addition, Vendor will notify Anysphere in writing within 24 hours of becoming aware of any actual or reasonably suspected security breach, unauthorized access, or data incident affecting Anysphere's Confidential Information or data. Such notification will include details of the incident, affected data, remedial actions taken, and Vendor's plan to prevent similar incidents. Vendor will provide all reasonable assistance to Anysphere in investigating and remediating any such incident at Vendor's expense.
5. INDEPENDENT CONTRACTOR.
Vendor is an independent contractor; Vendor and Vendor Personnel are not Anysphere employees. Vendor and Vendor Personnel will not be entitled to any compensation, stock, options, or other rights or benefits provided to Anysphere employees, waives any right to them, and promises never to claim them. Vendor will notify Vendor Personnel of the above and will obtain a similar waiver from Vendor Personnel. Vendor is responsible for any income tax withholding applicable to Vendor Personnel.
6. REPRESENTATIONS AND WARRANTIES
6.1. Mutual. Each party represents and warrants that it has full power and authority to enter into and fulfill its obligations under this Agreement.
6.2. Vendor. Vendor represents and warrants that: (a) Vendor will perform the Services in a professional and workmanlike manner by employees of Vendor having a level of skill commensurate with the requirements of this Agreement; (b) all work under this Agreement shall be Vendor’s original work and none of the Services or Deliverables nor any development, use, production, distribution or exploitation thereof will infringe, misappropriate or violate any intellectual property or other right of any person or entity; (c) Vendor has the full right to allow it to provide Anysphere with the assignments and rights provided for herein (and has written enforceable agreements with all persons necessary to give it the rights to do the foregoing and otherwise fully perform this Agreement); (d) Vendor shall comply with all applicable laws and regulations and, if provided, Anysphere’s safety rules in the course of performing the Services; (e) there are no actual or potential conflicts of interest concerning the Services; (f) the Deliverables will be free from any viruses or other malicious code; and (g) Vendor is an equal-opportunity employer and does not discriminate on the basis of age, race, creed, color, religion, sex, sexual orientation, national origin, disability, marital or veteran status or any other basis that is prohibited by law and will not so discriminate in providing the Services.
7. INDEMNIFICATION.
7.1. Vendor indemnity. Vendor will defend and indemnify Anysphere, its officers, directors, employees, sublicensees, users and agents (the “Anysphere Parties”) from any claims, lawsuits, liabilities, or causes of action of every nature (“Claims”) arising out of or related to: (a) any third party Claim that the Services or any Deliverables infringe or misappropriate any third-party Intellectual Property Rights; (b) Vendor’s breach of warranty, negligence or violation of law; (c) any breach of Section 4 (Confidentiality and Data Processing Agreement) by Vendor or anyone acting on Vendor’s behalf; and (d) any property damage, personal injury or death related to performance of the Services.
7.2. Indemnity process. Anysphere will have the right to approve any counsel retained to defend against any Claims against an Anysphere Party and will not unreasonably withhold such approval. Anysphere will have the right to control and participate in the defense of any such Claim concerning matters that relate to Anysphere, and Vendor will not settle or compromise any such Claim without Anysphere's written consent. If, in Anysphere's reasonable judgment, a conflict exists between the interests of Anysphere and Vendor in such a Claim, Anysphere may retain its own counsel whose reasonable fees will be paid by Vendor.
8. LIMITATION OF LIABILITY.
EXCEPT FOR INFRINGEMENT OR MISAPPROPRIATION OF INTELLECTUAL PROPERTY RIGHTS, BREACHES OF OBLIGATIONS UNDER SECTION 4 (CONFIDENTIALITY AND DATA PROCESSING AGREEMENT), OR OBLIGATIONS UNDER SECTION 7 (INDEMNIFICATION): (A) NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY OR PUNITIVE DAMAGES; AND (B) NEITHER PARTY’S LIABILITY ARISING OUT OF THIS AGREEMENT WILL EXCEED THE AMOUNT ACTUALLY PAID OR PAYABLE UNDER THE APPLICABLE SOW UNDER WHICH THE LIABILITY AROSE.
9. TERM AND TERMINATION.
9.1. Term. This Agreement will commence on the Effective Date and continue until terminated pursuant to this Agreement.
9.2. Termination. Either party may immediately terminate this Agreement or any SOW on written notice if the other party is in material breach of this Agreement and fails to cure that breach within 30 days after receiving written notice from the first party identifying the breach. In addition, either party may immediately suspend performance or terminate this Agreement if an applicable law or an applicable government or court order prohibits performance of any part of the Agreement. Anysphere may terminate this Agreement or any SOW with fifteen (15) days written notice to Vendor, subject to Section 9.3.
9.3. Effect of Termination. Unless otherwise specified in the termination notice, termination is effective immediately and Vendor will stop work on all applicable SOWs immediately on receipt of the termination notice. Termination of this Agreement terminates all outstanding SOWs and all licenses that Anysphere granted under this Agreement. For the avoidance of doubt, termination of a SOW only terminates that SOW and not this Agreement. Anysphere will pay for Services and Deliverables provided prior to the date of termination. Upon termination, Vendor will delete all Confidential Information and personal data unless it is required by applicable law to retain some portion of the Confidential Information or personal data. Upon written request, Vendor will confirm that Confidential Information and/or personal data has been deleted in accordance with this Agreement.
9.4. Survival. Sections 3 (Intellectual Property), 4 (Confidentiality and Data Processing Agreement), 7 (Indemnification), 8 (Limitation of Liability), 9.4 (Survival), 12.3 (AI Breach) and 13 (General Terms) will survive any termination of this Agreement.
10. INSURANCE, BACKGROUND CHECKS.
10.1. Insurance. Vendor will maintain and carry throughout the term of this Agreement insurance of types and in amounts customary for vendors performing similar services and sufficient to meet Vendor's obligations under this Agreement. Vendor shall furnish Anysphere certificates of insurance evidencing such coverage upon written request and will provide prompt notice to Anysphere of any cancellation or material change to such policies.
10.2. Background Checks. Vendor shall conduct standard background checks on all Vendor Personnel as permitted by applicable law and any policies provided by Anysphere, and shall maintain records of such checks and, upon Anysphere's request, promptly provide evidence of compliance with this Section.
11. EXPORT LICENSES
Vendor represents, warrants, and covenants that it and all Vendor Personnel will comply with all applicable export control laws, regulations, and orders of the United States and any other relevant jurisdiction, including but not limited to the Export Administration Regulations ("EAR"), and the regulations administered by the Office of Foreign Assets Control ("OFAC") (collectively, "Export Control Laws"). Vendor will not export, re-export, transfer, or make available, directly or indirectly, any Confidential Information, technology, software, or technical data received from Anysphere to any country, entity, or person prohibited by Export Control Laws. Vendor represents and warrants that neither Vendor nor any Vendor Personnel appear on any restricted party list maintained by the U.S. government or other applicable government authorities, including but not limited to the Denied Persons List, Entity List, Specially Designated Nationals List, or Unverified List. Vendor will conduct appropriate screening of all Vendor Personnel and will immediately notify Anysphere if any Vendor Personnel become subject to any export control restrictions.
12. AI REQUIREMENTS
12.1. Use of AI Technology. Vendor shall not use, incorporate, or rely on any artificial intelligence, machine learning, or generative technology ("AI Technology") in performing the Services or creating any Deliverables unless expressly disclosed and approved in the applicable SOW ("Approved AI"). Each SOW permitting AI Technology must specify the purpose.
12.2. Training Prohibition. Vendor shall (a) not use any of Anysphere’s Confidential Information, including Anysphere Data, to train, fine-tune, improve, or evaluate any AI Technology or model, nor allow any third party to do so, and (b) will implement zero data retention practices, ensuring that none of Anysphere’s Confidential Information, including Anysphere Data, is retained, stored, or cached by Vendor or any third-party AI Technology providers after completion of processing, unless expressly approved in the SOW.
12.3. AI Breach. Any breach of this Section 12 constitutes a material breach of this Agreement and entitles Anysphere to injunctive and other equitable relief in addition to all other remedies available at law or in equity.
13. GENERAL TERMS
13.1. No Publicity. Neither party may make any public statement regarding this Agreement without the other party’s prior written approval.
13.2. Records and Audit Rights. Anysphere may examine the Deliverables and work-in-progress at any time. Vendor will maintain complete and accurate records relating to this Agreement. Within 30 days of Anysphere’s reasonable request, during the Term and for 12 months thereafter, and subject to reasonable confidentiality and security requirements, Vendor will provide access to those books and records that are reasonably necessary for Anysphere to confirm compliance with this Agreement.
13.3. Assignment. Vendor may not assign or transfer this Agreement, in whole or in part, without Anysphere’s express prior written consent. Any attempt to assign this Agreement, without such consent, will be void. Subject to the foregoing, this Agreement will bind and benefit the parties and their respective successors and assigns.
13.4. Subcontracting. Vendor may use subcontractors and subprocessors in connection with the Services, provided that Vendor remains responsible for their acts and omissions and ensures they are bound by written obligations no less protective of Anysphere than this Agreement. Upon Anysphere’s request, Vendor will provide a list of subcontractors and subprocessors that may access or process Anysphere Data. Vendor will provide prior notice of any new subcontractor or subprocessor that may access or process Anysphere Data, or any other material change to such subcontractors or subprocessors, and will not use any subcontractor or subprocessor to which Anysphere reasonably objects.
13.5. Force Majeure. Neither party will be liable for failure or delay in performance to the extent caused by circumstances beyond its reasonable control.
13.6. No Election of Remedies. Except as expressly set forth in this Agreement, the exercise by Anysphere of any of its remedies under this Agreement will not be deemed an election of remedies and will be without prejudice to other remedies under this Agreement or available at law or equity.
13.7. Equitable Remedies. Because the Services are personal and unique and because Vendor will have access to Confidential Information of Anysphere, Anysphere will have the right to enforce this Agreement and any of its provisions by injunction, specific performance or other equitable relief, without having to post a bond or other consideration, in addition to all other remedies available by law.
13.8. Governing Law. This Agreement will be governed by and construed in accordance with the laws of the State of California excluding its body of law controlling conflict of laws. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in San Francisco, California, and the parties irrevocably consent to the personal jurisdiction and venue therein.
13.9. Severability. If any provision of this Agreement is held invalid or unenforceable by a court of competent jurisdiction, the remaining provisions of this Agreement will remain in full force and effect, and the provision affected will be construed so as to be enforceable to the maximum extent permitted by law.
13.10. Waiver. Failure by either party to enforce any provision of this Agreement will not constitute a waiver of future enforcement of that or any other provision.
13.11. Notices. All notices must be in writing and are effective upon receipt if delivered by courier, overnight service, or email. For email notice, Anysphere’s designated address is legal@cursor.com, and Vendor’s designated address is as listed in the applicable SOW.
13.12. Entire Agreement. This Agreement, together with any SOW, constitutes the complete and exclusive understanding and agreement of the parties with respect to its subject matter and supersedes all prior understandings and agreements, whether written or oral. Anysphere may update the terms of this Agreement from time to time by posting an updated version on this page. Such updates will be effective for new SOWs entered into after the updated version is posted. Vendor is responsible for reviewing the current version of this Agreement prior to entering into a new SOW.
Exhibit A — Data Security Exhibit
Program. Vendor will implement and maintain a comprehensive written information security program (“Information Security Program”), which contains appropriate administrative, technical and organizational safeguards that comply with this Exhibit A and that ensures the security, integrity, availability, resilience and confidentiality of Anysphere’s Confidential Information and that meet or exceed generally accepted industry standards.
Access Controls. Vendor will: (a) abide by the “principle of least privilege,” pursuant to which Vendor will permit access to Anysphere’s Confidential Information by its personnel solely on a need-to-know basis; (b) promptly terminate its personnel’s access to Anysphere’s Confidential Information when such access is no longer required for performance under the Agreement; (c) log the details of any access to Anysphere’s Confidential Information, and retain such records for no less than 90 days; and (d) be responsible for any processing of Anysphere’s Confidential Information by its personnel.
Account Management. Vendor will use reasonable measures to manage the creation, use, and deletion of all account credentials used to access the Vendor Systems, including by implementing: (a) a segregated account with unique credentials for each user; (b) strict management of administrative accounts; (c) password best practices, including the use of strong passwords and secure password storage; and (d) periodic audits of accounts and credentials. “Vendor Systems” means the facilities, systems, equipment, hardware, and software used in connection with Vendor’s Processing of Anysphere’s Confidential Information.
Vulnerability Management. Vendor will: (a) use automated vulnerability scanning tools to scan the Vendor Systems; (b) log vulnerability scan reports; (c) conduct periodic reviews of vulnerability scan reports over time; (d) use patch management and software update tools for the Vendor Systems; (e) prioritize and remediate vulnerabilities by severity; and (f) use compensating controls if no patch or remediation is immediately available.
Incident Response. Vendor will notify Anysphere of any accidental or unlawful destruction, loss, or alteration of Anysphere Confidential Information, or any unauthorized access to, or use or disclosure of, Anysphere Confidential Information (“Security Incident”) without undue delay (and in any event within 24 hours) after becoming aware of any actual or reasonably suspected Security Incident. In any such notice, Vendor will include: (a) a description of the Security Incident, including the number and categories of any individuals affected, (b) categories and number of records concerned, (c) types of information affected, (d) date and time of the Security Incident, (e) a summary of the circumstances that caused the Security Incident and any ongoing risks that the Security Incident poses, (f) a description of the measures proposed or taken by Vendor to address the Security Incident, and (g) any other information reasonably requested by Anysphere relating to the Security Incident. If and solely to the extent it is not possible to provide the above information at the same time, the information may be provided in phases without undue delay. Vendor will provide reasonable assistance to Anysphere to investigate, remediate or take any other action Anysphere deems reasonably necessary regarding the Security Incident, including in connection with any dispute, inquiry, investigation or claim concerning the Security Incident.
Security Segmentation. Vendor will use reasonable measures to monitor, detect and restrict the flow of information on a multilayered basis within the Vendor Systems using tools such as firewalls, proxies, and network-based intrusion detection systems.
Data Loss Prevention. Vendor will use reasonable data loss prevention measures to identify, monitor and protect Anysphere’s Confidential Information in use, in transit and at rest. Such data loss prevention processes and tools will include: (a) automated tools to identify attempts of data exfiltration; (b) the prohibition of, or secure and managed use of, portable devices; (c) use of certificate-based security; and (d) secure key management policies and procedures.
Encryption. Vendor will encrypt, using industry standard encryption tools, Anysphere’s Confidential Information that Vendor: (i) transmits or sends wirelessly or across public networks or within the Vendor Systems; (ii) stores on laptops or storage media, and (iii) stores on portable devices or within the Vendor System. Vendor will safeguard the security and confidentiality of all encryption keys associated with encrypted information.
Pseudonymization. Vendor will, where possible and consistent with the Services, use industry standard and reasonable pseudonymization techniques to protect Anysphere’s Confidential Information.
Secure Software Development. Vendor represents and warrants that any software used in connection with the processing of Anysphere’s Confidential Information is or has been developed using secure software development practices, including: (a) segregating development and production environments; (b) filtering out potentially malicious character sequences in user inputs; (c) using secure communication techniques, including encryption; (d) using sound memory management practices; (e) using web application firewalls to address common web application attacks such as cross-site scripting, SQL injection and command injection; (f) implementing the OWASP Top Ten recommendations, as applicable; (g) patching of software; (h) testing object code and source code for common coding errors and vulnerabilities using code analysis tools; (i) testing of web applications for vulnerabilities using web application scanners; and (j) testing software for performance under denial of service and other resource exhaustion attacks.
PCI Compliance. To the extent any of Anysphere’s Confidential Information includes “cardholder data,” as such term is defined by the Payment Card Industry Data Security Standard (“PCI DSS”), Vendor will: (a) comply with the PCI DSS and other applicable PCI and payment card issuer, brand or association rules and requirements; (b) fully cooperate with any security review or investigation as may be required by Anysphere, any payment card issuer, brand or association, or law enforcement entity, including by providing data security reports; (c) pay any fines and penalties in the event Vendor or any of its subcontractors fail to comply with such rules or requirements; and (d) on no less than an annual basis, at its own expense, undergo a PCI DSS compliance audit or self-assessment, as applicable, and provide the results of such audit or self-assessment, along with evidence of compliance (in the form of an Attestation of Compliance or ROC), to Anysphere.
Physical Safeguards. Vendor will maintain physical access controls that secure relevant Vendor Systems used to Process any of Anysphere’s Confidential Information, including an access control system that enables Vendor to monitor and control physical access to each Vendor facility, that includes 24x7 physical security monitoring systems and the use of trained and experienced security guards.
Administrative Safeguards. Prior to providing access to Anysphere’s Confidential Information to any of its personnel, Vendor will: (a) ensure the reliability of such personnel, including by performing background screening (to the extent permitted by Data Protection Law); and (b) provide appropriate security training to such personnel to ensure such personnel can comply with the obligations under this Exhibit A. Vendor will periodically provide additional training to its personnel as may be appropriate to help ensure that Vendor’s Information Security Program meets or exceeds prevailing industry standards.