TERMS OF SERVICE (SAAS)

PLEASE READ THESE TERMS OF SERVICE CAREFULLY. THESE TERMS OF SERVICE ARE A BINDING AGREEMENT (THE “AGREEMENT”) ENTERED INTO BETWEEN CYBERARK SOFTWARE, INC. A DELAWARE CORPORATION WITH OFFICES AT 60 WELLS AVENUE, NEWTON MA 02459 (OR WITH ITS AFFILIATE, AS APPLICABLE) (“CYBERARK”) AND THE ENTITY OR PERSON IDENTIFIED ON ANY ORDER FOR SOFTWARE AS A SERVICE (FOR SUBSCRIPTION SERVICES OR ON TRIAL BASIS), WHICH IS CONFIRMED BY CYBERARK (“CUSTOMER”, “ORDER” and RESPECTIVELY).

BY (I) CUSTOMER CLICKING THROUGH THIS AGREEMENT ELECTRONICALLY, (II) THE PARTIES ENTERING INTO AN ORDER REFERENCING THIS AGREEMENT, OR (III) CUSTOMER USING THE SERVICES, CUSTOMER AND CYBERARK MUTUALLY AGREE TO BE BOUND BY THE TERMS AND CONDITIONS HEREOF. EACH ORDER SHALL BE MUTUALLY AGREED TO AND ENTERED INTO BETWEEN CUSTOMER AND CYBERARK, PROVIDED THAT, IF CUSTOMER PURCHASES THE SERVICES THROUGH A CYBERARK AUTHORIZED PARTNER (“RESELLER”), THE ORDER SHALL BE THE ORDER ENTERED INTO BETWEEN CYBERARK AND THE RESELLER FOR CUSTOMER’S USE. IF YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT, YOU ARE NOT PERMITTED TO USE THE SERVICES.

IF YOU ARE ENTERING INTO THIS AGREEMENT AS AN AGENT, EMPLOYEE OR REPRESENTATIVE OF YOUR EMPLOYER, THE TERM “CUSTOMER” MEANS YOUR EMPLOYER AND/OR ANY OTHER PARTY ON WHOSE BEHALF YOU ACT, AND YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO ACT ON SUCH PARTY’S BEHALF.

1. DEFINITIONS. Affiliate” means any entity controlled by, controlling, or under common control with a party to this Agreement during the period such control exists, where “control” means the power to direct the operation, policies and management of an entity through the ownership of at least fifty percent (50%) of the voting stock or other ownership interests of such entity or the ability, by voting securities, contract or otherwise, to elect a majority of the board of directors or other governing body of such entity or to direct or cause the direction of the management and policies of such entity. “Documentation” means the user guidelines and other user documentation related to the use or operation of the Services, each as officially published and made available by CyberArk electronically via the Services or otherwise in writing. “Services” means the services specified in the Order as further described in the Documentation (including any updates to the Services provided by CyberArk in its sole discretion, and any software and/or systems owned, controlled or provided by CyberArk used in the Services).

2. SERVICES.

2.1 License Grant. CyberArk shall provide the Services as described in an Order. Subject to the terms and conditions of this Agreement, CyberArk grants Customer, during the subscription term specified in an Order, a non-exclusive, non-transferable license (without the right to sub-license) to access and use the Services for Customer’s internal business purposes in accordance with the Documentation. In connection with such use, Customer shall have the right to allow its employees and contractors (“Authorized Users”) to use the Services on Customer’s behalf, subject to their compliance with the terms of this Agreement, and Customer shall remain liable for any non-compliance by Authorized Users. CyberArk, and/or any of its Affiliates, owns all right, title and interest in the Services and in the underlying intellectual property thereof. Nothing in this Agreement shall be construed to grant Customer any rights in CyberArk’s Services or its underlying  intellectual property beyond those expressly provided for herein.

2.2 License Restrictions. Customer shall not (directly or indirectly): (i) remove any notice of proprietary rights from the Services, (ii) reverse engineer, decompile, attempt to derive the source code or underlying ideas or algorithms of any part of the Services (except to the limited extent applicable laws specifically prohibit such restriction), attempt to recreate the Services or use the Services for any competitive purpose, (iii) copy, modify, translate or otherwise create derivative works of any part of the Services, (iv) sell, resell, encumber, rent, lease, time-share, distribute, transfer or otherwise use or exploit or make available any of the Services to or for the benefit of any third party, or (v) use the Services to infringe on the intellectual property rights, publicity rights, or privacy rights of any third party, or to store defamatory, trade libelous, or otherwise unlawful data. Customer’s authorized use of the Services is subject to the purchased quantities and features set forth in the applicable Order for the Services, and any usage guidelines and acceptable use policies to the extent applicable to Customer’s usage of the Service.

2.3 Login Access to the Services. Customer is solely responsible for ensuring: (i) that only appropriate Authorized Users of Customer have access to the Services, (ii) that such Authorized Users have been trained in proper use of the Services, and (iii) proper usage of passwords, tokens and access procedures with respect to logging into the Services. CyberArk reserves the right to refuse registration of, or to cancel, login IDs that it reasonably believes to violate the terms and conditions set forth in this Agreement, in which case CyberArk will promptly inform Customer in writing of such refusal or cancellation.

2.4 Free Trial or Beta Versions of the Services. If Customer is using a free trial or proof of concept version of the Services or a beta version of the Services as specified in an Order, CyberArk makes such Services available to Customer until the earlier of (i) the end of the free trial or proof of concept period or beta testing period as communicated by CyberArk, (ii) the start date of any purchased version of such Services, or (iii) written notice of termination from CyberArk. Customer is authorized to use a trial or proof of concept version of the Service only for evaluation and not for any business or productive purposes. Any data Customer enters into the Services and any revisions made to the Services by or for Customer during the free trial or proof of concept or during the beta testing period will be permanently lost unless Customer (a) has purchased a subscription to the same Services as covered by the free trial or proof of concept or beta version or (b) exports such data before the end of such free period. There is no guarantee that features or functions of the Service available in a beta version of the Service will be available, or if available will be the same, in the general release version of the Service, and Customer should review the Service features and functions before making a purchase.

2.5 Hosting. Customer acknowledges that CyberArk’s Services operate on one or more third party cloud computing platforms and that CyberArk shall have the right to change or add to the cloud computing platforms on which its Services operate.

3. CUSTOMER DATA.

Customer owns all right, title and interest in all data and/or content created or provided by Customer, and in all data derived from it, specifically excluding the Non-Identifiable Aggregated Data and Non-Identifiable Threat Indicators (defined below) (“Customer Data”). Nothing in this Agreement shall be construed to grant CyberArk any rights in Customer Data beyond those expressly provided herein. Customer agrees that CyberArk shall own all right, title and interest in the Non-Identifiable Aggregated Data and Non-Identifiable Threat Indicators. For clarity, CyberArk will not store any Customer Data other than as required for the provision of the Services, except to the extent that it constitutes Customer Meta-Data or Non-Identifiable Threat Indicators. As between CyberArk and Customer, Customer is solely responsible for the content, quality and accuracy of Customer Data, for securing any necessary approvals for CyberArk’s use of the Customer Data as provided for herein, and for ensuring that the Customer Data as made available by Customer complies with applicable laws and regulations. CyberArk is not responsible for Customer Data once it leaves the CyberArk Services, including by way of example, if Customer utilizes APIs to push data from the Services to a Customer application or system.

Notwithstanding any other restrictions on use of data in this or any other agreement:

3.1 Use of Customer Data. Customer grants CyberArk the limited, non-exclusive right to use the Customer Data solely for the purpose of providing the Services to Customer in accordance with the Documentation (including routine actions taken to enable data backups and disaster recovery and business continuity procedures).

3.2 Use of Customer Meta-Data. Customer grants CyberArk the limited, non-exclusive right to view, and use the Customer Data to create meta-data derived from Customer Data which may include, by way of example only, file modification dates, audit trails, and the number of times a file has been accessed) (“Customer Meta-Data”), for the purpose of providing and improving the Services.

3.3 Use of Aggregated Data. Customer grants CyberArk the right to collect and use anonymized generic statistical information derived from such Customer Meta-Data (but not the Customer Data itself) and aggregate it with statistical information from other customers (“Non-Identifiable Aggregated Data”) for CyberArk’s reasonable business purposes, including without limitation for analyzing customer needs and improving the Services.

3.4 Use of Threat Intelligence Indicators. With respect to certain Services, Customer grants CyberArk the right to collect and use anonymized threat intelligence indicators directly derived from the provision of the Services, including an automated content scan of Customer Data stored in the Services (“Non-Identifiable Threat Indicators”) for CyberArk’s reasonable business purposes, including without limitation for improving the Services.

Certain Services have deep scanning and data analytics capabilities, as described in the Documentation, and if Customer has purchased such Services, Customer shall ensure that the use of the Services on its endpoints complies with Customer’s internal privacy policies and procedures with respect to analysis of endpoint data for information security purposes.

3.5 Processing of Personal Data. To the extent required by applicable laws, Customer warrants that it complies with its obligations under relevant data protection laws in respect of its processing of personal data and in any processing instructions that Customer issues to CyberArk, including any obligations specific to its role as data controller or data processor (as applicable). Without limitation to the foregoing, Customer shall ensure that its instructions comply with all laws, regulations and rules applicable to such personal data, and that CyberArk’s processing of the personal data in accordance with Customer’s instructions will not cause CyberArk to violate any applicable laws. Customer will ensure that it has all necessary consents and notices in place to enable the lawful transfer of the personal data (as prescribed by applicable laws) to CyberArk for the duration and purposes of this Agreement. In particular, if Customer is established in the European Economic Area (“EEA”) or will, in connection with the Services, provide CyberArk with personal data relating to an individual resident within the EEA, the Data Processing Addendum (SaaS) found at https://www.cyberark.com/addendum_saas.pdf is incorporated into this Agreement.

4. SUPPORT; UPDATES AND MAINTENANCE. CyberArk shall make available to Customers who have paid fees for the Service, support, updates, and maintenance in accordance with CyberArk standard terms of the maintenance and support (based on the support level purchased by Customer). Upon notification from CyberArk, Customer shall promptly update any locally-installed software agents on Customer systems that interact with the Services. Customer acknowledges and agrees that its failure to timely install such an update may result in disruptions to or failures of the Services, or suspension of Customer’s access to the Services, without any liability on the part of CyberArk to Customer.

5. FEES.

5.1 Payment Terms. Fees for the Service are due annually in advance net thirty (30) days from date of invoice unless otherwise agreed between the parties. Fees do not include sales, use, value added or other excise tax. Customer is responsible for payment of all such taxes based on fees paid or payable hereunder (but not taxes based on CyberArk’s gross revenues or net income) together with any interest on such taxes if not due to CyberArk’s delay. Delinquent payments may be assessed interest at the rate of one-and-one-half percent per month (or the highest rate permissible by law if less) from the payment due date until paid in full. This Section will apply to the CyberArk Reseller if the Order is placed by it, with the necessary changes and subject to its valid agreement with CyberArk.

5.2 Reasonable Use of Services. Fees for the Service are based on “normal usage” of the Service in a manner consistent with its intended purposes and as described in the Documentation. If Customer’s usage is in a manner outside of the intended purposes or otherwise exceeds the quantities listed in the Order, then CyberArk reserves the right to require Customer to either comply with such limits or pay an additional mutually agreed fee, not to exceed CyberArk’s list price for such additional usage.

6. TERM AND RENEWAL.

6.1 Term of the Agreement. CyberArk will provide the Services during the term specified in an Order that was confirmed by CyberArk, which term shall be at least one (1) year. During that period, this Agreement shall remain in effect unless or until terminated in accordance with the terms hereof. Prior to the end of the subscription period, CyberArk will enquire with Customer whether it wishes to extend the term of this Agreement and if so, the term of this Agreement would be extended for the period stated in the renewal Order.

6.2 Termination of Agreement; Cessation of Services. Either party may terminate this Agreement, upon sixty (60) days prior written notice, for any reason, provided however that: (i) if CyberArk terminates the Agreement, it will refund the fees paid to it for the unused subscription term to the Customer, pro-rated, and (ii) if Customer terminates the Agreement, it shall not be entitled to any refund.

6.3 Termination or Suspension of Services for Cause. Either party may terminate the Agreement upon written notice to the other party if the other party materially breaches this Agreement and fails to cure such breach within thirty (30) days after receiving written notice of such breach. Further, CyberArk may terminate the Agreement and/or suspend the Services upon written notice to Customer if CyberArk has not received payment for such Services and if such failure is not cured within the period of time stated in CyberArk written notice advising of such failure (which shall be at least 5 business days).

6.4 Effect of Termination. Upon termination of the Services: (i) Customer will have no further right to access or use the Services; (ii) CyberArk will immediately cease accessing any Customer Data; and (iii) each party will use commercially reasonable efforts to return any tangible Confidential Information and destroy any electronic Confidential Information of the other party within its possession or control Customer acknowledges that, prior to termination, Customer is responsible for exporting any Customer Data to which Customer desires continued access after termination, and CyberArk shall have no liability for any failure of Customer to retrieve such Customer Data and no obligation to store or retain any such Customer Data. The provisions of Sections 3, 5, 6.4, 7, 9, 10, 11, 13, and 14 shall survive termination.

7. CONFIDENTIALITY.

7.1 Confidential Information. Each party may have access to information that is confidential or proprietary to the other party and/or its Affiliates. For purposes of this Agreement, “Confidential Information” means the confidential information of a party and/or its Affiliates which is disclosed to the other party in connection with this Agreement, whether disclosed in written, oral, electronic, visual or other form, which is identified as confidential at the time of disclosure or should reasonably be understood to be confidential given the nature of the information and the circumstances surrounding the disclosure, including without limitation information regarding a party’s business, operations, finances, technologies, current and future products and services, pricing, personnel, customers and suppliers, the Customer Data, CyberArk’s Services and each Party’s intellectual property. Confidential Information excludes information to the extent such information (i) is or becomes part of the public domain or otherwise is publicly available through no act or omission of the receiving party; (ii) was in the receiving party’s lawful possession prior to the disclosure and was not obtained directly or indirectly from the disclosing party; (iii) is lawfully disclosed to the receiving party by a third party without restriction on disclosure; or (iv) is independently developed by the receiving party without use of or reference to the disclosing party’s Confidential Information.

7.2 Restrictions on Use and Disclosure of Confidential Information. The receiving party will use the disclosing party’s Confidential Information solely as necessary in connection with the performance of this Agreement. The receiving party shall maintain the confidentiality of the disclosing party’s Confidential Information using at least the same degree of care that such party uses to protect its own Confidential Information of a similar nature, and shall restrict disclosure of the disclosing party’s Confidential Information to its employees, consultants, contractors, agents and representatives who have a need to know such information and are bound by obligations of confidentiality and non-use no less restrictive than those set forth herein; provided, that a party may disclose the disclosing party’s Confidential Information if required by law and provided the receiving party provides prompt notice of such requirement and disclosure to the other party to the extent allowed by law. The receiving party shall have the right to disclose Confidential Information of the other party pursuant to the order or requirement of a court, administrative agency, or other governmental body provided that the receiving party provides prompt, advance written notice thereof to enable the disclosing party to seek a protective order or otherwise prevent such disclosure. In the event such a protective order is not obtained by the disclosing party, the receiving party shall disclose only that portion of the Confidential Information which its legal counsel advises that it is legally required to disclose. Confidential Information so disclosed shall continue to be deemed Confidential Information.

7.3 Equitable and Injunctive Relief. If a party breaches any of its obligations with respect to confidentiality or use or disclosure of Confidential Information hereunder, the other party is entitled to seek equitable and injunctive relief in addition to all other remedies that may be available to protect its interest without having to post a bond or prove irreparable harm.

8. WARRANTIES AND DISCLAIMERS.

8.1 Limited Services Warranty. During the term of this Agreement, CyberArk warrants that the Services will perform in substantial conformity with the Documentation, and that the Services are not designed to contain viruses, worms, Trojan horses or other unintended malicious or destructive code, or any code designed to intentionally cause the Services to stop functioning. CyberArk further warrants that it shall maintain and enforce reasonable safety and security procedures in providing the Services that are compliant with applicable industry standards for such Services.

Customer shall be required to report any breach of warranty to CyberArk within a period of thirty (30) days of the date on which the incident giving rise to the claim occurred. CyberArk’s sole and exclusive liability, and Customer’s sole and exclusive remedy, for breach of this warranty will be for CyberArk, at its expense, to use reasonable commercial efforts to correct such nonconformity within thirty (30) days of the date that notice of the breach was provided; and, if CyberArk fails to correct the breach within such cure period, Customer may terminate the affected Order and, in such event, CyberArk shall provide Customer with a pro-rata refund of any unused pre-paid fees paid for the period following termination as calculated on a monthly basis.

8.2 Compliance with Law. Each party shall comply with all applicable, laws and regulations in connection with the performance of its obligations and the exercise of its rights under this Agreement.

8.3 Disclaimer. THE EXPRESS WARRANTIES SET FORTH IN THIS SECTION ARE THE ONLY WARRANTIES GIVEN BY CYBERARK WITH RESPECT TO THE SERVICES OR THIS AGREEMENT. CYBERARK DISCLAIMS ALL OTHER WARRANTIES, EXPRESS, IMPLIED OR ARISING BY CUSTOM OR TRADE USAGE, INCLUDING WITHOUT LIMITATION WARRANTIES THAT THE SERVICES ARE MERCHANTABLE, WILL OPERATE UNINTERRUPTED OR FREE OF DEFECT OR ERROR, NON-INFRINGING, OR FIT FOR ANY PARTICULAR PURPOSE. CYBERARK DOES NOT MAKE ANY REPRESENTATIONS OR WARRANTIES REGARDING THE ACCURACY OR COMPLETENESS OF THE SERVICES. NOTWITHSTANDING THE EXPRESS WARRANTY SET FORTH ABOVE, CYBERARK MAKES NO WARRANTY WHATSOEVER TO CUSTOMERS USING A FREE OR TRIAL OR BETA VERSION OF THE SERVICES (“NONPAYING CUSTOMERS”) OR USING ANY COMPONENT OF THE SERVICE THAT IS IDENTIFIED BY CYBERARK AS A SAMPLE OR ANY SAMPLE REFERENCED IN THE DOCUMENTATION, AND PROVIDES SUCH SERVICES TO NONPAYING CUSTOMERS AND ALL SAMPLES “AS IS” AND “AS AVAILABLE.” CUSTOMER AGREES THAT ITS PURCHASES HEREUNDER ARE FOR THE CURRENTLY AVAILABLE SERVICES AND ARE NEITHER CONTINGENT ON THE DELIVERY OF ANY FUTURE FUNCTIONALITY OR FEATURES NOR DEPENDENT ON ANY ORAL OR WRITTEN PUBLIC COMMENTS MADE BY CYBERARK REGARDING FUTURE FUNCTIONALITY OR FEATURES.

9. INDEMNIFICATION.

9.1 Services Indemnity. CyberArk shall indemnify, defend and hold harmless, at its expense, Customer and/or its Affiliates and their officers, directors, employees and agents (the “Customer Indemnified Parties”) for any claim, action or proceeding brought by a third party against Customer Indemnified Parties, including all damages and costs finally awarded against the Customer Indemnified Parties in connection with such claim, arising directly from an actual or alleged infringement or violation by the Services of a third party’s patent, copyright, trade secret or other intellectual property right (“Claim”); provided that CyberArk shall not be responsible for any Claim to the extent arising from (i) use of the Services in violation of the terms of this Agreement, or (ii) use of the Services in combination with software, hardware, systems or data provided or controlled by Customer or a third party to the extent the Claim would not have arisen but for such combination. If the Services become, or in CyberArk’s opinion are likely to become, the subject of a valid claim of infringement or the like under any applicable law, CyberArk shall have the right, at its option and expense, either to (a) obtain for Customer a license permitting the continued use of the Services, (b) replace or modify the Services so that they become non-infringing, or (c) if neither of the foregoing options are available in a timely manner on commercially reasonable terms, terminate the affected Order and provide Customer with a pro-rata refund of any unused pre-paid fees paid for the period following termination as calculated on a monthly basis. The indemnification obligations of CyberArk in this Section are not applicable to Nonpaying Customers.

9.2 Customer Data and Use Indemnity. Customer shall defend, at its expense, any Claim brought by a third party against CyberArk and/or its Affiliates or their officers, directors and employees (the “CyberArk Indemnified Parties”) arising from an alleged infringement or violation by the Customer Data of a third party patent, copyright or trade secret, or CyberArk’s use of the Customer Data in accordance with the terms of this Agreement; and Customer shall indemnify and hold the CyberArk Indemnified Parties harmless against all damages and costs awarded against the CyberArk Indemnified Parties in connection with such Claim.

9.3 Indemnification Process and Exclusivity. The indemnifying party shall have sole control over the defense and settlement of any claim for which it has provided indemnity; provided that the indemnified party shall have the right to provide for its separate defense at its own expense. The indemnified party shall give prompt notice of any claim for which indemnity is sought and shall cooperate in defending against such claim at the indemnifying party’s expense. The rights and remedies set forth in this Section 9 state a party’s sole and exclusive liability and the other party’s sole and exclusive rights and remedies with regard to any third party claim for infringement or violation of a third party’s intellectual property.

10. Limitations of Liability. TO THE MAXIMUM EXTENT PERMITTED BY LAW AND EXCEPT FOR EITHER PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR SPECIAL, INDIRECT, INCIDENTAL, TORT OR CONSEQUENTIAL DAMAGES (INCLUDING ANY DAMAGES RESULTING FROM LOSS OF USE, LOSS OF OR DAMAGE TO SOFTWARE OR DATA, LOSS OF PROFITS OR LOSS OF BUSINESS) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR THE SERVICES FURNISHED HEREUNDER, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

TO THE MAXIMUM EXTENT PERMITTED BY LAW, AND EXCEPT FOR ANY CLAIM TO THE EXTENT ARISING FROM OR IN CONNECTION WITH EITHER PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, OR EITHER PARTY’S IDEMNIFICATION OBLIGATIONS PURSUANT TO SECTION 9 ABOVE, OR PERSONAL INJURY, DEATH OR DAMAGE TO TANGIBLE PROPERTY, IN NO EVENT SHALL THE AGGREGATE LIABILITY OF EITHER PARTY HEREUNDER EXCEED (I) EXCEPT AS PROVIDED IN (II) BELOW, THE TOTAL OF THE FEES PAID AND PAYABLE BY CUSTOMER TO CYBERARK FOR THE THEN CURRENT SUBSCRIPTION TERM UNDER THE ORDER TO WHICH THE INITIAL CLAIM RELATES (THE “AGGREGATE FEES”), OR (II) SOLELY FOR DAMAGES RESULTING FROM A PARTY’S BREACH OF ITS CONFIDENTIALITY OBLIGATIONS PURSUANT TO SECTION 7, THREE (3) TIMES THE AGGREGATE FEES. THE LIMITATIONS OF LIABILITY IN THIS PARAGRAPH APPLY WHETHER SUCH LIABILITY ARISES IN CONTRACT, TORT (INCLUDING NEGLIGENCE), UNDER STATUTE OR OTHERWISE.

11. U.S. GOVERNMENT RESTRICTED RIGHTS; EXPORT RESTRICTIONS. If Customer is an agency or contractor of the United States Government, Customer acknowledges and agrees that (i) the Services (including any software forming a part thereof) were developed entirely at private expense, (ii) the Services (including any software forming a part thereof) in all respects constitute proprietary data belonging solely to CyberArk, (iii) the Services (including any software forming a part thereof) are not in the public domain, and (iv) the software forming a part of the Services is “Commercial Computer Software” as defined in sub-paragraph (a)(1) of DFAR Section 252.227-7014 or FAR Part 12.212. Customer agrees not to store or process any Customer Data that is subject to the International Traffic in Arms Regulations maintained by the United States Department of State. Customer shall comply with the export laws and regulations of the United States, the State of Israel and other applicable jurisdictions in using the Services and obtain any permits, licenses and authorizations required for such compliance. Without limiting the foregoing, (i) Customer represents that it is not named on any U.S. government list of persons or entities prohibited from receiving exports, (ii) Customer shall not permit users to access or use the Services in violation of any U.S. and Israeli export embargo, prohibition or restriction, and (iii) Customer shall comply with all applicable laws regarding the transmission of technical data exported from the United States and the country in which its users are located.

12. SERVICE SUGGESTIONS. To the extent that Customer provides CyberArk with ideas or suggestions for improvements or changes to the Service which constitute intellectual property rights under applicable law (“Suggestions”), Customer hereby assigns to CyberArk ownership of such Suggestions and CyberArk will have sole discretion as to whether and how to implement such Suggestions into the Service.

13. MODIFICATIONS. CyberArk may make changes to these Terms of Service from time to time. If CyberArk makes a material change to any of the foregoing, CyberArk will inform Customer by e-mail to the e-mail address(es) noted on the Order (or subsequently designated by Customer in writing as a contact for notifications from CyberArk), or through a banner or other prominent notice within the Service, or through CyberArk Support platform. If Customer does not agree to the change, Customer must so notify CyberArk by e-mail to [email protected] within thirty (30) days after CyberArk’s notice. If Customer so notifies CyberArk, then Customer will remain governed by the most recent terms of service applicable to Customer until the end of the then-current year of the Services term and the updated terms shall apply upon the commencement of the subsequent year of the Services term.

14. GENERAL PROVISIONS.

14.1 Notices. All notices under this Agreement shall be made in writing and delivered to each party at the address under its signature hereto. Notices shall be deemed delivered (i) upon personal delivery with signature required, (ii) one Business Day after they have been sent to the recipient by reputable overnight courier service (charges prepaid and signature required), or (iii) upon successful transmission of an email containing such notice if sent between 9 a.m. and 5 p.m., local time of the recipient, on any Business Day, and as of 9 a.m. local time of the recipient on the next Business Day if sent at any other time, or (iv) three Business Days after deposit in the mail. “Business Day” as used in this Section 14.1 shall mean any day other than Saturday, Sunday or a day on which banking institutions are not required to be open in the Commonwealth of Massachusetts.

14.2 Entire Agreement. This Agreement together with each Order represent the entire agreement between Customer and CyberArk with respect to the subject matter hereof, and supersede all prior proposals, representations and agreements, whether written or oral, with respect thereto. This Agreement shall govern with respect to all Orders and forms of purchases, whether submitted through electronic transmissions or otherwise, unless otherwise agreed by both parties in writing. The terms and conditions of this Agreement shall take precedence over any conflicting terms in the Order (or, an agreement between CyberArk and the Reseller, if applicable) unless the Order (or the Reseller’s agreement) expressly amends this Agreement and is signed by both parties. Any waiver, amendment, or modification of any right or remedy, in whole or in part under this Agreement, or any additional or different terms in any purchase orders, acknowledgments or other documents other than the Order, will not be effective unless expressly agreed to by both parties in writing or electronic form. If Customer issues a purchase order in connection with an Order, such purchase order shall be solely for Customer’s internal administrative purposes and to facilitate payment. In no event shall the terms of such purchase order modify or become part of these Terms of Service or become binding on CyberArk even if CyberArk signs an acknowledgment copy of such purchase order.

14.3 Assignment and Subcontractors. Except as expressly provided for herein, this Agreement may not be assigned by either party without the prior written consent of the other party, which shall not be unreasonably withheld, including by reason of a change of control or by operation of law. CyberArk may assign this Agreement, without consent, in whole (but not in part), to a successor in interest to its business including in connection with a change of control, merger, acquisition, sale of all or substantially all of its assets, or similar transaction. CyberArk may use subcontractors in connection with the performance of the Services provided that it shall be responsible for the acts and omissions of its subcontractors to the same extent as it would be responsible hereunder for its own acts and omissions. The terms of this Agreement shall be binding upon the permitted successors and assigns of each party.

14.4 Governing Law. The terms of this Agreement shall be construed in accordance with the substantive laws of Massachusetts without regard to its principles of conflict of law or the U.N. Convention on Contracts for the International Sale of Goods. The Uniform Computer Information Transactions Act (“UCITA”) will not apply to this Agreement regardless of when and howsoever adopted, enacted and further amended under the governing state laws.

14.5 Force Majeure. Neither party shall be liable for any breach of this Agreement to the extent that such breach arises from factors outside its reasonable control. Customer’s subscription to the Services is predicated on Customer’s use of cloud computing services provided by a third party cloud service provider, and CyberArk will not be responsible for the acts or omissions of Customer’s cloud service provider.

14.6 Severability. It is intended that this Agreement shall not violate any applicable law and the unenforceability or invalidity of any provision (other than the provisions obligating Customer to make payments to CyberArk) shall not affect the force and validity of the remaining provisions and such provisions determined to be invalid shall be deemed severed from this Agreement and, to the extent possible, be replaced with terms which as closely as possible approximate the interest and economic intent of such invalid provisions.

Last updated: June 25, 2018