The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of the Agreement.
“Affiliate” means, with respect to an entity, any entity or person which directly or indirectly controls, is controlled by, or is under common control with that entity.
“Customer Data” means (i) User authentication information, such as name and email address, (ii) Customer’s source code, and (iii) Metadata (as defined below).
“Documentation” means the written or online documentation regarding the Service made available by Company at https://semgrep.dev/docs.
“Metadata” means the results of the scanning of Customer’s source code, such as filepath, project identity, committer email address, and the OWASP vulnerability type and severity detected.
“Reports” means the electronic reports that Customer generates from the Metadata by means of the Service.
“Rules” means the sets of instructions based on which Semgrep OSS Engine and/or the Service detects patterns in source code.
“Semgrep OSS Engine” means the Semgrep open source software program in object code form used for the purpose of detecting source code vulnerabilities.
“Service” means Company’s proprietary, Software-as-a-Service solution, known as the Semgrep Cloud Platform, for use by Customer for the purpose of detecting, managing, and remediating vulnerabilities in source code. The Service includes various proprietary features, the Software, the Rules, the Documentation, and all modifications, updates, and upgrades thereto and derivative works thereof.
“Software” means the software that Company develops and maintains in order to provide the Service, and all modifications, updates, upgrades thereto and derivative works thereof but specifically excludes Semgrep OSS Engine.
“Subscription” has the meaning ascribed to it in Section 2.1.
“Term” has the meaning ascribed to it in Section 3.1.
“Users” means individuals or entities that are authorized by Customer to use the Service.
2. ACCESS TO AND USE OF SERVICES
Right to Access and Use Service. Subject to the terms of this Agreement, Company grants Customer a royalty-free, nonexclusive, nontransferable, worldwide right during each Subscription Term to use the free version of the Service available at semgrep.dev (the “Subscription”).
Semgrep OSS Engine. Semgrep OSS Engine is available for download at https://github.com/returntocorp/semgrep and licensed under the LGPL 2.1, available at www.gnu.org/licenses. If Customer chooses to make use of Semgrep OSS Engine, Customer is responsible for downloading and running it in its environment and for complying with the terms of the applicable license.
Restrictions. Customer will not: (i) access (or allow a third party to access) the Service in order to monitor the availability, security, performance, or functionality of the Service, or benchmark the Service, for any competitive purposes without Company’s express written consent; (ii) market, sublicense, resell, lease, loan, transfer, or otherwise commercially exploit or make the Software or Service available to any third party; (iii) modify, create derivative works, decompile, reverse engineer, attempt to gain access to the source code, or copy the Service, or any of their components; (iv) use the Service to conduct any fraudulent, malicious, or illegal activities (each of (i) through (iv), a “Prohibited Use”).
Support. Customer may join Company’s Slack at https://go.semgrep.dev/slack to participate in the user community. Company will not provide support beyond the Documentation and knowledge base articles.
3. TERM AND TERMINATION
Term. The term of this Agreement will commence on the Effective Date and will continue for as long as Customer is using the Service, unless terminated by Company at any time and for any reason (the “Term”).
Survival. The following provisions will survive any expiration or termination of the Agreement: Sections 4, 6, 8, 9, and 10.
Confidential Information. Except as explicitly excluded below, any information of a confidential or proprietary nature provided by a party (the “Disclosing Party”) to the other party (the “Receiving Party”) constitutes the Disclosing Party’s confidential and proprietary information (“Confidential Information”). Company’s Confidential Information includes the Service and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data and Reports. Confidential Information does not include information which is (i) already known by the Receiving Party without an obligation of confidentiality other than pursuant to this Agreement; (ii) publicly known or becomes publicly known through no unauthorized act of the Receiving Party; (iii) rightfully received from a third party without a confidentiality obligation to the Disclosing Party; or (iv) independently developed by the Receiving Party without access to the Disclosing Party’s Confidential Information.
Confidentiality Obligations. Each party will use the Confidential Information of the other party only as necessary to perform its obligations under this Agreement, will not disclose the Confidential Information to any third party, and will protect the confidentiality of the Disclosing Party’s Confidential Information with the same standard of care as the Receiving Party uses or would use to protect its own Confidential Information, but in no event will the Receiving Party use less than a reasonable standard of care. Notwithstanding the foregoing, the Receiving Party may share the other party’s Confidential Information with those of its employees, agents and representatives who have a need to know such information and who are bound by confidentiality obligations at least as restrictive as those contained herein (each, a “Representative”). Each party shall be responsible for any breach of confidentiality by any of its Representatives.
Additional Exclusions. A Receiving Party will not violate its confidentiality obligations if it discloses the Disclosing Party’s Confidential Information if required by applicable laws, including by court subpoena or similar instrument so long as the Receiving Party provides the Disclosing Party with written notice of the required disclosure so as to allow the Disclosing Party to contest or seek to limit the disclosure or obtain a protective order. If no protective order or other remedy is obtained, the Receiving Party will furnish only that portion of the Confidential Information that is legally required, and agrees to exercise reasonable efforts to ensure that confidential treatment will be accorded to the Confidential Information so disclosed.
5. DATA PROTECTION
Customer Data. Semgrep processes Customer Data during the Term for the purpose of developing, maintaining, and improving the Service, including the accuracy of the Rules, and providing the Service to the Customer, and Customer grants Company a limited license to do so.
Security & Data Processing. Company maintains the physical, technical, and administrative safeguards (“Security Measures”) described at https://trust.semgrep.dev (the “Trust Portal”) in order to protect Customer Data and assist Customer with securing its own account in its use of the Service. Updates to the Security Measures will be posted to the Trust Portal from time to time, and subscribed Customers will be notified via email. Semgrep will process Customer Data for the purposes set forth in this Agreement and in accordance with the Data Processing Addendum available on the Trust Portal.
Company Property. Company owns and retains all right, title, and interest in and to the Service. Except for the limited license granted to Customer in Section 2.1, Company does not by means of this Agreement or otherwise transfer any rights in the Service to Customer, and Customer will take no action inconsistent with Company’s intellectual property rights in the Service.
Feedback. Customer may provide comments, suggestions and recommendations to Company regarding the Service such as modifications, enhancements, improvements and other changes (collectively, “Feedback”). Company may freely use and exploit any such Feedback without any obligation to Customer.
Customer Property. Customer owns and retains all right, title, and interest in and to the Customer Data and the Reports, and does not by means of this Agreement or otherwise transfer any rights in the Customer Data or Reports to Company, except for the limited licenses set forth in Section 5.1. The Reports will be the sole property of Customer and will be considered “works made for hire” as that term is defined in the United States Copyright Act. To the extent that ownership of the Reports does not by operation of law vest in Customer, Company will assign (or cause to be assigned) and does hereby assign fully to Customer all right, title and interest in and to the Reports, including all related intellectual property rights.
7. REPRESENTATIONS AND WARRANTIES
Mutual Representations and Warranties. Each party represents and warrants it has validly entered into this Agreement and has the legal power and authority to do so.
Disclaimer. With the exception of the limited warranties set forth in this Section 7, the Service is provided “as is” to the fullest extent permitted by law. Company and its licensors expressly disclaim all other warranties, express or implied, including warranties of performance, merchantability, fitness for any particular purposes, and non-infringement. Company does not warrant that the Service (i) is error-free, (ii) will perform uninterrupted, or (iii) will meet Customer’s requirements.
Customer will indemnify, defend, and hold harmless Company, its Affiliates, and their respective owners, directors, members, officers, and employees (together, the “Company Indemnitees”) from and against any claim, action, demand, suit or proceeding made or brought by a third party (each a “Claim”) against the Company Indemnitees related to (i) Customer’s or a User’s engaging in a Prohibited Use, and (ii) any grossly negligent acts or omissions of its Users. Customer will pay any settlement of and any damages finally awarded against any Company Indemnitee by a court of competent jurisdiction as a result of any such Claim so long as Company (a) gives Customer prompt written notice of the Claim, (b) gives Customer sole control of the defense and settlement of the Claim (provided that Customer may not settle any Claim without Company’s prior written consent which will not be unreasonably withheld), and (c) provides to Customer all reasonable assistance, at Customer’s request and expense.
9. LIMITATIONS OF LIABILITY
NEITHER PARTY, NOR ITS AFFILIATES, NOR THE OFFICERS, DIRECTORS, EMPLOYEES, SHAREHOLDERS, OR REPRESENTATIVES OF ANY OF THEM, WILL BE LIABLE TO THE OTHER PARTY FOR ANY INCIDENTAL, INDIRECT, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES, THAT MAY ARISE OUT OF THIS AGREEMENT, EVEN IF THE OTHER PARTY HAS BEEN NOTIFIED OF THE POSSIBILITY OR LIKELIHOOD AND WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, SERVICES LIABILITY OR OTHERWISE.
EXCEPT WITH RESPECT TO UNCAPPED CLAIMS, IN NO EVENT WILL THE COLLECTIVE LIABILITY OF EITHER PARTY, OR THEIR RESPECTIVE AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, SHAREHOLDERS, AGENTS AND REPRESENTATIVES, TO THE OTHER PARTY FOR ANY AND ALL DAMAGES, INJURIES, AND LOSSES ARISING FROM ANY AND ALL CLAIMS AND CAUSES OF ACTION ARISING OUT OF, BASED ON, RESULTING FROM, OR IN ANY WAY RELATED TO THIS AGREEMENT, EXCEED $500. THE EXISTENCE OF MULTIPLE CLAIMS OR SUITS UNDER OR RELATED TO THIS AGREEMENT WILL NOT ENLARGE OR EXTEND THE LIMITATION OF MONEY DAMAGES WHICH WILL BE THE CLAIMANT’S SOLE AND EXCLUSIVE REMEDY.
“Uncapped Claims” means any claim or liability associated with: (a) Customer’s indemnification obligations under Section 8; or (b) any liability of a party which cannot be limited under applicable law, including gross negligence, recklessness, or intentional misconduct.
This Agreement is the entire agreement between Customer and Company and supersedes all prior agreements and understandings concerning the subject matter hereof. Customer and Company are independent contractors, and this Agreement will not establish any relationship of partnership, joint venture, or agency between Customer and Company. Failure to exercise any right under this Agreement will not constitute a waiver. There are no third-party beneficiaries to this Agreement. This Agreement is governed by the laws of California without reference to conflicts of law rules. For any dispute relating to this Agreement, the Parties consent to personal jurisdiction and the exclusive venue of the courts in San Francisco County, California. Any notice provided by one party to the other under this Agreement will be in writing and sent by overnight courier or certified mail (receipt requested) to the address on file with the party providing the notice. If any provision of this Agreement is found unenforceable, this Agreement will be construed as if it had not been included. Neither party may assign this Agreement without the prior, written consent of the other party, except that either party may assign this Agreement without such consent in connection with an acquisition of the assigning party or a sale of all or substantially all of its assets.