LEGAL

Website Terms and Conditions

Last Updated: September 11, 2024

PLEASE READ THESE TERMS OF USE (“AGREEMENT”) CAREFULLY BEFORE USING THE SERVICES OFFERED BY BEDROCK LABS, INC. (“COMPANY”). BY VISITING THE WEBSITES OR USING THE BEDROCK SERVICES OR CONTENT IN ANY MANNER, YOU AGREE THAT YOU HAVE READ AND AGREE TO BE BOUND BY AND A PARTY TO THE TERMS AND CONDITIONS OF THIS AGREEMENT TO THE EXCLUSION OF ALL OTHER TERMS. IF THE TERMS OF THIS AGREEMENT ARE CONSIDERED AN OFFER, ACCEPTANCE IS EXPRESSLY LIMITED TO SUCH TERMS. IF YOU DO NOT UNCONDITIONALLY AGREE TO ALL THE TERMS AND CONDITIONS OF THE AGREEMENT, YOU HAVE NO RIGHT TO USE THE WEBSITE OR SERVICES. USE OF COMPANY’S SERVICES IS EXPRESSLY CONDITIONED UPON YOUR ASSENT TO ALL THE TERMS AND CONDITIONS OF THIS AGREEMENT, TO THE EXCLUSION OF ALL OTHER TERMS.

ACCESS TO THE SERVICES. The bedrock.security, bedrock.engineering, and all other websites and domain names affiliated with Company, and any other linked pages, features, content, or application services offered from time to time by Company in connection therewith (collectively, the “Website”) are owned and operated by Company. Subject to the terms and conditions of this Agreement, Company may offer to provide certain services, as described more fully on the Website, and which are selected by you through the process provided on the Website (together with the Website, “Services”), solely for your own use, and not for the use or benefit of any third party. The term “Services” shall include, without limitation, any service Company performs for you and the Content (as defined below) offered by Company on the Website. Company may change, suspend or discontinue the Services at any time, including the availability of any feature, database, or content. Company may also impose limits on certain features and services or restrict your access to parts or all of the Services without notice or liability. For example, if you wish to gain access to Company’s application, you must enter into a separate agreement with Company, its Master Service Agreement. Company reserves the right, in its sole discretion, to modify this Agreement at any time by updating the notice and its “Last Updated” date. You shall be responsible for reviewing and becoming familiar with any such modifications. Your use of the Services following such notification constitutes your acceptance of the terms and conditions of this Agreement as modified.

You represent and warrant to Company that: (i) you are a natural person or the entity you represent has the authority to enter into this agreement; (ii) all registration information you submit is accurate and truthful; and (iii) you will maintain the accuracy of such information. You also certify that you are legally permitted to use and access the Services and take full responsibility for the selection and use of and access to the Services. This Agreement is void where prohibited by law, and the right to access the Services is revoked in such jurisdictions.

WEBSITE CONTENT. The Website and its contents are intended solely for the personal, non-commercial use of Website users and may only be used in accordance with the terms of this Agreement. All materials displayed or performed on the Website that are created and/or provided by the Company (including, but not limited to text, graphics, articles, photographs, images, illustrations (also known as the “Content”)) are protected by copyright. You shall abide by all copyright notices, trademark rules, information, and restrictions contained in any Content accessed through the Services, and shall not use, copy, reproduce, modify, translate, publish, broadcast, transmit, distribute, perform, upload, display, license, sell or otherwise exploit for any purposes whatsoever any Content or third party submissions or other proprietary rights not owned by you: (i) without the express prior written consent of the respective owners, and (ii) in any way that violates any third party right.

The Website is protected by copyright as a collective work and/or compilation, pursuant to U.S. copyright laws, international conventions, and other copyright laws. You may not modify, publish, transmit, participate in the transfer or sale of, reproduce (except as expressly provided in this Section 2), create derivative works based on, distribute, perform, display, or in any way exploit, any of the Content, software, materials, or Services in whole or in part.

You may download or copy the Content (and other items displayed on the Website for download) for personal non-commercial use only, provided that you maintain all copyright and other notices contained in such Content. You shall not store any significant portion of any Content in any form. Copying or storing of any Content other than personal, noncommercial use is expressly prohibited without prior written permission from Company or from the copyright holder identified in such Content’s copyright notice. You shall not link to the Website without Company’s prior written consent.

Company has a separate agreement, the Master Service Agreement, that you must agree with to use its application, which you may use to secure your data (“Data”). For clarity, such Data is distinct from Content and User Submissions, and this agreement includes separate confidentiality provisions governing Bedrock’s use of such Data.

In the course of using the Services, you may provide information which may be used by Company in connection with the Services.

Under no circumstances will Company be liable in any way for any Content, including, but not limited to, any errors or omissions in any Content, or any loss or damage of any kind incurred in connection with use of or exposure to any Content posted, emailed, accessed, transmitted, or otherwise made available via the Services.

YOUR WARRANTY. You warrant, represent and agree that you will not contribute any User Submissions or otherwise use the Services in a manner that (i) infringes or violates the intellectual property rights or proprietary rights, rights of publicity or privacy, or other rights of any third party; (ii) violates any law, statute, ordinance or regulation; (iii) is harmful, fraudulent, deceptive, threatening, abusive, harassing, tortious, defamatory, vulgar, obscene, libelous, or otherwise objectionable; (iv) involves commercial activities and/or sales without Company’s prior written consent such as contests, sweepstakes, barter, advertising, or pyramid schemes; (v) impersonates any person or entity, including without limitation any employee or representative of Company; or (vi) contains a virus, trojan horse, worm, time bomb, or other harmful computer code, file, or program. Company reserves the right to remove any Content or User Submissions from the Services at any time, for any reason (including, but not limited to, upon receipt of claims or allegations from third parties or authorities relating to such Content or User Submissions or if Company is concerned that you may have breached the immediately preceding sentence), or for no reason at all. You, not Company, remain solely responsible for all User Submissions that you upload, post, email, transmit, or otherwise disseminate using, or in connection with, the Services, and you warrant that you possess all rights necessary to provide such content to Company and to grant Company the rights to use such information in connection with the Services and as otherwise provided herein.

RESTRICTIONS. You are responsible for all of your activity in connection with the Services. Any fraudulent, abusive, or otherwise illegal activity may be grounds for termination of your right to access or use the Services. You may not post or transmit, or cause to be posted or transmitted, any communication or solicitation designed or intended to obtain password, account, or private information from any Company user. Use of the Services to violate the security of any computer network, crack passwords or security encryption codes, transfer or store illegal material (including material that may be considered threatening or obscene), or engage in any kind of illegal activity is expressly prohibited. You will not run Maillist, Listserv, any form of auto-responder, or “spam” on the Services, or any processes that run or are activated while you are not logged on to the Website, or that otherwise interfere with the proper working of or place an unreasonable load on the Services’ infrastructure. Further, the use of manual or automated software, devices, or other processes to “crawl” or “spider” any page of the Website is strictly prohibited. You will not decompile, reverse engineer, or otherwise attempt to obtain the source code of the Services. You will be responsible for withholding, filing, and reporting all taxes, duties and other governmental assessments associated with your activity in connection with the Services.

WARRANTY DISCLAIMER. Company has no special relationship with or fiduciary duty to you. You acknowledge that Company has no control over, and no duty to take any action regarding: which users gain access to the Services; what Content or User Submissions you access via the Services; what effects the Content or User Submissions may have on you; how you may interpret or use the Content or User Submissions; or what actions you may take as a result of having been exposed to the Content or User Submissions. You release Company from all liability for you having acquired or not acquired Content or User Submissions through the Services. The Services may contain, or direct you to websites containing, information that some people may find offensive or inappropriate. Company makes no representations concerning any content contained in or accessed through the Services, and Company will not be responsible or liable for the accuracy, copyright compliance, legality or decency of material contained in or accessed through the Services. THE SERVICES, CONTENT, USER SUBMISSIONS, WEBSITE AND ANY SOFTWARE ARE PROVIDED ON AN “AS IS” BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR THAT USE OF THE SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE. SOME STATES DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.

PRIVACY POLICY. For information regarding Company’s treatment of personally identifiable information, please review Company’s current Privacy Policy, which is hereby incorporated by reference; your acceptance of this Agreement constitutes your acceptance and agreement to be bound by Company’s Privacy Policy.

REGISTRATION AND SECURITY. As a condition to using some aspects of the Services, you may be required to register with Company and provide login credentials. You shall provide Company with accurate, complete, and updated registration information. Failure to do so shall constitute a breach of this Agreement, which may result in immediate termination of your account. You may not (i) select or use the credentials of another person; or (ii) use the credentials of a person other than you without appropriate authorization. Company reserves the right to refuse registration of or cancel credentials in its discretion. You shall be responsible for maintaining the availability and confidentiality of your password.

INDEMNITY. You will indemnify and hold Company, its parents, subsidiaries, affiliates, officers, and employees harmless (including, without limitation, from all damages, liabilities, settlements, costs and attorneys’ fees) from any claim or demand made by any third party due to or arising out of your access to the Services, use of the Services, your violation of this Agreement, or the infringement by you or any third party using your account of any intellectual property or other right of any person or entity.

LIMITATION OF LIABILITY. IN NO EVENT SHALL COMPANY OR ITS SUPPLIERS, OR THEIR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES, OR AGENTS BE LIABLE WITH RESPECT TO THE WEBSITE OR THE SERVICES OR THE SUBJECT MATTER OF THIS AGREEMENT UNDER ANY CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR OTHER LEGAL OR EQUITABLE THEORY (I) FOR ANY AMOUNT IN THE AGGREGATE IN EXCESS OF $5; (II) FOR ANY INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES OF ANY KIND WHATSOEVER; (III) FOR DATA LOSS OR COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; OR (IV) FOR ANY MATTER BEYOND COMPANY’S REASONABLE CONTROL. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATIONS AND EXCLUSIONS MAY NOT APPLY TO YOU.

FEES AND PAYMENT. Company reserves the right to require payment of fees for certain Services. If you choose to sign up for any of our Services that carries a fee, you hereby represent and warrant that you are eighteen (18) years of age or older. You shall pay all applicable fees in connection with such Services selected by you. Company reserves the right to change its pricing and to institute new charges at any time. Your use of the Services following such notification constitutes your acceptance of any new or increased charges.

THIRD PARTY WEBSITES. The Services may contain links to third party websites that are not owned or controlled by Company, or the Services may be accessible by logging in through a third party website or service. When you access third party websites, you do so at your own risk. You hereby represent and warrant that you have read and agreed to be bound by all applicable policies of any third party websites or services relating to your use of the Services and that you will act in accordance with those policies, in addition to your obligations under this Agreement. Company has no control over, and assumes no responsibility for, the content, accuracy, privacy policies, or practices of or opinions expressed in any third party websites. In addition, Company will not and cannot monitor, verify, censor or edit the content of any third party site.

By using the Services, you expressly relieve and hold harmless Company from any and all liability arising from your use of any third party website. Your interactions with organizations and/or individuals found on or through the Services, including payment and delivery of goods or services, and any other terms, conditions, warranties or representations associated with such dealings, are solely between you and such organizations and/or individuals. You should make whatever investigation you feel necessary or appropriate before proceeding with any online or offline transaction with any of these third parties. You agree that Company shall not be responsible or liable for any loss or damage of any sort incurred as the result of any such dealings. If there is a dispute between participants on this site, or between users and any third party, you understand and agree that Company is under no obligation to become involved. In the event that you have a dispute with one or more other users, you hereby release Company, its officers, employees, agents, and successors in rights from claims, demands, and damages (actual and consequential) of every kind or nature, known or unknown, suspected or unsuspected, disclosed or undisclosed, arising out of or in any way related to such disputes and/or our service. If you are a California resident, you shall and hereby do waive California Civil Code Section 1542, which says: “A general release does not extend to claims which the creditor does not know or suspect to exist in his favor at the time of executing the release, which, if known by him must have materially affected his settlement with the debtor.”

TERMINATION. This Agreement shall remain in full force and effect while you use the Services. You may terminate your use of the Services or your membership at any time by following the instructions on the Website. Company may terminate your access to the Services or your membership at any time, for any reason, and without warning, which may result in the forfeiture and destruction of all information associated with your membership. Company may also terminate or suspend any and all Services and access to the Website immediately, without prior notice or liability, if you breach any of the terms or conditions of this Agreement. Any fees paid hereunder are non-refundable. Upon termination of your account, your right to use the Services, access the Website, and any Content will immediately cease. All provisions of this Agreement which, by their nature, should survive termination, shall survive termination, including, without limitation, ownership provisions, warranty disclaimers, and limitations of liability.

MISCELLANEOUS. The failure of either party to exercise, in any respect, any right provided for herein shall not be deemed a waiver of any further rights hereunder. Company shall not be liable for any failure to perform its obligations hereunder where such failure results from any cause beyond Company’s reasonable control, including, without limitation, mechanical, electronic or communications failure or degradation (including “line-noise” interference). If any provision of this Agreement is found to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect and enforceable. This Agreement is not assignable, transferable or sublicensable by you except with Company’s prior written consent. Company may transfer, assign or delegate this Agreement and its rights and obligations without consent. This Agreement shall be governed by and construed in accordance with the laws of the State of California without regard to the conflict of laws provisions thereof. Any dispute arising from or relating to the subject matter of this Agreement shall be finally settled by arbitration in San Mateo County, California, using the English language in accordance with the Arbitration Rules and Procedures of Judicial Arbitration and Mediation Services, Inc. (“JAMS”) then in effect, by one commercial arbitrator with substantial experience in resolving intellectual property and commercial contract disputes, who shall be selected from the appropriate list of JAMS arbitrators in accordance with the Arbitration Rules and Procedures of JAMS. Judgment upon the award so rendered may be entered in a court having jurisdiction, or application may be made to such court for judicial acceptance of any award and an order of enforcement, as the case may be. 
Notwithstanding the foregoing, each party shall have the right to institute an action in a court of proper jurisdiction for injunctive or other equitable relief pending a final decision by the arbitrator. For all purposes of this Agreement, the parties consent to exclusive jurisdiction and venue in the United States Federal Courts located in the Northern District of California. All parties agree that this Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement, and that all modifications must be in a writing signed by both parties, except as otherwise provided herein. No agency, partnership, joint venture, or employment is created as a result of this Agreement and you do not have any authority of any kind to bind Company in any respect whatsoever.

COPYRIGHT DISPUTE POLICY. Company has adopted the following general policy toward copyright infringement in accordance with the Digital Millennium Copyright Act or DMCA. The address of Company’s Designated Agent to Receive Notification of Claimed Infringement (“Designated Agent”) is listed at the end of this Section. It is Company’s policy to (1) block access to or remove material that it believes in good faith to be copyrighted material that has been illegally copied and distributed by any of our advertisers, affiliates, content providers, members or users; and (2) remove and discontinue service to repeat offenders.

CONTACT. If you have any questions, complaints, or claims with respect to the Services, you may contact us at legal@bedrock.security.

Application General Terms of Service

Version Date: Mar 15, 2025

These Terms of Service (“Terms”) are an agreement between Bedrock Labs, Inc., a Delaware corporation with an address at 2550 Sand Hill Road, Suite 200, Menlo Park, CA 94025 (“Bedrock”) and you or the organization that you represent (“Customer”) and they govern Customer’s use of certain Bedrock products and services (“Services”) that Bedrock makes available without having signed another Master Services Agreement, End User License Agreement, or Order Form linking to one of the previous two documents. These Terms are effective as of the first date Customer accesses the Bedrock Services or the date Customer assents to these Terms, whichever is earlier (“Effective Date”).

1. BEDROCK PRODUCTS AND SERVICES

1.1          Access to the Services. Subject to Customer’s compliance with these Terms and the Bedrock Acceptable Use Policy (“AUP”), Customer may access and use the Services solely for Customer’s internal business purposes.

1.3          Customer Account. In order to use the Services, Customer must register for a Customer account (“Account”). All information provided during the Account registration process must be accurate, current and complete. Customer agrees that Bedrock may communicate with Customer using the contact information provided in Customer’s Account, and that such communication satisfies any requirements for legal notices under these Terms. Customer must protect the confidentiality of its login credentials and is responsible for all activity that occurs under its Account. Customer will promptly notify Bedrock if it becomes aware of any unauthorized activity under its Account.

1.4          Restrictions. Customer must not, and must not allow any third party to: (a) sell, rent, lease or use the Services for any service bureau, time sharing, outsourcing or similar purposes; (b) use the Services to help develop, or help provide to any third party, any product or service similar to or competitive with any Services; (c) reverse engineer, decompile, disassemble, or otherwise seek to obtain the source code of the Services; (d) copy, modify or create derivative works from the Services; (e) remove or obscure any copyright or proprietary or other notices contained in the Services; (f) propagate any virus, Trojan horse, or other malware or programming routine intended to damage any system or data; (g) access or use the Services in a manner intended to circumvent or exceed service account limitations or requirements; (h) use the Services in a manner that violates any applicable law, regulation, or legal requirement or obligation, including applicable privacy and intellectual property laws; (i) use or permit the use of any tools in order to probe, scan or attempt to penetrate or benchmark the Services; (j) impose an unreasonable or disproportionately large load on Bedrock’s infrastructure, as determined by Bedrock in its sole discretion, or detrimentally interfere with, intercept, or expropriate any system, data, or information; (k) post, upload, transmit or provide to the Services any Customer Data (as defined below) that is unlawful, harmful, abusive or otherwise objectionable, or that Customer does not have rights to; or (l) use the Services in violation of the AUP or in any other manner not expressly permitted by these Terms.

1.5          Changes to Services. Bedrock reserves the right to modify, suspend or discontinue the Services at any time without notice or liability to Customer.

2. OWNERSHIP

2.1          Bedrock Services. Bedrock and its suppliers own and retain all right, title and interest, including all patent, copyright, trade secret and other intellectual property rights, in and to the Services. Other than the limited right to use the Services granted to Customer in these Terms, Customer has no right, title or interest in the Services.

2.2          Customer Data. As between the parties, Customer retains all right, title and interest in the Customer Data. “Customer Data” means any data or information that is (a) input by Customer into the Services, and (b) subject to Bedrock’s intellectual property rights in the Services, any reports generated by Customer when using the Services. If Customer Data includes “Personal Data,” as that term is defined under applicable data protection laws, Bedrock will process such Personal Data in accordance with the Bedrock Data Processing Addendum (“DPA”).

2.3          Usage Data. Notwithstanding the foregoing, Bedrock shall have the right to use Customer Data to: (a) provide the Services to Customer; (b) improve the Services (such as using new or improved technologies or processes to protect Customer Data); (c) monitor, analyze, and audit Customer’s use of the Services for security, compliance, service optimization, performance monitoring, troubleshooting, capacity planning, usage analytics, and operational efficiency or other similar internal business purposes; (d) enforce these Terms; and (e) generate aggregated, anonymized, and de-identified Usage Data for statistical analysis, including for service improvements (such as performance optimizations and UI/UX enhancements) and industry insights (such as reporting trends like “Sensitive data comprises X% of total scanned data”). “Usage Data” means information and data relating to the manner in which all customers (including but not limited to Customer) use the Services.

3. TERM, TERMINATION AND SUSPENSION.

3.1          Term. These terms will remain in effect until the earlier to occur of (i) the date fifteen (15) days after the date either party provides written notice of termination to the other party, or (ii) the date five (5) days after the date that Bedrock provides notice of termination to Customer for Customer’s material breach, or (iii) one (1) month after the date of Customer’s last use of the Services.

3.2          Suspension and Throttling. Bedrock reserves the right, in Bedrock’s sole discretion, (i) to suspend Customer’s access to the Services if Bedrock believes that Customer’s use of the Services (a) is in violation of these Terms or the AUP, (b) is for fraudulent, illegal, or unauthorized purposes, or (c) disrupts or poses a security risk to Bedrock, the Services, or a third party, and (ii) to throttle Customer’s access to the Services if Bedrock determines that Customer’s use is excessive or causes an unacceptable burden on the Services.

3.3          Effect of Termination. Upon the expiration or termination of these Terms, (a) Customer shall immediately cease use of and access to the Services, and (b) each party will return or destroy the other party’s Confidential Information (as defined below). The following Sections shall survive any expiration or termination of these Terms: 1.4, 2, 3.3, and 4-8.

4. DISCLAIMER

4.1          Warranty Disclaimer. THE SERVICES ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. BEDROCK AND ITS SUPPLIERS EACH EXPRESSLY DISCLAIM ANY OTHER WARRANTIES, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, TITLE, OR FITNESS FOR A PARTICULAR PURPOSE.

5. LIMITATION OF LIABILITY

5.1          Consequential Damages Disclaimer. TO THE FULLEST EXTENT POSSIBLE UNDER APPLICABLE LAW, IN NO EVENT WILL BEDROCK, ITS AFFILIATES, INVESTORS, DIRECTORS, OFFICERS, EMPLOYEES, AGENTS, SUCCESSORS OR ASSIGNS (COLLECTIVELY, “BEDROCK PARTIES”) BE LIABLE UNDER ANY LEGAL OR EQUITABLE THEORY OF LAW (INCLUDING, WITHOUT LIMITATION, CONTRACT, TORT OR STRICT LIABILITY), WITH RESPECT TO ANY SUBJECT MATTER OF THESE TERMS OR IN ANY WAY RELATING TO THE SERVICES, FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES OF ANY KIND, INCLUDING LOST PROFITS, BUSINESS, CONTRACTS, REVENUE, GOODWILL, PRODUCTION, AND ANTICIPATED SAVINGS OR DATA, EVEN IF INFORMED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.

5.2          Liability Cap. TO THE FULLEST EXTENT POSSIBLE UNDER APPLICABLE LAW, THE BEDROCK PARTIES’ TOTAL AGGREGATE LIABILITY WITH RESPECT TO ANY SUBJECT MATTER OF THESE TERMS OR IN ANY WAY RELATING TO THE SERVICES, UNDER ANY LEGAL OR EQUITABLE THEORY OF LAW (INCLUDING, WITHOUT LIMITATION, CONTRACT, TORT OR STRICT LIABILITY), SHALL IN NO EVENT EXCEED FIVE DOLLARS ($5). THE FOREGOING LIMITATIONS ARE AN ESSENTIAL BASIS OF THESE TERMS, AND BEDROCK WOULD NOT OFFER THE SERVICES TO CUSTOMER UNDER THESE TERMS WITHOUT THESE LIMITATIONS.

6. CUSTOMER INDEMNIFICATION

6.1          Indemnification by Customer. Customer shall defend, indemnify, and hold harmless the Bedrock Parties from and against any and all claims, liabilities, damages and/or costs (including reasonable attorneys’ fees) arising out of or relating to (a) Customer Data, (b) Customer’s breach of these Terms, or (c) any action taken or not taken by Customer based upon use of the Services.

7. CONFIDENTIAL INFORMATION

7.1          Definition. “Confidential Information” means any non-public information about the business or products of a party (“Discloser”) that is disclosed to the other party (“Recipient”) in connection with these Terms, and that is either (a) identified in writing as confidential at the time of disclosure, or (b) is by its nature confidential or Recipient knows, or should reasonably know is confidential. The Services are the Confidential Information of Bedrock, and Customer Data is the Confidential Information of Customer. Confidential Information does not include information that (i) has become public knowledge through no fault of Recipient, (ii) was known to Recipient, free of any confidentiality obligations, prior to disclosure by Discloser, (iii) becomes known to Recipient, free of any confidentiality obligations, from a source other than Discloser, or (iv) is independently developed by Recipient without use of the Confidential Information.

7.2          Confidentiality Obligations. Recipient will protect Confidential Information with the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but not less than reasonable care) and disclose it only to its employees and agents who need to know such Confidential Information for the purposes of these Terms and who are bound by a written or statutory duty of confidentiality equivalent to the provisions of this Section 7. Recipient will only use Confidential Information for purposes of fulfilling its obligations under these Terms or as otherwise permitted in these Terms. Notwithstanding the foregoing, Recipient may disclose Confidential Information (a) if approved by Discloser in writing, or (b) if required by law or regulation or court order, provided that Recipient first provides notice of such compelled disclosure to Discloser and assists Discloser in limiting the disclosure, unless prohibited by law from doing so.

8. GENERAL TERMS

8.1          Assignment. These Terms may not be assigned by Customer without the prior written consent of Bedrock, but may be assigned by Bedrock without restriction.

8.2          Publicity. Bedrock may reference Customer as a Bedrock customer in marketing, promotional materials and public statements.

8.3          Feedback. In the event Customer elects to provide Bedrock with any suggestions, ideas, improvements or other feedback with respect to any aspect of the Services (“Feedback”), Bedrock is free to use such Feedback for any purpose whatsoever without attribution or payment to Customer.

8.4          Severability. If any provision (or any part thereof) of these Terms is unenforceable under or prohibited by any present or future law, then such provision (or part thereof) will be amended, and is amended, so as to be in compliance with such law, while preserving to the maximum extent possible the intent of the original provision. Any provision (or part thereof) that cannot be so amended will be severed from these Terms and all the remaining provisions of these Terms will remain unimpaired.

8.5          Governing Law; Jurisdiction and Venue. These Terms are governed by the laws of the State of California and the United States without regard to conflicts of laws provisions thereof, and without regard to the United Nations Convention on the International Sale of Goods. Except for claims for injunctive or equitable relief or claims regarding intellectual property rights, any dispute arising under these Terms shall be finally settled in binding arbitration. The Judicial Arbitration and Mediation Service, Inc. (“JAMS”) will administer the arbitration in accordance with its Comprehensive Arbitration Rules and Procedures (though to the extent JAMS’ Expedited Arbitration Procedures are available, they will apply), and the arbitration will be held in San Mateo County, California. Subject to the foregoing provisions of this Section 8.5, the jurisdiction and venue for actions related to the subject matter hereof shall be the state and federal courts located in San Mateo County, California and both parties hereby submit to the personal jurisdiction of such courts.

8.6          Waivers. No supplement, modification, or amendment of these Terms shall be binding, unless executed in writing by a duly authorized representative of each party to these Terms. No waiver will be implied from conduct or failure to enforce or exercise rights under these Terms, nor will any waiver be effective unless in a writing signed by a duly authorized representative on behalf of the party claimed to have waived. A waiver of any provision of these Terms must be signed by the waiving party; and, one waiver will not imply any future waiver.

8.7          No Third-Party Rights. There are no third-party beneficiaries to these Terms.

8.8          Government Rights. As defined in FAR section 2.101, any software and documentation provided by Bedrock are “commercial items” and according to DFAR section 252.227-7014(a)(1) and (5) are deemed to be “commercial computer software” and “commercial computer software documentation.” Consistent with DFAR section 227.7202 and FAR section 12.212, any use, modification, reproduction, release, performance, display, or disclosure of such commercial software or commercial software documentation by the U.S. Government will be governed solely by the terms of these Terms and will be prohibited except to the extent expressly permitted by these Terms. Unpublished rights reserved under copyright laws of the United States.

8.9          Export Compliance. Customer shall comply with all applicable export and re-export control and trade and economic sanctions laws, including the Export Administration Regulations maintained by the U.S. Department of Commerce, trade and economic sanctions maintained by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), and the International Traffic in Arms Regulations maintained by the U.S. State Department. Neither Customer, nor any of its subsidiaries or any person acting on its behalf or owning 50% or more of its equity securities or other equivalent voting interests, is (a) a person on the List of Specially Designated Nationals and Blocked Persons or any other list of sanctioned persons administered by OFAC or any other governmental entity, or (b) a national or resident of, or a segment of the government of, any country or territory for which the United States has embargoed goods or imposed trade sanctions.

8.10        Changes to Terms. Bedrock may revise and update these Terms at its discretion. If Customer continues to use the Services after these Terms have been updated on Bedrock’s website, or Bedrock otherwise provides notice to Customer of such updated Terms, then Customer is deemed to have assented to such updated Terms. If Customer objects to any updated Terms, Customer must stop using the Services.

8.11        Entire Agreement. These Terms are the complete and exclusive statement of the mutual understanding of the parties, and supersede and cancel all previous written and oral agreements and communications, relating to the subject matter of these Terms. These Terms may be executed electronically and in counterparts, which counterparts taken together shall form one legal instrument.

Acceptable Use Policy

Last Updated: Mar 15, 2025

This Acceptable Use Policy (“AUP”) applies to customers’ use of (and access to) all services offered by Bedrock Labs, Inc. or its affiliates (“Bedrock”).

Bedrock may change this AUP by posting an updated version of the AUP here, and such updates will be effective upon posting.

A customer’s violation of this AUP will be considered a material breach of the service agreement (or other agreement) governing the customer’s use of (or access to) the services (“Agreement”).

Customers will promptly notify Bedrock in writing of any unauthorized use of the services under this AUP (in each case that comes to the customer’s attention) and promptly take all reasonable steps necessary to terminate such unauthorized use, including collaborating with Bedrock to remediate.

Customers will not, and will not encourage, permit or assist any third party to:

  • Circumvent any usage or access limits on the use of the services.
  • Create multiple accounts, including online or otherwise, or otherwise access or use the services in a manner intended to avoid or reduce incurring fees.
  • Intentionally distribute viruses, worms, defects, Trojan horses, corrupted files, hoaxes, or any other item of a destructive or deceptive nature.
  • Make the services available to any third party (via a services arrangement, service bureau, lease, sale, resale, or otherwise) or use such for any purpose other than its own internal business purposes.
  • Damage, disable, overburden, impair, or disrupt the services or attempt to gain unauthorized access to any systems or networks that connect thereto or otherwise interfere with the operation of the services or in any way with the use or enjoyment of the services by others.
  • Perform or disclose network discovery, port and service identification, vulnerability scanning, password cracking, or penetration testing of the services (without first obtaining Bedrock’s written consent).
  • Use the services other than in accordance with the Agreement and in compliance with all applicable laws and regulations (including but not limited to any European or local privacy laws to the extent applicable to the customer).
  • Use the services in a manner that violates any third-party rights (including, without limitation, intellectual property and privacy rights).
  • Promote, facilitate, or encourage illegal activity.
  • Access or use the services in order to create a product or service competitive with the services.
  • Copy any features, functionality, or graphics of the services.
  • Remove any copyright, trademark, or other proprietary rights notices contained in or on the services or reformat (or frame) any portion of the web pages that are part of the service’s administration display.
  • Use the services in connection with any real-time control system (including any aviation, mass transit, medical or nuclear application) or any other application that could result in death, personal injury, catastrophic damage or mass destruction.
  • Use any services in any manner that would disparage Bedrock.
  • To the extent the following restriction is permitted by applicable law, access or use the services for purposes of evaluating the availability, performance or functionality of the services, or for any other benchmarking or competitive purposes.
  • Create, train or improve (directly or indirectly) a substantially similar product or service, including a machine learning engine.
  • Reverse engineer (except to the extent statutory law expressly prohibits or limits restrictions on reverse engineering and, in which instance, customer will provide notice to Bedrock so that Bedrock can respond and assist with such request), decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas or algorithms of the services, documentation or data related to the services.
  • Modify, translate, or create derivative works based on the services.

Free Products Policy

Last Updated: Mar 15, 2025

We may offer certain free Products or “freemium” versions of Bedrock Technology to You at no monetary cost (collectively “Free Products”). Use of the Free Products is subject to any additional terms that we specify and is only permitted during the time period we designate. As a licensee of the Free Product, Bedrock will perform scans at a daily frequency for the first fourteen (14) days. Subsequently, we will perform scans at a monthly frequency once per month. Scanning may be limited to a certain volume of data, number of tables, and list of data sources at Bedrock’s sole discretion, and may be subject to change at any time. We may delete Your tenant and deprovision Your account after 30 days without Your logging in, and We are not required to provide prior notification. We may modify or terminate the foregoing functionality, or your right to use Free Products, at any time and for any reason in our sole discretion, without any liability to You. We will have no liability whatsoever for any harm or damage arising from or in connection with Free Products. The Free Products are provided “as is” without any warranty. BEDROCK EXPRESSLY DISCLAIMS ALL OBLIGATIONS OR LIABILITIES WITH RESPECT TO FREE PRODUCTS, INCLUDING ANY SUPPORT, WARRANTY AND INDEMNIFICATION OBLIGATIONS. NOTWITHSTANDING ANYTHING TO THE CONTRARY, BEDROCK’S MAXIMUM AGGREGATE LIABILITY TO YOU IN RESPECT TO FREE PRODUCTS WILL BE THE AMOUNT OF MONIES YOU PAID BEDROCK IN THE LAST MONTH TO BEDROCK TO USE BEDROCK’S FREE PRODUCTS. For the full suite of Bedrock features, dedicated white-glove service, and a panoply of other benefits You may upgrade from the Free Products by contacting sales@bedrock.security.

Security Addendum

Last Updated: Mar 15, 2025

Purpose. This Security Addendum sets forth the information security program and infrastructure policies that Bedrock will meet and maintain in order to protect Customer Data from unauthorized use, access or disclosure, during the term of the Agreement.

  1. Information Security Management Program. Bedrock will maintain throughout the Term of the Agreement an information security management program (the “ISMP”) designed to protect and secure Customer Data in its possession, if any, from unauthorized access or use. The ISMP will be documented and updated based on changes in applicable legal and regulatory requirements related to privacy and data security practices and industry standards.
  2. Standards. Bedrock incorporates commercially reasonable and appropriate methods and safeguards to protect the security, confidentiality, and availability of Customer Data. Bedrock will, at a minimum, adhere to applicable information security practices as identified in the Services Trust Criteria and Supporting Controls as identified by SOC 2 along with those identified in the International Organization for Standardization 27001 (ISO/IEC 27001).
  3. Independent Assessments. On an annual basis, Bedrock has an independent third-party organization conduct an independent assessment consisting of a Report on Controls at a Service Organization Relevant to Security, Availability, Processing, Integrity, Confidentiality and/or Privacy (SOC 2 Type II) along with an ISO/IEC 27001:2022 Certification Audit Report. Additionally, Bedrock undergoes regular penetration testing from independent third parties at least on an annual basis.
  4. Information Security Policies. Bedrock implements, maintains, and adheres to its internal information security and privacy policies that address the roles and responsibilities of Bedrock’s personnel, including both technical and non-technical personnel, who have direct or indirect access to Customer Data in connection with providing the Services. All Bedrock personnel with access to Customer Data will receive annual training on Bedrock’s ISMP.

Notwithstanding the foregoing, You understand and acknowledge that You will be solely responsible for implementing and maintaining access and security controls on Your own systems.

Data Processing Addendum

Last Updated: Mar 15, 2025

  1. Introduction

This Data Processing Addendum ("Addendum") governs Bedrock Labs, Inc.’s (“Bedrock”) processing of Personal Data in relation to the provision of Bedrock’s Platform and Services to Customer as specified in the applicable Master Service Agreement or other relevant agreement (“Agreement”). To the extent that there is a conflict between this Addendum and the Agreement, the terms of this Addendum shall apply. This DPA shall be effective and remain in force for the full term of the Agreement. The effective date within the Agreement is the “Effective Date” of this Addendum. This Addendum is legally binding when Customer enters into the Agreement.

  2. Definitions

Any terms used in this Addendum and not defined will have the meanings given to them in the applicable Agreement.

  1. "Applicable Data Protection Laws" means all applicable privacy and data protection laws and regulations and in each case, as amended, superseded, or replaced from time to time, including, without limitation, the EU General Data Protection Regulation (EU) 2016/679 ("GDPR"); the United Kingdom Data Protection Act 2018; Swiss Federal Data Protection Act (“FADP”); and the California Consumer Privacy Act of 2018 ("CCPA"), including, when applicable, all amendments thereto including the California Privacy Rights Act of 2019; the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA"); and the Australian Privacy Principles and the Australian Privacy Act (1988).
  2. "Contact Data" means the Personal Data that Bedrock Processes as a controller, such as account information and payment information.
  3. "Customer Data" means the Personal Data that Bedrock Processes on behalf of Customer.
  4. "Data Subject" means the identified or identifiable natural person who is the subject of Personal Data or the meaning as set forth in Applicable Data Protection Laws, including similar terms, such as "Consumer" as used in the CCPA.
  5. "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction and including all "processing" as defined in any Applicable Data Protection Laws.
  6. "Personal Data" means "personal data", "personal information", "personally identifiable information" or similar information defined in and governed by Applicable Data Protection Laws.
  7. "Security Incident" means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data Processed by Bedrock and/or its Subprocessors in connection with the provision of the Service. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
  8. "Service" means the data management and security platform, as further described in the Agreement. 
  9. "Subprocessor" means any third-party authorized by Bedrock to Process Customer Data in assistance with fulfilling its obligations with respect to providing the Service under the Agreement or this Addendum.
  3. General; Termination
  1. This Addendum forms part of the Agreement and except as expressly set forth in this Addendum, the Agreement remains unchanged and in full force and effect. If there is any conflict between this Addendum and the Agreement, this Addendum will govern.
  2. Any liabilities arising under this Addendum are subject to the limitations of liability in the Agreement.
  3. This Addendum will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless otherwise specified hereunder or required otherwise by Applicable Data Protection Laws.
  4. This Addendum will remain in effect until, and automatically terminate upon, deletion of Customer Data as described in this Addendum.
  4. Relationship of the Parties
  1. Bedrock as Processor. The parties acknowledge and agree that with regard to the Processing of Customer Data, Customer acts as a controller (or processor) and Bedrock is a processor (or sub-processor). Bedrock will process Customer Data under and in accordance with Customer's instructions (on behalf of the controller) as outlined in Section 6 (Role and Scope of Processing).
  2. Bedrock as Controller. As to any Contact Data, Bedrock is the controller with respect to such data and will Process such data in accordance with its Privacy Policy.
  5. Compliance with Law

Each party will comply with its obligations under Applicable Data Protection Laws with respect to its Processing of Customer Data.

  6. Role and Scope of the Processing
  1. Customer Responsibilities. Customer is solely responsible for obtaining and maintaining all the necessary consents prior to accessing, storing, uploading, or processing Customer Data in the Service. Customer has provided, and will continue to provide, all notices and has obtained, and will continue to obtain, all consents, permissions, and rights necessary under applicable laws, including Applicable Data Protection Laws, for Bedrock to lawfully process Customer Data for the purposes contemplated by the Agreement. Customer has complied with all applicable laws, rules, and regulations, including Applicable Data Protection Laws, in the collection and provision to Bedrock and its Subprocessors of such Customer Data.
  2. Customer Instructions. Bedrock will Process Customer Data only in accordance with Customer's documented, lawful instructions on behalf of the controller, except to the extent required by Applicable Data Protection Laws to which Bedrock is subject or where Bedrock becomes aware or believes that Customer's instructions violate Applicable Data Protection Laws, in which case Bedrock will notify Customer. By entering into the Agreement, Customer instructs Bedrock to Process Customer Data to provide the Service and pursuant to any other written instructions given by Customer and acknowledged in writing by Bedrock as constituting instructions for purposes of this Addendum. Customer acknowledges and agrees that such instruction authorizes Bedrock to Process Customer Data (a) to perform its obligations and exercise its rights under the Agreement; (b) to perform its legal obligations and to establish, exercise or defend legal claims in respect of the Agreement; and (c) does not conflict with the instructions given to the Customer by the controller to Process Customer Data. Bedrock
  7. Subprocessing
  1. Customer generally authorizes Bedrock to engage Subprocessors to Process Customer Data. In such instances, Bedrock: (i) will enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to those set out in this Addendum to the extent applicable to the nature of the services provided by such Subprocessor; and (ii) remains liable for compliance with the obligations of this Addendum and for any acts or omissions of the Subprocessor that cause Bedrock to breach any of its obligations under this Addendum.
  2. A list of Bedrock's Subprocessors, including their functions and locations, is available below and may be updated by Bedrock from time to time in accordance with this Addendum.
    1. Amazon Web Services, Inc. – Data Hosting – USA
  3. Bedrock will inform Customer in advance and in writing of any intended changes to the Subprocessors, whether by addition or replacement of a Subprocessor. If, within thirty (30) calendar days after such notice, Customer notifies Bedrock in writing that Customer objects to Bedrock's appointment of a new Subprocessor based on reasonable data protection concerns, the parties will discuss such concerns in good faith and whether they can be resolved. If the parties are not able to mutually agree to a resolution of such concerns, Customer, as its sole and exclusive remedy, may terminate the Agreement for convenience with no refunds and Customer will remain liable to pay any committed fees in an order form, order, statement of work or other similar ordering document.
  8. Security
  1. Security Measures. Bedrock will implement and maintain technical and organizational security measures designed to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data, in accordance with Bedrock's security standards referenced in the Agreement ("Security Measures"). 
  2. Customer Responsibility.
    1. Customer is responsible for reviewing the information made available by Bedrock relating to data security and making an independent determination as to whether the Service meets Customer's requirements and legal obligations under Applicable Data Protection Laws. Customer acknowledges that the Security Measures provide a level of security appropriate to the risk in respect of the Customer Data and that they may be updated from time to time upon reasonable notice to Customer to reflect process improvements or changing practices (but the modifications will not materially decrease Bedrock's obligations as compared to those reflected in such terms as of the Effective Date).
    2. Customer agrees that, without limitation of Bedrock's obligations under this Section 8, Customer is solely responsible for its use of the Service, including (a) making appropriate use of the Service to ensure a level of security appropriate to the risk in respect of the Customer Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Service; (c) securing Customer's systems and devices that it uses with the Service; and (d) maintaining its own backups of Customer Data.
  3. Security Incident. Upon becoming aware of a confirmed Security Incident, Bedrock will notify Customer without undue delay unless prohibited by applicable law. A delay in giving such notice requested by law enforcement and/or in light of Bedrock's legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay. Such notice to Customer will describe, to the extent possible, (a) the details of the Security Incident as known or as reasonably requested by Customer, and (b) the steps taken, deemed necessary and reasonable by Bedrock, to mitigate the potential risks, to the extent that the remediation is within Bedrock's reasonable control. Without prejudice to Bedrock's obligations under this Section 8.c., Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incidents. Bedrock's notification of or response to a Security Incident under this Section 8.c. will not be construed as an acknowledgment by Bedrock of any fault or liability with respect to the Security Incident. These obligations will not apply to Security Incidents to the extent they are caused by Customer.
  9. Audits and Reviews of Compliance

The parties acknowledge that Customer must be able to assess Bedrock's compliance with its obligations under Applicable Data Protection Laws and this Addendum, insofar as Bedrock is acting as a processor on behalf of Customer.

  1. Bedrock's Audit Program. Bedrock uses external auditors to verify the adequacy of its security measures with respect to its processing of Customer Data. Such audits (e.g., SOC 2 Type 2) are performed at least once annually at Bedrock's expense by independent, third-party security professionals at Bedrock's selection and result in the generation of a confidential audit report ("Audit Report"). For more information on Bedrock's security measures please see Schedule 2. Bedrock will maintain records of its compliance with this DPA for three (3) years after the DPA ends.
  2. Customer Audit. Upon Customer's written request at reasonable intervals, and subject to reasonable confidentiality controls, Bedrock will make available to Customer a copy of Bedrock's most recent Audit Report. Customer agrees that any audit rights granted by Applicable Data Protection Laws will be satisfied by these Audit Reports. 
  10. Impact Assessments and Consultations

Bedrock will provide reasonable cooperation to Customer, to the extent Customer does not otherwise have access to the relevant information and such information is available to Bedrock, in connection with any data protection impact assessment (at Customer's expense only if such reasonable cooperation will require Bedrock to assign significant resources to that effort) or consultations with regulatory authorities as required by Applicable Data Protection Laws.

  11. Data Subject Requests

Bedrock will upon Customer's request (and at Customer's expense) provide Customer with such assistance as it may reasonably require to comply with its obligations under Applicable Data Protection Laws to respond to requests from individuals to exercise their rights under Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability and objection) in cases where Customer cannot reasonably fulfill such requests independently by using the Service. If Bedrock receives a request from a Data Subject in relation to the Processing of their Customer Data, Bedrock will advise the Data Subject to submit their request to Customer, and Customer will be responsible for responding to any such request.

  12. Return or Deletion of Customer Data
  1. Customers may delete or export Customer Data at any time while using the Service in a manner consistent with the functionality of the Service. Termination or expiration of the Agreement serves as instruction for Bedrock to delete all Customer Data within a commercially reasonable timeframe.
  2. Notwithstanding the foregoing, Customer understands that Bedrock may retain Customer Data if required by law, and such data will remain subject to the requirements of this Addendum.
  13. International Provisions
  1. Processing in the United States. Customer acknowledges that, as of the Effective Date, Bedrock's primary processing facilities are in the United States. Notwithstanding the foregoing, Customer acknowledges that Bedrock may in connection with the provision of the Service, need to transfer and process Customer Data to and in the United States and anywhere else in the world where Bedrock or its Subprocessors maintain data processing operations. Bedrock will ensure such transfers are made in compliance with the requirements of Applicable Data Protection Laws and this Addendum.
  2. Jurisdiction Specific Terms. To the extent that Bedrock Processes Customer Data originating from and protected by Applicable Data Protection Laws in one of the Jurisdictions listed in Schedule 4 (Jurisdiction Specific Terms), then the terms specified therein with respect to the applicable jurisdiction(s) will apply in addition to the terms of this Addendum.
  3. Cross Border Data Transfer Mechanism. To the extent that Customer's use of the Service requires an onward transfer mechanism to lawfully transfer personal data from a jurisdiction (i.e., the European Economic Area ("EEA"), the United Kingdom ("UK"), Switzerland or any other jurisdiction listed in Schedule 3) to Bedrock located outside of that jurisdiction (a "Transfer Mechanism"), the terms and conditions of Schedule 3 (Cross Border Transfer Mechanisms) will apply.

Schedule 1: Subject Matter & Details of Processing

  1. Nature and Purpose of the Processing

Bedrock will process Personal Data as necessary to provide the Service under the Agreement. Bedrock does not sell Customer Data (or end user information within such Customer Data) and does not share such end users' information with third parties for compensation or for those third parties' own business interests.

  1. Customer Data. Bedrock will process Customer Data as a processor in accordance with Customer's instructions as outlined in Section 6.b (Customer Instructions) of this Addendum.
  2. Contact Data. Bedrock will process Contact Data as a controller for the purposes outlined in Section 2.b (Bedrock as Controller) of this Addendum.

  2. Processing Activities
  1. Customer Data. Customer Data will be subject to the following basic processing activities: the provision of the Service in accordance with the Agreement, and/or as compelled by applicable laws.
  2. Contact Data. Personal Data contained in Contact Data will be subject to the following processing activities by Bedrock: Bedrock may use Contact Data to operate, improve and support the Service, to provide marketing and service-related messages and for other lawful business practices, such as analytics, benchmarking and reporting.

  3. Duration of the Processing

The period for which Personal Data will be retained and the criteria used to determine that period is as follows:

  1. Customer Data. Prior to the termination of the Agreement, Bedrock will Process Customer Data for as long as required to conduct the Processing Activities and in accordance with Sections 3 and 12 of this Addendum.

  2. Contact Data. Upon termination of the Agreement, Bedrock may retain, use, and disclose Contact Data for the purposes set forth above in Section 2.b (Contact Data) of this Schedule 1, subject to the confidentiality obligations set forth in the Agreement. Bedrock will anonymize or delete Personal Data contained within Contact Data when Bedrock no longer requires it for the purpose set forth in Section 2.b (Contact Data) of this Schedule 1.

  4. Categories of Data Subjects
  1. Customer Data. Customer and authorized users and the authorized users’ contacts. 
  2. Contact Data. Customer's authorized users with access to a Bedrock account, and end users.

  5. Categories of Personal Data
  1. Customer Data. By default, Bedrock does not process or collect Customer Data. For authorized users, only upon their explicit opt-in and deployment of a specific infrastructure-as-code package, Customer may instruct Bedrock to collect sample data that illustrates the results of Bedrock’s scans for the purpose of displaying those sample findings to the Customer in the Bedrock Service (as opposed to the Customer’s environment). Customer and authorized users determine the identity of the persons which are part of the processing and content analyzed by the Service, and the type and nature of any Personal Data (if any) exchanged or included in such content. Bedrock has no control over the identity of the Data Subjects whose Personal Data is processed on behalf of Customer and over the types of Personal Data Processed.
  2. Contact Data. Bedrock processes Personal Data within Contact Data, such as name, email address, phone number, account preferences, and content of communications with support services.

  6. Sensitive Data or Special Categories of Data
  1. Customer Data. Customer is directed to not include, upload or allow access to any Sensitive data in the Service.
  2. Contact Data. Sensitive data is not contained in Contact Data.

Schedule 2: Technical & Organizational Security Measures

Where applicable, this Schedule 2 will serve as Annex II to the Standard Contractual Clauses. The following provides more information regarding Bedrock's technical and organizational security measures set forth below. 

  1. Information Security Management Program. Bedrock shall maintain an information security management program (the “ISMP”) designed to protect and secure Customer Data from unauthorized access or use. The ISMP shall be documented and updated based on changes in applicable legal and regulatory requirements related to privacy and data security practices and industry standards. Bedrock incorporates commercially reasonable and appropriate methods and safeguards designed to protect the security, confidentiality, and availability of Customer Data. Bedrock shall, at a minimum, implement measures designed to adhere to applicable information security practices as identified in International Organization for Standardization 27001 (ISO/IEC 27001) (or a substantially equivalent or replacement standard) or other authoritative sources (e.g. SOC2).
  2. Independent Assessments. On an annual basis, Bedrock has an independent third-party organization conduct an independent assessment consisting of a Report on Controls at a Service Organization Relevant to Security, Availability, Processing, Integrity, Confidentiality and/or Privacy (SOC2 Type II) or such other assessment at its sole discretion (e.g. ISO 27001 Certificate). Additionally, Bedrock undergoes regular penetration testing from independent third parties at least on an annual basis.
  3. Information Security Policies. Bedrock shall implement information security and privacy policies that address the roles and responsibilities of Bedrock’s personnel who have access to Customer Data in connection with providing the Services. All Bedrock personnel with access to Customer Data shall receive annual training on Bedrock’s ISMP.
  4. Information Security Infrastructure.
    1. Access Controls. Bedrock shall implement and maintain, throughout the Term and at all times while Bedrock has access to or possession of Customer Data, reasonable access controls (physical, technical, and administrative) that are designed to protect Customer Data.
    2. Encryption. Bedrock shall implement measures designed to encrypt Customer Data (i) at rest within the SaaS Services at a minimum AES algorithm with a default value of 256-bit strength; and (ii) in transit using TLS 1.2 encryption or stronger.
    3. Network and Host Security. Bedrock has implemented measures designed to address network intrusion detection and firewalls. Bedrock uses reasonable efforts designed to ensure that the SaaS Services’ operating systems and applications that are associated with Customer Data are patched or secured to mitigate the impact of security vulnerabilities in accordance with Bedrock’s patch management processes.
    4. Data Management. Bedrock has reasonable information security infrastructure controls in place for Customer Data obtained, transported, and retained by Bedrock for the provision of the Services.
  5. Business Continuity. Bedrock shall maintain a business continuity plan, which is designed to ensure Bedrock shall be able to continue to provide the SaaS Services in the event of a disaster or other significant event that may impact Bedrock’s operations.

Notwithstanding the foregoing, Customer understands and acknowledges that Customer shall be solely responsible for implementing and maintaining access and security controls on its own systems.

When Bedrock engages a Subprocessor under this Addendum, Bedrock and the Subprocessor enter into an agreement with data protection terms substantially similar to those contained herein. Each Subprocessor agreement must ensure that Bedrock is able to meet its obligations to Customer. In addition to implementing technical and organisational measures to protect personal data, Subprocessors must a) notify Bedrock in the event of a Security Incident so Bedrock may notify Customer; b) delete data when instructed by Bedrock in accordance with Customer's instructions to Bedrock; c) not engage additional Subprocessors without authorization; d) not change the location where data is processed; or e) process data in a manner which conflicts with Customer's instructions to Bedrock.

Schedule 3: Cross Border Data Transfer Mechanism

  1. Definitions
    1. "Standard Contractual Clauses" means the 2021 Standard Contractual Clauses approved by the European Commission in decision 2021/914.
    2. "UK IDTA" means the UK international data transfer addendum (Schedule 5).
  2. UK IDTA

For data transfers from the United Kingdom, the UK IDTA will be deemed entered into (and incorporated into this Addendum by reference) together with the Standard Contractual Clauses as set forth in Section 3 of this Schedule below.

  3. The 2021 Standard Contractual Clauses

For data transfers from the EEA, the UK, and Switzerland that are subject to the Standard Contractual Clauses, the Standard Contractual Clauses will apply in the following manner:

  1. Module One (Controller to Controller) will apply where Customer is a controller of Contact Data and Bedrock is a controller of Contact Data.
  2. Module Two (Controller to Processor) will apply where Customer is a controller of Contact Data and Bedrock is a processor of Contact Data.
  3. Module Three (Processor to Processor) will apply where Customer is a processor of Contact Data and Bedrock is a processor of Contact Data.
  4. For each Module, where applicable:
    i. In Clause 7, the optional docking clause will not apply;
    ii. In Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes will be as set forth in Section 7 (Subprocessing) of this Addendum;
    iii. In Clause 11, the optional language will not apply;
    iv. In Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law;
    v. In Clause 18(b), disputes will be resolved before the courts of Ireland;
    vi. In Annex I, Part A:

Data Exporter: Customer and authorized affiliates of Customer.
Contact Details: Customer's account owner email address, or to the email address(es) for which Customer elects to receive privacy communications.
Data Exporter Role: The Data Exporter's role is outlined in Section 4 of this Addendum.
Signature & Date: By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Data Importer: Bedrock, Inc.
Contact Details: Bedrock Security Contact – Gordon Yu legal@bedrock.security
Data Importer Role: The Data Importer's role is outlined in Section 4 of this Addendum.
Signature & Date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

  1. In Annex I, Part B: The categories of data subjects are described in Schedule 1, Section 4.

The sensitive data transferred is described in Schedule 1, Section 6.
The frequency of the transfer is on a continuous basis for the duration of the Agreement.
The nature of the processing is described in Schedule 1, Section 1.
The purpose of the processing is described in Schedule 1, Section 1.
The period of the processing is described in Schedule 1, Section 3.
For transfers to Subprocessors, the subject matter, nature, and duration of the processing is outlined in 7(b) above.

  1. In Annex I, Part C: The Irish Data Protection Commission will be the competent supervisory authority.
    xi. Schedule 2 serves as Annex II of the Standard Contractual Clauses.
  2. Modules. As to the specific modules, the parties agree that the following modules apply, as the circumstances of the transfer may apply:
  • Controller-Controller - Module One
  • Controller-Processor - Module Two
  • Processor-Processor - Module Three
  1. Conflicts. To the extent there is any conflict between the Standard Contractual Clauses or the UK IDTA and any other terms in this Addendum, including Schedule 4 (Jurisdiction Specific Terms), the provisions of the Standard Contractual Clauses or the UK IDTA, as applicable, will prevail.

Schedule 4: Jurisdiction Specific Terms

  1. California
    1. The definition of "Applicable Data Protection Laws" includes the California Consumer Privacy Act ("CCPA").
    2. The terms "business", "commercial purpose", "service provider", "sell" and "personal information" have the meanings given in the CCPA.
    3. With respect to Customer Data, Bedrock is a service provider under the CCPA with the Customer as the business.
    4. Bedrock will not (a) sell Customer Data; (b) retain, use or disclose any Customer Data for any purpose other than for the specific purpose of providing the Service, including retaining, using or disclosing the Customer Data for a commercial purpose other than providing the Service; or (c) retain, use or disclose the Customer Data outside of the direct business relationship between Bedrock and Customer.
    5. The parties acknowledge and agree that the Processing of Customer Data authorized by Customer's instructions described in Section 6 of this Addendum is integral to and encompassed by Bedrock's provision of the Service and the direct business relationship between the parties.
    6. Notwithstanding anything in the Agreement or any Order Form entered in connection therewith, the parties acknowledge and agree that Bedrock's access to Customer Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.
    7. To the extent that any Contact Data is considered Personal Data, pursuant to the CCPA, Bedrock is the business under the CCPA with respect to such data and will Process such data in accordance with its Privacy Policy.
    8. Bedrock implements and maintains reasonable security and privacy practices appropriate to the nature of the personal information that it processes as set forth in Section 8 of this Addendum.
  2. EEA
    1. The definition of "Applicable Data Protection Laws" includes the General Data Protection Regulation (EU 2016/679) ("GDPR").
    2. When Bedrock engages a Subprocessor under Section 7 (Subprocessing), it will:
      1. require any appointed Subprocessor to protect Customer Data to the standard required by Applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
      2. require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an "adequate" level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.
    3. GDPR Penalties. Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party's indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party's violation of the GDPR.
  3. Switzerland
    1. The definition of "Applicable Data Protection Laws" includes the Swiss Federal Act on Data Protection.
    2. When Bedrock engages a Subprocessor under Section 7 (Subprocessing), it will:
      1. require any appointed Subprocessor to protect Customer Data to the standard required by Applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
      2. require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an "adequate" level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.
  4. United Kingdom
    1. References in this Addendum to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).
    2. When Bedrock engages a Subprocessor under Section 7 (Subprocessing), it will:
      1. require any appointed Subprocessor to protect Customer Data to the standard required by Applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
      2. require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an "adequate" level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses and the UK IDTA.
  5. Australia
    1. As the definition of "Applicable Data Protection Laws" includes the Australian Privacy Principles and the Australian Privacy Act (1988), the following applies:
      1. The definition of "Personal Data" includes "Personal Information" as defined under the Australian Privacy Principles and the Australian Privacy Act (1988).
      2. The definition of "sensitive data" includes "Sensitive Information" as defined under the Australian Privacy Principles and the Australian Privacy Act (1988).
  6. Canada
    1. As the definition of "Applicable Data Protection Laws" includes the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA"), the following applies:
      1. Bedrock's Subprocessors, as described in this Addendum, are third parties under the PIPEDA, with whom Bedrock has entered into a written contract that includes terms substantially similar to this Addendum.
      2. Bedrock has conducted appropriate due diligence on its Subprocessors.

Bedrock will implement technical and organizational measures as set forth in Schedule 2.

Schedule 5: UK IDTA

Where a Restricted Transfer is made from the UK, the Standard Contractual Clauses will be modified and interpreted in accordance with UK IDTA, which will be incorporated by reference and form an integral part of the Agreement. Tables 1, 2, and 3 of the UK IDTA are completed with the information set out in Schedule 1, Schedule 2 and Schedule 3 to this DPA, and Table 4 is completed by selecting “Importer” and “Exporter.” In the event of any conflict between the terms of the Standard Contractual Clauses and the UK IDTA, it will be resolved in accordance with Section 10 and Section 11 of the UK IDTA.