The Cvent Marketplace (the “Marketplace”) is Cvent’s online directory of (i) applications that interoperate with Cvent Services and (ii) consulting partner services. Pursuant to the terms of this Marketplace Addendum, Company commits to design, develop, support and maintain a mutually agreed upon integration between Cvent Services and Company Application or Non-Cvent Application.

BY ACCEPTING THIS AGREEMENT, EITHER BY CLICKING A BOX INDICATING YOUR ACCEPTANCE OR OTHERWISE ELECTRONICALLY INDICATING ACCEPTANCE, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERMS "YOU" OR "YOUR" SHALL REFER TO SUCH ENTITY. YOU AND CVENT, INC. (“CVENT”) ARE EACH A “PARTY” AND COLLECTIVELY “PARTIES” TO THIS AGREEMENT. 

YOU MAY NOT ACCESS THE CVENT APP MARKETPLACE PROGRAM IF YOU (I) DO NOT AGREE WITH THESE TERMS AND CONDITIONS, OR (II) ARE OR BECOME (IN WHOLE OR IN PART) A DIRECT COMPETITOR OF CVENT EXCEPT WITH CVENT’S PRIOR WRITTEN CONSENT. FURTHER, YOU MAY NOT ACCESS THE CVENT APP MARKETPLACE FOR PURPOSES OF MONITORING SFDC OR ITS SERVICES, THEIR PERFORMANCE OR FUNCTIONALITY, OR FOR ANY OTHER BENCHMARKING OR COMPETITIVE PURPOSES.

Terms & Conditions

1.     Definitions.

1.1           “Company” means the organization or other legal entity entering this Agreement to make available Company Applications or Non-Cvent Applications (both as defined below) on the Cvent App Marketplace.

1.2           “Company Application” means any application and/or component that Company submits to Cvent for review and/or listing as a Cvent App Marketplace Application under this Agreement.

1.3           “Company Marks” means the trademarks, trade names, service marks, logos, and other indicia of origin of Company.

1.4           “Consulting Services Listing” means a listing on the Cvent App Marketplace describing systems integration services and similar consulting services a Company offers to Customers.

1.5           “Customer” means a customer or prospective customer of Company.

1.6           “Cvent App Marketplace Application” means an internet-based, on-demand application or component and/or downloadable software application or component that interoperates with the Cvent Services and that has been approved by Cvent for listing on the Cvent App Marketplace.

1.7           “Cvent Marks” means the trademarks, trade names, service marks, logos, and other indicia of origin of Cvent.

1.8           “Cvent Software” means Cvent’s web-based and/or mobile application-based software solution(s) related to online meeting management, site selection and sourcing toolset located at www.cvent.com.

1.9           “Cvent Services” means collectively, Cvent Software, and the maintenance, hosting, remote and/or on-site customer support services related to the Cvent Software.

1.10         “Integration” means a mutually agreed upon integration for the exchange of Customer Data between the Cvent Service and Company Application.

1.11         “Intellectual Property Rights” means patent rights, copyright, trademark and trade secret rights, and any other intellectual property rights recognized by the law of each applicable jurisdiction.

1.12         “Know How” means the ideas, techniques, concepts or know-how related to the development and operation of integrations that a party is exposed to, learns or develops, during the course of its performance of this Agreement.

1.13         “Non-Cvent Application” means any internet-based, mobile, offline or other software application functionality that is provided by a Customer, Company or a third party and interoperates with the Cvent Service, including, for example, an application that is developed by or for Customer or Company, is listed on an online directory, catalog or marketplace of applications that interoperate with Cvent’s Services.

2.     MARKETPLACE PROGRAM OVERVIEW.

2.1.          Term. Unless earlier terminated as provided herein, the initial term shall commence on the Effective Date and expire on the first anniversary thereof (the “Initial Term”). Following expiration of the Initial Term, this Agreement shall automatically renew for successive twelve (12) month renewal terms (each a “Renewal Term”) unless either party provides the other with written notice of its intent not to renew at least forty-five (45) calendar days prior to the start of any Renewal Term. Renewal Terms will be billed annually in advance. If either party experiences a change of control event, the other party has the right to terminate the Agreement upon forty-five (45) days prior written notice.

 

2.2.          Listing Fee. Partner will pay to Cvent the applicable annual listing fee (“Annual Listing Fee”) for the Initial Term and any subsequent Renewal Terms. Cvent may modify the Annual Listing Fee and partner type for subsequent Renewal Terms by providing any updated fees and partner types to Partner at least thirty (30) calendar days prior to the end of each Renewal Term. Once paid, the Annual Listing Fee is non-cancelable and nonrefundable, except in the event of termination for Cvent’s material uncured breach of the Agreement. The Annual Listing Fee is exclusive of sales, use, value-added or import taxes, customs duties or similar taxes that may be assessed by any jurisdiction.

 

2.3.          Commission. Cvent shall receive a commission as further outlined below for any prospective customer (a “Lead”) that Cvent submits to Company and Company then converts to a customer by executing a contract with such Lead within six (6) months of the date Cvent submitted such Lead. Cvent is not committing to any amount or volume of Leads during the Term of this Agreement. Company acknowledges its right to receive Leads is non-exclusive, and Cvent may refer Leads to any third-party for similar services, whether competitive or not.

 Company shall pay Cvent a commission equal to 20% of the annual gross value of the contract (calculated in accordance with U.S. GAAP) for the term of the contract (excluding taxes) agreed to by Company and a Lead (the “Commission”).  All Commissions will be paid on a monthly basis in arrears. Cvent may dispute a Commission amount within thirty (30) days of payment and the Parties agree to negotiate in good faith to resolve such dispute. Partner shall pay the Commission even if a third-party refers the same Lead to Partner provided that Cvent’s referral came first.

 2.4.          API Access. Each party will provide the other party with access to its APIs as reasonably necessary, solely for use by the other party’s employees to become knowledgeable about that party’s APIs in support of the parties’ activities hereunder and develop, maintain and support the Integration. Access to a party’s products or services and related documentation shall be at a party’s sole discretion and the other party’s use thereof will be subject to the provisions therewith or herein. Each party shall not (i) license, sublicense, distribute, sell, resell, rent, or lease the Products or Services of the other party; (ii) create derivative works of the other party’s Products or Services; (iii) use the other party’s Products or Services to send malicious code; and (iv) use the other party’s Products or Services to send any infringing or otherwise unlawful material.

 2.5.          Other Restrictions. Company shall not use the APIs in any application that competes with Cvent. Company shall not use any data returned or received through the APIs for generating advertising, messages, promotions, or offers, or for any other purpose other than for users to use the returned data in Company’s application or a Non-Cvent Application. Company shall not use the APIs in conjunction with Cvent content acquired through scraping or any other means outside the official Cvent APIs. Company shall not obfuscate or hide your deployment or use of any Cvent buttons, sign-in functionality, or user flows. Company shall not provide functionality that proxies, requests, or collects Cvent user names or passwords.

 3.     Termination.

3.1.          Termination For Cause. Either party may terminate this Agreement if (i) the other party breaches any material term or condition and fails to cure such breach within thirty (30) days after written notice of the same, or (ii) the other party becomes the subject of a voluntary or involuntary petition in bankruptcy or any proceeding relating to insolvency, liquidation or receivership.

 3.2.          Termination Without Cause. At any time after the first year of the Term, Cvent may terminate this Agreement without cause by providing the Company at least sixty (60) days’ prior written notice.

 3.3.          Effect of Termination. Upon termination of this Agreement, (i) each party shall, upon request, immediately return to the other party all Confidential Information and data (including all copies thereof) then in the party’s possession or control including, without limitation, all technical materials and business plans supplied by the other party; (ii) Cvent shall pay Company for all unpaid Referral Fees and/or commissions, as applicable, accrued hereunder prior to and through the effective date of termination within sixty (60) days after the date of termination, (iii) all other rights and licenses of Company hereunder shall terminate, and Company shall obligations of the parties under this Agreement will terminate, and (iv) all other rights and obligations of the parties under this Agreement will terminate, except that neither party will be relieved of liability for such party’s breach of any of the provisions of this Agreement.  For the avoidance of doubt, termination of this Agreement pursuant to this Section 4 will not cancel or alter subscriptions existing between Cvent and Customers.

 3.4.          Right to Disable Service. Cvent may disable any listing in the Marketplace or the corresponding application if Cvent, in its sole discretion, determines that the listing or application adversely impacts Cvent’s Service or Cvent’s customers. Cvent support will notify Company and the Cvent Alliances team upon discovery of the adverse impact interruption in order to remedy the situation.

 4.     MARKETPLACE LISTING TECHNICAL TERMS.

4.1.          Overview. Company is responsible for evaluating and testing each Company Application as to its technology, functionality, performance, security, and user interface before the applicable Company Application is submitted to Cvent for review and listed on the Marketplace. Cvent reserves the right to conduct any type of review of all Company Applications and Consulting Services Listings. Cvent may adopt and change its Marketplace review standards and processes in its sole discretion. Company must submit each Company Application and Consulting Services Listing to Cvent for review or listing on the Marketplace. Company acknowledges that Company is solely responsible for, and that Cvent has no responsibility or liability of any kind for, the development, installation, operation, or maintenance of Company Applications or Company Consulting Services. Cvent reserves the right, for any reason at any time (as Cvent decides in its sole discretion), to refuse to list a Company Application or post a Consulting Services Listing on, and/or to remove any Company Applications or Consulting Services Listings from, the Marketplace.

 By using the Marketplace to list one or more Company Applications, Company agrees that Company will (i) ensure any user documentation relating to a Company Application accurately reflects its functionality, including detailed security controls and safeguards relating thereto, (ii) ensure Company’s user documentation accurately describes the applicable Company Application, including to what extent functionality resides within and outside Cvent Services, and (iii) maintain at all times a current privacy statement available on Company’s website which details Company’s collection, processing and handling of Company’s customer’s data, including any personally identifiable information relating to Company Application users. Company shall promptly notify Cvent and all users of each Company Application in writing prior to making any update to Company’s privacy policy and related disclosures associated with item (ii) above. 

 4.2.          Security Reviews. Cvent will conduct security evaluations of each Company or Non-Cvent Application (“Security Reviews”) prior to the Application being published on the Marketplace, which may include a qualitative assessment involving review of a questionnaire completed by Company, an interview with appropriate Company personnel, and/or security testing. Company agrees that all Company Applications or Non-Cvent Applications shall meet the security guidelines set forth in Schedule 1 below. Cvent conducts such Security Reviews for its own benefit and Company may not rely on, publicly disclose or promote, a Company Application's successful passage of such Security Review. Company shall not distribute a Company Application unless such Company Application has successfully passed the Security Review. There may be fees associated with such review. If the Company Application, in whole or in part, runs outside Cvent’s Services, security testing may include remote application-level security testing of the Company Application, and network-level security testing including a vulnerability threat assessment. Cvent may conduct such testing itself or through a third party. Cvent will provide reasonable notice to Partner before starting such testing. Cvent will cooperate reasonably with Company to mitigate the effects of such testing on Company’s business and operations. Company agrees to cooperate reasonably with such testing. Despite the foregoing, such testing may in rare cases cause downtime or other adverse effects on the Company Application or Company’s systems. Company agrees that Cvent and its agents or contractors conducting the testing will bear no responsibility or liability arising from such testing. Any of Company Confidential Information to which Cvent obtains access in the course of a Security Review will be subject to the Confidentiality provisions of the Agreement. 
Company acknowledges that if Company is not participating in the Marketplace Program with respect to a Company Application, any security review conducted by Cvent with respect to such Company Application will be considered null and void, unless otherwise agreed to in writing by Cvent. Cvent reserves the right to notify Customers that a Company Application is not listed on the Marketplace or otherwise enrolled in the Marketplace Program. Notwithstanding anything to the contrary contained herein, the status of Cvent’s review of a Company Application can be disclosed by Cvent at Cvent’s sole discretion.

 4.3.          Listing. As applicable, Company will provide functional specifications defining the capabilities of the Company Application to the Customer (as well as any third-party systems integrators engaged by customers) prior to Company promoting, marketing, or otherwise offering the Integration for use by Company customers. As applicable, Company agrees to support and maintain the Application for each of its customers (or assist Cvent in doing so for Cvent built integrations) for the term of the Agreement and for one hundred and eighty (180) days following termination or expiration of the Agreement.

 Without limiting any of Cvent’s other rights set forth herein, if Company submits for listing a Consulting Services Listing to the Marketplace, Company agrees that Cvent may do the following with respect to such listing: (i) collect and publish reviews related to Company’s Consulting Services; and (ii) publish on the Marketplace the number of completed consulting engagements Company has submitted to the Marketplace and the results of customer satisfaction surveys relating to the performance of such engagements with such results to be generally compiled and conveyed in the form of an average numerical overall Customer rating of Company’s services. Without limiting any of Cvent’s other rights set forth herein, for any Company Application listed on the Marketplace, Company agrees Cvent may (i) collect and publish reviews related to such Company Applications, and (ii) collect and publish additional data and metrics about Company Applications such as the number of installations of such Company Applications.

 4.4.          Documentation. As applicable, each party will provide documentation, functional and technical design documents, and other relevant documents useful in designing, creating and supporting the Application.

 4.5.          Updates. Should either party develop enhancements or updates to its Services that may materially impact an Application, then that party shall provide the other party and, if applicable, all customers using the Application, with prior notice and the opportunity to test and validate the integration with the updated Services prior to the updates and enhancements being put into production. For Company Applications, Company will make required modifications in its systems based on the changes to Cvent Services. If changes are required, Company will be responsible for any tests or validation needed to ensure that the Application will not be materially degraded in functionality or performance from the prior update. To the extent that the Application does suffer from material degradations in performance or functionality, then Company will use commercially reasonable efforts to remedy such defects prior to final Cvent update being placed into production at all Cvent customers. Company also commits to working with Cvent customers to resolve any specific material degradation in performance or functionality observed by specific customers.

 CVENT MAY IN ITS SOLE AND ABSOLUTE DISCRETION UPDATE OR DISCONTINUE ITS SERVICES AT ANY TIME UPON NOTICE TO COMPANY. IN NO EVENT SHALL CVENT BE LIABLE FOR ANY DAMAGES WHETHER DIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, CONSEQUENTIAL OR SIMILAR DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF CVENT’S UPDATES TO ITS SERVICES OR CVENT’S DISCONTINUATION OF ANY SERVICES.

 4.6.          Support. Each party will provide support as reasonably necessary to enable Customers to utilize the Company Application. For customers using any Application designed and built by Company, Company will provide first line support to all customers prior to escalating to Cvent’s support team.

 4.7.          Independent Development. Nothing in the Agreement will impair Cvent’s right to develop, acquire, license, market, promote or distribute products, software or technologies that perform the same or similar functions as, or otherwise compete with, any other products, software or technologies that Company may develop, produce, market, or distribute. In the absence of a separate written agreement to the contrary, Cvent will be free to use any information, suggestions or recommendations Company provides to Cvent pursuant to this Agreement for any purpose.

 4.8.          Reviews of Marketplace Applications by Company. The Marketplace allows Company to post reviews of Company Applications and other Applications. Any review by Company of any Application shall be made in good faith after reasonable evaluation of the full Marketplace Application. If Company posts a review of its Company Application, Company shall self-identify and disclose the fact that it is reviewing its own Application. If Company posts a review of a competitor's Application, Company shall self-identify and disclose the fact that Company publishes a competitive Application.

 5.     Warranties.

5.1.          Corporate. Each party represents and warrants that: (i) it is authorized to enter into this Agreement and perform its obligations hereunder, and (ii) that it is not party to any other agreement or under any obligation to any third party which would prevent it from entering into this Agreement or from performing its obligations hereunder, or require it to obtain any consent or permission with respect thereto. 

 5.2.          Compliance with Laws.  Each party agrees to comply with all applicable laws, rules, and regulations in connection with its activities under this Agreement.

 5.3.          Sanctions Compliance. Company and its subsidiaries, any director, officer, agent, employee, affiliate or any person associated with or acting on behalf of the Company or any of its subsidiaries, covenants it will not have any dealings with organizations or individuals that are subject to any sanctions administered by (a) the Office of Foreign Assets Control of the U.S. Department of the Treasury (“OFAC”) (including, but not limited to, the designation as a “specially designated national or blocked person” thereunder and sanctions pursuant to the U.S. Iran Sanctions Act of 1996, Public Law 104-172, as amended by the Comprehensive Iran Sanctions, Accountability, and Divestment Act of 2010, Public Law 111-195) or the U.S. Departments of State or Commerce in the United States, (b) any other relevant sanctions authority (collectively, “Sanctions”).

 5.4.          Disclaimer of Implied Warranties.  CVENT HEREBY DISCLAIMS ALL IMPLIED WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SATISFACTORY QUALITY, QUIET ENJOYMENT, DATA ACCURACY OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE,  AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.  CVENT DOES NOT GUARANTEE THAT COMPANY’S, CUSTOMERS’ OR CUSTOMER END USERS’ USE OF THE CVENT SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE.

 6.     Company’s Responsibilities.

6.1.          Company’s Assistance. Company will cooperate and work in good faith with Cvent, and provide all information reasonably requested by Cvent, in connection with Cvent’s enforcement of the Terms of Use, including investigation of any suspected violations of the Terms of Use by Company, or Customers.

 6.2.          Business Practices. Company will: (i) make no false or misleading representations with regard to Cvent or its products; (ii) make no representations, warranties or guarantees to third parties with respect to the specifications, features, or capabilities of Cvent Service that are inconsistent with the then-current marketing literature supplied by Cvent; and (iii) not represent that it is acting as an agent of Cvent or otherwise on behalf of Cvent.

 6.3.          Non-Circumvention. Company shall not, for itself or others, urge any customers of Cvent to discontinue, in whole or in part, its business with Cvent, or not to do business with Cvent. Company agrees that its breach of this provision will result in irreparable harm to Cvent for which damages may not be a sufficient remedy and that Cvent will be entitled to seek equitable relief including, without limitation, specific performance and/or injunctive relief, without the necessity of posting a bond or other surety.

 6.4.          Non-Disparagement. Company agrees that neither it nor any of its employees or representatives shall at any time make, publish, or communicate to any person or entity or in any public forum any disparaging remarks, comments, or statements concerning Cvent or its Services now or in the future.

 7.     Confidentiality.

7.1.          Confidential Information. As used herein, “Confidential Information” means all confidential information disclosed by a Party (“Disclosing Party”) to the other Party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information of Company shall include Company data; Confidential Information of Cvent shall include the source code related to Product and Services and customer data provided directly to Cvent by a Customer or Customer End User; Confidential Information of each Party shall include the terms and conditions of this Agreement and all Exhibits and attachments, as well as business and marketing plans, technology and technical information, product plans and designs, and business processes disclosed by such Party. However, Confidential Information shall not include any information that (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party, (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party, (iii) is received from a third party without breach of any obligation owed to the Disclosing Party, or (iv) was independently developed by the Receiving Party.

 7.2.          Nondisclosure Period. During the term of this Agreement and for five (5) years thereafter, the Receiving Party shall not disclose or use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement, except with the Disclosing Party’s prior written permission.

 7.3.          Obligations. Except as otherwise permitted in writing by the Disclosing Party, (i) the Receiving Party shall use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but in no event less than reasonable care) not to disclose any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement, and (ii) the Receiving Party shall limit access to Confidential Information of the Disclosing Party to those of its employees, contractors and agents who need such access for purposes consistent with this Agreement and who have signed confidentiality agreements with the Receiving Party containing protections no less stringent than those herein. Additionally, Cvent shall provide prompt notification to Company of any unauthorized access to or disclosure of Company or Customer Confidential Information.  

 7.4.          Compelled Disclosure. If the Receiving Party is compelled by law to disclose Confidential Information of the Disclosing Party, it shall provide the Disclosing Party with prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure. If the Receiving Party is compelled by law to disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to such Confidential Information.

 7.5.          Remedies. If the Receiving Party discloses or uses (or threatens to disclose or use) any Confidential Information of the Disclosing Party in breach of confidentiality protections hereunder, the Disclosing Party shall have the right, in addition to any other remedies available to it, to seek injunctive relief to enjoin such acts, it being specifically acknowledged by the Parties that any other available remedies are inadequate.

 7.6.          Return of Materials. Upon the written request of Company (i) at any time during the Term of this Agreement, or (ii) within thirty (30) days after the expiration or termination of this Agreement, Cvent will deliver to Company or destroy and certify destruction (at Company’s election) all Company Confidential Information.

 8.     Proprietary Rights.

8.1           Cvent Marks. Cvent hereby grants Company a limited, revocable, royalty-free, non-exclusive, non-transferable license to use the Cvent Marks designated by Cvent from time to time during the Term, all in accordance with Cvent’s usage guidelines communicated to Company in writing with respect thereto, solely for the purposes of exercising its rights under this Agreement; provided that any use of the Cvent Marks shall require the prior written consent of Cvent.  Cvent will retain all goodwill and all other rights thereto, and Company will obtain no goodwill or any other rights thereof as a result of the use of the Cvent Marks.

 8.2           Cvent Services. The Cvent Services are and will remain the sole and exclusive property of Cvent and its suppliers, if any, whether the Cvent Services are separate or integrated with any other services or products, or if modified by Company in any way.  Cvent’s rights under this subsection include, but are not limited to, all Intellectual Property Rights in the Cvent Services.  Company will not delete or in any manner alter the Intellectual Property Rights notices of Cvent and its suppliers, if any, appearing in the Cvent Services or any documentation or other materials provided in connection therewith.  Company shall use its reasonable efforts to protect Cvent’s Intellectual Property Rights in the Cvent Services and promptly shall report to Cvent any infringement of such rights of which Company becomes aware.  Cvent reserves the sole and exclusive right, exercisable at its discretion, to assert claims against any party for infringement or misappropriation of its Intellectual Property Rights in the Cvent Services.

 8.3           Company Marks. Company hereby grants Cvent a royalty-free, non-exclusive, non-transferable license to use the Company Marks designated by Company from time to time during the Term, all in accordance with Company’s usage guidelines communicated to Cvent in writing with respect thereto, solely for the purposes of exercising its rights under this Agreement; provided that any use of the Company Marks shall require the prior written consent of Company.  Company will retain all goodwill and all other rights thereto, and Cvent will obtain no goodwill or any other rights thereof as a result of the use of the Company Marks.

 8.4           Company Products. Cvent acknowledges that Company retains all intellectual property rights, including but not limited to, all copyright, trademark, trade secret, and patent rights, in the Company Products, any modifications thereto, related documentation and marketing materials, regardless of (i) whether such intellectual property notices appear on the materials or (ii) whether such intellectual property notices have been filed with governmental agencies. Nothing in this Agreement shall directly or indirectly be construed to assign or grant to Cvent any right, title or interest in the Company Products or any intellectual property rights relating thereto.

 8.5           Freedom of Action. Either party shall be free to use, royalty-free, in the performance of its products and services, any Know-How learned by involvement in the development of any integration with the other party; provided, however, that nothing herein shall give a party the right to use any copyrighted or patented materials belonging to the other party. Nothing in this Agreement restricts either party in its ability to develop (whether on its own or with others), distribute, market or promote applications, services, products or software similar to the other party’s applications, services, products or software.

 9.     Indemnification. Company agrees to defend, indemnify, and hold Cvent and its officers, directors, employees, agents, and affiliates (each a “Cvent Indemnitee”) harmless from and against any third party claims against a Cvent Indemnitee for losses, liabilities, damages and expenses, including the fees of attorneys and other professionals, arising out of (a) provision of Company’s products or services; (b) any negligent acts or omissions of Company in connection with its activities under this Agreement; (c) any warranty made by Company, its employees or agents relating to the Cvent Services that is inconsistent with policies or specifications provided in writing by Cvent; (d) any claims by Customers relating to Company’s services or arising from the agreements between Company and Customers and/or Customer End Users; (e) any claims of infringement of a third party’s intellectual property rights against the Company’s products or services; or (f) breach of any representation, warranty, covenant or agreement of Company in each case, other than to the extent such losses arose as a result of: (i) the negligent acts, errors or omissions, or intentional misconduct of Cvent and its officers, directors, employees and affiliates; or (ii) a material breach of this agreement by Cvent.

 10.  Limitations of Liability. IN NO EVENT SHALL EITHER PARTY, ITS DIRECTORS, OFFICERS, EMPLOYEES, CONTRACTORS OR AGENTS BE LIABLE FOR ANY INCIDENTAL, PUNITIVE, SPECIAL, OR CONSEQUENTIAL DAMAGES, LOST PROFITS OR ANTICIPATED PROFITS, OR LOST DATA, OR ANY OTHER INDIRECT DAMAGES, WHETHER ARISING IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, EVEN IF A PARTY HAS BEEN INFORMED OF THE POSSIBILITY THEREOF.  EXCEPT FOR COMPANY’S INDEMNIFICATION OBLIGATIONS, A BREACH OF SECTION 9.1 (CVENT MARKS) BY COMPANY, AND ANY PAYMENT OBLIGATIONS HEREUNDER, THE AGGREGATE LIABILITY OF EITHER PARTY WITH RESPECT TO THIS AGREEMENT SHALL NOT EXCEED FEES PAID OR PAYABLE HEREUNDER DURING THE TWELVE MONTH PERIOD IMMEDIATELY PRECEDING WHEN THE CLAIM FIRST ARISES. THIS LIMITATION OF LIABILITY IS CUMULATIVE AND NOT PER INCIDENT. THE FOREGOING LIMITATIONS SHALL APPLY NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY STATED HEREIN.

 11.  Miscellaneous.

11.1         Governing Law. This Agreement shall be governed in all respects by the laws of the Commonwealth of Virginia without giving effect to the principles of conflict of law. The parties hereby agree to the exclusive jurisdiction of the courts of Virginia and United States courts located in Fairfax County, Virginia for the purpose of any action or proceeding brought by either in connection with this Agreement.  The UN Convention on the International Sale of Goods shall not apply to this Agreement.

11.2         No Waiver. No waiver of rights under this Agreement by either party shall constitute a subsequent waiver of such right or any other right under this Agreement.

11.3         Publicity. Customer agrees that Cvent may use Customer’s name and logo to identify Customer as a customer of Cvent on Cvent’s website, in investor documents (whether or not filed with the Securities and Exchange Commission), and as a part of a general list of Cvent’s customers for use and reference in Cvent’s corporate and marketing literature.

11.4         Assignment. This Agreement may not be assigned or transferred by either party without the prior written consent of the other party.  Any attempted assignment without such consent will be void.  Notwithstanding the foregoing, either party may assign its rights and obligations under this Agreement, in whole but not in part, without the other party’s permission, in connection with any merger, consolidation, sale of all or substantially all of such assigning party’s assets, or any other similar transaction; provided, that the assignee provides prompt written notice of such assignment to the other party, the assignee agrees to be bound by the terms and conditions of this Agreement, and the assignee is capable of fully performing the obligations of the assignor under this Agreement.

11.5         Severability.  In the event that any of the terms of this Agreement become or are declared to be illegal or otherwise unenforceable by any court of competent jurisdiction, such term(s) shall be null and void and shall be deemed deleted from this Agreement.  All remaining terms of this Agreement shall remain in full force and effect.

11.6         No Agency or Joint Venture.  The parties agree and acknowledge that the relationship of the parties is in the nature of an independent contractor.  This Agreement shall not be deemed to create a partnership or joint venture and neither party is the other’s agent, partner, employee, or representative.  Neither party has the right or authority to, and shall not, assume or create any obligation of any nature whatsoever on behalf of the other party or bind the other party in any respect whatsoever.

11.7         No Third Party Beneficiary.  It is the intention of the parties that no person or entity other than Cvent and Company or their permissible assigns is or shall be entitled to bring any action to enforce any provision of this Agreement against either of the parties, and the covenants, undertakings and agreements set forth herein shall be solely for the benefit of, and shall be enforceable only by, the parties hereto or their respective successors and assigns as permitted hereunder.

11.8         Survival.  The clauses of this Agreement which by their nature should survive termination or expiration of this Agreement shall survive such termination or expiration. 

11.9         Entire Agreement. This Agreement is the complete agreement between the parties hereto concerning the subject matter of this Agreement and replaces any prior oral or written communications between the parties.  This Agreement may only be modified by a written document executed by the parties hereto.

11.10      Force Majeure. Except for payment obligations hereunder, neither party shall be liable for any delay or failure in performance due to events outside such party’s reasonable control, including without limitation acts of God, terrorism, denial of service attack, earthquake, governmental acts, criminal acts, labor disputes, utility failures, shortages of supplies, riots, war, fire, epidemics, or delays of common carriers.  The obligations and rights of the excused party shall be extended on a day-to-day basis for the time period equal to the period of the excusable delay.

11.11      Notices. All notices required or permitted under this Agreement will be in writing, in English, and will be deemed given: (a) when delivered personally; (b) when sent by email to the designated contact (followed by confirmation of receipt by telephone); (c) three (3) days after having been sent by registered or certified mail, return receipt requested, postage prepaid (or six (6) days for international mail); or (d) one (1) day after deposit with a commercial express courier specifying next day delivery (or two (2) days for international courier packages specifying 2-day delivery), with written verification of receipt.  All communications will be sent to the addresses set forth on the last page of this Agreement or such other address as may be designated by a party by giving written notice to the other party pursuant to this paragraph.

Schedule 1

Guidelines for API Security

1

HTTPS: Secure REST services must only provide HTTPS endpoints

2

Access Control: Non-public REST services must perform access control at each API endpoint. Web services in monolithic applications implement this by means of user authentication, authorization logic and session management. 

·       In order to minimize latency and reduce coupling between services, the access control decision should be taken locally by REST endpoints

·       User authentication should be centralized in an Identity Provider (IdP), which issues access tokens

3

JSON Web Tokens (JWT): Ensure JWTs are integrity protected by either a signature or a MAC. Do not allow unsecured JWTs: {"alg":"none"}.

In general, signatures should be preferred over MACs for integrity protection of JWTs.
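The check described in item 3, as an added example that is not part of the original guidelines: the verifier pins its own algorithm allow list, so a token whose header says "none" (in any letter case) is rejected before any integrity check runs. It assumes HS256 (a MAC) only so that it runs on the Python standard library; `make_token`, `verify_jwt`, `ALLOWED_ALGS` and the sample key are names chosen for this example.

```python
import base64
import hashlib
import hmac
import json

# Assumption for this example: only HS256 (a MAC) is accepted, so the code
# needs nothing beyond the standard library. A signature algorithm is pinned the same way.
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_token(header: dict, claims: dict, key: bytes = b"") -> str:
    """Build a constructed sample token; a MAC is attached only for HS256."""
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    tag = b""
    if header.get("alg") == "HS256":
        tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(tag)


def verify_jwt(token: str, key: bytes) -> dict:
    """Return the claims, or raise ValueError if the token is not integrity protected."""
    try:
        header_b64, payload_b64, tag_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        tag = _b64url_decode(tag_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    # The verifier, not the token, decides which algorithms are acceptable.
    # An exact allow-list match rejects "none" and variants such as "None" or "nOnE".
    alg = header.get("alg") if isinstance(header, dict) else None
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad MAC")
    return json.loads(_b64url_decode(payload_b64))
```
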

4

API Keys: Ensure that API Keys are not issued to third-party clients as they are relatively easy to compromise.

5

Restrict HTTP methods: Apply an allow list of permitted HTTP methods, e.g. GET, POST, PUT, and restrict users from using DELETE or PUT on protected APIs or resources.

6

Input validation:

·       Do not trust input parameters/objects.

·       Validate input: length / range / format and type.

·       Achieve an implicit input validation by using strong types like numbers, booleans, dates, times or fixed data ranges in API parameters.

·       Constrain string inputs with regexps.

·       Reject unexpected/illegal content.

·       Make use of validation/sanitation libraries or frameworks in your specific language.

·       Define an appropriate request size limit and reject requests exceeding the limit with HTTP response status 413 Request Entity Too Large.

·       Consider logging input validation failures. Assume that someone who is performing hundreds of failed input validations per second is up to no good.

·       See the input validation cheat sheet for a comprehensive explanation.

·       Use a secure parser for parsing the incoming messages. If you are using XML, make sure to use a parser that is not vulnerable to XXE and similar attacks
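The input validation bullets in item 6 applied to one JSON request body, as an added example that is not part of the original guidelines: size limit with 413, strong types, a regexp-constrained string, rejection of unexpected fields, and a logged failure. The field names, the 4096-byte limit and the code format are assumptions made for this example.

```python
import json
import logging
import re
from datetime import date

log = logging.getLogger("api.validation")
MAX_BODY_BYTES = 4096                      # assumed request size limit
CODE_RE = re.compile(r"[A-Z0-9]{6}")       # hypothetical booking-code format
FIELDS = {"code", "guests", "start_date"}  # hypothetical request schema


def validate_request(raw_body: bytes, client: str):
    """Return (http_status, parsed_fields_or_error) for a JSON request body."""
    if len(raw_body) > MAX_BODY_BYTES:
        return _reject(413, "request too large", client)
    try:
        body = json.loads(raw_body)
    except (ValueError, RecursionError):   # bad JSON, bad encoding, or absurd nesting
        return _reject(400, "body is not valid JSON", client)
    if not isinstance(body, dict) or set(body) != FIELDS:
        return _reject(400, "unexpected or missing fields", client)
    code, guests, start = body["code"], body["guests"], body["start_date"]
    # fullmatch anchors both ends, so a trailing newline cannot slip through.
    if not isinstance(code, str) or not CODE_RE.fullmatch(code):
        return _reject(400, "code has wrong format", client)
    # bool is a subclass of int in Python, so exclude it explicitly.
    if type(guests) is not int or not 0 <= guests <= 10:
        return _reject(400, "guests out of range", client)
    try:
        start = date.fromisoformat(start)
    except (TypeError, ValueError):
        return _reject(400, "start_date is not a date", client)
    return 200, {"code": code, "guests": guests, "start_date": start}


def _reject(status: int, reason: str, client: str):
    # Log only the fixed reason and the client id, never the raw input.
    log.warning("input validation failed client=%s reason=%s", client, reason)
    return status, {"error": reason}
```
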

7

Validate content types:

A REST request or response body should match the intended content type in the header. Otherwise this could cause misinterpretation at the consumer/producer side and lead to code injection/execution.

 

·       Document all supported content types in your API.

8

Send safe response content types:

·       Do NOT simply copy the Accept header to the Content-type header of the response.

·       Reject the request (ideally with a 406 Not Acceptable response) if the Accept header does not specifically contain one of the allowable types.

·       Ensure sending intended content type headers in your response matching your body content e.g. application/json and not application/javascript.
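One way to implement the rules in item 8, as an added example that is not part of the original guidelines: the response type is always taken from the server's own allow list, and a request whose Accept header does not name one of those types gets 406. The allow list is hypothetical, and treating wildcards and a missing header as non-matching is this example's reading of "specifically contain".

```python
SUPPORTED_TYPES = ("application/json", "application/xml")  # hypothetical allow list


def parse_accept(header: str):
    """Parse an Accept header into (media_type, q) pairs."""
    ranges = []
    for item in header.split(","):
        media_type, *params = [p.strip() for p in item.split(";")]
        q = 1.0
        for param in params:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # unparsable weight: treat the range as unusable
                if not 0.0 <= q <= 1.0:  # also catches NaN and infinity
                    q = 0.0
        if media_type:
            ranges.append((media_type.lower(), q))
    return ranges


def choose_response_type(accept_header):
    """Return (status, content_type); content_type is always one of SUPPORTED_TYPES."""
    best, best_q = None, 0.0
    for media_type, q in parse_accept(accept_header or ""):
        # Exact match against the allow list: the client's value is compared,
        # never copied into the response. q=0 means "not acceptable".
        if media_type in SUPPORTED_TYPES and q > best_q:
            best, best_q = media_type, q
    if best is None:
        return 406, None
    return 200, best
```
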

9

Management endpoints:

·       Avoid exposing management endpoints via Internet.

·       If management endpoints must be accessible via the Internet, make sure that users must use a strong authentication mechanism, e.g. multi-factor.

·       Expose management endpoints via different HTTP ports or hosts preferably on a different NIC and restricted subnet.

·       Restrict access to these endpoints by firewall rules or use of access control lists

10

Error handling

·       Respond with generic error messages - avoid revealing details of the failure unnecessarily.

·       Do not pass technical details (e.g. call stacks or other internal hints) to the client.

11

Audit logs

·       Write audit logs before and after security related events.

·       Consider logging token validation errors in order to detect attacks.

·       Take care of log injection attacks by sanitizing log data beforehand.
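The log sanitizing step from item 11, as an added example that is not part of the original guidelines: client-controlled values are escaped and length-capped before they reach an audit line, so a value containing a line break cannot start a second, forged entry. The `key="value"` line format, the 200-character cap and the function names are assumptions made for this example.

```python
import unicodedata

MAX_FIELD_LEN = 200  # assumed cap on a single logged value
# Control, format, line-separator and paragraph-separator characters.
UNSAFE_CATEGORIES = {"Cc", "Cf", "Zl", "Zp"}


def sanitize_log_value(value) -> str:
    """Escape characters that could break or disguise a single-line log entry."""
    out = []
    for ch in str(value)[:MAX_FIELD_LEN]:
        if ch in '\\"':
            # Escape the escape character and the field delimiter themselves,
            # so the escaped form stays unambiguous.
            out.append("\\" + ch)
        elif unicodedata.category(ch) in UNSAFE_CATEGORIES:
            # CR, LF, ESC, U+2028 etc. become visible text such as \n or \u2028.
            out.append(ch.encode("unicode_escape").decode("ascii"))
        else:
            out.append(ch)
    return "".join(out)


def audit_line(event: str, **fields) -> str:
    """Format one audit entry; `event` is a constant chosen by the developer."""
    parts = [f'{name}="{sanitize_log_value(value)}"'
             for name, value in sorted(fields.items())]
    return f"event={event} " + " ".join(parts)
```
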

12

Security Headers

·       There are a number of security related headers that can be returned in the HTTP responses to instruct browsers to act in specific ways. However, some of these headers are intended to be used with HTML responses, and as such may provide little or no security benefits on an API that does not return HTML.

 

The following headers should be included in all API responses:

  • Cache-Control: no-store - To prevent sensitive information from being cached.
  • Content-Security-Policy: frame-ancestors 'none' - To protect against drag-and-drop style clickjacking attacks.
  • Content-Type - To specify the content type of the response. This should be application/json for JSON responses.
  • Strict-Transport-Security - To require connections over HTTPS and to protect against spoofed certificates.
  • X-Content-Type-Options: nosniff - To prevent browsers from performing MIME sniffing, and inappropriately interpreting responses as HTML.
  • X-Frame-Options: DENY - To protect against drag-and-drop style clickjacking attacks.

13

Cross-Origin Resource Sharing (CORS):

·       Disable CORS headers if cross-domain calls are not supported/expected.

·       Be as specific as possible and as general as necessary when setting the origins of cross-domain calls.

14

Sensitive information in HTTP requests:
RESTful web services should be careful to prevent leaking credentials. Passwords, security tokens, and API keys should not appear in the URL, as this can be captured in web server logs, which makes them intrinsically valuable.

In POST/PUT requests sensitive data should be transferred in the request body or request headers.
In GET requests sensitive data should be transferred in an HTTP Header.

OK:
https://example.com/resourceCollection/[ID]/action
https://twitter.com/vanderaj/lists

NOT OK:
https://example.com/controller/123/action?apiKey=a53f435643de32 because the API key is in the URL.

15

HTTP Return Code

·       HTTP defines status codes. When designing a REST API, don't just use 200 for success or 404 for error. Always use the semantically appropriate status code for the response.