SONARQUBE SERVER

Terms and conditions

Last updated May 12, 2025

This Agreement is entered into by and between SonarSource and Customer to govern Customer’s installation and use of SonarQube Server Products and related Support. 


1. DEFINITIONS


  1. “Active Version” means (i) the most recent version of the Product; (ii) the version preceding the most recent version of the Product; (iii) the most recent LTA version of the Product; or (iv) the LTA version preceding the most recent LTA version of the Product, but only for a 6-month period after the most recent LTA version is released.
  2. “Agreement” means these SonarQube Server Terms and Conditions.
  3. “Authorized Contact(s)” means the person or group of people Customer designates to contact SonarSource for Support.
  4. “Authorized Use” means Customer’s installation and operation of a Product to analyze code on each SonarQube Server Instance for which it has obtained a License Key.
  5. “Customer” means the entity or person that has purchased a License for a Product or Support, or who will be using the License in accordance with their Authorized Use. The term “Customer” when interpreting the scope of a License or Authorized Use includes affiliates of Customer, as well as any persons granted access to a Product by Customer or its affiliates for their Authorized Use.
  6. “Commencement Date” means the date that SonarSource sends a License Key to Customer.
  7. “Community Build” means the open-source SonarQube Server and SonarQube for IDE software that is available free of charge under a GNU Lesser GPL license (Version 3) via the Website. The Community Build is not covered by this Agreement.
  8. “Data Processing Addendum” means the SonarSource data processing addendum referenced in Section 6.
  9. “Documentation” means the official user documentation prepared and provided by SonarSource to Customer on the use of the Products (as updated from time to time). For the avoidance of doubt, any online community site, unofficial documentation, videos, white papers, related media, or feedback do not constitute Documentation.
  10. “Intellectual Property” means all present and future intellectual and industrial property rights, whether obtained or conferred by registration, automatically, by statute, by common law or in equity; and wherever existing or created.
  11. “License” means a license for Customer to use a Product for an approved SonarQube Server Instance for a set period of time from the Commencement Date, subject to this Agreement.
  12. “License Key” means the key that SonarSource provides to activate the Product for a specified period of time on a specified SonarQube Server Instance in accordance with its License.
  13. “Lines of Code” means the addition of the lines of code for each project analyzed in a SonarQube Server Instance. The lines of code of a project are found by the SonarQube Server software during the analysis of a project by counting the lines of code of the largest branch analyzed for that project. They are not cumulative when the same project is re-analyzed.
  14. “LTA” means the then-current long-term Active Version of a Product, as described on the Website.
  15. “Party” means SonarSource or Customer individually, and “Parties” means SonarSource and Customer together.
  16. “Personal Data” means any information relating to an identified or identifiable natural person, or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information”, or similar terms as defined in applicable data protection law.
  17. “Product” means a commercial edition of the SonarQube Server software that SonarSource offers for a fee, as listed on the Website. The Community Build is not a Product under this definition.
  18. “SonarQube Server Instance” means the server that Customer identifies to be licensed under this Agreement.
  19. “SonarSource” means SonarSource SA, a Swiss company registered in Switzerland under UID No. CHE-114.587.664 with a mailing address of P.O. Box 765, CH-1215, Geneva 15, Switzerland.
  20. “Support” means access to SonarSource’s online support offering, as described on the Website.
  21. “Updates” means all new features, improvements, or bug fixes that are provided for a Product.
  22. “Website” means SonarSource’s website at www.sonarsource.com and its sub-domain webpages.


2. PRODUCT EVALUATION


Customer may request a temporary License Key to evaluate a Product for a trial period prior to purchasing. SonarSource may accept or decline such a request at its own discretion.


3. SUPPORT


If Customer has purchased Support or is otherwise entitled to receive Support based on the License that Customer has purchased, SonarSource will provide Support in accordance with the Support terms set forth on the following page of the Website: https://www.sonarsource.com/legal/support-terms/. In order to receive Support, Customer must operate an Active Version of the Product.


4. DELIVERY AND PAYMENT


(a) Promptly following Customer’s purchase of a License, SonarSource will provide Customer with a License Key.


(b) SonarSource will generally invoice Customer at the time it provides a License Key. Customer shall pay undisputed invoices (plus any applicable VAT or sales tax) by an electronic funds transfer to be received in SonarSource’s account within thirty (30) days of receipt unless the Parties have agreed otherwise in writing. If an invoice is not timely settled in full, SonarSource may, at its reasonable discretion:


     (i) deactivate any License Key upon five (5) business days’ prior notice;


     (ii) stop providing Support; and


     (iii) terminate this Agreement for cause in accordance with Section 14.


(c) Any payment, once received, is non-refundable, subject to any other specific provisions in this Agreement.


(d) If Customer purchases through an authorized reseller, then Section 4(b) and 4(c) will not apply and all payment, invoicing, and credit terms for the purchase will be as agreed between Customer and the authorized reseller.


5. INTELLECTUAL PROPERTY RIGHTS


(a) Subject to the terms, conditions, and limitations of this Agreement, SonarSource grants Customer a worldwide, non-exclusive, non-transferable, non-sublicensable and revocable License for (i) the Authorized Use of a Product on the SonarQube Server Instance for which the License was purchased, (ii) the testing, staging, and disaster recovery of a Product on a separate SonarQube Server Instance, (iii) the use of the information a SonarQube Server Instance generates about a project, while that project is active in the SonarQube Server Instance, and (iv) if purchased or included, the receipt by an Authorized Contact of Support for a qualifying Product. The License is limited to a maximum Lines of Code and an annual term. No rights, licenses or warranties are provided to any of SonarSource’s Intellectual Property rights, save as are covered by the License to use any Products and receive any Support that are provided for by this Agreement. Customer undertakes to comply with and not to challenge or misuse any of SonarSource’s Intellectual Property rights.


(b) SonarSource shall defend Customer and its officers, directors, and employees (“Customer Parties”) against any third-party claim that a Product infringes or misappropriates a third-party’s Intellectual Property right (“IP Claim”). SonarSource shall indemnify Customer Parties against any damages finally awarded to the third party making the IP Claim, and all penalties, fines, and reasonable third-party costs (including reasonable attorneys’ fees) paid by Customer Parties to the extent arising out of an IP Claim (collectively, “IP Losses”). SonarSource’s obligations under this Section 5(b) shall not apply to the extent an IP Claim is based on or arises from (i) a combination or use of a Product with hardware, software, or other materials not provided by SonarSource; (ii) the modification of a Product by anyone other than SonarSource or its authorized agents; (iii) the use of a Product not in accordance with its documentation or this Agreement; (iv) Customer’s breach of this Agreement; or (v) a Customer Party’s negligence, fraud, or willful misconduct. 


(c) In the event of an IP Claim, SonarSource shall be entitled, at its own expense and option, to either (i) procure the right for Customer to continue utilizing the Product features at issue; (ii) modify the Product to render the Product non-infringing; or (iii) replace the Product with an equally suitable, functionally equivalent, compatible, non-infringing product. SonarSource’s obligation to defend and indemnify requires that (a) Customer give notice to SonarSource of any IP Claim immediately upon becoming aware of the same; (b) Customer give SonarSource the sole right to conduct the defense of any claim or action, or the negotiation of any settlement, in respect of an IP Claim and does not at any time admit liability or otherwise settle or compromise or attempt to settle or compromise the IP Claim except upon the express written instructions of SonarSource; and (c) Customer act in accordance with SonarSource’s reasonable instructions and gives SonarSource assistance as it shall reasonably require in respect of the conduct of the defense, including the filing of all pleadings and other court processes and the provision of all relevant documents. Sections 5(b) and 5(c) set forth Customer’s sole and exclusive remedy from SonarSource for any IP Claim.


6. PERSONAL INFORMATION


Customer may choose to disclose the name and work email address of certain of its employees in connection with this Agreement. Customer acknowledges that any Personal Data that Customer (or others acting on Customer’s behalf) provide for the purpose of performance of this Agreement will be processed in accordance with the SonarSource Privacy Statement and the Data Processing Addendum.


7. CONFIDENTIALITY


“Confidential Information” means all non-public information, materials, documentation, or data, relating to a Party’s business, which is disclosed by one Party (“Discloser”), or received by the other Party (“Recipient”), in connection with this Agreement, and which is clearly identified or marked as confidential or proprietary at the time of delivery to Recipient or which a reasonable person would understand to be confidential or proprietary. Recipient undertakes to (i) protect the confidentiality of the Confidential Information with at least the same degree of care as it applies to its own Confidential Information of a similar nature, but in no event less than a reasonable degree of care; (ii) only use Confidential Information for purposes consistent with its rights and obligations under this Agreement; (iii) not reverse engineer or decompile Confidential Information; and (iv) not disclose Confidential Information to any third-party other than its employees, consultants, vendors or advisors who have a need to know and who are bound by confidentiality and non-use obligations no less restrictive than those set forth herein. Confidential Information shall not include any information which: (a) Recipient already knew at the time of disclosure; (b) is generally available to the public or becomes publicly known through no wrongful act of Recipient; (c) Recipient received from a third-party who had a legal right to provide it; and/or (d) Recipient developed independently of any knowledge of or access to any of Discloser’s Confidential Information. Either party may disclose Confidential Information if required by law or regulatory authorities, provided that, so far as it is lawful to do so, Recipient gives prompt notice to Discloser, so that Discloser may contest the requirement to provide such information. Upon Discloser’s written request, Recipient will return or destroy all Confidential Information in Recipient’s possession within thirty (30) days of the request.
Recipient may retain a limited number of electronic copies of the Confidential Information to comply with applicable law, and as may be automatically created, maintained, and destroyed by its standard backup processes and systems. Recipient will remain bound by its confidentiality obligations for any copies retained.


8. CUSTOMER’S OBLIGATIONS


(a) Customer shall at all times:


     (i) ensure that only Customer’s Authorized Contact requests Support and only for Customer’s benefit;


     (ii) ensure that all Products are used only as expressly permitted in this Agreement;


     (iii) advise SonarSource in writing within thirty (30) calendar days if Customer becomes aware of any person’s unauthorized use or distribution of a Product;


     (iv) verify and take sole responsibility for ensuring that the version of any Product that it is using or intends to use is compatible with the SonarQube Server Instance it was obtained for; 


     (v) only use an unmodified version of a Product that was downloaded from the Website or from an authorized third party as indicated on the Website;


     (vi) only use a License Key that was provided by SonarSource;


     (vii) report the discovery of any violations of this Agreement to SonarSource in writing, within thirty (30) calendar days of discovering a violation;


     (viii) prohibit, by appropriate measures, any unauthorized resale, access to, or use of any Product on any other SonarQube Server Instances than the one for which a License was obtained; 


     (ix) only use Products and Support in compliance with applicable law; and


     (x) ensure its agents, employees, consultants and subcontractors comply with this Agreement, as applicable.


(b) Customer is responsible for its own use of Products and for verifying the absence of any viruses, spyware, or malicious programming in its own server environment.


(c) Customer must not:


     (i) decompile, reverse engineer, disassemble, modify, adapt, create derivative works from, or otherwise attempt to derive such information from any Product;


     (ii) sell, resell, sublicense, redistribute, reproduce, transmit, circulate, disseminate, translate, or reduce to or from any electronic medium or machine-readable form any Product, or any portion or derivative of a Product, whether in whole or in part;


     (iii) vary or amend any Authorized Use;


     (iv) publish, promote, broadcast, circulate or otherwise seek to make any commercial use of SonarSource’s name, trade name, trademarks, service marks or logo, without SonarSource’s prior written consent;


     (v) whether through deliberate or negligent act or act of omission of its employees, consultants, or subcontractors or otherwise, resell, distribute, or cause the distribution of any Product to any third party other than for an Authorized Use, or use any Product on any SonarQube Server Instance other than the SonarQube Server Instance for which it was originally Licensed (in which case separate Products should be bought for those other SonarQube Server Instances);


     (vi) use the Product to analyze code outside of its SonarQube Server Instance, which is not already analyzed in its SonarQube Server Instance;


     (vii) use the information a SonarQube Server Instance generated about a project, unless that project is active in the SonarQube Server Instance; 


     (viii) use any Products that have been modified by anyone other than SonarSource or its authorized agents; 


     (ix) disclose, publish, or otherwise make publicly available any benchmark, comparative, or performance tests or evaluations on the Product without the express written permission of Company; or 


     (x) perform, or direct any third party to perform, any benchmark, comparative, or performance tests or evaluations on the Product for competitive advantage;


     (xi) employ, use, or engage artificial intelligence technology that is not part of the Products to ingest, interpret, analyze, train on, or interact with the data provided by the Products, or to engage with the Products in any manner, without the prior written consent of SonarSource; or


     (xii) enhance, augment, or improve data provided by the Products without the prior written consent of SonarSource.


9. REPRESENTATIONS AND WARRANTIES


SonarSource represents and warrants to the best of its knowledge and belief that the Products will substantially perform in accordance with the Documentation and do not contain any computer code that:


     (a) is designed to disrupt, disable, harm, modify, spy on, delete or otherwise impede in any manner, including aesthetic disruptions or distortions, the operations of any of Customer’s software, firmware, hardware, computer systems or networks (sometimes referred to as “viruses” or “worms”);


     (b) would disable the Products or Customer’s systems or impair their operation based on the elapsing of time or for exceeding the maximum numbers of Lines of Code during the effective period of any License; or


     (c) would permit SonarSource or any third party to access a Product or Customer’s systems, whether or not to cause disablement or impairment (sometimes referred to as “trap doors,” “access codes” or “back door” devices).


10. DISCLAIMER


Save as expressly provided otherwise in this Agreement and to the maximum extent permitted by applicable law:


(a) all Products and Support are provided on an “as is” basis and on an “as available” basis without any warranties or representations, whether express or implied, oral, or written, of any kind or nature, including, but not limited to, any warranties of quality, performance, reliability, security, non-infringement, merchantability, or fitness for any particular purpose, and SonarSource expressly excludes any such warranties, representations or implications that a Product will be error-free, complete, operate without interruption, or operate correctly with any given product, system or specifications of Customer; and


(b) SonarSource makes no guarantee as to the availability of its Products and Support, and SonarSource shall not be responsible for any loss resulting from the loss or deletion of any data or information resulting from the use of any Products or Support, or any network or system outages, file corruptions, or for any other alleged consequences of having used any Products or Support.


11. LIMITATION OF LIABILITY


(a) Save for either Party’s willful breach of this Agreement or gross negligence, or an infringement by either Party of the other Party’s Intellectual Property, neither Party will be liable for any lost profits nor for any special, indirect, incidental, or consequential damages, costs, or expenses, regardless of the form of action, even if such Party is advised of the possibility of such damages in advance. 


(b) Save for either Party’s willful breach of this Agreement or gross negligence, an infringement by either Party of the other Party’s Intellectual Property, or IP Losses under Section 5, in no event will SonarSource’s aggregate liabilities under any claims arising out of this Agreement exceed the fees Customer paid under this Agreement within the previous twelve (12) months for the Product or Support giving rise to the claim. SonarSource’s aggregate liabilities for IP Losses under Section 5 shall not exceed three times (3x) the fees Customer paid under this Agreement within the previous twelve (12) months for the Product giving rise to the IP Losses.


(c) The foregoing liability limitations shall apply to the maximum extent allowed by the governing law of this Agreement.


12. LOGO RIGHT


SonarSource may include Customer’s name and/or logo in a list of its customers in marketing materials and on the Website, together with the names and logos of other SonarSource customers. Customer may revoke the foregoing right at any time by submitting a written request via e-mail to: contact@sonarsource.com. SonarSource shall comply with such a termination or revocation request within twenty (20) business days from receipt of such notice.


13. ASSIGNMENT


(a) SonarSource and Customer may assign or transfer their rights and/or obligations under this Agreement to a purchaser of all or a substantial part of its assets or shares or as part of a corporate restructuring, without the other Party’s consent. In the event of such a permitted assignment by Customer:


     (i) SonarSource must be notified, in writing, within ninety (90) days of such assignment;


     (ii) the assignee must agree in writing to be bound by the terms and conditions of this Agreement; and


     (iii) upon completion of such assignment, the assignor shall make no further use of any Products or Support under this Agreement.


(b) This Agreement shall survive assignment, and the assignor and any permitted assignee shall be bound by it.


14. DURATION AND TERMINATION


(a) This Agreement is in effect as long as there is an active License for a Product and/or Support.


(b) Customer may terminate this Agreement unilaterally, at any time and without cause, by providing at least three (3) months’ prior written notice to SonarSource. In the event of a termination without cause, amounts paid by Customer will not be refundable and Customer’s obligation to pay amounts payable under an applicable order will not terminate.


(c) Either Party may terminate this Agreement unilaterally at any time without prior notice if the other Party commits a material breach that is not cured within thirty (30) days following receipt of notice of the breach. If SonarSource terminates for breach, any amounts Customer paid will not be refunded and SonarSource reserves the right to bring claims for damages. Immediately upon receipt of SonarSource’s termination notification (which may be oral or in writing), Customer shall:


     (i) cease using the Product;


     (ii) cease requesting Support;


     (iii) destroy any corresponding License Keys; and


     (iv) provide SonarSource with written confirmation of such destruction within fifteen (15) days from the termination date.


(d) SonarSource may terminate this Agreement and/or an active License without liability if (i) Customer’s License or use of a Product or Support violates applicable law; or (ii) SonarSource is prohibited by law or otherwise restricted from providing Products or Support to Customer.


(e) The following sections shall survive termination of this Agreement: Sections 6 (Personal Information), 7 (Confidentiality), 8 (Customer’s Obligations), 10 (Disclaimer), 11 (Limitation of Liability), 12 (Logo Right), 16 (Governing Law and Jurisdiction), and 17 (General Conditions).


15. FORCE MAJEURE


Neither Party shall be deemed in default or otherwise be liable under this Agreement (except for payments due) as a result of its inability to perform its obligations hereunder by reason of any fire, earthquake, flood, substantial snow storm, epidemic, accident, explosion, casualty, strike, lock-out, labor controversy, riot, civil disturbance, act of public enemy, embargo, war, act of God, or any municipal, county, state, provincial, territorial or national ordinance or law, or any executive, administrative or judicial order (which order is not the result of any act or omission which would constitute a default hereunder) or any failure or delay of any transportation, power or communication system or any other similar cause beyond that Party's control.


16. GOVERNING LAW AND JURISDICTION


(a) This Agreement is deemed to have been made under and shall be governed by and construed in accordance with Swiss law.


(b) Any dispute, controversy or claim arising under, out of or relating to this Agreement shall be submitted to arbitration in accordance with the WIPO Expedited Arbitration Rules in effect at that date. The arbitral tribunal shall consist of a sole arbitrator. The seat of arbitration proceedings shall be Geneva, Switzerland. The language to be used in any arbitration proceedings shall be English.


17. GENERAL CONDITIONS


(a) This Agreement constitutes the Parties’ entire contractual relationship. It cancels and supersedes all prior oral or written communications, proposals, conditions, representations, and warranties, and prevails over any conflicting or additional terms mentioned in any price quotation, purchase order, acknowledgment, clickwrap or clickthrough provisions, or other communication between the Parties, regardless of when such terms were issued. This Agreement may only be amended or overridden by a written document, signed by authorized representatives of both Parties.


(b) The English version of this Agreement is the only valid version. Translations into other languages are not legally binding.


(c) Any notices to be provided under this Agreement should be sent by international courier service to the registered address of the Party, or to such other address as that Party may request in writing that notices be sent to. Notices may also be sent by e-mail if proof of receipt is obtained. E-mail notices to SonarSource must be sent to contact@sonarsource.com.


(d) SonarSource will notify Customer of any material modifications to this Agreement at least 30 days prior to the modifications taking effect by posting a notice on the Website or sending an email notice to Customer. Customer’s continued use of a Product and/or Support after thirty (30) days from notice constitutes agreement to the modifications of the Agreement.


SONARQUBE ADVANCED SECURITY ADDENDUM


This Addendum governs Customer’s installation and use of SonarQube Advanced Security (“SQAS”) and related Support. As referenced in an applicable SonarSource sales quotation for SQAS, this Addendum is incorporated by reference into, and forms an integral part of, the Agreement between SonarSource and Customer. All capitalized terms used herein but not otherwise defined shall have the meanings given to them in the Agreement. 


1. DEFINITIONS


1.1 “Addendum” means this SQAS Addendum. 

1.2 “Agreement” means the relevant SonarQube Server Terms and Conditions entered into by and between Customer and SonarSource. 

1.3 “Authorized Use” shall have the meaning set forth in the Agreement and shall additionally include Customer’s operation of SQAS to evaluate software dependencies and components on each SonarQube Server Instance for which Customer has obtained a valid License Key. 

1.4 “Dependency Data” means lockfiles, manifests, and any other metadata regarding third-party software dependencies, made available for the purpose of analyzing software dependencies and components. 

1.5 “License” means a separate, supplementary license granted to Customer to use SQAS solely in conjunction with an approved SonarQube Server Instance, for a specified period of time commencing on the applicable Commencement Date. The SQAS License cannot operate independently of the corresponding License for the associated SonarQube Server Instance.  

1.6 “License Key” means a separate, supplementary key provided by SonarSource to activate SQAS for a specified period of time on a designated SonarQube Server Instance, in accordance with the corresponding SQAS License. The SQAS License Key is distinct from, but must be used in conjunction with, the License Key for the associated SonarQube Server Instance, and cannot operate independently. 

1.7 “Product” has the meaning set forth in the Agreement and shall additionally include SQAS. 

1.8 “Service Level Addendum” means the Service Level Addendum set forth on the following page of the Website: https://www.sonarsource.com/legal/sonarcloud/service-level-agreement/.

1.9 “Security Analysis Results” means the results that are generated by SQAS processing Dependency Data, and made available to Customer via SQAS.

1.10 “Lines of Code” has the meaning set forth in the Agreement. For avoidance of doubt, Lines of Code does not include third-party code that may be evaluated by SQAS.


2. INTELLECTUAL PROPERTY


2.1 Solely with respect to Customer’s use of SQAS, Section 5(a) of the Agreement shall be deleted in its entirety and replaced with the following: 

“Subject to the terms, conditions, and limitations of the Agreement and the SonarQube Advanced Security Addendum, SonarSource grants Customer a worldwide, non-exclusive, non-transferable, non-sublicensable and revocable License: (i) for the Authorized Use of a Product and Documentation on the SonarQube Server Instance for which the License was purchased; (ii) to access, use, and distribute the Security Analysis Results for Customer’s own internal software development purposes; and (iii) if purchased or included, the receipt by an Authorized Contact of Support for a qualifying Product. The License is limited to a maximum Lines of Code and the term set forth in the applicable order form.” 

2.2 As between the Customer and SonarSource, all right, title, and interest in and to Dependency Data, including all Intellectual Property rights therein, belong exclusively to Customer and Customer grants to SonarSource the right to internally use such data solely for the purpose of providing the Customer with SQAS, Documentation, and Security Analysis Results. 

2.3 Except for the limited license rights expressly granted by SonarSource to Customer in Section 2.1 above, all right, title, and interest in and to SQAS, Documentation, and Security Analysis Results, including all Intellectual Property rights therein, belong exclusively to SonarSource and/or its licensors. All rights not expressly granted under this Addendum are reserved by SonarSource. Customer undertakes to comply with and not to challenge or misuse any of SonarSource’s Intellectual Property rights.

2.4 SonarSource is hereby granted a royalty-free, fully-paid, worldwide, exclusive, transferable, sub-licensable, irrevocable, and perpetual license to use or incorporate into its products and services any suggestions, enhancement requests, recommendations, or other feedback provided by Customer relating to SQAS or Documentation.


3. CUSTOMER’S OBLIGATIONS 


Without limiting Section 8 of the Agreement, and solely with respect to SQAS, Customer must not (i) copy, reproduce, republish, upload, post, or transmit SQAS or Documentation; (ii) use SQAS to store or transmit infringing, libelous, unlawful or tortious material, or to store or transmit material in violation of third party rights; (iii) use SQAS to store or transmit malicious code, Trojan horses, malware, spam, viruses, or other destructive technology; (iv) interfere with, impair, or disrupt the integrity or performance of SQAS or any other third party’s use of SQAS; (vi) access or use SQAS in a manner that results in excessive use, bandwidth, or storage or harms the performance or security of SQAS; (vii) alter, circumvent, or provide the means to alter or circumvent the Product, including technical limitations, recurring fees, or usage limits; (viii) perform or disclose any performance or vulnerability testing, password cracking, or remote access testing of SQAS without SonarSource’s prior written approval. 


4. PERSONAL INFORMATION 


4.1 SQAS transmits Dependency Data to SonarSource’s cloud servers for analysis. SQAS does not transmit Customer’s source code. SonarSource has implemented physical, administrative, organizational, and technical information security measures to protect the security of Dependency Data and will maintain security practices consistent with those described in Exhibit A. 

4.2 Customer is solely responsible for ensuring that Dependency Data does not contain any Personal Data. SonarSource disclaims all liability arising from the presence of Personal Data in Dependency Data. For the avoidance of doubt, the SonarSource Privacy Statement and Data Processing Addendum do not apply to the transfer, processing, storage, or other handling of Dependency Data under this Addendum. 


5. SUPPORT AND SERVICE LEVEL COMMITMENT


If Customer purchased Enterprise Edition (or higher level), SonarSource will: 

  a. provide SQAS’s network-dependent functionalities in accordance with the Service Level Addendum; and 
  b. provide Support as described in the Agreement. 


6. MODIFICATION TO THE SERVICE


SonarSource may make commercially reasonable updates or modifications to SQAS from time to time to reflect changes in, among other things, laws, regulations, rules, technology, industry practices, patterns of system use, and availability of a third-party program. SonarSource will provide advance notice of any such material updates or modifications that it reasonably believes are likely to materially degrade core features or functionalities of SQAS. 


7. GENERAL 


Except as modified by this Addendum, the Agreement remains in full force and effect. SonarSource may modify this Addendum from time to time. SonarSource will notify Customer of any material modifications to this Addendum at least thirty (30) days prior to such modifications taking effect, either by posting a notice on the Website or by sending an email notice to Customer. Customer’s continued use of SQAS and/or Support after thirty (30) days from such notice will constitute Customer’s acceptance of the modifications to this Addendum. In the event of any conflict between the terms of this Addendum and the Agreement, the terms of this Addendum shall prevail in connection with SQAS.


Exhibit A: Technical and Organisational Measures Applicable to Dependency Data and Security Analysis Results


Access Control


  • Internally, SonarSource restricts access to Dependency Data and/or Security Analysis Results to its employees or contractors who have a defined need-to-know basis or a role requiring such access.
  • Internally, access to the SonarSource network and production systems requires multi-factor authentication (MFA), or equivalent controls.
  • Internally, SonarSource maintains user access controls that address the timely provisioning and de-provisioning of SonarSource employee and contractor internal user accounts.
  • Remote access is strictly managed and requires secure connections and MFA to access the SonarSource network and production environments.


Personnel Security


  • SonarSource performs appropriate educational and criminal background checks on its employees and contingent workers, as applicable under the relevant local laws and regulations.
  • SonarSource ensures that all of SonarSource’s employees and contingent workers receive security awareness and data protection training appropriate for their role upon hire, as well as update training sessions at least annually thereafter.


Audit


  • Internally, and for the Products, SonarSource will maintain ISO 27001:2022 certification and/or AICPA SOC 2 attestation for the term of the Agreement.
  • SonarSource agrees to participate in Customer’s third-party assurance program. SonarSource agrees to complete Customer’s security questionnaires at intervals of every twelve (12) months, or upon contract renewal(s), where the information provided in SonarSource’s security certification or attestation reports is deemed insufficient to answer assurance questions.


Business Continuity


  • SonarSource maintains business continuity, backup and disaster recovery plans (“BC/DR Plans”) in order to minimize the loss of service and to comply with applicable data protection laws and regulations.
  • The BC/DR Plans address threats to the Products and any dependencies, and have an established procedure for resuming access to, and use of, the Products.
  • SonarSource tests the BC/DR Plans at regular intervals.
  • SonarSource enables all Customer Product instances with a minimum of thirty (30) days of back-ups, to which only the Customer has access.
  • All customer instances enabled within the AWS Frankfurt region use High Availability (HA) configuration.
  • For Customer’s own environments and systems, the Customer is solely responsible for the design, development, implementation, and management of its own BC/DR Plans, including the use of the supplied back-ups provided by SonarSource.


Change Control


  • SonarSource maintains internal policies and procedures for applying changes to the Products, including the underlying infrastructure and system components, to ensure quality standards are being met.
  • SonarSource undergoes a penetration test of its network, Products and Support offerings on an annual basis. Any vulnerabilities found during this testing are remediated in accordance with SonarSource’s Vulnerability Management Policies and Procedures and are assessed on the basis of SonarSource’s Risk Management Framework.
  • SonarSource performs regular scans of its network and any vulnerabilities found will be addressed in accordance with SonarSource’s Vulnerability Management Policies and Procedures and are assessed on the basis of SonarSource’s Risk Management Framework.
  • Security patches are applied in accordance with SonarSource’s patching schedule.


Data Classification and Security

  • SonarSource maintains and enforces formal data classification and handling requirements for all customer, internal, and public-facing data.
  • SonarSource maintains technical safeguards and other security measures to ensure the security and confidentiality of Dependency Data and/or Security Analysis Results, including state-of-the-art endpoint device protections, anti-malware, IDS/IPS, data loss/leakage prevention (DLP), and network and host-based firewalls.
  • SonarSource logically segregates Dependency Data and/or Security Analysis Results in the production environment.


Logging and Monitoring


  • SonarSource logs and correlates all material events from its internal and production environments through SIEM technology, with 24x7x365 security alert and monitoring from its Service Operations Center.
  • SonarSource logically segregates all Customer instance and production logs and events.


Vulnerability Management


  • SonarSource regularly scans internal and production environments for vulnerabilities and remediates them in a timely manner.