Terms of Service
Introduction:
Zeifus.com (“Zeifus”, “we”, “us” or “our”) is a pioneering, technology-powered integrated service provider with a unique model rendering business management solutions.
Your use of the Website, application or Zeifus Platform, owned and managed by Zeifus, is governed by the following terms and conditions of this agreement as applicable to the Website, application or Zeifus Platform, including the applicable policies which are incorporated herein by way of reference. By mere use of the Website, application or Zeifus Platform, You shall be contracting with Zeifus and these Terms including the policies constitute your binding obligations with Zeifus.
IF YOU ARE USING ANY SERVICE AS AN EMPLOYEE, AGENT, OR CONTRACTOR OF A CORPORATION, PARTNERSHIP OR ANY OTHER ENTITY, THEN YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO SIGN FOR AND BIND SUCH ENTITY IN ORDER TO ACCEPT THE TERMS OF THIS AGREEMENT. THE RIGHTS GRANTED UNDER THIS AGREEMENT ARE EXPRESSLY CONDITIONED UPON ACCEPTANCE BY SUCH AUTHORIZED PERSONNEL.
Services offered by Zeifus are subject to the terms of our website/platform, policies [i.e. Terms of Use, Privacy Policy, Cancellation and Refund Policy etc.] (“Policies”), available at ‘https://www.zeifus.com/’ (“Website”). By contacting Zeifus for the services or availing the services or by registering with us or by accepting this Agreement, now or in the future, you being the person or entity placing an order for or accessing the Service (“Subscriber” or “Customer”, “you”, “your”, “yourself” or “user”) signify that you agree to these Terms of the Agreement (“Terms”) and the Policies.
This Agreement is effective between You and Us as of the date of Your acceptance of this Agreement.
This Terms of Service (“the Agreement”) is entered into by and between Zeifus and You.
Zeifus and Subscriber are each a “party”, and together are “parties” to this Agreement.
In consideration of the terms and conditions set forth below, the parties agree as follows:
1. Definitions:
1.1. “Affiliates” shall mean any entity which directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for the purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2. “Agreement” means this Master Subscription Agreement, including the Service Level Agreement, Data Processing Agreement, Security Agreement, and any other exhibits, addenda, or attachments hereto, and any fully executed Order Form.
1.3. “Authorised User” shall mean an individual user for whom a user license has been purchased by Subscriber pursuant to the terms of the Invoice and this Agreement, and to whom unique user credentials have been given to access Zeifus Platform. Authorised Users may include employees, individual contractors or consultants of Subscriber or Subscriber’s Affiliates or third party service providers.
1.4. “Confidential Information” shall mean all information disclosed by a party (“Disclosing Party”) to the other party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Zeifus’s Confidential Information shall include the terms of this Agreement and all Invoices (including all non-public pricing information). Confidential Information of each party shall include (without limitation) the business and marketing plans, technology and technical information, product plans and designs, and business processes disclosed by such party. However, Confidential Information shall not include any information that (i) is or becomes generally known to the public without breach of obligation owed to the Disclosing Party, (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation to the Disclosing Party, (iii) is received from a third party without breach of any obligation owed to the Disclosing Party, or (iv) was independently developed by the Receiving Party without the use of Disclosing Party’s Confidential Information.
1.5. “Subscriber Data” shall mean electronic data and information submitted to and stored within the Zeifus Platform by the Subscriber or an Authorized User as a result of Subscriber’s or Authorised User’s use of the Zeifus Platform.
1.6. “Subscriber Input” means suggestions, enhancement requests, recommendations or other feedback provided by Subscriber, its Employees relating to the operation or functionality of the Zeifus Platform.
1.7. “Documentation” shall mean the user manuals and documentation(s), whether in written or electronic form, provided by Zeifus to the Subscriber from time to time detailing the features, functionalities and operation of the Zeifus Platform.
1.8. “Employee” or “Worker” or “User” means employees, consultants, contingent workers, independent contractors, and retirees of Subscriber and its Affiliates, whether actively employed or terminated, whose business record(s) are or may be managed by the Service and for whom a subscription to the Service has been purchased in an Order Form.
1.9. “Improvements” means all improvements, updates, enhancements, error corrections, bug fixes, release notes, upgrades and changes to the Service and Documentation, as developed by Zeifus and made generally available for Production use without a separate charge to Subscribers.
1.10. “Intellectual Property” or “IP” shall mean all intellectual property (whether registered or not) including but not limited to patents, designs, literary work, artistic work, audio, video, any translations, adaptations, computer programme and/or any other works, materials, software, source, executable or object code, documentation, methods, apparatus, systems and the like, any copyrightable/patentable material, trade secrets and all trademarks and trade names and any other materials that can be protected under existing or future intellectual property rights in India or any other applicable jurisdiction.
1.11. “Intellectual Property Rights” means any and all common law, statutory and other industrial property rights and intellectual property rights, including copyrights, trademarks, trade secrets, patents and other proprietary rights in the IP issued, honoured or enforceable under any applicable laws anywhere in the world, and all moral rights related thereto.
1.12. “Law” means any local, state, national and/or foreign law, treaties, and/or regulations applicable to the respective party.
1.13. “Malicious Code” means viruses, worms, time bombs, Trojan horses and other malicious code, files, scripts, agents, bots or programs.
1.14. “Order Form” means the ordering documents under which Subscriber subscribes to the Service which is fully executed pursuant to this Agreement.
1.15. “Personal Data” has the definition set forth in the Exhibit 2.
1.16. “Production” means the Subscriber’s use of or Zeifus’s written verification of the availability of the Service (i) to administer Employees; (ii) to generate data for Subscriber’s books/records; or (iii) in any decision support capacity.
1.17. “Security Breach” means (i) any actual or reasonably suspected unauthorized use of, loss of, access to or disclosure of, Subscriber Data; provided that an incidental disclosure of Subscriber Data to an Authorized Party or Zeifus, or incidental access to Subscriber Data by an Authorized Party or Zeifus, where no reasonable suspicion exists that such disclosure or access involves theft, or is fraudulent, criminal or malicious in nature, shall not be considered a “Security Breach” for purposes of this definition, unless such incidental disclosure or incidental access triggers a notification obligation under any applicable Law and (ii) any security breach (or substantially similar term) as defined by applicable Law.
1.18. “Zeifus Platform” means Zeifus’s software-as-a-service applications as described in the Documentation and subscribed to under an Order Form.
1.19. “Non-Zeifus Services” shall mean third party applications, services, software, networks, systems, websites or databases that are integrated with the Zeifus Platform to interoperate with the Zeifus Platform.
1.20. “Invoice” shall mean the document evidencing a subscription to Zeifus Services that specifies the description of services subscribed, subscription plan, Subscription Period, number of user licenses purchased and applicable fees.
1.21. “Subscription Period(s)” shall mean, in respect of each of the Zeifus Platform, the duration of validity of each fee-based subscription plan purchased by Subscriber.
1.22. “Service” shall mean such services as provided by Zeifus through the Zeifus Platform under this Agreement.
1.23. “Usage Limits” shall mean the limits on use of each of the Zeifus Platform corresponding to the fee-based subscription plan purchased by the Subscriber.
1.24. “Taxes” shall mean all taxes, duties, levies, imposts, fines or similar governmental assessments, including sales and use taxes, value-added taxes, goods and services taxes, excise, business, service, and other similar transactional taxes imposed by any local, state, provincial or foreign jurisdiction and include the interest and penalties thereon.
1.25. “Grace Period” means a predetermined period provided in the Order Form, during which the Subscriber may onboard their data and conduct tests on the system, prior to taking the system live.
1.26. “Terms of Service” shall mean the terms and conditions available for access and use of the Zeifus Platform, as modified from time to time.
2. Use of the Zeifus Platform, Restrictions and Responsibilities:
2.1. Rights Granted. Subject to the terms and conditions of this Agreement, Zeifus will make the Zeifus Platform available to Subscribers for the Subscription Period as set out in the Invoice. Zeifus grants Subscriber a revocable, non-exclusive, non-transferable right and limited license to access, use and, where applicable, download the Zeifus Platform during such Subscription Period for Subscriber’s internal business purposes. If the Subscriber exceeds the Usage Limits of the Zeifus Platform or functionalities within the Zeifus Platform, Subscriber may purchase additional quantities of the Zeifus Platform by making payment(s) for such excess usage.
2.2. Usage Restrictions. Subscriber shall not and shall not permit its Authorised Users to:
copy, modify, create derivative works or otherwise attempt to gain unauthorised access to the Zeifus Platform.
except as permitted under applicable law, attempt to disassemble, reverse engineer or decompile the Zeifus Platform.
use the Zeifus Platform on behalf of any third party or include the Zeifus Platform as part of service bureau or provide any business process service.
use the Zeifus Platform in any manner that interferes with or disrupts the integrity, security or performance of the Zeifus Platform, its components and the data contained therein.
sell, resell, license, sublicense, rent, lease, transfer, assign or otherwise make the Zeifus Platform available to any third-party without an Authorised User subscription.
use the Zeifus Platform to send or store material containing software viruses, worms or other harmful computer codes, files, scripts or programs.
upload or transmit (or attempt to upload or to transmit) any material that acts as a passive or active information collection or transmission mechanism, including without limitation, clear graphics interchange formats (“gifs”), 1×1 pixels, web bugs, cookies, or other similar devices (sometimes referred to as “spyware” or “passive collection mechanisms” or “pcms”).
use the Zeifus Platform to store or transmit any material that is unlawful, abusive, malicious, harassing, tortious, defamatory, vulgar, obscene, libellous, or violates any third party rights.
permit direct or indirect access to or use of the Zeifus Platform in a way that circumvents the Usage Limits.
use the Zeifus Platform in any manner that could damage, disable, overburden, impair or harm any server, network, computer system, or resource of Zeifus.
allow Authorised User licenses to be shared or used by more than one individual other than by way of reassigning the user license to a new user.
remove or obscure any proprietary or other notices contained in the Zeifus Platform.
attempt to gain unauthorized access to the Zeifus Platform (including features and functionality) or its related systems or network.
use the Zeifus Platform for any form of competitive or benchmarking purposes.
2.3. Subscriber Responsibilities. Subscriber shall be responsible for (i) providing accurate, current and complete information regarding the Subscriber in connection with Subscriber’s access and use of the Zeifus Platform; (ii) Authorized Users’ compliance with the Agreement, Documentation and Invoice; (iii) accuracy, quality and legality of the Subscriber Data; (iv) means by which the Subscriber Data was acquired and Subscriber’s use of the Subscriber Data; (v) using commercially reasonable efforts to prevent unauthorised access to or use of the Zeifus Platform; (vi) using the Zeifus Platform in accordance with this Agreement, Documentation and Invoice; (vii) all activities that occur under Subscriber’s account; and (viii) compliance with all applicable laws and regulations.
3. Fees and Payments:
3.1. Fees: Subscriber will pay to Zeifus, without any deductions, the fees set forth in the applicable Invoice. Except as otherwise specified in the Agreement, all payment obligations are non-cancellable and all amounts paid are non-refundable whether or not the Zeifus Platform is actively being used. Additional charges will apply for additional purchases or usage in excess of the purchased subscription(s). All pricing terms provided for the Subscriber are confidential and Subscriber agrees not to disclose them to any third party without Zeifus’s prior written authorization.
3.2. Invoicing and Payment: Payments shall be made through online banking facilities. The Subscription Period will commence only upon receipt of payment or a purchase order acceptable to Zeifus. Subscriber shall be responsible for providing complete and accurate payment information to Zeifus. Subscriber shall promptly update any change in the billing information. If a purchase order raised by the Subscriber is accepted by Zeifus, the payment must be made by the Subscriber within fifteen (15) days from the receipt of an invoice by email, unless otherwise stated in the Invoice.
3.3. The Subscription Fee paid by the Subscriber shall be converted into service credits (“Zeifus Service Credits”) which will be stored in a Subscriber e-wallet (“Zeifus Wallet”) provided by Zeifus, created pursuant to the aforementioned License under clause 2 of this agreement. For the purpose of this Agreement, one (1) Zeifus Service Credit shall be equivalent to one (1) currency unit as the case may be.
3.4. The Subscriber will be able to use the Zeifus Service Credits from its Zeifus Wallet for its use of the Software. Upon the expiry of the Zeifus Service Credits and subject to the billing cycle provided under the Order Form, the Subscriber shall be liable to top-up the Zeifus Wallet according to its usage of the Software.
3.5. Overdue Payments. Undisputed overdue payments shall bear interest at the rate of one (1)% per month or the maximum rate allowed under applicable law. Subscriber acknowledges and accepts that non-payment of any undisputed fees within the term defined in the applicable Invoice constitutes a material breach of this Agreement and that Zeifus shall have the right to: (i) block the access to the Zeifus Platform until all such due and undisputed amounts and applicable interests, if any, have been paid; and/or (ii) terminate the Agreement as specified under Term and termination clause of this agreement.
3.6. Payment Disputes: In the event Subscriber has any disputes with regard to the invoice raised by Zeifus, then the Subscriber shall raise the same within five (5) business days from the date of receipt of invoice. Subscriber shall not be considered to have defaulted on Subscriber’s payment obligations under this Section, if the Subscriber (i) has disputed the fees in good faith in accordance with clause 3.6 and is co-operating diligently to resolve the dispute; and (ii) remits payment for any undisputed amounts in a timely manner.
3.7. Taxes: Subscriber shall be responsible for paying the Taxes in addition to the fees applicable for the Zeifus Platform as specified in the Invoice. If the Subscriber is withholding Taxes, Subscriber shall pay the withholding Tax directly to the appropriate government entity and shall furnish a tax certificate to Zeifus evidencing such payment within hundred (100) days of making such payments. In the event of a failure to furnish the tax certificate within the time period specified herein, the concerned tax amount shall be fortified by Zeifus.
3.8. Pricing: Zeifus reserves the right to unilaterally determine and modify its pricing for the Zeifus Platform. Where an Invoice is in effect, the pricing for the Zeifus Platform shall remain as agreed for the term specified in such Invoice.
4. Availability and Technical Support:
4.1. Zeifus will make the Zeifus Platform available to the Subscriber pursuant to the terms of this Agreement, applicable Invoice and Documentation. Zeifus shall use commercially reasonable efforts to make the Zeifus Platform available 24 hours a day, 7 days a week and honour the Monthly Uptime Commitment as set forth in Exhibit 1, except during: (i) Scheduled Downtime, and (ii) Force Majeure Events.
4.2. Zeifus will provide product support to the Subscriber according to the timeframe specified in Exhibit 1.
5. Privacy and Security:
5.1. Privacy. To the extent that Personal Information (as defined under the Exhibit 2) is processed by Zeifus when Subscriber uses the Zeifus Platform, Zeifus shall comply with applicable legal requirements for privacy, data protection and confidentiality. Zeifus’s processing of Personal Information will, at all times, be compliant with Exhibit 2 of this Agreement. Exhibit 2 explains how Zeifus will, (i) process Personal Information; (ii) use third party service providers who process Personal Information on Zeifus’s behalf; (iii) assist Subscriber to handle data subject requests; (iv) handle Security Incidents; (v) accommodate an audit request from Subscriber; (vi) ensure that its personnel maintain confidentiality and security of Personal Information; and (vii) handle return or deletion of Personal Information.
5.2. Security. Zeifus has implemented and will maintain industry-standard administrative, technical, and physical safeguards to reasonably protect the security, confidentiality and integrity of the Subscriber Data as described in Exhibit 3 of this Agreement. Zeifus will periodically review and update its security practices to address new and evolving security threats and to implement evolving security technologies and industry standard practices. Zeifus warrants that no modification to the security practices will materially degrade the security of the Zeifus Platform.
6. Proprietary Rights and Licenses:
6.1. Reservation of Intellectual Property Rights. As between the parties to this Agreement, Zeifus retains all the rights, title and interest in and to the Zeifus Platform and Documentation, including all related Intellectual Property Rights. Except as expressly stated herein, this Agreement does not grant any additional rights or licenses to the Subscriber in the Zeifus Platform or in any intellectual property rights of Zeifus. The Subscriber agrees and acknowledges that unless as provided herein this Agreement, any other use of the Zeifus Platform shall constitute a material breach of this Agreement and an infringement under applicable laws. Such material breach or infringement shall cause Zeifus irreparable loss and damage. Therefore, in addition to and without limitation to the rights provided herein this Agreement, Zeifus shall have the right to recover damages and injunctive relief under applicable laws.
6.2. License to use Suggestion and Feedback. Subscriber grants to Zeifus a fully paid-up, royalty free, worldwide, sub-licensable, assignable, irrevocable and perpetual license to use and incorporate into the Zeifus Platform any idea, suggestion for enhancement, recommendation, correction or other feedback provided by Subscriber to Zeifus in connection with such Subscriber’s use of the Zeifus Platform.
6.3. Subscriber Input. Subscriber Input is defined as any information Subscriber may have provided Zeifus as an idea, feature request, enhancement or bug-fix on Zeifus product offerings to Zeifus. Zeifus shall have a royalty-free, worldwide, transferable, sub-licensable, irrevocable, perpetual license to use or incorporate into the Service any Subscriber Input. Zeifus shall have no obligation to make Subscriber Input an Improvement. Subscriber shall have no obligation to provide Subscriber Input.
6.4. Statistical Data Use. Zeifus has exclusive rights to use the statistical data derived from the operation of the Service, including, without limitation, the number of records in the Service, the number and types of transactions, configurations, and reports processed in the Service and the performance results for the Service (the “Aggregated Data”). Nothing herein shall be construed as prohibiting Zeifus from utilizing the Aggregated Data for purposes of operating Zeifus’s business, provided that Zeifus’s use of Aggregated Data will not reveal the identity, whether directly or indirectly, of any individual or specific data entered by any individual into the Service. In no event does the Aggregated Data include any personally identifiable information or corporate identifiable information.
6.5. Use of name: Subscriber agrees that Zeifus may refer to Subscriber’s name, trademarks, logos, Feedback, comments, suggestions, case studies, testimonials, name and pitch.
7. Confidentiality:
7.1. Confidentiality Obligations. Except as otherwise permitted in writing by the Disclosing Party, the Receiving Party shall (i) use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but in no event less than reasonable care) not to disclose or use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement, and (ii) limit access to Confidential Information of the Disclosing Party to those of its employees, contractors and agents who need such access for the purposes consistent with this Agreement and who have signed confidentiality agreements with the Receiving Party containing protections no less stringent than those contained herein. Any exchange of Confidential Information prior to the execution of this Agreement shall continue to be governed by any non-disclosure agreement executed by and between the parties and not the terms of this Agreement. All copies of Confidential Information, regardless of form, shall, at the discretion of the Disclosing Party, either be destroyed or returned to the Disclosing Party, promptly upon the earlier of: (i) Disclosing Party’s written request, or (ii) expiration or termination of this Agreement for any reason.
7.2. Compelled Disclosure. The Receiving Party may disclose Confidential Information of the Disclosing Party (i) as necessary to comply with an order or subpoena of any administrative agency or court of competent jurisdiction; or (ii) as reasonably necessary to comply with any applicable law or regulation; or (iii) as necessary to establish the rights of the Receiving Party, provided the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure. Any such disclosure shall be limited to only what is required and shall be subject to the confidentiality obligations to the extent reasonably practicable.
8. Representations, Warranties and Disclaimers:
8.1. Mutual Representation. Each party represents and warrants to the other party that it is duly organized and validly existing under the laws of the state of its incorporation and has full corporate power and authority, and is duly authorized, to enter into the Agreement and to carry out the provisions thereof.
8.2. Warranty by Zeifus. Zeifus warrants that during an applicable Subscription Period (i) the Zeifus Platform will perform materially in accordance with the Documentation when Subscriber uses the Zeifus Platform in accordance with such Documentation; (ii) Zeifus will, at a minimum, implement safeguards for protection of the security, confidentiality and integrity of Subscriber Data, as set forth in DPA of this Agreement; (iii) Zeifus will not materially decrease the overall functionality of the Zeifus Platform. In case of any breach of warranty listed in this Section, the Subscriber shall be entitled to sole and exclusive remedies against Zeifus as described in Sections 11.2. and 11.3. of this Agreement.
8.3. Warranty Disclaimer. Subscriber understands and agrees that the use of the Zeifus Platform is at subscriber’s sole risk. Except as expressly provided herein, Zeifus Platform is provided on an “as is” and “as available” basis, without any warranties of any kind. Except for warranties specified in this agreement, Zeifus disclaims warranties of all kinds, including, but not limited to, the implied warranties of merchantability, title, fitness for a particular purpose, and non-infringement. Zeifus further disclaims warranties that the Zeifus Platform will be uninterrupted, timely, secure, error-free or free from viruses or other malicious software. No advice or information obtained by subscriber from Zeifus or from any third party shall create any warranty not expressly stated in this agreement. The foregoing exclusions and limitations shall apply to the maximum extent permitted by applicable law, even if remedy fails its essential purpose.
9. Indemnification:
Indemnification by Zeifus
9.1. Zeifus shall defend Subscriber, at Zeifus’s expense, from claims, demands, suits, or proceedings made or brought against Subscriber by a third party (“Claims”) alleging that the use of the Zeifus Platform as contemplated hereunder infringes such third party’s Intellectual Property Rights and shall indemnify and hold Subscriber harmless against any loss, damage or costs finally awarded or entered into in settlement (including, without limitation, reasonable attorneys’ fees) (collectively, “Losses”); provided that Subscriber: (a) promptly gives written notice of the Claim to Zeifus (although a delay of notice will not relieve Zeifus of its obligations under this section except to the extent that Zeifus is prejudiced by such delay); (b) gives Zeifus sole control of the defense and settlement of the Claim (although Zeifus may not settle any Claim unless it unconditionally releases Subscriber of all liability); and (c) provides to Zeifus, at Zeifus’s cost, all reasonable assistance. Zeifus shall have no liability for Claims or Losses to the extent arising from: (d) modification of the Zeifus Platform by anyone other than Zeifus; (e) use of the Zeifus Platform in a manner inconsistent with the Agreement or Documentation; or (f) use of the Zeifus Platform in combination with any other product or service not provided by Zeifus. If Subscriber is enjoined from using the Zeifus Platform or Zeifus reasonably believes it will be enjoined, Zeifus shall have the right, at its sole option, to obtain for Subscriber the right to continue use of the Zeifus Platform or to replace or modify the Zeifus Platform so that it is no longer infringing.
If neither of the foregoing options is reasonably available to Zeifus, then the Agreement may be terminated at either party’s option and Zeifus’s sole liability, in addition to the indemnification obligations herein, shall be to refund any prepaid fees for the Zeifus Platform that was to be provided after the effective date of termination.
Indemnification by the Subscriber
9.2. Subscriber agrees to indemnify and hold harmless Zeifus, its directors, officers, employees, affiliates, agents and representatives from and against any and all claims, damages, liabilities, fines, penalties, costs and expenses (including reasonable attorneys’ fees) to which Zeifus may be subjected as a result of Subscriber’s, its employee’s or agent’s (i) business operations, including, without limitation, Subscriber employee claims, (ii) any act or omission to act which constitutes a breach of this Agreement, or (iii) performance hereunder in a manner that is negligent, grossly negligent, reckless, or wilfully improper.
9.3. Subscriber recognizes that Zeifus will be irreparably harmed by a violation of Subscriber’s confidentiality, non-use or other obligations hereunder. Therefore, in addition to any other available remedies, Zeifus is entitled to an injunction or other decree of specific performance with respect to any violation thereof by Subscriber.
10. Limitation of Liability:
Under no circumstances and under no legal theory, whether tort, contract, product liability, negligence or otherwise, shall either party or its affiliates be liable to the other party or any other affiliate or third party for any lost profits, lost sales or lost revenue, loss of data (through no fault of Zeifus), business interruption, loss of goodwill or for any indirect, special, incidental, exemplary, consequential or punitive damages, even if a party or its affiliates have been advised of the possibility of such damages. In no event shall the liability of either party to the other party or its affiliates, for any claim or action arising out of this agreement, exceed the value of 10% of aggregate of all amounts paid by the Subscriber to Zeifus in the twelve (12) months preceding the first event giving rise to such claim or action. The limitations specified herein will not limit Subscriber’s obligation to pay fees in accordance with this agreement.
11. Term and Termination:
11.1. The term of this Agreement shall commence on the Effective Date and shall thereafter continue for the duration of the Subscription Period of the relevant Invoice, unless terminated in accordance with the provisions of this Section. Except as otherwise specified in the Agreement or Invoice, subscriptions will automatically renew for additional terms equivalent to the expiring Subscription Period.
11.2. Termination for cause. A party may terminate this Agreement for cause: (i) upon 30 days written notice to the other party of a material breach if such breach remains uncured at the expiration of such period, or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of the creditors.
11.3. Termination by Zeifus: Zeifus shall be entitled to terminate this Agreement forthwith upon giving written notice of thirty (30) days to the Subscriber if it: (i) enters an agreement with creditors without authorisation of Zeifus and/or steps have been taken for its winding up (other than for the purposes of bona fide reconstruction); (ii) has reasonable grounds to suspect that it has participated in illegal practices and/or acts or been charged in a court of law acts in a manner prejudicial to the interests of Zeifus; (iii) commits misconduct, fraudulent, dishonest, undisciplined conduct or breach of integrity or embezzlement or misappropriation or misuse or causing damage to the Software and other property of Zeifus; (iv) misrepresents, makes false statements and breaches the representations and warranties under the Agreement; and (v) ceases or threatens to cease to carry on business.
11.4. Refund. Upon termination for cause by Subscriber, Zeifus shall refund Subscriber any prepaid fees covering the unused portion of the Subscription Period. Upon any termination for cause by Zeifus, Subscriber shall expedite all payments due to Zeifus and in no event will termination of this Agreement relieve Subscriber of its obligation to pay any fees due to Zeifus. Notwithstanding anything contained herein, in the event Subscriber terminates the Agreement except as mentioned in Section 11.2 of the Agreement, Zeifus is under no obligation to refund the fees paid by the Subscriber.
11.5. Retrieval of Subscriber Data. Upon Subscriber’s written request made on or prior to expiration or termination of the Agreement, Zeifus will give Subscriber limited access to the Zeifus Platform for a period of up to thirty (30) days, at no additional cost, solely for purposes of retrieving Subscriber Data. Subject to such thirty day period and Zeifus’s legal obligations, Zeifus has no obligation to maintain or provide any Subscriber Data and may, unless legally prohibited, delete Subscriber Data; provided, however, that Zeifus will not be required to remove copies of the Subscriber Data from its backup media and servers until such time as the backup copies are scheduled to be deleted.
11.6. Surviving Provisions. Sections “Confidentiality,” “Fees and Payments,” “Warranty Disclaimers,” “Limitation of Liability,” “Indemnification,” “Termination,” “Surviving Provisions” and “General” shall survive termination of this Agreement.
12. General:
12.1. Applicability of Terms of Service. Subscriber understands that, in addition to the terms of this Agreement, Zeifus’s Terms of Service will apply to Subscriber’s access and use of the Zeifus Platform. In the event of any conflict between this Agreement and the Terms of Service, the terms of this Agreement shall prevail.
12.2. Entire Agreement. This Agreement, including the Exhibits attached hereto and the Terms of Service, constitutes the entire agreement between the parties with respect to the subject matter of this Agreement and supersedes any and all prior and contemporaneous agreements, negotiations, correspondence, understandings and communications between the parties, whether written or oral, concerning the subject matter hereof.
12.3. No changes, modifications or amendment of any nature made to this Agreement shall be valid unless evidenced in writing and signed for and on behalf of both parties by the respective authorized representatives.
12.4. Governing Law and Jurisdiction. This Agreement shall be governed by and construed strictly in accordance with the laws of India (excluding the rules governing conflict of laws). Any dispute arising out of or resulting from this Agreement shall be subject to the exclusive jurisdiction of courts in Hyderabad, India to the exclusion of all other courts.
12.5. All notices required under this Agreement shall be in writing and shall be sent to the respective address set forth below. Any such notice may be delivered by hand, by overnight courier, by registered post or certified mail with return receipt requested, or by electronic mail to the person to whom such notice is to be sent as per the terms of this Agreement. Such notice shall be deemed to have been received: (i) by hand delivery, at the time of delivery; (ii) by overnight courier, on the succeeding business day; (iii) by registered post or certified mail, on the date marked in proof of receipt; and (iv) by electronic mail, when sent. All notices shall be sent to:
If to Zeifus:
– Legal Team contact@zeifus.com
– If to the Subscriber, then their respective contact details.
12.6. Relationship of the Parties. The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties. Neither party shall have the power to bind the other or incur obligations on the other party’s behalf without the other party’s written consent.
12.7. Assignment. Neither party shall assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other party (which consent shall not be unreasonably withheld). Any attempt by a party to assign its rights or obligations under this Agreement other than as permitted by this section shall be void and of no effect. Subject to the foregoing, this Agreement shall bind and inure to the benefit of the parties, their respective successors and permitted assigns.
12.8. Affairs of the Parties: In the event that, at any time during this Agreement, the Subscriber experiences a Change of Control or any kind of corporate Restructuring, the Subscriber shall ensure that the rights of Zeifus under this Agreement are not adversely affected or curtailed by virtue of such an event. The existence of the Agreement and/or rights of Zeifus under this Agreement shall not be affected in any manner and the Subscriber shall ensure the same terms and conditions are carried through the Term of the Agreement. Subscriber shall provide a written notice to Zeifus at least 30 days prior to the anticipated Change in Control/Corporate Restructuring involving companies in a similar industry as Zeifus.
12.9. No Third Party Beneficiaries. The provisions of this Agreement shall be binding and inure solely to the benefit of the parties, their successors, and permitted assigns. Nothing herein, whether express or implied, will confer any right, benefit or remedy upon any person or entity other than the parties, their successors and permitted assigns.
12.10. Force Majeure. No Party shall be liable to the other if, and to the extent, that the performance or delay in performance of any of its obligations under this Agreement is prevented, restricted, delayed or interfered with, due to circumstances beyond the reasonable control of such Party, including but not limited to, Government legislations, fires, floods, explosions, epidemics, accidents, acts of God, wars, riots, strikes, lockouts, or other concerted acts of workmen, acts of Government. The Party claiming an event of force majeure shall promptly notify the other Party in writing and provide full particulars of the cause or event and the date of first occurrence thereof, as soon as possible after the event and also keep the other Party informed of any further developments. The Party so affected shall use its best efforts to remove the cause of non-performance, and the Parties shall resume performance as soon as such cause is removed.
12.11. Severability. Any provision of this Agreement, which is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof or affecting the validity or enforceability of such provision in any other jurisdiction. Accordingly, this Agreement shall be construed as if such portion had not been inserted and the remaining provisions of this Agreement shall remain in full force and effect.
12.12. Waiver. Except as otherwise provided in this Agreement, failure on the part of either Party to exercise any right hereunder or to insist upon strict compliance by the other Party with any of the terms, covenants or conditions hereof shall not be deemed a waiver of such right, term, covenant or condition.
12.13. Interpretation. No provision of this Agreement shall be construed against one party by reason of being deemed the “author” of the Agreement. The headings used in this Agreement are for convenience only and shall not affect the interpretation of the terms of this Agreement.
——–
Exhibit 1
SERVICE LEVEL AVAILABILITY
This Exhibit documents Zeifus’s Service Level Availability Policy (“SLA”) with its Subscribers. Capitalized terms, unless otherwise defined herein, shall have the same meaning as in the Master Subscription Agreement.
Definitions
“Downtime” shall mean inability to access Zeifus Platform due to a Qualifying Fault. Downtime is measured based on availability of the Zeifus Platform as measured by Zeifus’s monitoring tools.
“Qualifying Fault” shall mean and include server side errors and reachability errors attributable to the Zeifus Platform.
“Downtime Period” shall mean ten or more consecutive minutes of Downtime. Intermittent Downtime for a period of less than ten minutes will not be counted towards any Downtime Periods.
“Monthly Uptime” shall mean total number of minutes in a calendar month minus the number of minutes of Downtime suffered from all Downtime Periods in a calendar month.
“Monthly Uptime Percentage” shall mean the percentage calculated by dividing Monthly Uptime by the total number of minutes in a calendar month.
“Scheduled Downtime” shall mean unavailability of the Zeifus Platform about which Subscriber is informed at least forty eight (48) hours in advance. A Scheduled Downtime will not constitute a Qualifying Fault.
“Zeifus SLA Service Credit” shall mean Zeifus Service Credits added to the Zeifus Wallet at no additional cost as compensation for Zeifus’s failure to meet the monthly uptime commitment.
2. Service availability
Zeifus Platform will have a Monthly Uptime Percentage of 99.8%.
3. Zeifus Platform Updates
Periodically, Zeifus introduces new features in the Zeifus Platform with enhanced functionality. Features and functionality will be made available as part of a major feature release (“Feature Release”) or as part of weekly service updates (“Service Updates”).
4. SLA Service Credits
Calculation of Zeifus SLA Service Credit:
Uptime | Compensation for Downtime (% of Monthly Subscription Fees)
99.5% to 99.8% | 5%
99% to 99.5% | 15%
<99% | 25%
In order to receive any of the Zeifus SLA Service Credits described above, Subscriber must notify Zeifus within ten (10) days from the time Subscriber becomes eligible to receive a Zeifus SLA Service Credit. Failure to comply with this requirement will result in forfeiture of Subscriber’s right to receive a Service Credit.
Zeifus SLA Service Credits will not be exchanged for, or converted to, monetary compensation.
Subscriber’s sole and exclusive remedy for Zeifus’s failure to meet the uptime commitment is to receive Zeifus SLA Service Credit.
5. Zeifus Support Scope
Zeifus will support functionality that is delivered by Zeifus as part of the Zeifus Platform. For all other functionality, and/or issues or errors in the Zeifus Platform caused by issues, errors and/or changes in Subscriber’s information systems, customizations, and/or third-party products or services, Zeifus may assist Subscriber and its third-party providers in diagnosing and resolving issues or errors but Subscriber acknowledges that these matters are outside of Zeifus’s support obligations. Failure to meet obligations or commitments under this SLA that are attributable to (i) Subscriber’s acts or omissions; and (ii) force majeure events shall be excused.
After the completion of the grace period, the consumption against the wallet balance will start even if the onboarding is not completed and Zeifus shall not be held liable for any delays in setup or commencement of services resulting from circumstances beyond its control, including but not limited to:
The non-availability of the customer or their representatives during the agreed-upon setup period.
Issues identified during the onboarding process, such as data discrepancies or system configurations requiring additional time to rectify.
New requirements or changes in scope brought forth by the customer after the initiation of the setup process
Delay in deployment of any feature request requested by Customer.
Internal issues faced by the customer, including but not limited to organizational restructuring, resource constraints, or internal procedural changes, which are not under the control of Zeifus.
Challenges in Migration of data from one platform to another
6. Issue Submission and Reporting
Subscriber’s Named Support Contacts may submit cases to Zeifus Support via the Zeifus Support Portal. Named Support Contacts must be trained on the Zeifus Platform. Each case will be assigned a unique case number. Zeifus will respond to each case in accordance with this SLA and will work diligently toward resolution of the issue taking into consideration its severity and impact on the Subscriber’s business operations. Actual resolution time will depend on the nature of the case and the resolution itself. A resolution may consist of a fix, workaround, delivery of information or other reasonable solution to the issue. Case reporting is available on demand via the Zeifus Support Portal.
7. Severity level determination
Subscriber shall reasonably self-diagnose each support issue and recommend to Zeifus an appropriate Severity Level designation. Zeifus shall validate Subscriber’s Severity Level designation or notify Subscriber of the change in the Severity Level designation to a higher or lower level with justification. The following definition shall be used in determination of severity level:
Severity Level 1
Description: This Problem Severity Level is associated with: the software, as a whole, is non-functional or is not accessible; unauthorized exposure of all or part of the client’s data; or loss or corruption of all or part of the client’s data.
Severity Level 2
Description: This Problem Severity Level is associated with significant and / or ongoing interruption of an authorized user’s use of a critical function of the software and for which no acceptable work-around is available.
Severity Level 3
Description: This Problem Severity Level is associated with: a minor and/or limited interruption of an authorized user’s use of a non-critical function of the software; or, problems which are not included in Problem Severity Levels 1 or 2.
Severity Level 4
Description: This Problem Severity Level is associated with: general questions about the software; or, configuration changes that have been previously agreed to be in scope by the client.
8. Response and resolution
Response, Problem Determination and Resolution/Restoration/Work-around Timeframe
Severity Level | Response (business hours) | Problem Determination (business hours / business days) | Resolution / Restoration / Work-around (business days)
1 | 1 hour | 4 hours | 8 hours
2 | 8 hours | 12 hours | 3 days
3 | 24 hours | 7 days | 10 days
4 | 24 hours | 10 days | 14 days
Exclusions
The SLA does not apply to any performance and availability issues:
caused by factors outside of Zeifus’s reasonable control;
that resulted from any actions or inactions of Subscriber; or
that resulted from Subscriber’s equipment and/or third party equipment that are not within Zeifus’s reasonable control.
Any issues which required coding changes from back-end.
Exhibit 2
Data Processing Agreement
GDPR Regulation (EU) 2016/679
This Data Processing Agreement (DPA) contains GDPR clauses to be followed by the parties who signed the Subscription Services with Zeifus.
The agreement is BETWEEN THE PARTIES: Customer/Partner (Hereinafter referred to as Data Controller) & Zeifus, a company incorporated (Hereinafter referred to as the “Data Processor”)
In consideration of the mutual obligations set out in this GDPR Addendum, the parties agree as follows:
This agreement details the roles of both parties set forth in GDPR Regulation (EU) 2016/679 under Articles 28, 32, and 82 effective from <<Date>>
This DPA is applicable for below Clauses
If the Customer entity signing this Addendum is a party to the MSA, this DPA is an addendum to and forms part of the MSA. In such case, the entity that is party to the Agreement is party to this DPA.
If the Customer entity signing this DPA has executed an Order Form with Zeifus or its Affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order Form and applicable renewal Order Forms, and the Zeifus entity that is party to such Order Form is party to this DPA.
If the Customer entity signing this DPA is neither a party to an Order Form nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity who is a party to the Agreement executes this DPA.
If the Customer entity signing the DPA is not a party to an Order Form nor a Master Subscription Agreement directly with Zeifus, but is instead a customer indirectly via an authorized reseller of Zeifus services, this DPA is not valid and is not legally binding. Such entity should contact the authorized reseller to discuss whether any amendment to its agreement with that reseller may be required. This DPA shall not replace any comparable or additional rights relating to Processing of Customer Data contained in Customer’s Agreement (including any existing data processing addendum to the Agreement).
The Data Controller and Zeifus each warrant that they adhere and will continue to adhere to GDPR and shall perform their obligations under this GDPR Addendum in accordance with the provisions of the GDPR from time to time in force.
The parties acknowledge that, for the purposes of GDPR, the Customer/Partner is the Data Controller for the Personal Data (Personal Data of Customer’s Employees or the Customer’s Customer or Contractor as applicable) and the performance of the services will require the processing of Personal Data by Zeifus for the Data Controller.
The parties acknowledge that for the purposes of GDPR:
Zeifus shall be processing the personal data provided by Data Controller that is limited to Name, Phone, E-Mail and Job Title for the escalation and communication that is used to send notifications/alerts during the business operations to the Data Subjects whose personal data is shared by the Data Controller.
Zeifus implements controls to undertake Consent from Users of the platform without disrupting Customer’s Operations. The Data Controller is responsible for ensuring the respective customers and users accept the user consent.
Zeifus may use various software tools/Cloud Services for storing such Personal Data in their repositories.
Zeifus may use or store the Personal Data for retracting any reference to the Data Subject, as mentioned in their Privacy Policy, if it is required in future even after expiry of the agreement for identifying or tracing any alerts/notifications sent to the Data Subject.
The Customer/Partner shall be responsible to notify and undertake Consent from their Employees/Customers/Contractors on how the Personal Data is processed by Zeifus and their Data Sub-Processor, without which compliance to GDPR by the Data Controller/Zeifus/Data Sub-Processor would be difficult.
Zeifus shall bring to the Customer’s/Partner’s attention if they find a Personal Data Breach in their or their Data Sub-Processor environment that has impacted any form of Personal Data stored by either or both parties.
Zeifus shall not process Personal Data (Personal Data collected from the Data Controller) other than for the purposes of the processing which are documented in the Agreement.
2. Zeifus warrants to the Data Controller (Customer/Partner) to comply with the below:
It shall fully comply with the provisions of GDPR in carrying out its obligations under this agreement
It has all provisions for data protection necessary for carrying out of its obligations under this agreement and shall maintain such provisions throughout the term.
3. Zeifus shall:
Adopt and maintain appropriate technical and organizational measures to ensure Personal Data is kept secure throughout the data life cycle, considering the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, and take such precautions as are necessary to ensure the integrity of Personal Data and to prevent any Personal Data Breach.
Ensure that the Data Sub-Processors process the Personal Data (Personal Data collected from the Data Controller) as per the instructions provided by Zeifus in accordance with the requirements of GDPR.
Shall not collect Personal Data (Personal Data collected from the Data Controller) more than that which is required by Zeifus for Processing.
Shall not appoint any other Data Sub-Processor/ Third Party for processing Personal Data (Personal Data collected from the Data Controller) that does not meet the requirements of GDPR
Allow Data Subjects to keep contents of their Personal Data (Personal Data collected from the Data Controller) accurate
On reasonable written notice by the Data Controller, make available to the Data Controller all such information as is necessary to demonstrate Zeifus’s compliance with GDPR, including where such information is requested as part of an audit/assessment/compliance check.
On termination of the Agreement, at the Data Controller’s sole requisition, provide all Personal Data (Personal Data collected from the Data Controller) to the Data Controller and shall provide reasonable evidence of erasure.
Keep the records of the Processing activities that are carried out on behalf of Data Controller
Assist the controller in meeting its GDPR obligations to notify the Personal Data Breaches to the Supervisory Authority along with the process and information required to be submitted for the same.
Shall not use the Personal Data (Personal Data collected from the Data Controller) for activities like analytics and profiling unless required for business operations to provide subscribed services.
4. Customer Data Incident Management:
Zeifus maintains security incident management policies and procedures specified in the Security Policy on the website and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Zeifus or its Sub-processors of which Zeifus becomes aware (a “Customer Data Incident”). Zeifus shall make reasonable efforts to identify the cause of such Customer Data Incident and take those steps as Zeifus deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident to the extent the remediation is within Zeifus’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.
Immediately notify the Data Controller with full details of:
Any Personal Data Breach in relation to this Agreement;
Processing of Personal Data (Personal Data collected from the Data Controller) which are contrary to or would require it to act in a way contrary to GDPR
Any request received (including from an individual or the Supervisory Authority) to disclose any Personal Data
5. Return and Erasure of Customer Data:
Zeifus has made provision for retrieval of customer data from the platform by authorization and will, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Retention Policies.
6. Nothing in this Agreement shall relieve Zeifus of its own direct responsibilities and liabilities under GDPR.
7. The Clauses in this document shall be governed by the law of the Member State of EEA (European Economic Area) in which the data processing is established.
In assessing the appropriate level of security, Zeifus shall conduct DPIA (Data Protection Impact Assessment) on a periodic basis to evaluate the risks that are presented by processing, from a Personal Data Breach.
Appendix 1
This Appendix forms part of the DPA covering Information Security of the Platform and Operations.
Description of the technical and organizational security measures implemented by Zeifus in accordance with the Data Processing Agreement
Zeifus currently observes the security practices described in this Appendix 1. Notwithstanding any provision to the contrary otherwise agreed to by data controller, Zeifus may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.
Access Control
Preventing Unauthorized Product Access
Outsourced processing: Zeifus hosts its Service in AWS Cloud. Zeifus maintains contractual relationships with vendors in order to provide the Service in accordance with our Data Processing Agreement.
Zeifus relies on contractual agreements, privacy policies, and vendor compliance programs to protect data processed or stored by these vendors.
Physical and environmental security: Zeifus hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC2 Type II and ISO 27001 compliance, among other certifications.
Authentication: Zeifus implemented a unified password policy for its Platform.
Customers who interact with the platform via the user interface must authenticate before accessing their data. Zeifus also has a provision for integrating with various single sign-on tools or using Zeifus’s authentication mechanisms.
Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Zeifus’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against role-based access policies defined by the Customer.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through any other authorized process or method.
Preventing Unauthorized Product Use
Zeifus implements standard access controls and detection capabilities for the internal networks that support its products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The control measures are implemented by security group assignment, and traditional firewall rules.
Intrusion detection and prevention: Zeifus implemented Firewalls designed to identify and prevent attacks against publicly available network services. A regular VA and PT assessment is carried out to proactively identify any threats and remediate as required.
Static code analysis: Security reviews of code stored in Zeifus’s source code repositories are performed, checking for coding best practices and identifiable software flaws.
Limitations of Privilege & Authorization Requirements
Product access: An authorized group of Zeifus’s employees have access to the Platform and to customer data via controlled interfaces. The intent of providing access to an authorized employee is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through a Service request process for all requests for access. Employees are granted access by role and responsibility. Employee roles are reviewed at least once every six months as part of Internal Security Audit.
Background checks: All Zeifus employees undergo a third-party background check prior to being extended an employment offer, in accordance with the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
Data Transfer Controls
In-transit: Zeifus makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its logins. Data is transmitted between systems in the same geographical regions.
At-rest: Zeifus stores user passwords following policies that follow industry standard practices for security. Zeifus has implemented technologies to ensure that stored data is encrypted at rest.
Data Input
Detection: Zeifus has designed internal monitoring and management systems to log information about the system behaviour, traffic received, system authentication, and other application requests. Internal systems alert appropriate Platform Support Groups of malicious, unintended, or anomalous activities. Zeifus has established support processes and personnel for security and operations to respond to various incidents.
Response and tracking: Zeifus maintains a record of known security incidents that includes description, dates and times, priority and remediation process. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Zeifus will take appropriate steps to minimize Product and Customer damage or unauthorized disclosure.
Communication: If Zeifus becomes aware of unlawful access to Customer data stored within its products, Zeifus will:
notify the affected Customers of the incident;
provide a description of the steps taken to resolve the incident; and
provide status updates to the Customer contact, as Zeifus deems necessary. Notification(s) of incidents, if any, shall be delivered to one or more of the Customer’s contacts in a form Zeifus selects, which may include via email through Customer Support.
Availability Control
Infrastructure availability: Zeifus is obligated to provide a minimum of 99.8% uptime for the Platform. The providers maintain a minimum of N+1 redundancy to power, network, and other Services in AWS Cloud.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and failover protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple systems. Zeifus maintains an Active-Active set-up for disaster recovery to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Zeifus’s operations in maintaining and updating the product applications and backend while limiting downtime.
Audits and Certification
Zeifus is certified for ISO 27001:2013 and has been assessed as compliant with the controls stipulated in SOC 2 Type II.
Appendix 2
Definitions:
1) Personal Data: Personal Data means any information relating to an identified or identifiable natural person (‘Data Subject’). The following data, often used for the express purpose of distinguishing individual identity, can be classified as Personal Data
Name
Identification Number
Location data
An online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a Natural Person.
IP Address
Cookie Identifiers
Radio Frequency ID (RF ID) tags
2) Natural Person/Data Subject: An identifiable Natural Person/Data Subject is one who can be identified, directly or indirectly, by reference to his/her Personal Data.
3) Processing: Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data by automated means, such as
Collection
Recording
Organisation
Structuring
Storage
Adaptation or alteration
Retrieval/Downloading data
Consultation
Use
Disclosure by transmission
Dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
4) Data Controller: Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
5) Data Processor: Data Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.
6) Data Sub-Processor: Data Sub-Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of Data Processor.
7) GDPR: The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of Personal Data of individuals within the European Union (EU).
8) Profiling: Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
9) Personal Data Breach: Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
10) Consent: Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to the Data Subject.
11) Data Protection Impact Assessment (DPIA): This activity is carried out to enhance compliance with GDPR where processing operations are likely to result in a high risk to the rights and freedoms of Data Subjects.
12) Supervisory Authority: Supervisory authority means an independent public authority which is established by an EU member state. Supervisory Authority Concerned means a Supervisory Authority which is concerned by the processing of personal data because:
The Data Controller or processor is established on the territory of the Member State of that supervisory authority;
Data Subjects residing in the Member State of that Supervisory Authority are substantially affected or likely to be substantially affected by the processing; or
A complaint has been lodged with that supervisory authority
Exhibit 3
TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
Zeifus has established, and will maintain at a minimum, an information security management system that includes the following:
Security Governance
A governance framework that supports relevant aspects of information security through appropriate policies and standards.
Formal documentation of the roles and responsibilities of employees with respect to governance of Information Security within Zeifus that are communicated by the management to employees.
An information security program in accordance with the international standard ISO 27001 that includes technical, organizational and physical security measures in order to protect Personal Information against accidental loss, destruction or alteration, unauthorized disclosure or access, or unlawful destruction.
Formally documented information security policy, data privacy policy and other policies that are communicated periodically to employees responsible for the design, implementation and maintenance of security and privacy controls. The policies will be reviewed annually to keep them up-to-date.
Compliance with industry standard security measures as described at https://www.zeifus.com/security
Risk Management
Annual risk assessment, to prioritize mitigation of identified risks.
Established internal audit requirements and periodical audits on information systems and processes at planned intervals.
Assessment of the design and operating effectiveness of controls against the established control framework through which corrective actions related to identified deficiencies will be tracked to resolution.
Human Resources Security
Background verification of all employees having access to confidential data that includes verification of criminal records, previous employment records if any, and educational background.
Signing of confidentiality agreement and acceptable use policy by employees upon their employment with clauses on protection of confidential information.
Training on security and privacy awareness including training on Zeifus’s policies, standards and relevant technologies along with maintenance and retention of training completion records.
Employees will be required to adhere to the information security policies and procedures. A disciplinary process for non-adherence will be defined and communicated.
Identity and Access Management of Zeifus Personnel
Creation of unique identifiers for employees to access information systems and prohibition of sharing user accounts among employees.
User authentication to information systems protected by passwords that meet Zeifus’s password policy requirements, which are derived from NIST SP 800-63B standards.
Strong password configurations that include i) 8-character minimum length; ii) non-dictionary words; and iii) screening of passwords against a list of known compromised passwords.
Mandatory two-factor authentication for access to information systems involving confidential data.
Secure remote access to the corporate network provisioned via SSL VPN with strong encryption and two-factor authentication.
Adherence to the principles of least privilege and need-to-know and need-to-use basis for access control.
Approval mechanism from appropriate personnel to provide access to information systems.
Revocation of access that is no longer required in the event of termination or role change.
Recording of approval, assignment, alteration and withdrawal of access rights.
User access reviews on a half-yearly basis and corrective actions whenever necessary.
Restrictions on administrative access to Personal Information and provision of access on a strictly need-to-know basis along with implementation of access-control measures such as mandatory two-factor authentication.
Asset Management
Inventory maintenance of assets associated with information processing. Owners are assigned for each asset and rules for acceptable use of assets are defined. Assets assigned to employees are returned in the event of termination or role change.
Capacity management policies through which resources are continuously monitored and projections are made for future requirements.
Determined procedures in accordance with industry best practices for the reuse, secure disposal and destruction of electronic media to ensure that the data is rendered unreadable and unrecoverable.
Disposal of unusable devices by verified and authorized vendors which includes storing of such devices in a secure location until disposal, formatting any information contained in the devices before disposal, degaussing and physical destruction of failed hard drives using shredder and crypto-erasing and shredding of failed SSDs.
Physical Security
Physical access to Zeifus’s data center is highly restricted and requires prior management approval. The data centers are housed in facilities that require electronic card key access. Additional two-factor authentication and biometric authentication are required to enter the data center premises and there is continuous monitoring of CCTV cameras and alarm systems.
Control of physical access to Zeifus’s development facilities using access cards and monitoring by security personnel.
Installation of CCTV cameras and review of access logs and CCTV footage in case of any incidents.
Defined visitor management process to authorize visitor entries and maintenance of access records of visitors.
Revocation of physical access to employees in the event of termination of employment or role change.
Network Security and Operations
A dedicated Network Operations Center (NOC), which operates 24×7 monitoring the infrastructure health.
Establishment and implementation of firewall rules in accordance with identified security requirements and business justifications.
Review of firewall rules on a quarterly basis to ensure that legacy rules are removed and active rules are configured correctly.
Establishment and maintenance of appropriate network segmentation, including the use of virtual local area networks (VLANs) where appropriate, to restrict access to systems storing confidential data, with a data storage layer that is designed to be not directly accessible from the Internet.
Clear separation of production, development and integration environments to ensure that production data is not replicated or used in non-production environments for testing purposes.
Management of access to production environments by a central directory and authentication for such access using a combination of strong passwords, two-factor authentication, and passphrase-protected SSH keys. Access to the production environment is facilitated through a separate network with strict rules.
Deployment of DDoS mitigation capabilities from well-established service providers to prevent volumetric attacks and to keep the applications available and performing.
Secure Software Development
Well defined security process that is implemented and monitored throughout the SDLC taking into consideration confidentiality, availability and integrity requirements.
Implementation of secure software development policies, procedures, and standards that are aligned to industry standard practices such as OWASP, CSA, CWE/SANS including secure design review, secure coding practices, risk based testing and remediation requirements.
Training on secure coding principles and industry standards to personnel involved in the development and coding of products.
“Secure by design” approach by incorporating security risk assessments and threat modeling in the planning and analysis phase of SDLC and review of the design to prevent new threats.
Examination of source code changes for potential security issues using Zeifus’s proprietary SAST (static code analysis) tools and manual review process before deployment.
Web Application Firewall (WAF) layer that is embedded in all web applications for protection against Open Web Application Security Project (OWASP) threats, including SQL injections, Cross-site scripting (XSS) and remote file inclusions.
Maintenance of an inventory of third party software that gets bundled in the products/services.
Alerts on potential security vulnerabilities in the third party software by Zeifus’s proprietary SCA (Software Composition Analysis), which are reviewed periodically to check their applicability and impact and to take steps to upgrade third party software to the latest version.
Appropriate checking and elimination procedures to ensure that the service is not affected by malware/viruses during development, maintenance and operation.
Appropriate security controls to ensure the confidentiality, integrity and availability of the CI/CD pipeline in the software development environment used to develop, deploy, and support the products.
Maintenance of clear distinction between the development, QA and production environments.
Data Security and Management
Information classification scheme with data handling guidelines related to access control, physical and electronic storage, and electronic transfer.
Logical separation of each subscriber’s service data from other subscribers’ data by distributing and maintaining separate logical cloud space for each subscriber.
Deletion of data from active database upon termination of Zeifus Platforms by the subscriber (clean-up occurs once in every 6 months), deletion of backup data within 3 months of deletion from active database and termination of accounts that remain unpaid and inactive for a continuous period of 120 days by giving prior notice to the subscriber.
Encryption
Use of transport encryption for information that traverses across networks outside of the direct control of Zeifus including, but not limited to the Internet, Wi-Fi and mobile phone networks.
Encryption of data transmission to Zeifus Platforms using TLS 1.2/TLS 1.3 protocols, with the latest strong ciphers such as AES_CBC/AES_GCM with 256-bit/128-bit keys, message authentication using SHA2, and ECDHE_RSA as the key exchange mechanism.
Encryption of sensitive Personal Information at rest using 256-bit Advanced Encryption Standard (AES). (The data that is encrypted at rest varies specific to Zeifus Platforms and also options are provided where the subscriber defines the fields to encrypt depending on their business need and data sensitivity).
An irreversible industry-standard algorithm (bcrypt) will be used to hash and store the passwords of Zeifus Platforms, with a randomly generated per-user salt added to the input.
Zeifus’s in-house Key Management Service (KMS) to own and maintain encryption keys, which includes an additional layer of security by encrypting the data encryption keys using master keys.
Separation of master keys and data encryption keys by physically storing them in different servers with limited access.
Change Management
A change management policy that governs changes in all components of the service environment whereby all changes are planned, tested, reviewed and authorized before implementation into production.
Assessment of the potential impacts, including information security and privacy impacts of the changes.
Documented fall-back mechanisms including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events.
Notification to subscriber of any changes that may affect subscribers in an adverse manner.
Configuration Management
Implementation of security hardening and baseline configuration standards in accordance with industry standards that are reviewed and updated periodically.
Predefined OS images with security baselines are used to build systems in development and production.
Hardening standards including (i) ensuring that unnecessary features, services, components, files, protocols and ports are removed from the production environment; and (ii) removing unnecessary user logins and disabling or changing default passwords.
Approval from the appropriate personnel to install any software package in the production environment.
Vulnerability Management
Vulnerability management plan designed to (i) identify promptly, prevent, investigate, and mitigate any cyber security vulnerabilities; (ii) analyze the vulnerability; (iii) perform recovery actions to remedy the impact.
Vulnerability assessments using automated scanners performed periodically on Zeifus’s internet facing systems.
Application penetration testing by Zeifus’s in-house security personnel performed annually in accordance with defined test methodologies.
Review of identified issues from vulnerability assessments and penetration testing, determination of their applicability, impact and priority, and rectification in accordance with the SLA definition: High level vulnerabilities within 7 calendar days of discovery, Medium level vulnerabilities within 30 calendar days of discovery and Low level vulnerabilities within 60 calendar days of discovery.
Monitoring known vulnerabilities from common sources such as OWASP, CVE, NVD and other vendor security lists and installation of security relevant patches to product and/or supporting systems in accordance with Zeifus’s patch management policy.
Antivirus deployment by running the current version of industry standard anti-virus software as a part of which signature definitions are updated periodically within 24 hours of release, real time scans are enabled and alerts are reviewed and resolved by appropriate personnel.
Security Logging and Monitoring
Use of centralized logging solution to aggregate and correlate events from various components including network devices, servers and applications.
Maintenance of audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events and retention of logs in accordance with applicable policies and regulations.
Host and application intrusion detection (IDS) technology to facilitate timely detection, investigation and response to incidents.
Restriction of physical and logical access to logs to authorized personnel.
Business Continuity and Disaster Recovery
Disaster recovery and business continuity plans and processes (i) to ensure continuous availability of the services in case of any disaster; (ii) to provide an effective and accurate recovery.
Annual review of the business continuity plan to evaluate its adequacy and effectiveness.
Redundancy mechanisms to eliminate single point of failure consisting of (i) dual or multiple circuits, switches, networks or other necessary devices; and (ii) storing of application data in a resilient storage that is replicated in near real time across data centers.
Taking periodic backups (incremental backups every day and weekly full backups) and storing them in an encrypted format in the same datacenter.
Retention of backups for a period of three months and testing recovery of backups at planned intervals.
SLA for service availability with 99.9% monthly uptime as a part of which real time availability can be viewed at https://status.zeifus.com.
Incident Management
An incident response plan and program containing procedures that are to be followed in the event of an information security incident.
Dedicated email (contact@zeifus.com) to which external parties can report security incidents and creating awareness among employees to report any potential security incident or weakness on time without any delay.
Tracking of security incidents, fixing of such incidents through appropriate actions, maintenance of such records in the incident registry and implementation of controls to prevent recurrence of similar incidents.
Incident management procedures that lay down the steps for notifying the client and other stakeholders in a timely manner in accordance with breach notification obligations.
Implementation of appropriate forensic procedures including chain of custody for collection, retention, and presentation of evidence in the event of an information security incident likely to result in a legal action.
Third-Party Vendor Management
Vendor management policy through which Zeifus evaluates and qualifies third party vendors as a part of which new vendors are onboarded only after understanding their processes and performing risk assessments.
Execution of agreements with vendors that require vendors to adhere to confidentiality, availability, and integrity commitments in order to maintain Zeifus’s security stance.
Annual reviews to monitor the operation of vendor’s processes and security measures.