Marriott Franchise Property Level Subscription Agreement Terms

(To be used by Marriott Franchise Properties only)

Welcome to myDigitalOffice

We are pleased that you will be using our products and services (“Services”). has also entered into a Service Agreement dated June 14, 2019, with Marriott International Administrative Services, Inc. (“Marriott”) whereby Marriott and Vendor have agreed to the terms and conditions pursuant to which Vendor may offer the Services to Marriott Franchise Properties (the “Master Agreement”); These Services are provided by, LLC, (“myDigitalOffice”, or “MDO”, or “Vendor”) to you, the Customer (“Customer”, or “Property”, or “Subscriber”), as part of the Franchise Property Level Subscription Agreement Terms (“Subscription Agreement” or “Agreement”) and Order Form you have signed. By using our Services, you are agreeing to these terms. Please read them carefully.

Article 1

1.1. Terms and Interpretation.

Unless otherwise defined in this Agreement, capitalized terms used in this Agreement will have the meaning set forth in the Appendix attached hereto or in the attachments, schedules, exhibits, and other documents attached hereto and made a part hereof. Terms, acronyms, and phrases known in the information technology industry shall be interpreted in accordance with their generally known meanings. Unless the context otherwise requires, words importing the singular include the plural and vice-versa; references to and use of the word “include” and its variations thereof shall mean “include without limitation” and “including without limitation.”

Article 2 – Services

2.1. Services.

This Agreement sets forth the terms and conditions pursuant to which Vendor agrees to (i) grant Subscriber a subscription to access and use certain hosted services as further set forth in Schedule A attached hereto (“Order Form”) (ii) perform services, functions and responsibilities related to the hosting of the system and services (“Hosting Services”); and (iii) perform implementation, training, support and maintenance of the system and services, if any, as described in the Order Form (collectively referred to as “Services”).

2.2. Service Locations.

The Services, including Hosting Services, shall be provided solely from locations within the United States or as otherwise agreed to by the Parties and set forth in the Order Form (“Service Locations”). Any relocation of the Services shall be subject to mutual agreement of the Parties in writing. If such agreement is not reached, Subscriber shall have the right to terminate the Agreement without further liability or penalty.

2.3. Support and Maintenance Services.

a. Vendor will provide support and maintenance services in accordance with Vendor’s then current support and maintenance services attached as set forth in the Order Form (“Support Services”).
b. Vendor will provide Subscriber with no less than forty-eight (48) hours’ prior written notice of all non-emergency maintenance to be performed on the Services outside of the maintenance windows identified in the Order Form During the term of the Agreement, in no event will Vendor (i) materially reduce the functionality of the Services available as of the Effective Date of the Agreement or (ii) alter the Services in such a way as to reduce the performance of the Services in the Subscriber Operating Environment below the Service Levels set forth in the Order Form to which the Parties have mutually agreed. In addition to any other rights or remedies to which Subscriber may be entitled under this Agreement or applicable law, Subscriber may terminate the Agreement without termination penalty if the functionality or performance of the Services is so reduced or altered as to cause a material adverse effect to Subscriber’s use of the Services and not cured by Vendor within a commercially reasonable time period after receipt of written notice thereof, and Subscriber shall receive a refund of any pre-paid amounts applicable to Services not yet performed. The Parties agree that the foregoing refund amount to be paid by Vendor is a fair measure of Subscriber’s damages associated with a breach of this Section and shall not be construed as punitive damages or similar penalty.

2.4. Installation and Training Services.

Vendor will provide the required training for the Subscriber and End Users of the use of and access to the Services as set forth in the Order Form.

2.5. Documentation.

Vendor shall provide Subscriber with access to all Documentation for the Services. The Documentation for the Services will accurately describe in terms understandable by a typical end-user the functions and features of such Services and the procedures for exercising such functions and features, including all subsequent revisions thereto (e.g., revisions to such Documentation related to any modifications or enhancements to the Services). Notwithstanding any provision in this Agreement to the contrary, the Subscriber shall have the right to copy the Documentation, at no additional charge, for its Internal Purposes in connection with access to the Services,
provided all proprietary markings that had been affixed by MDO are retained on such copies.

2.6 Subcontractors.

Vendor shall not subcontract any material portion of the Services, nor shall Vendor disclose, provide access to or transfer any Personal Data to a subcontractor without Subscriber’s prior written consent, which will not be unreasonably withheld. At Subscriber’s request, Vendor shall provide information regarding the subcontractors’ qualifications and a listing of the subcontractors’ personnel used to provide the Services. Vendor shall cause all subcontractors to sign a confidentiality agreement with Vendor that protects Subscriber Confidential Information in a manner that is consistent with the terms of this Agreement as a condition of becoming an authorized subcontractor. Further, Vendor shall be liable to Subscriber for the acts and omissions of its subcontractors that result in a breach of Vendor’s obligations under this Agreement as if the acts or omissions were performed by the Vendor itself and further shall indemnify Subscriber for such acts and omissions if Vendor would have been required to indemnify Subscriber had the act or omission been performed by its own employee pursuant to Article 11. Notwithstanding the foregoing Vendor’s hosting provider for the Services shall not be considered a subcontractor for which written consent is required pursuant to this Section.

Article 3 – Operating Environment/Audit

3.1. Minimum Requirements for the Subscriber Operating Environment.

Vendor will identify in the minimum Subscriber Operating Environment, necessary to optimally access and use the Services, including any incompatibilities as of the Effective Date of this Agreement. If no Subscriber Operating Environment is specified, the existing hardware, software and environment configuration will be deemed to be the Subscriber Operating Environment.

3.2. Features and Functions.

Vendor warrants that it will maintain and operate the Service Web Site such that the features, functions, and links therein perform in all material respects as set forth in the Documentation (e.g., no persisting “broken links,” no error messages when an End User clicks on buttons, menus, links, or other features).

3.3. Privacy Statement.

Vendor will, at Subscriber’s request, post a Subscriber approved privacy statement on the site(“Privacy Statement”) as directed by Subscriber. The Privacy Statement will, at a minimum, notify End-Users of the Personal data collected, how it will be used, and how it will be secured. Any use of cookies, pixel tags, web bugs, or other forms of electronic tracking codes or instrumentalities shall comply with applicable privacy laws and be subject to Subscriber’s prior written approval, and if approved, shall be described in the Privacy Statement or other means as required by applicable law. Vendor will comply with the descriptions and provisions of the Privacy Statement. In addition, the transmission of Personal data between the User and the Vendor’s web server will be protected using commercially acceptable encryption such as Secure Socket Layer (“SSL”). The only types of communication permitted between Vendor and Subscriber Customers will be for purposes of providing customer service relating to transactions conducted by Subscriber Customers on the Service Web Site or questions initiated by such SubscriberCustomers regarding the Services.

3.4 Content.

Vendor shall not make any changes, including changes in content, presentation or placement, to Subscriber Materials displayed on a Service Web Site without Subscriber’s prior written consent. In no event will Subscriber be required to be associated with the Service Web Site if it contains offensive or illegal content, if it puts Subscriber in a negative or disparaging light, or if it exhibits bias against Subscriber. Without limiting Subscriber’s remedies, if Vendor materially breaches any provision of this Section, Subscriber may direct that Subscriber Materials, Marks or other intellectual property be immediately removed from the Service Web Site, and Subscriber may terminate the Order Form immediately upon written notice, in which event it will receive a refund of any pre-paid amounts applicable to Services not performed.

3.5 Marriott Branded Web Sites.

The following provisions apply in the event the Service Web Site is formatted such that a reasonable User would believe that the Service Web Site is owned, controlled or operated by Subscriber (“Marriott Branded Web Site”). Subscriber and Vendor agree that:
a.Subscriber shall have the right to control the structure, sequence and layout of the audiovisual components of the Licensed Products as perceived by an end user, including (a) the appearance and behavior of the graphical user interface components contained therein, such as menus, command buttons, and textual components thereof and (b) the organization and presentation of the user visible functions of the Licensed Products for all content on the MarriottBranded Web Site, including information architecture, page layout, templates, graphics, text, images, links, advertisements, pop-ups, etc. Vendor will implement a “Terms of Use” statement on the Marriott-Branded Web Site in a prominent location as directed by Subscriber. In addition, Subscriber shall have the right to require Vendor to implement changes to the Terms of Use, which changes Vendor shall implement within a reasonable time period of its receipt of such changes from Subscriber.
b. Vendor shall register the domain names of a Marriott-Branded Web Site in the name of Subscriber and execute all documents and perform all actions necessary to effect the assignment of, or to confirm Subscriber’s rights in, such domain names. Subscriber shall appoint Vendor as the technical contact for the domain names of the MarriottBranded Web Sites; provided, however, Vendor’s use of the Marriott-Branded Web Site domain names shall be limited solely to directing End Users to the Marriott-Branded Web Site. Subscriber shall remain, at all times, the administrative contact, registrant and owner of all such Marriott-Branded Web Site domain names. Subscriber shall have the right, at any time, to remove Vendor as the technical contact for any or all of the Marriott-Branded Web Site domain names, and Vendor shall take all actions necessary to effect such removal.

Article 4 – Service Level Commitments

4.1. Service Level Commitment and Reporting.

Vendor shall provide the Services in accordance with the service levels regarding availability, responsiveness, overall quality, and any other attributes in accordance with the service levels as set forth in the Order Form (“Service Levels”). Vendor shall provide monthly reports to Subscriber regarding its performance relative to the Service Levels. Vendor shall utilize the necessary measurement and monitoring tools and procedures to measure and report Vendor’s performance of the Services against the applicable Service Levels to Subscriber on a monthly basis.

4.2. Service Level Credits.

Vendor recognizes that its failure to meet the Service Levels may have a material adverse impact on the business and operations of the Subscriber and that the damage from Vendor’s failure to meet a Service Level cannot be precisely determined. Accordingly, in the event that Vendor fails to meet a Service Level, then, in addition to any non-monetary remedies available to Subscriber under this Agreement, in equity, or at law, Subscriber shall recover, as its sole and exclusive monetary remedy for such failure, the corresponding “Service Level Credit” as specified in the Order Form as liquidated damages. Vendor shall not be required to pay credits to the extent that
failure to meet Service Levels is caused (a) by the actions or omissions of Subscriber or third party systems or networks not in the control of Vendor, or (b) circumstances that constitute a Force Majeure Event. Notwithstanding anything to the contrary in this Section 4.2, should the Vendor fail to meet any Service Level (i) for three (3) consecutive months; or (ii) for four (4) months out of any consecutive twelve (12) month period, Subscriber (A) may terminate the Agreement for cause upon written notice to Vendor and, (B) in addition to any other rights or remedies to which Subscriber may be entitled under this Agreement or applicable law, be entitled to a refund of all service fees paid during the period where the Service Levels were not attained and of any prepaid fees where the Services have not been rendered as of the termination date.

Article 5 – Payment Terms

5.1 Total Charges.

Vendor’s total charges for the Services shall be set forth in the Order Form. The charges specified therein are the total charges; no other fees, costs or expenses may be charged to Subscriber except as set forth in the Order Form. Vendor shall not increase any recurring charges for the Services for the duration of the Term of this Agreement.

5.2 Expenses.

Unless otherwise stated herein, each Party will bear its own costs and expenses in performing its obligations under this Agreement.

5.3 Invoices.

The Subscriber will pay properly submitted, valid invoices within forty-five (45) days after Subscriber’s receipt thereof. If any undisputed amounts remain unpaid and are past due, they shall thereafter bear interest at a rate equal to the lower of: (a) 1% per month, or (b) the rate permitted under applicable law. If any amount is the subject of a dispute between the Parties, and such dispute cannot be resolved promptly, the Subscriber shall pay the amounts due under the applicable invoice, less the disputed amount, and shall advise Vendor in reasonable detail of the reason for the dispute. Vendor shall not invoice Subscriber in advance for Services or expenses without Subscriber’s prior written approval.

5.4 Set-off Rights of Subscriber.

With respect to any amount to be paid by the Subscriber under the Agreement, Subscriber may deduct from such amount any amount that Vendor is obligated to pay or credit the Subscriber under the Agreement.

5.5 Taxes.

All amounts payable under the Agreement are exclusive of any value added, goods and services, sales, excise or similar taxes (“Taxes”). If required by any law, statute, or regulation, Vendor will collect from the Subscriber and remit to the appropriate authorities, any Taxes applicable to the provision of the Services. Vendor will issue the required tax invoice to the Subscriber unless the Subscriber provides Vendor with a timely and valid tax exemption certificate authorized by the appropriate taxing authority. If the Subscriber has paid such Taxes to Vendor, the Subscriber shall have no other responsibility with respect to such Taxes and Vendor shall be responsible for promptly paying such Taxes to the appropriate taxing authority. If it is later determined that such Tax, or any portion thereof, was not required, Vendor will promptly refund the overpaid amount to the Subscriber together with interest on such amounts at the Late Payment Rate regardless of whether Vendor has recovered such amount from such taxing authority. To the extent applicable law requires any such Taxes to be paid by the Subscriber directly to a governmental authority or to the extent a reverse charge mechanism is available and applicable to the Subscriber, the Subscriber shall account for and pay such Taxes according to applicable legal requirements. Notwithstanding the foregoing, and for the avoidance of doubt, Vendor will pay income taxes imposed (including by withholding or other means) by any competent governmental authority on any payments made by the Subscriber under this Agreement. If the Subscriber is required by law to withhold or deduct any amount from its payments to Vendor, the Subscriber will provide Vendor with an official tax receipt of other appropriate documentation to support such withholding. The Parties will cooperate to more accurately determine and minimize, to the extent commercially reasonable, their respective tax liability. Each Party will provide tax information or tax documents reasonably requested by the other Party. Each Party will promptly notify the other of any claim for taxes asserted with respect to this Agreement by a taxing authority with jurisdiction over either Party. With respect to any claim arising out of a tax form or return signed by a Party to this Agreement, the signing Party may control the response to and settlement of the claim, but the other Party may participate to the extent it may be liable.

Article 6 – Confidentiality; Publicity; Personal Data

6.1 Confidentiality “Confidential Information” shall mean any non-public information of the other Party that is designated as confidential, or that the receiving Party knew or reasonably should have known was confidential or proprietary because it derives independent value from not being generally known to the public. Without limiting the generality of the foregoing, Subscriber’s Confidential Information shall include Subscriber Materials and information regarding Subscriber’s customers, sales, marketing, personnel matters, or means of doing business; Vendor’s Confidential Information shall include Vendor’s proprietary methodologies and Vendor Materials. The terms and conditions of this Agreement shall be considered Subscriber and Vendor Confidential Information. Confidential Information shall not include any information which: (a) a Party can demonstrate was rightfully in its possession prior to the date of disclosure to it by the other Party; (b) at the time of disclosure or later, is published or becomes part of the public domain through no act or failure to act on the part of the Party receiving the Confidential Information; (c) a Party has developed independently without reference to any Confidential Information of the other Party; or (d) a Party can demonstrate came into its possession from a third party who had a bona fide right to make such information available. Except as provided herein, the Party receiving Confidential Information will not at any time disclose to any person or use for its own benefit or the benefit of anyone, Confidential Information of the other Party without the prior written consent of said Party. Each Party shall limit disclosure of Confidential Information to its: (i) employees, subcontractors, or agents who have a need to know related to the Parties’ business relationship or (ii) third party auditors or consultants who have a need to know in order to perform their respective contractual obligations for the receiving Party; provided that any person to whom Confidential Information may be disclosed under subsections (i) or(ii) above are subject to a confidentiality agreement, or in the case of a Party’s employees, confidentiality policies, that in either case protects the Confidential Information of the other Party in a manner that is consistent with the terms of this Section. Upon termination of this Agreement or upon the request of the disclosing Party, the recipient of Confidential Information shall promptly deliver to the other Party or destroy any and all such information in its possession or under its control, and any copies made thereof which the recipient of said information may have made, except as the Parties by prior express written permission have agreed to retain. The Parties acknowledge that in the case of Confidential Information communicated through email or which has been scanned or otherwise stored electronically by the receiving Party, the receiving Party’s deletion of (a) email messages from individual mailboxes or(b) documents from its network or individual hard drives will not result in the removal of all copies of such information from the receiving Party’s back-up or archival systems and any such retained Confidential Information shall remain subject to the obligations of confidentiality herein. Neither the receiving Party’s retention of archival copies nor failure to remove copies from its back-up or archival systems will be deemed a breach of this Agreement. Neither Party shall be liable for disclosure of Confidential Information if made in response to a valid order of a court or authorized agency of government; provided that, if available, five (5) days’ notice first be given to the other party so a protective order, if appropriate, may be sought by such Party. The parties acknowledge and agree that a breach of its obligations under this Section may cause harm to the other Party for which monetary damages are not a sufficient remedy. In such event, the Parties understand and agree that the non-defaulting Party shall be entitled to seek to obtain from a court of appropriate jurisdiction immediate injunctive or other equitable relief to which it may be entitled under the circumstances in addition to other remedies allowed under this Agreement and under applicable law.

6.2 Publicity.

Vendor shall not use and shall keep its employee(s), agent(s), and subcontractor(s) from using, either orally or in writing, the name of (including any form of) Marriott International, Inc., the names of its Affiliates and Marriott Marks in connection with any sales, advertising, marketing or promotional activities, including without
limitation, any publication, press release, advertisement, web site, or public forum , without the prior written consent of the Office of the Chief Information Officer of Marriott for each case where such usage is requested. Any such approval granted by Marriott is temporary and may be withdrawn by Marriott on prior written notice. Notwithstanding the foregoing, the preceding restriction does not apply to disclosure required by applicable law, or that may be required or appropriate in the Vendor’s filings with the federal, state, or local government.

6.3 Marriott Marks.

Marriott shall own all right, title and interest in its Marks. Vendor may not use, copy, or distribute Marriott’s Marks without Marriott’s prior written approval in each instance where Vendor wishes to use such Mark.

6.4 Personal Data.

Vendor will comply with all applicable privacy and other laws and regulations relating to protection, collection, use, and distribution of Personal Data. As between Subscriber and Vendor, Personal Data is the exclusive property of Subscriber and will be deemed Subscriber Materials under the applicable provisions of this Agreement and Confidential Information subject to the confidentiality provisions of this Agreement. Vendor will retain, use and disclose Personal Data only on behalf of Subscriber in accordance with this Agreement or other documented instructions of Subscriber . Vendor will not, without the prior written consent of an authorized representative of Subscriber, use Personal Data for any purpose other than to provide the Services under this Agreement. In no event may Vendor: (a) use Personal Data to market its services or those of a third party; or (b) sell or transfer Personal Data to third parties for the commercial benefit of Vendor or any third party; or (c) otherwise provide third parties with access thereto. Vendor shall provide Subscriber with reasonable access to Personal Data at any time as Subscriber may reasonably request. If Vendor is required under applicable law to use Personal Data in a manner inconsistent with any of the foregoing, it will prior to doing so inform Subscriber of the applicable legal requirement(s), unless the law prohibits such notice. (a) Cross Border Transfers. Vendor will ensure that Personal Data is not physically transferred to, accessed by, or otherwise processed by its employees or personnel in any country, other than those specified in the Agreement, unless Subscriber agrees in writing. At Subscriber’s request and solely to the extent required by applicable law, Vendor and any Vendor affiliate or subcontractor will enter into a Data Transfer Agreement, including the European Commission Standard Contractual Clauses, as applicable, with Subscriber to allow Subscriber’s international offices to transfer Personal Data to Vendor and any Vendor affiliate or subcontractor. (b) Individual Rights Assistance. Vendor will notify Subscriber in writing, and in any case within two (2) days of receipt, unless specifically prohibited by laws applicable to Vendor, if Vendor receives: (i) any requests from an individual with respect to Personal Data, including but not limited to opt-out requests, requests for access and/or rectification, erasure, restriction, requests for data portability and all similar requests; or (ii) any complaint relating to the processing of Personal Data, including allegations that the processing infringes on an individual’s rights. Vendor will not respond to any such request or complaint unless expressly authorized to do so by Subscriber and will seek to implement appropriate processes (including technical and organizational measures) to assist Subscriber in responding to requests or complaints from individuals. Vendor will provide any relevant information and assistance requested by Subscriber to demonstrate Vendor’s compliance with its obligations under this Agreement and will allow for and contribute to audits, including inspections conducted by Subscriber or another auditor mandated by Subscriber. Vendor agrees that it will inform Subscriber if it believes that any Subscriber instructions made in the context of an audit or inquiry regarding the processing of Personal Data pursuant to this Agreement would violate applicable law. Taking into account the nature of the processing and the information available to Vendor, Vendor will assist Subscriber in meeting its obligations under data protection laws regarding: (i) registration and notification; (ii) accountability; (iii) ensuring the security of Personal Data; and (iv) the carrying out of privacy and data protection impact assessments and related consultations of data protection authorities.

6.5 Usage Data.

The Parties recognize that it is possible for data to be collected from End Users that is not Personal Data, including “hits”, “clickstream data” and the like. Any such data entered by or collected from End Users, to the extent relating specifically to Subscriber (“Usage Data”), is Subscriber’s exclusive property and shall be deemed Subscriber Materials. Vendor may use Usage Data for the purpose of providing the Services to Subscriber. Aggregate, statistical information derived from Usage Data may be used by Vendor solely for purposes of improving performance and usage of the Services and its service delivery to its customers and such use shall be in compliance with applicable privacy laws. For the purposes of this Agreement “Aggregate Data” means information that relates to multiple individuals that fall into the same group or category, from which individual identities been removed, that is not linked or linkable to Subscriber or to any individual or household, including via a device.

6.6 Regulatory Investigations.

Upon notice to Vendor, Vendor will assist and support Subscriber in the event of an investigation by any regulator, including a data protection authority, or similar authority, if and to the extent that such investigation relates to Personal Data handled by Vendor on behalf of Subscriber in accordance with this Agreement. Such assistance will be at Subscriber’s sole expense, except where investigation was required due to Vendor’s acts or omissions, in which case such assistance will be at Vendor’s sole expense.

6.7 Disclosure Requests.

If Vendor receives any order, demand, warrant, or any other document requesting or purporting to compel the production of Personal Data (including, for example, by oral questions, interrogatories, requests for information or documents in legal proceedings, subpoenas, civil investigative demands or other similar processes) (“Disclosure Request”), Vendor will immediately notify Subscriber (except to the extent otherwise required by laws applicable to Vendor). If the Disclosure Request is not legally valid and binding, Vendor will not respond. If a Disclosure Request is legally valid and binding, Vendor will provide Subscriber at least five (5) days’ notice prior to the required disclosure, so that Subscriber may, at its own expense, exercise such rights as it may have under applicable law to prevent or limit such disclosure. Notwithstanding the foregoing, Vendor will exercise commercially reasonable efforts to prevent and limit any such disclosure and to otherwise preserve the confidentiality of Personal Data and will cooperate with Subscriber with respect to any action taken with respect to such request, complaint, order or other document, including to obtain an appropriate protective order or other reliable assurance that confidential treatment
will be accorded to Personal Data.

Article 7 – Security

7.1 Security.

Vendor shall implement, maintain and continually update throughout the Term of the Agreement appropriate, current technical and organizational security measures to prevent unauthorized access to the Service Web Site and Subscriber Materials under Vendor’s control. Such measures shall in no event be less stringent than those used to safeguard Vendor’s own property, or than those used by other companies providing services similar to the Service and shall include, where appropriate, use of updated firewalls, virus screening software, logon identification and passwords, encryption, intrusion detection systems, logging of incidents, periodic reporting, and prompt application of current security patches, virus definitions and other updates. At a minimum, Vendor shall comply with the security requirements attached hereto as Attachment 1 (“Information Security Requirements”). Vendor shall promptly notify Subscriber if, during the Term of the Agreement, Vendor modifies its security procedures, policies or controls regarding the Vendor’s System used in providing the Service under the Agreement. Any change in a third party hosting provider or hosting facility is subject to continued compliance with this Section. The Vendor’s System and hosting facility used to provide the Services shall be subject to security audits by Subscriber as set forth in this Agreement. Prior to implementing Services and no more than once a year during the term of this Agreement, Subscriber shall have the right to provide Vendor with a request to comply with a security scan and review based on the sensitivity and proprietary nature of the data accessed and processed by Vendor under this Agreement. Where any non-compliance with the Information Security Requirements is noted, Vendor and Subscriber shall agree on a plan and timeframe to either achieve compliance or implement alternative methods to mitigate the effect of such noncompliance to the reasonable satisfaction of Subscriber (“Remediation Plan”). Vendor’s material violation of this Section shall be considered a breach of this Agreement, and Subscriber may exercise its right to terminate under Section 13.4. Notwithstanding the foregoing, Subscriber understands and acknowledges that the transmissions of data through the Internet are not inherently secure, and that security measures are not foolproof.

7.2 Security Breach.

If there is a suspected or actual breach of security involving Subscriber Materials (“Security Breach”), Vendor will notify Subscriber’s Information Protection and Privacy Department at, without undue delay and, in any case, within forty-eight (48) hours of becoming aware of such occurrence. After providing notice, Vendor will investigate the Security Breach, take all reasonably necessary steps to eliminate or contain the exposure of Subscriber Materials and keep Subscriber informed of the status of the Security Breach and all related matters. Vendor further agrees to provide reasonable assistance and cooperation mutually agreed upon by the Parties in the furtherance of any correction, remediation or investigation of any Security Breach and/or the mitigation of any potential damage, including any notification that Subscriber may determine appropriate to send to affected individuals, regulators or third parties, and/or the provision of any credit reporting service that Subscriber deems appropriate to provide to affected individuals. Unless required by law applicable to Vendor, Vendor will not notify any individual or any third party other than law enforcement of any Security Breach in any manner that would identify or is reasonably likely to identify or reveal the identity of, Subscriber without first obtaining the written permission of Subscriber. In addition, within 30 days of identifying or being informed of any Security Breach arising from any act or omission by Vendor, Vendor will develop and execute a plan, subject to Subscriber’s approval, that reduces the likelihood of a recurrence of a Security Breach.

7.3 Delivery/Disposal of Data.

Personal Data, Usage Data and any other data or information specific to Subscriber collected through the use of the Services (collectively, “Data”) shall be readily accessible for Subscriber’s retrieval from the Services at any time during the Term of the Agreement. Following termination or expiration of this Agreement, Subscriber shall have a period of thirty days (30) within which to retrieve all Data from the Services. Vendor shall, as appropriate and as directed by Subscriber, regularly dispose of Data that is maintained by Vendor, but that is no longer necessary to provide the Services or permitted to be used by Vendor as set forth in this Agreement. If Vendor has a legal obligation to retain the Data beyond the period specified in or in a manner inconsistent with the provisions of this Section, Vendor shall notify Subscriber in writing of such obligation, to the extent permitted by applicable law, and will deliver or dispose of the Data in accordance with this Section as soon as possible after the legally required retention period has ended. If Vendor disposes of any paper, electronic or other record containing Data, Vendor shall do so by taking all reasonable steps (based on the sensitivity of the Data) to destroy the Data by: (a) shredding; (b) permanently erasing or deleting; (c) degaussing; or (d) otherwise modifying Data in such records as to make them unreadable, unreconstructable and indecipherable. Upon request, Vendor shall provide a written certification that the Data has been delivered or securely disposed in accordance with this Section. All such Data shall be considered Subscriber Materials and shall be protected in accordance with the confidentiality obligations of the Parties set forth in this Agreement.

7.4 Disaster Recovery Plan.

Vendor warrants that (i) it performs regular server backups of Subscriber Materials; (ii) it maintains a disaster recovery plan; and (iii) a third party tests the disaster recovery plan. The “Disaster Recovery Plan” is a plan that, at a minimum, documents (a) data, system and network recovery procedures, (b) network connectivity fail-over procedures, (c) how Vendor will interact with its disaster recovery vendor, if any, and (d) the estimated time required to recover the functionality of the Services under the Agreement in the event of a Disaster. A “Disaster” shall be defined as any unplanned event or condition that renders Subscriber unable to use the Subscription Services for their intended purposes. In the event of a Disaster, Vendor shall provide notice to Subscriber stating that a Disaster occurred, identifying the affected Services and specifying which recovery services Vendor believes will be required. Any updates to the Disaster Recovery Plan shall be provided to Subscriber within thirty (30) days of the implementation of such update. Subject to the Force Majeure provisions set forth in this Agreement, Vendor shall not diminish or eliminate the Service Levels set forth in the Agreement in the event of a Disaster without Subscriber’s written consent. In addition, Vendor shall (i) provide Subscriber with a copy of any future third party certification reports that review or certify the disaster recovery plan when such reports are made available to Vendor,

7.5 System Backup Requirements.

Vendor shall back up the system used to provide the Services, and Subscriber Materials in its possession on a daily basis and shall archive such Subscriber Materials on a regular basis as described in the Agreement which in no event shall be less frequently than thirty (30) day intervals. Vendor shall store all backup and archival copies of the Subscriber Materials in a secure off-site facility maintained by Vendor (or its designated third party approved by Subscriber). Upon Subscriber’s request, Vendor shall provide Subscriber with copies of, and access to, such backup and archival copies of the Subscriber Materials. Vendor also shall maintain, at all times, back up servers that shall host an exact duplicate of the Subscriber’s Materials in its possession such that in the event such Services and Subscriber Materials or any part thereof becomes unavailable on the primary Vendor’s System, Subscriber may access and use the Services and Subscriber Materials on the back up servers in sufficient time to comply with Vendor’s Service Level commitments, but in no event more than thirty (30) days.

7.6 Bug Bounty Program.

Subscriber has established a bug bounty program (“Bug Bounty Program”) pursuant to which ethical hackers are invited to identify security lapses and issues and submit vulnerability reports to Subscriber (“Bug Bounty Report”) related to its systems. To the extent that Subscriber receives a Bug Bounty Report related to Vendor’s System, Vendor agrees to (a) cooperate with Subscriber in reviewing and validating the Bug Bounty Report, (b) provide Subscriber such assistance and documentation as may be necessary to respond to the Bug Bounty Report, (c) promptly remediate any confirmed vulnerabilities related to Vendor’s System and (d) reimburse Subscriber for all bounties and expenses paid or incurred by Subscriber with respect to a confirmed and validated vulnerability related to Vendor’s System.

Article 8 – Ownership and Use of Information and Materials

8.1 Vendor Information and Materials.

Vendor Materials are and shall remain the property of Vendor or its licensors, which shall retain all Intellectual Property Rights therein. Vendor Materials shall also include: (a) derivative works created to the foregoing, even if the derivative works were created as part of the Services, to the extent such derivative works do not incorporate any Subscriber Confidential Information and (b) the Materials identified in writing as Vendor Materials, which may consist of Materials developed in the course of providing Services under the Agreement, to the extent such Materials do not incorporate any Subscriber Confidential Information. All Vendor Materials shall be subject to the confidentiality provisions of this Agreement. Except as specifically provided in this Agreement, Subscriber obtains no right, title, or interest therein.

8.2 Subscriber Information and Materials.

Subscriber Materials are and shall remain the exclusive property of Subscriber or its licensors, which shall retain all Intellectual Property Rights therein. Vendor obtains no right, title, or interest therein, except that Vendor may use the Subscriber Materials for the sole, exclusive and limited purpose of performing the Services in compliance with the terms and conditions of this Agreement and for its internal business purposes. Vendor shall comply with the terms of any license or other agreement applicable to such Subscriber Material of which it is given notice by Subscriber. All Subscriber Material shall be deemed Subscriber’s Confidential Information and subject to the confidentiality provisions of this Agreement. Vendor shall not encumber the Subscriber Materials in any way, and promptly shall return to Subscriber any and all Subscriber Materials in Vendor’s possession or control upon Subscriber’s request and in any event upon termination of the Agreement.

Article 9 – Warranties

9.1 Ownership and Non-Infringement.

Vendor warrants that Vendor is the lawful owner or licensee of any Materials used to provide the Services to the Subscriber. Vendor also warrants that it has all the necessary Intellectual Property Rights in the Vendor Materials to grant the access rights under this Agreement without violation or infringement of the Intellectual Property Rights of third parties.

9.2 Compliance with Documentation.

Vendor agrees and warrants that during the Term of the Agreement the Services provided hereunder will conform in all material respects to the terms of this Agreement, and its exhibits and attachments, and the Documentation, all of which are incorporated herein by reference. In addition, Vendor agrees and warrants that all updates, changes, alterations or modifications to the Services by Vendor will be compatible with and will not materially diminish the features or functionality of the Services in Subscriber’s Operating Environment, when used in accordance with the Documentation and all of the terms and conditions hereof. Subscriber shall have the right to a refund of pre-paid and unused fees and expenses related to such Service if such Service is found in material breach of the warranties set forth in this Section and Vendor cannot remedy such breach to Subscriber’s satisfaction within thirty (30) calendar days of first notifying Vendor of such breach.

9.3 Compliance with Laws.

Vendor agrees and warrants that the Services will not violate any applicable law, rule, or regulation, and that Vendor possesses all permits required to comply with any applicable law, rule, regulation, ordinance, order, direction and regulation, including applicable privacy and security laws (as they may be amended from time to time) of the applicable government agencies having jurisdiction over the provision and use of the Services. In the event that any change in an applicable law, rule, or regulation requires Vendor to modify the Services as necessary to comply with such change in law, Vendor will make such modifications available in the Services. To the extent Vendor determines that it is not commercially reasonable to provide such modifications after pursuing all commercially reasonable options that were reasonably identifiable to Vendor under the circumstances, Vendor may provide Subscriber with at least and terminate this Agreement. Subscriber shall be entitled to a refund of any prepaid, unused fees for the Services upon Vendor’s termination pursuant to this Section.

Each Party shall comply with all applicable laws, statutes, rules, ordinances, codes, orders and regulations of all federal, state, local and other governmental and regulatory authorities in performing its obligations under this Agreement. Vendor and its subsidiaries, subcontractors and distributors shall comply with Marriott’s Human Rights. Policy Statement which can be found at

To the extent applicable, Vendor (also referred to as “Contractor”) shall comply with Executive Order 11246, as amended, Section 503 of the Rehabilitation Act of 1973, as amended, and the Vietnam Era Veterans’ Readjustment Assistance Act, as amended, which are administered by the United States Department of Labor (“DOL”), Office of Federal Contract Compliance Programs (“OFCCP”). The equal employment opportunity clauses of the implementing regulations, including but not limited to 41 C.F.R. §§ 60.1-4, 60-300.5(a), and 60-741.5(a), are hereby incorporated by reference, with all relevant rules, regulations and orders pertaining thereto. This contractor and subcontractor shall abide by the requirements of 41 C.F.R. §§ 60-1.4(a), 60-300.5(a) and 60-741.5(a). These regulations prohibit discrimination against qualified individuals based on their status as protected veterans or individuals with disabilities and prohibit discrimination against all individuals based on their race, color, religion, sex, sexual orientation, gender identity or national origin. Moreover, these regulations require that covered prime contractors and subcontractors take affirmative action to employ and advance in employment individuals without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, protected veteran status or disability.

To the extent applicable, Vendor also shall comply with Executive Order 13496 and with all relevant rules, regulations and orders pertaining thereto, to the extent applicable. The employee notice clause and all other provisions of 29 C.F.R. Part 471, Appendix A to Subpart A, are hereby incorporated by reference. To the extent applicable, Vendor shall include the provisions of this section in every subcontract or purchase order so that such provisions shall be binding upon each contractor, subcontractor or vendor performing services or providing materials relating to this Agreement and the services provided pursuant to the terms hereof.

To the extent applicable, Vendor further agrees it will comply with all applicable federal, state and local laws governing employment including, but not limited to, the Fair Labor Standards Act, the Immigration Reform and Control Act of 1986, and the Immigration Control Act of 1990. If providing staffing services, Vendor agrees that it will, in response to a request from Subscriber, provide assurances that Contractor is complying with state and federal employment laws.

9.4 Pending Litigation.

As of the Effective Date, Vendor warrants that there is no action, suit, claim, investigation or proceeding pending or, to the best of Vendor’s knowledge, threatened against, by or affecting Vendor or Services to be provided hereunder which, if adversely decided, might affect: (a) Vendor’s ability to enter into this Agreement; (b) Vendor’s performance of its obligations under this Agreement; or (c) Subscriber’s use of the Services as contemplated under this Agreement. Vendor further represents and warrants that it does not know of any basis for any such action. Vendor shall promptly notify Subscriber if any of the foregoing types of litigation arises during the Term of this Agreement that might affect (i) Vendor’s performance of its obligations under this Agreement; or (ii) Subscriber’s use of the Services as contemplated under the Agreement.

9.5 Vendor’s Legal Status.

Each Party warrants that it is duly organized and in good standing under the laws of the jurisdiction in which it is organized and has the authority and power to enter into this Agreement and perform its obligations hereunder. Additionally, each Party warrants that it is not currently the subject of a voluntary or involuntary petition in bankruptcy, does not currently contemplate filing any such voluntary petition, and is not aware of any claim for the filing of an involuntary petition.

9.6 Conflicting Agreements.

Each Party warrants that neither the execution of this Agreement nor its performance of its obligations under this Agreement will directly or indirectly violate or interfere with the terms of another agreement to which such Party is a party, nor will either Party enter into any agreement the execution or performance of which would violate this Agreement.

9.7 Disclaimer.


Article 10 – Insurance

10.1 Insurance.

Vendor shall procure and maintain through the Term of this Agreement, the following insurance coverages through insurers who carry an AM Best Rating of at least “A-”, “VII”, or a comparable rating from a recognized insurance rating agency:

(a) Worker’s compensation insurance that complies with all applicable worker’s compensation laws on all employees working for the Vendor and employer’s liability insurance for not less than one million dollars ($1,000,000) per each accident and disease;
(b) Commercial general liability insurance, including personal injury liability, broad form property damage and blanket contractual liability, with a combined single limit of not less than two million dollars ($2,000,000) per each occurrence. Such commercial general liability insurance policy shall name Subscriber as an additional insured;
(c) Automobile liability insurance covering all owned, non-owned and hired vehicles to the extent Vendor uses an automobile at a location in conjunction with the performance of Services with a limit of at least one million dollars ($1,000,000) per each occurrence. Such automobile liability insurance policy shall name Subscriber as
an additional insured.
(d) Fidelity Bond coverage including third party coverage for employee dishonesty and computer fraud for a limit of one million dollars ($1,000,000) per each occurrence; and
(e) Technology/Professional liability, Media liability and Network Security/Privacy (cyber) liability insurance covering acts, errors, omissions, breach of Agreement, and violation of any consumer protection laws arising out of Vendor’s operations or Services with a limit of five million dollars ($5,000,000) per claim and in the aggregate.

Such coverage shall include but not be limited to, third party and first party coverage for loss or disclosure of any data, including Personal Data and Credit Card Information, network security failure, violation of any consumer protection laws, unauthorized access and/or use or other intrusions, infringement of any Intellectual Property Rights (except patent), unintentional breach of Agreement, negligence or breach of duty to use reasonable care, breach of any duty of confidentiality, invasion of privacy, or violations of any other legal protections for Personal Data, defamation, libel, slander, commercial disparagement, negligent transmission of computer virus, or use of computer networks in connection with denial of service attacks. Vendor shall maintain coverage in force during the Term of the Agreement and for an extended reporting period of not less than three (3) years after.

All policies obtained by the Vendor pursuant to this Agreement shall be specifically endorsed to provide that the coverages shall be primary, and any insurance carried by Subscriber shall be excess and non-contributory. All policies shall be specifically endorsed to provide that such coverage shall not be canceled or materially reduced without at least thirty (30) days prior written notice to Subscriber. The Vendor shall deliver certificates of insurance and any renewal thereof, that evidence that the required insurance coverages are in force.

Article 11 – Indemnification

11.1 Mutual Indemnities.

Each Party agrees to indemnify, defend and hold harmless the other Party and its respective officers, directors, employees, agents, successors, and assigns, from any Losses related to, arising from, or in connection with any Third Party Claims alleging: (a) personal injury, wrongful death, or property damage proximately caused by the negligence or willful misconduct of the indemnitor, its employees, agents or subcontractors; (b) an act or omission of the indemnitor in its capacity as employer of a person; and (c) any breach by the indemnitor of its obligation with respect to Confidential Information under this Agreement.

11.2 Indemnity by Vendor.
Vendor agrees to indemnify, defend and hold harmless Subscriber and their respective officers, directors, employees, agents, successors, and permitted assigns, from any Losses related to, arising from, or
in connection with any Third Party Claims alleging: (a) the infringement by Vendor of a third party’s Intellectual Property Rights; (b) Vendor’s gross negligence or willful misconduct; (c) any violation by Vendor of applicable laws, rules, regulations, ordinances, orders, and directions of federal, state, provincial, county, and municipal governments,
all as they may be amended from time to time; and (d) Vendor’s abandonment or termination of the Services without cause. In the event of Vendor’s breach of its obligations with respect to Personal Data under this Agreement that results in unauthorized use or disclosure of Personal Data and in addition to Vendor’s other obligations under this
Section, Vendor shall reimburse Subscriber and Subscriber Entity for any and all costs and expenses related to notification of effected individuals and procurement of credit protection services for such individuals for a defined period The foregoing obligations of Vendor do not apply (i) to the extent that the allegedly infringing Services or portions or components thereof or modifications thereto result from any change made by Subscriber or any third party for the Subscriber without Vendor’s approval, (ii) to the extent that an infringement claim is based upon Subscriber Materials or (iii) to the extent that an infringement claim is based upon the combination of the Services with any third
party product, software or services except as expressly instructed by Vendor,, provided the infringement would not have occurred in the absence of such combination.

11.3 Indemnity by Subscriber.
To the extend Vendor processes Personal Data on behalf of Subscriber, Subscriber agrees to indemnify, defend and hold harmless Vendor and its officers, directors, employees, agents, successors, and assigns, from any Losses related to, arising from, or in connection with any Third Party Claims alleging such Personal Data and Vendor’s use thereof received directly from or at the direction of Subscriber. 

11.4 Infringement.
If a Service provided under this Agreement, or any part thereof, becomes, or in Vendor’s reasonable opinion is likely to become, the subject of an infringement or misappropriation claim or proceeding, and as a result of such claim or proceeding, Subscriber’s use of the Services, or any part thereof, may be enjoined or interfered with in any manner, then Vendor shall, in the following order of priority and in addition to indemnifying Subscriber as provided in this Agreement and to the other rights Subscriber may have, promptly (which, in the event Subscriber’s use of the Service, or any part thereof, is enjoined or interfered with in any manner, shall not exceed thirty (30) calendar days following such enjoinment or interference) at Vendor’s expense: (a) obtain a license for Subscriber to continue to use
the Service; (b) modify the Service to avoid the infringement but in a manner that still permits the Service to perform as promised under this Agreement; or (c) replace the Service with a compatible, functionally equivalent, and noninfringing deliverable or service. Vendor shall accomplish the remedies under subsections (a), (b) and (c) in a manner that minimizes the disruption to Subscriber’s business operations. If Vendor is not able to accomplish the remedies under subsections (a), (b) and (c) within a commercially reasonable time frame (which, in the event Subscriber’s use of the Service, or any part thereof, is enjoined or interfered with in any manner, shall not exceed thirty (30) calendar days following such enjoinment or interference), upon the discontinued use of the Services, Vendor may, at its option, terminate the Agreement without penalty, and Vendor shall promptly refund any pre-paid amounts applicable to any Services not performed as of the termination date. Sections 11.2 and this Section 11.4 set forth Vendor’s sole and exclusive liability and Subscriber’s sole remedy for any intellectual property infringement or misappropriation claim or proceeding.

11.5 Indemnification Procedures.
The Parties shall follow the following indemnification procedures: Promptly after receipt by the indemnitee of notice of a Third Party Claim, the indemnitee shall notify the indemnitor of such Third Party Claim in writing. No failure to provide indemnitor such notification shall relieve the indemnitor of its obligations under this Agreement except to the extent that the indemnitor can demonstrate prejudice attributable to such failure.
Within fifteen (15) days following receipt of written notice from the indemnitee relating to any Third Party Claim, but no later than ten (10) days before the date on which any response to a complaint or summons is due (“Election Notice Period”), the indemnitor shall notify the indemnitee in writing if the indemnitor elects to assume control of the defense
and settlement of that Third Party Claim (“Election Notice”). If the indemnitor delivers an Election Notice relating to any Third Party Claim within the required Election Notice Period, the indemnitor shall be entitled to have sole control over the defense and settlement of such claim; provided that: (a) the indemnitor’s successful defense or settlement of such claim is reasonably likely to result in the indemnified Party’s release of all liability relating to such claim; (b) the indemnitee may participate in the defense and employ counsel at its own expense to assist with such Third Party Claim; and (c) the indemnitor shall obtain the prior written approval of the indemnitee before entering into any settlement of such Third Party Claim that purports to bind the indemnitee. After the indemnitor has delivered an Election Notice, the indemnitor shall not be liable to the indemnitee for any legal expenses incurred by the indemnitee in connection with the defense of that Third Party Claim. In addition, the indemnitor shall not be required to indemnify the indemnitee for any amount paid or payable by the indemnitee in the settlement of any Third Party Claim for which the indemnitor has delivered a timely Election Notice if such amount was agreed to without the written consent of the indemnitor. If the indemnitor does not deliver an Election Notice relating to any Third Party Claim within the required Election Notice Period, the indemnitee shall have the right to defend the Third Party Claim in such manner as it may deem appropriate, at the sole cost and expense of the indemnitor. The indemnitor shall promptly reimburse the indemnitee for all such costs and expenses.

Article 12 – Limitation of Liability

12.1 Limitation of Liability. Neither Party shall be liable to the other for special, indirect, incidental, consequential, exemplary or punitive damages of the other or for any form of damages (even if advised of the possibility thereof) other than direct damages arising out of, or in connection with this Agreement or the subject matter hereof. The
aggregate liability to a Party for direct damages shall not exceed the greater of (i) three (3) times the fees paid or payable under the Agreement in the prior twelve (12) month period preceding the vent giving rise to a claim or (ii) $2,000,000 (two million) dollars. Notwithstanding the foregoing, the limitations of liability in this Agreement shall not
apply to limit: (a) a Party’s defense and indemnification obligations under this Agreement; (b) either Party’s liability to the other Party for Losses incurred by such other Party arising from fraud, gross negligence or willful misconduct, or violation of any applicable laws, rules or regulations of the liable Party; or (c) either Party’s breach of its obligations with respect to Personal Data or Confidential Information under this Agreement.

Article 13 – Term and Termination

13.1 Term of Agreement.
This Agreement shall commence on the Effective Date and remain in effect for three (3) years (“Term of Agreement”); provided that if an Order Form is active at the expiration of this Agreement, the terms and conditions hereof will remain in effect for such active Order Form until its completion. For clarity, an Order Form may not be executed nor renewed by the Parties following the (i) expiration or termination of this Agreement or (ii) the expiration or termination of the Master Agreement.

13.2 Order Form Initial Term and Renewal.
Each Order Form executed by the Parties, shall set forth a term for the Services provided thereunder. At the expiration of the Initial Term, the Order Form shall renew for the same period (“Renewal Term”) unless Subscriber elects not to renew the Services by notifying Vendor of such election in writing thirty (30) days prior to the expiration of the applicable term. Subject to Section 13.1 above, the Order Form shall continue to renew in a similar manner at the expiration of each subsequent Renewal Term.

13.3 Termination by Subscriber for Convenience. Subscriber may terminate this Agreement or Order Form at any time without cause on thirty (30) days’ prior written notice without liability to Vendor, except for payment by Subscriber on a pro rata basis for work completed or Services provided in accordance with the terms of this Agreement prior to such termination notice. Except as otherwise instructed by Subscriber immediately upon receipt of such termination notice by Vendor, Vendor shall cease all Services being performed hereunder. With respect to Services performed during the notice period, Subscriber will pay only for Services actually provided in accordance with Subscriber’s instructions.

13.4 Termination by Either Party for Cause.
Either Party may terminate this Agreement on thirty (30) days’ prior written notice if the other Party: (a) has committed a material breach of this Agreement and has failed to cure such material breach within such thirty (30) day notice period; or (b) should become insolvent, file a voluntary petition in bankruptcy, be adjudicated a bankrupt, have a receiver appointed for the operation of its business, or make a material liquidation of assets. Vendor may suspend Subscriber’s access and use of the Services (i) upon ten (10) days’ written notice to Subscriber in the event Subscriber is in breach of this Agreement, or (ii) if, and so long as, in Vendor’s reasonable business judgment, there is a security risk created by Subscriber that may interfere with the proper continued provision of the Services or the operation of Vendor’s network or systems.

13.5 Effect of Termination.
Upon termination of this Agreement for any reason, each Party shall: (a) return any
Confidential Information of the other Party in its possession in a form reasonably requested by the other Party and delete all copies of such Confidential Information from all systems, records, and backups; and (b) Vendor shall immediately cease using Subscriber Materials, and Subscriber shall immediately cease use of the Services. Additionally, Vendor shall refund to Subscriber any prepaid amounts applicable to Services not performed as of the termination date, and Subscriber shall pay any outstanding fees owed to Vendor. Termination of this Agreement shall not affect any rights that any Party may have (whether at law or in equity), with respect to any breach of this Agreement occurring prior to or following such termination.

Article 14 – Resolution of Disputes

14.1 Resolution of Disputes.
Prior to the initiation of litigation, the Parties shall first attempt to resolve their dispute on an informal basis in accordance with this Section. All communications made in connection with informal dispute resolution hereunder shall be deemed confidential and privileged settlement communications pursuant to the applicable rules of evidence and shall not be admissible in any legal proceedings.
(a) The Party believing itself aggrieved (the “Invoking Party”) shall call for management involvement in the dispute negotiation by written notice to the other Party. The Parties shall use their best efforts to arrange personal meetings and/or telephone conferences as needed, at mutually convenient times and places, between negotiators for the Parties set forth below:
Subscriber Vendor
As indicated on the signed Property
Order Form Director of Operations
The negotiators shall have a period of ten (10) business days in which to attempt to resolve the dispute, unless otherwise agreed to by the Parties. The allotted time for the negotiation shall begin on the date of receipt of the Invoking Party’s notice. If a resolution is not achieved by the negotiators within the allotted time for such negotiations, then either Party shall have the right to commence litigation proceedings.
(b) The Parties agree that the foregoing shall not apply when a Party makes a good faith determination that a breach of the terms of this Agreement by the other Party is such that the damages to such Party resulting from the breach will be so immediate, so large or severe, and so incapable of adequate redress after the fact that a temporary restraining order or other immediate injunctive relief is the only adequate remedy.
(c) The Parties agree to consider resolution of their dispute by binding arbitration, subject to their mutual written agreement to do so at the time of the dispute.
(d) Except where clearly prevented by the area in dispute, both Parties shall continue performing their obligations under this Agreement while the dispute is being resolved under this Section unless and until the dispute is resolved or until this Agreement is terminated or expires as provided herein.

Article 15 – General

15.1 Assignment.
Neither Party may assign or transfer this Agreement, in whole or in part without the prior written consent of the other Party; provided, that either Party may assign to an Affiliate and Vendor may assign this Agreement or any interest herein, or delegate any obligation hereunder without the prior written consent of Subscriber to an Affiliate in connection with a merger, consolidation, reorganization acquisition or transfer of all or substantially all of Vendor’s assets, provided however that Subscriber shall have the right to immediately terminate the Agreement without any further liability if such assignment is made to a Marriott Competitor. For all valid assignments and delegations, this Agreement shall bind and inure to the benefit of the Parties and their successors and assigns.

15.2 Force Majeure.
If a Party fails to complete, or is delayed at any time in fulfilling its obligations under this Agreement and: (a) such failure or delay is due to a cause beyond such Party’s reasonable control; (b) such Party is without fault in causing such failure or delay; and (c) such failure or delay could not have been prevented by reasonable precautions and cannot reasonably be circumvented by such Party through the use of alternate sources, workaround plans or other means, (“Force Majeure Event”), the other Party will: (i) extend the time of completion for a reasonable time provided the Party continues to use its best efforts to re-commence performance whenever and to whatever extent possible without delay; or (ii) excuse the failure to fulfill its obligations provided the Party continues to use its best efforts to comply with such obligations. No such extension or excuse shall be granted unless such Party gives
written notice of failure or delay to the other Party within three (3) business days after such Party first has knowledge of the Force Majeure Event. If a failure or delay caused by a Force Majeure Event continues, or is likely to continue, for longer than thirty (30) business days, Subscriber may terminate this Agreement, without liability, except for amounts due and payable for Services already performed hereunder prior to the date of the Force Majeure Event, and payment of any pro rata portion of any “holdback” or retained fees.

15.3 Supplier Diversity Program. Vendor acknowledges and understands that Subscriber has a supplier diversity program and agrees to provide reasonable cooperation and information to Subscriber as part of such program. Specifically, if Vendor is a certified minority-, woman-, service veteran-, disabled-, or LGBT (Lesbian, Gay, Bisexual or
Transsexual)-owned business (collectively “Diverse Business”), Vendor shall submit a copy of the relevant certification prepared by a certifying organization confirming its status as a Diverse Business, and shall notify Subscriber promptly of any changes to its status as a Diverse Business. If, in connection with the Services to be provided hereunder, Vendor has business relationships with Diverse Businesses, Vendor will use reasonable efforts
to: (a) supply Subscriber with a list of such Diverse Businesses together with a copy of the relevant certification prepared by a certifying organization; and (b) report the dollar amount impact of such Diverse Businesses in a format reasonably requested by Subscriber.

15.4 Notices.
All notices, requests and demands, other than routine communications under this Agreement, shall be in writing and shall be deemed to have been duly given when delivered, or when transmitted by confirmed facsimile (with a copy provided by another means specified in this Section), or one (1) business day after being given to an overnight courier with a reliable system for tracking delivery, or three (3) business days after the day of mailing, when mailed by United States mail, registered or certified mail, return receipt requested, postage prepaid, and addressed as follows:
Vendor: Subscriber:
myDigitalOffice As indicated on the signed Property
4350 East West Highway, Suite 401
Bethesda, MD 20817
Order Form
Attn: Ali Moloo
Either Party may from time to time change the individual(s) to receive notices under this Section and its address for notification purposes by giving the other prior written notice of the new individual(s) and address and the date upon which the change will become effective.

15.5 Relationship of Parties.
Both Parties agree that they are independent entities. Nothing in this Agreement shall be construed to create a partnership, joint venture, or agency relationship between the Parties. Each Party is responsible for the supervision, management, direction, employment costs, and payment of compensation of its own employees. Each Party is responsible for any injury to its own employees occurring in the course of such employees’ employment for which their employer is responsible.

15.6 Remedies are Cumulative.
Unless otherwise expressly set forth in this Agreement, all remedies available to either Party for breach of this Agreement are cumulative and may be exercised concurrently or separately, are in addition to any other rights and remedies provided by law, and the exercise of any one remedy will not be deemed an election of such remedy to the exclusion of other remedies.

15.7 Waiver.
No failure of either Party to exercise any power or right granted hereunder to insist upon strict compliance with any obligation hereunder, and no custom or practice of the Parties with regard to the terms and performance hereof shall constitute a waiver of the rights of such Party to demand full and exact compliance with the terms of this Agreement. No waiver of any provision or right hereunder will be valid unless it is in writing and signed by the Party giving such waiver.

15.8 Severability. The Parties intend that this Agreement is valid and shall be enforced as written. If any provision of this Agreement is held by a court of competent jurisdiction to be overly broad, excessive, or unenforceable in any circumstances or to any extent, then the remainder of the Agreement and the application of such provision or portion in all other circumstances shall be valid and enforceable to the fullest extent permitted by law or equity.

15.9 Survival of Provisions.
The terms and provisions of this Agreement that by their sense and context are intended to
survive the performance thereof or hereof by either Party or both Parties hereto shall so survive the completion of performance and termination or expiration of this Agreement, including Articles concerning Confidentiality, Publicity, Personal Data, Warranties, Indemnification, Insurance, and Limitation of Liability and making of any and all payments
due hereunder.

15.10 Counterparts; Facsimile Signatures.
This Agreement shall be binding on the Parties through facsimile or scanned and emailed signatures, including electronic or digital signatures. For clarity, electronic, digital, machine-generated or images of signature shall be considered valid for executing this Agreement or an Order Form as if the original had been received.

15.11 Governing Law and Jurisdiction.
This Agreement, the interpretation hereof, and any dispute arising hereunder, shall be governed by the laws of the State of New York, without regard to its choice of law rules. If New York subsequently adopts the Uniform Computer Information Transaction Act (“UCITA”) or an act that is substantially based on UCITA, the Parties hereby opt out from the applicability of the provisions of such act to the maximum extent permitted by law. In addition, for all litigation arising from or relating to this Agreement, the Parties consent to the exclusive jurisdiction of competent Maryland state courts or federal courts located in Maryland. The Parties hereby agree to waive or opt-out of any application of the United Nations Convention on Contracts for the International Sale of Goods.

15.12 No Effect of Click-Through Terms and Conditions.
Where an End User is required to “click through” or otherwise accept or is made subject to online terms and conditions in accessing or using the Services, such terms and conditions are binding and shall have force or effect as to the Services solely with respect to the End User; provided, that in the event of a conflict between the provisions of online terms and conditions and the Agreement, the terms of the Agreement shall control.

15.13 Entire Agreement; Amendments.
This Agreement and its Terms, exhibits, appendices, or any other attachments
constitutes the entire understanding of the Parties with respect to the subject matter herein. This Agreement may not be amended or modified by a purchase order, invoice or similar form, or conduct manifesting assent, and each Party is hereby put on notice that any individual purporting to amend or modify this Agreement by a purchase order, invoice or similar form, or conduct manifesting assent is not authorized to do so. Any and all previous agreements and understandings between the Parties regarding the subject matter hereof, whether written or oral, are superseded by this Agreement (except for any confidentiality agreements to which the Parties have duly executed, which shall
remain in full force and effect for any discussions, transactions or exchanges of confidential information outside of the subject matter herein). This Agreement shall not be modified or amended except in a writing signed by the authorized representatives of each Party.

APPENDIX – Definitions

Capitalized terms used herein shall have the meanings ascribed to them in the Attachments, Schedules, Appendices, Exhibits and other documents attached hereto, or as defined hereunder:
“Affiliates” shall mean entities: (a) under the majority ownership or control of, under common majority ownership or control with, or which own or control, a Party; and (b) partnerships and joint ventures in which a Party or an entity under clause (a) above is a partner or a principal.
“Agreement” shall mean the Property Level between the Parties including any attachments, appendices, schedules, and exhibit(s) hereto.
“Bug Bounty Program” shall have the meaning set forth in Section 7.6.
“Bug Bounty Report” shall have the meaning set forth in Section 7.6.
“Confidential Information” shall have the meaning set forth in Section 6.1.
“Diverse Business” shall have the meaning set forth in Section 15.3.
“Documentation” shall have the meaning set forth in Section 2.5
“Effective Date” shall have the meaning set forth in the Property Order Form.
“Election Notice Period” shall have the meaning set forth in Section 11.4.
“Election Notice” shall have the meaning set forth in Section 11.4.
“End User” shall mean any individual (solely if an employee, agent or representative of Subscriber, Subscriber Entity, or
Subscriber Owner, as permitted herein) who is designated by Subscriber as applicable to receive or use the Services;
provided, that Subscriber has paid for use of the Services by such End User under the applicable Order Form.
“Force Majeure Event” shall have the meaning set forth in Section 15.2.
“Intellectual Property Rights” shall mean any and all right, title and interest (including all patent, patent registration,
copyright, trademark, trade name, service mark, service name, trade secret, or other proprietary right arising or enforceable
under any United States federal or state law, rule or regulation, non-United States law, rule or regulation or international
treaty) in any technology, system, invention, medium, or content, including without limitation text, print, pictures,
photographs, video, Marks, logos, designs, drawings, artistic and graphical works, music, speech, computer software and
documentation, any other works of authorship, and any form, method or manner of expression or communication;
“Internal Purposes” shall mean that Subscriber may: (a) designate its employees to use the Services solely for the benefit
of Subscriber; and (b) designate one or more consultants, auditors, and other third party service providers to exercise
Subscriber’s rights under this Agreement with respect to the Services solely for the benefit of Subscriber; provided that the
aforementioned third parties are under an obligation to protect the confidentiality of the Services to the same extent this
Agreement obligates Subscriber to protect the confidentiality of the Services.
“Invoking Party” shall have the meaning set forth in Section 14.1(a).
“Late Payment Rate” shall mean the lower of: (a) 1% per month; or (b) the highest interest rate permitted by applicable law
for outstanding debt.
“Losses” shall mean all losses, fines, penalties, liabilities, damages and claims, and all related costs and expenses
(including reasonable legal fees, disbursements and costs of investigation, litigation, settlement, judgment, interest and
“Malfunction” shall mean a failure by the Services to perform as required by this Agreement.
“Marks” shall mean trademarks, trade names, web site domain names, service marks and logos, whether or not registered.
“Marriott Competitor” shall mean any company providing lodging related services to the general public.
“Materials” shall mean any and all reports, computer programs, Documentation, specifications, products, work product,
software, source code, algorithms, routines, graphics, files, software patches, enhancements, modifications, diagrams,
charts, functional descriptions, photographs, surveys, or other materials, writings, or derivatives thereof however delivered.
“Party” or “Parties” shall mean, individually, Subscriber or Vendor as the context requires and, collectively, both
Subscriber and Vendor.
“Personal Data” shall mean any End User information that can be associated with or traced to any individual End User,
including an individual’s name, address, telephone number, e-mail address, credit card information, social security number,
or other similar specific factual information, regardless of the media on which such information is stored (e.g., on paper or
electronically) and includes such information that is generated, collected, stored or obtained as part of this Agreement or
such information that Vendor has access to while performing its obligations and responsibilities under this Agreement.
“Service(s)” shall have the meaning set forth in Section 2.1.
“Service Web Site” shall mean the web site(s) and other forms of electronic communication that constitute a part of the
Services and means the Internet site operated by Vendor to provide access to the Services.
“Security Breach” shall have the meaning set forth in Section 7.1
“Subscriber”, or “Customer”, shall mean the (1) signing entity that operates or owns a property under a franchise or
license agreement with Marriott or (ii) signing third party management company.
“Subscriber Customers” shall mean customers or guests of Subscriber.
“Subscriber Materials” shall mean Materials owned by Subscriber and Subscriber data stored or used in or produced or
obtained as the result of processing through the use of the Services, including Personal Data.
“Subscriber Operating Environment” shall mean the minimum hardware, software and environment configuration
necessary to access and use the Services identified in the Order Form, including any incompatibilities as of the effective date
of the Agreement.
“Taxes” shall have the meaning set forth in Section 5.5.
“Term of Agreement” shall have the meaning set forth in Section 13.1.
“Third Party Claim(s)” shall mean all claims or threatened claims, civil, criminal, administrative, or investigative action or
proceeding, demand, charge, action, cause of action or other proceeding asserted against a Party brought by a third party.
“Vendor” shall have the meaning set forth in the Preamble.
“Vendor Materials” shall mean all Materials owned by Vendor and shall also include any information, products, or services
contained or made available to Subscriber in the course of providing the Services, including any training materials or
“Vendor’s System” shall mean the software, hardware, and systems used by Vendor to provide Subscriber with access to
and use of the Services.


1. Application or service being provided to MI has been reviewed by an independent third party and a compliance
report or certification letter can be provided. (ex. Service Organization Controls (SOC) 1 Type 2 report, SOC 2
Type 2 report, an ISO 27002 review or equivalent).
2. Data Center or Co-location facility used to host the service or application has been reviewed by an independent
third party and a compliance report or certification letter can be provided. (ex. Service Organization Controls
(SOC) 1 Type 2 report, SOC 2 Type 2 report, an ISO 27002 review or equivalent).
3. Vendor allows MI to remotely run non-invasive, credentialed web application/vulnerability scans using industry
accepted tools to test the security of the service or application. Any Critical, High or Medium security issues
discovered by these scans will be remediated within time frames agreed to in coordination with MI. (Typically,
Critical & High flaws within 30 days and Medium flaws within 60 days)
Network Security
4. A firewall exists at each Internet connection and between any demilitarized zone (DMZ) and the internal network
5. For web applications, an automated solution (such as a web-application firewall) that continually checks traffic to
detect and prevent web-based attacks against externally facing web applications is in place.
6. A formal process is in place for approving and testing all external network connections and changes to the firewall
7. Documentation and business justifications exist for the use of insecure services, protocols or ports and includes
documentation of security features implemented to mitigate the risks of using insecure services.
8. Firewall (Security/Network Group) and router rule sets are reviewed at least every six months.
9. MI data is not stored on any system components connected directly to the Internet (i.e. on the web servers or in the
10. A Network Intrusion Detection or Prevention System (NIDS/NIPS) is in place to detect, alert on, and block or initiate
response to potentially malicious activity.
11. For communications via HTTPS (web applications, web services, etc.) only current, non-vulnerable protocols &
ciphers are enabled (i.e. TLS 1.1 or higher).
12. In cloud or co-location environments, all internal data in transit is encrypted. (i.e. end-to-end encryption).
13. Network access (non-console) to systems hosting MI data for administrative purposes use encryption technologies
such as SSH, VPN or TLS for web-based management.
Configuration Management
14. Router configuration files are secured and synchronized across the network.
15. All patches and system and software configuration changes are tested before deployment.
16. Separate development, test, and production environments exist to develop and test changes to the systems or
17. Users have separate accounts for accessing each environment (dev, test, QA, Prod, etc.) with defined and
documented separation of duties between the personnel or functions within each environment.
18. Production MI data is not being used within development environments. Any copies of data used in QA, user
acceptance or staging environments for testing purposes has been properly anonymized (masked) or
pseudonymized (transformed) using security industry-recognized methods.
19. Change control procedures are followed and include at least the following steps:
a. Documentation of impact for all changes
b. Management sign-off by appropriate parties
c. Testing of operational functionality
d. Back-out procedures for all changes
20. All system components have configuration standards that assure all known security vulnerabilities are addressed
and the systems are secured/hardened using industry-accepted standards.
21. For any custom developed code, Source code repositories are secured and implement strict access control
22. Outdated or un-supported hardware/software is not used by any components within the system. Example: End of
Life Operating Systems/software/hardware.
23. A process exists that can be used by security researchers or users of the system to submit potential security issues
or vulnerabilities when observed (i.e. an email address is publicly available for submitting security concerns, etc.).
Identity & Access Management
24. For web applications that will allow MI associates to login, the system supports SAML 2.0 to integrate with
Marriott’s Single Sign-On (SSO) solution or an alternative authentication & authorization system is provided that
has been approved by MI and supports MFA for end user access.
25. An access control system has been established that restricts access based on a user’s need to know and is set to
“deny all” unless specifically allowed.
26. Written procedures are in place on user provisioning, authorization and access review processes for the vendors
own systems and for any MI access to the application or service.
27. Passwords require a minimum length and complexity (alphanumeric, unrelated to user ID, contain at least one
number (or special character) and one alpha character, and not all numbers or all characters) based on user type:
a. End Users – minimum 8-characters
b. Privileged Users – minimum of 12-characters
28. User passwords are changed at least every 90 days.
29. The application automatically Removes/disables inactive user accounts at least every 90 days.
30. Passwords do not appear or are masked on the screen when entered.
31. Idle sessions for more than 15 minutes require the user to re-enter the password to re-activate the site or
32. Repeated access attempts are limited by locking out the user ID after 5 attempts within 15 minutes.
33. If a user ID is locked, the lockout duration is a minimum of 30 minutes or until administrator enables the user ID.
34. Users are prevented from using the previous 4 passwords during a password change.
35. The application validates the user identifier and user authenticator as a pair and rejects the logon attempt if the pair
is invalid. The system does not inform the user on which of the two is wrong.
36. All passwords are rendered unreadable (encrypted) during transmission and storage (password hashing) on all
components using NIST approved cryptography.
37. All users are assigned a unique ID before allowing them to access system components. (No shared or group
accounts are used.)
38. Vendor-supplied defaults are changed/removed before installing a system on the network (i.e. passwords, simple
network management protocol (SNMP) community strings, unnecessary accounts, etc.)
39. Remote access to the network or systems that host MI data by employees, administrators or third parties
(contractors) requires multi-factor authentication.
40. All access to web consoles used to manage cloud services are configured to require multi-factor authentication for
System and Application Security
41. Anti-virus software has been deployed on all systems commonly affected by malicious software and is updated at
least weekly with the proper updates or definitions.
42. A file-integrity monitoring (FIM) solution or Host-based IDS has been implemented to detect, alert on, and block or
initiate responses to unauthorized changes, additions, or deletions to critical system files, configuration files, or
audit logs.
43. Marriott production data is stored on a backend file or database server which is physically or virtually different from
the web server.
44. All system components and software have the latest vendor-supplied security patches installed and Critical security
patches are installed within 30 days of release.
45. Applications are routinely tested, to include manual or automated inspection of source code to ensure no critical,
high or medium vulnerabilities exist within the system. External penetration tests are conducted at least annually,
and internal vulnerability scans of the infrastructure are conducted at least quarterly.
Data Protection & Retention
46. Only the minimum amount of Marriott data is stored by the system and the vendor will work with MI business
sponsors to define and adhere to data retention and disposal agreements.
47. All MI data can be purged / deleted from all storage locations, including backup media, in a timely fashion at the
end of the contract term or at the request of MI.
48. All MI data can be transferred to MI in a timely fashion at the end of the contract term or at the request of MI.
49. All employees and contractors that will have access to MI data receive information security training at least
50. Any reports containing Marriott data that can be produced or downloaded from the system can have a
confidentiality label or footer added to the report.
Encryption and Key Management
51. NIST approved cryptography is used to protect all MI data during transmission over open, public networks.
52. All MI data is encrypted at rest in storage (including on portable digital media, backup media, logs, etc.) using NIST
approved cryptography (MI does not allow for the use of cipher/protocols that have been proven to be
weak/vulnerable or “home-grown”/non-standard encryption ciphers/protocols/schemes).
53. Strict access control measures are used to protect encryption keys and access is restricted to the fewest number of
custodians necessary.
54. Cryptographic keys securely stored in the fewest possible locations and forms.
55. Key management processes and procedures are fully documented and implemented to include:
a. How keys are generated
b. How keys are stored and distributed for use within the system
c. How and when keys are changed/rotated
d. How expiring or possibly comprised keys are changed
e. How dual control / split knowledge is implemented to limit access to keys
Physical, Media & Peripherals Security
56. Any hard copy materials containing MI data are properly disposed of (shred, incinerate, pulp, etc.) so that data
cannot be reconstructed.
57. MI data on electronic media is rendered unrecoverable via a secure wipe program in accordance with industryaccepted standards for secure deletion, or otherwise physically destroyed.
58. Multifunction printers (MFPs) used to copy, print or scan MI data are properly secured.
59. MFPs used to handle MI data do not permanently store processed documents on the hard drive or in Dynamic
random-access memory (DRAM) memory as a standard feature.
60. Appropriate facility entry controls are used to limit and monitor physical access to systems.
61. Cameras or other equipment is used to monitor sensitive areas containing MI data.
62. Physical access to publicly accessible network jacks is restricted.
63. Physical access to wireless access points, gateways or handheld devices are restricted.
64. Procedures exist to distinguish between employees and visitors in areas where MI data is accessible.
65. Visitor/access logs are used to maintain audit trails of access to server rooms, data centers or co-location facilities.
Security Logging & Monitoring
66. Audit trails/logging is enabled to link all access to system components (especially Admin IDs) to each individual
67. Automated audit trails/logging is enabled for all system components (servers, applications, databases, etc.) to
reconstruct the following events:
f. Administrative access to MI data or systems hosting/processing MI data
g. Any access to the audit trails or logs
h. Invalid or denied access attempts
i. The creation or deletion of system objects/software
j. Unauthorized or out-of-band changes to database rows and columns
68. For each event, the following items are captured by the audit trails/logs to identify what occurred on the system:
k. User ID
l. Type of event
m. Date and Time of event
n. Success or failure of the event
o. Name of the affected data, component or resource
69. All audit trails are protected from unauthorized modifications or deletion.
70. Audit trails / logs for all system components are reviewed at least daily, either through automated or manual
means, to identify issues that could affect the confidentiality, integrity or availability of the MI data stored,
processed or transmitted by the system.
71. Events from applications or appliances providing security services (Firewalls, IDS’s, etc.) are automatically sent to
the appropriate personnel in real time to address and respond to potential incidents.