Summit Suite Service agreement

This agreement is between Laird Connectivity LLC, a Delaware limited liability company (LCL), and the customer (Customer) agreeing to these terms and the related Description & Responsibilities, and is effective as of the date of the last signature below.

1.    SCOPE.

LCL agrees to render services (Services) to Customer as described in each order signed by the parties (Order). All Orders are governed by the terms of this agreement and are subject to the Description & Responsibilities.

2.    SERVICES FEES.

The fees payable to LCL for the Services will be detailed in an Order. Customer will pay amounts invoiced plus applicable taxes within 30 days following receipt of an invoice in accordance with this agreement and the Order.

3.    WARRANTY.

a.     30-Day Warranty. LCL warrants that, for a period of 30 days from delivery of the Services each month during the term of an Order, it has performed the Services in conformance with generally accepted practices within the software services industry and in accordance with the Order. Customer must notify LCL of any breach of this warranty no later than 60 days after delivery of the Services for a particular month under the Order in order to make any warranty claim.

b.     LIMITED REMEDY. CUSTOMER'S EXCLUSIVE REMEDY AND LCL'S ENTIRE LIABILITY UNDER THIS WARRANTY WILL BE FOR LCL TO RE-PERFORM ANY NON-CONFORMING PORTION OF THE SERVICES WITHIN A REASONABLE PERIOD OF TIME; OR IF LCL CANNOT REMEDY THE BREACH DURING SUCH TIME PERIOD, THEN REFUND THE PORTION OF THE FEE ATTRIBUTABLE TO SUCH NON-CONFORMING PORTION OF THE SERVICES UNDER THE ORDER.

c.     DISCLAIMER. THE ABOVE WARRANTY IS IN LIEU OF ALL OTHER WARRANTIES. THERE ARE NO OTHER EXPRESS OR IMPLIED WARRANTIES, INCLUDING THE IMPLIED WARRANTY OF MERCHANTABILITY, NON-INFRINGEMENT OR FITNESS FOR A PARTICULAR PURPOSE. LCL CANNOT PROTECT AGAINST ALL SECURITY RISKS, NOT ALL VULNERABILITIES CAN BE DETECTED, AND THE SERVICES ARE LIMITED TO THE SPECIFIC SCOPE OF SERVICES PROVIDED BY LCL IN THE DESCRIPTION & RESPONSIBILITIES:  SUMMIT SUITE SERVICE AGREEMENT.

4.    MUTUAL CONFIDENTIALITY.

a.     Definition of Confidential Information. Confidential Information means all non-public information disclosed by a party (Discloser) to the other party (Recipient), whether orally, visually, or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure (Confidential Information).

b.     Protection of Confidential Information. The Recipient must use the same degree of care that it uses to protect the confidentiality of its own confidential information (but in no event less than reasonable care), and it may not disclose or use any Confidential Information of the Discloser for any purpose outside the scope of this agreement. The Recipient must make commercially reasonable efforts to limit access to Confidential Information of Discloser to those of its employees and contractors who need such access for purposes consistent with this agreement and who have signed confidentiality agreements with Recipient no less restrictive than the confidentiality terms of this agreement.

c.     Exclusions. Confidential Information excludes information that: (i) is or becomes generally known to the public without breach of any obligation owed to Discloser; (ii) was known to the Recipient prior to its disclosure by the Discloser without breach of any obligation owed to the Discloser; (iii) is received from a third party without breach of any obligation owed to Discloser; or (iv) was independently developed by the Recipient without use of or access to the Confidential Information. The Recipient may disclose Confidential Information to the extent required by law or court order, but will provide Discloser with advance notice to seek a protective order.

5.    PROPRIETARY RIGHTS.

LCL owns all right, title, and interest in the results of all Services (Deliverable), including all intellectual property rights embodied in the work.

6.    TERM AND TERMINATION.

a.     Term. This agreement will continue in effect until either party terminates this agreement as provided below or all Orders have expired.

b.     Mutual Termination for Material Breach. If either party is in material breach of this agreement, the other party may terminate this agreement at the end of a written 30-day notice/cure period, if the breach has not been cured.

c.     Renewals. Each Order renews for additional 1-year periods, subject to updated pricing upon notification from LCL, if any, unless either party provides the other with notice of non-renewal for its convenience at least 45 days prior to renewal date.

7.    LIABILITY LIMIT.

a.     EXCLUSION OF INDIRECT DAMAGES. TO THE MAXIMUM EXTENT ALLOWED BY LAW, LCL IS NOT LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT (INCLUDING, WITHOUT LIMITATION, COSTS OF DELAY; LOSS OF OR UNAUTHORIZED ACCESS TO DATA OR INFORMATION; AND LOST PROFITS, REVENUE, OR ANTICIPATED COST SAVINGS), EVEN IF IT KNOWS OF THE POSSIBILITY OR FORESEEABILITY OF SUCH DAMAGE OR LOSS.

b.     TOTAL LIMIT ON LIABILITY. TO THE MAXIMUM EXTENT ALLOWED BY LAW, LCL'S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT (WHETHER IN CONTRACT, TORT, OR OTHERWISE) DOES NOT EXCEED THE AMOUNT PAID BY CUSTOMER UNDER THE APPLICABLE ORDER.

8.    GOVERNING LAW AND FORUM.

This agreement is governed by the laws of the State of Ohio (without regard to conflicts of law principles) for any dispute between the parties or relating in any way to the subject matter of this agreement. Any suit or legal proceeding must be exclusively brought in the federal or state courts for Summit County, Ohio, and Customer submits to this personal jurisdiction and venue. Nothing in this agreement prevents either party from seeking injunctive relief in a court of competent jurisdiction. The prevailing party in any litigation is entitled to recover its attorneys' fees and costs from the other party.

9.    OTHER TERMS.

a.     Entire Agreement and Changes. This agreement, the related Description & Responsibilities and each Order constitute the entire agreement between the parties and supersede any prior or contemporaneous negotiations or agreements, whether oral or written, related to this subject matter. Customer is not relying on any representation concerning this subject matter, oral or written, not included in this agreement. No representation, promise, or inducement not included in this agreement is binding. No modification or waiver of any term of this agreement is effective unless both parties sign it.

b.     No Assignment. Neither party may assign or transfer this agreement to a third party, nor delegate any duty, except that the agreement and all Orders may be assigned, without the consent of the other party, as part of a merger or sale of all or substantially all the businesses or assets of a party.

c.     Independent Contractors. The parties are independent contractors with respect to each other.

d.     Survival of Terms. All provisions of this agreement regarding payment, confidentiality, indemnification, limitations of liability, proprietary rights and such other provisions that by fair implication require performance beyond the term of this agreement must survive expiration or termination of this agreement until fully performed or otherwise are inapplicable. The UN Convention on Contracts for the International Sale of Goods does not apply.

e.     Enforceability and Force Majeure. If any term of this agreement is invalid or unenforceable, the other terms remain in effect. Neither party is liable for events beyond its reasonable control, including, without limitation, force majeure events.

f.      Money Damages Insufficient. Any breach by a party of this agreement or violation of the other party's intellectual property rights could cause irreparable injury or harm to the other party. The other party may seek a court order to stop any breach or avoid any future breach of this agreement.

g.     Order of Precedence and PO. If there is a conflict between the terms of an Order and this agreement (including the Description & Responsibilities), the Order prevails. LCL rejects any conflicting or additional terms of any Customer purchase order.

10.    Description & Responsibilities:


Chain of Trust

     Laird Connectivity Responsibilities

-        Program production hardware modules with a hardware root of trust key unique to the end customer’s platform. 

o    The secure keys are used to sign custom software images and support secure boot for each hardware module.

-        Maintain a secure production environment and manage the secure provisioning of keys during the hardware module production process for each customer. 

-        Maintain the secure process to enable future software image updates to be signed prior to provisioning of hardware modules. 

o    Signed software images are available to customer via a secure server to allow for field distribution. 

     Customer Responsibilities

-        Work with Laird Connectivity to release a software bill of material for provisioning during production.

-        Support a secure interface with Laird Connectivity for the transmission of signed images (via a secure server).

-        Manage distribution of secure software updates to field units

Vulnerability Monitoring and Remediation

     Laird Connectivity Responsibilities

-        Perform a Common Vulnerabilities and Exposures (CVE) scan prior to customer’s software bill of materials/images (Customer SBOM) being released to production.

-        Provide regular CVE scanning on the Customer SBOM.

-        Notify the customer electronically of high or critical vulnerabilities within 5 business days.

-        Develop and discuss a joint mitigation strategy for the identified high or critical vulnerabilities within 15 business days.

-        Execute Joint Mitigation Strategy. Use commercially reasonable efforts to mitigate high or critical vulnerabilities based on the joint mitigation strategy (and use appropriate compensating controls until a more comprehensive risk control measure is available).

-        Provide Software Releases as required for high or critical vulnerability corrections and mitigations within 90 days.

-        Utilize the CVSS scoring methodology to define the severity of vulnerabilities

     Customer Responsibilities

-        Review reports from Laird Connectivity and help prioritize high or critical vulnerabilities

-        Contact Laird Connectivity if Customer is aware of any high or critical vulnerabilities within the SBOM.

-        Provide timely feedback to prioritize medium or low vulnerabilities that may need to be addressed.

-        Utilize the CVSS scoring methodology to define the severity of vulnerabilities

-        Approve new releases, as needed, to implement corrections for targeted CVE.

-        Maintain updated contact information for electronic communications from Laird Connectivity.

-        Review and approve updated releases and manage distribution of software updates to field units.

FIPS Security Validation

     Laird Connectivity Responsibilities

-        Maintain FIPS 140-2 or FIPS 140-3 Level 1 certification across the specified hardware (under this maintenance agreement) throughout the product lifecycle.

     Customer Responsibilities

-        May utilize the “FIPS Validated” logo from NIST within end product documentation when using a Laird Connectivity certified hardware module and Board Support Package Release.

-        Must update to the latest FIPS validated Board Support Package Release as required.

 

DISCLAIMER: LAIRD CONNECTIVITY CANNOT PROTECT AGAINST ALL SECURITY RISKS, NOT ALL VULNERABILITIES CAN BE DETECTED, AND THE SERVICES ARE LIMITED TO THE SPECIFIC SCOPE OF SERVICES PROVIDED BY LAIRD CONNECTIVITY IN THE DESCRIPTION & RESPONSIBILITIES ABOVE AND THE RELATED SUMMIT SUITE SERVICE AGREEMENT.