Exhibit 10.16
CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE IT IS BOTH (I) NOT MATERIAL AND (II) IS THE TYPE THAT RUBRIK, INC. TREATS AS PRIVATE OR CONFIDENTIAL.
Original Equipment Manufacturer (OEM) Purchase Agreement
This Original Equipment Manufacturer (OEM) Purchase Agreement (“Agreement”) is made and entered into by and between SUPER MICRO COMPUTER INC. (“Supplier”), a Delaware corporation having its principal place of business at 980 Rock Avenue, San Jose, CA 95131 and RUBRIK, INC. (“OEM”), a Delaware corporation having its principal place of business at 1001 Page Mill Road, Building 2, Palo Alto, CA, 94304, United States.
TERMS AND CONDITIONS
1. TERM OF AGREEMENT.
This Agreement is effective as of the date last signed below (“Effective Date”) and will continue thereafter until terminated in accordance with this Agreement (the “Term”).
2. PRODUCTS.
Under the terms of this Agreement, OEM may purchase servers and computer components from Supplier as described in Exhibit A (“Products”) as an original equipment manufacturer. The parties may mutually agree to amend Exhibit A to add or remove Products and the corresponding SKUs, through a written amendment to this Agreement, signed by both parties. For purposes of Section 13 (Compliance), Section 14 (Incoming Inspection and Acceptance), Section 15 (Epidemic Failures), Section 16 (Representations, Warranties, Covenants and Disclaimer), Section 17 (Limitation of Liability), Section 18 (Indemnification) and Exhibit C (Warranty and RMA Policy), the term “Products” will include the Authorized Systems (defined below) that are manufactured or assembled by OEM’s authorized contract manufacturers (“CM”) using a design or components provided by Supplier.
3. SERVICES.
Supplier will provide services for out-of-warranty Products further described in Exhibit B as updated in writing by the parties hereto (“Services”).
4. PRICE.
The current prices (“Prices”) for Products purchased hereunder will be provided to OEM in a written quotation. Any change in Prices will be reflected in Supplier’s quotation and will be mutually agreed upon.
5. PURCHASE ORDERS.
5.1. [***].
5.2. Orders. OEM may order Products for shipment by submitting written purchase orders via email or XML to Supplier or through any other means as mutually agreed to in writing by the parties (each an “Order”). Orders will contain, at a minimum: (i) Product part number, (ii) Product quantity, (iii) requested shipment dates, (iv) Product Price, and (v) delivery address. OEM’s tax exemption certificate number is to be provided as a blanket for all production items, if applicable. [***](“PT”) [***].
5.3. [***](“Authorized Systems”). [***].
5.4. The terms and conditions of this Agreement, and no others, will apply to all Orders. Except for the information included on an Order, as specified in Section 5.2, each party hereby expressly rejects any and all different, conflicting, or additional terms appearing on any purchase order, acknowledgement, confirmation or similar document, and such terms will have no force or effect.
6. FORECAST.
6.1. To assist Supplier with respect to planning, OEM will provide Supplier with a [***] rolling forecast on a [***] basis indicating the number of Products OEM intends to purchase during such period (“OEM Forecast”). [***].
6.2. Supplier will use the OEM Forecast as follows:
a. Capacity Planning. Supplier will perform a [***] capacity analysis based on the OEM Forecast to reserve manufacturing capacity, including labor, all necessary equipment, and factory space. Unless otherwise agreed, Supplier will ensure the necessary capacity required to fulfill the OEM Forecast. [***].
b. Material Planning. Supplier will perform a [***] material analysis based on the OEM Forecast. Supplier will purchase all materials required to meet the OEM Forecast.
6.3. [***]
7. ORDER RESCHEDULES AND CANCELLATIONS.
Subject to OEM’s obligations set forth in Section 8, [***] with respect to such Order.
8. INVENTORY LIABILITY.
a. OEM will have no liability for any inventory other than [***] as defined in Exhibit E, which becomes Obsolete Inventory as defined below. [***].
b. Obsolete Inventory. Unless otherwise agreed, OEM will issue an Order for, and take receipt of all Non-Standard Material inventory that: (i) [***] and (ii) [***](the “Obsolete Inventory”) [***].
9. PAYMENT. OEM agrees to pay all undisputed invoices in U.S. Dollars within [***] from the date of the invoice. Notwithstanding the foregoing, upon written notice to Supplier, OEM may withhold payment for any invoice (or portion thereof) that OEM disputes in good faith. Pending settlement or resolution of such disputed invoice (or portion thereof), OEM’s non-payment of such an invoice (or portion thereof) will not be considered late, will not constitute a default by OEM and will not entitle Supplier to suspend or delay any Services.
10. TAXES.
OEM will be responsible for all taxes with respect to Orders for Products placed by OEM (except Supplier’s income taxes), unless OEM provides Supplier with tax exemption documentation required by the applicable taxing authority.
11. DELIVERY TERMS.
11.1. Title; Delivery. All deliveries of Products purchased pursuant to this Agreement will be made [***] (“Delivery”).
11.2. Time. Supplier will ship Products from its warehouse by the shipment date specified in the Order, [***] (i) [***] and (ii) [***]. Supplier will use reasonable efforts to ship all other Orders accepted, [***] set forth in the OEM Forecast, by the requested shipment date indicated in such Order. Notwithstanding the foregoing, in all cases, Supplier will inform OEM [***] if Supplier cannot fulfill such Order by the requested shipment date. “Business hours” shall be defined as M-F, 9:00am to 5:00pm PT.
12. PRODUCT SHORTAGE; CONSISTENCY OF SUPPLY.
In the event of any supply shortages of Products, manufacturing difficulties or process-related reliability problems, Supplier will allocate [***] Products (and within Supplier’s manufacturing process no fewer components) for supply to OEM [***]. If Supplier is required to change the Specifications or components of a Product by law or for concerns of public safety, Supplier will promptly notify OEM and the parties will cooperate and mutually agree on the required changes. Supplier will use OEM’s bill of materials management software to document and implement any changes to the Specifications or components of a Product even if such changes are requested by OEM.
13. COMPLIANCE.
Supplier represents and warrants that Products sold by or otherwise transferred by Supplier to OEM will comply with applicable laws, rules and regulations, including without limitation, applicable laws, rules and regulations of the European Union and other countries into which Product is shipped, regarding the use of: (i) restricted hazardous substances; (ii) restricted chemicals; or (iii) other materials restricted by applicable law unless expressly agreed otherwise by OEM in writing in advance. Supplier agrees to provide notification of applicable RoHS exemptions and REACH notifications as needed. From time to time, OEM may request evidence of Supplier’s compliance with applicable laws, and Supplier will provide this information in a timely manner. In the event Products are non-compliant with an applicable law, rule or regulation of a country specified in an Order, Supplier may upon prompt written notice to OEM or CM, as applicable, reject such Order. Supplier will promptly provide OEM or CM, as applicable, with an estimated date of compliance to allow OEM or CM, as applicable, to re-submit such Order.
14. INCOMING INSPECTION AND ACCEPTANCE.
OEM may conduct incoming inspection testing to confirm that the Product conforms to any mutually agreed upon specifications and all documentation and information published or provided by Supplier concerning the Products (collectively, the “Specifications”) and does not contain any other errors or defects. Any Product failing to operate upon initial installation (“DOA”) within [***] from the Delivery of such Product, [***]. Supplier will issue an RMA number for such DOA Product within [***] after it receives a request from OEM. If Supplier fails to replace the Products within such time, OEM, in its sole discretion, may require [***]. Transportation charges associated with the replacement (i) to be shipped from OEM to Supplier will be borne by OEM (ii) to be shipped back to OEM, or original delivery destination (as directed by OEM), will be borne by Supplier.
15. EPIDEMIC FAILURES.
15.1. For purposes of this Agreement, “Epidemic Failure Event” will mean Product failures or defects affecting [***] percent ([***]%) or more of any [***] (i) having a similar failure or defect, resulting from the same root cause, as reasonably agreed upon by both parties (ii) occurring at any time within the Warranty period with respect to the particular Product; and (iii) resulting from failures or defects in materials, workmanship, manufacturing process or design or failure to conform with the Specifications. [***]. Upon [***] an Epidemic Failure Event, the remedies of this Section 15 will apply to the entire Product population affected by the root cause(s) until corrective action is complete. Supplier’s obligation to ensure that components meet the Specifications include, but are not limited to, incoming quality control, sub-tier audits, statistical process control, control of workmanship, outgoing quality inspection and all other relevant elements of quality set forth in this Agreement. [***].
15.2. Upon occurrence of a suspected Epidemic Failure Event, OEM will promptly notify Supplier, and will provide, if known and as may then exist, a description of the failure, and the suspected lot numbers, serial numbers or other identifiers, and delivery dates, of the failed Products. OEM will make available to Supplier samples of the failed Products for testing and analysis. Upon receipt of Products from OEM, Supplier will promptly provide its preliminary findings regarding the cause of the failure. The parties will cooperate and work together to determine the root cause. Thereafter, Supplier will promptly provide the results of its root cause corrective analysis, its proposed plan for the identification of and the repair and/or replacement of the affected Products, [***]. Supplier will recommend a corrective action program which identifies the affected units for repair or replacement, and which minimizes disruption to the end user. OEM and Supplier will consider, evaluate and determine the corrective action program. For Epidemic Failure Events that are affecting current production, however, Supplier will identify the problem and develop a plan to solve it within [***] of OEM’s notice.
15.3. Upon [***] an Epidemic Failure Event, Supplier will at OEM’s option: (i) either repair or replace the affected Products; or (ii) provide a credit or payment to OEM in an amount equal to [***].
16. REPRESENTATIONS, WARRANTIES, COVENANTS AND DISCLAIMER.
16.1. Supplier hereby represents, warrants and covenants that the Products will (i) be new and unused; (ii) be free from errors and defects in workmanship and materials; and (iii) conform to the Specifications during the periods set forth in Exhibit C (“Warranty Period”). During the Warranty Period, Supplier will (a) [***] and (b) provide technical support in accordance with the warranties and RMA policies set forth in Exhibit C.
16.2. Supplier hereby represents and covenants that: (i) it will perform the Services in a professional manner and meet the satisfaction of OEM; (ii) the Services and any work product created pursuant to the Services (“Work Product”) will: conform to all applicable industry standards, all specifications described in the applicable Statement of Work (as defined in Exhibit B) and published documentation, be free from material defects; (iii) its performance of the Services and its obligations under this Agreement will not breach any agreement that Supplier has with another party; and (iv) it will abide by all applicable laws, regulations and, when on OEM’s premises, OEM’s safety rules, in the course of performing the Services.
16.3. Supplier will ensure that each of its component suppliers and each Product complies with all standards which (i) are adopted by standards bodies in the industry in which OEM sells the Products and (ii) OEM has determined that, and notified Supplier of, products it sells should adhere. Supplier will (a) release new versions of Products which apply to revisions, updates, or new standards within [***] of adoption of such revised, updated or new standards; (b) make available to OEM, for evaluation purposes, without charge, solely during the Supplier designated evaluation period, all “beta” and other pre-release versions of new Products and major revisions to Products; (c) make available to OEM all released fixes, updates and upgrades to all software and firmware (whether stand-alone or within a Product) free of charge immediately upon first availability of such (OEM may use such software internally as well as for distribution to its customers of Products); and (d) will deploy any released fixes, as requested, reviewed and approved by OEM for deployment to all devices of OEM’s choosing. Fixes may be considered as issues related to system reliability, firmware logic, bug fixes or other customer facing functionality.
16.4. Supplier represents, warrants and covenants that it: (i) has not included, and will not include, in any Product (a) any software, device or mechanism which would permit Supplier or any third party to remotely access, monitor, control or disable the Products without the end user’s consent, or (b) any virus, malware, spyware or other malicious software; and (ii) uses and has used commercially reasonable efforts to prevent the introduction of any of the foregoing into any Products.
16.5. Supplier will (i) obtain and maintain [***] all applicable regulatory approvals and certifications for the Products furnished to OEM (such as FCC (USA), CE (Europe), C-Tick (Australia/New Zealand), Homologation and Radio Type Approvals) to enable their lawful resale and distribution, (ii) assure Product marking and labeling in accordance therewith, and (iii) furnish applicable documentation to OEM evidencing such approvals and certifications as may be reasonable or necessary. In conformance with the foregoing and EU Decision No. 768/2008/EC Supplier will maintain at all times during the Term a technical file (“Technical File”) for the Products containing the following items:
a. Description of the apparatus with a block diagram
b. General Arrangement Drawing
c. List of standards applied
d. RoHS status of all subcomponents
e. Records of risk assessments and assessments of standards
f. Parts list
g. Copies of markings and labels
h. Copy of instructions (user, maintenance, installation)
i. Test Reports
j. Quality procedures
k. Declaration of Conformity / Homologation / Radio Type Approval
l. Bill of materials
16.6. Supplier will deliver a copy of the Technical File to OEM upon request, and at any time upon changes made to the Products that would require revision of the Technical File in order to maintain its accuracy and currency in a format reasonably requested by OEM. Supplier will make, at its own expense, any changes to the Product and/or Technical File that are required by any regulatory agencies following the Effective Date for continued approval listing for the Products.
16.7. Supplier will meet the requirements and provide ongoing proof of its compliance with the Responsible Business Alliance (RBA) Code of Conduct to the extent these codes of conduct do not directly conflict with local laws in the country or countries where Supplier has its business operations and manufacturing facilities. The RBA Code of Conduct may be viewed at: http://www.responsiblebusiness.org/code-standards-and-accountability.
16.8. Supplier will have the portion of Supplier’s quality system that applies to the Products covered under this Agreement registered to the then current and applicable ISO 9000 series. Supplier will, prior to or upon execution of this Agreement, provide OEM a copy of the appropriate certificates of registration issued by such third-party accredited registrar. Supplier will use commercially reasonable efforts to improve Product quality over the course of the Term.
16.9. Supplier and OEM each warrant to the other that it has: (i) all requisite legal and corporate power to execute and deliver this Agreement; (ii) no agreement or understanding with any third party that interferes with or will interfere with its performance of its obligations under this Agreement; (iii) obtained and will maintain all rights, approvals and consents necessary to perform its obligations and grant all rights and licenses granted under this Agreement; and (iv) taken all action required to make this Agreement a legal, valid and binding obligation, enforceable against it in accordance with its terms.
16.10. Supplier and OEM each warrant that its business and performance under this Agreement is and will be in compliance with all applicable federal, state and local laws and government rules and regulations, including, but not limited to, the United States Foreign Corrupt Practices Act of 1977 as amended pursuant to the 1988 Amendments and the International Anti-Bribery and Fair Competition Act of 1998, and the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions.
16.11. EXCEPT AS SET FORTH IN WRITING IN THIS AGREEMENT, SUPPLIER MAKES NO PERFORMANCE REPRESENTATIONS, WARRANTIES, OR GUARANTEES, EITHER EXPRESS OR IMPLIED, ORAL OR WRITTEN, WITH RESPECT TO THE PRODUCTS AND ANY SERVICES COVERED BY OR FURNISHED PURSUANT TO THIS AGREEMENT, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY (I) OF MERCHANTABILITY, (II) OF FITNESS FOR A PARTICULAR PURPOSE, (III) NON-INFRINGEMENT OR (IV) ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE OF TRADE. THE PROVISIONS OF THE LIMITED WARRANTY AND WARRANTY DISCLAIMER ARE REFLECTED IN THE PRODUCT PRICES.
16.12. Supplier will maintain the insurance coverages set forth in Exhibit F.
17. LIMITATION OF LIABILITY.
[***].
18. INDEMNIFICATION.
18.1. Supplier’s Indemnification Obligations. Subject to Section 18.3 below, Supplier will defend, indemnify and hold OEM, its officers, directors, agents, distributors, resellers, customers and employees (collectively the “OEM Indemnified Parties”) harmless from and against any and all claims, suits, demands and actions (collectively “Claims”) brought against the OEM Indemnified Parties, and for all damages, costs, expenses (including, but not limited to, reasonable attorney’s fee and costs) or liabilities (collectively “Losses”) to the extent arising in whole or in part from, (i) [***] (ii) [***] (iii) the personal injury or death or damage to tangible property, to the extent such injury, death or damage is caused by a defect in the Product, Supplier’s failure to comply with this Agreement in connection with its supply of the Product, Supplier’s performance of the Services or the negligent or willful acts or omissions of Supplier; or (iv) [***]. Notwithstanding the foregoing, Supplier will have no indemnification obligations arising from clause (ii) above, to the extent such liability arises from (a) use of the Products in combination with any other third party products not provided by Supplier if such infringement would have not occurred absent such combination and such combination was not reasonably required to use the Product for its intended purpose; (b) any material modification of the Products not intended or expressly authorized by Supplier unless such modification is subsequently incorporated into the Products by Supplier; or (c) [***].
18.2. OEM’s Indemnification Obligations. Subject to Section 18.3 below, OEM will defend, indemnify and hold Supplier, its officers, directors, agents and employees (collectively the “Supplier Indemnified Parties”) harmless from and against any and all Losses to the extent arising in whole or in part from Claims alleging that (i) [***]; or (ii) the manufacture, use or sale of any Product caused personal injury or death or damage to tangible property to the extent any of the foregoing is caused by (a) the negligent acts or omissions or willful misconduct of OEM or (b) [***].
18.3. Indemnification Procedures. Each party’s indemnification obligations set forth in this Section 18 are subject to the following indemnification procedures: (i) the indemnified party must give the indemnifying party prompt notice of each Claim received by the indemnified party; (ii) the indemnifying party will have the right and authority to control and direct the investigation, defense and settlement of such Claims, provided that (a) the indemnified party will be entitled to participate in the defense of such Claim, (b) if a settlement imposes an obligation, restriction or liability on the indemnified party, or requires indemnified party to make an admission, the indemnifying party will obtain the prior written approval of the indemnified party before entering into any settlement of such Claim; and (iii) the indemnified party will provide all assistance and cooperation as may be reasonably necessary for the defense of any Claim, at the indemnifying party’s request and expense.
19. AUDIT RIGHTS.
Upon [***] advance written notice, Supplier will provide information contained in its Technical File, as requested by OEM and will permit OEM or its representative to visit Supplier’s premises and conduct an audit of Supplier’s premises and processes, which will include, but is not limited to, [***]. Any such audit will be conducted during normal business hours not more than [***] (except where OEM determines, in its reasonable discretion, that it has reasonable grounds for believing that there are manufacturing or technical issues relating to the Product. In such cases, OEM will provide such reasonable evidence to Supplier for its review and approval for an additional audit, and such approval shall not be unreasonably withheld) and in a manner designed to cause minimal impact on Supplier’s ordinary business activities.
20. SUPPLY CHAIN DILIGENCE.
Supplier will (and will cause its component suppliers (including any software and firmware suppliers) to) (i) abide by all applicable laws, and (ii) have in place a comprehensive and effective security program designed to prevent the inclusion of (a) any software, device or mechanism which would permit any person or entity to remotely access, monitor, control or disable the Products without the end user’s consent, or (b) any virus, malware, spyware or other malicious software. [***].
21. NOTICE.
Any notice required or permitted under the terms of this Agreement, or when any statute or law requiring the giving of notice, may be delivered (i) by registered airmail or registered courier service, or (ii) by electronic mail, if properly posted and sent to the relevant party at the address set forth below or to such changed address as may be given by either party to the other by such written notice. Any such notice will be deemed to have been given upon receipt or upon [***] after having been dispatched in the manner provided above, whichever is earlier.
For Supplier: Super Micro Computer, Inc.
980 Rock Avenue
San Jose, CA 95131
Attn: General Counsel
Phone: [***]
Email: [***]
For OEM: Rubrik, Inc.
1001 Page Mill Road, Building 2
Palo Alto, CA 94304
Attn: Legal Counsel
Phone:
Email: [***]
22. CONFIDENTIALITY AND DATA PRIVACY.
22.1. Confidential Information. During the Term of the Agreement, a party, its affiliates, or the agents of any of the foregoing (collectively, the “Recipient”) may receive or have access to certain information of the other party, its affiliates or the agents of any of the foregoing (collectively, the “Discloser”) that is identified as Confidential Information. “Confidential Information” means all non-public information disclosed by Discloser to Recipient that is (i) in tangible or intangible form or disclosed orally and which is marked or otherwise designated or identified as “Confidential” or “Proprietary,” (ii) which by its nature under the circumstances of disclosure, would be deemed confidential or proprietary by a reasonable business person. Confidential Information includes, without limitation (a) non-public information relating to the Discloser’s or its affiliate’s technology, customers, vendors, business plans, introduced and non-introduced products, promotional and marketing activities, finances and other business affairs, (b) third-party information that the Discloser is obligated to keep confidential, and (c) the terms of this Agreement and any discussions or negotiations between the parties. All Confidential Information will remain the exclusive property of the Discloser. Any pricing, volume, forecast and similar financial information which is provided by OEM and all OEM software, technical manufacturing information and forecasts are deemed the Confidential Information of OEM. Product roadmaps, schematic diagrams, designs, drawings, formulas, Gerber data, bill of materials, manufacturing processes, shop-floor processes, technique, test data, and pricing are deemed the Confidential Information of Supplier.
22.2. Use and Protection of Confidential Information. As a Recipient, each party agrees: (i) to use the Discloser’s Confidential Information solely for the purposes and transactions set forth in this Agreement; (ii) to use the same standard of care to protect the Confidential Information as it uses to protect its own similar information but in no event less than reasonable and prudent care; (iii) to hold the Confidential Information in confidence and, except as otherwise expressly provided herein, not to disclose the same to any third party without the prior written authorization of the Discloser; (iv) to restrict circulation and disclosure of the Confidential Information to its and its affiliates’ employees, contractors, professional advisors, customers (collectively “Personnel”) who (a) have a need to know the Confidential Information in connection with the parties’ business relationship and in order to enable the parties to perform their respective obligations under this Agreement, and (b) have executed written nondisclosure agreements or are subject to professional obligations requiring them to protect the Confidential Information of the Recipient; and (v) at the Discloser’s option and request, to promptly return or destroy the Discloser’s Confidential Information, including materials prepared in whole or in part based on such Confidential Information, and all copies thereof in whatever medium, and certify to the Discloser that the Recipient no longer has in its possession or under its control any such Confidential Information, provided that the Recipient may retain copies of Confidential Information and materials prepared in whole or in part based on such Confidential Information for evidencing compliance with this Agreement and for prudent record-keeping purposes. 
Receiving Party will not, in connection with the obligations herein, be required to identify or delete Confidential Information held electronically in archive or back-up systems in accordance with its back-up and data retention policies, provided that such information is not accessed or used for any purposes and remains subject to Section 22.
22.3. Exclusions. The foregoing confidentiality obligations will not apply to any information that is (i) already known by Recipient prior to its first disclosure by Discloser and not otherwise subject to a duty of confidentiality, (ii) independently developed by Recipient prior to or independent of the disclosure without use of Discloser’s Confidential Information, (iii) publicly available through no fault of Recipient, (iv) rightfully received from a third party with no duty of confidentiality, or (v) disclosed by Recipient with Discloser’s prior written approval; provided, however, any information that is lawfully required to be disclosed to any court or tribunal or regulatory or governmental agency or is required to be disclosed by law, may be disclosed by Recipient provided that before making such disclosure the Recipient promptly notifies Discloser to give the Discloser an opportunity to object or to assure confidential treatment of the Confidential Information.
22.4. Duration of Confidentiality Obligations. The foregoing confidentiality obligations are intended to apply to Confidential Information received by the Recipient both prior to the Effective Date and during the Term of this Agreement. The parties agree that the Recipient’s obligations with respect to the Confidential Information will survive for a period of [***] following termination of this Agreement; except that obligations under this Agreement with respect to trade secrets will remain in effect for as long as such information will remain a trade secret under applicable law.
22.5. Data Security. Supplier will comply with all applicable laws and regulations (including the California Consumer Privacy Act of 2018 (“CCPA”) and General Data Protection Regulation 2016/679) and OEM’s data security requirements set forth in Exhibit G while utilizing or processing any personally identifiable information collected, generated, used or processed in connection with this Agreement or OEM’s Confidential Information (collectively, with any derivative or aggregated data thereof “OEM Data”) including, but not limited to, those related to data privacy, international communications, the transmission of technical or personal data and export control laws and regulations, and maintain commercially reasonable administrative, physical and technical safeguards to protect the security, confidentiality and integrity of OEM Data. Supplier will not decrease its security and privacy standards during the Term or so long as Supplier maintains OEM Data. Supplier will maintain a formal security and privacy program in compliance with all applicable industry standards that is designed to (i) ensure the privacy, security and integrity of OEM Data and the Products, (ii) protect against threats or hazards to the security, privacy or integrity of OEM Data and the Products and (iii) prevent unauthorized access to OEM Data or the Products in Supplier’s possession. Supplier will only use or process OEM Data for the specific purpose as specified in this Agreement and with OEM’s explicit instruction. Upon notice, Supplier will immediately cease and remediate any unauthorized utilization or processing of OEM Data. Supplier will use commercially reasonable efforts to assist OEM in responding to any requests by individuals regarding notice, choice, access, and privacy-related complaints.
Supplier will process any personally identifiable information (as defined under applicable law) included within OEM Data in accordance with the privacy, data protection and security requirements specified in OEM’s Data Protection Agreement set forth in Exhibit H. Upon written notice, OEM may reasonably inspect or audit Supplier’s facilities, systems and relevant books and records to confirm compliance with the obligations herein and any related applicable data protection laws and regulations. In the event of any known or suspected material breach of security with respect to OEM Data or if Supplier violates or can no longer satisfy its aforementioned obligations with respect to OEM Data for any reason (“Data Privacy Breach”), Supplier will, at its own expense, (a) notify OEM immediately at [***] (in any event no longer than [***] after discovery of such Data Privacy Breach), (b) take immediate action to remedy any Data Privacy Breach and mitigate the effects of such Data Privacy Breach and cooperate fully with all of OEM’s reasonable requests for information regarding such Data Privacy Breach, (c) investigate the actual or suspected security breach and provide OEM with a reasonable remediation plan, approved by OEM, to address the Data Privacy Breach, (d) remediate the effects of the Data Privacy Breach and comply with such remediation plan, (e) cooperate with OEM and any law enforcement or regulatory official investigating such Data Privacy Breach; and (f) provide regular updates regarding the investigation and corrective actions taken including a post-mortem report of the Data Privacy Breach, which will include a description of the remediation efforts, an action plan to prevent the reoccurrence of such Data Privacy Breach and any other information reasonably requested by OEM. In the event that any OEM Data is lost, damaged or destroyed as a consequence of a Data Privacy Breach, Supplier will promptly restore such OEM Data to the last available backup. 
In the event of a Data Privacy Breach, OEM may terminate this Agreement immediately with written notice. When this Agreement is terminated in the event of a Data Privacy Breach or for any reason, Supplier will return or destroy all OEM Data from its records and archives. If Supplier transfers OEM Data to third parties or provides access to third parties, Supplier will ensure such third parties will be bound by the aforementioned obligations. Supplier will indemnify and hold OEM harmless from and against all claims, damages and expenses arising in connection with Supplier’s breach of the obligations in this Section 22.5.
22.6. Background Checks. To the extent permitted by local law, Supplier will perform background checks of its employees, contractors, vendors, and other parties (“Supplier Personnel”) that have access to OEM Data or OEM’s systems (at a minimum, Supplier will conduct criminal, credit, education, and adverse party background checks and any other background checks normally conducted by companies in the parties’ industry). Prior to being provided with access to OEM Data, all Supplier Personnel must successfully pass a background check. If such background checks raise any issues concerning the fitness of any Supplier Personnel to have access to OEM Data, Supplier will notify OEM of such and will obtain OEM’s approval of such Supplier Personnel prior to such Supplier Personnel having any access to OEM Data.
22.7. No Other Use of OEM Data. Supplier will not use, process, analyze, aggregate, deidentify, collect, share, retain or otherwise exploit any OEM Data except as necessary to perform its obligations under this Agreement, including taking any action that would cause any transfers of OEM Data to or from Supplier to qualify as “selling personal information” under the CCPA.
|23.
|
INTELLECTUAL PROPERTY.
23.1. Except as expressly set forth in this Agreement, neither party hereto acquires any right to any of the other party’s trademarks, patents, service marks, trade names, copyrights, commercial symbols, processes, goodwill, or other form of intellectual or commercial property, nor any physical media on which it is delivered or stored regardless of location. Neither party may use such property or rights in any manner other than as explicitly set forth herein. OEM will retain all right, title and interest in any tools and equipment it provides to Supplier pursuant to this Agreement.
23.2. Software Products. Each party acknowledges that any software products provided to it by the other party hereunder (“Software Product”) constitutes only discrete copies of software, the media in which it is stored, and related documentation. Nothing herein transfers any right, title or interest in the software or any intellectual property rights therein from one party to the other. Supplier’s use or distribution of OEM’s Software Products requires and is subject to a separate software license agreement. Further, Supplier agrees that it will make no use of any software provided to Supplier by OEM other than to install such software in the Products.
|24.
|
[***]
|24.1.
|
[***]
|24.2.
|
[***]
|24.3.
|
[***]
|24.4.
|
[***]
|24.5.
|
[***]
|24.6.
|
[***]
|24.7.
|
[***]
|24.8.
|
[***]
|24.9.
|
[***]
|25.
|
PRODUCT DISCONTINUANCE; END OF LIFE.
25.1. [***] OEM may continue to place Orders and purchase Products from Supplier during the [***] according to the terms and conditions, including but not limited to pricing, Orders, and delivery dates, available prior to the [***].
25.2. Supplier may discontinue the availability of third party supplied components (such as drives and memory) and will make reasonable efforts to provide OEM with [***] prior written notice or as soon as reasonably possible (in any case within [***]) after Supplier receives notice from its suppliers (an “End of Life Notice”). OEM may continue to place Orders and purchase Products from Supplier after receipt of the End of Life Notice according to the terms and conditions, including but not limited to pricing, Orders, and delivery dates, available prior to the End of Life Notice, subject to restrictions imposed by third party component vendors. Additionally, OEM may place Orders to ensure adequate inventory of components being discontinued are reserved for the Products (“Last Time Buy”), which shall be Non-Cancelable and Non-Refundable Orders. The specific terms for the Last Time Buy will be mutually agreed upon by the parties at the time of the Last Time Buy.
|26.
|
ARBITRATION.
The parties will settle any controversy arising out of this Agreement by arbitration in Santa Clara County, California in accordance with the rules of the American Arbitration Association. A panel of three arbitrators will be agreed upon by the parties or, if the parties cannot agree upon the arbitrators within [***], then the parties agree that the arbitrators will be appointed by the American Arbitration Association. The arbitrators may award attorneys’ fees and costs as part of the award. The award of the arbitrators will be binding and may be entered as a judgment in any court of competent jurisdiction. Notwithstanding anything to the contrary, nothing in this Section will prevent either party from seeking specific performance, including but not limited to injunctive relief in a court of competent jurisdiction.
|27.
|
TERMINATION.
27.1. Term. The term of this Agreement will commence on the Effective Date and continue for a period of three years (“Initial Term”) and will thereafter be automatically renewed for additional [***] periods unless either party gives written Notice of termination at least [***] before the anniversary of the Initial Term or of any renewal term, as applicable.
27.2. Termination for Cause. Either party may terminate this Agreement at any time (i) upon the commencement of a proceeding that will lead to the dissolution of the other party’s corporate entity or the cessation of its business operations without an assignment to a surviving entity, (ii) if the other party commits a material breach of this Agreement which remains uncured more than [***] after written notice of such breach from the non-breaching party, or (iii) if the other party commits a breach of a material obligation hereunder which by its nature is incurable.
27.3. Termination for Convenience. OEM may terminate this Agreement for convenience upon [***] prior written notice to Supplier.
27.4. Effect of Termination or Expiration. In the event of a termination or expiration of this Agreement, the provisions of this Agreement will continue to apply to all Orders placed by OEM and accepted by Supplier prior to the effective date of such termination or expiration, except for any Order, or portion thereof, canceled pursuant to “Termination for Cause”. Termination or expiration of this Agreement will not, however, relieve or release either party from making payments which may be owing to the other party under the terms of this Agreement.
|28.
|
APPLICABLE LAWS.
28.1. Export Regulation Compliance. Supplier and OEM will at all times comply with all applicable laws and regulations, including, without limitation, all privacy laws, export laws and regulations and the U.S. Foreign Corrupt Practices Act (including, without limitation, not offering any inducement, whether money or goods or services, to any government official, employee, candidate or party). Supplier and OEM understand that the Products are subject to U.S. export control laws, including the Export Administration Regulations, of the Bureau of Industry and Security (“BIS”), U.S. Department of Commerce; and the economic sanctions administered by the Office of Foreign Assets Control (“OFAC”), of the U.S. Department of the Treasury. Both parties agree to comply strictly with all such laws and regulations as they relate to the Products, and, to the extent consistent with this Agreement, to obtain any necessary license or other authorization to export, reexport, or transfer the Products. Without limiting the foregoing, each party agrees (i) not to export, re-export, provide, or transfer the Products to Crimea, Cuba, Iran, North Korea, Sudan, or Syria; to the governments of these countries, wherever located; to any person or entity identified on BIS’s Denied Persons, Entity, or Unverified List or OFAC’s Specially Designated Nationals List or List of Consolidated Sanctions (the “Lists”); to any end user with knowledge or reason to know that the Products will be used for nuclear, chemical, or biological weapons proliferation, or for missile-development purposes; or to any person with knowledge or reason to know that they will export, re-export, provide, or transfer the Products other than in compliance with the foregoing restrictions as updated from time to time, (ii) to screen all intended transfers against these requirements, including but not limited to screening any intended end users against the Lists and (iii) to promptly notify the other party of any potential matches found in the course of such screening. Both parties will use best efforts to promptly address any match found.
28.2. Foreign Corrupt Practices Act (FCPA). Each party agrees to abide by the Foreign Corrupt Practices Act of 1977 (15 U.S.C. 77dd-1 et seq.) (the “FCPA Act”) which prohibits any payment or offer of payment to a foreign official for the purpose of influencing that official to assist in obtaining or retaining business for a company. The FCPA Act includes, but is not limited to, not only the payment of money but also an offer, promise or authorization for the payment of money and an offer, gift, promise or authorization of the giving of anything of value.
28.3. Anti-Kickback. Each party agrees to abide by the Anti-Kickback Act of 1986 (41 U.S.C. 51-58) which prohibits any person from (i) providing or attempting to provide or offering to provide any Kickback; (ii) soliciting, accepting, or attempting to accept any Kickback; or (iii) including, directly or indirectly, the amount of any Kickback in the contract price. “Kickback” as used in this clause, means any money, fee, commission, credit, gift, gratuity, thing of value, or compensation of any kind which is provided, directly or indirectly to either Party, its employee, subcontractor, or subcontractor employee for the purpose of improperly obtaining or rewarding a favorable treatment in connection with a contract with the party.
|29.
|
RELATIONSHIP OF PARTIES.
The relationship of Supplier and OEM established by this Agreement is that of independent contractor. Nothing contained in this Agreement may be construed to (i) give either party the power to direct and control the day to day activities of the other, (ii) constitute the parties as partners, joint ventures, co-owners or otherwise participants in a joint or common undertaking, or (iii) allow either party to create or assume any obligation on behalf of the other party for any purpose whatsoever. All financial obligations associated with OEM’s business are the sole responsibility of OEM.
|30.
|
GOVERNING LAW.
This Agreement will be governed by and construed and enforced in accordance with the laws of the State of California, excluding its conflict of law rules and principles. The United Nations Convention on Contracts for International Sale of Goods does not apply to this Agreement.
|31.
|
ASSIGNMENT.
No party may assign or otherwise transfer its rights or obligations under this Agreement without prior written consent of the other party, which will not be unreasonably withheld; provided, however, this Agreement may be assigned by OEM, without the Supplier’s prior written consent, (i) to an affiliate or (ii) in connection with a merger, reorganization, acquisition or other transfer of all, or substantially all, of the business or assets of OEM.
|32.
|
INSURANCE.
Supplier will, at its own cost and expense, maintain in full force and effect throughout the Term the insurance policies listed in Exhibit F. HOWEVER, THE PARTIES AGREE THAT THE FACT THAT SUPPLIER HOLDS SUCH INSURANCE HAS NO EFFECT ON THE EXCLUSIONS AND LIMITATION OF LIABILITY IN THIS AGREEMENT.
|33.
|
SEVERABILITY.
The terms of this Agreement are severable. If any term is held invalid, illegal, or unenforceable for any reason whatsoever, such term will be enforced to the fullest extent permitted by applicable law, and the validity, legality, and enforceability of the remaining terms will not in any way be affected or impaired thereby.
|34.
|
ENTIRE AGREEMENT.
This Agreement and its Exhibits constitute the entire agreement of the parties with respect to the subject matter hereof and supersede and replace all prior oral or written agreements, representations and understandings of the parties with respect to such subject matter. Except as expressly provided for herein, this Agreement may be changed only by written amendment signed by the parties.
|35.
|
SURVIVAL.
The following Sections will survive any expiration or termination of this Agreement: Section 16 (Representations, Warranties, Covenants and Disclaimer), Section 17 (Limitation of Liability), Section 18 (Indemnification), Section 22 (Confidentiality and Data Privacy), Section 23 (Intellectual Property), Section 26 (Arbitration), Section 27 (Termination), Section 29 (Relationship of Parties), Section 30 (Governing Law), Section 31 (Assignment), Section 33 (Severability), Section 34 (Entire Agreement), and Section 35 (Survival).
[SIGNATURE PAGE FOLLOWS]
IN WITNESS WHEREOF, the parties have executed this agreement effective as of the date last signed below.
Supplier: SUPER MICRO COMPUTER, INC
By: /s/ Don Clegg
Name: Don Clegg
Title: SVP of WW Sales
Date: November 19, 2020

OEM: RUBRIK, INC.
By: /s/ Melinda Wu
Name: Melinda Wu
Title: VP Product Operations
Date: November 19, 2020
EXHIBIT A
PRODUCTS
[***]
EXHIBIT B
SERVICES
|1.
|
SERVICES. Supplier will provide Services in connection with the Products as requested by OEM from time to time. The Services will be as specified in one or more statements of work executed by the parties from time to time hereunder (each, a “Statement of Work”). Except as otherwise provided in this Agreement or a Statement of Work, Supplier is responsible for providing all personnel, facilities, equipment, software, tools and supplies that are required to perform the Services.
|2.
|
FEES. Fees for the Services will be set forth on the applicable Statement of Work.
EXHIBIT C
WARRANTY AND RMA POLICY
|1.
|
Eligible Items: Products set forth on Exhibit A, as updated from time-to-time.
|2.
|
Warranty Period:
|a.
|
[***]
|b.
|
[***]
|c.
|
[***]
|d.
|
[***]
|3.
|
Supplier Standard Warranty Coverage (coverage dates calculated from date of invoice):
|a.
|
Labor coverage includes any labor costs incurred for repairs by Supplier during coverage period. Coverage excludes repairs resulting from customer caused damage.
|b.
|
Parts coverage includes any material and parts costs incurred for repairs by Supplier during coverage period. This warranty excludes repairs related to any failure(s) or defect(s) caused by OEM, including misuse, accident, abnormal use, improper handling, neglect, abuse, alteration, improper installation, unauthorized repair or modification, improper testing; or causes external to the product such as, but not limited to, excessive heat or humidity, power failures, power surges or acts of God. This warranty excludes repairs related to screw holes created by OEM or damage caused by a party other than Supplier. In the event that third party components have been discontinued or supply is no longer available, Supplier will have the option to replace defective components with refurbished or comparable (functionally equivalent and part of OEM’s bill of materials) components. If the only comparable component available is not part of OEM’s bill of materials, OEM will either qualify and add such available comparable component to its bill of materials or release Supplier from its warranty obligations with respect to the discontinued or unavailable third-party component.
|c.
|
[***]
|d.
|
[***] (“RMA”)[***]
|e.
|
Section 14 of the Agreement will apply to any Product found to be DOA.
|4.
|
RMA Procedure
|a.
|
In the event that a Product needs to be returned to Supplier for warranty service or is DOA, OEM must first obtain an RMA number from Supplier. Products returned by OEM must be in Supplier’s standard packaging or comparable packaging and the RMA number clearly printed on the outside of the packaging in which the Product is returned. Supplier will not accept any RMA shipment without the RMA number. The RMA number will become void, and OEM will be required to obtain a new RMA number, if the associated Product is not received by Supplier within [***] after the RMA number is issued.
|b.
|
OEM may request an RMA from Supplier via https://www.supermicro.com/support/rma/, or any other method mutually agreed by the parties.
|c.
|
Upon receipt of failed, non-conforming components from OEM, Supplier will make reasonable efforts to repair such components (“Refurbished Components”) and will maintain Refurbished Components in Supplier inventory, for use in correcting Product non-conformance.
|5.
|
Technical Support. During the Warranty period, Supplier will provide fixes, bug fixes, patches, releases and updates that are generally available to Supplier’s other customers at no additional charge to OEM.
|6.
|
Out-of-Warranty Products. Supplier has no obligation to repair or replace parts beyond the [***] warranty period; however, upon OEM’s request, Supplier will repair or replace such Products, subject to any additional charges set forth in the applicable SOW and in accordance with Exhibit B (Services).
EXHIBIT D
AUTHORIZATION LETTER
[DATE]
Super Micro Computer Inc.
[ADDRESS]
Attn: [ ]
Re: Authorization to Purchase Rubrik Hardware (“Authorization”)
Dear [ ],
RUBRIK, INC., a Delaware corporation having its principal place of business at [ADDRESS] (“Rubrik”), authorizes [_____] to purchase from SUPER MICRO COMPUTER INC. (“Super Micro”) the Rubrik-specific hardware manufactured by Super Micro and set forth in Appendix 1 of this letter, for the purposes of manufacturing products for Rubrik. This Authorization will remain in effect until terminated by notice from Rubrik.
Sincerely,
[ ]
Rubrik, Inc.
Appendix 1
[***]
EXHIBIT D-1
AUTHORIZED SYSTEMS
[***]
EXHIBIT E
NON-STANDARD MATERIAL
[***]
Exhibit F
INSURANCE
Supplier will provide, pay for and maintain in full force and effect the following insurance at not less than the prescribed minimum limits of liability, covering Supplier’s activities, those of any and all subcontractors, or anyone directly or indirectly employed by any of them, and anyone for whose acts any of them may be liable:
1. Commercial General Liability Insurance (Primary and Umbrella/Excess) with limits of not less than [***] per occurrence and in the aggregate for bodily injury, personal injury and property damage. Coverages must include the following: Blanket Contractual liability, products and completed operations, independent contractors, severability of interest and waiver of subrogation against all parties described as additional insureds. OEM and its affiliates are to be named as additional insureds.
2. Workers’ Compensation Insurance in compliance with statutory limits and Employer’s Liability Insurance with limits of not less than [***].
At OEM’s written request in each case Supplier will furnish to OEM true and correct copies of the certificates of insurance maintained in compliance with this Exhibit prior to the Effective Date of the Agreement, and on each anniversary of that Effective Date, as evidence that these policies are in full force and effect.
The amount of insurance to be carried by Supplier beyond the minimums set forth in this Exhibit is to be determined in Supplier’s discretion.
All insurance will be written through companies having an A.M. Best’s rating of at least A VII or otherwise be reasonably acceptable to OEM.
[***]
EXHIBIT G
DATA SECURITY REQUIREMENTS
[***]
EXHIBIT H
DATA PROTECTION AGREEMENT
This Data Protection Agreement (“DPA”) amends or supplements any existing and currently valid agreement(s) and any agreements entered into in the future (each an “Agreement”) made between SUPER MICRO COMPUTER INC. (“Supplier”), a Delaware corporation having its principal place of business at 980 Rock Avenue, San Jose, CA 95131 and RUBRIK, INC. (“OEM”), a Delaware corporation having its principal place of business at 1001 Page Mill Road, Building 2, Palo Alto, CA, 94304, United States. If there is any inconsistency or conflict between this DPA and any Agreement, then this DPA will govern and will survive termination of the Agreement. This DPA will be effective as of _______________, 20___ (“Effective Date”) and will remain in effect until Supplier no longer has possession of or access to OEM Personal Data. OEM and Supplier agree as follows:
|1.
|
Definitions.
|(a)
|
“Applicable Law” means all applicable laws, rules, regulations, orders, ordinances, regulatory guidance, and industry self-regulations including the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) any national laws made under or pursuant to (i) or (ii) (in each case, as superseded, amended or replaced); (iii) the Federal Data Protection Act of 19 June 1992 (Switzerland), as superseded, amended or replaced; (iv) any United Kingdom law replacing or succeeding (i) or (ii); (v) the California Consumer Privacy Act, and (vi) any other U.S. state or federal privacy laws that may take effect during the term of the Agreement.
|(b)
|
“OEM Personal Data” means personal data that is provided to or collected by Supplier in the provision of the Services or otherwise in the context of the relationship between OEM and Supplier.
|(c)
|
“Information Security Program” means information security policies and procedures comprising appropriate administrative, technical and organizational safeguards to ensure the security and confidentiality of OEM Personal Data and to prevent unauthorized or unlawful processing of OEM Personal Data and any loss, destruction of or damage to OEM Personal Data.
|(d)
|
“Personal Data” means any information relating to a data subject that alone, or in combination with other information, is considered “personal data,” “personal information” or an equivalent term under Applicable Law.
|(e)
|
“Security Breach” means any unauthorized access to or interference with Supplier’s facilities, networks or systems where OEM Personal Data resides or any misuse or unlawful or accidental loss, destruction, alteration or unauthorized processing of OEM Personal Data.
|(f)
|
“Services” means those services provided by Supplier pursuant to an Agreement.
|(g)
|
The terms “data subject,” “process,” “processor,” and “supervisory authority” as used in this DPA will have the meanings ascribed to them in the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and any amendment or replacement to it.
|2.
|
Personal Data. In connection with performing its obligations under the Agreement, Supplier will process OEM Personal Data on behalf of OEM. Specific categories of OEM Personal Data that Supplier will process in connection with the Agreement and OEM’s instructions with respect to how Supplier shall process such personal data are set forth in Schedule 1. As between OEM and Supplier, all OEM Personal Data is the sole and exclusive property of OEM. The parties acknowledge and agree that: (a) OEM is a controller of OEM Personal Data under the Applicable Law; and (b) Supplier is a processor of or service provider with respect to OEM Personal Data under the Applicable Law.
|3.
|
Supplier Responsibilities. Supplier is fully responsible for any authorized or unauthorized processing of OEM Personal Data. Supplier will:
|(a)
|
process OEM Personal Data solely for the purpose of performing the Services and will not collect, use, disclose, release, disseminate, transfer, or otherwise communicate or make available to a third party any OEM Personal Data except as necessary to perform the Services;
|(b)
|
not rent or sell OEM Personal Data;
|(c)
|
process OEM Personal Data solely in accordance with OEM’s documented instructions, including those set forth in this DPA and the Agreement;
|(d)
|
process OEM Personal Data in accordance with Applicable Law;
|(e)
|
treat all OEM Personal Data as the confidential information of OEM;
|(f)
|
except as permitted under Section 4 of this DPA, not disclose or otherwise make available in any form any OEM Personal Data to any third party. Supplier may disclose OEM Personal Data to government authorities when required by law but must first notify OEM of the anticipated disclosure (to provide OEM the opportunity to oppose the disclosure and obtain a protective order or seek other relief) except to the extent prohibited by Applicable Law;
|(g)
|
amend, correct or erase OEM Personal Data at OEM’s request and ensure that all OEM Personal Data processed by Supplier is accurate and up-to-date;
|(h)
|
immediately notify OEM in writing of any third-party request to (i) restrict the processing of OEM Personal Data, (ii) port OEM Personal Data to a third party, or (iii) access, rectify or erase OEM Personal Data. Supplier will further assist OEM, at OEM’s request, in complying with OEM’s obligations to respond to requests and complaints directed to OEM with respect to OEM Personal Data processed by Supplier;
|(i)
|
at the direction of OEM, cooperate and assist OEM in conducting a data protection impact assessment and related consultations with any supervisory authority, if applicable, to ensure OEM’s secure processing of OEM Personal Data;
|(j)
|
assist OEM in responding to any inquiry from any data subject or any supervisory authority concerning the processing of OEM Personal Data, as reasonably requested by OEM;
|(k)
|
immediately inform OEM if Supplier is aware or reasonably suspects that OEM’s instructions regarding the processing of OEM Personal Data may breach any Applicable Law;
|(l)
|
ensure the reliability of all personnel who process OEM Personal Data, including by performing background checks upon such personnel (where permissible under Applicable Law), assigning specific and necessity-based access privileges to such personnel, ensuring that such personnel have undergone training in data protection and privacy and ensuring that such personnel are bound by obligations of confidentiality at least as protective as those imposed on Supplier under this DPA; and,
|(m)
|
keep all OEM Personal Data compartmentalized or otherwise logically distinct from, and in no way commingled with, other information of Supplier or its personnel, suppliers, customers or other third parties.
|4.
|
Subcontractors. Supplier will not subcontract or delegate the processing of OEM Personal Data or the performance of any Services under the Agreement to any person or entity other than those persons or entities listed on Schedule 2 (the “Approved Subcontractors”) without prior written consent of OEM. OEM has the right to grant or withhold such consent in its sole discretion and may subsequently revoke such consent if the subcontractor’s performance, in the reasonable judgment of OEM, has been unacceptable. Supplier will remain fully responsible for fulfillment of its obligations under this DPA and will remain the primary point of contact regarding any processing of OEM Personal Data or the performance of any Services that have been subcontracted or delegated. Supplier will be responsible for the acts and omissions of its subcontractors and anyone else to which the processing of OEM Personal Data or performance of the Services has been delegated. Supplier will impose contractual obligations on its subcontractors that are at least equivalent to those obligations imposed on Supplier under this DPA, including a right for OEM to audit subcontractors as set forth in Section 7, through entering into an agreement with its subcontractors with provisions materially and substantially similar to those set forth in this DPA.
|5.
|
Data Transfers. Supplier will not transfer, or cause to be transferred, any OEM Personal Data from one jurisdiction to another without OEM’s prior written consent. Where OEM consents to such transfer, the transfer will be in accordance with all Applicable Law and will not cause OEM to be in breach of any Applicable Law. If OEM is in the European Economic Area (“EEA”) and transfers personal data to Supplier in a country that has not been deemed to provide an adequate level of protection, then such transfers shall be governed by the Controller to Processor Standard Clauses, which are incorporated herein by reference. For purposes of the Controller to Processor Standard Clauses, (i) the party transferring from the EEA will be referred to as the “Data Exporter” and
(ii) the other party will be referred to as the “Data Importer.” Appendix A to this DPA will apply as Appendix 1 of the Controller to Processor Standard Clauses. Appendix B to this DPA will apply as Appendix 2 of the Controller to Processor Standard Clauses. “Controller to Processor Standard Clauses” in relation to the processing of Personal Data pursuant to this DPA means the standard clauses for the transfer of Personal Data to processors established in third countries as updated, amended, replaced or superseded from time to time by the European Commission, the approved version of which in force at present is that set out in the European Commission’s Decision 2010/87/EU of 5 February 2010, available at: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087.
|6.
|
Security Safeguards. Supplier will implement, maintain and monitor a comprehensive written Information Security Program. The Information Security Program will be appropriate to the nature of the Personal Data Supplier Processes and will meet or exceed industry best practices. Without limiting the foregoing, such Information Security Program will include: (a) adequate physical security of all premises in which Personal Data will be processed and/or stored; (b) reasonable precautions taken with respect to the employment of, access given to, and education and training of any and all personnel furnished or engaged by Vendor to perform any part of the Services; (c) appropriate access controls and data integrity controls, including without limitation, ensuring that (i) authentication credentials have an expiration period that allows time for the transfer of data, but are not continuously left open; (ii) password complexity standards are implemented to protect Personal Data from malicious access; (iii) a process is implemented to log individual access to Personal Data; (iv) encryption and pseudonymization of Personal Data, where appropriate; and (v) testing and auditing of all controls; and (d) appropriate corrective action and incident response plans including the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident. Supplier will regularly test, assess, and evaluate the effectiveness of the Information Security Program for ensuring the secure processing of Personal Data. Supplier will provide OEM with the results of all tests and any other audit, review or examination relating to its Information Security Program and take appropriate steps to protect against identified risks. Supplier will comply with its Information Security Program and represents and warrants that its Information Security Program is and will be in compliance with all Applicable Law.
Supplier will deliver separate certifications of such compliance upon OEM’s reasonable request. [Note: This section contains general security. If OEM has its own security requirements now or develops them going forward, those provisions can be attached as an addendum to this DPA and referenced in this Section.]
|7.
|
[***]
|8.
|
Security Breach. If Supplier has notice of any actual or suspected Security Breach, Supplier will take any necessary action to stop the active breach or similar recurring breaches and immediately (and in any event within [***]) (a) notify OEM of the Security Breach and any third-party legal processes relating to the Security Breach, (b) help OEM investigate, remediate and take any other action OEM deems necessary regarding the Security Breach and any dispute, inquiry, investigation or claim concerning the Security Breach; and (c) provide OEM with assurance satisfactory to OEM that such Security Breach will not recur. The notification required under (a) above must include, at a minimum:
|(a)
|
a description of the Security Breach, including the number and categories of data subjects concerned, a summary of the incident that caused the Security Breach, the date and time of the relevant incident, the categories and number of data records concerned and the nature and content of the OEM Personal Data affected;
|(b)
|
a description of the circumstances that led to the Security Breach (e.g., loss, theft, copying);
|(c)
|
a description of recommended measures to mitigate any adverse effects of the Security Breach;
|(d)
|
a description of the likely consequences and potential risk that the Security Breach may have towards the affected data subjects;
|(e)
|
a description of the measures proposed or taken by Supplier to address the Security Breach; and
|(f)
|
any other information required by Applicable Law or necessary to allow data subjects who may be affected by the Security Breach to understand the significance of the Security Breach and to take steps to reduce their risk of harm.
[***]
|9.
|
Representations and Warranties. Supplier represents and warrants the following:
|(a)
|
Supplier is not aware of any previous Security Breaches or, if a Security Breach has occurred, Supplier has disclosed in writing each such Security Breach to OEM and remedied all related security vulnerabilities and taken appropriate measures to prevent similar Security Breaches from occurring again; and
|(b)
|
Supplier is not, and has not been, a party to any current, pending, threatened or resolved enforcement action of any government agency, or any consent decree or settlement with any governmental agency or private person or entity, regarding any Security Breach or otherwise regarding privacy or information security, or if it has been a party to any such enforcement actions, consent decrees or settlements, it has disclosed in writing all such enforcement actions, consent decrees or settlements to OEM and taken appropriate measures to comply with any requirements imposed in connection therewith.
|10.
|
Return or Destruction of Personal Data. Either upon request by OEM or when Supplier no longer is required to process OEM Personal Data to fulfill its obligations under the Agreement, Supplier will (a) cease all use of OEM Personal Data; and (b) return all OEM Personal Data and all copies thereof to OEM or, at OEM’s option, destroy all OEM Personal Data and all copies thereof and certify such destruction in writing, except to the extent that Supplier is required under Applicable Law to keep a copy of OEM Personal Data for a specified period of time. After such time, Supplier will immediately destroy all OEM Personal Data.
|11.
|
Records. Supplier will keep at its normal place of business detailed, accurate and up-to-date records relating to the processing of OEM Personal Data by Supplier and Supplier’s performance under this DPA. Supplier will make such records available to OEM upon request.
|12.
|
Indemnification. Supplier will indemnify, defend, and hold harmless OEM and its parent, subsidiaries, affiliates, agents and suppliers, and their respective officers, directors, shareholders and personnel, from and against any claims, suits, hearings, actions, damages, liabilities, fines, penalties, costs, losses, judgments or expenses (including reasonable attorneys’ fees) arising out of or relating to its failure to comply with this DPA. [***]
|13.
|
Noncompliance; Remedies. If Supplier can no longer meet its obligations under this DPA, including its obligations under Section 5, it will immediately notify OEM. Supplier will take reasonable and appropriate steps to stop and remediate, and will cooperate with OEM’s reasonable requests regarding, any unauthorized processing of OEM Personal Data by Supplier. A breach of any provision of this DPA may result in irreparable harm to OEM, for which monetary damages may not provide a sufficient remedy, and therefore, OEM may seek both monetary damages and equitable relief. [***]. In the event Supplier breaches any of its obligations under this DPA, OEM will have the right to terminate the Agreement, or suspend Supplier’s continued processing of any OEM Personal Data, without penalty immediately upon notice to Supplier. [***].
The authorized representatives of the parties have executed and delivered this Data Protection Agreement as of the Effective Date.
|OEM: RUBRIK, INC.
|SUPPLIER: SUPER MICRO COMPUTER INC.
|By:
|By:
|Name:
|Name:
|Title:
|Title:
|Date:
|Date:
SCHEDULE 1
Scope of Processing
Subject Matter, Nature, and Purpose of Processing: OEM instructs Supplier to process OEM Personal Data to build and ship Products to OEM and its end users.
Duration of Processing: As needed to provide the Services requested by OEM, during the Term of the Agreement.
Types of Personal Data: [***].
Categories of Data Subjects: OEM affiliates, partners, vendors, end users and employees.
SCHEDULE 2
Approved Subcontractors
| Name of Subcontractor: | Purpose of subcontracting | Location of | Mechanism for |
| [***] | [***] | [***] | [***] |
APPENDIX A
APPENDIX 1 TO THE CONTROLLER TO PROCESSOR STANDARD CLAUSES
Data exporter
The data exporter is: Rubrik, Inc. or its customers or affiliates.
Rubrik, Inc.
1001 Page Mill Road, Building 2
Palo Alto, CA 94304
[***]
Data importer
The data importer is: Super Micro Computer Inc. or its customers or affiliates.
980 Rock Avenue
San Jose, CA 95131
Attn: Data Protection Officer (DPO)
Data subjects
The personal data transferred concern data subjects residing in the European Economic Area and Switzerland.
Categories of data
The personal data transferred concern the following categories of data: [***].
Special categories of data (if appropriate)
The personal data transferred does not concern special categories of data.
Processing operations
The personal data transferred will be subject to the following basic processing activities: Building and shipping Products to OEM and its end users.
APPENDIX B
APPENDIX 2 TO THE CONTROLLER TO PROCESSOR STANDARD CLAUSES
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document attached):
Supplier will, at a minimum, comply with the requirements in Section 6 of this DPA. Additionally, Supplier will:
[***]