Vendor Risk Management Addendum

This Vendor Risk Management Addendum (“VRM Addendum”) sets forth the additional terms and conditions that apply solely to the extent Client elects to purchase the Vendor Risk Management Solution (“VRM Solution”) offered by the Resilience entity identified in the applicable Software Order Form (“SOF”).

By executing a SOF that includes the Vendor Risk Management Solution, Client agrees to be bound by this VRM Addendum, which is incorporated by reference into and forms part of the Software as a Service Agreement (“Agreement”).  Capitalized terms used but not defined in this Addendum have the meanings set forth in the Agreement.

1. Description of Services

The Vendor Risk Management Solution (“VRM Solution”) is part of the Software and provides tools to help Client to assess, prioritize, and manage cybersecurity risks associated with its third-party suppliers, contractors, or service providers (collectively, “Vendors”).  The specific scope and features of the VRM Solution will be set forth in the applicable SOF.

2. Client Authorization and Responsibilities  

Client represents and warrants that it has all rights, consents, and authority necessary to provide Company with information about its Vendors, including contact details and other relevant data, and to authorize Company to use such information to deliver the VRM Solution and to contact Vendors as necessary and in accordance with the Agreement and this Addendum. Client further represents that providing such information and authorizations does not violate any confidentiality obligations, contractual restrictions, or applicable laws. Client is solely responsible for the accuracy and completeness of any Vendor information it provides or causes to be provided through the VRM Solution, including any responses submitted by Client and for its own evaluation and use of any recommendations, analyses, or other outputs provided through the VRM Solution.

3. Use of Vendor Information

Company will use Vendor information to deliver the VRM Solution and to perform its obligations under the Agreement in accordance with the Agreement, this VRM Addendum, and the DPA. Company will not be responsible for independently verifying the accuracy of Vendor information provided.

4. Vendor Outreach

Company and Client will jointly determine the nature and scope of communications and materials provided to Vendors in connection with the VRM Solution.  Company may contact Vendors directly on Client’s behalf to distribute questionnaires or other communications as agreed by the parties.  The form, content, and frequency of such outreach will be agreed upon between the parties and may be documented separately. 

5. Vendor Access to Software

Company may provide certain Vendors with full or limited access to the Software in connection with the VRM Solution.  The terms and scope of such Vendor access, including any separate agreements with Vendors, will be set forth in the applicable SOF between Company and Client.

6. Vendor Responsiveness

Client acknowledges that Company does not control and is not responsible for the actions or inactions of any Vendor, including any failure by a Vendor to respond to outreach, access the Software, or otherwise participate in the VRM Solution.  Company has no obligation to notify Client of, or take any action in response to, such Vendor failures.  Company makes no guarantees regarding Vendor cooperation or the completeness, accuracy, or timeliness of information provided by Vendors.

7. Limitation of Liability 

The VRM Solution is designed to support Client’s vendor risk management activities by offering analysis, notifications, and related insights derived from available data. While Company endeavors to provide information that is timely, relevant, and useful, the quality and effectiveness of the VRM Solution may be influenced by factors outside of Company’s control, including the accuracy and completeness of information provided by Client and its Vendors. Due to the nature of cybersecurity risk, no solution can prevent all incidents or anticipate every threat. Given the evolving and unpredictable nature of cybersecurity and third-party risk, Client acknowledges that the VRM Solution is not intended to guarantee any particular outcome or level of risk reduction. Client is responsible for evaluating and determining how to use the information provided through the VRM Solution. Except as expressly stated in the Agreement, Company disclaims liability for Client’s use of or reliance on such information. 

8. Conflicts

All other terms and conditions of the Agreement apply to the VRM Solution except to the extent expressly modified by this Addendum. In the event of any conflict between this Addendum and the Agreement, the terms of this Addendum will control solely with respect to the VRM Solution.