Master Subscription Agreement

    Version 1.0 · Last updated February 12, 2026

    1. Definitions

    In this Agreement, unless the context requires otherwise, the following terms have the meanings set out below:

    "Customer" means the entity identified in an Order Form that subscribes to the Service.

    "Customer Data" means any data, content, code, or materials that Customer provides, uploads, or makes accessible to the Service, including source code, repository metadata, vulnerability scanner outputs, and runtime traces.

    "Service" means Konvu's AI-powered vulnerability management platform, including all features, integrations, APIs, and any updates or enhancements made generally available by Konvu during the Subscription Term, as further described in the applicable Order Form and Section 4.

    "Service Outputs" means the analytical results, assessments, reports, and other outputs generated by the Service from Customer Data.

    "Konvu Technology" means the Service, Konvu's proprietary exploitability knowledge base, AI models, algorithms, agent orchestration, software, documentation, and all related intellectual property.

    "Order Form" means a mutually executed ordering document or online subscription that references this Agreement and specifies the scope, fees, and term of Customer's subscription.

    "Subscription Term" means the period specified in the applicable Order Form during which Customer is authorized to use the Service.

    "DPA" means the Data Processing Agreement executed between the parties.

    "Sub-processor" means any third-party processor engaged by Konvu to process Customer Data on Konvu's behalf in connection with the Service.

    "Confidential Information" means any non-public information disclosed by one party to the other, whether orally, in writing, or electronically, that is designated as confidential or that a reasonable person would understand to be confidential given the nature of the information and circumstances of disclosure. Customer Data and the terms of any Order Form are Confidential Information of Customer. Konvu Technology, pricing, and security architecture details are Confidential Information of Konvu.

    "LLM Provider" means any third-party large language model provider engaged by Konvu for AI inference in connection with the Service.

    2. Access and Use Rights

    2.1 License Grant

    Subject to Customer's compliance with this Agreement and payment of applicable fees, Konvu grants Customer a non-exclusive, non-transferable, non-sublicensable right to access and use the Service during the Subscription Term, solely for Customer's internal business purposes and in accordance with the scope specified in the applicable Order Form.

    2.2 Authorized Users

    Customer may permit its employees and contractors ("Authorized Users") to access the Service, provided that Customer is responsible for their compliance with this Agreement. Customer shall not exceed the number of Authorized Users specified in the Order Form.

    2.3 Restrictions

    Customer shall not: (a) sublicense, sell, resell, transfer, or distribute the Service; (b) modify, create derivative works of, or reverse-engineer the Service; (c) access the Service to build a competitive product or service; (d) use the Service to process data on behalf of third parties unless authorized in the Order Form; or (e) circumvent any technical limitations or usage controls in the Service.

    2.4 Customer Responsibilities

    Customer is responsible for: (a) the accuracy and legality of Customer Data; (b) ensuring it has all necessary rights and authorizations to provide Customer Data to the Service; (c) maintaining the security of its account credentials; and (d) its Authorized Users' compliance with this Agreement.

    3. Trial Period

    3.1 Trial Availability

    Konvu may, at its discretion, offer Customer a trial of the Service at no charge ("Trial Period"). The scope and configuration of the Trial Period shall be set forth in the applicable Order Form, trial agreement, or written communication between the parties.

    3.2 Trial Term

    The Trial Period commences on the date Customer first accesses the Service and continues for the duration specified in the applicable Order Form or trial agreement. The Trial Period shall terminate upon the earlier of: (a) expiration of the agreed trial duration; (b) the parties' execution of an Order Form converting to a paid Subscription Term ("Conversion"); or (c) either party's written notice of termination, effective immediately upon receipt. For the avoidance of doubt, neither party is obligated to convert a Trial Period into a paid Subscription Term.

    3.3 Conversion

    Conversion to a paid Subscription Term requires the mutual written agreement of both parties, evidenced by the execution of an Order Form. Upon Conversion, the terms of this Agreement (excluding this Section 3) shall govern the paid Subscription Term, and all Customer Data and Service Outputs generated during the Trial Period shall carry over.

    3.4 Trial Warranty Disclaimer

    DURING THE TRIAL PERIOD, THE SERVICE IS PROVIDED "AS-IS" AND "AS-AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, AND NON-INFRINGEMENT. KONVU MAKES NO REPRESENTATIONS OR GUARANTEES REGARDING THE AVAILABILITY, RELIABILITY, OR PERFORMANCE OF THE SERVICE DURING THE TRIAL PERIOD.

    3.5 Trial Limitation of Liability

    TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, KONVU'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THE TRIAL PERIOD SHALL NOT EXCEED ONE HUNDRED DOLLARS ($100) OR THE EQUIVALENT IN LOCAL CURRENCY. CUSTOMER ACKNOWLEDGES THAT IT USES THE SERVICE DURING THE TRIAL PERIOD AT ITS OWN RISK AND THAT THE TRIAL PERIOD IS PROVIDED WITHOUT CHARGE.

    3.6 Surviving Obligations During Trial

    Notwithstanding the warranty disclaimers and liability limitations above, the following provisions of this Agreement shall apply in full during the Trial Period:

    (a) Section 5.3 (No Training on Customer Data): Konvu shall not use Customer Data to train, fine-tune, or improve any machine learning model during the Trial Period;

    (b) Section 7 (Confidentiality): all mutual confidentiality obligations remain in effect;

    (c) Section 9 (Artificial Intelligence Terms): including LLM Provider commitments and ephemeral data processing;

    (d) Section 6 (Intellectual Property): Customer owns Service Outputs generated during the Trial Period; and

    (e) The DPA (Exhibit A): including sub-processor obligations and data protection commitments.

    3.7 Trial Data

    Customer Data processed during the Trial Period is subject to the same data handling, retention, and deletion commitments set forth in Section 5. Upon termination of the Trial Period without Conversion, Konvu shall delete or return Customer Data within thirty (30) days of Customer's written request, in accordance with Section 5.4.

    4. Service Description

    4.1 Service Overview

    The Service is an AI-powered vulnerability management platform that assists Customer's security and engineering teams in identifying, assessing, and prioritizing software vulnerabilities. The specific features, integrations, data access requirements, and capabilities available to Customer are as described in the applicable Order Form and Konvu's then-current documentation.

    4.2 Service Availability

    Konvu shall use commercially reasonable efforts to make the Service available. If an Order Form specifies service level commitments (including uptime targets, support response times, or service credits), those commitments shall govern Service availability for the applicable Subscription Term. The Service may be temporarily unavailable for scheduled maintenance (with reasonable advance notice) or due to circumstances beyond Konvu's reasonable control. Scheduled maintenance windows shall not count against any uptime commitments specified in an Order Form.

    5. Customer Data and Data Rights

    5.1 Ownership

    Customer retains all right, title, and interest in and to Customer Data, including all intellectual property rights therein. Konvu acquires no right, title, or interest in Customer Data except for the limited license expressly granted in Section 5.2. Konvu acknowledges that Customer Data constitutes valuable proprietary assets of Customer and agrees that nothing in this Agreement or any Order Form shall be construed to transfer, assign, or otherwise convey any ownership interest in Customer Data to Konvu.

    5.2 License to Customer Data

    Customer grants Konvu a limited, non-exclusive, worldwide license to access, use, and process Customer Data solely as necessary to provide the Service, comply with applicable law, and enforce this Agreement. This license terminates upon the earlier of deletion of Customer Data or termination of this Agreement.

    5.3 No Training on Customer Data

    Konvu shall not use Customer Data to train, fine-tune, or improve any machine learning model, including any LLM or Konvu's proprietary knowledge base. Customer Data is processed solely at inference time to produce Service Outputs for Customer's benefit and is not retained by any LLM Provider beyond the duration of the inference request. Where the Service accesses Customer source code, such code is temporarily processed in an isolated environment and deleted upon completion of analysis; only Service Outputs are retained.

    5.4 Data Retention and Deletion

    Service Outputs and associated metadata are retained for the duration of the Subscription Term. Upon termination or expiration, Konvu shall delete or return Customer Data (including Service Outputs) within thirty (30) days of Customer's written request, except: (a) as required by applicable law or regulation; (b) data embedded in backup systems subject to automatic deletion in the ordinary course, provided such backups are deleted no later than ninety (90) days following termination; or (c) data reasonably required to enforce this Agreement or establish compliance therewith. Any Customer Data retained under this Section shall remain subject to the confidentiality and data protection obligations of this Agreement. Konvu will provide written confirmation of deletion upon request.

    5.5 Data Processing

    To the extent that Konvu processes personal data on behalf of Customer, the parties shall comply with the DPA, which is incorporated into and forms part of this Agreement. The DPA governs sub-processor management, data transfer mechanisms, and the parties' respective obligations under applicable data protection laws.

    6. Intellectual Property

    6.1 Konvu Technology

    Konvu and its licensors retain all right, title, and interest in and to the Konvu Technology, including all patents, copyrights, trade secrets, trademarks, and other intellectual property rights therein, and all improvements, enhancements, modifications, and derivative works thereof, whether or not developed in connection with this Agreement. No license or right is granted to Customer by implication, estoppel, or otherwise, except for the limited use rights expressly set forth in Section 2. Customer shall not acquire any ownership interest in the Konvu Technology under this Agreement or any Order Form.

    6.2 Service Outputs

    As between the parties, Customer owns all Service Outputs generated from Customer Data. Konvu retains no rights in Service Outputs except as necessary to deliver the Service during the Subscription Term. For clarity, Customer's ownership of Service Outputs does not extend to or encumber the underlying Konvu Technology, algorithms, models, knowledge base, or methodologies used to generate such outputs, all of which remain the exclusive property of Konvu.

    6.3 Feedback

    If Customer provides suggestions, feature requests, or other feedback regarding the Service ("Feedback"), Customer grants Konvu a perpetual, irrevocable, non-exclusive, worldwide, royalty-free, fully paid-up license to use, reproduce, modify, and incorporate such Feedback into the Service and Konvu Technology without restriction or obligation to Customer.

    6.4 Aggregated and Anonymized Data

    Konvu may generate aggregated, anonymized, and de-identified data derived from Customer's use of the Service that does not identify Customer or any individual ("Aggregated Data"). As between the parties, Konvu owns all right, title, and interest in Aggregated Data. Konvu may use Aggregated Data to improve the Service, develop new products and features, produce industry benchmarks, and for other lawful business purposes without restriction. For the avoidance of doubt, Aggregated Data does not include Customer source code or any data from which Customer or its users could reasonably be identified.

    7. Confidentiality

    7.1 Obligations

    Each party (the "Receiving Party") shall: (a) hold the other party's (the "Disclosing Party") Confidential Information in strict confidence; (b) not disclose Confidential Information to any third party except as permitted herein; and (c) use Confidential Information only for the purposes of exercising its rights or performing its obligations under this Agreement. The Receiving Party shall protect Confidential Information using at least the same degree of care it uses to protect its own confidential information, but in no event less than reasonable care.

    7.2 Permitted Disclosures

    The Receiving Party may disclose Confidential Information to its employees, contractors, and professional advisors who have a need to know and are bound by confidentiality obligations at least as protective as those in this Section. Konvu may disclose Customer Data to sub-processors in accordance with the DPA.

    7.3 Exclusions

    Confidential Information does not include information that: (a) is or becomes publicly available through no fault of the Receiving Party; (b) was known to the Receiving Party prior to disclosure; (c) is independently developed by the Receiving Party without use of the Disclosing Party's Confidential Information; or (d) is rightfully received from a third party without restriction on disclosure.

    7.4 Compelled Disclosure

    If the Receiving Party is compelled by law, regulation, or legal process to disclose Confidential Information, it shall (to the extent legally permitted) provide the Disclosing Party with prompt written notice and cooperate with the Disclosing Party's efforts to seek a protective order or other appropriate remedy.

    7.5 Duration

    Confidentiality obligations under this Section survive termination of this Agreement for a period of three (3) years, except that obligations with respect to trade secrets shall continue for as long as such information qualifies as a trade secret under applicable law.

    8. Security

    8.1 Security Measures

    Konvu shall maintain administrative, technical, and organizational security measures appropriate to the nature of Customer Data and designed to protect it against unauthorized access, disclosure, alteration, or destruction. Konvu's current security measures are described in Konvu's Security Documentation, available at Konvu's trust center or upon written request. Konvu may update its security measures from time to time, provided that such updates do not materially diminish the overall level of protection afforded to Customer Data.

    8.2 Compliance and Audit

    Konvu shall maintain industry-standard security certifications and shall make its most recent audit reports and certifications available to Customer upon written request, subject to confidentiality obligations.

    8.3 Incident Notification

    In the event of a confirmed security incident involving unauthorized access to Customer Data ("Security Incident"), Konvu shall: (a) notify Customer without undue delay and in any event within seventy-two (72) hours of confirmation; (b) provide Customer with available details of the Security Incident, including the nature of the data affected and remedial measures taken or planned; and (c) cooperate with Customer in investigating and mitigating the Security Incident.

    9. Artificial Intelligence Terms

    9.1 LLM Infrastructure

    The Service uses third-party large language model providers ("LLM Providers") for AI inference. Konvu shall ensure that Customer Data is not used by any LLM Provider for model training or improvement, whether through contractual restrictions, API configurations that prevent data retention, or equivalent technical measures. Customer Data submitted for inference is processed ephemerally and is not retained by any LLM Provider beyond the duration of the inference request. The identity of LLM Providers and any material changes thereto are governed by the DPA.

    9.2 Accuracy

    Service Outputs are generated by AI and represent probabilistic assessments. While Konvu designs the Service to maximize accuracy, Konvu does not guarantee that Service Outputs are error-free. Customer acknowledges that Service Outputs are intended to assist, not replace, Customer's security team's professional judgment.

    10. Fees and Payment

    10.1 Fees

    Customer shall pay the fees specified in the applicable Order Form. Unless otherwise stated in the Order Form, fees are quoted in U.S. dollars and are due within thirty (30) days of the invoice date.

    10.2 Taxes

    All fees are exclusive of taxes, levies, and duties. Customer is responsible for all applicable taxes, except for taxes based on Konvu's net income.

    10.3 Late Payment

    Overdue amounts shall accrue interest at the lesser of 1.5% per month or the maximum rate permitted by law. If any invoice is overdue by more than thirty (30) days, Konvu may suspend access to the Service upon ten (10) days' written notice.

    10.4 Price Changes

    Konvu may adjust fees for any renewal Subscription Term by providing at least thirty (30) days' prior written notice before the start of the applicable renewal period. Unless otherwise specified in the Order Form, fee adjustments take effect at the start of the next renewal Subscription Term.

    11. Term and Termination

    11.1 Term

    This Agreement commences on the date of the first Order Form and continues until all Order Forms have expired or been terminated.

    11.2 Subscription Renewal

    Unless otherwise stated in the Order Form, each Subscription Term shall automatically renew for successive periods equal to the initial Subscription Term, unless either party provides written notice of non-renewal at least thirty (30) days prior to the end of the then-current Subscription Term.

    11.3 Termination for Cause

    Either party may terminate this Agreement or any Order Form: (a) if the other party materially breaches this Agreement and fails to cure such breach within thirty (30) days of written notice; or (b) if the other party becomes insolvent, makes an assignment for the benefit of creditors, or becomes subject to bankruptcy proceedings.

    11.4 Effect of Termination

    Upon termination or expiration: (a) Customer's access to the Service shall cease; (b) each party shall return or destroy the other party's Confidential Information upon request; (c) Konvu shall delete or return Customer Data in accordance with Section 5.4; and (d) Sections 1, 5.1, 5.3, 6, 7, 8.3, 9, 10, 12, 13, 14, and 15 shall survive.

    12. Representations and Warranties

    12.1 Mutual Warranties

    Each party represents and warrants that: (a) it has the legal power and authority to enter into this Agreement; and (b) this Agreement constitutes a valid and binding obligation enforceable in accordance with its terms.

    12.2 Konvu Warranties

    Konvu warrants that: (a) the Service will perform materially in accordance with its published documentation; (b) Konvu will provide the Service in a professional and workmanlike manner consistent with generally accepted industry standards; (c) Konvu will not introduce any known malicious code into the Service; and (d) to Konvu's knowledge, the Service does not infringe the intellectual property rights of any third party.

    12.3 Disclaimer

    EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION, THE SERVICE IS PROVIDED "AS IS" AND KONVU DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. KONVU DOES NOT WARRANT THAT THE SERVICE WILL BE ERROR-FREE OR UNINTERRUPTED.

    13. Limitation of Liability

    13.1 Cap on Liability

    EXCEPT FOR THE EXCLUDED CLAIMS SET FORTH BELOW, EACH PARTY'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT SHALL NOT EXCEED THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER TO KONVU IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

    13.2 Exclusion of Consequential Damages

    IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS, REVENUE, DATA, OR BUSINESS OPPORTUNITY, ARISING OUT OF OR RELATED TO THIS AGREEMENT, REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    13.3 Excluded Claims

    Notwithstanding Sections 13.1 and 13.2, each party's total aggregate liability for the following categories of claims ("Excluded Claims") shall not exceed three (3) times the total fees paid or payable by Customer to Konvu in the twelve (12) month period immediately preceding the event giving rise to the claim: (a) either party's breach of confidentiality obligations under Section 7; (b) either party's indemnification obligations under Section 14; or (c) liability arising from a party's fraud, gross negligence, or willful misconduct. For the avoidance of doubt, Customer's payment obligations under this Agreement are not subject to any cap on liability.

    14. Indemnification

    14.1 Konvu Indemnification

    Konvu shall defend, indemnify, and hold harmless Customer and its officers, directors, employees, and agents from and against any third-party claim, loss, damage, or expense (including reasonable attorneys' fees) arising from allegations that the Service infringes a third party's intellectual property rights. If the Service becomes, or in Konvu's opinion is likely to become, the subject of an infringement claim, Konvu may, at its option: (i) obtain the right for Customer to continue using the Service; (ii) modify the Service to be non-infringing; or (iii) terminate the affected Order Form and refund prepaid fees for the unused portion of the Subscription Term.

    14.2 Customer Indemnification

    Customer shall defend, indemnify, and hold harmless Konvu and its officers, directors, employees, and agents from and against any third-party claim, loss, damage, or expense (including reasonable attorneys' fees) arising from: (a) Customer Data or Customer's use of the Service in violation of this Agreement; (b) Customer's breach of its representations under Section 2.4; or (c) any allegation that Customer Data infringes a third party's rights.

    14.3 Indemnification Procedure

    The indemnifying party's obligations are conditioned on: (a) prompt written notice of the claim (provided that failure to give prompt notice shall not relieve the indemnifying party except to the extent it is materially prejudiced); (b) sole control of the defense and settlement; and (c) reasonable cooperation from the indemnified party at the indemnifying party's expense.

    15. General Provisions

    15.1 Governing Law

    This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of laws principles. The parties consent to the exclusive jurisdiction of the state and federal courts located in Delaware.

    15.2 Entire Agreement

    This Agreement, together with all Order Forms, the DPA, and any exhibits, constitutes the entire agreement between the parties and supersedes all prior or contemporaneous agreements, proposals, or representations relating to its subject matter. In the event of a conflict between this Agreement and an Order Form, the Order Form shall prevail to the extent of the conflict.

    15.3 Amendments

    No amendment to this Agreement shall be effective unless in writing and signed by both parties. Notwithstanding the foregoing, Konvu may update its security measures from time to time in accordance with Section 8 and the DPA.

    15.4 Assignment

    Neither party may assign this Agreement without the other party's prior written consent, except that either party may assign this Agreement to an affiliate or in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided the assignee agrees to be bound by the terms of this Agreement.

    15.5 Notices

    All notices under this Agreement shall be in writing and delivered by email (with confirmation of receipt) or recognized overnight courier to the addresses specified in the Order Form. Notices to Konvu shall be sent to legal@konvu.com. Notices are deemed received on the date of confirmed delivery.

    15.6 Force Majeure

    Neither party shall be liable for any failure or delay in performance due to causes beyond its reasonable control, including acts of God, natural disasters, pandemics, government actions, or failures of third-party infrastructure providers, provided that the affected party gives prompt notice and uses commercially reasonable efforts to mitigate the impact.

    15.7 Severability

    If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the parties' original intent.

    15.8 Waiver

    No failure or delay by either party in exercising any right under this Agreement shall constitute a waiver of that right.

    15.9 Relationship of the Parties

    The parties are independent contractors. Nothing in this Agreement creates a partnership, joint venture, agency, or employment relationship.

    15.10 Export Compliance

    Customer shall comply with all applicable export control and sanctions laws and regulations in connection with its use of the Service.

    15.11 Publicity

    Subject to the terms of this Agreement, Customer grants Konvu a non-exclusive, royalty-free right to use Customer's name and logo to identify Customer as a user of the Service in Konvu's marketing materials, website, and customer lists. Konvu shall use Customer's name and logo in accordance with any brand guidelines provided by Customer. Customer may revoke this right at any time upon written notice. Any press releases or case studies referencing the other party require prior written approval.

    15.12 Subcontractors

    Konvu may use subcontractors and cloud infrastructure providers to perform its obligations under this Agreement, provided that Konvu remains fully responsible for such subcontractors' performance and compliance with the terms of this Agreement. The engagement of sub-processors for the processing of personal data is governed exclusively by the DPA.

    15.13 Anti-Bribery and Anti-Corruption

    Each party represents and warrants that it has not, and covenants that it will not, in connection with this Agreement, directly or indirectly offer, promise, give, or authorize the giving of any money, gift, or anything of value to any government official, political party, or any other person for the purpose of influencing any act or decision to obtain or retain business or secure any improper advantage. Each party shall comply with all applicable anti-bribery and anti-corruption laws, including the U.S. Foreign Corrupt Practices Act and the UK Bribery Act 2010, to the extent applicable. Each party shall promptly notify the other if it becomes aware of any breach or suspected breach of this Section.

    15.14 Audit

    Upon reasonable written request and no more than once per twelve (12) month period, Konvu shall provide Customer with a summary of its security program and any then-current third-party audit reports (e.g., SOC 2 Type II) to the extent available, subject to confidentiality obligations. If Customer reasonably requires an on-site audit, the parties shall mutually agree on the scope, timing, and confidentiality terms in advance, and such audit shall not unreasonably interfere with Konvu's operations. To the extent required under applicable data protection laws, Konvu shall make available to Customer such information as is reasonably necessary to demonstrate compliance with the DPA, subject to the confidentiality obligations of this Agreement and any additional confidentiality terms agreed by the parties in connection with such audit.