Standard SaaS Agreement

ONESTREAM SOFTWARE LLC (“OneStream”) has created this Standard SaaS Agreement (“Agreement”) to facilitate transactions between a solution publisher (“Publisher”) and a customer (“Customer”) on OneStream’s Solution Exchange. This Agreement between Customer and Publisher governs Customer’s use of Publisher’s offerings (the “Service(s)”) accessed through the OneStream Platform. Both parties acknowledge that OneStream is not a party to this Agreement and has no responsibility or liability for the parties’ actions or obligations hereunder. OneStream’s relationship with each party is governed solely by its own agreements. Access to or use of the OneStream Platform or any OneStream Services must be contracted directly with OneStream.

1. DEFINITIONS

  • Applicable Term – the Service term stated in an Order Form.
  • Authorized User – an employee or agent of Customer or a Permitted Entity authorized to access the Service.
  • Customer Data – information that Customer provides for storage or processing by the Service(s).
  • Documentation – current user guides and manuals for the Service(s).
  • Order Form – a Publisher ordering document executed by the parties that specifies, among other items, the Applicable Term, fees, and the level of Support Services (Basic or Premium).
  • Permitted Entity – any entity controlling, controlled by, or under common control with Customer.
  • Service – a Publisher SaaS product identified in an Order Form.
  • Support Services – the customer support provided by Publisher as described in Exhibit 1 – Support Services, attached hereto and incorporated herein.
  • Update – a release, version, or bug fix that Publisher makes available at no additional charge.

2. STRUCTURE

This Agreement consists of (a) this Standard SaaS Agreement, (b) all executed Order Forms, and (c) Exhibit 1 – Support Services. In the event of conflict, the Order Form controls, followed by this Agreement, then the Exhibit.

3. SERVICE

Publisher will, during the Applicable Term, make the Service(s) available to Customer and its Permitted Entities solely for their internal business operations. Customer is responsible for all actions and omissions of Authorized Users and Permitted Entities.

4. USE RESTRICTIONS

Except as expressly permitted herein, Customer may not, and may not allow any third party to:
(i) decompile, disassemble, decrypt, or reverse-engineer any Service;
(ii) remove proprietary notices;
(iii) sell, lease, lend, or make any Service available to another party except as authorized;
(iv) modify or create derivative works of a Service; or
(v) use the Service in a manner inconsistent with this Agreement or the Documentation.

5. SUPPORT SERVICES

Publisher will provide to Customer the level of Support Services (Basic or Premium) set forth in the applicable Order Form and described in Exhibit 1 – Support Services. Support Services relate solely to the InfinitySPM application within the OneStream Platform; OneStream is solely responsible for platform-level hosting, uptime, and related infrastructure operations.

6. TERM

The Applicable Term commences as specified on each Order Form and continues for that period. Unless either party gives written notice of non-renewal at least sixty (60) days before the end of the then-current term, the Service(s) will automatically renew for an additional one-year term. Publisher may increase pricing for any renewal by up to the percentage increase in the U.S. Consumer Price Index (CPI) for the prior twelve months.

7. PAYMENT TERMS AND TAXES

Publisher shall invoice fees annually in advance unless otherwise stated in the Order Form. All undisputed amounts are due thirty (30) days from invoice. Late payments accrue interest at the lower of 1 % per month or the maximum allowed by law. Customer is responsible for all applicable sales, use, VAT, GST, or similar taxes (excluding taxes on Publisher’s income). Payments must be made without deduction for withholding taxes unless required by law, in which case Customer shall provide evidence of payment to the taxing authority. Administrative requirements such as purchase-order numbers shall not delay or limit Customer’s payment obligations.

8. TERMINATION

Either party may terminate an Order Form if the other party:
(i) materially breaches this Agreement and fails to cure within thirty (30) days (ten (10) days for payment breaches) after written notice; or
(ii) becomes insolvent or ceases normal business operations.

Upon termination or expiration:
(a) all Customer rights to use the Service cease; and
(b) upon request within thirty (30) days, Publisher will provide Customer a copy of Customer Data in industry-standard electronic form.

If Customer terminates for Publisher’s uncured breach, Publisher will refund any prepaid, unearned fees. Sections 1, 7, and 9–15 survive termination.

9. WARRANTY

Publisher warrants that, during the Applicable Term, the Service will conform in all material respects to the Documentation. The warranty does not apply to (i) misuse, (ii) unauthorized modifications, or (iii) failure to use offered Updates. Publisher’s sole liability and Customer’s exclusive remedy for breach is repair, replacement, or, if impractical, refund of prepaid, unearned fees. EXCEPT AS EXPRESSLY STATED, PUBLISHER DISCLAIMS ALL OTHER WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. PUBLISHER DOES NOT WARRANT UNINTERRUPTED OR ERROR-FREE OPERATION.

10. INTELLECTUAL PROPERTY INDEMNITY

Publisher will defend and indemnify Customer from third-party claims that the Service infringes patents, copyrights, or trademarks, or misappropriates trade secrets, provided Customer promptly notifies Publisher and allows sole control of the defense and settlement. Publisher’s obligations do not apply to claims arising from (i) unauthorized use or combination with other products, (ii) modifications not approved by Publisher, or (iii) use of outdated versions when infringement would be avoided by an Update. If infringement is found likely, Publisher may obtain the right for Customer to continue using the Service, replace or modify it to become non-infringing, or, if not commercially reasonable, refund unearned fees. This Section states the sole remedy for third-party IP claims.

11. CONFIDENTIALITY

Each party shall keep the other’s Confidential Information confidential, use it only for purposes of this Agreement, and disclose it only to personnel bound by similar obligations. Confidentiality obligations do not apply to information that is public, independently developed, received lawfully from a third party, or required to be disclosed by law (with notice to the discloser). Obligations continue for five (5) years after termination or as long as the information remains a trade secret. Either party may seek injunctive relief for breach of this Section.

12. INTELLECTUAL PROPERTY RIGHTS

Publisher owns all rights, title, and interest in the Service(s) and related IP. Customer owns all rights and title to its Customer Data. No rights are granted except as expressly stated.

13. LIMITATION OF LIABILITY

Except for (i) gross negligence, willful misconduct, or fraud; (ii) Publisher’s indemnity under Section 10; or (iii) breach of confidentiality obligations:
(a) Publisher’s aggregate liability under this Agreement is limited to the fees paid by Customer for the Service during the twelve (12) months preceding the claim; and
(b) Publisher is not liable for lost profits or any indirect, incidental, special, or consequential damages. OneStream has no liability whatsoever under or related to this Agreement. These limitations apply regardless of the form of action and even if a remedy fails its essential purpose.

14. COMPLIANCE WITH LAWS

Each party will comply with all applicable laws, including data-protection, anti-bribery, and export-control laws. Where Publisher processes personal data on Customer’s behalf, the parties will execute a data-processing agreement consistent with applicable privacy laws. Customer represents that neither it nor its Authorized Users are listed on any restricted or sanctioned-party list and will not access the Service from an embargoed country.

15. GENERAL

This Agreement is governed by the laws of the State of New York, excluding conflicts-of-law rules. Any action shall be brought in the state or federal courts located in Manhattan, New York. Notices must be in writing and are effective upon (i) personal delivery, (ii) confirmed courier delivery, or (iii) email with no delivery failure notice within four (4) hours. Publisher may collect and use aggregated, anonymized usage data for analytics and improvement. Neither party may assign this Agreement except to an affiliate or successor by merger or asset transfer. If any provision is unenforceable, the remainder remains in effect. Neither party is liable for failure to perform due to a force majeure event. This Agreement is the entire understanding between the parties and supersedes prior proposals or agreements on the subject matter. Amendments or waivers must be in writing signed by both parties.

Exhibit 1 – Support Services

(Incorporated by reference in Section 5 above.)

1. Overview

Publisher provides two levels of support for the InfinitySPM Service:

  • Basic Support – included with all subscriptions unless otherwise specified.

  • Premium Support – available as an optional upgrade subject to additional fees in the applicable Order Form.

Support covers only the InfinitySPM application operating within the OneStream Platform. Platform hosting, uptime, backups, and related infrastructure are the responsibility of OneStream Software LLC under its own agreements.

2. Definitions

  • Help Desk Support – Publisher’s function that receives and manages Customer inquiries or incident reports.

  • Subscriber Contact – Customer’s designated individual(s) authorized to communicate with Publisher regarding support matters.

  • Severity Levels – classification of incident impact, defined in Section 3.2.

3. Basic Support

3.1 Availability

Help Desk Support is available Monday–Friday, 9:00 a.m.–8:00 p.m. Eastern Time, excluding U.S. federal holidays.
Requests may be submitted by phone or email through Publisher’s support channel.

3.2 Incident Classification and Response Objectives
SeverityDescriptionInitial AcknowledgmentTarget Response / WorkaroundResolution Effort
A – SevereService substantially non-functional or inoperative1 hourContinuous efforts to restore or work aroundHighest priority
B – MediumMaterial degradation of performance or functionality1 hourContinuous efforts to resolveHigh priority
C – MinorOperation differs from Documentation without material impact2 business daysScheduled with maintenanceNext update cycle
3.3 Maintenance and Updates

Publisher may provide Updates or maintenance releases from time to time. Routine maintenance is scheduled outside business hours, with notice for downtime expected to exceed 30 minutes.

3.4 Customer Responsibilities

Customer shall provide sufficient information and access to reproduce and diagnose reported issues. Support obligations apply only when the Service is used per the Agreement and Documentation.

3.5 Escalation

If a Severity A issue is not progressing within expected timeframes, Customer may escalate to Publisher’s Support Manager or designated executive contact.

4. Premium Support

Customers purchasing Premium Support receive all Basic Support features plus:

  1. 24 × 7 Availability – Help Desk access at any time, including weekends and holidays.

  2. Expedited Response – Priority handling for Severity A and B issues with a 15-minute acknowledgment target and continuous triage until resolution.

  3. Designated Technical Contact – Access to a named InfinitySPM Support Lead familiar with Customer’s configuration.

  4. Proactive Monitoring – Early detection and notification of data or process errors within the application where supported.

  5. Quarterly Health Review – Optional remote session to review configuration health, usage, and optimization recommendations.

  6. Enhanced Communication – Advance notice of product releases, maintenance windows, and OneStream Platform updates that may impact environments.

Premium Support terms and fees are specified in the applicable Order Form or SOW.

5. Platform Availability

Customer acknowledges that the Service operates on the OneStream Platform. All infrastructure-level operations—including hosting, uptime, performance monitoring, backups, disaster recovery, and security—are provided solely by OneStream Software LLC. Publisher is responsible only for the application-level functionality and support of the InfinitySPM solution within that environment.

6. Exclusions

Support Services do not include:
(i) issues caused by Customer’s systems, integrations, or third-party software;
(ii) issues attributable to the OneStream Platform or infrastructure; or
(iii) customizations or modifications not developed or approved in writing by Publisher.

Exhibit 2 – Data Processing Addendum (DPA)

(This Exhibit is incorporated into and forms part of the InfinitySPM Standard SaaS Agreement between Customer and Publisher.)

  1. Purpose and Scope

This Data Processing Addendum (“DPA”) forms part of the Agreement between Customer and Publisher. For purposes of this DPA, “Publisher” means the entity identified as Publisher in the Agreement and includes InfinitySPM (“Publisher (InfinitySPM)”).

This DPA governs the Processing of Customer Data by Publisher (InfinitySPM) in connection with Customer’s use of the Service.

Publisher (InfinitySPM) acts as Processor and Customer acts as Controller (or Processor where Customer processes on behalf of its own controller).

This DPA applies solely to Processing within the InfinitySPM application. Hosting, infrastructure security, availability, backup, disaster recovery, and platform-level operations are performed by OneStream under its separate agreement with Customer.

  1. Definitions

Capitalized terms not defined in this DPA have the meanings set out in the Agreement.

“Applicable Data Protection Law” means all applicable privacy, data protection, and security laws, including the EU GDPR, UK GDPR, CCPA/CPRA, PIPEDA, and similar global laws.

“Personal Data” means any information relating to an identified or identifiable natural person contained within Customer Data.

“Processing” means any operation performed on Personal Data, including collection, storage, access, use, disclosure, or deletion.

“Subprocessor” means any third party engaged by Publisher (InfinitySPM) to Process Personal Data on Customer’s behalf.

“EU SCCs” means the Standard Contractual Clauses adopted by the European Commission on 4 June 2021.

“UK Addendum” means the UK Information Commissioner’s Office Addendum to the EU SCCs.

  1. Roles and Responsibilities
3.1 Customer Responsibilities

Customer shall:

  • determine the purposes and means of Processing;
  • ensure it has a lawful basis for Processing Personal Data;
  • ensure the accuracy and legality of Customer Data;
  • comply with all obligations of a Controller or Processor under Applicable Data Protection Law.
3.2 Publisher Responsibilities

Publisher (InfinitySPM) shall:

  • Process Personal Data only on documented instructions from Customer;
  • ensure personnel with access to Personal Data are under confidentiality obligations;
  • maintain application-level security controls consistent with industry standards;
  • not sell or share Personal Data nor retain, use, or disclose Personal Data except as permitted by the Agreement.
  1. Details of the Processing

Subject matter: Personal Data contained within Customer Data processed by the InfinitySPM application.
Duration: For the term of the Agreement and 30 days thereafter.
Purpose: To provide and support the Service.
Categories of Data Subjects: Employees, contractors, sales personnel, and other individuals whose data is supplied by Customer.
Types of Personal Data: Names, emails, roles, compensation and incentive data, performance data, territory data, and other fields defined by Customer.

  1. Security Measures

Publisher (InfinitySPM) shall implement technical and organizational measures to protect Personal Data, including:

  • role-based access controls, MFA where supported;
  • authentication and authorization safeguards;
  • encryption of data in transit;
  • activity logging;
  • secure development practices;
  • application-level incident management.

Customer acknowledges that OneStream maintains and controls platform-level security, including encryption at rest, physical security, infrastructure logging, network segmentation, backup, and disaster recovery.

  1. Subprocessors

6.1 Authorized Subprocessors

Customer authorizes Publisher (InfinitySPM) to use the Subprocessors identified in Annex A.

6.2 Subprocessor Obligations

Publisher (InfinitySPM) shall:

  • ensure Subprocessors are bound by written agreements no less protective than this DPA;
  • remain responsible for Subprocessors’ performance.

6.3 Subprocessor Changes

Publisher (InfinitySPM) will notify Customer at least 30 days in advance of adding or replacing a Subprocessor.

Customer may object on reasonable data protection grounds. If unresolved, Customer may terminate the affected Service.

  1. Data Subject Requests

Publisher (InfinitySPM) will assist Customer, to the extent technically feasible, in responding to Data Subject requests relating to Personal Data processed by Publisher.

Publisher will not respond to a Data Subject request directly unless required by law.

  1. Personal Data Breach Notification

Publisher (InfinitySPM) shall notify Customer without undue delay, and no later than 48 hours after becoming aware of a Personal Data Breach affecting Customer Data.

Publisher will provide Customer with sufficient detail to meet its breach reporting obligations.

  1. International Transfers

Where Personal Data is transferred outside the EEA/UK/Switzerland, Publisher (InfinitySPM) shall:

  • rely on the EU SCCs (Module 2: Controller → Processor);
  • rely on the UK Addendum for UK personal data transfers;
  • implement supplementary measures as required under Applicable Data Protection Law.

Completed SCC details are provided in Annex B.

  1. Audit and Assistance

Upon Customer request, Publisher (InfinitySPM) shall:

  • provide available documentation (including OneStream platform audit reports where permissible);
  • provide responses to Customer’s reasonable security and privacy inquiries;
  • permit application-level audits, subject to confidentiality and reasonable scheduling.

Infrastructure-level audits must be performed directly with OneStream.

  1. Return or Deletion of Customer Data

Within 30 days following termination or expiry of the Agreement, Customer may request a copy of Customer Data in an industry-standard electronic format.

After 30 days, Publisher (InfinitySPM) will delete Customer Data from the InfinitySPM application, subject to OneStream’s platform-level retention and backup policies.

  1. Liability

Liability under this DPA is subject to the limitation of liability in the Agreement, except where prohibited by Applicable Data Protection Law.

  1. Conflict

In case of conflict between this DPA and the Agreement, this DPA shall prevail with respect to Processing of Personal Data.