PELOTON CORPORATE WELLNESS PROGRAM TERMS AND CONDITIONS

These Terms and Conditions, together with the exhibits hereto and any order form (an “Order Form”) entered into between the customer entity named in the applicable Order Form (“you” or “Company”) and Peloton Interactive, Inc. or its affiliate(s) named in the Order Form (“Peloton”) (these Terms and Conditions and the Order Form together, the “Agreement”) govern your use of the Program (as defined below). By executing an Order Form that references these Terms and Conditions, you agree to be bound by these Terms and Conditions. These Terms and Conditions were last updated on March 10, 2023 and are effective between Company and Peloton as of the Agreement Effective Date set out in the Order Form (the “Effective Date”).

1. Program Offering; Eligibility.

  • 1.1 Program Offering.

(a) From the Program Launch Date through the end of the Term, and subject to Company’s payment of the Annual Subscription Fee (as defined below), Peloton shall (i) make available to Company the ability to purchase and/or subsidize Peloton membership subscriptions as described in the applicable Order Form and as defined in Peloton’s Membership Terms (available at https://www.onepeloton.com/membership-terms or a successor website as may be updated by Peloton from time to time) (each, a “Membership” and collectively, the “Memberships”) for Eligible Users within the Territory (as defined in the applicable Order Form) and/or (ii) make available to Company and Eligible Users the ability to purchase Peloton connected-fitness products within the Territory (“Equipment”), in each case, at the prices set forth on the Order Form (the foregoing clauses (i) and (ii) collectively, the “Program”). Equipment names and specifications, including Peloton Tread, Bike, and Bike+, are as described on Peloton’s website.
(b) Throughout the Term, Peloton may offer Company the ability to access supplemental services in support of the Program. Provision of such supplemental services shall be pursuant to a separately executed services addendum, which shall be subject to the terms of the Agreement. Additionally, Peloton may make new types of Memberships and Equipment available for purchase by Eligible Users from time to time at its sole discretion; provided, that the availability of such Memberships and Equipment shall otherwise be subject to the terms and conditions of the Agreement in all respects, unless otherwise agreed to by the parties in writing.
(c) Company acknowledges and agrees that Peloton is not providing any Membership or Equipment to Company (unless otherwise specified on the Order Form).

  • 1.2 Eligibility.

(a) Company may determine the criteria by which individuals will be eligible to participate in the Program (the “Eligible Users”). In addition to any eligibility criteria determined by Company, all Eligible Users must (at the time of determining if such person is an Eligible User): (i) be 18 years old (or if the age of majority in his/her/their jurisdiction is older than 18 years old, the age of majority in such jurisdiction), (ii) be employed or engaged by Company, and (iii) reside in the Territory.
(b) Peloton provides several options to validate Eligible Users. In the event that Company elects to determine and validate eligibility via a file listing the Eligible Users to Peloton (the “Eligibility File”), the following terms apply:
(i) Company shall provide the Eligibility File to Peloton from time to time during the Term, in accordance with the technical requirements set forth on Exhibit A to the Order Form, for the purpose of administering the Program. Company represents and warrants that any Eligibility File provided to Peloton will be accurate and complete and obtained in compliance with applicable law, including Data Protection Laws (as defined in the Data Processing Addendum), and that Company has obtained any necessary consents from Eligible Users. If the Territory includes the United States, Company (A) acknowledges that Peloton is not a Business Associate or subcontractor (as those terms are defined in the Health Insurance Portability and Accountability Act and related amendments and regulations, as updated or replaced, “HIPAA”), (B) shall not submit to Peloton any “protected health information” as defined in 45 CFR §160.103, in connection with the Program, including in any Eligibility File, and (C) agrees that Peloton shall have no liability under these Terms and Conditions for any such information received from Company, notwithstanding anything to the contrary herein.
(ii) Promptly following the Agreement Effective Date, but in any event no later than ten (10) business days before the Program Launch Date, Company agrees to provide Peloton an initial Eligibility File for testing purposes (the “Test Eligibility File”). Company shall cooperate with Peloton to address any technical issues that arise with respect to the Test Eligibility File. No later than five (5) days prior to the Program Launch Date, Company shall provide Peloton with an updated, final Eligibility File to be used for the Program Launch Date. The parties acknowledge and agree that Peloton may make reasonable adjustments to the Program Launch Date in its reasonable discretion with prior notice to Company.
(iii) Following the Program Launch Date and throughout the remainder of the Term, Company agrees to provide Peloton with updates to the Eligibility File on a monthly basis, and no later than five (5) days prior to the end of the then-current month. Company acknowledges and agrees that Peloton shall be entitled to rely on the most-recently provided version of the Eligibility File to determine the Eligible Users. Peloton reserves the right to pause the Program at any time with written notice to Company due to any technical or other errors arising from the Eligibility File provided by Company.

  • 1.3 Program Participation. To participate in the Program, each Eligible User must enroll for a Membership or purchase Equipment directly with Peloton by following the instructions provided by Peloton via Company to such Eligible User. No Eligible User will be able to redeem a Membership offered pursuant to the Program directly through Company or any third party, including through the Google Play Store or the Apple App Store.
  • 1.4 No Exclusivity. Nothing in the Agreement shall prevent Peloton or any of its affiliates or subsidiaries from providing similar products or services to any third party. The terms of the Agreement shall be non-exclusive and “most favored nation” pricing will not apply, nor does Peloton provide any minimum guarantees with respect to the Program.

2. Membership and Equipment Purchases.

  • 2.1 Pricing. If the Territory is the United States or Canada, Equipment and Membership prices do not include applicable Taxes (as defined below); if the Territory is the United Kingdom, Membership prices include applicable Taxes; if the Territory is Australia, Equipment and Membership prices do not include applicable Taxes except as otherwise set out in Section 4.2. Equipment and Membership prices do not include any other Peloton product or service. Equipment prices do not include monthly All-Access Membership subscription fees.
  • 2.2 Equipment Purchases.

(a) No more than one unit of each type of Equipment may be redeemed by any Eligible User. For the purposes of illustration only, an Eligible User could purchase a Peloton Bike and Peloton Bike+ through the Program (each of which would require its own All-Access Membership), but could not purchase multiple Peloton Bikes through the Program. For the avoidance of doubt, an Eligible User may purchase only one Membership through the Program but will not be prohibited from purchasing a Membership or Equipment at full price from Peloton directly. The purchase of any Equipment is while supplies last and subject to availability, delivery and radius restrictions and limitations. Subject to Sections 2.2(c) and 9, all Equipment purchases are subject to Peloton’s then-current terms and conditions, including but not limited to Peloton’s return and home trial policies available on Peloton’s website, which may be updated from time to time by Peloton in its sole discretion. All sales of refurbished Equipment, to the extent included in the Program, are final, except where prohibited by law.
(b) Subject to Sections 2.2(c) and 9, a limited one-year warranty is included with each purchase of Equipment by an Eligible User, and extended warranties or service plans may also be available at time of a new Equipment purchase. If the Territory is the United Kingdom, service plans are not available for refurbished Equipment purchases.
(c) If the Territory is Australia, this Section 2.2 is not intended to alter any rights you may have as a consumer that cannot be excluded under applicable law, including any of the non-excludable requirements of the Australian Consumer Law (as defined below).

  • 2.3 Member Agreements. Memberships shall only be provided to Eligible Users who register for such Membership pursuant to an end-user agreement between the Eligible User and Peloton (each such person, a “Member”), including: Peloton’s Terms of Service, Membership Terms, and any other agreement or arrangement between Peloton and any Member (collectively, the “End-User Agreements”). The End-User Agreements shall govern the relationship between a Member and Peloton, and Company shall have no right to enforce the rights of any Member under any End-User Agreement. Peloton shall be responsible for making available to each Member Peloton’s then-effective End-User Agreements.

3. Proprietary Property; Marketing

  • 3.1 Proprietary Property.

(a) Company acknowledges and agrees that Peloton owns all rights, title and interest in its property, including but not limited to the names, logos, trademarks, service marks, and trade names of Peloton (“Peloton Marks”) and any text (including without limitation any email), artwork, imagery, video, and similar property provided to Company by Peloton in connection with these Terms and Conditions (all of the foregoing, including without limitation the Peloton Marks, together with Feedback, the “Peloton Property”). To the extent Company makes any adaptation, alteration, modification, derivative work, enhancement or improvement to any Peloton Property (together, “Improvements”), such Improvements shall be owned by Peloton and Company assigns to Peloton all rights, title and interest, and all intellectual property rights, in and to such Improvements. Without limiting the foregoing, Company agrees that Peloton shall, subject to Section 6 below, be entitled to use and exploit without restriction all feedback, suggestions, improvements, comments and ideas Company provides to Peloton regarding the Program or any Peloton product or service (collectively, “Feedback”).
(b) Peloton acknowledges and agrees that Company owns all rights, title and interest in its property, including but not limited to the names, logos, trademarks, service marks, and trade names of Company (“Company Marks”) and any text, artwork, imagery, video, and similar property provided to Peloton by Company in connection with the Agreement (all of the foregoing, including without limitation the Company Marks, the “Company Property”). For the purposes of the Agreement, the term “Property” may be used to refer to Peloton Property and/or Company Property, as applicable.

  • 3.2 Licenses.

(a) Subject to Section 3.3(a), Peloton hereby grants to Company a limited, non-exclusive, revocable, non-transferable, non-sublicensable, royalty-free license to use the Peloton Property, in the form and format provided by Peloton, solely for purposes of marketing the Program to Eligible Users during the Term. Company agrees that all goodwill arising from its use of the Peloton Marks shall inure to the benefit of and be on behalf of Peloton. Company shall only use the Peloton Marks in a manner such that it creates a separate and distinct impression from any other trademark, trade name or service mark.
(b) Subject to Section 3.3(a), Company hereby grants to Peloton a non-exclusive, revocable, non-transferable, non-sublicensable, royalty-free license to use the Company Property solely for the purposes of (i) marketing the Program to Eligible Users during the Term and (ii) identifying Company as a Peloton Corporate Wellness client in general marketing materials, press releases and public-facing statements and posting a pre-approved Company logo on Peloton’s website identifying Company as a Peloton Corporate Wellness client, in each case unless Company requests by written notice not to be so identified. Peloton agrees that all goodwill arising from its use of the Company Marks shall inure to the benefit of and be on behalf of Company. Peloton shall only use the Company Marks in a manner such that it creates a separate and distinct impression from any other trademark, trade name or service mark.

  • 3.3 Approvals and Marketing Guidelines.

(a) Except as mutually agreed by the parties or as otherwise explicitly permitted by the Agreement, neither party shall make or disseminate or cause to be made or disseminated, whether directly or indirectly, any external marketing materials (including to promote a challenge, membership, equipment or offering), statement, press release, claim, representation, or other public announcement to any third-party relating to the Agreement or the underlying products or services or the existence of a business relationship between the parties. Each party may withdraw its permission for the other party to use such party’s Property at any time at its sole discretion.
(b) Company must receive Peloton’s prior written approval for each use of any Peloton Property. Company will request approval of any materials used by Company to market the Program to Eligible Users (including any email or other communication that includes Peloton Property), whether internal or external (collectively, the “Program Marketing Materials”), by submitting a draft to Peloton for review at least ten (10) business days in advance of when Company desires to first use such Program Marketing Materials. Peloton will have the right to accept or reject the Program Marketing Materials as proposed by Company. If rejected, Company shall revise the Program Marketing Materials to incorporate Peloton’s feedback and address Peloton’s concerns, and Company will then resubmit the revised Program Marketing Materials to Peloton for approval or rejection. The foregoing process will be repeated until Peloton has issued final written approval of the Program Marketing Materials. Peloton reserves the right to withhold or revoke approval of any use of the Peloton Property in its sole discretion. Notwithstanding the foregoing, Company shall not be required to obtain prior written approval from Peloton pursuant to this Section 3.3(b) solely to the extent Company uses the Peloton Property to list Peloton together with at least one other offering in any communication that is primarily intended to inform Company’s employees and/or personnel of the benefits it generally makes available to Eligible Users (a “General Benefits Communication”).
(c) Any approval provided by Peloton with respect to the Peloton Property shall be conditioned upon Company complying with all guidelines provided by Peloton to Company during the Term, which include (i) Peloton’s Commercial Marketing Guidelines (available at https://commercial.onepeloton.com/Peloton-Commercial-Marketing-Guidelines-2020.pdf or such successor website as Peloton may designate from time to time); and (ii) Peloton’s Media Press Kit (available at https://press.onepeloton.com/ or such successor website as Peloton may designate from time to time), each of which may be updated by Peloton from time to time. Company may also provide to Peloton written guidelines regarding the use of the Company Property from time to time.
(d) In the event that either party’s use of the other party’s Property does not comply with any written guidelines provided to such party, the other party may inform the non-complying party of any such failure and such non-complying party shall, at its expense, promptly take such action as is necessary to align its use of such Property with such guidelines.
(e) Company shall not, without the prior written consent of Peloton, (i) directly or indirectly, integrate the Program or any other Peloton product, service or offering with any third-party product, service or offering, or (ii) externally market or promote any Peloton product, service, or offering together with any competing program, service, or offering. For the avoidance of doubt, the foregoing shall not prohibit Company from making a General Benefits Communication.

  • 3.4 Program Marketing Obligations. Company shall: (i) use the Program Marketing Materials to market the Program (A) to all Eligible Users as they become eligible to participate in the Program and (B) in all communications and documentation about Company’s health or wellness offering or initiative; (ii) send at least one (1) communication about the Program every three (3) months to all Eligible Users; and (iii) prominently display details of the Program on its internal benefits site or intranet.

4. Payments.

  • 4.1 Company Fees.

(a) Company agrees to pay Peloton all fees specified on the Order Form, and if applicable, the Reconciliation Fee (collectively, the “Company Fees”) in accordance with this Section 4. If the Territory is the United States or Canada, all Company Fees listed on the Order Form are exclusive of applicable Taxes; if the Territory is the United Kingdom, all Company Fees listed on the Order Form include applicable Taxes; if the Territory is Australia, all Company Fees listed on the Order Form are exclusive of applicable Taxes, except as otherwise set out in Section 4.2. The Annual Subscription Fee is not inclusive of any subscription fees for the Membership of any Eligible Users. Peloton may increase the Company Fees for any upcoming Renewal Term by informing Company of such increase no less than sixty (60) days prior to the expiration of the then-current Term.
(b) If during the Initial Term or any subsequent Renewal Term, the number of Eligible Users increases by more than ten percent (10%) from the number of Eligible Users at the start of the then-current Term (the “Starting Eligible Users”), Peloton may charge to Company an additional fee equal to the product of: (i) (A) the Annual Subscription Fee set forth on the Order Form divided by (B) the number of Starting Eligible Users multiplied by (ii) the number of Eligible Users that exceed the Starting Eligible Users (the “Reconciliation Fee”). Peloton will only charge the Reconciliation Fee to Company once annually.

  • 4.2 Taxes. Except as otherwise set out in this Section 4.2, Company shall be solely responsible for all taxes, duties, and other governmental assessments, including sales, use, value-added, goods, services, excise, wage, property, business or service, and other transactional taxes (and all interest and penalties associated with any of the foregoing), arising in connection with the Agreement (all of the foregoing, collectively, “Taxes”), except for taxes assessed on Peloton’s net income. Notwithstanding the foregoing, if the Territory includes Australia, the amounts specified in this Agreement are inclusive of goods and services tax ("GST"). If GST is or will be payable on a supply made under or in connection with this Agreement, and the relevant amount has not been specified as inclusive as GST, then in addition to paying the fees or other amount payable under this Agreement, Company must pay to Peloton an amount equal to any GST on any supply by Peloton under or in connection with this Agreement, without deduction or set off of any other amount, as and when the fees or other amount or part of it must be paid or provided.
  • 4.3 Invoicing and Payment Terms. Based on the final day of each calendar month during the Term, Peloton will calculate the number of Eligible Users who are enrolled in a Membership at any time during such month. Based on the foregoing, Peloton will issue an invoice to Company on a monthly basis for the applicable Company Fees listed on the Order Form. Memberships can only be billed in monthly increments. Invoices will be due and payable by Company within thirty (30) days after the date of the invoice.

5. Term and Termination.

  • 5.1 Term. The Agreement commences on the Agreement Effective Date and, unless otherwise specified on the Order Form, shall continue in full force and effect for a period of one year from the Program Launch Date listed on the Order Form (the “Initial Term”). Thereafter, the Agreement shall automatically renew for successive 12-month periods (each a “Renewal Term”, and all Renewal Terms, together with the Initial Term, the “Term”), unless either party elects not to renew the Agreement by notifying the other party thereof at least ninety (90) days prior to the end of the then-current Term.
  • 5.2 Termination for Cause. If either party is in material breach of any provision of the Agreement, including breach of any payment obligation, and such breach is not cured within 30 days after written notice is given to the breaching party, the non-breaching party may, by giving written notice thereof to the breaching party, terminate the Agreement. Notwithstanding the foregoing, Peloton may, at its option, immediately terminate the Agreement or suspend Memberships in the event Company has failed to pay any fees or expenses when due hereunder and such non-payment has not been cured within ten business days after written notice of such non-payment is sent to Company.
  • 5.3 Transition Period.

(a) Commencing upon notice of termination by either party until the effective date of termination (the “Transition Period”), no new Eligible Users may enroll to participate in the Program; provided, that Peloton will continue to support the Memberships of already-enrolled Eligible Users and fulfill any Equipment orders placed prior to such time. Company shall cooperate with Peloton to provide reasonable transition assistance during the Transition Period, including: (i) communication of the upcoming termination to Eligible Users and (ii) the completion of all accounting or other financial reconciliations. For the avoidance of doubt, nothing herein shall prohibit any Eligible User from purchasing, accessing, using, or receiving a Membership and/or Equipment at full price following the expiration of the Transition Period.

(b) Company will continue to pay the Company Fees in accordance with Section 4 of these Terms and Conditions for any services performed by Peloton in connection with the Agreement until the expiration of the Transition Period.

  • 5.4 Effect of Termination. Upon expiration or termination of the Agreement: (a) each party shall return or certify the destruction of the other’s Confidential Information (as defined below) in accordance with the Agreement; (b) Company shall pay Peloton all unpaid balances for all Company Fees incurred prior to termination or expiration of the Agreement; and (c) the licenses granted hereunder shall automatically terminate and each party shall cease any current or future use of the other party’s Property.

6. Confidentiality.

  • 6.1 Confidentiality Obligations. Prior to the date hereof, and during the Term of the Agreement, from time to time, either party (the “Disclosing Party”) may disclose or make available to the other party (the “Receiving Party”), whether orally, electronically or in physical form, confidential or proprietary information concerning the Disclosing Party and/or its business, products or services in connection with the Agreement (“Confidential Information”). Confidential Information includes, without limitation, business plans, acquisition plans, systems architecture, information systems, technology, data, computer programs and codes, processes, methods, operational procedures, finances, budgets, policies and procedures, customer or employee information, vendor information (including agreements, software and products), product plans, projections, analyses, plans or results, the existence of any business dealings or agreements between Company and Peloton, and any other information which should reasonably be considered confidential. Notwithstanding the foregoing, the parties agree that all information provided by prospective Members attempting to enroll in a Membership or otherwise relating to Members that is not contained in an Eligibility File shall not be Confidential Information of Company. Each party agrees that during the Term and thereafter: (a) it will use Confidential Information belonging to the Disclosing Party solely for the purpose(s) of the Agreement; and (b) it will not disclose Confidential Information belonging to the Disclosing Party to any third party (other than the Receiving Party’s and, as applicable, its subsidiaries’ and affiliates’ employees, contractors and/or professional advisors who are bound by obligations of non-disclosure and limited use at least as stringent as those contained herein) without first obtaining the Disclosing Party’s written consent.
Upon the expiration or termination of the Agreement or upon the written request by the Disclosing Party, the Receiving Party will return or destroy (at Receiving Party’s option) all copies of any Confidential Information to the Disclosing Party, and in the case of the destruction of all copies of any Confidential Information, provide written certification of such destruction.
  • 6.2 Confidentiality Exclusions. For purposes hereof, Confidential Information will not include any information that the Receiving Party can establish by convincing written evidence: (a) was independently developed by the Receiving Party without use of or reference to any Confidential Information belonging to the Disclosing Party; (b) was acquired by the Receiving Party from a third party having the legal right to furnish such information to the Receiving Party without disclosure restrictions; or (c) was at the time in question (whether at disclosure or thereafter) generally known by or available to the public (through no fault of the Receiving Party).
  • 6.3 Required Disclosures. Section 6.1 will not restrict any disclosure required by order of a court or any government agency, provided that the Receiving Party, to the extent permitted by law, gives prompt notice to the Disclosing Party of any such order and reasonably cooperates with the Disclosing Party at the Disclosing Party’s request and expense to resist such order or to obtain a protective order.
  • 6.4 Injunctive Relief. The parties acknowledge and agree that the disclosure of Confidential Information in breach of this Section 6 may result in irreparable harm for which there is no adequate remedy at law. The parties therefore agree that the Disclosing Party may be entitled to seek an injunction in the event the Receiving Party violates or threatens to violate this Section 6 and that no bond will be required. Any such injunctive relief will be in addition to any other remedy available at law or equity.

7. Privacy and Security.

  • 7.1 Information Security.

Peloton shall implement and comply with standards and processes set forth in Annex I (Information Security Schedule) to these Terms and Conditions.

  • 7.2 Data Privacy and Security. Each party shall comply with the terms of the Data Processing Addendum attached as Annex II (Data Processing Addendum) to these Terms and Conditions.

8. Relationship of the Parties.

  • 8.1 Independent Contractor. The relationship of the parties is that of independent contractors. Nothing in the Agreement authorizes either party or any of its employees, agents or contractors to act as the other party’s agent or representative. None of either party’s employees, agents or contractors shall, under any circumstances, be construed to be an employee, agent or contractor of the other party.
  • 8.2 No Third-Party Beneficiaries. The Agreement is entered into solely between, and may be enforced only by, Company and Peloton. The Agreement will not be deemed to create any rights for any third party or any obligation of a party to any third party whether under the Contracts (Rights of Third Parties) Act 1999 or otherwise, to the extent applicable.
  • 8.3 Non-Circumvention. Company acknowledges and agrees that during the Term and for a period of three (3) months thereafter, Company will not enter into, or seek to enter into, any agreement or arrangement of any kind with any fitness instructor employed, engaged, or contracted by Peloton (any such arrangement, an "Instructor Engagement" and any such fitness instructor, an “Instructor”) without the express written consent of Peloton, which may be withheld in its sole discretion. In the event that Peloton authorizes an Instructor Engagement, Peloton, Instructor and Company will (or if permitted by Peloton, Instructor and Company will) enter into a separate agreement with respect to the terms and conditions of such Instructor Engagement.

9. Representations, Warranties and Disclaimers.

  • 9.1 Mutual Warranties. Each party represents and warrants that: (a) it is duly incorporated and validly existing under applicable laws and in good standing in applicable business locations as required; (b) it has all necessary right, title, license and authority to enter into and perform its obligations under the Agreement; (c) the person signing the Order Form on its behalf has full authority to bind such party to the terms and conditions hereof and (d) its performance of its obligations under the Agreement shall comply with all applicable laws, including Data Protection Laws.
  • 9.2 Disclaimers. EXCEPT AS SPECIFIED IN SECTION 9.1, TO THE MAXIMUM EXTENT PERMITTED BY LAW AND IF THE TERRITORY IS AUSTRALIA, SUBJECT TO SECTION 9.3, PELOTON PROVIDES THE PROGRAM ON AN “AS IS” AND “AS AVAILABLE” BASIS AND HEREBY DISCLAIMS AND COMPANY WAIVES ALL REPRESENTATIONS, CONDITIONS AND WARRANTIES (WHETHER EXPRESS, IMPLIED, OR STATUTORY), INCLUDING ANY WARRANTY OR CONDITION (A) OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, TITLE, SATISFACTORY QUALITY, ACCURACY, COMPLETENESS, APPROPRIATENESS, OR QUIET ENJOYMENT, OR (B) ARISING FROM ANY COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE IN THE INDUSTRY. Company acknowledges that no guarantee or assurance has been made as to results that may be obtained from the use of any Membership or Equipment by any Eligible User whether used singly or in combination with any other product or service.
  • 9.3 Australian Consumer Law. If the Territory is Australia, applicable law, including the Australian Consumer Law in Schedule 2 of the Competition and Consumer Act 2010 (Cth) (the "Australian Consumer Law"), may imply warranties or conditions or impose obligations which cannot be excluded, restricted or modified except to a limited extent. This Agreement must in all cases be read subject to these applicable laws. The disclaimer in Section 9.2 and the limitations in Section 10.1 do not purport to limit liability or alter any rights you may have as a consumer that cannot be excluded under applicable law, including any of the non-excludable requirements of the Australian Consumer Law. If Peloton is liable to you under the Australian Consumer Law, to the extent to which Peloton is entitled to do so, Peloton limits its liability in respect of any claim under those provisions to, at Peloton's option, the supply of the relevant services again, or the payment of the cost of resupplying the services.

10. Limitation of Liability; Indemnification.

  • 10.1 Limitation of Liability. TO THE MAXIMUM EXTENT PERMITTED BY LAW, SUBJECT TO SECTION 9.3, PELOTON’S SOLE LIABILITY, AND COMPANY’S EXCLUSIVE REMEDY, IN CONNECTION WITH THE AGREEMENT, REGARDLESS OF THE FORM OF ACTION OR LEGAL THEORY, WILL BE STRICTLY LIMITED TO PELOTON’S OBLIGATIONS AS SPECIFICALLY AND EXPRESSLY PROVIDED HEREIN. TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT WILL PELOTON, ANY OF ITS AFFILIATES, OR ANY OFFICER, DIRECTOR, EMPLOYEE, OR AGENT OF ANY OF THE FOREGOING HAVE ANY LIABILITY TO COMPANY ARISING OUT OF OR IN CONNECTION WITH THE AGREEMENT OR ANY TRANSACTION CONTEMPLATED BY THE AGREEMENT IN AN AMOUNT IN EXCESS OF AMOUNT(S) ACTUALLY RECEIVED BY PELOTON FROM COMPANY DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO SUCH LIABILITY. IN NO EVENT WILL PELOTON, ANY OF ITS AFFILIATES OR SUBSIDIARIES, OR ANY OF ITS OR THEIR OFFICERS, DIRECTORS, EMPLOYEES, OR AGENTS HAVE ANY LIABILITY, OBLIGATION OR RESPONSIBILITY FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR EXEMPLARY DAMAGES ARISING IN ANY WAY IN CONNECTION WITH ANY MEMBERSHIP OR EQUIPMENT OR THE AGREEMENT, INCLUDING DAMAGE TO PROPERTY, INJURY TO ANY PERSON, LOSS OF USE, DATA OR PROFITS, OR ANY DELAY OR INCONVENIENCE, EVEN IF COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF ANY SUCH DAMAGE. IF THE TERRITORY IS THE UNITED KINGDOM, THEN NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED HEREIN, NOTHING IN THE AGREEMENT SHALL LIMIT OR EXCLUDE EITHER PARTY’S LIABILITY TO THE OTHER FOR: FRAUD OR FRAUDULENT MISREPRESENTATION; DEATH OR PERSONAL INJURY CAUSED BY THAT OTHER PARTY’S NEGLIGENCE; OR ANY OTHER LIABILITY WHICH CANNOT BE EXCLUDED OR LIMITED BY LAW. To the extent applicable law in a jurisdiction does not allow a limitation or exclusion of liability set forth above, such limitation or exclusion shall not apply to Company.
  • 10.2 Indemnification. Company will defend, indemnify and hold harmless Peloton, its affiliates and subsidiaries, and each of its and their respective partners, officers, shareholders, directors, employees, agents, representatives and personnel from and against any and all liability, damages, losses, claims, demands, actions, proceedings (including arbitration), judgments, costs and expenses of every nature and kind asserted (including reasonable attorneys’ and experts’ fees), commenced or threatened by a third party, including but not limited to the U.S. Federal Trade Commission or other regulatory entity, whether actual or alleged, arising out of: (a) Peloton’s communications with any Eligible Users at the direction of Company, (b) Company’s failure to provide the Personal Data that is contained in the Eligibility File ("Eligibility File Personal Data") to Peloton in compliance with its obligations under applicable Data Protection Law, and (c) Company’s use of a Member’s Personal Data accessible through the Program, including in connection with any employment-related action.

11. Force Majeure.

Except for the obligation to pay monies due and owing, neither party shall be liable to the other for any delay or failure in performing its obligations under the Agreement to the extent that such delay or failure is caused by an event or circumstance that is beyond the reasonable control of that party.

12. Assignment.

Company may not assign these Terms and Conditions or any right or duty hereunder or thereunder (except the right to receive any payment) without the prior written consent of Peloton. Peloton may assign these Terms and Conditions freely.

13. Notices.

Any notices sent pursuant to the Agreement will be delivered via (a) hand, (b) certified mail, return receipt requested, (c) a nationally recognized overnight courier, or (d) email with receipt confirmed within one (1) business day, and, if applicable, will be delivered to the addresses set forth in the Order Form.

14. Severability; Waiver.

If any provision of the Agreement is held to be invalid or unenforceable by a court of competent jurisdiction, then such provision will be limited or modified to the limited extent necessary to most closely reflect the parties’ intent and render the remainder of the Agreement in full force and effect and enforceable. The waiver by either party of any right provided under the Agreement shall not constitute a subsequent or continuing waiver of such right or of any other right under the Agreement, nor will any delay or omission to exercise any right or remedy operate as a waiver.

15. Governing Law and Jurisdiction.

(a) If the Territory is the United States of America or Canada, the following Section 15(a) applies: The validity, interpretation, and performance of the Agreement and the transactions contemplated herein shall be controlled by and construed under the laws of the state of New York, as if performed wholly within the state of New York and without giving effect to the principles of conflicts of law. The parties agree that the state and federal courts located in New York County, New York shall have exclusive jurisdiction over any claim or litigation arising under the Agreement. In any action to enforce the Agreement, the prevailing party will be entitled to recover its reasonable attorneys’ fees and other costs incurred in connection with that action, in addition to any other relief to which such party may be entitled. The Uniform Commercial Code, the Uniform Computer Information Transactions Act, and the United Nations Convention on Contracts for the International Sale of Goods shall not apply.
(b) If the Territory is Canada, the following Section 15(b) applies: Each party accepts and approves the English version of the Agreement signed by both parties as controlling in any dispute between the parties arising from or related to the Agreement. The parties hereto confirm their express wish that this agreement be drawn up in the English language only.
(c) If the Territory is the United Kingdom, the following Section 15(c) applies: The Agreement shall be governed by and construed in accordance with the laws of England and Wales without regard to the conflicts of laws provisions thereof. Exclusive jurisdiction and venue for any action arising under the Agreement shall be in the courts of England and Wales, and the parties hereby consent to such jurisdiction and venue for this purpose.
(d) If the Territory is Australia, the following Section 15(d) applies: The validity, interpretation, and performance of this Agreement and the transactions contemplated herein shall be controlled by and construed under the laws of the State of New South Wales without giving effect to the principles of conflicts of law. The parties agree that the State and Federal courts located in the State of New South Wales shall have exclusive jurisdiction over any claim or litigation arising under this Agreement.

16. Interpretation; Construction.

The terms “include,” “includes,” and “including,” whether or not capitalized, mean “include, but are not limited to,” “includes, but is not limited to,” and “including, but not limited to,” respectively and are to be construed as inclusive, not exclusive. In the event an ambiguity or question of intent or interpretation arises, the Agreement shall be construed as if drafted jointly by the parties and no presumption or burden of proof shall arise favoring or disfavoring any party by virtue of the authorship of any of the provisions of the Agreement.

17. Export Control.

Company will comply with the U.S. Foreign Corrupt Practices Act (regarding, among other things, payments to government officials) and all other anti-bribery and corruption legislation including but not limited to the Canada Foreign Corrupt Practices Act, the UK Bribery Act 2010 (where applicable), Chapter 4 and Part 7.6 of the Australian Criminal Code Act 1995 (Cth) and equivalent State and Territory laws in Australia (where applicable), and all export laws and restrictions and regulations of the U.S. Department of Commerce, the U.S. Department of Treasury Office of Foreign Assets Control, the UK Department for International Trade, the UK Export Control Joint Unit, or other United States, or foreign agency or authority and not export or re-export, or allow the export or re-export, of any Membership or Equipment in violation of any such restriction, law or regulation.

18. Survival.

Any provision of the Agreement which, either by its terms or to give effect to its meaning, must survive, including Sections 3.1, 4, 5.4, 6, 7, 8, 9.2, and 10-19, shall survive the cancellation, expiration or termination of the Agreement.

19. Entire Agreement.

The Agreement, including any exhibits attached hereto, constitutes the complete agreement between the parties concerning the subject matter of the Agreement and shall replace all prior oral or written communications between the parties concerning the subject matter of the Agreement. There are no conditions, understandings, agreements, representations, or warranties, expressed or implied, that are not specified herein. The parties confirm that it is their express wish that the Agreement be drawn in the English language only. If any purchase order or any other communication from Company contains provisions inconsistent with the provisions hereof, the Agreement will prevail and Peloton hereby notifies Company of its objection to and rejection of any such provisions that are in conflict with, inconsistent with, or in addition to those contained in the Agreement. These Terms and Conditions and any exhibits hereto may be modified by Peloton from time to time by posting an updated version at the same or a successor URL, as determined by Peloton in its sole discretion, and any such updates shall be effective as of the date such updated terms are made available.

ANNEX I:

INFORMATION SECURITY SCHEDULE

This information security schedule including any attachment hereto (“Information Security Schedule”) is subject to the Terms and Conditions. Notwithstanding anything to the contrary in this Information Security Schedule, all of Peloton’s obligations under this Information Security Schedule shall apply only with respect to Eligibility File Personal Data and Peloton’s systems that process Eligibility File Personal Data or Peloton’s processes to the extent that they apply to the Eligibility File and those systems. Nothing in this Information Security Schedule shall apply to any other data or systems, including those that relate to Peloton’s member products and services.

1. INFORMATION SECURITY REQUIREMENTS

1.1 Where Peloton discovers a confirmed accidental or unauthorized loss, destruction, acquisition, disclosure, access, manipulation, use or other form of compromise of the Eligibility File on Peloton systems (a “Security Incident”), Peloton will notify Company’s point of contact, designated in writing by Company promptly following the execution of an Order Form, in writing promptly, and in any event within forty-eight (48) hours following such discovery and reasonably cooperate with Company in any breach investigation or remediation efforts in a manner that does not interfere with Peloton’s incident response. If Company notifies Peloton of a security vulnerability or incident that is identified by Company or a third-party to Company relating to processing of the Eligibility File on Peloton systems, Peloton will, in good faith, address the security vulnerability or incident without undue delay in accordance with Peloton’s vulnerability management policies. For the purposes of this Information Security Schedule: “Peloton Services” includes the process (including any systems) utilized by Peloton by which Peloton confirms whether an individual is an Eligible User by using the Eligibility File under the Agreement.

1.2 Peloton represents and warrants that it shall implement reasonable technical and organizational security measures, based on current Industry Standards. “Industry Standards” means commercially reasonable security measures in all applicable equipment, software systems, services and platforms that Peloton uses to access, process and/or store the Eligibility File, that are designed to protect the security, integrity, and confidentiality of the Eligibility File, and to protect against any Security Incident(s). Further, Peloton will comply with laws and regulatory requirements applicable to Peloton so that the Eligibility File is not destroyed (except as expressly permitted under the Agreement), lost, altered, corrupted or otherwise impacted such that it is not readily usable in a manner that would violate those laws or regulatory requirements. Upon Company’s request, the Eligibility File shall be immediately provided or otherwise made accessible to Company by Peloton, either, at Company’s option, using the Peloton Services or in an Industry Standard format agreed upon by the parties.

2. SECURITY ASSESSMENT

2.1 Security Assessment. If requested in writing by Company, Peloton will complete, in a timely and accurate manner, a reasonable information security questionnaire provided by Company to Peloton, on an annual basis, in order to verify Peloton’s compliance with its security-related obligations in the Agreement (a “Security Assessment”). Neither Company nor any third party shall undertake any form of security or vulnerability testing or assessment independently without Peloton’s prior written agreement.

2.2 Security Issues and Remediation Plan. Security issues identified by Company during a Security Assessment will have a mutually agreed upon assigned risk rating and an agreed-upon timeframe to remediate. Peloton shall remediate all material security issues identified within the agreed remediation timeframes.

2.3 Compliance. Peloton shall review, on an annual basis or after substantial architecture or engineering design changes, the technical and organizational controls implemented to protect Eligibility File Personal Data. Peloton shall provide an executive summary of this internal audit upon request.

3. INFORMATION SECURITY CONTROLS

3.1 Policies for Information Security. Peloton’s policies for information security shall be documented by Peloton, approved by Peloton’s management, published and communicated to Peloton’s personnel, contractors, agents and relevant external third parties. The written information security policy will (a) address the information security risks and controls identified through Risk Assessments for each area of information security (e.g., user access, system development and change, business continuity, etc.), and supplemental policies should be developed and implemented as appropriate; (b) reflect the requirements of applicable law; (c) apply to all Peloton employees, contractors, agents and authorized third parties (collectively, “Peloton Personnel”); and (d) undergo annual reviews and be updated to address (i) relevant organizational changes, (ii) identified threats or risks to information assets, and (iii) relevant changes in applicable law.

3.2 Information Security Management Program. Peloton shall implement a business-approved information security management program that (a) is composed of qualified information security specialists; (b) develops and maintains the written information security policy and any supplemental requirements; and (c) identifies Peloton Personnel responsible for the execution of information security activities.

3.3 Background Screening. Unless prohibited by applicable law, Peloton shall perform background verification checks on its employees upon hire to verify each individual’s (i) identity; (ii) criminal history; (iii) employment history; and (iv) education.

3.4 Information Security Training. Peloton shall train Peloton Personnel on information security awareness upon hire or initiation of engagement and annually thereafter. Peloton shall update that training to include changes in its organizational policies and procedures and shall address (a) Peloton Personnel’s specific job functions; (b) disciplinary actions when Peloton Personnel commit or cause a suspected or actual Personal Data Breach; (c) specific training for the processing of Eligibility File Personal Data in accordance with applicable Data Protection Law; and (d) annual phishing awareness.

3.5 Peloton Personnel Confidentiality Obligations. Peloton shall require Peloton Personnel with access to Eligibility File Personal Data to adhere to a binding, management-approved written information security policy designed to preserve and protect the confidentiality and privacy of Eligibility File Personal Data.

3.6 Information Security Officer. Peloton shall designate an individual responsible for information security within its organization (the “Information Security Officer”). Peloton shall provide the name and contact information of its designated Information Security Officer upon request.

4. ASSET MANAGEMENT

4.1 Asset Inventory. Peloton shall maintain an asset inventory of all media and equipment where the Eligibility File is stored and the ownership of those storage assets. Access to such media and equipment shall be restricted to authorized personnel of Peloton. Peloton will ensure that no software or hardware that is no longer supported by its provider or manufacturer, as applicable, is used in the scope of Peloton Services without a mutually agreed risk management process for such items.

4.2 Asset Handling. Peloton shall have a formal policy and supporting practices for classifying information within its organization. Peloton shall classify the Eligibility File so that it is properly identified and access to the Eligibility File shall be appropriately restricted.

4.3 Asset Use. Peloton shall document policies for the acceptable use and handling of assets that are agreed to by its Peloton Personnel. Peloton shall ensure that assets are returned by Peloton Personnel upon termination of employment or engagement, and Peloton shall track and verify those returned assets.

4.4 Preventing Unauthorized Access. In order to restrict unauthorized access to Eligibility File Personal Data, Peloton shall (a) configure its printers to require authentication of Peloton Personnel; (b) implement controls to protect equipment, information and assets located off-premises, including during remote access sessions, such as teleworking or remote administration; (c) publish, implement and enforce policies governing teleworking, mobile devices and removable media devices; (d) encrypt remote access communications to systems or applications containing Eligibility File Personal Data; (e) require, at a minimum, multi-factor authentication for Virtual Private Network (VPN) or equivalent remote access; and (f) restrict the ports and protocols permitted.

4.5 Personal Devices. Peloton’s policies shall prohibit Peloton Personnel from using personal media devices and accessing or storing Eligibility File Personal Data on any personally owned and managed equipment. Peloton shall control Bring Your Own Device (BYOD) models, such as mobile devices and tablets, and implement controls commensurate with those on corporate-owned devices. Peloton shall reasonably prohibit the use of removable media devices, such as USB drives, memory sticks and Bluetooth storage devices.

5. ACCESS CONTROL

5.1 Peloton shall maintain an appropriate access control policy that is designed to restrict access to the Eligibility File and Peloton assets to authorized personnel, agents and contractors.

5.2 Peloton shall maintain and enforce an enterprise password policy that (a) prohibits reuse of any of a user’s 4 most recent previous passwords; (b) enforces account lock-out after 10 failed login attempts; (c) requires a minimum of 15 characters, including a mix of upper and lowercase letters, at least one numeric character and at least one special character; (d) includes the use of multi-factor authentication; and (e) stores passwords only in one-way (hashed) form, never in a reversible encrypted form.

5.3 Peloton shall maintain and enforce a password policy protecting access to the portal through which Company shares the Eligibility File with Peloton that (a) requires a minimum of 8 characters, including a mix of upper and lowercase letters, at least one numeric character and at least one special character; (b) stores passwords only in one-way (hashed) form, never in a reversible encrypted form; (c) prevents each user from reusing any of that user’s previous passwords; (d) disallows common passwords; and (e) disallows passwords that include the user’s name, username or similar identifying information.
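The two password policies above, expressed as checks an authentication service would run, are shown here as an added example; this is not Peloton’s code. The numeric parameters (15- and 8-character minimums, the 4-password history in 5.2, the unlimited per-user history in 5.3) are taken from the text. The salted PBKDF2 storage format, its iteration count and the tiny common-password list are assumptions made for the example. Lock-out (5.2(b)) and multi-factor authentication (5.2(d)) belong to the login flow rather than to password acceptance and are not shown.

```python
"""Password policy checks modelled on Sections 5.2 and 5.3 of the schedule.

Added example, not Peloton code. The parameters (15- and 8-character minimums,
4-password history, unlimited per-user history for the portal) are taken from
the text; the salted PBKDF2 storage format, its iteration count and the short
common-password list are assumptions made for this example.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from typing import Optional

# Stand-in for a real common-password corpus (constructed for the example).
COMMON_PASSWORDS = {"password", "password1!", "welcome1!", "qwerty123!", "letmein!1"}

PBKDF2_ITERATIONS = 200_000  # assumption; tune so one verify costs ~100 ms on the auth hosts
SALT_BYTES = 16


@dataclass(frozen=True)
class Policy:
    min_length: int
    history: Optional[int]  # previous passwords that may not be reused; None = all of them
    deny_common: bool       # 5.3(d)
    deny_identity: bool     # 5.3(e): no user name / username inside the password


ENTERPRISE = Policy(min_length=15, history=4, deny_common=False, deny_identity=False)  # 5.2
PORTAL = Policy(min_length=8, history=None, deny_common=True, deny_identity=True)      # 5.3


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """One-way salted storage (5.2(e), 5.3(b)): the stored digest cannot be decrypted."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def composition_violations(policy: Policy, password: str) -> list[str]:
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def identity_violations(password: str, username: str, display_name: str) -> list[str]:
    """Reject passwords embedding the username or any name token of 3+ characters."""
    lowered = password.lower()
    tokens = {username.lower()} | {t.lower() for t in display_name.split() if len(t) >= 3}
    return [f"contains identity token {t!r}" for t in sorted(tokens) if t and t in lowered]


def history_violations(policy: Policy, password: str,
                       history: list[tuple[bytes, bytes]]) -> list[str]:
    """history is newest-first; each entry is a (salt, digest) pair from hash_password."""
    window = history if policy.history is None else history[:policy.history]
    reused = any(verify_password(password, salt, digest) for salt, digest in window)
    return ["reuses a previous password"] if reused else []


def check_password(policy: Policy, password: str, username: str, display_name: str,
                   history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return every policy violation; an empty list means the password is acceptable."""
    problems = composition_violations(policy, password)
    if policy.deny_common and password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if policy.deny_identity:
        problems += identity_violations(password, username, display_name)
    problems += history_violations(policy, password, history)
    return problems


if __name__ == "__main__":
    prior = [hash_password(p) for p in ("Old-Portal-Pass-2!", "Old-Portal-Pass-1!")]
    for pw in ("Summer2024", "jdoe-Strong-Pass-9!", "Old-Portal-Pass-1!", "Tr0ub4dor&3-Mercury"):
        print(f"{pw!r}: {check_password(PORTAL, pw, 'jdoe', 'Jane Doe', prior) or 'OK'}")
```

The history check has to re-run the slow hash against each stored entry, which is why the stored form must be a salted one-way digest and not a reversible ciphertext: a reusable password can be recognised without anyone ever being able to read the old passwords back.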

5.4 Peloton shall restrict access to Peloton systems involved in providing Peloton Services, to only those individuals who require such access to perform their duties using the principle of least privilege access.

5.5 Peloton will perform periodic access reviews for systems and applications that are required to support Peloton Services.

5.6 Accessibility. With respect to Peloton Personnel who have access to Eligibility File Personal Data, Peloton shall (a) restrict access to Peloton Personnel with clear business needs; (b) appropriately segregate duties (e.g., code migration, security administration, audit log permissions, production support administration, etc.); (c) capture and periodically review system logs; and (d) enable access using multi-factor authentication.

5.7 Disabling Accounts. Peloton shall disable accounts on systems and applications processing Eligibility File Personal Data after 90 days of inactivity. Peloton shall remove Peloton Personnel’s user access rights to systems and applications processing Eligibility File Personal Data (a) within 24 hours of termination of employment or termination of engagement, and (b) within one week of a change of employment or engagement.
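The periodic access review in 5.5 is where breaches of the 5.7 deadlines are normally caught. The script below, an added example and not Peloton’s tooling, runs the three 5.7 rules over an identity-provider export: accounts still enabled 90 days after their last login, accounts of terminated personnel still enabled more than 24 hours after termination, and role changes older than one week whose prior access was never removed. The thresholds come from the text; the CSV layout, column names and sample rows are constructed, and the review time is fixed so the output is reproducible.

```python
"""Access review for the account-lifecycle rules in Sections 5.5 and 5.7.

Added example, not Peloton code. The thresholds (90 days of inactivity, 24 hours
after termination, one week after a change of role) come from the text; the CSV
export layout, the column names and the sample rows are constructed for this
example, and the review time is fixed so the result is reproducible.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=90)    # 5.7: disable after 90 days of inactivity
TERMINATION_LIMIT = timedelta(hours=24)  # 5.7(a): remove access within 24 hours
ROLE_CHANGE_LIMIT = timedelta(days=7)    # 5.7(b): re-scope access within one week

# Constructed identity-provider export; an empty cell means "not applicable".
SAMPLE_EXPORT = """\
user,enabled,last_login,terminated_at,role_changed_at,old_access_removed_at
alice,true,2024-05-30T09:12:00Z,,,
bob,true,2024-01-10T17:45:00Z,,,
carol,true,2024-05-29T08:00:00Z,2024-05-28T12:00:00Z,,
dave,false,2024-03-01T10:00:00Z,2024-03-02T09:00:00Z,,
erin,true,2024-05-31T11:30:00Z,,2024-05-15T00:00:00Z,
frank,true,2024-05-31T07:05:00Z,,2024-05-27T00:00:00Z,2024-05-28T16:00:00Z
"""
REVIEW_TIME = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the sample


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    detail: str


def parse_ts(value: str) -> Optional[datetime]:
    """Parse the export's UTC timestamps; an empty cell becomes None."""
    value = value.strip()
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_accounts(export_csv: str, now: datetime) -> list[Finding]:
    """Return one Finding per rule breach, in export order; an empty list means compliant."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        user = row["user"]
        enabled = row["enabled"].strip().lower() == "true"
        last_login = parse_ts(row["last_login"])
        terminated = parse_ts(row["terminated_at"])
        role_changed = parse_ts(row["role_changed_at"])
        old_removed = parse_ts(row["old_access_removed_at"])

        if enabled and terminated is not None:
            # A terminated person's account: the 24-hour clock runs from termination.
            overdue = now - terminated - TERMINATION_LIMIT
            if overdue > timedelta(0):
                findings.append(Finding(user, "terminated-still-enabled",
                                        f"access still enabled {overdue} past the 24-hour limit"))
        elif enabled and last_login is not None and now - last_login > INACTIVITY_LIMIT:
            findings.append(Finding(user, "inactive-90d",
                                    f"last login {(now - last_login).days} days ago, still enabled"))

        # A change of role is only complete once the old entitlements are gone.
        if role_changed is not None and old_removed is None and now - role_changed > ROLE_CHANGE_LIMIT:
            findings.append(Finding(user, "role-change-unreviewed",
                                    f"role changed {(now - role_changed).days} days ago, prior access kept"))
    return findings


if __name__ == "__main__":
    for f in review_accounts(SAMPLE_EXPORT, REVIEW_TIME):
        print(f"{f.user:8} {f.rule:26} {f.detail}")
```

Disabled accounts are deliberately never reported under the inactivity rule, and a termination inside the 24-hour window produces nothing yet; the point of fixing the review time is that the same export gives the same findings when the evidence is re-run for an auditor.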

6. CRYPTOGRAPHY

6.1 Peloton shall maintain policies and standards regarding the use of cryptographic controls that are implemented to protect the Eligibility File.

6.2 Key Management. Peloton shall segregate management duties from usage of cryptographic keys. Additionally, Peloton shall generate and implement cryptographic key management procedures that include the following: (a) approved key lengths; (b) secure distribution, activation, storage, recovery, replacement and update of cryptographic keys; (c) allocation of defined cryptographic key activation and deactivation dates; (d) restriction of cryptographic key access to Peloton Personnel; and (e) compliance with applicable law.

7. PHYSICAL AND ENVIRONMENTAL SECURITY

7.1 Peloton relies on third-party service providers to develop and maintain Industry Standard controls to prevent unauthorized physical access to onsite facilities and data centers, including: video camera surveillance at entry and exit points, a log of visitor entry and exit times, badged access for highly sensitive areas (e.g., server rooms), and guards or manned traps at entry and exit points.

8. PELOTON CORPORATE OFFICE ENVIRONMENTS

8.1 Peloton shall implement physical access control mechanisms (e.g., electronic access control) to ensure only authorized individuals can obtain physical access to Peloton corporate facilities.

8.2 Peloton shall ensure that its personnel within Peloton’s corporate facilities (e.g., employees, visitors, contractors) are able to be immediately identified (e.g., using identification badges, visual recognition or other means).

9. OPERATIONS SECURITY

9.1 Logging and Monitoring of Events. Peloton shall generate administrator and event logs for systems and applications that store, allow access to, or process Eligibility File Personal Data. The administrator and event logs shall (a) be archived for a minimum of 180 calendar days; (b) capture key security event types (e.g., access to critical files, creation of user accounts, multiple failed login attempts); and (c) be monitored by Peloton’s security operations center (SOC), with any triggered event followed up.
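What “monitored by the SOC and followed up on if an event is triggered” looks like for the “multiple failed login attempts” event type is shown below as an added example; it is not Peloton’s detection content and the log line format is not Peloton’s. The sample records, the line format and the thresholds are constructed. The per-account rule is the one the text names; the second rule goes beyond it and flags one source address failing against many different accounts (password spraying), which a per-account count alone never reaches.

```python
"""Detection for the "multiple failed login attempts" event type in Section 9.1(b),
as an added example (not Peloton code; the log format is not Peloton's).

The line format, thresholds and sample records are constructed. Beyond the
per-account rule the text names, it also flags a single source failing against
many different accounts (password spraying), which a per-account count misses.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Callable, NamedTuple, Optional

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)
WINDOW = timedelta(minutes=10)
USER_FAIL_THRESHOLD = 5   # failures on one account within WINDOW; alerts before the 10-attempt lockout in 5.2(b)
SPRAY_USER_THRESHOLD = 5  # distinct accounts failed from one source within WINDOW

# Constructed sample: one normal typo, a brute force on bob, a spray from 198.51.100.9,
# slow failures on heidi that never fit in the window, and one unrelated line.
SAMPLE_LOG = """\
2024-06-01T08:00:01Z auth host=elig-app-01 user=alice src=10.0.4.7 result=FAIL
2024-06-01T08:00:09Z auth host=elig-app-01 user=alice src=10.0.4.7 result=OK
2024-06-01T08:01:00Z auth host=elig-app-01 user=bob src=203.0.113.5 result=FAIL
2024-06-01T08:01:20Z auth host=elig-app-01 user=bob src=203.0.113.5 result=FAIL
2024-06-01T08:01:41Z auth host=elig-app-01 user=bob src=203.0.113.5 result=FAIL
2024-06-01T08:02:03Z auth host=elig-app-02 user=bob src=203.0.113.5 result=FAIL
2024-06-01T08:02:25Z auth host=elig-app-02 user=bob src=203.0.113.5 result=FAIL
2024-06-01T08:02:50Z auth host=elig-app-01 user=bob src=203.0.113.5 result=FAIL
2024-06-01T08:10:00Z auth host=elig-app-01 user=carol src=198.51.100.9 result=FAIL
2024-06-01T08:10:15Z auth host=elig-app-01 user=dave src=198.51.100.9 result=FAIL
2024-06-01T08:10:30Z auth host=elig-app-02 user=erin src=198.51.100.9 result=FAIL
2024-06-01T08:10:45Z auth host=elig-app-02 user=frank src=198.51.100.9 result=FAIL
2024-06-01T08:11:00Z auth host=elig-app-01 user=grace src=198.51.100.9 result=FAIL
2024-06-01T09:00:00Z auth host=elig-app-01 user=heidi src=10.0.4.21 result=FAIL
2024-06-01T09:30:00Z auth host=elig-app-01 user=heidi src=10.0.4.21 result=FAIL
2024-06-01T10:00:00Z auth host=elig-app-01 user=heidi src=10.0.4.21 result=FAIL
2024-06-01T10:30:00Z auth host=elig-app-01 user=heidi src=10.0.4.21 result=FAIL
2024-06-01T11:00:00Z auth host=elig-app-01 user=heidi src=10.0.4.21 result=FAIL
this line is not an auth record and is skipped
"""


class Event(NamedTuple):
    ts: datetime
    host: str
    user: str
    src: str
    result: str


class Alert(NamedTuple):
    rule: str
    key: str          # account name or source address
    first_seen: datetime
    count: int


def parse_line(line: str) -> Optional[Event]:
    """Parse one auth record; unrelated lines return None and are skipped."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["host"], m["user"], m["src"], m["result"])


def _sliding_window(events: list[Event], key: Callable[[Event], str],
                    measure: Callable[[list[Event]], int], threshold: int, rule: str) -> list[Alert]:
    """Group by key, slide a WINDOW over each group, alert once when measure >= threshold."""
    groups: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        groups[key(e)].append(e)
    alerts = []
    for k, evs in groups.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > WINDOW:
                start += 1
            value = measure(evs[start:end + 1])
            if value >= threshold:
                alerts.append(Alert(rule, k, evs[start].ts, value))
                break  # one alert per key; the SOC follow-up in 9.1(c) takes it from here
    return alerts


def detect(lines: list[str]) -> list[Alert]:
    """Run both rules over raw log lines and return the alerts the SOC would receive."""
    failures = [e for e in map(parse_line, lines) if e is not None and e.result == "FAIL"]
    failures.sort(key=lambda e: e.ts)  # records from several hosts may arrive out of order
    return (_sliding_window(failures, lambda e: e.user, len, USER_FAIL_THRESHOLD, "brute-force-account")
            + _sliding_window(failures, lambda e: e.src, lambda w: len({e.user for e in w}),
                              SPRAY_USER_THRESHOLD, "password-spray-source"))


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.rule:22} {a.key:14} first seen {a.first_seen:%H:%M:%S}Z count={a.count}")
```

Sorting by timestamp before windowing matters because 9.1 covers several hosts; records that arrive out of order would otherwise split one attack across windows. The heidi entries show the other side: five failures two hours apart are real events worth keeping for the 180-day archive, but not an alert.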

9.2 Service Management. Peloton shall define capacity requirements and monitor service availability.

9.3 Protections from Malware. Peloton shall maintain anti-malware controls that are designed to protect systems from malicious software, including malicious software that originates from public networks. Peloton shall maintain software at the then current major release for Peloton owned anti-malware software and provide maintenance and support for new releases and versions of such software.

9.4 Secure Destruction. Peloton shall implement procedures to ensure that the Eligibility File and all logical copies are securely destroyed, within 90 days, when no longer needed for the purposes authorized by Company or at the expiration or termination of the Agreement. For purposes herein, Peloton shall (a) secure and confirm the erasure of Eligibility File Personal Data from its systems and servers, including any physical or electronic copies, prior to asset destruction and disposal; (b) maintain records of destruction of that Eligibility File Personal Data; and (c) require that any third parties engaged to process Eligibility File Personal Data securely dispose of the information when no longer needed for the Services.

9.5 Change Management. Peloton shall maintain and implement change control procedures to ensure that only approved and secure versions of code, configurations, systems, utilities and applications will be deployed for use in connection with Peloton Services. Peloton shall, in a timely manner and where practicable with reasonable advance notice, communicate to Company any expected scheduled downtime affecting management of the Eligibility File.

9.6 Secure Development. Peloton shall establish, document and integrate secure system engineering and coding practices within the system development life cycle (SDLC), and require developers to periodically attend secure system development training.

9.7 Peloton shall implement automated static source code analysis as part of SDLC.

9.8 Independent Environments. Peloton shall have separate environments for development, testing and production. Peloton shall restrict and track Peloton Personnel access to program source code.

9.9 Non-Production Environment Restrictions. Peloton and its Peloton Personnel shall not use Eligibility File Personal Data meant for production within a non-production environment.

9.10 Testing. Peloton shall test system and application changes, including relevant security controls. System and application changes shall be required to meet acceptance criteria defined by Peloton prior to implementation.

9.11 Encryption of Eligibility File Personal Data at Rest. Peloton shall encrypt Eligibility File Personal Data at rest using current Industry Standard encryption solutions.

10. COMMUNICATIONS SECURITY

10.1 Information Transfer and Storage. Peloton shall encrypt Eligibility File Personal Data (a) in transit across networks, including transmission across untrusted networks, such as public networks and (b) in transit between the internet, the cloud environment and the Company network.

10.2 Peloton shall obtain certificates for encryption in transit from a recognized certification authority. Encryption of Eligibility File Personal Data during internal transmission within the cloud environment shall apply between each application tier and between interfacing applications.

10.3 Peloton shall use platform and data-appropriate encryption (e.g., AES-256) in non-deprecated, open and validated formats and standard algorithms.

11. SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE

11.1 Workstation Encryption. Peloton will require full hard disk encryption on all workstations and/or laptops used by personnel, contractors and agents where such personnel are accessing or processing Eligibility File Personal Data.

11.2 Application Hardening. Peloton will reasonably maintain and implement secure application development policies, procedures, and standards that are aligned to Industry Standard practices such as the SANS Top 25 Software Errors and the OWASP Top Ten project. This applies to web application, mobile application, embedded software, and firmware development as appropriate.

11.3 Patching. Peloton will implement Industry Standard patching tools and processes for systems and applications related to Peloton Services.

11.4 Infrastructure Vulnerability Scanning. Peloton shall use Industry Standard and up-to-date products to scan its internal and external environment (e.g., servers, network devices, etc.) related to Peloton Services on a monthly basis. Peloton shall have a defined process to remediate findings.

11.5 Peloton targets remediation of critical and high severity issues identified through coordinated vulnerability disclosure within 120 days, or sooner depending on threat conditions.

11.6 Unattended Sessions. Peloton shall protect unattended sessions and equipment by (a) automatically terminating or revalidating system and application sessions after a maximum of fifteen (15) minutes of inactivity for systems and applications handling Company’s Confidential Information; and (b) enforcing a clear desk and clear screen policy.

11.7 System Hardening. Peloton shall implement and document system hardening procedures and baseline configurations, and those baselines shall not include unsupported software or hardware.

11.8 Penetration Testing. Peloton shall perform annual penetration testing for systems and applications that process Eligibility File Personal Data, including during significant system and application changes. Upon Company’s request, Peloton shall provide an executive summary of the testing results, including (a) the scope and methodology utilized; (b) the number of critical, high, and medium severity findings; (c) status of the findings and remediation timeline; (d) the name of the third-party tester; and (e) the date of the third-party testing.

12. PELOTON RELATIONSHIPS

12.1 Where other third-party applications or services are engaged by Peloton to process Eligibility File Personal Data, Peloton’s contract with any third-party must clearly state reasonable security requirements consistent with Industry Standards.

12.2 Third-party Access to Eligibility File Personal Data. Peloton shall provide third-parties access to Eligibility File Personal Data solely when necessary to perform the Services. In those cases, Peloton shall (a) provide Company a list of third parties with access to Eligibility File Personal Data; and (b) limit third party access to Eligibility File Personal Data only as necessary to perform the Services as contractually agreed to between the third parties and Peloton.

12.3 Peloton shall ensure non-disclosure agreements are in place with any contractor, subcontractor, and other related parties who have access to Peloton’s internal networks and/or will store, process or transmit Eligibility File Personal Data.

13. INFORMATION SECURITY INCIDENT MANAGEMENT

13.1 Peloton shall maintain a record of Security Incidents noting the description of the Security Incident, the applicable time periods, the impact, the person reporting and to whom the Security Incident was reported, and the procedures to remediate the incident.

13.2 In the event of a Security Incident identified by Peloton, Company, or another third party, Peloton will: (a) promptly investigate the Security Incident; (b) promptly provide Company with reasonably detailed information, as reasonably requested by Company, about the Security Incident; and (c) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

13.3 Peloton shall track disclosures of the Eligibility File, including what type of Eligibility File Personal Data was disclosed, to whom, and the time of the disclosure if and when feasible and permitted by applicable laws.

13.4 Incident Management Policy. Peloton shall implement a formally documented incident management policy that includes: (a) clearly defined management and user roles and responsibilities; (b) a reporting mechanism for suspected vulnerabilities and events affecting the security of Eligibility File Personal Data, including the reporting of suspected unauthorized or unlawful access, disclosure, loss, alteration and destruction of Eligibility File Personal Data; (c) procedures for risk assessments and risk treatments implemented within a reasonable timeframe and proportionate to the nature of the security incident and the harm, or potential harm, caused; (d) procedures for notification to relevant authorities as required by applicable law and the company member network firms; (e) procedures for forensic investigation of a security incident; and (f) processes for incident and resolution analysis designed to prevent the same, or similar, incidents from repeating.

13.5 Incident Tracking System. Peloton shall maintain a security incident tracking system for Eligibility File Personal Data that documents the following: (a) incident type, including how and where the incident occurred; (b) any unauthorized or unlawful access, disclosure, loss, alteration or destruction of Eligibility File Personal Data; (c) the Eligibility File Personal Data affected by the incident, including the categories of any personal data affected; (d) the time when the incident occurred, or is estimated to have occurred; and (e) remediation actions taken to prevent the same, or similar, incidents from happening again. Peloton shall review the incident documentation on a quarterly basis to validate incident response and resolution.

13.6 Investigations. In the event of an incident involving the Eligibility File Personal Data, Peloton will provide Company with analysis including full forensic details.

14. BUSINESS CONTINUITY

14.1 Implementing the Business Continuity Disaster Recovery Plan. A “Disaster” means any event that causes the unplanned interruption, inaccessibility, or unavailability of the eligibility service platform for 5 hours or longer. In the event of a Disaster, Peloton shall (a) notify Company within 1 hour of the Disaster, (b) implement a business continuity and disaster recovery plan (the “BCDR Plan”) within 2 hours of the Disaster, and (c) exercise its reasonable efforts to partially restore the Services within 12 hours of the Disaster and fully restore the Services within 24 hours of the Disaster. In the case of a Service Provider who undergoes a Disaster, Peloton shall continue to provide updates as it relates to Peloton’s dependency, in whole or in part, on such Service Provider to deliver the Peloton Service. Peloton shall provide Company with no less resource allocation priority than Peloton’s other customers. Peloton may not charge any additional fees or expenses for implementation of the BCDR Plan.

14.2 General. Peloton shall include (a) availability requirements for Peloton Services, (b) agreed upon recovery points (RPO) and recovery time objectives (RTO); (c) clearly defined roles and responsibilities; (d) multi-regional storage supporting availability requirements; and (e) backup and restoration procedures that include sanitation, disposal, or destruction of data stored between regional locations.

14.3 Root Cause Analysis. Following each Disaster after the Services have been fully restored, Peloton shall conduct a root cause analysis and provide a comprehensive report that describes, at a minimum, (i) the cause or causes of the Disaster, (ii) efforts taken to mitigate the consequences and resolve the Disaster, and (iii) the remedial actions to be implemented by Peloton in order to avoid future Disasters.

14.4 Backup Procedures and Media. Peloton shall follow industry best practices to make regular, encrypted backups of database and repository files of Eligibility File Personal Data to a secured location separate from the primary data center, on a timeframe mutually agreed to by the parties. Information backup procedures and media shall include (a) strong encryption technology; (b) integrity validation on a quarterly or bi-annual basis; and (c) secure multi-regional storage supporting availability requirements. Peloton shall exercise its reasonable efforts to restore any corrupted files using the most current backup available.

15. NETWORK SECURITY

15.1 Network Security. Peloton shall secure Eligibility File Personal Data in its network systems by implementing the following: (a) segregation of network systems containing Eligibility File Personal Data from network systems supporting internal or other activity; (b) segregation of Company's physical file within a shared service environment, and (c) securing network segments from external entry points where Eligibility File Personal Data is accessible.

15.2 Network Perimeters. “Secured Perimeter” means a physical or logical subnetwork that contains and exposes an organization’s external-facing services to an untrusted network (e.g., the Internet). An external network node can only access what is exposed in the Secured Perimeter while the rest of the network is firewalled. Peloton shall implement hardened configured external network perimeters to prevent unauthorized traffic, including termination of the external network perimeters in a Secured Perimeter. Additionally, Peloton shall: (a) limit communications to systems strictly allowed; (b) limit ports and protocols to those with a specific business purpose; and (c) synchronize system clocks on network servers to a universal time source (e.g., UTC) or network time protocol (NTP).

15.3 Internet Rules. Peloton shall implement internet filtering procedures to protect end user workstations from malicious websites.

ANNEX II:

DATA PROCESSING ADDENDUM

The intent of this data processing addendum (this “Addendum”) is to set forth the subject, scope, nature, purpose and obligations that govern the exchange of Personal Data from Company to Peloton in connection with the Program. This Addendum is supplemental to, and forms an integral part of, the Agreement. This Addendum reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Personal Data in connection with the execution of the Agreement. Capitalized terms not otherwise defined in this Addendum will have the meaning as set forth in the Agreement. In the event of any conflict between the terms of the Agreement and the terms of this Addendum, the terms of this Addendum shall control.

1. Definitions

a. "Controller" means an entity that alone or jointly with others determines the purposes and means of Processing of Personal Data. For purposes of this Addendum, a Controller includes a “business” as such term is defined by the CCPA / CPRA, or a similar designation under Data Protection Laws.

b. "Data Protection Laws" means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Company Personal Data are subject. “Data Protection Laws” may include, but shall not be limited to, US Data Protection Laws, the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK Data Protection Laws, and/or the Australian Privacy Act 1998 (Cth), as applicable.

c. "Personal Data" shall have the meaning assigned to the terms “personal data”, “personally identifiable information” and/or “personal information” under Data Protection Laws.

d. "Process," “Processes,” “Processing,” “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

e. "Processor" means an entity that Processes Personal Data on behalf, and in accordance with the instructions, of a Controller. For purposes of this Addendum, a Processor includes a "service provider" as such term is defined by the CCPA / CPRA, or any similar or analogous designation under Data Protection Laws.

f. "Restricted Transfer" means: (i) where the GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject to an adequacy determination based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.

g. "Security Incident(s)" means any actual breach of security leading to the accidental or unlawful destruction, loss, alteration, disclosure or use of, or access to, Company Personal Data in the possession or control of Peloton.

h. "Services" means any and all services performed by Peloton for Company under the Agreement.

i. "Standard Contractual Clauses" means: (i) where the GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, the "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 ("UK Addendum").

j. "Sub-processor" means Peloton’s authorized contractors, agents, vendors and third party service providers (i.e., sub-processors) that Process Company Personal Data.

k. "UK Data Protection Laws" means the Data Protection Act 2018 and the UK GDPR.

l. "UK GDPR" means retained Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018.

m. "US Data Protection Laws" means all laws and regulations applicable in the United States, including (i) the California Consumer Privacy Act (the “CCPA”), as amended by the California Privacy Rights Act ("CPRA") when effective, as well as any regulations and guidance that may be issued thereunder; and, where applicable, (ii) the Virginia Consumer Data Protection Act ("CDPA") when effective; (iii) the Colorado Privacy Act ("CPA") when effective; (iv) the Utah Consumer Privacy Act when effective (“UCPA”); (v) the Connecticut Data Privacy Act ("CTDPA") when effective; in each case as may be amended or superseded from time to time.

2. Data Privacy.

Each party shall comply with applicable Data Protection Laws relating to the use, collection, disclosure, transfer and processing of any information that relates to Personal Data of an Eligible User by that party. The parties shall reasonably assist each other in meeting their respective obligations under Data Protection Laws and make available all information necessary to demonstrate compliance with Data Protection Law. Peloton shall promptly notify Company in writing if it believes that it can no longer meet its obligations under any Data Protection Laws. Except as explicitly permitted by the Agreement, Company shall not use any Personal Data obtained in connection with the Program for any purpose, including any employment-related action. Peloton will obtain the consent of each Eligible User who participates in the Program as a Member to share such Member’s Personal Data with Company solely as necessary for the purpose of determining such Member’s enrollment to allow Company to (i) pay the Company Fees and any applicable Taxes, and (ii) to administer such Member's enrollment to comply with applicable obligations in the field of employment and tax law. Peloton may also share with Company fully aggregated, anonymized data regarding its Eligible Users who are Members consistent with its then-current End-User Agreements. Except as explicitly specified in this Section 2, Peloton will not share any other Personal Data of a Member with Company without the mutual written agreement of the parties and the explicit consent of such Member as required by applicable Data Protection Law.

3. Data Use and Processing.

a. Processing Purposes. Peloton shall receive and maintain the Personal Data provided by Company to Peloton on behalf of Company and shall only use such Personal Data in accordance with the Agreement for purposes of providing the Program and as instructed by Company (the “Processing Purposes”). Throughout the Term, Company shall obtain and maintain all rights, consents, and authority required by applicable Data Protection Law to disclose the Personal Data to Peloton and allow Peloton to process the Personal Data for the Processing Purposes. Peloton shall not retain, use, or disclose Personal Data provided by Company to Peloton for any purpose other than providing, supporting, and promoting the Program in accordance with the Agreement, including the Processing Purposes.

b. Eligibility File Personal Data. In the event that Company provides an Eligibility File to Peloton, Peloton shall receive and maintain the Personal Data that is contained in the Eligibility File (“Eligibility File Personal Data”) on behalf of Company and Company authorizes Peloton on behalf of Company to use, process and disclose Eligibility File Personal Data for the purposes of: (i) sending email communications to Eligible Users regarding the availability of the Program, (ii) confirming the eligibility of an Eligible User who seeks to participate in the Program, (iii) administering the Program, (iv) conducting analytics, and (v) billing for the Company Fees (each of (i) through (v) shall be included in the Processing Purposes).

c. Processor and Controller. Company acknowledges and agrees that for purposes of Data Protection Law, to the extent applicable, and with respect to the Personal Data solely, Peloton is acting as a Processor and Company is acting as Controller. Notwithstanding the foregoing, with respect to any Eligible User who becomes a Member or seeks to enroll in a Membership, any Personal Data provided by or regarding that Member will be processed by Peloton as an independent controller or, for purposes of U.S. law (as applicable), a business under applicable Data Protection Law, and the Personal Data of such Member shall not be considered Personal Data provided by Company to Peloton subject to this Addendum; provided that such Personal Data will remain subject to Peloton’s obligations set forth in Section 2.

d. UK Processor Relationship. If the Territory is the United Kingdom, the following subsection applies. For the purposes of this Section 3 and its subparts, the terms "controller", "data subjects", "personal data breach", "processor" and "process" shall have the meaning given to them under the GDPR or UK GDPR, as applicable. For the avoidance of doubt, Data Protection Laws shall include GDPR and UK GDPR.

e. Processing Terms. The parties agree that this Section 3 and its subparts will apply in such circumstances where Peloton is acting as a Processor under Data Protection Law in connection with the processing of the Personal Data for the Processing Purposes.

i. Categories of Personal Data Transferred: The Eligibility File Personal Data that Peloton processes on behalf of Company will include names, contact details (such as email address), and the data subjects to whom the Personal Data relates are Eligible Users; no sensitive data is anticipated to be transferred.

ii. Period Retained: Duration of the processing is for the Term, as defined in the Agreement.

iii. Processing Purposes: As defined in Section 3(a) above.

iv. Nature of Processing: The Eligibility File will be Processed in accordance with the Agreement (including this Addendum) and may be subject to the following activities:

  1. Storage and other Processing necessary to provide, maintain and improve the Services; and/or
  2. Disclosure in accordance with the Agreement (including this Addendum) and/or as compelled by applicable laws.

v. Frequency of Transfers: As needed to ensure the ongoing eligibility of Company Eligible Users.

f. Processing Restrictions. Peloton agrees that it shall:

i. Only process Personal Data on documented instructions from Company as set forth in the Agreement, unless otherwise required by applicable law. Peloton will notify Company if it is unable to comply with such instructions or it believes that the instructions infringe Data Protection Law, unless informing Company is prohibited by law on the basis of important grounds of public interest;

ii. Implement appropriate technical and organizational security measures (including confidentiality obligations applicable to its personnel) to provide a level of security appropriate to the risks that are presented by Personal Data. In case of a Security Breach which may affect Personal Data provided by Company, Peloton will notify Company without undue delay after becoming aware of it;

iii. Not: (1) sell Personal Data provided by Company to Peloton, as the term "sell" is defined by US Data Protection Laws; (2) share Personal Data provided by Company to Peloton, as the term “share" is defined by the CPRA; (3) disclose or transfer Personal Data provided by Company to Peloton to a Sub-processor or any other parties that would constitute “selling” as the term is defined by US Data Protection Laws or "sharing" as the term is defined by the CPRA; (4) unless otherwise permitted by US Data Protection Laws, retain, use, disclose or otherwise process Personal Data provided by Company to Peloton for any purpose other than the Processing Purposes; or (5) use the Personal Data provided by Company to Peloton outside the direct relationship between Company and Peloton; and

iv. Delete all Eligibility File Personal Data within ninety (90) days after termination of the Agreement unless otherwise provided by law.

4. Sub-processors.

a. Use. Company acknowledges and agrees that Peloton may retain its affiliates and other third parties as Sub-processors in connection with the processing of the Eligibility File Personal Data having imposed on such Sub-processors substantially the same data protection obligations as are imposed on Peloton under this Section and its subparts. Peloton will be liable to Company for the performance of the Sub-processors' obligations.

b. Notice. Upon Company’s written request, Peloton shall advise Company of any Sub-processors that may process the Eligibility File Personal Data. Any such Sub-processors shall be subject to appropriate privacy obligations commensurate with Peloton’s privacy obligations, as required by applicable law. If Company has legitimate objections to the appointment of any new Sub-processor, the parties will work together in good faith to resolve the grounds for the objection for no less than thirty (30) days, and failing any such resolution, Company may terminate the part of the Service performed under the Agreement that cannot be performed by Peloton without use of the objectionable Sub-processor.

c. Confidentiality. Any person or Sub-processor authorized to Process the Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.

5. Remediation.

Both parties have the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data. In particular, the parties have the right to take reasonable and appropriate steps to ensure that Personal Data collected pursuant to the Agreement is used in a manner that is consistent with a business’s obligations under the CPRA and other Data Protection Laws.

6. Personal Data Inquiries and Requests.

Peloton agrees to provide reasonable assistance and comply with all reasonable instructions from Company related to any requests from individuals exercising their rights in Personal Data granted to them under Data Protection Laws.

7. International Transfers.

a. EEA/UK. To the extent that the processing of Personal Data under this Section and its subparts involves the transfer of such Personal Data from the European Economic Area or United Kingdom to a territory that does not provide an adequate level of protection, the parties agree to take all steps required to ensure that the transfer of Personal Data meets the requirements of Data Protection Law, including entering into the relevant standard contractual clauses adopted by the European Commission or the UK Information Commissioner's Office and the UK Secretary of State (as applicable). In the event of any conflict between any terms in the Standard Contractual Clauses, this Addendum and the Agreement, the Standard Contractual Clauses shall prevail.

b. SCCs. In relation to data that is protected by the GDPR, the EU SCCs will apply. In relation to data that is protected by the UK GDPR, the UK Addendum will apply completed as follows: (1) Module Two will apply; (2) in Clause 7, the optional docking clause will apply; (3) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Section 3.e of this Addendum; (4) in Clause 11, the optional language will not apply; (5) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by German law; (6) in Clause 18(b), disputes shall be resolved before the courts of Berlin, Germany; (7) Annex I of the EU SCCs shall be deemed completed with the information set out in Section 3(d) above; (8) Annex II of the EU SCCs shall be deemed completed with the information set out in Section 3(d)(i) above; and (9) in relation to data that is protected by the UK GDPR, the UK Addendum will apply completed as set out above in clause (2). This Section 8.b shall also apply to transfers of such data, subject to Tables 1 to 3 of the UK Addendum, which shall be deemed completed with the relevant information from the EU SCCs, as set out above, and the options "neither party" shall be deemed checked in Table 4. The start date of the UK Addendum (as set out in Table 1) shall be the date of this Addendum.

c. Australian Privacy Laws. If the Territory is Australia, without limiting its obligations under the Agreement, Company shall obtain all necessary consents and authorizations for, and provide all relevant notices to, each applicable Member to ensure that each party's dealings with Personal Data collected, held, used or disclosed pursuant to this Agreement comply with their obligations under applicable Data Protection Laws.

d. Onward Transfers. Peloton shall not participate in (nor permit any Sub-processor to participate in) any other Restricted Transfers of Personal Data provided by Company to Peloton (whether as an exporter or an importer of the Personal Data) unless the Restricted Transfer is made in full compliance with Applicable Data Protection Law and pursuant to Standard Contractual Clauses implemented between the exporter and importer of the Personal Data provided by Company to Peloton.

8. Data Security.

Each party shall implement and maintain reasonable technical, physical and administrative safeguards, which shall be documented in an information security program, designed to protect the confidentiality, privacy and security of the Confidential Information of the other party and Eligibility File Personal Data in accordance with Applicable Data Protection Laws.

9. Notice of Breach.

Each party shall provide written notice to the other in the event that it becomes aware of any breach of its obligations with respect to Personal Data. Peloton shall provide such notice in accordance with Annex I (Information Security Schedule) to the Agreement. In such event, the non-breaching party may, without interfering with the other party’s operations or systems, take reasonable and appropriate steps to remediate any unauthorized use, disclosure, or access to Personal Data and ensure processing is consistent with the other party’s legal obligations.

10. Audit.

Up to once annually on at least thirty (30) days’ prior written notice to Peloton, Company may, solely to the extent required to confirm Peloton’s compliance with the terms of the Agreement, conduct monitoring activities as reasonably required to confirm Peloton’s compliance with the terms of this Addendum and Data Protection Laws, which may include reviews of Peloton security documentation and report summaries, audits, or technical and operational assessments (an “Audit”). Any Audit shall be: (i) conducted in cooperation with Peloton’s security and/or privacy team and in accordance with Peloton’s reasonable security/privacy requirements, (ii) subject to Company’s confidentiality obligations, and (iii) conducted in a manner so as not to unreasonably interfere with Peloton’s business operations. Upon Peloton’s request, after conducting an audit, Company shall notify Peloton of the manner in which Peloton does not comply with any of the applicable security, confidentiality or privacy obligations or Data Protection Laws herein and the parties shall meet to discuss and mutually agree on a risk rating and reasonable remediation timeline. Following such meeting and in accordance with the parties’ mutual agreement, Peloton shall make any necessary changes to ensure compliance with such obligations at its own expense and without unreasonable delay and shall notify Company when such changes are complete. For the avoidance of doubt, Company shall not undertake any form of security or vulnerability testing or assessments with respect to Peloton’s systems without Peloton’s prior written consent in each instance.