Effective date: 10 June 2025 · Red Rift, Inc. d/b/a Stribely · 2252 Keylon Dr, West Bloomfield, MI 48324 USA
These Terms of Service (“Agreement”) govern access to and use of the Stribely payroll and vendor transparency platform, related mobile applications, APIs, and professional services (collectively, the “Services”) provided by Red Rift, Inc., a Delaware corporation doing business as Stribely (“Stribely,” “we,” “us,” or “our”). By executing an order form, statement of work, or other ordering document that references this Agreement (each, an “Order”), or by accessing or using the Services, the organization identified in the Order (“Customer”) agrees to be bound by this Agreement.
If Customer is entering into the Agreement on behalf of an employer or other legal entity, Customer represents that it has authority to bind that entity. The Services are intended solely for business customers; individuals may not use the Services for personal, family, or household purposes.
Capitalized terms used but not defined elsewhere in this Agreement have the meanings set out below.
Stribely will make the Services available during the subscription term specified in the applicable Order. The Services include the features and functionality described in the Documentation. Stribely may modify the Services, provided that we do not materially reduce their core functionality during an active subscription term. The Services provide analytics, transparency, and workflow tooling based on Customer Data; Stribely does not serve as the system of record for payroll, vendor payments, or invoicing, and Customer remains responsible for validating all outputs prior to acting on them.
Stribely will provide the Services in accordance with this Agreement, the Order, and applicable laws. We will maintain systems, security measures, and personnel resources consistent with generally accepted industry standards for enterprise SaaS platforms that process payroll and vendor-payment information.
Any implementation, configuration, migration, or advisory services (“Professional Services”) will be described in an Order or mutually executed statement of work. Unless expressly stated otherwise, Professional Services are provided on a time-and-materials basis, do not constitute works made for hire, and any deliverables are licensed for Customer’s internal business purposes subject to this Agreement. Customer will provide timely access to systems, personnel, and information reasonably required for Professional Services.
From time to time Stribely may make pre-release, pilot, beta, or sandbox features (“Beta Services”) available. Customer may use Beta Services at its discretion and acknowledges that Beta Services are provided “as is,” may be modified or discontinued at any time, and are not subject to the support, uptime, or indemnification commitments in this Agreement. Stribely will clearly identify Beta Services in the Documentation or user interface.
Evaluation or trial access (if offered) is for the term specified by Stribely. Unless Customer purchases a subscription to the evaluated Services before the trial ends, Customer must stop using the Services and delete any copies of software or Documentation at the end of the evaluation period.
For deployments where Customer elects to run the Services (in whole or in part) within Customer-controlled infrastructure, including on-premises environments, private cloud environments, or whitelabel offerings provided to Customer’s affiliates or end clients (“Self-Managed Deployments”), Customer acknowledges that Stribely’s obligations are limited to delivering the software, Documentation, and agreed Professional Services. Customer is solely responsible for provisioning and maintaining hosting resources, operating systems, network connectivity, firewalls, backups, business continuity, and physical and logical security controls required for Self-Managed Deployments. Any Stribely service level commitments apply only to Stribely-hosted environments unless expressly stated in an Order. Stribely is not liable for outages, data loss, performance degradation, or security incidents arising from Customer’s infrastructure, configuration, or change management in Self-Managed Deployments.
The Services include workflow features that allow Customer to collect attestations, approvals, and issue tracking from employees, managers, contractors, and vendors (collectively, “Accountability Workflows”). Customer determines how Accountability Workflows are configured, the legal significance of any acknowledgement or signature, and any downstream enforcement between Customer and its personnel or vendors. Stribely is not a party to those relationships, does not assume responsibility for resolving underlying disputes, and does not provide legal, payroll, tax, or employment advice in connection with Accountability Workflows.
Each Order is subject to this Agreement and will describe the Services purchased, subscription start and end dates, permitted usage parameters, fees, and any unique commercial terms. If there is any conflict between this Agreement and an Order, the Order controls as to that Services purchase.
Customer is responsible for configuring and maintaining administrative accounts, authorizing authorized users, and safeguarding credentials. Customer will promptly notify Stribely of any unauthorized account access or other security incidents involving the Services.
Customer will:
Customer will not, and will ensure its users do not:
Stribely may suspend access to the Services immediately if we reasonably determine that Customer’s use violates this Section, provided we will notify Customer and work in good faith to resolve the concern.
Customer will pay all fees set forth in each Order. Fees may be invoiced monthly or annually in advance, as stated in the Order. Except as expressly provided in this Agreement, fees are non-refundable and non-cancellable.
Invoices are due net thirty (30) days from the invoice date. Late payments may accrue interest at 1.5% per month (or the highest rate permitted by law, if lower) plus reasonable collection costs. Stribely may suspend the Services for overdue amounts upon ten (10) days’ prior notice, provided Customer has not cured the delinquency.
Fees are exclusive of applicable taxes, duties, or governmental assessments (collectively, “Taxes”). Customer is responsible for paying all Taxes associated with its purchases, excluding taxes based on Stribely’s net income.
All amounts paid to Stribely are non-refundable. If Customer believes it is legally entitled to a refund under applicable US law, Customer must notify Stribely in writing within thirty (30) days of the charge at issue and provide supporting documentation. Stribely will evaluate the request solely to the extent required by law and may, at its discretion, offer alternative remedies (such as billing adjustments or extensions) where permitted. Requests submitted after the thirty (30) day period are deemed waived unless a longer period is mandated by non-waivable law. Nothing in this Agreement limits any statutory refund rights that may not be waived under applicable law.
Stribely will provide enterprise support and incident response in accordance with the support plan identified in the Order. Unless otherwise specified, Stribely will use commercially reasonable efforts to achieve at least 99.5% monthly uptime for the production Services, excluding planned maintenance (with at least 48 hours’ advance notice) and circumstances described in Section 24 (Force Majeure). Service level commitments apply only to Stribely-hosted production environments; for Self-Managed Deployments Stribely provides commercially reasonable remote assistance but is not responsible for the availability or performance of Customer’s infrastructure.
Support is available via designated channels during the hours specified in the Order and includes access to release notes, knowledge base resources, and incident tracking. Stribely will provide Customer with a dedicated technical point of contact for escalations involving data integrity, payroll releases, or banking handoffs.
If Stribely fails to meet the uptime commitment in this Section and Customer submits a written request within thirty (30) days after the end of the affected month, Stribely will provide a written incident report detailing root cause, remediation steps, and preventive measures. The parties will confer in good faith regarding reasonable accommodations, which may include extended support coverage, rescheduling of deliverables, or mutually agreed billing adjustments. These accommodations constitute Customer’s sole and exclusive remedy for failure to meet uptime commitments unless otherwise agreed in writing.
Stribely may suspend Customer’s access to the Services: (a) to address a security threat or prevent harm to the Services or third parties; (b) if Customer materially breaches Section 6 (Acceptable Use) or Section 7 (Fees); or (c) if required by law or governmental request. Stribely will limit suspensions to the minimum scope and duration necessary, notify Customer promptly, and restore access once the underlying issue is resolved.
Stribely will maintain an information security program aligned with the control requirements underlying SOC 2 Type II and ISO/IEC 27001 frameworks, including administrative, technical, and physical safeguards designed to protect Customer Data against unauthorized access, disclosure, alteration, or destruction. Safeguards include, at minimum, encryption of data in transit and at rest, role-based access controls, vulnerability management, intrusion detection, incident response plans, and security awareness training. As of 1 November 2025, Stribely is undergoing formal SOC 2 Type II and ISO/IEC 27001 audits and will notify Customer upon completion or material changes to its certification status.
Stribely will notify Customer without undue delay and, in any event, within seventy-two (72) hours after confirming a security incident involving Customer Data. Each notification will describe the nature of the incident, the categories of data affected (to the extent known at the time), mitigation steps taken or planned, and recommendations for Customer’s own response obligations. Stribely will provide regular updates as material information becomes available, including root-cause analysis and remediation plans.
Upon request, Stribely will reasonably cooperate with Customer in preparing notifications to regulators, end users, and other stakeholders, participating in joint incident reviews, and documenting lessons learned. Stribely will maintain incident records consistent with its security program and make summaries available for Customer’s audit purposes.
Stribely maintains business continuity and disaster-recovery plans that include redundancy of critical systems, data backups, and periodic testing. Upon written request, Stribely will provide high-level summaries of these plans.
For purposes of US state privacy laws, Stribely acts as a “service provider” or “processor” with respect to Customer Data. The commitments in this Section 10 and in Exhibit A (Data Protection Addendum) are incorporated into the Agreement and govern the parties’ respective privacy and data security obligations.
Customer retains all right, title, and interest in Customer Data. Stribely will process Customer Data solely to provide, secure, and support the Services, to comply with Customer’s documented instructions, and to fulfill legal obligations expressly applicable to the Services. Stribely will not sell Customer Data, use it for targeted advertising, or disclose it to third parties except as authorized in writing, permitted under this Agreement, or required by law. If we are legally required to process Customer Data contrary to Customer’s instructions, we will notify Customer (unless legally prohibited) before complying.
Stribely will ensure that its personnel who access Customer Data are subject to appropriate confidentiality obligations and receive continuing privacy and security training. Stribely will promptly inform Customer if we determine that an instruction infringes applicable data protection law and will work with Customer in good faith to address the concern.
Stribely’s technical and organizational measures are described in Section 9 and Exhibit A. At Customer’s request, Stribely will provide reasonable assistance with data protection impact assessments, records of processing, and consultations with regulators related to the Services. Responses to written compliance questionnaires will be provided within ten (10) business days, subject to applicable confidentiality obligations.
Stribely will notify Customer without undue delay (and no later than five (5) business days) after receiving a request from a data subject, governmental authority, or other third party seeking access to or information about Customer Data. Stribely will not respond to such requests except to acknowledge receipt and direct the requester to Customer, unless legally required to do otherwise. The parties will collaborate in good faith to fulfill verified data subject requests and regulatory inquiries in accordance with applicable law and the timelines specified by the relevant authority.
Customer may export or request a copy of Customer Data at any time during the subscription term. Upon expiration or termination, Stribely will, upon written request received within thirty (30) days, make Customer Data available for secure download in a commonly used format. After the retrieval window, Stribely will delete Customer Data from active systems within sixty (60) days and from encrypted backups within ninety (90) days, unless longer retention is required by law. Stribely will certify deletion upon Customer’s written request.
Stribely maintains an up-to-date list of subprocessors at https://stribely.com/subprocessors. Stribely will provide Customer with at least thirty (30) days’ advance notice (which may be via email or dashboard notification) of any new subprocessor that will process Customer Data. Customer may object to the new subprocessor on reasonable data protection grounds within that period; if the parties cannot resolve the objection within thirty (30) days, Customer may terminate the affected Services with a prorated refund of prepaid fees. Stribely will impose written obligations on subprocessors that are at least as protective as those in this Agreement.
Stribely will ensure that transfers of Customer Data originating outside the United States are protected by appropriate safeguards, such as the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, or other lawful transfer mechanisms agreed in writing. Stribely will self-certify and maintain compliance with the EU-US Data Privacy Framework (and applicable extensions) before relying on those programs and will notify Customer of any change in certification status. Upon request, the parties will execute additional transfer documentation reasonably required for Customer’s compliance obligations.
Stribely will notify Customer of any third-party legal requests for Customer Data (such as subpoenas) unless prohibited by law, and will provide reasonable cooperation so Customer can seek protective remedies. If Customer receives a request from a data subject or regulator regarding Customer Data processed by Stribely, the parties will collaborate in good faith to fulfill the request in accordance with applicable laws and contractual commitments.
“Confidential Information” means non-public information disclosed by one party (“Discloser”) to the other (“Recipient”) that is marked or reasonably understood to be confidential. Customer Data is Confidential Information of Customer. Stribely’s security documentation, product roadmap, and pricing are Confidential Information of Stribely.
Recipient will protect Confidential Information using at least the same degree of care it uses for its own information of similar importance (and no less than a reasonable degree of care). Recipient may use Confidential Information only to fulfill its obligations under the Agreement. Recipient may disclose Confidential Information to its Affiliates, employees, agents, and professional advisors who have a need to know and are bound by obligations no less protective. These obligations survive for three (3) years after disclosure, except that obligations relating to trade secrets and Customer Data survive as long as such information remains confidential.
Stribely and its licensors retain all right, title, and interest in the Services, Documentation, and associated intellectual property. No rights are granted to Customer other than those expressly stated in this Agreement.
Customer grants Stribely a non-exclusive, worldwide, royalty-free license to use Customer Data solely to provide and support the Services. Stribely may generate Platform Metrics and may use, disclose, and retain Platform Metrics for benchmarking, analytics, and improving the Services, provided Platform Metrics do not identify Customer or any natural person.
If Customer or its users submit feedback, suggestions, or enhancement requests (“Feedback”), Stribely may use and incorporate such Feedback without restriction and without obligation to Customer.
The Services may support integrations with third-party applications, systems, or services (“Third-Party Products”). Customer’s access to Third-Party Products is governed solely by the terms between Customer and the third-party provider. Stribely is not responsible for Third-Party Products and disclaims all liability arising from their use. If Customer enables a Third-Party Product integration, Customer authorizes Stribely to share Customer Data as necessary to facilitate the integration.
Each party will comply with all laws applicable to its performance under this Agreement, including anti-bribery laws, economic sanctions, anti-money laundering regulations, and employment laws. Customer represents that it is not listed on any US government denied-party list.
Customer will not export or re-export the Services or any related technical data in violation of US export control laws. Customer is responsible for obtaining any required export licenses or authorizations.
The Agreement remains in effect for as long as an Order is active. Either party may terminate for cause if the other party materially breaches the Agreement and fails to cure within thirty (30) days after written notice, or immediately if the breach is incapable of cure.
Either party may terminate the Agreement upon written notice if the other party: (a) ceases business operations without a successor; (b) becomes insolvent, makes an assignment for the benefit of creditors, or is subject to a petition in bankruptcy that is not dismissed within sixty (60) days; or (c) experiences a change in control resulting in a direct competitor gaining control, provided notice is given within thirty (30) days of learning of the change.
Upon termination or expiration of an Order, Customer will stop using the Services and ensure users do the same. Customer will pay all fees owed through the effective termination date. Sections that by their nature should survive (including Sections 6, 7, 9 through 23, and 26 through 30) will remain in effect.
Within thirty (30) days after termination, Customer may request that Stribely return or delete Customer Data as described in Section 10. After that period, Stribely may delete Customer Data from active systems, subject to applicable law. Backup copies will be purged during standard retention cycles.
Each party represents that:
Stribely warrants that:
For any breach of this Section, Customer’s exclusive remedy is for Stribely to use commercially reasonable efforts to correct the non-conformity. If Stribely cannot correct the non-conformity within thirty (30) days after notice, Customer may terminate the affected Order and receive a prorated refund of prepaid fees covering the remainder of the subscription term after the termination date.
Except as expressly provided in Section 18, the Services are provided “as is.” Stribely disclaims all other warranties, express or implied, including implied warranties of merchantability, fitness for a particular purpose, and non-infringement. Stribely does not warrant that the Services will be uninterrupted or error-free or that the Services will meet Customer’s regulatory requirements absent express written agreement.
Customer acknowledges that Stribely does not provide legal, tax, accounting, payroll, or employment advice. Customer remains solely responsible for confirming the accuracy of all data, calculations, and decisions produced through the Services and for determining whether the Services meet Customer’s contractual, statutory, or regulatory obligations.
For Self-Managed Deployments, Stribely makes no representation regarding the suitability, performance, or security of Customer’s hosting environment and has no obligation to remediate outages, vulnerabilities, or data loss arising from Customer’s infrastructure or third-party providers engaged by Customer.
Stribely will defend Customer against third-party claims that the Services infringe or misappropriate any US intellectual property right and will indemnify Customer for damages, costs, and reasonable attorneys’ fees finally awarded against Customer to the extent arising from such claims. If a claim arises, Stribely may (i) modify the Services to avoid infringement; (ii) procure rights to continue using the Services; or (iii) terminate the affected Services and refund prepaid fees for the remainder of the term. Stribely’s obligations do not apply to claims arising from Customer Data, Third-Party Products, unauthorized modifications, or Customer’s combination of the Services with items not provided by Stribely, except where Stribely directed that combination in writing.
Customer will defend Stribely and its Affiliates against third-party claims to the extent arising from (i) Customer Data; (ii) Customer’s use of the Services in violation of this Agreement or applicable law; or (iii) Customer’s Self-Managed Deployments or combination of the Services with non-Stribely products not directed in writing by Stribely, and will indemnify Stribely for resulting damages, costs, and reasonable attorneys’ fees. This obligation does not apply to the extent a claim results from Stribely’s failure to comply with its express obligations under this Agreement. Customer remains responsible for payroll, compensation, vendor-payment, and invoicing decisions based on Customer Data and for addressing any disputes or regulatory matters that arise from those decisions.
The indemnified party will promptly notify the indemnifying party of the claim, provide reasonable cooperation, and grant sole control of the defense and settlement. The indemnifying party will not settle a claim without the indemnified party’s prior written consent if the settlement imposes a payment obligation or admission of liability on the indemnified party.
To the maximum extent permitted by law, neither party will be liable for any indirect, incidental, special, consequential, punitive, or exemplary damages, including lost profits, revenue, goodwill, or data loss, even if advised of the possibility of such damages.
Except for (a) a party’s indemnification obligations; (b) Customer’s payment obligations; (c) breaches of Section 6 (Acceptable Use) or Section 11 (Confidentiality); and (d) a party’s gross negligence, willful misconduct, or fraud, each party’s aggregate liability under this Agreement will not exceed the total fees paid or payable by Customer under the applicable Order in the twelve (12) months preceding the event giving rise to the claim. In no event will Stribely be liable for wages, payroll withholdings, employment-related penalties, vendor payments, tax liabilities, infrastructure failures, data loss, or other obligations arising from Customer’s internal policies, decisions, or the accuracy of Customer Data, including circumstances where Customer personnel override warnings or proceed with incomplete or corrupted records. Customer acknowledges that all calculations, analytics, and alerts are derived from Customer Data and must be validated by Customer prior to execution.
During the term of the Agreement, Stribely will maintain the following insurance coverage with financially sound carriers: (a) commercial general liability with limits of at least $1,000,000 per occurrence; (b) technology errors and omissions (including network security and privacy liability) with limits of at least $5,000,000 in the aggregate; (c) workers’ compensation as required by applicable law; and (d) cyber liability coverage suitable for hosted payroll and financial data services. Certificates of insurance will be provided upon reasonable written request.
Upon reasonable written notice and no more than once per year, Customer may review Stribely’s then-current SOC 2 Type II report or equivalent independent audit report under a mutual non-disclosure agreement. Customer may also request responses to reasonable security questionnaires. On-site audits are available where required by law or regulation and will occur during normal business hours without unreasonable disruption.
Neither party is liable for failure to perform caused by events beyond its reasonable control, including acts of God, natural disasters, pandemics, labor disputes, supplier failures, power outages, or governmental actions. Each party will use commercially reasonable efforts to mitigate the impact of a force majeure event.
The Services and Documentation are “commercial items” as defined in FAR 2.101. If Customer is a US Government agency or instrumentality, the Services are provided subject to the restrictions set forth in FAR 52.227-19 and DFARS 227.7202 or successor provisions. Use, duplication, or disclosure by the Government is subject to the restrictions of this Agreement.
The parties will attempt in good faith to resolve any dispute arising under the Agreement through executive-level discussions within thirty (30) days after notice of the dispute. If the dispute is not resolved, either party may bring an action in accordance with Section 27. This Section does not prevent either party from seeking urgent injunctive or equitable relief.
The Agreement is governed by the laws of the State of New York, excluding conflicts-of-law rules. The parties consent to the exclusive jurisdiction and venue of the state and federal courts located in New York County, New York, for any action not subject to binding arbitration or injunctive relief. The United Nations Convention on Contracts for the International Sale of Goods does not apply.
All notices must be in writing and will be deemed given when delivered by hand, sent by recognized overnight courier with tracking, or emailed with confirmation of receipt. Notices to Stribely must be sent to Attn: Legal, Red Rift, Inc., 2252 Keylon Dr, West Bloomfield, MI 48324, or legal@stribely.ai. Notices to Customer will be addressed to the contact specified in the Order.
Neither party may assign the Agreement without the other party’s prior written consent, except that either party may assign the Agreement to an Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of substantially all assets, provided the assignee agrees in writing to be bound by the Agreement. Any prohibited assignment is void.
This Agreement, together with all Orders and documents incorporated by reference, constitutes the entire agreement between the parties and supersedes all prior discussions or agreements relating to its subject matter. If any provision is held unenforceable, the remainder will remain in effect. No failure or delay in exercising any right is a waiver of that right. Nothing in the Agreement creates a partnership, joint venture, or agency between the parties.
Stribely may update this Agreement by providing at least thirty (30) days’ prior notice. Updates will apply at the start of the next renewal term unless an Order specifies otherwise. For multi-year subscriptions, updates will not apply until renewal unless agreed in writing.
Neither party may issue press releases or use the other party’s name or logo without prior written consent, except that Stribely may include Customer’s name and logo in a list of customers or case studies with Customer’s prior approval. Each party is an independent contractor and there are no third-party beneficiaries to this Agreement.
Any modifications to an Order or to this Agreement must be in writing and signed (including electronically) by both parties. Emails and purchase order terms that purport to modify this Agreement have no force unless expressly agreed in writing. In the event of a conflict between this Agreement and an Order, the Order controls solely with respect to the Services purchased thereunder.
Questions about this Agreement may be directed to legal@stribely.ai or mailed to Red Rift, Inc., 2252 Keylon Dr, West Bloomfield, MI 48324 USA.
This Exhibit forms part of the Agreement between Customer and Stribely and applies whenever Stribely processes Customer Data on Customer’s behalf. Capitalized terms not defined here have the meanings given in the Agreement.
The subject matter of the processing is the Customer Data described in the Agreement. Processing will continue for the duration of the Agreement and any post-termination obligations described in Section 10.4. Stribely will process Customer Data solely for the purposes set forth in the Agreement.
Customer Data may include personal information relating to Customer’s employees, contractors, vendors, approvers, and other personnel whose data Customer submits to the Services, including identifiers, employment information, payroll and compensation data, vendor payment instructions, and supporting documents and communications.
Customer is responsible for determining the lawfulness of the processing, providing required notices, and obtaining all necessary consents. Customer will not submit Customer Data that is subject to sector-specific regulations (such as HIPAA, GLBA, or CJIS) unless expressly agreed in writing.
Stribely’s security measures include, at a minimum: encryption in transit and at rest; logical access controls and multifactor authentication for privileged accounts; segregation of environments; security event monitoring; routine vulnerability scanning and penetration testing; secure software development lifecycle practices; background checks for employees with elevated access; and documented incident response, business continuity, and disaster recovery plans that are reviewed at least annually.
No more than once in any twelve (12) month period (unless required by law or following a confirmed security incident), Customer may audit Stribely’s compliance with this Exhibit. Audits may consist of reviewing publicly available reports (such as Stribely’s SOC 2 Type II report, when available), responses to reasonable security questionnaires, or an on-site visit conducted during normal business hours with reasonable notice. Customer will bear its own costs and any third-party auditor must be bound by written confidentiality obligations. Audit findings will be shared with Stribely and used solely to confirm compliance.
To the extent Customer Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that does not provide an adequate level of protection, the parties agree that the applicable Standard Contractual Clauses (and UK or Swiss addenda, as relevant) will apply, are incorporated by reference, and will be executed upon Customer’s written request. Each party will comply with its respective obligations under those clauses, and Stribely will promptly notify Customer if it can no longer comply.
Upon expiration or termination of the Agreement, Stribely will return or delete Customer Data as described in Section 10.4. Where deletion is not feasible, Stribely will continue to protect Customer Data in accordance with the Agreement and this Exhibit and will not actively process it further.
The limitations of liability in Section 21 of the Agreement apply to this Exhibit. Each party remains responsible for damages only to the extent caused by its breach of this Exhibit or applicable data protection law.