TERMS AND CONDITIONS

FOR BENEFITS UNDER

INTERNET SECURITY ASSESSMENT -

SECURITY SERVICES WITH PIP PROMOTION

 

 

External Risk Assessment Report Under Security Management Program Service

 

The External Risk Assessment Report provided under this promotion is provided by Cybertrust, Inc.  (“Cybertrust”) subject to the following terms and conditions, and the ISA SOW (once completed and fully executed).

 

1.         External Risk Assessments. Cybertrust will conduct a remote assessment of Customer’s external Internet-facing environment by running targeted vulnerability tests based on the detected operating system and configuration to determine whether the external Internet-facing environment is consistent with SMP controls.  Cybertrust’s external risk assessment identifies devices that Cybertrust has determined to have unnecessary services, excessive services, or services with atypical characteristics.  Cybertrust will also assess whether boundary protection devices (e.g. routers and firewalls) have been configured with a conservative least privileged configuration.  Additional external vulnerability scanning and hand tests are conducted as often as Cybertrust determines is necessary to determine whether the external Internet-facing environment remains consistent with SMP controls.

 

2.         Deliverable.  Company will provide Customer as a deliverable an External Risk Assessment Report.  This report documents the findings from the External Risk Assessment including summary results, analysis, and action plan, as well as appendices with more detailed data and results.

 

3.         Intellectual Property Rights.  Each party agrees that except as provided below, it acquires no right, title or interest in or to the other party's information, data base rights, data, tools, processes or methods, or any copyrights, trademarks, service marks, trade secrets, patents or any other intellectual or intangible property or property rights of the other party by virtue of the provision of SMP or materials delivered pursuant to this Service Attachment.  Customer retains all right title and interest in and to the underlying factual data gathered through the provision of SMP.  Cybertrust owns all right title and interest in and to Cybertrust’s trade secrets, confidential information or other proprietary rights in any creative or proprietary ideas, information or other material used by Cybertrust or presented to Customer (each, a “Technical Element”), including, but not limited to: data, software, modules, components, designs, utilities, databases, subsets, objects, program listings, tools, models, methodologies, programs, systems, analysis frameworks, leading practices, report formats, manner of data expression and specifications.  Cybertrust grants Customer a nonexclusive, royalty-free license to use each Technical Element integrated into any deliverable solely for Customer’s internal business purposes.  Customer may disclose a Technical Element integrated into a deliverable to a third party as long as such third party is subject to a written nondisclosure agreement, requiring such third party to maintain the confidentiality of such Technical Element and use such Technical Element only for the benefit of Customer.  Notwithstanding anything contained in this Service Attachment to the contrary, Customer is prohibited from creating derivative works of all or any portion of a Technical Element.
Each deliverable Cybertrust creates uniquely for Customer’s sole use (each, a “Custom Material”) in accordance with this Service Attachment shall not constitute a Technical Element.  Each Custom Material shall be deemed a “Work Made For Hire” under the Copyright Act of 1976. 

 

4.         Network Scanning.  Customer understands that network scanning, including, without limitation, the scanning of applications, and the technology associated with it (collectively “Network Scanning”), have substantial inherent risks, including, but not limited to, the loss, disruption, or performance degradation of the Customer’s or a third party’s business processes, telecommunications, computer products, utilities, or data (the “Scanning Risks”).  Customer acknowledges that it understands and accepts the Scanning Risks associated with SMP Services that involve Network Scanning, and authorizes Cybertrust to perform those SMP Services when ordered.  Cybertrust shall take reasonable steps to mitigate these Scanning Risks; however, Customer understands that these Scanning Risks cannot be eliminated.  Customer agrees to indemnify, defend and hold harmless Cybertrust and its affiliates, officers, agents, successors or assigns (each, a “Cybertrust Indemnified Party”) from and against any and all loss, damages, liabilities, costs and expenses (including legal expenses and the expenses of other professionals) incurred by Cybertrust, resulting directly or indirectly from any claim attributable to or arising out of Cybertrust’s use of “Network Scanning Technology” (each, a “Scanning Claim”), including, without limitation, the use by Cybertrust of “Network Scanning Technology” to analyze assets that are not controlled directly by Customer (e.g., servers hosted by third parties). The obligation of Customer to indemnify, defend and hold a Cybertrust Indemnified Party harmless in connection with a Scanning Claim will not apply to the extent that the Scanning Claim is based on Cybertrust’s gross negligence or willful misconduct.

 

5.         Warranty and Limitation of Liability for Cybertrust Services

5.1        IN NO EVENT MAY EITHER PARTY’S AGGREGATE LIABILITY FOR ANY CLAIM OR ACTION RELATING TO OR ARISING OUT OF THIS SERVICE ATTACHMENT, REGARDLESS OF THE FORM OF ACTION (INCLUDING, WITHOUT LIMITATION, CONTRACT, TORT, PRODUCTS LIABILITY OR STRICT LIABILITY) EXCEED THE SERVICE FEES PAID TO CYBERTRUST BY CUSTOMER FOR THE SERVICE GIVING RISE TO SUCH CLAIM OR ACTION DURING THE SERVICE PERIOD IN WHICH SUCH SERVICE WAS PROVIDED.  The foregoing does not limit Customer’s payment obligations under this Agreement.

5.2        WITH REGARD TO SERVICES WHICH PROVIDE INFORMATION SHARING AND/OR INDUSTRY ALERTS, CYBERTRUST DISCLAIMS ANY LIABILITY TO CUSTOMER, AND CUSTOMER ASSUMES THE ENTIRE RISK FOR (A) INFORMATION FROM THIRD PARTIES  PROVIDED TO CUSTOMER WHICH TO THE BEST OF CYBERTRUST’S INFORMATION, KNOWLEDGE AND BELIEF DID NOT CONTAIN FALSE, MISLEADING, INACCURATE OR INFRINGING INFORMATION; (B) CUSTOMER’S ACTIONS OR FAILURE TO ACT IN RELIANCE ON ANY INFORMATION FURNISHED AS PART OF THE SERVICES; AND (C) THE USE OF ANY THIRD PARTY LINKS, PATCHES, UPDATES, UPGRADES, ENHANCEMENTS, NEW RELEASES, NEW VERSIONS OR ANY OTHER REMEDY SUGGESTED BY ANY THIRD PARTY AS PART OF THE SERVICES. 

5.3        THE INFORMATION CONTAINED IN, OR DERIVED FROM, SMP SERVICES IS NOT INTENDED TO, AND DOES NOT, ENSURE THAT CUSTOMER IS COMPLIANT WITH SPECIFIC GOVERNMENT REGULATIONS OR SECURITY STANDARDS.  CYBERTRUST DOES NOT WARRANT THAT THE INFORMATION CONTAINED IN SMP REPORTS IS ERROR-FREE OR THAT DEFECTS WILL BE CORRECTED.  CYBERTRUST DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF SMP REPORT INFORMATION IN TERMS OF CORRECTNESS, ACCURACY, RELIABILITY, OR OTHERWISE.  BY USING THIS INFORMATION, THE CUSTOMER ACKNOWLEDGES ITS UNDERSTANDING OF THESE TERMS AND AGREES TO ASSUME THE ENTIRE RISK AND COST OF ANY NECESSARY EXPENSES, DAMAGES, OR LIABILITY ARISING FROM SUCH USE.

5.4        Except as otherwise stated herein, the SMP Services and the deliverables provided by Cybertrust are provided “AS IS”.  For services provided to Customer from third parties and third party products (such as tokens), Customer receives only the warranties offered by such third party to the extent Cybertrust may pass through such warranties to Customer.

 

6.         Confidential Information

6.1        Methods; Systems; Reports.  Customer acknowledges that the following information constitutes “Confidential Information” under the Agreement: (a) the methods, systems, data and materials used or provided by Cybertrust in connection with the provision of the Services; and (b) the results of Cybertrust’s assessment of Customer and all reports issued by Cybertrust in connection with such results.  The term “Confidential Information” does not include information that is (a) expressly excluded from the definition of “Confidential Information” under the Agreement; or (b) comprised of statistical information, or other aggregated information regarding security vulnerabilities, security configurations and the like insofar as such information does not identify Customer or Customer’s computer network or computer systems. 

6.2        Permitted Use.  Cybertrust has the right to disclose Customer’s Confidential Information to a “Qualified Consultant.”  For purposes of this Service Attachment, “Qualified Consultant” means a consultant who (a) is engaged by Cybertrust to assist Cybertrust in connection with the provision of the Services, (b) agrees in writing to use Customer’s Confidential Information only in connection with the provision of the Services, and (c) agrees in writing to be bound by substantially the same terms and conditions contained in the Agreement regarding the use, disclosure and the protection from disclosure of Customer’s Confidential Information.

 

7.         Customer Information.  Customer is responsible for, and Cybertrust may rely upon, the accuracy, timeliness and completeness of all data, reports and other information Customer supplies.  Customer will make available to Cybertrust its computer programs, data and documentation required by Cybertrust to perform the Services.  Customer shall obtain all governmental approvals, licenses, and permits necessary for completion of the Services, if any.  Customer shall prepare any installation site in accordance with Cybertrust’s instructions to ensure that any equipment that interfaces with Customer’s computer system operates in accordance with the manufacturer’s specifications.  If Customer fails to make any preparations required by this Service Attachment and this failure causes Cybertrust to incur costs during the implementation or provision of the Services, then Customer agrees to reimburse Cybertrust promptly for these costs.

 

 

Virtual Discovery and Classification Service and 1 Day of Professional Security Services

 

 

1.         Scope of Services.  The Virtual Discovery and Classification Service and one day of Professional Security Services provided under this promotion are described in the ISA SOW (once completed and fully executed) and provided subject to the following terms and conditions (“SOS”).

 

1.1        Service Provider.  The Virtual Discovery and Classification Service and one day of Professional Security Services provided under this promotion are provided by Cybertrust, Inc.

 

1.2        PS Services and Equipment.  Cybertrust will provide the technical and consultative services, as well as deliver any reports or other deliverables (collectively, “Deliverables”), specified in the SOW agreed to under this SOS.  Such services and Deliverables are collectively referred to in this SOS as the “PS Services;” the PS Services under a particular SOW are referred to as a “Project”. 

 

1.3        Engagement Management and Methodology.  Cybertrust will perform the PS Services under the oversight of an engagement manager responsible for quality control, schedule and budget.  The methodologies to be used for each Project will be based on Cybertrust’s security expertise, research, applicable best practices, and the Customer’s particular circumstances.  A general description of common elements of Cybertrust PS engagements follows, although the particular details of each will vary by Project, as specified in the SOW.

 

1.3.1     Plan.  Each PS engagement starts with a conference call to review and document the parties’ common understanding of the following subjects:

 

· Points of contact (e.g., the engagement team and Customer project coordinator)

· Customer requirements and Project scope

· Methods (e.g., interviews, observation, testing, walk-throughs)

· Resources needed, including documentation (e.g., prior work papers, policies, standards, work flows, process flows, architecture diagrams), people (e.g., information security, business owners, applications owners, operations, information technology, human resources), access (e.g., physical, LAN, systems access)

· Schedule (e.g., expected person-hours to be spent, interview schedule, dates for deliverables)

 

1.3.2     Investigation, Status Reports and Feedback.  Cybertrust will investigate the matters specified in the SOW, communicate regularly on its work status and findings, and request Customer feedback as appropriate.

 

1.3.3     Analysis and Preliminary Findings Report.  Cybertrust will analyze the data obtained through the steps noted above, report its preliminary findings and recommendations, and request Customer feedback.  Cybertrust will also submit its preliminary report to internal peer and management review.

 

1.3.4     Final Report.  Cybertrust will analyze the additional information received and provide a final written report (including an executive summary, findings, and recommendations).  Cybertrust will present and discuss key aspects of that report with Customer either face-to-face or by conference call.

 

1.3.5     Implementation (where applicable).  If an SOW includes it, Cybertrust will implement the security solution specified in the SOW (including training where appropriate).

 

1.4        SOWs and Terms & Conditions.  The SOW, as supplemented by this SOS, and the master services agreement, which may be a Security Services Agreement (“SSA”), a Verizon Business Service Agreement (“VSA”) or other Verizon or Cybertrust master services agreement (collectively “Master Terms”) of which it is a part (collectively, the “Agreement”) sets forth the terms and conditions for each Project.  To the extent there is any conflict between the SOW, the SOS and the Master Terms, the order of precedence is (a) SOS, (b) Master Terms and (c) SOW.  The SOW must be in writing, follow the format of the standard SOW template (including all required information and Conditions, as defined below), be signed by an authorized representative of each party, and refer to the Agreement by number or by title and date.  The SOW may include Customer purchase orders as part of its documentation but any terms and conditions contained in purchase orders are rejected, void and have no force or effect.

 

1.5        Performance.  Cybertrust controls the means, methods, places and time of its performance of the PS Services (including the use of subcontractors and consultants); references to “Cybertrust” or “Verizon” in this Agreement include all Cybertrust/Verizon agents and contractors.  While working on a Customer site, Cybertrust will abide by Customer’s stated security rules for the site.  Except to the extent an SOW specifies otherwise, delivery of any CPE and licensed software will be F.O.B. point of origin and risk of loss will pass to Customer at that time.  The SOW will specify the acceptance process and criteria, if any.  Except as stated otherwise in an SOW, the PS Services will be deemed completed and accepted no later than 10 days after the date of Cybertrust’s last invoice for the Project.

 

2.         Customer Obligations.  Customer agrees to provide working space and facilities and any other assistance and support that Cybertrust may reasonably request in order to perform the PS Services.  Customer will (a) make any systems to be tested as part of the PS Services available through the duration of the testing period; (b) ensure that any systems to be tested will have normal operating throughput; (c) make any systems to be tested available from the Internet, or provide alternative means of connectivity to the Cybertrust testing laboratory; (d) provide all systems, policy, process and other documentation reasonably requested; (e) make available all necessary personnel (including Customer customers, business partners, and vendors, as appropriate) to Cybertrust during the period of performance; (f) provide Cybertrust with a list of appropriate contact personnel including after-hours emergency contact numbers; and (g) participate in meetings requested by Cybertrust as may be reasonably required to perform the PS Services.  Customer shall comply with all obligations set forth in this service attachment and related SOWs and Master Terms, including all obligations set forth in any end user software licenses for software provided by Cybertrust.  Cybertrust is not responsible for any failure or delay resulting from Customer’s failure to fulfill its obligations under the Agreement in a timely manner.

 

3.         Confidentiality.  Cybertrust may disclose Confidential Information to subcontractors and consultants for the purpose of performing the PS Services.

 

4.         Customer’s Use of Deliverables.

 

4.1        License to use Deliverables.  Cybertrust grants to Customer a non-exclusive, nontransferable, license to use any Deliverables solely for Customer’s internal business purposes during the term of any related Cybertrust service, including the right to make a reasonable number of copies of such Deliverable, if applicable, except as otherwise agreed to in an SOW.

 

4.2        Ownership and Confidentiality of Deliverables.  As between Cybertrust and Customer, all right, title and interest in any Deliverable is owned by Cybertrust and/or its suppliers and any information, materials, methodologies or know-how used by Cybertrust in connection with any Deliverable, is the Confidential Information of Cybertrust and/or its suppliers or subcontractors, except for (a) any Customer-owned information or materials that pre-existed the signing of this Agreement and/or that may be embedded in any Deliverable, and (b) as otherwise agreed to in the SOW.

 

4.3        Cybertrust Reservation of Rights.  Except as expressly granted herein, Customer receives no ownership, license, or other interest in any intellectual property created or delivered by Cybertrust, whether in connection with its performance of this Agreement or otherwise.

 

5.         Warranties and Disclaimers.

 

5.1        Cybertrust Warranty.  Cybertrust disclaims all warranties with respect to the PS Services.

 

5.2        Customer Warranty.  Customer warrants that it owns all right, title, and interest in and to, or has the license for and the right to grant Cybertrust access to, any programs, systems, data, materials or other information furnished by Customer to Cybertrust for the purpose of enabling Cybertrust to perform the PS Services.  Customer warrants that it owns and/or has the authority to engage Cybertrust to perform the PS Services on any IP addresses or domain provided by Customer to Cybertrust.  Customer hereby assumes sole responsibility for the accuracy of the IP addresses and domains provided to Cybertrust.

 

5.3        Cybertrust’s Disclaimer of Warranties.  The disclaimer of warranties in the Master Terms applies to this SOS (without limitation).  Customer acknowledges in particular that (a) PS Services are only one component of Customer’s overall security program and are not a comprehensive security solution; (b) there is no guarantee that PS Services will be uninterrupted or error-free, that networks or systems relying on or otherwise related to PS Services will be secure, or that PS Services will meet any Customer requirements not specified in the applicable SOW; and (c) there is no guarantee that any communications relying on or otherwise related to PS Services will be private.  Customer acknowledges that it is not relying on any representations or warranties made by a manufacturer except for those warranties expressly made in a software end user license agreement (if applicable to Customer).  This provision does not limit any rights in elements of Deliverables granted to Customer by an equipment manufacturer or other third party through separate license or warranty agreement which pass through to the Customer.

 

6.         Limitation of Liability.

 

6.1        Third Party Products and Services. Cybertrust may direct Customer to third parties having products or services which may be of interest to Customer for use in conjunction with the PS Services. Notwithstanding any Cybertrust recommendation, referral or introduction, Customer will independently investigate and test third-party products and services and will have sole responsibility for determining suitability for use of third-party products and services, and for any contracts Customer enters into with third parties. Cybertrust has no liability with respect to claims related to or arising from use of third-party products and services. This provision does not apply to the work of subcontractors or other agents that is done on Cybertrust’s behalf.

 

6.2        Disclaimer of Liability.  Without limiting the liability disclaimers in the Master Terms, Cybertrust is not liable for any loss of or damage to Customer data.  Customer is responsible for backing up all data.

 

6.3        Extent of Cybertrust’s Liability.  Without limiting the liability disclaimers in the preceding subsection and the Master Terms, in light of the fact that Cybertrust is not charging for the PS Services, Cybertrust has no liability whatsoever in connection with the PS Services.

 

7.         Network Scanning.  Customer understands that network scanning, and the technology associated with it (collectively “Network Scanning”), have substantial inherent risks, including, but not limited to, the loss, disruption, or performance degradation of the Customer’s or a third party’s business processes, telecommunications, computer products, utilities, or data (the “Scanning Risks”).  Network Scanning refers to the activities, and associated technology, for identifying and analyzing networked devices.  Customer acknowledges that it understands and accepts the Scanning Risks associated with Services that involve Network Scanning, and authorizes Cybertrust to perform those Services when ordered.  Cybertrust shall take reasonable steps to mitigate these Scanning Risks; however, Customer understands that these Scanning Risks cannot be eliminated.  Customer agrees to indemnify, defend and hold harmless Cybertrust and its affiliates, subcontractors, directors, officers, employees, agents, successors or assigns (each, a “Cybertrust Indemnified Party”) from and against any and all loss, damages, liabilities, costs and expenses (including legal expenses and the expenses of other professionals) incurred by Cybertrust, resulting directly or indirectly from any claim attributable to or arising out of Cybertrust’s “Network Scanning” (each, a “Scanning Claim”), including, without limitation, “Network Scanning” to analyze assets that are not controlled directly by Customer (e.g., servers hosted by third parties). The obligation of Customer to indemnify, defend and hold a Cybertrust Indemnified Party harmless in connection with a Scanning Claim will not apply to the extent that the Scanning Claim is based on Cybertrust’s gross negligence or willful misconduct.

 

8.         Independent Contractors.  The parties are independent contractors to one another, and nothing in this Agreement creates an agency, partnership, or joint venture relationship between them. Nothing in this Agreement creates an employer-employee relationship between Customer and either Cybertrust or any employee or agent of Cybertrust.

 

9.         Geographic Limitations; Export and Legal Compliance.  PS Services are offered and will be provided only within the United States, for use in the United States, by customers incorporated in the United States, under an Agreement governed by the laws of one of the United States.  Customer acknowledges that certain equipment, software and technical data which may be provided under this Schedule may be subject to export and re-export controls under the U.S. Export Administration Regulations and/or similar regulations of the U.S. or any other country.  Customer shall not export, re-export, transfer, retransfer, release, download, transmit or otherwise divert any such equipment, software, technical data or any direct product thereof in violation of any such laws.  Customer shall comply with all laws and regulations, including but not limited to import and custom laws and regulations.