The Security Services offering by Phoenix NAP provides Clients with a scalable information security solution, capable of detecting and notifying on potential security threats against a Client’s environment. This proprietary set of systems and processes utilizes state of the art hardware, software, and security industry professionals to observe and monitor Client network(s), endpoint(s), and other related events to detect anomalous actions and security threats.
PNAP will examine the Client’s current computer networking platform, its hosting, and data security requirements to the extent Client has provided PNAP access, and confirms that the agreed upon Service(s) may interact and operate with the Client’s platform and provide a secure environment in accordance with the specifications, and in accordance with industry standards set forth in the agreed upon Statement of Work (SOW).
If the agreement between PNAP and the Client is terminated or expires, Client shall have the option to either renew the agreement or replace the PNAP Security Services with a third-party provider of its choosing. Upon request, PNAP shall undertake commercially reasonable efforts to transition Client to the new provider as quickly, economically and efficiently as possible and if possible, will do so in a way that provides the most seamless and secure transition with minimal business interruptions to Client.
|Threat Management Platform||This product offering utilizes Client provided security event logs from different sources (such as firewalls, switches, and servers) and correlates those logs with threat signatures and behavioral analytics to identify activity that may signal the operators of a potential threat event. These threat behavior patterns are gathered from, and updated based on subscribed industry threat intelligence feeds, proprietary threat intelligence, or other data provided by the Client.|
|Patch Management||This offering is the process of using an automated tool to regularly scan systems against a known list of available operating system patches, hotfixes, and/or updates to determine if these should be applied on those systems. If the scans determine that patches are needed, the Patch Management Solution will identify the patch and will schedule the patch installation through a change control process. This product is limited in scope to PNAP currently supported operating systems.|
|Critical Environment Recovery||The Critical Environment Recovery component of the service will make use of the same disaster recovery services already provided by PNAP through its other service offerings. Critical Environment Recovery will be a required component of all security service offerings and packages but will be limited in scope to client servers defined in the agreed upon Statement of Work (SOW).|
|Firewall Switch Management||Many organizations do not have the skill and/or expertise on industry best practices to appropriately manage their firewalls and switches. Especially for companies using more advanced layer 7 firewalls, internal personnel may not have the necessary training or resources to effectively maintain and monitor these devices as designed. Additionally, when internal administrators do make changes to their firewalls and switches, they frequently do so without keeping adequate history of the changes, therefore not having the proper documentation required for compliance reasons. PNAP’s Firewall/Switch Management offering will include both the appropriate management of the firewalls and switches, as well as the necessary documentation, including managing and tracking the authentication for users making changes, as well as tracking the prior configurations to allow for the roll-back of changes if needed.|
|Vulnerability Assessment||The Vulnerability Assessment offering scans Client approved internal and external networks using automated tools that utilize known threat vectors to test for vulnerabilities. In cases where a Certified Scanning Vendor’s services are necessary, PNAP will engage one of its partners to perform these services on their behalf, at a pre-negotiated frequency as agreed to with the client and their compliance requirements.|
|Performance Monitoring||Performance Monitoring includes reporting on performance trends, proactive monitoring of alerts, and conducting analyses on performance metrics; such as up/down frequency & bandwidth usage, processors, memory, and storage utilization. Reporting method and frequency will be defined in the associated Statement of Work (SOW).|
|End Point Security||The End Point Security Service manages the security of server and end-user devices, such as PC workstations and laptops, by using anti-malware software. This service offering will monitor, maintain, and manage the endpoint agents, ensuring they are up-to-date and functional.|
PNAP shall implement the following best practices with regard to development and deployment of the Products and Services. PNAP shall maintain appropriate systems security for the PNAP’s Service in accordance with commercially reasonable industry standards and practices designed to protect all data and information provided by or on behalf of Client that is input into, displayed on or processed by the PNAP’s Service and all output therefrom (“Client Data”) from theft, unauthorized disclosure and unauthorized access. Such systems security includes, among other things: (1) implementation of application vulnerability tests and mitigation processes; (2) direct all PNAP-Client electronic communications via a secure web portal, a secure file share, or encrypted email; and (3) the following safeguards:
PNAP shall implement and maintain an intrusion detection monitoring process at the network and host level to protect PNAP Services and to detect unwanted or hostile network traffic. PNAP shall update its intrusion detection software continuously, on a scheduled basis following the availability of updates by the chosen software provider. PNAP shall implement measures to ensure that PNAP is alerted when the system or service detects unusual or malicious activity. PNAP shall notify Client within twenty four (24) hours of any significant intrusion that involves a breach of customer’s data.
PNAP shall conduct penetration tests at least once per year on its Client-wide computing environment through a 3rd party Qualified Security Assessor (QSA), and appropriately dispose of the risks identified. Due to the high-risk nature of these reports, the reports and findings will not be publicly disclosed, or made available for client inspection. PNAP will however make available upon request, a letter from the QSA of satisfactory disposition of identified threat concerns. Clients will not be authorized to conduct vulnerability scans, assessments, or penetration tests against the PNAP service infrastructure.
PNAP shall configure the infrastructure (e.g., servers and network devices) and platforms (e.g., OS and web servers) to be secure following these best practices:
In addition to the third-party vulnerability assessments described above, PNAP shall implement commercially reasonable processes designed to protect Client Data from system vulnerabilities, including:
PNAP utilizes an industry standard methodology for platform hardening and secure configuration, in order to reduce attack scope and surface. Through the use of micro-segmentation techniques, lateral communication is further restricted to known communication pairs and patterns.
PNAP shall maintain security incident management policies and procedures, including detailed security incident escalation procedures. In the event of a breach of PNAP’s security or confidentiality obligations, impacting a client's environment or data, PNAP agrees to notify affected Client(s) by telephone and email of such an event within twenty-four (24) hours of discovery. PNAP will also promptly perform an investigation into the breach, take appropriate remedial measures, and assign a Single-Point-of-Contact (SPoC). This SPoC or their designee, will be available for security questions or concerns twenty-four (24) hours per day, seven (7) days per week, during the scope of PNAP’s investigation.
PNAP shall use a patch management process and tool set to keep all servers up to date with appropriate security and feature patches.
PNAP shall use a documented remediation process designed to timely address all identified threats and vulnerabilities with respect to the PNAP Service.
PNAP shall maintain a written information security policy that is approved annually by PNAP and published and communicated to all PNAP employees and relevant third parties. PNAP shall maintain a dedicated security and compliance function to design, maintain and operate security in support of its “trust platform” in line with industry standards. This function shall focus on system integrity, risk acceptance, risk analysis and assessment, risk evaluation, risk management and treatment statements of applicability and PNAP management.
PNAP shall ensure, at no expense to Client, that all PNAP employees and Clients complete relevant training required to operationalize the procedures and practices outlined herein, including security awareness training, on at least an annual basis.
PNAP and Client may meet at least once annually to discuss: (1) the effectiveness of the PNAP’s security platform; and (2) any updates, patches, fixes, innovations or other improvements made to electronic data security by other commercial providers or for other customers of PNAP that PNAP or Client believe will improve the effectiveness of the PNAP’s security platform for Client.
PNAP shall maintain policies, practices and procedures sufficient to comply with the Payment Card Industry Data Security Standard, as the same may be amended from time to time, with respect to the PNAP’s Service.
PNAP shall conduct application vulnerability assessments at least annually. These assessments will be conducted with a 3rd party Qualified Security Assessor (QSA). Due to the high-risk nature of these reports, the reports and findings will not be publicly disclosed, or made available for client inspection. PNAP will however make available upon request, a letter from the QSA of satisfactory disposition of identified threat concerns. Clients will not be authorized to conduct vulnerability scans, assessments, or penetration tests against the PNAP application platforms.
PNAP shall limit access to its facilities utilized in performing the PNAP’s Service to employees and authorized visitors using commercially reasonable industry standard physical security methods. At a minimum, such methods shall include visitor sign-ins, restricted access key cards and locks for employees; limited access to server rooms and archival backups; and burglar/intrusion alarm systems.
PNAP shall have a business continuity plan in place for the restoration of critical processes and operations of the PNAP’s Service at the location(s) from which the PNAP’s Service is provided. PNAP shall also have an annually tested plan in place to assist PNAP in reacting to a disaster in a planned and tested manner. PNAP shall provide Client with a copy of its then-current plan promptly following Client’s written request for same.
Client has the right to, or to engage a third party on its behalf to, at its own expense, visit PNAP’s offices once per calendar year in order to conduct due diligence and auditing procedures on PNAP’s business operations related to the PNAP’s Service in terms of technical infrastructure, systems interaction, organization, quality, quality control, personnel involved with services for customers, and general resources in terms of skills and personnel. Understanding the proprietary and intellectual property nature of this access, Client agrees to execute and abide by a Non-Disclosure Agreement, and limit the documentation or removal of this information from PNAPs premises.
Client shall document and promptly report all errors or malfunctions of a system covered under this agreement to PNAP. PNAP shall provide all necessary spare parts and/or other hardware to maintain equipment owned by it necessary to the fulfillment of any service under this Schedule.
Client shall not use anything whether tangible or intangible which is appurtenant to and/or provided by this agreement for any unlawful purpose or for any purpose which is prohibited by PNAP’s Network Abuse Policy and/or Acceptable Use Policy as is posted on its website.
Customer acknowledges that PhoenixNAP performance and delivery of the Services are contingent upon: (A) Customer providing safe and hazard-free access to its personnel, facilities, equipment, hardware, network and information, and (B) Customer’s timely decision-making and provision of timely, accurate and complete information and reasonable assistance, including, granting of approvals or permissions, as (A) and (B) are deemed reasonably necessary and reasonably requested for PhoenixNAP to perform, deliver and/or implement the Services. Customer will promptly obtain and provide to PhoenixNAP any required licenses, approvals or consents necessary for PhoenixNAP’s performance of the Services. PhoenixNAP will be excused from its failure to perform its obligations under this Addendum to the extent such failure is caused solely by Customer’s delay in performing or failure to perform its responsibilities under this MSA and/or the Service Order/SOW.
A Statement of Work (“SOW”) and Responsibility Matrix (“RM”) shall be used to specify the specific duties, scope, locations, deliverables, standards, activities, and general requirements for any Information Security Service offered by PNAP to a Client.
PNAP makes no express or implied warranties of product merchantability or fitness for any particular purpose. While all services are designed to be resilient, it is up to the Client to plan for disasters and it is always recommended to keep an off-site backup of critical data in event of critical failure or disaster.
PNAP WILL NOT BE LIABLE FOR ANY LOSS OR DAMAGE CAUSED BY A DISTRIBUTED DENIAL-OF-SERVICE ATTACK, VIRUSES OR OTHER TECHNOLOGICALLY HARMFUL MATERIAL THAT MAY INFECT YOUR COMPUTER EQUIPMENT, COMPUTER PROGRAMS, DATA NETWORK OR OTHER PROPRIETARY MATERIAL RESULTING FROM YOUR USE OF THE SERVICES, PHOENIX NAP’S WEBSITE OR THE SERVICE OR ITEMS PURCHASED OR OBTAINED THROUGH THE WEBSITE OR THE SERVICE OR TO YOUR DOWNLOADING OF ANY MATERIAL POSTED ON IT, OR ON ANY WEBSITE LINKED TO IT. NEITHER PHOENIX NAP NOR ANY PERSON ASSOCIATED WITH PHOENIXNAP MAKES ANY WARRANTY OR REPRESENTATION TO ANY USER WITH RESPECT TO THE COMPLETENESS, SECURITY, RELIABILITY, QUALITY, FUNCTIONALITY OR AVAILABILITY OF THE SERVICES. WITHOUT LIMITING THE FOREGOING, NEITHER PHOENIX NAP NOR ANYONE ASSOCIATED WITH PHOENIXNAP REPRESENTS OR WARRANTS THAT THE SERVICE WILL BE RELIABLE, ERROR-FREE, INTRUSION PROOF OR UNINTERRUPTED, THAT DEFECTS WILL BE CORRECTED, FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS OR THAT THE SERVICES WILL OTHERWISE MEET THE NEEDS OR EXPECTATIONS OF CLIENTOR ANY USER. EXCEPT FOR THE WARRANTY SET FOR ABOVE, PHOENIXNAP PROVIDES THE SERVICE, AND ALL ON AN “AS IS” AND “AS AVAILABLE” BASIS, WITHOUT ANY WARRANTIES. PHOENIX NAP HEREBY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR PARTICULAR PURPOSE.
PHOENIX NAP’S AGGREGATE LIABILITY (WHETHER IN CONTRACT, TORT OR OTHERWISE) FOR ALL CLAIMS OF LIABILITY ARISING OUT OF, OR IN CONNECTION WITH, THE AGREEMENT SHALL NOT EXCEED THE AMOUNTS PAID BY CLIENTFOR THE SERVICES GIVING RISE TO A CLAIM FOR LIABILITY. THE FOREGOING DOES NOT AFFECT ANY WARRANTIES WHICH CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW. THIS SECTION SHALL SURVIVE ANY EXPIRATION OR TERMINATION OF THE AGREEMENT.
IN NO EVENT WILL PHOENIX NAP, ITS AFFILIATES OR THEIR LICENSORS, SERVICE PROVIDERS, EMPLOYEES, AGENTS, OFFICERS OR DIRECTORS BE LIABLE FOR DAMAGES OF ANY KIND, UNDER ANY LEGAL THEORY, ARISING OUT OF OR IN CONNECTION WITH YOUR USE, OR INABILITY TO USE, THE SERVICES OR ANY WEBSITES ASSOCIATED WITH IT, INCLUDING ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO, PERSONAL INJURY, PAIN AND SUFFERING, EMOTIONAL DISTRESS, LOSS OF REVENUE, LOSS OF PROFITS, LOSS OF BUSINESS OR ANTICIPATED SAVINGS, LOSS OF USE, LOSS OF GOODWILL, LOSS OF DATA, AND WHETHER CAUSED BY TORT (INCLUDING NEGLIGENCE), BREACH OF CONTRACT OR OTHERWISE, EVEN IF FORESEEABLE. THE FOREGOING DOES NOT AFFECT ANY LIABILITY WHICH CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.
PNAP is not liable for any loss or corruption of data. Clients are always encouraged to retain a copy of data. In the event of loss or destruction of or damage to Client data, PNAP will provide notification to Client via e-mail to an address provided by the Client. Client must ensure that the e-mail address is valid.
By entering this Agreement and by using the Services, Client consents to, and hereby agrees that Phoenix NAP may access Client’s networks and computer systems including the access to and use, disclosure, interception, transmission, receipt, analysis, processing, copying, editing, encryption, decryption, and storage of Client information and that of its employees, agents and those it authorizes to use the Services, whether encrypted or in clear text (“Client’s Information”) for the purpose of providing the Services, including, without limitation, analyzing Client’s network traffic, and for storage and retention of Client’s Information for future reference and analysis. Client represents and warrants that it complies with all applicable data collection and transfer laws and regulations of the countries in which it operates and that it has duly obtained all consents, permits or licenses, in writing or electronically that may be necessary under applicable laws from its employees, agents, and those it authorizes to use the Services in order to enable Phoenix NAP to provide the Services under the Agreement. Prior to using the Services, or at any other time reasonably determined by Phoenix NAP, Client will provide Phoenix NAP true and correct copies of such consents.
Client shall defend, indemnify and hold harmless the Phoenix NAP Indemnified Parties from and against any damages, orders, decrees, judgments, liabilities, claims, actions, lawsuits, costs and expenses (including, without limitation, costs of litigation and attorneys’ fees) (“Claims”) incurred by the Phoenix NAP Indemnified Parties or finally adjudicated against the Phoenix NAP Indemnified Parties arising out of or resulting from: (i) infringement of intellectual property rights, including, without limitation, copyright, trademark, trade secret, patent, and common law rights in connection with Client’s Information, networks, or computer systems; (ii) violation of applicable laws or policies by Client, including, without limitation in connection with Client Information, networks, or computer systems; (iii) failure by Client to secure all necessary consents, permits, and licenses, including without limitation, in connection with Customer’s Information, networks, or computer systems; (iv) breach of warranty by Client; (v) breach of this Agreement by Client; (vi) use of Services by Client or Client Affiliates; (vii) negligence, intentional misconduct or other wrongful acts or omissions by Customer; and (viii) Claims alleging that Phoenix NAP was not authorized to provide Services requested by Customer.
This Section states each party’s exclusive remedies for any third-party claim or action, and nothing in this Agreement or elsewhere will obligate either party to provide any greater indemnity to the other.
Phoenix NAP may assign, subcontract or delegate in whole or in part this Agreement, or any rights, duties, obligations or liabilities under this Agreement, by operation of law or otherwise, provided that Phoenix NAP shall remain responsible for the performance of Services under this Agreement. Otherwise, neither party may assign this Agreement without the permission of the other party, which permission shall not be unreasonably withheld, conditioned or delayed.
The subsections of this section define the recurring and non-recurring charges and fees pursuant to this schedule.
The Initial Monthly Recurring Charges are the initial monthly fees charged for this Schedule. This fee may be modified by mutual agreement of Client and Provider based on changes to the initial configurations, covered devices, or other similar environment variables.
The non-recurring services and fees associated with this Schedule include but are not limited to any Out-of-Scope fees and/or the fees for any associated labor and other services provided under a Statement of Work or for the migration/installation/implementation of Client’s production environment from its current state to Provider’s Cloud/Hosting environment or for other purposes agreed to by Provider and Client, including, but not limited to, those defined in a Statement of Work as one time or non-recurring fees or services whether created at the time of or subsequent to the execution of this agreement.
The initial setup fees and charges for this Schedule are the one-time non-recurring fees associated with the initial setup of Client’s services. This fee may be modified by mutual agreement of Client and Provider based on changes to the initial configurations, scope, covered devices or other similar environment variables. Initial Setup Fees do not include the charges for Data Migration. Data Migration Fees will be specified and covered under a separate Statement of Work or Project.