Security Services Addendum

1. INTRODUCTION

The Security Services offering by Phoenix NAP provides Clients with a scalable information security solution, capable of detecting and notifying on potential security threats against a Client’s environment. This proprietary set of systems and processes utilizes state of the art hardware, software, and security industry professionals to observe and monitor Client network(s), endpoint(s), and other related events to detect anomalous actions and security threats.

2. AGREEMENT

This Security Services Addendum (“SSA”) sets forth the specific terms and conditions under which Phoenix NAP (“PNAP”) shall supply Information Security Services to Client. The Master Service Agreement entered into between PNAP and Client, fully incorporates the terms herein and provides that this SSA, and Client’s execution of the Master Services Agreement constitutes acceptance of the terms and conditions stated herein. Capitalized terms used but not defined herein shall have the meanings set forth in the Master Services Agreement. The Initial Term length for this Service is set forth on the applicable Service Order Form (“SOF”), executed by PNAP and Client, referring to these Services. As referred to herein, “Agreement” means this Security Services Addendum, together with the MSA and all policies and addenda that are incorporated herein by reference, including the Statement of Work (SOW), Responsibility Matrix (“RM”), Service Level Agreement (SLA), Acceptable Use Policy (“AUP”), and Privacy Policy (“PP”). This Agreement sets forth the terms and conditions that apply to the Security Services Addendum.

3. GENERAL

PNAP will examine the Client’s current computer networking platform, its hosting, and data security requirements to the extent Client has provided PNAP access, and confirms that the agreed upon Service(s) may interact and operate with the Client’s platform and provide a secure environment in accordance with the specifications, and in accordance with industry standards set forth in the agreed upon Statement of Work (SOW).

If the agreement between PNAP and the Client is terminated or expires, Client shall have the option to either renew the agreement or replace the PNAP Security Services with a third-party provider of its choosing. Upon request, PNAP shall undertake commercially reasonable efforts to transition Client to the new provider as quickly, economically and efficiently as possible and if possible, will do so in a way that provides the most seamless and secure transition with minimal business interruptions to Client.

4. SERVICES AND FEATURES

Service Description
Threat Management Platform This product offering utilizes Client provided security event logs from different sources (such as firewalls, switches, and servers) and correlates those logs with threat signatures and behavioral analytics to identify activity that may signal the operators of a potential threat event. These threat behavior patterns are gathered from, and updated based on subscribed industry threat intelligence feeds, proprietary threat intelligence, or other data provided by the Client.
Patch Management This offering is the process of using an automated tool to regularly scan systems against a known list of available operating system patches, hotfixes, and/or updates to determine if these should be applied on those systems. If the scans determine that patches are needed, the Patch Management Solution will identify the patch and will schedule the patch installation through a change control process. This product is limited in scope to PNAP currently supported operating systems.
Critical Environment Recovery The Critical Environment Recovery component of the service will make use of the same disaster recovery services already provided by PNAP through its other service offerings. Critical Environment Recovery will be a required component of all security service offerings and packages but will be limited in scope to client servers defined in the agreed upon Statement of Work (SOW).
Firewall Switch Management Many organizations do not have the skill and/or expertise on industry best practices to appropriately manage their firewalls and switches. Especially for companies using more advanced layer 7 firewalls, internal personnel may not have the necessary training or resources to effectively maintain and monitor these devices as designed. Additionally, when internal administrators do make changes to their firewalls and switches, they frequently do so without keeping adequate history of the changes, therefore not having the proper documentation required for compliance reasons. PNAP’s Firewall/Switch Management offering will include both the appropriate management of the firewalls and switches, as well as the necessary documentation, including managing and tracking the authentication for users making changes, as well as tracking the prior configurations to allow for the roll-back of changes if needed.
Vulnerability Assessment The Vulnerability Assessment offering scans Client approved internal and external networks using automated tools that utilize known threat vectors to test for vulnerabilities. In cases where a Certified Scanning Vendor’s services are necessary, PNAP will engage one of its partners to perform these services on their behalf, at a pre-negotiated frequency as agreed to with the client and their compliance requirements.
Performance Monitoring Performance Monitoring includes reporting on performance trends, proactive monitoring of alerts, and conducting analyses on performance metrics; such as up/down frequency & bandwidth usage, processors, memory, and storage utilization. Reporting method and frequency will be defined in the associated Statement of Work (SOW).
End Point Security The End Point Security Service manages the security of server and end-user devices, such as PC workstations and laptops, by using anti-malware software. This service offering will monitor, maintain, and manage the endpoint agents, ensuring they are up-to-date and functional.

5. BEST PRACTICES

PNAP shall implement the following best practices with regard to development and deployment of the Products and Services. PNAP shall maintain appropriate systems security for the PNAP’s Service in accordance with commercially reasonable industry standards and practices designed to protect all data and information provided by or on behalf of Client that is input into, displayed on or processed by the PNAP’s Service and all output therefrom (“Client Data”) from theft, unauthorized disclosure and unauthorized access. Such systems security includes, among other things: (1) implementation of application vulnerability tests and mitigation processes; (2) direct all PNAP-Client electronic communications via a secure web portal, a secure file share, or encrypted email; and (3) the following safeguards:

  1. Authentication
    • All access is authenticated, communication secured using industry best practices, and logged.
    • Systems identity is tied to an individual user by the use of credentials and by a second factor authentication mechanism.
    • Reasonable authentication controls that conform to industry recognized standards are provided.
  2. Authorization
    • Ensure that authorized users are only allowed to perform actions within their privilege level.
    • Control access to protected resources based upon role or privilege level.
    • Mitigate and defend against privilege escalation attacks as feasible, to available technology standards and best practices.
  3. Password and Account Management
    • Passwords conform to best practices, including:
      • Encrypting passwords using “hashing” and “salting” techniques.
      • Enforcing password complexity.
      • Limiting failed attempts before account lockout.
      • Not allowing storage and transmittal of passwords in clear text.
      • Password reset does not send credentials.
    • Where appropriate, PNAP shall securely log (with time and date) commands requiring additional privileges to enable a complete audit trail of activities.
  4. Data Security
    • Data at Rest
      • Client Data is encrypted using industry best practices.
      • Backups of Client Data have the same controls as production data.
    • Data in Transit
      • Client Data in transit to or from Client will be encrypted (e.g., SSL, VPN, SFTP, certificate-based authentication).
    • Client Data sent over browser should use SSLv3 or better.
  5. Multi-Tenancy
    • In a multi-tenant environment, PNAP shall provide appropriate security controls and robust cryptographic methods to protect and isolate Client Data from other tenants.
  6. Administrative Access and Environmental Segregation
    • Applying Principle of Least Privilege: Proper controls should be in place to ensure that access is limited to personnel who must see Client Data in order to fulfill their job functions.
    • Where possible, confidential data should be masked with one-way hashing algorithms.
    • Client Data should not be replicated to non-production environments.
  7. Threat Management
    • Intrusion Detection

      • PNAP shall implement and maintain an intrusion detection monitoring process at the network and host level to protect PNAP Services and to detect unwanted or hostile network traffic. PNAP shall update its intrusion detection software continuously, on a scheduled basis following the availability of updates by the chosen software provider. PNAP shall implement measures to ensure that PNAP is alerted when the system or service detects unusual or malicious activity. PNAP shall notify Client within twenty four (24) hours of any significant intrusion that involves a breach of customer’s data.

    • Penetration Tests

      • PNAP shall conduct penetration tests at least once per year on its Client-wide computing environment through a 3rd party Qualified Security Assessor (QSA), and appropriately dispose of the risks identified. Due to the high-risk nature of these reports, the reports and findings will not be publicly disclosed, or made available for client inspection. PNAP will however make available upon request, a letter from the QSA of satisfactory disposition of identified threat concerns. Clients will not be authorized to conduct vulnerability scans, assessments, or penetration tests against the PNAP service infrastructure.

    • Infrastructure Security

      • PNAP shall configure the infrastructure (e.g., servers and network devices) and platforms (e.g., OS and web servers) to be secure following these best practices:

      • Audit Logging: Client authorizes PNAP to collect, use, store, transfer, monitor and otherwise process logs from all systems subscribed to PNAP’s Service. These log types include, but is not limited to, security logs, web server logs, application logs, system logs and network event logs. PNAP monitors its networks 24/7 using the latest SIEM and behavioral analytics technologies. The Client acknowledges that these logs can contain source and destination IP addresses, user accounts used, bad passwords attempted, click and screen entries, and other personally identifiable data elements.
      • Duplicate copies of these logs will be maintained, and an offsite archival copy will reduce risk of loss due to tampering.
    • Network Security
      • PNAP shall comply with industry standards, separating perimeter networks from endpoints hosted in the private network using industry standard firewalls or micro-segmentation techniques based on Software Defined Networking technologies. PNAP shall update and maintain its infrastructure using an industry standard maintenance and change control methodology.
      • PNAP shall monitor and test its perimeter devices on a regular basis, and, if deficiencies are discovered, PNAP shall promptly troubleshoot and remediate these deficiencies.
    • Vulnerability Management

      • In addition to the third-party vulnerability assessments described above, PNAP shall implement commercially reasonable processes designed to protect Client Data from system vulnerabilities, including:

      • Perimeter Scanning: PNAP shall perform perimeter scanning through the use of embedded sensors within PNAP’s infrastructure providing information to our centralized SIEM tool.
      • Internal Infrastructure Scanning: PNAP shall perform internal infrastructure scanning through the use of embedded sensors within PNAP’s infrastructure providing information to our centralized SIEM tool.
      • Malware Scanning: Where possible PNAP utilizes an advanced behavior and signature based anti-virus/anti-malware (APT) tool, along with application whitelisting techniques to protect its infrastructure from the threat of unauthorized malicious software.
    • Secure Configuration

      • PNAP utilizes an industry standard methodology for platform hardening and secure configuration, in order to reduce attack scope and surface. Through the use of micro-segmentation techniques, lateral communication is further restricted to known communication pairs and patterns.

  8. Security Procedures
    • Incident Response

      • PNAP shall maintain security incident management policies and procedures, including detailed security incident escalation procedures. In the event of a breach of PNAP’s security or confidentiality obligations, impacting a client's environment or data, PNAP agrees to notify affected Client(s) by telephone and email of such an event within twenty-four (24) hours of discovery. PNAP will also promptly perform an investigation into the breach, take appropriate remedial measures, and assign a Single-Point-of-Contact (SPoC). This SPoC or their designee, will be available for security questions or concerns twenty-four (24) hours per day, seven (7) days per week, during the scope of PNAP’s investigation.

    • Patch Management

      • PNAP shall use a patch management process and tool set to keep all servers up to date with appropriate security and feature patches.

    • Documented Remediation Process

      • PNAP shall use a documented remediation process designed to timely address all identified threats and vulnerabilities with respect to the PNAP Service.

  9. Employee Termination Procedures
    • PNAP shall promptly terminate all credentials and access to privileged password facilities, such as Identity and Access Management Systems, upon termination of employment.
  10. Governance
    • Security Policy

      • PNAP shall maintain a written information security policy that is approved annually by PNAP and published and communicated to all PNAP employees and relevant third parties. PNAP shall maintain a dedicated security and compliance function to design, maintain and operate security in support of its “trust platform” in line with industry standards. This function shall focus on system integrity, risk acceptance, risk analysis and assessment, risk evaluation, risk management and treatment statements of applicability and PNAP management.

    • Security Training

      • PNAP shall ensure, at no expense to Client, that all PNAP employees and Clients complete relevant training required to operationalize the procedures and practices outlined herein, including security awareness training, on at least an annual basis.

    • Security Reviews

      • PNAP and Client may meet at least once annually to discuss: (1) the effectiveness of the PNAP’s security platform; and (2) any updates, patches, fixes, innovations or other improvements made to electronic data security by other commercial providers or for other customers of PNAP that PNAP or Client believe will improve the effectiveness of the PNAP’s security platform for Client.

    • Third-Party Audits and Compliance Standards
      • PNAP shall provide Client with a copy of SOC2 or similar audit results, in no more than thirty (30) days after PNAP receives the results or reports. Client has the right to, or to engage a third party on its behalf to, visit PNAP’s offices up to four (4) times per calendar year in order to conduct due diligence and auditing procedures on PNAP’s business operations related to the PNAP’s Service in terms of technical infrastructure, system interaction, organization, quality, quality control, personnel involved with services for Client, and general resources in terms of skills and personnel.
      • PNAP will furnish evidence of a successful SSAE No. 18 audit upon Client request to the extent permitted by law and subject to applicable regulatory restrictions and confidentiality obligations. PNAP must verify that the audit certifies all infrastructure and applications that support and deliver services to Client Data.
      • PCI-DSS Compliance

        • PNAP shall maintain policies, practices and procedures sufficient to comply with the Payment Card Industry Data Security Standard, as the same may be amended from time to time, with respect to the PNAP’s Service.

      • Vulnerability Assessments

        • PNAP shall conduct application vulnerability assessments at least annually. These assessments will be conducted with a 3rd party Qualified Security Assessor (QSA). Due to the high-risk nature of these reports, the reports and findings will not be publicly disclosed, or made available for client inspection. PNAP will however make available upon request, a letter from the QSA of satisfactory disposition of identified threat concerns. Clients will not be authorized to conduct vulnerability scans, assessments, or penetration tests against the PNAP application platforms.

  11. Physical Security

    12. PNAP shall limit access to its facilities utilized in performing the PNAP’s Service to employees and authorized visitors using commercially reasonable industry standard physical security methods. At a minimum, such methods shall include visitor sign-ins, restricted access key cards and locks for employees; limited access to server rooms and archival backups; and burglar/intrusion alarm systems.

  12. Business Continuity

    13. PNAP shall have a business continuity plan in place for the restoration of critical processes and operations of the PNAP’s Service at the location(s) from which the PNAP’s Service is provided. PNAP shall also have an annually tested plan in place to assist PNAP in reacting to a disaster in a planned and tested manner. PNAP shall provide Client with a copy of its then-current plan promptly following Client’s written request for same.

  13. PNAP Internal Systems Backup Management
    • PNAP shall perform full backups of internal systems and database(s) containing Client Data no less than once per day without interruption of the PNAP Service. PNAP shall also provide off-site archival storage on no less than a weekly basis of all backups of the internal systems and database(s) containing Client Data on secure server(s) or other commercially acceptable secure media. Such data backups will be encrypted, sent off-site to a secure location each business day and stored/retained for seven (7) years.
    • In order to recover from a Datacenter failure Incident, the required backed-up data will be replicated over at least two (2) geographically dispersed data centers at any point in time. Backup snapshots may be periodically sent to another data center. Data retention for an in-datacenter failure Incident will utilize twenty-four (24) hourly snapshots, fourteen (14) daily backups and three (3) monthly backups. This backup policy is designed to support both a partial or full recovery of the system expediently.
  14. Right to Audit

    15. Client has the right to, or to engage a third party on its behalf to, at its own expense, visit PNAP’s offices once per calendar year in order to conduct due diligence and auditing procedures on PNAP’s business operations related to the PNAP’s Service in terms of technical infrastructure, systems interaction, organization, quality, quality control, personnel involved with services for customers, and general resources in terms of skills and personnel. Understanding the proprietary and intellectual property nature of this access, Client agrees to execute and abide by a Non-Disclosure Agreement, and limit the documentation or removal of this information from PNAPs premises.

6. CLIENT RESPONSIBILITIES

Client shall document and promptly report all errors or malfunctions of a system covered under this agreement to PNAP. PNAP shall provide all necessary spare parts and/or other hardware to maintain equipment owned by it necessary to the fulfillment of any service under this Schedule.

Client shall not use anything whether tangible or intangible which is appurtenant to and/or provided by this agreement for any unlawful purpose or for any purpose which is prohibited by PNAP’s Network Abuse Policy and/or Acceptable Use Policy as is posted on its website.

Customer acknowledges that PhoenixNAP performance and delivery of the Services are contingent upon: (A) Customer providing safe and hazard-free access to its personnel, facilities, equipment, hardware, network and information, and (B) Customer’s timely decision-making and provision of timely, accurate and complete information and reasonable assistance, including, granting of approvals or permissions, as (A) and (B) are deemed reasonably necessary and reasonably requested for PhoenixNAP to perform, deliver and/or implement the Services. Customer will promptly obtain and provide to PhoenixNAP any required licenses, approvals or consents necessary for PhoenixNAP’s performance of the Services. PhoenixNAP will be excused from its failure to perform its obligations under this Addendum to the extent such failure is caused solely by Customer’s delay in performing or failure to perform its responsibilities under this MSA and/or the Service Order/SOW.

7. STATEMENT OF WORK; RESPONSIBILITY MATRIX

A Statement of Work ("SOW") and Responsibility Matrix (“RM”) shall be used to specify the specific duties, scope, locations, deliverables, standards, activities, and general requirements for any Information Security Service offered by PNAP to a Client.

8. SERVICE LEVEL AGREEMENT (SLA)

The following PhoenixNAP Service Level Agreement ("SLA") is a policy governing the use of the PNAP Security Services under the terms of the Master Service Agreement (the "MSA") between PNAP, LLC., and Clients of PNAP. Unless otherwise provided herein, this SLA is subject to the terms of the MSA and capitalized terms will have the meaning specified in the Agreement. We reserve the right to change the terms of this SLA in accordance with the MSA.

  1. Service Types, Priority, and Response Times

    2. Priority


     Acknowledge  Time


     Notification  Time

    Description

    Examples

    1. Priority (Critical)

    20 Minutes

    2 Hours

    Significant impact to the business or Client data; the problem is of a major impact and highly visible to business and/or their business operations; there is no workaround available.

    Widespread, Prolonged DDOS

    Critical asset compromise / Critical data loss

    Impacts to customer brands (in the news)

    Customer data loss

    Malware Activity related to ransom activity (e.g. CryptoLocker)

    Security monitoring service interruption

    2. Priority (High)

    1 Hour

    4 Hours

    A large percent of the business is affected; the problem is of high impact or highly visible to the client and/or their business operations; a tried and a proven workaround is available.

    Activity against known threat indicators

    Malware Callback, or Command and Control, activity

    Compliance

    3. Priority (Medium)

    4 Hour

    8 Hours

    A small percent of the Client business is affected, and/or the problem has limited visibility. The system may remain operational, however, in a degraded manner, and/or a tried and proven workaround is available.

    Repeat offenders

    Malware activity related to known, malicious activity but limited in exposure (e.g. Zeus, Coreboot)

    4. Priority (Low)

    1 Business Day

    1 Day

    Customer can still achieve full functionality and normal performance, as long as the workaround is followed.

    Evidence of Port scans or other Reconnaissance activity

    Low level malware/spyware

  2. Service Commitment

    3. PNAP will use commercially reasonable efforts to make Security Services available with a Monthly Uptime Percentage of 100%, excluding scheduled and pre-acknowledged maintenance periods where alternative procedures are in place for continuous monitoring. As described in section A: Service Types, Priority, and Response Times, PNAP, on receipt of an alert, will "acknowledge" (either through email or telephonically), in the described timeframes, the impact of the incident and the actions that should be taken to mitigate the concern.

    In the event PNAP does not meet the Monthly Uptime Percentage commitment, Client will be eligible to receive a Service Credit as described below.

  3. Service Credits

    4. If the Monthly Uptime Percentage for a Client drops below 100% during a Service Month, that Client is eligible to receive one (1) 10% Service Credit, for every thirty (30) minute period that Security Services was Unavailable, up to a maximum amount equal to one full month’s billing. For the purposes of determining Service Credits, Client will only be eligible for Service Credits related to the unavailability of:

    1. InfraSentry: Monitor Threat Detection Service
    2. InfraSentry: Sophos related "Advanced Persistent Threat" tools

    Whichever Service was least available during the Service month, PNAP will apply any Service Credits only against future payments otherwise due from Client, provided that:

    1. PNAP may issue the Service Credit to the Client account for the Service Month in which the Unavailability occurred, and
    2. Client is current with all payment obligations set forth in the Agreement.

    Service Credits shall not entitle Client to any refund or other payment from PNAP. Service Credits may not be transferred or applied to any other account. Unless otherwise provided in the Agreement, Service Credits are Client's sole and exclusive remedy for any unavailability or non-performance of Services.

  4. Credit Request and Payment Procedures
    To receive a Service Credit, Client must submit a request by sending an e-mail message to noc@phoenixnap.com. To be eligible, the credit request must:

    1. Include SLA Service Credit Claim in the subject of the e-mail message;
    2. Include, in the body of the e-mail, Client’s Organization name, or Client ID, along with the dates, times, and length of each Unavailability Period that Client claims to have experienced;
    3. Include any documentation that corroborates Client’s claimed Unavailability; and
    4. Be received by PNAP within thirty (30) calendar days of the last day reported in the Unavailability claim.

    If the Monthly Uptime Percentage of such request is confirmed by PNAP and is less than 100% for the Service Month, then PNAP will issue the Service Credit to Client within one Service Month following the month in which the request has been confirmed. Client’s failure to provide the request and other information as required above will disqualify Client from receiving a Service Credit. PNAP's data and records will be the sole factor for validating claims due to Unavailability.

  5. Exclusions
    The Service Commitment does not apply to any unavailability, suspension or termination of Security Services, or any other performance issues:

    1. That result from Service Suspensions described in the following sections of the Agreement: Term and Termination, and Default Events and Remedies;
    2. Caused by factors outside of the reasonable control of PNAP, including any force majeure event or Internet access or related problems beyond the PNAP Network Demarcation Point;
    3. That result from any actions or inactions of Client or any third party;
    4. That result from Client equipment, software or other technology and/or third party equipment, software or other technology (other than third party equipment within PNAP’s direct control);
    5. That result from failures of individual functions, features, infrastructure, and network connectivity Unavailability; or
    6. Arising from PNAP’s suspension and termination of Client's right to use Security Services in accordance with the Agreement.

    If availability is impacted by factors other than those explicitly listed in this agreement, PNAP may issue a Service Credit considering such factors in our sole discretion.

  6. Disclaimer
    If PNAP misses the SLA goal because of problems with Client’s behavior or the performance or failure of Client’s equipment, facilities, or applications, PNAP can't give Client credit. Additionally, extenuating circumstances beyond PNAP’s reasonable control such as (without limitation) acts of any governmental body, acts of terrorism, war, insurrection, sabotage, embargo, fire, flood, strike or other labor disturbance, interruption of or delay in transportation, unavailability of interruption or delay in telecommunications or third party services (including DNS propagation), failure of third party software or hardware or inability to obtain raw materials, supplies, or power used in or equipment needed for provision of Client’s services could cause some hang-ups that PNAP cannot be liable for.

9. DISCLAIMERS

  1. No Product Warranty

    2. PNAP makes no express or implied warranties of product merchantability or fitness for any particular purpose. While all services are designed to be resilient, it is up to the Client to plan for disasters and it is always recommended to keep an off-site backup of critical data in event of critical failure or disaster.

  2. Disclaimer of Warranty

    3. PNAP WILL NOT BE LIABLE FOR ANY LOSS OR DAMAGE CAUSED BY A DISTRIBUTED DENIAL-OF-SERVICE ATTACK, VIRUSES OR OTHER TECHNOLOGICALLY HARMFUL MATERIAL THAT MAY INFECT YOUR COMPUTER EQUIPMENT, COMPUTER PROGRAMS, DATA NETWORK OR OTHER PROPRIETARY MATERIAL RESULTING FROM YOUR USE OF THE SERVICES, PHOENIX NAP’S WEBSITE OR THE SERVICE OR ITEMS PURCHASED OR OBTAINED THROUGH THE WEBSITE OR THE SERVICE OR TO YOUR DOWNLOADING OF ANY MATERIAL POSTED ON IT, OR ON ANY WEBSITE LINKED TO IT. NEITHER PHOENIX NAP NOR ANY PERSON ASSOCIATED WITH PHOENIXNAP MAKES ANY WARRANTY OR REPRESENTATION TO ANY USER WITH RESPECT TO THE COMPLETENESS, SECURITY, RELIABILITY, QUALITY, FUNCTIONALITY OR AVAILABILITY OF THE SERVICES. WITHOUT LIMITING THE FOREGOING, NEITHER PHOENIX NAP NOR ANYONE ASSOCIATED WITH PHOENIXNAP REPRESENTS OR WARRANTS THAT THE SERVICE WILL BE RELIABLE, ERROR-FREE, INTRUSION PROOF OR UNINTERRUPTED, THAT DEFECTS WILL BE CORRECTED, FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS OR THAT THE SERVICES WILL OTHERWISE MEET THE NEEDS OR EXPECTATIONS OF CLIENTOR ANY USER. EXCEPT FOR THE WARRANTY SET FOR ABOVE, PHOENIXNAP PROVIDES THE SERVICE, AND ALL ON AN “AS IS” AND “AS AVAILABLE” BASIS, WITHOUT ANY WARRANTIES. PHOENIX NAP HEREBY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR PARTICULAR PURPOSE.

    PHOENIX NAP’S AGGREGATE LIABILITY (WHETHER IN CONTRACT, TORT OR OTHERWISE) FOR ALL CLAIMS OF LIABILITY ARISING OUT OF, OR IN CONNECTION WITH, THE AGREEMENT SHALL NOT EXCEED THE AMOUNTS PAID BY CLIENTFOR THE SERVICES GIVING RISE TO A CLAIM FOR LIABILITY. THE FOREGOING DOES NOT AFFECT ANY WARRANTIES WHICH CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW. THIS SECTION SHALL SURVIVE ANY EXPIRATION OR TERMINATION OF THE AGREEMENT.

    IN NO EVENT WILL PHOENIX NAP, ITS AFFILIATES OR THEIR LICENSORS, SERVICE PROVIDERS, EMPLOYEES, AGENTS, OFFICERS OR DIRECTORS BE LIABLE FOR DAMAGES OF ANY KIND, UNDER ANY LEGAL THEORY, ARISING OUT OF OR IN CONNECTION WITH YOUR USE, OR INABILITY TO USE, THE SERVICES OR ANY WEBSITES ASSOCIATED WITH IT, INCLUDING ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO, PERSONAL INJURY, PAIN AND SUFFERING, EMOTIONAL DISTRESS, LOSS OF REVENUE, LOSS OF PROFITS, LOSS OF BUSINESS OR ANTICIPATED SAVINGS, LOSS OF USE, LOSS OF GOODWILL, LOSS OF DATA, AND WHETHER CAUSED BY TORT (INCLUDING NEGLIGENCE), BREACH OF CONTRACT OR OTHERWISE, EVEN IF FORESEEABLE. THE FOREGOING DOES NOT AFFECT ANY LIABILITY WHICH CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.

  3. Limitation on Time to File Claims

    4. Any cause of action or claim You may have arising out of or relating to these terms of use, the service or the website must be commenced within one (1) year after the cause of action accrues, otherwise, such cause of action or claim is permanently barred.

  4. Notice of Loss

    5. PNAP is not liable for any loss or corruption of data. Clients are always encouraged to retain a copy of data. In the event of loss or destruction of or damage to Client data, PNAP will provide notification to Client via e-mail to an address provided by the Client. Client must ensure that the e-mail address is valid.

10. CONSENT

By entering this Agreement and by using the Services, Client consents to, and hereby agrees that Phoenix NAP may access Client’s networks and computer systems including the access to and use, disclosure, interception, transmission, receipt, analysis, processing, copying, editing, encryption, decryption, and storage of Client information and that of its employees, agents and those it authorizes to use the Services, whether encrypted or in clear text (“Client’s Information”) for the purpose of providing the Services, including, without limitation, analyzing Client’s network traffic, and for storage and retention of Client’s Information for future reference and analysis. Client represents and warrants that it complies with all applicable data collection and transfer laws and regulations of the countries in which it operates and that it has duly obtained all consents, permits or licenses, in writing or electronically that may be necessary under applicable laws from its employees, agents, and those it authorizes to use the Services in order to enable Phoenix NAP to provide the Services under the Agreement. Prior to using the Services, or at any other time reasonably determined by Phoenix NAP, Client will provide Phoenix NAP true and correct copies of such consents.

11. INDEMNITY

Client shall defend, indemnify and hold harmless the Phoenix NAP Indemnified Parties from and against any damages, orders, decrees, judgments, liabilities, claims, actions, lawsuits, costs and expenses (including, without limitation, costs of litigation and attorneys’ fees) (“Claims”) incurred by the Phoenix NAP Indemnified Parties or finally adjudicated against the Phoenix NAP Indemnified Parties arising out of or resulting from: (i) infringement of intellectual property rights, including, without limitation, copyright, trademark, trade secret, patent, and common law rights in connection with Client’s Information, networks, or computer systems; (ii) violation of applicable laws or policies by Client, including, without limitation in connection with Client Information, networks, or computer systems; (iii) failure by Client to secure all necessary consents, permits, and licenses, including without limitation, in connection with Customer’s Information, networks, or computer systems; (iv) breach of warranty by Client; (v) breach of this Agreement by Client; (vi) use of Services by Client or Client Affiliates; (vii) negligence, intentional misconduct or other wrongful acts or omissions by Customer; and (viii) Claims alleging that Phoenix NAP was not authorized to provide Services requested by Customer.

This Section states each party’s exclusive remedies for any third-party claim or action, and nothing in this Agreement or elsewhere will obligate either party to provide any greater indemnity to the other.

12. SUBCONTRACTING

Phoenix NAP may assign, subcontract or delegate in whole or in part this Agreement, or any rights, duties, obligations or liabilities under this Agreement, by operation of law or otherwise, provided that Phoenix NAP shall remain responsible for the performance of Services under this Agreement. Otherwise, neither party may assign this Agreement without the permission of the other party, which permission shall not be unreasonably withheld, conditioned or delayed.

13. CHARGES

The subsections of this section define the recurring and non-recurring charges and fees pursuant to this schedule.

  1. MONTHLY RECURRING FEES

    2. The Initial Monthly Recurring Charges are the initial monthly fees charged for this Schedule. This fee may be modified by mutual agreement of Client and Provider based on changes to the initial configurations, covered devices, or other similar environment variables.

  2. NON-RECURRING SERVICE FEES

    3. The non-recurring services and fees associated with this Schedule include but are not limited to any Out-of-Scope fees and/or the fees for any associated labor and other services provided under a Statement of Work or for the migration/installation/implementation of Client’s production environment from its current state to Provider’s Cloud/Hosting environment or for other purposes agreed to by Provider and Client, including, but not limited to, those defined in a Statement of Work as one time or non-recurring fees or services whether created at the time of or subsequent to the execution of this agreement.

  3. INITIAL SETUP FEES

    4. The initial setup fees and charges for this Schedule are the one-time non-recurring fees associated with the initial setup of Client’s services. This fee may be modified by mutual agreement of Client and Provider based on changes to the initial configurations, scope, covered devices or other similar environment variables. Initial Setup Fees do not include the charges for Data Migration. Data Migration Fees will be specified and covered under a separate Statement of Work or Project.

v.2; 11152021