License Agreement

CLIENT RELATIONSHIP AGREEMENT

BY DOWNLOADING, INSTALLING, COPYING, ACCESSING, CLICKING ON AN “ACCEPT” BUTTON OR OTHERWISE USING THE PRODUCT, YOU AND YOUR COMPANY (COLLECTIVELY “CLIENT”) AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU ARE ACCEPTING THESE TERMS ON BEHALF OF YOUR COMPANY, YOU REPRESENT AND WARRANT THAT YOU HAVE FULL AUTHORITY TO BIND COMPANY TO THESE TERMS. IF YOU DO NOT AGREE TO THESE TERMS THEN DO NOT USE THE PRODUCT.  YOU MAY ONLY USE THE PRODUCT IF A) YOU ACCEPT THESE TERMS AND B) YOU HAVE A VALID PROOF OF ENTITLEMENT (I.E. A TRANSACTION DOCUMENT) ISSUED BY EITHER RESILIENT OR A RESILIENT AUTHORIZED RESELLER THAT INDICATES CLIENT’S AUTHORIZED USE OF THE PRODUCT. IF YOU ARE BEING GRANTED A LICENSE AS A PROOF OF CONCEPT, YOUR LICENSE TERM IS 30 DAYS FROM LICENSE KEY DELIVERY UNLESS STATED OTHERWISE IN WRITING BY RESILIENT.

Using this agreement, Client may order Programs and Cloud Services (Resilient Products) and third party programs available from Resilient (Non-Resilient Products). Details regarding Products, offerings or orders are provided in Attachments and Transaction Documents (TDs).  This agreement and applicable Attachments and TDs are the complete agreement (Agreement) regarding transactions under this Agreement.

Programs

A Program is a Resilient-branded computer program and related material available for license from Resilient subject to the payment of charges.  Program details are described in an Attachment called License Information (LI). Programs do not include Machine Code or Project Materials as those terms may be defined in an Attachment.  Programs are copyrighted and licensed (not sold).  When Resilient accepts an order for a Program, Resilient grants Client a nonexclusive license to: a) use the Program only up to its authorizations and subject to its LI; b) make and install copies to support such authorized use; and c) make a backup copy.  Programs may be used by Client, its authorized employees and contractors only within Client’s Enterprise for internal business purposes, and not to provide hosting, timesharing or other services to any third party. Client may not sublicense, assign, or transfer the license for any Program.  Additional rights may be available from Resilient for additional fees or under different terms.  Resilient does not grant unrestricted rights to use the Program nor has Client paid for all of the economic value of the Program. Certain Programs may contain third party code licensed under separate agreements identified in the LI.

The license granted for a Program is subject to Client:

  1. reproducing copyright notices and other markings;
  2. ensuring anyone who uses the Program does so only for Client’s authorized use and complies with the license;
  3. not reverse assembling, reverse compiling, translating, or reverse engineering the Program; and
  4. not using any of the elements of the Program or related licensed material separately from the Program.

The metric applicable to a Program license is specified in an Attachment or TD.  All licenses on a server or capacity based metric must be licensed to the full capacity of the server on which the Program is installed, unless sub-capacity usage is available from Resilient and Client complies with the applicable sub-capacity requirements.

Cloud Services

A Cloud Service is a Resilient branded offering hosted or managed by Resilient and made available via a network.  Each Cloud Service is described in an Attachment or a TD, such as a Service Description. Cloud Services are designed to be available 24/7, subject to maintenance. Client will be notified of scheduled maintenance. Technical support and service level commitments, if applicable, are specified in an Attachment or TD.

Client accepts an Attachment or TD by ordering, enrolling, using, or making a payment for the Cloud Service. When Resilient accepts Client’s order, Resilient provides Client the authorizations specified in the TD. The term, including any renewal term, for a Cloud Service is described in an Attachment or TD.

Resilient will provide the facilities, personnel, equipment, software, and other resources necessary to provide the Cloud Services and generally available user guides and documentation to support Client’s use of the Cloud Service. Client will provide hardware, software and connectivity to access and use the Cloud Service, including any required Client-specific URL addresses and associated certificates. An Attachment or TD may have additional Client responsibilities.

Client may access a Cloud Service only to the extent of authorizations acquired by Client and only for internal business purposes and not to provide a service to third parties.  Client is responsible for use of Cloud Services by any user who accesses the Cloud Service with Client’s account credentials.  A Cloud Service may not be used in any jurisdiction for unlawful, obscene, offensive or fraudulent content or activity, such as advocating or causing harm, interfering with or violating the integrity or security of a network or system, evading filters, sending unsolicited, abusive or deceptive messages, viruses or harmful code, or violating third party rights. If there is a complaint or notice of violation, use may be suspended until resolved, and terminated if not resolved promptly. Unless expressly provided in an Attachment or TD, Client is not authorized to use a Cloud Service to provide hosting or timesharing services to any third party.

Data Protection

Each Cloud Service is designed to protect content that Client inputs into the Cloud Service. Except for account data, Client is the sole controller for any personal data included in the content, and appoints Resilient as a processor to process such personal data (as those terms are defined in EU Directive 95/46/EC). Except as specified in an Attachment or TD, Resilient will treat content as confidential by not disclosing content other than to Resilient employees and contractors for use only to the extent needed to deliver the Cloud Service. Resilient will return or destroy it upon the expiration or cancellation of the Cloud Service, or earlier upon Client’s request. Resilient may charge for certain activities performed at Client’s request (such as delivering content in a specific format).

Client is responsible for obtaining all necessary permissions to use, provide, store and process content in the Cloud Service and grants Resilient permission to do the same. Some of Client’s content may be subject to governmental regulation or may require security measures beyond those specified by Resilient for an offering. Client will not input or provide such content unless Resilient has first agreed in writing to implement additional required security measures.

The Attachment or TD for each Cloud Service describes the security functions and features of the Cloud Service. By using the Cloud Service Client acknowledges that it meets Client’s requirements and processing instructions. Resilient will provide Client notice of any unauthorized third party access to Client’s content of which Resilient becomes aware and will use reasonable efforts to remediate identified security vulnerabilities. If Client’s content is lost or damaged, Resilient will assist Client in restoring it to the Cloud Service from the last available backup copy in compatible format.

Resilient may use processors and subprocessors (including personnel and resources) in locations worldwide to deliver the Cloud Services. Resilient may transfer Client’s personal data across country borders including outside the European Economic Area (EEA). A list of countries where content may be processed for a Cloud Service is available upon request or as described in the Attachment or TD. A list of subprocessors is available upon request.

Upon request by either party, Resilient, Client or their affiliates will enter into additional agreements required by law for the protection of personal data included in content, such as the standard unmodified EU Model Clauses agreement pursuant to EC Decision 2010/87/EU with optional clauses removed. The parties agree (and will procure that their respective affiliates agree) that such additional agreements will be subject to the terms of the Agreement.

Resilient, its affiliates, and their third party suppliers may process, store and use account data wherever they do business to enable product features, administer use, personalize experience, and otherwise support or improve use of the Cloud Service.  Account data is all information (which may be further described in an Attachment or TD) about Client or its users provided to or collected by Resilient (including through tracking and other technologies, such as cookies) which is processed in accordance with the Resilient Online Privacy Statement which is available upon request.

Changes

Resilient may modify a Cloud Service, without degrading its functionality or security features. Any change that affects the commercial terms (e.g. charges) of the Cloud Service will not be effective until the next agreed renewal or extension.

Resilient may withdraw a Cloud Service on 12 months’ notice, unless otherwise stated in an Attachment or TD.  Resilient will either continue to provide the Cloud Service for the remainder of Client’s unexpired term or work with Client to migrate to another Resilient Service.

Since this agreement may apply to many future orders, Resilient may modify this agreement by providing Client at least three months’ written notice. Changes are not retroactive; they apply, as of the effective date, only to new orders, ongoing Products that do not expire, and renewals. For transactions with a defined renewable contract period, Client may request that Resilient defer the change effective date until the end of the current contract period. Client accepts changes by placing new orders or continuing use after the change effective date or allowing transactions to renew after receipt of the change notice.  Except as provided above, all changes to the Agreement must be in writing accepted by both parties.  If there is a conflict, an Attachment or TD prevails over the terms of this agreement.

Warranties and Post Warranty Support

Resilient warrants that Programs used in their specified operating environment conform to their official published specifications.  The warranty period for a Program is one year, or the initial license term if less than one year, unless another warranty period is specified in an Attachment or TD.  During the Program warranty period, Resilient provides Software Subscription and Support (S&S), entitling Client to defect correction information, restrictions, bypasses, and new releases and versions Resilient makes generally available.  If Client elects to continue S&S for a Program at a designated Client site, Client must maintain S&S for all uses and installations of the Program at that site.

If a Program does not function as warranted during its warranty period and Resilient is unable to repair or replace it with a functional equivalent, Client may return it to Resilient for a refund of the amount Client paid (for recurring charges, up to twelve months’ charges) and Client’s license or right to use it terminates.

Resilient warrants that it provides Cloud Services using commercially reasonable care and skill in accordance with the applicable Attachment or TD. The warranty for a Cloud Service ends when the Cloud Service ends.

Resilient does not warrant uninterrupted or error-free operation of a Resilient Product or that Resilient will correct all defects or prevent third party disruptions or unauthorized third party access to a Resilient Product.  These warranties are the exclusive warranties from Resilient and replace all other warranties, including the implied warranties or conditions of satisfactory quality, merchantability, non-infringement, and fitness for a particular purpose.  Resilient warranties will not apply if there has been misuse, modification, damage not caused by Resilient, failure to comply with instructions provided by Resilient, or if otherwise stated in an Attachment or TD. Non-Resilient Products are sold under this Agreement as-is, without warranties of any kind.  Third parties may provide their own warranties to Client.

Charges, Taxes, Payment, and Verification

Client agrees to pay all applicable charges specified by Resilient, charges for use in excess of authorizations, any customs or other duty, tax, levy, or fee imposed by any authority resulting from Client’s acquisitions under this Agreement, and any late payment fees. Amounts are due upon receipt of the invoice and payable within 30 days of the invoice date to an account specified by Resilient. Resilient does not give credits or refunds for any prepaid, one-time charges, or other charges already due or paid.

Client agrees to: i) pay withholding tax directly to the appropriate government entity where required by law; ii) furnish a tax certificate evidencing such payment to Resilient; iii) pay Resilient only the net proceeds after tax; and iv) fully cooperate with Resilient in seeking a waiver or reduction of such taxes and promptly complete and file all relevant documents.

Resilient may change recurring charges, labor rates and minimum commitments on three months’ notice. A change applies on the invoice date or the first day of the charging period on or after the effective date Resilient specifies in the notice.  Resilient may change one-time charges without notice. However, a change to a one-time charge does not apply to an order if i) Resilient receives the order before the announcement date of the increase and ii) within three months after Resilient’s receipt of the order, the Product is shipped or made available to Client.

Client will i) maintain, and provide upon request, records, system tools output, and access to Client’s premises, as reasonably necessary for Resilient and its independent auditor to verify Client’s compliance with the Agreement, including Program licenses and metrics, such as sub-capacity usage, and ii) promptly order and pay for required entitlements (including associated S&S) at Resilient’s then current rates and for other charges and liabilities determined as a result of such verification, as Resilient specifies in an invoice.  These compliance verification obligations remain in effect during the term of any TD and for two years thereafter.

Liability and Indemnity

Resilient’s entire liability for all claims related to the Agreement will not exceed the amount of any actual direct damages incurred by Client up to the amounts paid (if recurring charges, up to 12 months’ charges apply) for the Product that is the subject of the claim, regardless of the basis of the claim.  This limit applies collectively to Resilient, its subsidiaries, contractors, and suppliers.  Resilient will not be liable for special, incidental, exemplary, indirect, or economic consequential damages, or lost profits, business, value, revenue, goodwill, or anticipated savings.

The following amounts, if a party is legally liable for them, are not subject to the above cap: i) third party payments referred to in the paragraph below; ii) damages for body injury (including death); iii) damages to real property and tangible personal property; and iv) damages that cannot be limited under applicable law.

If a third party asserts a claim against Client that a Resilient Product acquired under this Agreement infringes a patent or copyright, Resilient will defend Client against that claim and pay amounts finally awarded by a court against Client or included in a settlement approved by Resilient, provided that Client promptly (i) notifies Resilient in writing of the claim, (ii) supplies information requested by Resilient, and (iii) allows Resilient to control, and reasonably cooperates in, the defense and settlement, including mitigation efforts.

Resilient has no responsibility for claims based, in whole or part, on Non-Resilient Products, items not provided by Resilient, or any violation of law or third party rights caused by Client’s content, materials, designs, specifications, or use of a non-current version or release of a Resilient Program when an infringement claim could have been avoided by using a current version or release.

Termination

Either party may terminate this Agreement: a) without cause on at least one month’s notice to the other after expiration or termination of its obligations under this Agreement; or b) immediately for cause if the other is in material breach of this Agreement, provided the one who is not complying is given notice and reasonable time to comply. Failure to pay is a material breach. Any terms that by their nature extend beyond the Agreement termination remain in effect until fulfilled, and apply to successors and assignees.  Termination of the Agreement does not terminate TDs, and provisions of this Agreement and Attachments as they relate to such TDs remain in effect until fulfilled or otherwise terminated in accordance with their terms. Resilient may terminate Client’s license to use a Program if Client fails to comply with this Agreement. Client will promptly destroy all copies of the Program after either party has terminated the license.

Governing Laws and Geographic Scope

Each party is responsible for complying with: i) laws and regulations applicable to its business and content, and ii) import, export and economic sanction laws and regulations, including those of the United States that prohibit or restrict the export, re-export, or transfer of products, technology, services or data, directly or indirectly, to or for certain countries, end uses or end users. Client is responsible for its use of Resilient and Non-Resilient Products.

Both parties agree to the application of the laws of the State of New York, United States to this Agreement, without regard to conflict of law principles. The rights and obligations of each party are valid only in the country where the transaction is performed or, if Resilient agrees, the country where the Product is placed in productive use, except all licenses are valid as specifically granted.

If any provision of the Agreement is invalid or unenforceable, the remaining provisions remain in full force and effect. Nothing in the Agreement affects statutory rights of consumers that cannot be waived or limited by contract. The United Nations Convention on Contracts for the International Sale of Goods does not apply to transactions under this Agreement.

General

Parties will not disclose confidential information without a separate, signed confidentiality agreement. If confidential information is exchanged in connection with this Agreement, the applicable confidentiality agreement is incorporated into, and subject to, this Agreement.

Client accepts an Attachment or TD by ordering, enrolling, using, or making a payment for, the Product.  Since this Agreement may apply to many future orders, Resilient reserves the right to modify it by providing Client at least three months’ written notice. However, changes are not retroactive; they apply, as of the effective date, only to new orders and renewals. For transactions with a defined renewable contract period, Client may request that Resilient defer the change effective date until the end of the current contract period. Client accepts changes by placing new orders after the change effective date or allowing transactions to renew after receipt of the change notice.  Except as provided above, all changes to the agreement must be in writing signed by both parties.  If there is a conflict, an Attachment or TD prevails over the terms of this agreement.

Resilient is an independent contractor, not Client’s agent, joint venturer, partner, or fiduciary, and does not undertake to perform any of Client’s regulatory obligations, or assume any responsibility for Client’s business or operations.  Resilient Business Partners are independent from Resilient and unilaterally determine their prices and terms. Resilient is not responsible for their actions, omissions, statements, or offerings.

Client is responsible for obtaining all necessary permissions to use, provide, store and process content in Program support, and grants Resilient permission to do the same. Client is responsible for adequate content back-up.  Some of Client’s content may be subject to governmental regulation or may require security measures beyond those specified by Resilient for an offering. Client will not input or provide such content including without limitation personally identifiable or medical information.

Resilient and its affiliates, and their subcontractors, may process and store business contact information of Client personnel in connection with the performance of this Agreement wherever they do business. Resilient may use personnel and resources in locations worldwide and third party suppliers to support the delivery of Products.

Neither party may assign this Agreement, in whole or in part, without the prior written consent of the other. Assignment of Resilient rights to receive payments and by Resilient in conjunction with the sale of the portion of Resilient’s business that includes the Product is not restricted.

All notices under this Agreement must be in writing and sent to the address below, unless a party designates in writing a different address.  The parties consent to the use of electronic means and facsimile transmissions for communications as a signed writing. Any reproduction of the Agreement made by reliable means is considered an original.  The Agreement supersedes any course of dealing, discussions or representations between the parties.

No right or cause of action for any third party is created by this Agreement or any transaction under it.  Neither party will bring a legal action arising out of or related to this Agreement more than two years after the cause of action arose. Neither party is responsible for failure to fulfill its non-monetary obligations due to causes beyond its control.  Each party will allow the other reasonable opportunity to comply before it claims the other has not met its obligations.  Where approval, acceptance, consent, access, cooperation or similar action by either party is required, such action will not be unreasonably delayed or withheld.

The Agreement applies to Resilient and Client and their respective Enterprise companies who avail themselves of the Agreement. The parties shall coordinate the activities of Enterprise companies under this Agreement.  Enterprise companies include (i) companies within the same country that Client or Resilient control (by owning greater than 50% of the voting shares), and (ii) any other entity that controls, is controlled by or is under common control as Client or Resilient and has signed a participation Attachment.

LICENSE INFORMATION – RESILIENT INCIDENT RESPONSE PLATFORM – FOR ON-PREMISE INSTALLATION

This License Information (LI) provides the specific terms under which Client may obtain a license to the Programs listed below.  The specific Programs and quantities licensed to Client are identified in an applicable Transaction Document (TD).  This LI is governed under the terms of the Resilient Client Relationship Agreement or other base agreement referenced in the TD and together with the LI and TD constitutes the “Agreement.”

Programs

  • Resilient IRP Security Module
  • Resilient IRP Action Module
  • Resilient IRP Privacy Module
  • Test/Development Instance for Non-production purposes only

Term License

The Programs are licensed to Client for the term specified in the TD, beginning on the date that Client’s order is accepted by Resilient.  Such term shall automatically renew on the term anniversary date for an additional and equal term at Resilient’s then-applicable rates for the Programs unless either party provides at least 30 days’ notice of non-renewal prior to the term’s expiration. If such notice is given, Client’s license to the Programs shall expire at the end of the current applicable term and Client will no longer be permitted to use the Programs.  If no term is specified in the TD, the Programs are licensed on an on-going basis unless terminated as set forth in the Agreement.

License Metrics

The Programs are available under the license metrics listed below and/or identified in the TD:

  • User Seat is a unit of measure by which the Program can be licensed. A User is a unique person who is given access to the Program. Client must obtain separate, dedicated User Seat entitlements for each User accessing the Program in any manner directly or indirectly (e.g., via a multiplexing program, device, or application server) through any means. A User Seat entitlement for a User is unique to that User and may not be shared, nor may it be reassigned other than for the permanent transfer of the User Seat entitlement to another person.

Compliance Management Programs

The Programs can be used to help Client meet compliance obligations, which may be based on laws, regulations, standards or practices.  Client acknowledges and agrees that any directions, suggested usage, or guidance provided by the Programs does not constitute legal, accounting, or other professional advice, and Client is cautioned to obtain its own legal, accounting, or other expert counsel.  Client also agrees that it is solely responsible for ensuring that Client and Client’s activities, applications and systems comply with all applicable laws, regulations, standards and practices.  Use of the Programs does not guarantee compliance with any law, regulation, standard or practice.

Open Source Software

The Programs may contain open source software. Such open source software is licensed to Client under the terms of the applicable open source license that is set forth in the ‘About’ section of the Programs. Client’s use of such open source software is subject to the terms and conditions of the applicable open source licenses.  Resilient provides such open source software as is, without any warranties express or implied.

Prohibited Components – Resilient Standard Product

Notwithstanding any provision in the Agreement, Client may not use the following components, features and functions of the Resilient Standard Product if Client obtains a license to that Program:

  • Configuration import/export
  • Access to threat feeds
  • Support for custom threat feeds
  • Email connector
  • Telephone support, Standard Product support is handled through email and Support hub
  • LDAP compatibility

Client may also not use the following components, features and functions of the Resilient Standard Product if it has not also obtained a license to the Resilient IRP Action Module:

  • Pre-defined integrations
  • API access

Non-Production Limitation

If the Program is designated as “non-production”, the Program can only be deployed as part of the Client’s internal development and test environment for internal non-production activities, including but not limited to testing, performance tuning, fault diagnosis, internal benchmarking, staging, quality assurance activity and/or developing internally used additions or extensions to the Program using published application programming interfaces.  Client is not authorized to use any part of the Program for any other purposes without acquiring the appropriate production entitlements.

Program Keys

For Programs which require license keys to operate, Client may not have more keys to the Programs in Client’s Enterprise than Client has entitlements.

License Terms delivered with Program Not Applicable

The terms of this Agreement supersede and void any electronic “click through,” “shrinkwrap,” or other licensing terms and conditions included with or accompanying the Program(s) or any purchase order conditions provided by the Client.

Lawful Use of Program

This Program is designed to help Client improve its security environment and data.  Use of this Program may implicate various laws or regulations, including those related to privacy, data protection, employment, and electronic communications and storage.  The Program may be used only for lawful purposes and in a lawful manner.  Client agrees to use the Program pursuant to, and assumes all responsibility for complying with, applicable laws, regulations and policies.  Client represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of the Program.

SERVICE DESCRIPTION – RESILIENT INCIDENT RESPONSE PLATFORM – FOR SAAS

This Service Description describes the Cloud Service Resilient provides to Client.  The specific Cloud Service and quantities are detailed in an applicable Transaction Document (TD). This Service Description is governed under the Resilient Cloud Services Agreement or other base agreement referenced in the TD and together with the SD and TD constitutes the “Agreement.” Client means the company and its authorized users and recipients of the Cloud Service.

  1. Cloud Service

The Resilient Incident Response Platform provides dynamic action plans for more than 18 different specific incident types (from malware to DDoS to lost devices) and best practices for responding to all incidents generally. This knowledgebase leads a Client team through an effective response and may be configured to Client’s unique operating procedures.

Incident response teams can manage and collaborate on their response directly within the Incident Response Platform. Unlike ticketing systems and other general-purpose IT tools, the Resilient Incident Response Platform is fully configurable and purpose-built for incident response. Comprehensive analysis, customizable dashboards, and robust reporting features allow senior leadership to access key information when they need it.

The Resilient Incident Response Platform is designed for organizations of various sizes and complexity. The Resilient Enterprise Incident Response Platform is built for large, varied systems of major enterprises. The Resilient Standard Product is an economical, yet powerful, incident response solution for mid-sized organizations. It has the functionality that a mid-sized organization needs to achieve reliable response capability, and provides the ability to upgrade as needed.

The Resilient Incident Response Platform is a cloud-based platform composed of separately orderable modules Client may select based on their requirements for incident response activities.  The modules are as follows:

  • Resilient IRP Privacy Module

The privacy module streamlines incident response and privacy response management, providing:

  1. A knowledgebase of breach notification regulations – which is tracked, updated, and interpreted by an internal legal team and certified privacy professionals;
  2. Data breach response plans that map to the latest regulations. These plans provide tracking of privacy breach legislation, industry regulations, company-specific obligations, third-party requirements, and industry best practices;
  3. Curated regulatory information from external privacy professionals and the community of Resilient users; and
  4. Notification of new regulations – providing context and assurance of Client organizations’ ongoing regulatory status.
  • Resilient IRP Security Module

The security module offers a foundation for response planning, management, and mitigation for organizations and incident types. The module features:

  1. Fast and easy incident creation and tracking, to allow incidents to be captured and followed through to resolution;
  2. Response plans based on industry standards and best practices;
  3. Incident simulation and reporting capabilities for testing response plans, identifying gaps, and refining the response process;
  4. Central collaboration to allow units across the organization – including IT, legal, marketing, HR, and the executive team – to understand their role when needed in a response;
  5. Incident simulations and reporting – enabling teams to test response plans, identify gaps, and refine response processes; and
  6. Incident and artifact enrichment through built-in integration with a wide range of cyber threat intelligence feeds, such as IBM X-Force.

  • Resilient IRP Action Module

The action module provides an automated, fast, and flexible way for organizations to act on incidents by:

  1. Synthesizing data from existing security and IT systems (including endpoint security tools, SIEMs, and ticketing systems) to provide critical, real-time information;
  2. Automating a wide range of tasks – such as user identification via LDAP, asset enrichment or discovery via CMDB integration, and cyber threat intelligence lookup;
  3. Orchestrating response processes by making alerts actionable and streamlining remediation tasks; and
  4. Allowing security teams to automate and fine-tune response processes and workflows, without the need for custom development or specialized programming skills.

  • Resilient Standard Product

This product is a scaled-back version of the Incident Response Platform that is designed to fit the incident response needs of mid to small enterprises.

  • Test/Development Instance for Non-Production purposes only

A separate instance of the Incident Response Platform that Client may only use for internal non-production activities, including but not limited to testing, performance tuning, fault diagnosis, internal benchmarking, staging quality assurance activity and/or developing internally used additions or extensions to the Cloud Service using published application programming interfaces.

  1. Security Description

This Cloud Service follows the data security and privacy principles for SaaS offerings that are available at https://www.ibm.com/cloud/resourcecenter/content/80 and any additional terms provided in this section.  Any changes to these data security and privacy principles will not degrade the security of the Cloud Service.

This Cloud Service is not designed to any specific security requirements for regulated content, such as personal information or sensitive personal information. Client is responsible for determining if this Cloud Service meets Client’s needs with regard to the type of content Client uses in connection with the Cloud Service.

  1. Technical Support

Technical support for the Cloud Service is provided via email, online forums, and an online problem reporting system. Technical support is offered with the Cloud Service and is not available as a separate offering. Technical support is available during the regular business hours of 9:00 AM to 6:00 PM Eastern Time excluding holidays.

Severity 1:

Severity Definition: Critical business impact/service down: Business critical functionality is inoperable or critical interface has failed. This usually applies to a production environment and indicates an inability to access services resulting in a critical impact on operations.  This condition requires an immediate solution.

Response Time Objectives During Support Hours: Within 1 hour

Severity 2:

Severity Definition: Significant business impact: A service feature or function is severely restricted in its use or Client is in jeopardy of missing business deadlines.

Response Time Objectives During Support Hours: Within 2 business hours

Severity 3:

Severity Definition: Minor business impact: Indicates the service or functionality is usable and it is not presenting a critical impact on operations.

Response Time Objectives During Support Hours: Within 4 business hours

Severity 4:

Severity Definition: Minimal business impact: An inquiry or non-technical request.

Response Time Objectives During Support Hours: Within 1 business day

  1. Entitlement and Billing Information
    • Charge Metrics

The Cloud Service is available under the charge metric specified in the Transaction Document:

  1. User Seat is a unit of measure by which the Cloud Service can be obtained. A User is a unique person who is given access to the Cloud Service.  Client must obtain separate, dedicated User Seat entitlements for each user accessing the Cloud Service in any manner directly or indirectly (e.g., via a multiplexing program, device, or application server) through any means.  A User Seat entitlement for a User is unique to that User and may not be shared, nor may it be reassigned other than for the permanent transfer of the User Seat entitlement to another person.

  1. Term and Renewal Options

The term of the Cloud Service begins on the date Resilient notifies Client of their access to the Cloud Service, as documented in the TD.

Unless Client provides written notice not to renew at least 30 days prior to the term expiration date, the Cloud Service will automatically renew for the term specified in the TD at Resilient’s then-current renewal charges.

  1. Additional Terms for Resilient Standard Product

If Client has obtained access to the Resilient Standard Product Cloud Service, Client may not use the following components, features and functions of that Cloud Service:

  • Configuration import/export
  • Threat feeds
  • Email connector
  • LDAP compatibility

If Client has not also obtained access to the Resilient IRP Action Module Cloud Service, Client may not use the following components, features, and functions of the Resilient Standard Product:

  • Pre-defined integrations
  • API access

Additionally, telephone support and support for custom threat feeds are not included in the Technical Support that Resilient provides for the Resilient Standard Product Cloud Service.

  1. Compliance Management Cloud Service

The Cloud Service can be used to help Client meet compliance obligations, which may be based on laws, regulations, standards or practices.  Client acknowledges and agrees that any directions, suggested usage, or guidance provided by the Cloud Service does not constitute legal, accounting, or other professional advice, and Client is cautioned to obtain its own legal, accounting, or other expert counsel.  Client also agrees that it is solely responsible for ensuring that Client and Client’s activities, applications and systems comply with all applicable laws, regulations, standards and practices.  Use of the Cloud Service does not guarantee compliance with any law, regulation, standard or practice.

  1. Lawful Use of the Cloud Service

The Cloud Service is designed to help the Client improve its security environment and data.  Use of the Cloud Service may implicate various laws or regulations, including those related to privacy, data protection, employment, and electronic communications and storage.  The Cloud Service may be used only for lawful purposes and in a lawful manner.  Client agrees to use the Cloud Service pursuant to, and assumes all responsibility for complying with applicable laws, regulations and policies.  Client represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of the Cloud Service.

  1. Security Data

As part of this Cloud Service, which includes reporting activities, Resilient will prepare and maintain de-identified and/or aggregate information collected from the Cloud Service (“Security Data”). The Security Data will not identify Client, or an individual except as provided in (d) below. Client herein additionally agrees that Resilient may use and/or copy the Security Data only for the following purposes:

  (a) publishing and/or distributing the Security Data (e.g., in compilations and/or analyses related to cybersecurity);
  (b) developing or enhancing products or services;
  (c) conducting research internally or with third parties; and
  (d) lawful sharing of confirmed third party perpetrator information.

6-24-16