“Cloud Service” means a Barracuda-hosted service to which a Barracuda customer (“Customer”) subscribes or uses at any time.
SOFTWARE LICENSE AGREEMENT
At all times during the term of Customer’s subscription, and subject to data retention configurations, Customer will have the ability to access and extract Customer Data stored in each Cloud Service. “Customer Data” means all data, including all text, sound, video, or image files, and software, that is provided to Barracuda by, or on behalf of, Customer through its use of the Cloud Service.
Except for free trials, Barracuda will retain Customer Data stored in the Cloud Service in a limited function account for 30 days after expiration or termination of Customer’s subscription so that Customer may extract its data. After the 30-day retention period ends, Barracuda will disable Customer’s account and may delete the Customer Data at its discretion.
The Cloud Service may not support retention or extraction of software provided by Customer. Barracuda has no liability for the deletion of Customer Data as described in this section.
Use of Software with the Cloud Service
Cloud Services contain software. Use of the software by Customer is subject to the following terms:
Barracuda Software License Terms
Customer may install and use the software only for use with the Cloud Service. The Cloud Service may limit the number of copies of the software Customer may use or the number of devices on which Customer may use it. Customer’s right to use the software begins when the Cloud Service is activated and ends when Customer’s right to use the Cloud Service ends. Customer must uninstall the software when Customer’s right to use it ends. Barracuda may disable the software at that time.
Validation, Automatic Updates, and Collection for Software
Barracuda may automatically check the version of any of its software. Devices on which the software is installed may periodically provide information to enable Barracuda to verify that the software is properly licensed. This information includes the software version, the end user’s account information, product ID information, a machine ID, and the Internet protocol address of the device. If the software is not properly licensed, its functionality will be affected. Customer may only obtain updates or upgrades for the software from Barracuda or a Barracuda authorized source. By using the software, Customer consents to the transmission of the information described in this section. Barracuda may, at its discretion, recommend or download to Customer’s devices updates or supplements to this software, with or without notice. Some Cloud Services may require, or may be enhanced by, the installation of local software (e.g., agents, device management applications) (“Apps”). The Apps may collect data about the use and performance of the Apps, which may be transmitted to Barracuda and used for the purposes described in this Cloud Service Terms.
Third-party Software Components
The software may contain third party software components. Unless otherwise disclosed in that software, Barracuda, not the third party, licenses these components to Customer under Barracuda’s license terms and notices.
“Non-Barracuda Product” means any third-party-branded software, data, service, website or product.
Barracuda may make Non-Barracuda Products available to Customer through Customer’s use of the Cloud Services. If Customer installs or uses any Non-Barracuda Product with a Cloud Service, Customer’s use of such Non-Barracuda Product is subject to third party license terms only and customer may not use such Non-Barracuda Product in any way that would subject Barracuda’s intellectual property or technology to additional obligations. For Customer’s convenience, Barracuda may include charges for the Non-Barracuda Product as part of Customer’s bill for Cloud Services. Barracuda, however, assumes no responsibility or liability whatsoever for the Non-Barracuda Product. Customer is solely responsible for any Non-Barracuda Product that it installs or uses with a Cloud Service.
Acceptable Use Policy
Neither Customer nor those that access a Cloud Service through Customer may use a Cloud Service:
To copy or upload files or information unless Customer has a legal right to the files or information;
To probe, scan, or test the vulnerability of any system, or attempt to circumvent any security or authentication measures;
To access, tamper with, or use non-public areas of the Barracuda Cloud, or attempt to access or search the Barracuda Cloud through nonpublic interfaces;
To attempt to disrupt any user or network by sending a virus, malware, overloading, flooding, spamming, or mail-bombing, or otherwise interfering with the use of other users;
To send unsolicited communications, promotions or advertisements, or spam;
To send bulk email, including unsolicited bulk e-mail or unsolicited commercial e-mail;
To attempt to access another user’s account;
To send altered, deceptive or false source-identifying information, including “spoofing” or “phishing”;
To publish anything that is fraudulent, misleading, or infringes another’s rights;
To misrepresent itself or an affiliation with an entity;
To publish or share materials that are offensive, defamatory, or unlawful;
In a way that is prohibited by law, regulation, governmental order or decree;
To violate the rights of others;
To try to gain unauthorized access to or disrupt any service, device, data, account or network;
In a way that could harm the Cloud Service or impair anyone else’s use of it; or
In any application or situation where failure of the Cloud Service could lead to death or serious bodily injury, or to severe physical or environmental damage.
Violation of the terms in this section may result in suspension or cancellation of the Cloud Service. Barracuda may provide reasonable notice before suspending a Cloud Service.
Customer must comply with, and shall not work around, any technical limitations in a Cloud Service that restrict a Customer’s use of the Cloud Service. Customer may not download or otherwise remove copies of software or source code from a Cloud Service except as explicitly authorized by Barracuda.
Compliance with Laws
Barracuda will comply with all laws and regulations applicable to its provision of the Cloud Services, including security breach notification laws. However, Barracuda is not responsible for compliance with any laws or regulations applicable to Customer or Customer’s industry. Barracuda does not determine whether Customer Data includes information that is subject to any specific law or regulation.
Customer must comply with all laws and regulations applicable to its use of Cloud Services, including, but not limited to, laws related to privacy, data protection and the confidentiality of communications. Customer is responsible for implementing and maintaining privacy protections and security measures for components that Customer provides or controls, and for determining whether the Cloud Services are appropriate for storage and processing of information subject to any specific law or regulation. Customer is responsible for responding to any third party request regarding Customer’s use of a Cloud Service, such as a request to take down content under the U.S. Digital Millennium Copyright Act or other applicable laws.
Customer’s use of any tools provided in the Cloud Services that allow for the import or export of data is conditioned upon Customer’s compliance with all instructions provided by Barracuda regarding the preparation, treatment and shipment of physical media containing Customer Data (“Storage Media”). Customer is solely responsible for ensuring the Storage Media and Customer Data are provided in compliance with all laws and regulations. Barracuda has no duty with respect to the Storage Media and no liability for lost, damaged or destroyed Storage Media.
Barracuda may provide Customer with information and notices about Cloud Services electronically, including via email, through the Cloud Service portal, or through a website specified by Barracuda. Notice is considered given as of the date it is made available by Barracuda.
Privacy and Security Terms
General Privacy and Security Terms
The terms in this section apply to all Barracuda Cloud Services.
Use of Customer Data
Customer Data will only be used to provide Customer with the Cloud Services including any purpose that is compatible with providing those services. Barracuda will not use Customer Data or derive information from it for any advertising or similar commercial purpose.
In addition to providing the Cloud Service and day-to-day operations, Barracuda may use Customer Data for the following:
Troubleshooting aimed at preventing, detecting, and repairing problems affecting the operation of Cloud Services;
Ongoing improvement of features, such as those that improve the reliability of Cloud Services, or involve the detection of, and protection against, threats to the Cloud Services or Customer Data (such as malware or spam);
Providing personalized customer experiences; and
Contacting Customer about new products and/or services.
As between the parties, Customer retains all right, title and interest in and to Customer Data. Barracuda acquires no rights in Customer Data, other than the rights Customer grants to Barracuda for the uses set forth above. This paragraph does not affect Barracuda’s rights in any software or services Barracuda licenses to Customer.
Disclosure of Customer Data
Barracuda will not voluntarily disclose Customer Data outside of Barracuda or its controlled subsidiaries and affiliates except (1) as Customer directs; (2) as described in these Cloud Service Terms; or (3) as required by law.
Barracuda does not disclose Customer Data to law enforcement or third parties. In the event Barracuda is required to disclose Customer Data to law enforcement or a third party, Barracuda will do so only to the extent necessary.
Notwithstanding the foregoing, Barracuda may, at its discretion, provide Customer’s basic contact information to a third party.
If Customer is an educational agency or institution to which regulations under the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (“FERPA”) applies, Customer understands that Barracuda may possess limited or no contact information for Customer’s students and the students’ parents. Consequently, Customer will be responsible for obtaining any parental consent for any end user’s use of the Cloud Service that may be required by applicable law and to convey notification on behalf of Barracuda to the students (or, with respect to a student under 18 years of age and not in attendance at a postsecondary institution, to the student’s parent) of any judicial order or lawfully-issued subpoena requiring the disclosure of Customer Data in Barracuda’s possession as may be required under applicable law.
HIPAA Business Associate
Barracuda complies with any portions of HIPAA or the HITECH Act that are directly applicable to Barracuda. In particular, the Barracuda Cloud safeguards data in such a way as to satisfy HIPAA’s Security Rule. Customers wishing to establish a Business Associate relationship with Barracuda per 45 CFR 164.502(e) and 164.504(e) should request a Business Associate Agreement from Barracuda. The Business Associate Agreement defines commitments that Barracuda will make to maintain HIPAA and HITECH compliance.
Barracuda is committed to helping protect the security of Customer information. Barracuda has implemented, and will maintain and follow, appropriate technical and organizational measures intended to protect Customer Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction.
Security Incident Notification
If Barracuda becomes aware of any unlawful access to any Customer Data stored on Barracuda’s equipment or in Barracuda’s facilities that results in the loss, disclosure or alteration of Customer Data (each a “Security Incident”), Barracuda will promptly (1) notify Customer of the Security Incident; (2) investigate the Security Incident; and (3) take reasonable steps to mitigate the effects of, and minimize any damage resulting from, the Security Incident.
Security Incidents Notification(s) will be delivered to one or more Customer administrator by a means selected by Barracuda, including via email. It is Customer’s sole responsibility to ensure that its administrators maintain accurate contact information on each applicable Cloud Services portal. Barracuda’s obligation to report or respond to a Security Incident under this section is not an acknowledgement by Barracuda of any fault or liability with respect to a Security Incident.
Customer must notify Barracuda promptly of any possible misuse of its accounts or authentication credentials or any security incident related to a Cloud Service.
Location of Data Processing
Except as described elsewhere in the Cloud Service Terms, Customer Data that Barracuda processes on Customer’s behalf may be transferred to, and stored and processed in, the United States or any other country in which Barracuda or its affiliates or subcontractors maintain facilities. Customer appoints Barracuda to perform any such transfer of Customer Data to any such country and to store and process Customer Data in order to provide the Cloud Services.
Barracuda may offer preview, beta or other pre-release features, data center locations, and services (“Previews”) for optional evaluation. Previews may employ lesser or different privacy and security measures than those typically present in the Cloud Services.
Use of Subcontractors
Barracuda may hire subcontractors to provide services on its behalf. Any such subcontractor will be permitted to obtain Customer Data only to deliver the services Barracuda has retained them to provide and will be prohibited from using Customer Data for any other purpose. Barracuda remains responsible for its subcontractors’ compliance with Barracuda’s obligations in the Cloud Service Terms. Customer consents to Barracuda’s transfer of Customer Data to subcontractors.
How to Contact Barracuda
If Customer believes that Barracuda is not adhering to its privacy or security commitments, Customer may contact customer support or use Barracuda’s privacy web form located at https://www.barracuda.com/company/contact
Location of Customer Data at Rest
Barracuda will store Customer Data at rest within secure data centers in the United States, Canada, Europe and APAC.
Barracuda does not control or limit the regions from which Customer or Customer’s end users may access or move Customer Data.
Customer Data Deletion or Return. Barracuda aims to maintain its Cloud Services in a manner that protects information from accidental or malicious destruction. Barracuda is not obligated to immediately delete residual copies from its active servers and may not remove information from its backup systems.
Barracuda Personnel. Barracuda personnel are granted access to confidential information only when necessary under management oversight. Barracuda personnel will use Customer Data only for purposes compatible with providing Customer the Cloud Services, which can include customer support and troubleshooting the Cloud Service and are obligated to maintain the security and confidentiality of any Customer Data. This obligation continues even after the end of a Customer’s use of the Cloud Services.
Subcontractor Transfer. Barracuda may hire subcontractors to provide certain limited or ancillary services on its behalf. Any subcontractors to whom Barracuda transfers Customer Data, even those used for storage purposes, will have entered into written confidentiality agreements with Barracuda. Customer has previously consented to Barracuda’s transfer of Customer Data to subcontractors as described in the Cloud Service Terms.
General Practices. For its Cloud Services, Barracuda has implemented and complies with the following security measures:
Organization of Information Security
Security Ownership. Barracuda has appointed one or more managers responsible for coordinating and monitoring the security rules and procedures.
Security Roles and Responsibilities. Barracuda personnel with access to Customer Data are subject to confidentiality obligations.
Human Resources Security
Barracuda informs its personnel of relevant security procedures and their respective roles. Barracuda also informs its personnel of possible consequences of breaching the security rules and procedures.
Physical and Environmental Security
Physical Access to Facilities. Barracuda limits access to facilities where information systems that process Customer Data are located to identified authorized individuals.
Protection from Disruptions. Barracuda uses a variety of industry standard systems to protect against loss of data due to power supply failure or line interference.
Component Disposal. Barracuda uses industry standard processes to delete Customer Data.
Communications and Operations Management
Operational Policy. Barracuda maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data.
Data Recovery Procedures.
Malicious Software. Barracuda has anti-malware controls to help prevent malicious software from gaining unauthorized access to Customer Data, including malicious software that originates from public networks.
Data Beyond Boundaries. Barracuda encrypts, or enables Customers to encrypt, Customer Data that is transmitted over public networks.
Event Logging. Barracuda logs, or enables Customers to log, access and use of information systems containing Customer Data, registering the access ID, time, authorization granted or denied, and relevant activity.
Access Policy. Barracuda maintains a record of security privileges of individuals having access to Customer Data.
Least Privilege. Barracuda restricts access to Customer Data to only individuals who require such access to perform their job function.
Integrity and Confidentiality.
Business Continuity Management
Cloud Services Information Security Policy
The following services are certified as follows:
|Cloud Service||Audit Type|
SSAE 16 SOC 2 Type II
SSAE 16 SOC 1 Type II
Subject to non-disclosure obligations, Barracuda will make product specific security overviews available to Customer.
Customer is solely responsible for reviewing each Security Overview and making an independent determination as to whether it meets Customer’s needs.
Barracuda Review of Cloud Services
Barracuda will review the security of the computers, computing environment and physical data centers that it uses in processing Customer Data (including personal data) as follows:
Where a standard or framework provides for audits or reviews, a review of such control standard or framework will be initiated at least annually for each Cloud Service.
Each review will be performed according to the standards and rules of the regulatory or accreditation body for each applicable control standard or framework.
Barracuda will promptly remediate issues raised in any Barracuda review.
Revised October 2016