1. Company
  2. Legal
  3. TERMS AND CONDITIONS
  4. Schedule 9: Additional Terms for Managed XDR Services

Legal Terms and Conditions

Schedule 9: Additional Terms for Managed XDR Services

In addition to the General Terms, the following terms govern the provisioning, use, and delivery of the Managed XDR Services (“Managed XDR”  formerly known as “SKOUT Managed XDR”).

1.     Customer is responsible for licensing and providing any access to any third-party products or services required by Barracuda to perform the Services.     

2.     The Services are committed for the Term. The Term shall automatically renew at the then-current Unit Price for additional term of equal length to the expiring term unless either party, at least 30 days before the end of the Term, provides written notice to the other party of its intention to not to renew the Term. The Term is not cancellable, and all payments are non-refundable. Pricing is specific to quantities ordered.

3.     Quantity & True-Ups: The quantity ordered is the maximum number of Units that may be monitored by the Services without incurring additional charges. In the event that the quantity of Units increases during the Term or any renewal term, Customer will be invoiced for the additional Units on the first day of the calendar month immediately following the increase at a current price, and on the first day of each month thereafter that the quantity of Units monitored exceeds the amount ordered.

4.     Customer acknowledges that Barracuda has no liability or responsibility for any cyber incident caused by a third party, and that the Services are not intended or designed to prevent or block all possible breaches or attacks. Customer is solely responsible for any failure in its infrastructure or human error which results in a breach, loss of data, ransomware attack, or any other loss. Customer understands and accepts this allocation of risk, and Customer will indemnify and hold Barracuda harmless from any loss or damages resulting from a third party incident or breach.

5.     Exhibits. The following Exhibits set forth additional terms applicable to the Services and are hereby incorporated by reference.

a.      Exhibit A – Services Description

b.     Exhibit B - Service Limitations and Exclusions

c.      Exhibit C - Additional Terms Applicable to End Point Security (SentinelOne)

d.     Exhibit D - Additional Terms Applicable to Network and Log Monitoring (ElasticSearch)

 

Exhibit A
Service Descriptions

Subject to the payment in full thereof, Barracuda shall perform Managed XDR Services for Customer and provide Deliverables (as defined below), according to the following terms.  Customer, You, or Your shall mean the end user whose network and devices are being monitored and not the service delivery partner (“Managed Service Provider” or “MSP”), if any, involved in the procurement or delivery process.

1.0  Monitoring Service

The Monitoring Service provides proactive monitoring of Customer’s Network, Cloud and Endpoint infrastructure as described below to identify potential security threats. Barracuda will monitor the Customer’s infrastructure for which the Monitoring Service is purchased

Once the Monitoring Service is installed and enabled Barracuda will:

  • Work with Customer to identify the assets within Customer’s infrastructure.
  • Have the ability to collect log and other information as mutually agreed from Customer’s infrastructure for analysis and alerting. 
  • Respond to events and alerts, notifying Customer of action(s) to take to facilitate the remediation of such events.
  • Provide threat intelligence along with detections mapped to MITRE ATT&CK framework as part of alert notification enrichment. 
  • Provide quarterly summary reports.

Barracuda may monitor different aspects of Customer’s environment as follows:

XDR Network Security:

XDR Network Security is a managed security service that provides network monitoring which is enabled with the installation of either a dedicated physical or virtual sensor, agent or via API capabilities to monitor and analyze logs provided by Customer’s security infrastructure for attacks.  Suspected threats are correlated for analysis using XDR’s analytics platform, SOAR, threat intelligence, and Security Operations Center. When suspicious activities are validated, XDR Network Security will provide alerts and remediation guidance via ticket to Customer’s designated email contact(s).

Deliverables:

  • Ongoing alerting and reporting on potential network intrusions by pattern matching abnormal activity against known indicators of compromise.
  • Support for custom alerting and self-service reports. 
  • Visibility to threat activity in the XDR Dashboard (user interface). 
  • Detections mapped to MITRE ATT&CK framework.
  • 24x7x365 SOC support and updates.
  • Logs are maintained for a rolling 90-day period solely to use for Barracuda to deliver the service, and are not available to Customer for download or through the XDR Dashboard.

XDR Cloud Security:

XDR Cloud Security is a managed security service that provides monitoring for malicious activity in the cloud to find potential identity, privilege, and assets risks such as unauthorized access to cloud mailboxes and infrastructure, admin changes in the environment, inbox rules, impossible logins, and brute force attacks. Customers enable XDR Cloud Security with the installation of either a virtual sensor, agent or via API capabilities to monitor and analyze the Customer’s cloud infrastructure for attacks. When suspicious activities are validated, XDR Cloud Security will provide alerts and remediation guidance via ticket to Customer’s designated email contact(s).

Deliverables:

  • Ongoing Alerting and reporting on potential cloud intrusions by pattern matching abnormal activity against known indicators of compromise.
  • Support for custom alerting and self-service reports. 
  • Visibility to threat activity in the XDR Dashboard (user interface),
  • All Detections mapped to MITRE ATT&CK framework to understand attack tactics and techniques.
  • 24x7x365 SOC support and remediation guidance. 
  • Logs are maintained for a rolling 90-day period solely to use for Barracuda to deliver the service, and are not available to Customer for download or through the XDR Dashboard.

XDR Endpoint Security Managed:

XDR Endpoint Security is a managed solution, backed by SentinelOne and includes its licensing. XDR Endpoint Security Managed offering provides centralized visibility to all managed endpoints in Barracuda XDR Dashboard. It unifies and extends detection capability to the laptops, desktops, and servers within a network, protecting against most endpoint malware. Customers enable XDR Endpoint Security managed service by installing the agent on their Windows, Mac, Linux servers, desktops, and laptops available via Barracuda XDR Dashboard. 

The XDR Endpoint Security Managed offering also includes the services found in the Monitor Only service (noted below).

Deliverables:

  • Monitoring and management of SentinelOne agents on Customer’s endpoint devices. Supports Windows, Mac, and Linux devices.
  • Ongoing Alerting and reporting on potential endpoint risks against known indicators of compromise.
  • Support for custom alerting and self-service reports. 
  • Visibility to threat activity in the XDR Dashboard (user interface). 
  • All Detections mapped to MITRE ATT&CK framework.
  • 24x7x365 SOC support and remediation guidance. 
  • Logs are maintained for a rolling 90-day period solely to use for Barracuda to deliver the service, and are not available to Customer for download or through the XDR Dashboard.

XDR Endpoint Security Monitor Only:

XDR Endpoint Security Monitor Only service is a managed service that provides monitoring for malicious activity in the endpoints. This Service allows Customers to bring their own EDR solution and extends detection capability to the laptops, desktops, and servers within a network, Customers enable XDR Endpoint Security monitoring with the installation of either a virtual sensor, agent or via API capabilities to monitor and analyze the Customer’s endpoints for attacks. When suspicious activities are validated, XDR Endpoint Security will provide alerts and remediation guidance via ticket to Customer’s designated email contact(s).

Deliverables:

  • Ongoing Alerting and reporting on potential endpoint risks against known indicators of compromise.
  • Support for custom Alerting and self-service reports. 
  • Visibility to threat activity in the XDR Dashboard (user interface). 
  • All Detections mapped to MITRE ATT&CK framework.
  • 24x7x365 SOC support and remediation guidance. 
  • Logs are maintained for a rolling 90-day period solely to use for Barracuda to deliver the service, and are not available to Customer for download or through the XDR Dashboard.

XDR Server Security:

XDR Server Security is a managed security service that provides monitoring for malicious activity for critical Windows and Linux machines including password sprays, brute-force attacks, and privilege escalation. Customers enable XDR Server Security with the installation of either a physical or virtual sensor or to monitor and analyze the Customer’s Windows and Linux machines for attacks. When suspicious activities are validated, XDR Server Security will provide alerts and remediation guidance via ticket to Customer’s designated email contact(s).

Deliverables: 

  • Ongoing Alerting and reporting on Windows and Linux risks against known indicators of compromise.
  • Support for custom Alerting and self-service reports. 
  • Visibility to threat activity in the XDR Dashboard (user interface). 
  • All Detections mapped to MITRE ATT&CK framework.
  • 24x7x365 SOC support and remediation guidance. 
  • Logs are maintained for a rolling 90-day period solely to use for Barracuda to deliver the service, and are not available to Customer for download or through the XDR Dashboard.

XDR Email Security:

XDR Email Security is a managed security service which offers email protection monitoring that includes gateway security, account takeover, phishing, and inbox rules, to reduce the impact an attack can have on Customer’s environment. Customers enable XDR Email Security monitoring with the installation of either a virtual sensor, agent or via API capabilities to monitor and analyze the Customer’s email protection software for threats and attacks. When suspicious activities are validated, XDR Email Security will provide alerts and remediation guidance via ticket to Customer’s designated email contact(s).

Deliverables:

  • Ongoing management, alerting and reporting of email protection software monitoring against spam, malware, viruses, phishing and other email-based threats.
  • Support for custom Alerting and self-service reports. 
  • Visibility to threat activity in the XDR Dashboard (user interface). 
  • All Detections mapped to MITRE ATT&CK framework.
  • 24x7x365 SOC support and remediation guidance. 
  • Logs are maintained for a rolling 90-day period solely to use for Barracuda to deliver the service, and are not available to Customer for download or through the XDR Dashboard.

XDR Email Security Managed:

XDR Email Security Managed is a managed solution and a managed security service, backed by Inky and includes its licensing. It offers email protection monitoring. Customers enable XDR Email Security monitoring with the installation of either a virtual sensor, agent or via API capabilities to monitor and analyze the Customer’s email for threats and attacks. When suspicious activities are validated, XDR Email Security will provide alerts and remediation guidance via ticket to Customer’s designated email contact(s).  

Deliverables:

  • Monitoring and management of Inky email protection on Customer’s email servers.
  • Ongoing Alerting and reporting on potential email risks against known indicators of compromise.
  • Support for custom alerting and self-service reports. 
  • Visibility to threat activity in the XDR Dashboard (user interface). 
  • All Detections mapped to MITRE ATT&CK framework.
  • 24x7x365 SOC support and remediation guidance. 
  • Logs are maintained for a rolling 90-day period solely to use for Barracuda to deliver the service, and are not available to Customer for download or through the XDR Dashboard.

XDR Log Security:

XDR Log Security is a managed security service that provides monitoring of a variety of assets both on-premise and in the cloud. It is enabled with the installation of either a dedicated physical or virtual sensor, agent or via API capabilities to monitor and analyze logs provided by Customer’s security infrastructure for attacks.   When suspicious activities are validated, XDR Log Security will provide alerts and remediation guidance via ticket to Customer’s designated email contact(s).

Deliverables:

  • Ongoing alerting and reporting on potential on-premise and cloud risks against known indicators of compromise.
  • Support for custom alerting and self-service reports. 
  • Visibility to threat activity in the XDR Dashboard (user interface). 
  • Detections mapped to MITRE ATT&CK framework.
  • 24x7x365 SOC support and updates.
  • Logs are maintained for a rolling 90-day period solely to use for Barracuda to deliver the service, and are not available to Customer for download or through the XDR Dashboard.

XDR O365 Security:

XDR O365 Security is a managed security service that provides monitoring for malicious activity in Microsoft 365 to find potential identity, privilege, and assets risks. Customers enable XDR O365 Security with the installation of either a virtual sensor, agent or via API capabilities to monitor and analyze the Customer’s Microsoft 365 for attacks. When suspicious activities are validated, XDR Cloud Security will provide alerts and remediation guidance via ticket to Customer’s designated email contact(s).

Deliverables:

  • Ongoing Alerting and reporting on potential Microsoft 365 risks against known indicators of compromise.
  • Support for custom alerting and self-service reports. 
  • Visibility to threat activity in the XDR Dashboard (user interface). 
  • All Detections mapped to MITRE ATT&CK framework to understand attack tactics and techniques.
  • 24x7x365 SOC support and remediation guidance. 
  • Logs are maintained for a rolling 90-day period solely to use for Barracuda to deliver the service, and are not available to Customer for download or through the XDR Dashboard.

XDR Extended Retention:

XDR Extended Retention enables Barracuda to retain logs for 1 year (12 months) for service purposes. This does not grant Customer access to the logs for download or through the XDR Dashboard.   

Deliverables:

  • Logs are maintained for a rolling 1-year period solely to use for Barracuda to deliver the service, and are not available to Customer for download or through the XDR Dashboard (user interface).

2.   Implementation Phases  

The Services are integrated into Customer’s environment:

  • Information Gathering - Managed XDR will designate an enablement manage to work with Customer to scope requirements and commence implementation.  Customer must designate points of contact and provide requested information for Barracuda to better understand and help design the solution for the Customer’s enterprise. Information will be provided by Customer pre-implementation kick off call.
  • Schedule Creation - The enablement manager with assistance from the Customer will develop a schedule of events for installation, implementation, and on-going Services.
  • Solution Design - Design of the Services and their integration within Customer’s environment will be performed by Barracuda in consultation with Customer to design the integration of the Services within Customer’s enterprise.
  • Installation – Utilities will be installed remotely with the assistance by the Customer.  The Services utilize existing Customer network connectivity as part of the Service delivery
  • Integration - Once the services are successfully installed, Barracuda will work with the Customer to determine what assets are within Customer’s infrastructure. Managed XDR will require specific log administration access to pull logs to actively monitor the devices selected within Your infrastructure. 
  • Tuning - This will be conducted ongoing throughout the lifecycle of the Services.  If the security alert is determined to be legitimate traffic or a false- positive, it will be tuned out of future alerts and added to the false-positive tracking database. If the security alert is determined to be an active infection or warrants a response, then Customer will be notified via the proper escalation paths. Recommendations may be given to better tune Customer’s environment and security controls to send the more robust data for collection.

3.   Customer Responsibilities

  • Customer agrees to:
    • Ensure subscribed services are fully installed and implemented within Customer’s infrastructure
    • Provide adequate space, power, and network ports required by Managed XDR for secure data collection.
    • Forward all security relevant logs with enriched data for analysis.
    • Configure\enable Security Audit logging relevant to the targeted security controls.
    • Ensure logs are operational and always forwarding to Managed XDR.
    • Acknowledges Managed XDR alerts.

 

Exhibit B
Service Limitations and Exclusions

1. Barracuda shall perform only the Services set forth in the Order executed by Customer or MSP and accepted by Barracuda in writing. As to these and to all the Services Barracuda shall perform for Customer, Barracuda warrants only that it will perform the Services using personnel of required skill, experience, and qualifications, and in a professional and workmanlike manner, in accordance with generally accepted industry standards for similar services, and will devote adequate resources to meet its obligations under this Agreement.  EXCEPT AS EXPRESSLY STATED ABOVE, BARRACUDA MAKES NO OTHER WARRANTIES, EXPRESS OR IMPLIED, CONCERNING THE QUALITY, PERFORMANCE, MERCHANTABILITY, FITNESS   FOR A PARTICULAR PURPOSE, TITLE OR NON-INFRINGEMENT OF THE SERVICES, OR THE RESULTS TO BE OBTAINED THEREFROM.

2. Certain Services that Barracuda performs for its customers follow a defined methodology, rather than being driven by a specific end result or deliverable. Accordingly, Barracuda cannot guarantee the outcome of its monitoring, testing, assessment, forensics, or remediation methods as all such methods have reliability limitations including but not limited to: (i) results produced differing from initial Customer expectation; (ii) missing certain compliance gaps; and (iii) missing certain security gaps. Barracuda cannot guarantee that every system weakness, noncompliance issue or vulnerability will be discovered during the performance of the contracted engagement.  Barracuda uses industry accepted sampling methodology which attempts to reduce the cost to the Customer while minimizing the impact to the accuracy and reliability of the results. Customer acknowledges and accepts that limitations and inherent risks exist from approaches used by Barracuda to deliver the Services.

3. Customer understands that Barracuda may use various methods and software tools to probe IT assets for security-related information and to detect actual or potential security flaws and vulnerabilities. Customer authorizes Barracuda to perform such Services (and all such tasks and tests reasonably contemplated by or reasonably necessary to perform the Services or otherwise approved by Customer from time to time) on IT assets identified by Customer. Customer represents that, if Customer does not own such IT assets, it will have obtained consent and authorization from the applicable third party, in form and substance satisfactory to Barracuda, to permit Barracuda to provide the Services. Customer shall perform services during a timeframe mutually agreed upon with Customer. Customer acknowledges that the Services described herein could possibly result in service interruptions or degradation regarding the Customer’s systems and accepts those risks and consequences, regardless of Barracuda’s actions or inactions, including but not limited to Barracuda’s gross negligence. Customer hereby consents and authorizes Barracuda to provide any or all the Services with respect to the Customer’s systems. Customer further acknowledges it is the Customer’s responsibility to restore network computer systems if a failure occurs resulting from Barracuda’s testing not due, in whole or in part. to Barracuda’s intentional misconduct.

4. The obligations of Barracuda to perform Services are dependent on Barracuda’s ability to connect directly to the Customer devices on the Customer’s network from Barracuda’s secure operations center. If and to the extent that Barracuda is required to connect to Customer devices via Customer’s VPN or other non-standard means, then to the extent that Barracuda is required to make adds, moves, or changes to or otherwise access such devices in connection with any incident response or help desk request, Barracuda (i) can make no guarantees or give any assurances of compliance with any Service Level Agreements with respect thereto, and (ii) shall have no responsibility or liability for any failure to perform or delay in  performing  its obligations or meeting its agreements hereunder to the extent such failure or delay is caused by such indirect access.

5. As a part of any penetration testing that may be part of the Services, Barracuda may, among other things, (a) scan Customer’s network and systems for ports, services and other entry points that can be exploited; and (b) probe those entry points in an effort to gain access to Customer’s network and systems in an effort to determine the severity of the vulnerability. Customer will provide to Barracuda certain information required for performing its tests, including a description and location (e.g., an IP address) of the systems and networks to be tested. Customer represents and warrants that all information provided is true and accurate and that Customer owns or is authorized to represent the owners of the systems and networks described in connection with the penetration testing. Customer may inform all or a selected group of its employees, contractors, and other third parties about any penetration testing to be undertaken by Barracuda. In the event that Customer decides not to inform anyone of the penetration testing, Customer understands that people may spend time and money on behalf of Customer in detecting, blocking, investigating or responding to activities of Barracuda. IN LIGHT OF THE POSSIBILITY THAT SUCH ACTIONS MAY BE TAKEN AND EXPENDITURES MAY OCCUR, CUSTOMER SHOULD CONSULT WITH CUSTOMER’S LEGAL COUNSEL AND/OR A MEMBER OF EXECUTIVE MANAGEMENT PRIOR TO ANY SUCH ZERO KNOWLEDGE ENGAGEMENTS. Customer may also want to consider contacting such third-party service providers as Customer’s telecommunications carrier to alert them to the testing. CUSTOMER UNDERSTANDS THAT, ALTHOUGH BARRACUDA TAKES PRECAUTIONS TO AVOID DAMAGE TO CUSTOMER’S NETWORK AND SYSTEMS, DISRUPTIONS, OUTAGES AND/OR DATA LOSS MAY OCCUR AS A RESULT OF ANY PENETRATION TESTING.

6. Customer acknowledges that user data contained on systems that are scanned or accessed in providing Managed XDR Services may be accessible to Barracuda and Barracuda may download portions of such data (e.g., as proof of access). Barracuda is not responsible for obtaining any necessary consent and Customer warrants that it has obtained all legally necessary consent for Barracuda to provide the Managed XDR Services.

7. Customer understands that, although Barracuda’s Services may discuss or relate to legal issues, Barracuda does not provide legal advice or services, none of such Services shall be deemed, construed as or constitute legal advice and that Customer is ultimately responsible for retaining its own legal counsel to provide legal advice. Furthermore, any written summaries or reports provided by Barracuda in connection with any Services shall not be deemed to be legal opinions and may not and should not be relied upon as proof of evidence or any guarantee or assurance as to Customer’s legal or regulatory compliance, although Barracuda acknowledges that Customer has the right to rely on any written summaries or reports for the intended purposes of those summaries and reports.

8. Customer understands that Barracuda’s Services do not constitute any guarantee or assurance that security of Customer’s systems, networks, and assets cannot be breached or are not at risk. These Services are an assessment, as of a particular point in time, of the performance of Customer’s systems, networks and assets, and any compensating controls. Furthermore, Barracuda is not responsible for updating its reports and assessments or enquiring as to the occurrence or absence of such, in light of subsequent changes to Customer’s systems, networks, and assets after the date of Barracuda’s final report.

9. Customer (i) will use the Services for Customer’s internal security purposes only, and (ii) will not, for itself, any Affiliate of Customer or any third party (a) sell, rent, license, assign, distribute, or transfer any of the work product related to the Services ("Product"); (b) decipher, decompile, disassemble, reconstruct, translate, reverse engineer, or discover any source code of the software utilized in the Services ("Software"); (c) copy any Software or related documentation ("Documentation"), except that Customer may make a reasonable number of copies of the Documentation for its internal use (provided Customer reproduces on such copies all proprietary notices of Barracuda or its suppliers); or (d) remove from any Software, Documentation or equipment provided by Barracuda in performance of the Services ("Equipment") any language or designation indicating the confidential nature thereof or the proprietary rights of Barracuda or its suppliers. In addition, Customer will not, and will not permit third parties to, (i) use any Software or Equipment on a time-sharing, outsourcing, service bureau, hosting, application service provider or managed service provider basis; (ii) alter any aspect of any Software or Equipment, except as expressly permitted under this Agreement; or (iii) except as may otherwise be permitted in this Agreement, assign, transfer, distribute, or otherwise provide access to any of the Products to any third party or otherwise use any Product with or for the benefit of any third party.

10. Limitation on Liability. Notwithstanding any contrary terms between Customer and MSP, MSP and Barracuda, or Customer and Barracuda, BARRACUDA IS NOT LIABLE OR RESPONSIBLE TO CUSTOMER, MSP, OR ANY THIRD PARTY CLAIMING ON BEHALF OF CUSTOMER OR MSP FOR ANY AMOUNT OF DAMAGES ABOVE THE AGGREGATE DOLLAR AMOUNT PAID TO BARRACUDA FOR THE PURCHASE OF MANAGED XDR SERVICES IN THE SIX (6) MONTHS PRECEDING THE CLAIM. EXCEPT IN CASE OF BODILY INJURY OR DEATH WHERE, AND THEN ONLY TO THE EXTENT THAT, APPLICABLE LAW REQUIRES SUCH LIABILITY, Barracuda SHALL NOT BE LIABLE FOR ANY LOSS OF PROFITS (even if they arise as a direct or immediate consequence of the event that generated the damages), LOSS OF BUSINESS, LOSS OF USE OR LOSS OF DATA, INTERRUPTION OF BUSINESS, NOR FOR INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND WHETHER UNDER THIS AGREEMENT OR OTHERWISE, EVEN IF Barracuda HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS AND NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. In no case will Barracuda be liable for any representation or warranty made by MSP, or any agent of CUSTOMER OR MSP.

 

EXHIBIT C
Additional Terms Applicable to End Point Security

SENTINELONE CUSTOMER SOLUTION(S) TERMS

These SentinelOne Customer Solution(s) Terms (“SentinelOne Terms”) apply only to the SentinelOne Solution(s) (“Solutions”) that are being licensed through Barracuda and used by Customer. Customer’s use of the Solutions is subject at all times to these SentinelOne Terms. If Customer does not unconditionally agree to the foregoing, discontinue the installation or use of the Solutions.

If you proceed with use, you are (i) representing and warranting that you are authorized to bind the Customer, (ii) agreeing to the SentinelOne Terms, and (iii) are obligated to provide and make available to Customer the SentinelOne Terms. In the absence of any of the aforementioned, you will have the Customer directly accept and agree to be bound by the SentinelOne Terms.

If the SentinelOne Terms below conflict with the general Barracuda Terms and Conditions applicable to all Barracuda Products located at (https://www.barracuda.com/company/legal/prd_trm) (“Barracuda Terms and Conditions”) which also govern Customer’s use of the services, then the SentinelOne Terms below will prevail only to the extent it relates to the Solutions.

Except as modified herein for the Solutions, the Barracuda Terms and Conditions remain in effect and at all times govern Customer’s use of Barracuda’s and its licensor’s solutions.

Customer” means any party who uses the Solutions or any component of the Solutions through the MSSP and to whom MSSP provides any component of the Solutions.

Documentation” means the written and/or electronic end user or technical documentation made available by SentinelOne, including but not limited to documents, images, recordings and/or videos specifying the functionalities of the SentinelOne Solutions made available to Customer by MSSP.

Enhancements” means any updates, patches, bug fixes and versions to the Solutions made by SentinelOne and provided to Customer.

MSSP” means an authorized managed security service provider that subscribes to the Solutions and manages the Solutions on behalf of Customers.

Solution(s)” means SentinelOne’s platform including its malware protection, detection and remediation solutions, endpoint detection and response solutions, device discovery and control solutions, and other solutions offered by SentinelOne over time, directly or through a Partner, together with the software underlying such products and services and any Enhancements.

SentinelOne” means the licensor of the Solutions to the MSSP.

“Partner” means Barracuda Networks, Inc.

1.     Limited use. Customer shall only access, use, execute, install (as provided for by the MSSP), store, and display the Solutions (including Enhancements) solely in support of Customer’s (and Customer’s Affiliate(s)) internal business, security and operations, in accordance with the Documentation describing the permissible use of the Solutions and as managed by MSSP. Customer shall agree to accept all Enhancements necessary for the proper function of the Solutions, and further agree that MSSP is not responsible for the proper performance of the Solutions or security issues encountered with the Solutions related to Customer’s failure to accept Enhancements in a timely manner.  All use of the Solutions shall be in accordance with the then-current Documentation.

2.     Restrictions. Customer may not do any of the following: (i) modify, disclose, alter, translate or create derivative works of the Solutions (or any components thereof) or any accompanying Documentation; (ii) license, sublicense, resell, distribute, lease, rent, lend, transfer, assign or otherwise dispose of the Solutions (or any components thereof) or any Documentation; (iii) use the Solutions other than as permitted under this Agreement, as directly related to Customer’s internal business operations and in conformity with the Documentation, and not otherwise use the Solutions for any other commercial or business use, including without limitation, offering any portion of the Solutions as benefits or services to third parties; (iv) use the Solutions in violation of any laws or regulations, including, without limitation, to store or transmit infringing, libelous or otherwise unlawful or tortious material, or material in violation of third-party privacy rights; (v) use the Solutions to store, transmit or test for any viruses, software routines or other code designed to permit unauthorized access, disable, erase or otherwise harm software, hardware or data, or to perform any other harmful actions; (vi) probe, scan or test the efficacy or vulnerability of the Solutions, or take any action in an effort to circumvent or undermine the Solutions, except for the legitimate testing of the Solutions in coordination with MSSP, in connection with considering a subscription to the Solutions as licensed herein; (vii) attempt or actually disassemble, decompile or reverse engineer, copy, frame or mirror any part or content of the Solutions, or otherwise derive any of the Solutions’ source code; (viii) access, test, and/or use the Solutions in any way to build a competitive product or service, or copy any features or functions of the Solutions; (ix) interfere with or disrupt the integrity or performance of the Solutions; (x) attempt to gain unauthorized access to the Solutions or their related systems or networks; (xi) disclose to any third party or publish in any media any performance information or analysis relating to the Solutions; (xii) fail to maintain all copyright, trademark and proprietary notices on the Solutions and any permitted copy thereof; or (xiii) cause or permit any Solutions user or third party to do any of the foregoing.

3.     Ownership and Reservation of Rights. Customer acknowledges that SentinelOne reserves all right, title and interest in and to the Solutions (and any and all modifications to, or derivative works of, the Solutions) and any and all Intellectual Property Rights embodied in the SentinelOne Solutions. “Intellectual Property Rights” means all patents, copyrights, moral rights, trademarks, trade secrets and any other form of intellectual property rights recognized in any jurisdiction, including applications and registrations for any of the foregoing.

4.     Consent. Customer consents and agrees that SentinelOne will (i) store, process and access Customer Data only to the extent reasonably necessary to provide Customer the Solutions and to improve the Solutions and Other SentinelOne Services and Products; and (ii) implement and maintain commercially reasonable technical, physical and organizational measures to protect the security, confidentiality and integrity of Customer Data hosted by SentinelOne or SentinelOne’s authorized third party service providers from unauthorized access, use, alteration or disclosure. “Customer Data” means all data and information associated with Customer, which is uploaded to, processed by, generated by, and/or stored within the Solutions by Customer or through Customer’s use of the Solutions or provided in support tickets, but excluding System Data. Notwithstanding anything to the contrary in this Agreement, SentinelOne may use System Data solely for SentinelOne’s internal business purposes (including, but not limited to, improving the Solutions and creating new features). “System Data” means anonymous data, aggregate statistics and/or data regarding use of the Solutions, bug reports, or any threat or potential threat collected by the Solutions, detections and/or system behavioral information (including without limitation correlative and/or contextual data) triggered by the aforementioned.

5.     Confidentiality.

5.1.   Definition of Confidential Information.  Confidential Information” means any non-public information or data disclosed by either party (as the “Disclosing Party”) to the other party (as the “Receiving Party”) in any form (whether tangible, oral, visual or a different form) in connection with the subject matter of this Agreement, that is marked or otherwise designated as confidential or proprietary, or that should otherwise be reasonably understood to be confidential in light of the nature of the information and the circumstances surrounding disclosure.  Without limiting the foregoing, Confidential Information is agreed and deemed to include without limitation the Solutions, SentinelOne data, Documentation, all source code, specifications, product and software, design and plans, application programming interfaces, templates, user interfaces, designs, plans, and drawings, reliability and performance data, benchmark and evaluation testing and data and associated results and conclusions, data, prototypes and demonstration material, and this Agreement.  The foregoing notwithstanding, Confidential Information shall not include information or materials which (i) were known to the Receiving Party without any breach of law or duty by the party or a third party, without a duty of confidentiality at the time of disclosure, (ii) are or become public knowledge other than as a result of any action or inaction of the Receiving Party, (iii) are obtained by the Receiving Party from an unrelated third party without a duty of confidentiality, or (iv) are independently developed by the Receiving Party, to the extent that such development complies with the terms of this Agreement. The Receiving Party shall not disclose Confidential Information of the Disclosing Party to any third parties nor use such Confidential Information except for the purposes of this Agreement and as permitted hereunder.

5.2.   Permitted Disclosure.  The Receiving Party may disclose Confidential Information of the Disclosing Party only to its employees, those of its Affiliates and their respective contractors, in each case having a “need to know” and who are bound to retain the confidentiality thereof via written instruments containing confidentiality obligations substantially similar to those contained herein.  The Receiving Party shall maintain Confidential Information of the Disclosing Party with at least the same degree of care it uses to protect its own proprietary information of a similar nature or sensitivity, but no less than reasonable care under the circumstances.  Each party shall promptly advise the other party in writing of any misappropriation or misuse of Confidential Information of the other party of which the notifying party becomes aware. The Receiving Party shall be responsible for any breach of this Agreement caused by its employees, those of its Affiliates and their respective contractors to whom the Receiving Party discloses Confidential Information.

5.3.   Legal Obligation to Disclose. This Agreement will not prevent the Receiving Party from disclosing Confidential Information of the Disclosing Party to the extent required by (i) any court or other governmental body acting under authority (provided that the Receiving Party shall, to the extent legally permissible, promptly notify the Disclosing Party and shall reasonably cooperate with the Disclosing Party to contest or minimize the scope of the disclosure (including application for a protective order) at the Disclosing Party’s expense); (ii) in confidence to legal, financial and accounting advisors and affiliates of the parties; and (iii) in confidence, in connection with the enforcement of this Agreement.  No disclosure pursuant to this Section shall entitle the Receiving Party to disclose any Confidential Information of the Disclosing Party except as strictly permitted hereunder.

5.4.   Return of Confidential Information.  Upon the expiration or termination of this Agreement for any reason whatsoever and the Disclosing Party’s written request, each party (as Receiving Party) shall promptly return to the Disclosing Party all Confidential Information of the Disclosing Party embodied in tangible form or certify in writing to the Disclosing Party that all such Confidential Information has been destroyed. The terms of this Section shall survive the expiration or earlier termination of this Agreement.

6.     Warranties.

6.1.   Conformity with Documentation.  MSSP warrants that at any point in time during Customer’s Subscription Term, the Current Release will substantially conform in all material respects with the Documentation.  MSSP’s sole obligation for material non-conformity with this warranty shall be, in its sole discretion, to use commercially reasonable efforts (i) to provide Customer with an error-correction or workaround to the reported non-conformity; (ii) to replace the non-conforming portions of the Solutions with conforming items; or (iii) if SentinelOne reasonably determines it cannot provide such remedies within a reasonable period of time, to terminate this Agreement and refund applicable fees.  The above warranty will not apply: (a) if the Solutions are not used in compliance with the Documentation; (b) if any unauthorized modifications are made to the Solutions by Customer or any third party; (c) to use of releases of the Solutions that are not the Current Release or the Solutions released immediately preceding the Current Release; (d) to defects due to accident, abuse or improper use by Customer; or (e) to Evaluation or Early Adoption use of the Solutions. “Current Release” means the most recent release of the Solutions.

6.2.   Disclaimer.  EXCEPT FOR THE REPRESENTATIONS AND WARRANTIES SET FORTH IN THIS SECTION, EACH PARTY DISCLAIMS ANY AND ALL REPRESENTATIONS OR WARRANTIES (EXPRESS OR IMPLIED, ORAL OR WRITTEN) WITH RESPECT TO THIS AGREEMENT AND THE SOLUTIONS, WHETHER ALLEGED TO ARISE BY OPERATION OF LAW, STATUTE, CUSTOM OR USAGE IN THE TRADE, BY COURSE OF DEALING OR OTHERWISE, INCLUDING ALL WARRANTIES OF MERCHANTABILITY, FITNESS OR SUITABILITY FOR ANY PARTICULAR PURPOSE (WHETHER OR NOT SUCH PARTY KNOWS, HAS REASON TO KNOW, HAS BEEN ADVISED, OR IS OTHERWISE AWARE OF ANY SUCH PURPOSE), ACCURACY, NON-INFRINGEMENT, CONDITION OF TITLE. THIS DISCLAIMER AND EXCLUSION WILL APPLY EVEN IF ANY EXPRESS WARRANTY HEREIN FAILS OF ITS ESSENTIAL PURPOSE. MSSP DOES NOT GUARANTEE OR WARRANT THAT IT WILL FIND, LOCATE, DETECT OR IDENTIFY ALL THREATS, VULNERABILITIES, MALWARE, AND MALICIOUS SOFTWARE, restore control of systems where unauthorized access or control has occurred AND CUSTOMER AND ITS AFFILIATES WILL NOT HOLD MSSP RESPONSIBLE FOR SUCH OR ANY CONSEQUENCES THEREOF.

7.     All Claims between MSSP and Customer. Customer agrees that it will bring all claims under this Agreement against MSSP and will not make claim directly against SentinelOne.

8.     Limitation of Liability.

8.1.    IN NO EVENT WILL MSSP’S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE FEES PAID OR PAYABLE BY CUSTOMER TO MSSP FOR 6 MONTHS OF THE SOLUTIONS SUBSCRIPTION FEES AT THE TIME OF THE EVENT OR EVENTS LEADING TO THE ALLEGED DAMAGES. IN THE EVENT OF A BREACH OF OR ANY UNAUTHORIZED DISCLOSURE OF CUSTOMER DATA, MSSP’S TOTAL LIABILITY SHALL NOT EXCEED THE FEES PAID OR PAYABLE BY CUSTOMER TO MSSP (OR ITS RESELLER) FOR 12 MONTHS SUBSCRIPTION FEES.

8.2.   IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY OR ANY THIRD PARTY FOR ANY LOSS OF PROFITS, LOSS OF USE, LOSS OF REVENUE, LOSS OF GOODWILL, ANY INTERRUPTION OF BUSINESS, OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, EXEMPLARY, PUNITIVE OR CONSEQUENTIAL DAMAGES OF ANY KIND ARISING OUT OF, OR IN CONNECTION WITH THIS AGREEMENT, WHETHER IN CONTRACT, TORT, STRICT LIABILITY OR OTHERWISE, EVEN IF SUCH PARTY HAS BEEN ADVISED OR IS OTHERWISE AWARE OF THE POSSIBILITY OF SUCH DAMAGES. MULTIPLE CLAIMS WILL NOT EXPAND THIS LIMITATION.  THIS SECTION WILL BE GIVEN FULL EFFECT EVEN IF ANY REMEDY SPECIFIED IN THIS AGREEMENT IS DEEMED TO HAVE FAILED OF ITS ESSENTIAL PURPOSE.

9.     Export Compliance.  The Solutions are subject to U.S. export control and economic sanctions laws.  Customer shall agree to comply with all such laws and regulations as they relate to Customer’s access to and use of the Solutions.  Customer shall not access or use the Solutions if Customer is located in any jurisdiction in which the provision of the Solutions is prohibited under U.S. or other applicable laws or regulations as updated from time to time (a “Prohibited Jurisdiction”) and Customer shall agree not to grant access to the Solutions to any government, entity or individual located in any Prohibited Jurisdiction.  Customer shall represent, warrant and covenant that: (i) Customer is not named on any U.S. government list of persons or entities prohibited from receiving U.S. exports, or transacting with any U.S. person, (ii)Customer is not a national of, or a company registered in, any Prohibited Jurisdiction, (iii) Customer will not permit users to access or use the Solutions in violation of any U.S. or other applicable export embargoes, prohibitions or restrictions, and (iv) Customer will comply with all applicable laws regarding the transmission of technical data exported from the U.S. and the country in which Customer and Customer’s users are located.  Customer shall represent that neither Customer nor any of Customer’s subsidiaries is an entity that (a) is directly or indirectly owned or controlled by any person or entity currently included on the Specially Designated Nationals and Blocked Persons List or the Consolidated Sanctions List maintained by the Office of Foreign Assets Control, US Department of the Treasury (“OFAC”) or other similar list maintained by any governmental entity, or (b) is directly or indirectly owned or controlled by any person or entity that is located, organized, or resident in a country or territory that is, or whose government is, the target of sanctions imposed by OFAC or any other governmental entity.

 

Exhibit D
Additional Terms Applicable to Network & Log Monitoring (ElasticSearch)

The following additional terms will apply where the Customer utilizes Elasticsearch.

1. Definitions

i. Software Agent” means the object code version of an Elastic-produced software agent that Barracuda or Customer may install on a Customer endpoint to facilitate the ingestion of content into a cloud service as part of the Hosted Partner Solution. For purposes of the Agreement and the applicable subscription, the Software Agent shall be deemed part of the applicable Service.

ii. “Hosted Partner Solution” means a product offering by Barracuda as expressly set forth on the Order that combines the features and functions of the applicable Cloud Service with additional software products or services of Barracuda, which have substantial additional value apart from the applicable Cloud Service, the combination of which is made available to Customer.

2. Additional Terms and Conditions Applicable to ElasticSearch

i. Customer shall look solely to Barracuda, and not to Elasticsearch to satisfy any obligations under the Agreement;

ii. Customer shall comply with all laws applicable to its use of the Elasticsearch solution, including data privacy laws and U.S. export control and sanctions laws;

iii. Customer shall not sell, resell, rent, lease, offer any time-sharing arrangement, service bureau or any service based upon the Elastic solution;

iv. Customer shall not make available to any third party any analysis of the results of operation (including benchmarking results) of the cloud service or, if applicable, the Software Agent.

v. The Elasticsearch Software Agent is licensed, not sold, as a component to be managed by Barracuda as part of the Hosted Partner Solution, and is not licensed on a stand-alone basis;

vi. Title to the Software Agent does not pass to the Customer, and Barracuda and its licensors own and retain all intellectual property rights in the Software Agent except those rights expressly granted by Barracuda to Customer under the Agreement;

vii. There are no direct warranties from Elasticsearch to or for the benefit of the Customer;

viii. Each license granted to Customer shall be a non-exclusive license to install and use, in object code form, the Software Agent, solely to the extent necessary for the Software Agent to be managed by Barracuda as part of the Hosted Partner Solution and for the duration of the applicable Term;

ix. Customer acknowledges that the Software Agent, and technologies related thereto are subject to the Export Administration Regulations (“EAR”) (15 C.F.R. Parts 730-774 (2010)) and the economic sanctions regulations and guidelines of the U.S. Department of the Treasury, Office of Foreign Assets Control. Customer is now and will remain in the future compliant with all such export control laws and regulations, and will not export, re-export, otherwise transfer any Elastic goods, software or technology or disclose any Elastic software or technology to any person contrary to such laws or regulations. Customer acknowledges that remote access may in certain circumstances be considered a re-export, and accordingly, may not be granted in contravention of U.S. export control laws and regulations.

x. The Software Agent and related services may provide Product Metadata (defined below) to Elastic. Product Metadata does not include any Customer personal data or any content processed or stored in the Software Agent in connection with use by Customer of the Software Agent. Elastic uses Product Metadata for security, support, product and operations management, and research and development. Elastic does not share Product Metadata with third parties. “Product Metadata” is statistical and other information about a user’s configuration and use of the Software Agent and related services, such as type and version, operating systems and environment, cluster statistics (e.g., node type and counts), performance (e.g., uptime and response times and/or endpoint sensor detection events) and feature usage. Customer will not (i) access or use the Elastic-hosted infrastructure ("Elastic-Hosted Infrastructure") that stores and processes the Product Metadata for the purposes of monitoring its availability or performance or for any other benchmarking or competitive purposes, including, without limitation, for the purpose of designing and/or developing any competitive services; or (ii) interfere with or disrupt the integrity or performance of any Elastic- Hosted infrastructure.

3.     Additional Restrictions Applicable to ElasticSearch:

Customer agrees not to:

i. Reverse engineer or decompile, decrypt, disassemble or otherwise reduce any Software Agent or any portion thereof, in either case, that has not been licensed in source code form by Elastic, to human-readable form except and only to the extent any such restriction is prohibited by applicable law;

ii. Deploy or use the Software Agent on a stand-alone basis or for any purpose other than as a component to be managed by Barracuda as part of the Hosted Partner Solution;

iii. Prepare derivative works from, modify, copy or use the Software Agent in any manner except as expressly permitted in the Customer Agreement;

iv. Transfer, sell, rent, lease, distribute, sublicense, loan or otherwise transfer the Software Agent in whole or in part to any third party;

v. Alter or remove any marks and notices in the Software Agent; or

vi. (a) Access or use any Elastic-hosted infrastructure or related data, systems, or networks (collectively, “Elastic-Hosted infrastructure”) that interface with the Software Agent to monitor the availability or performance of such Elastic-Hosted infrastructure or for any other benchmarking or competitive purposes, including, without limitation, for the purpose of designing and/or developing any competitive services; or (b) Interfere with or disrupt the integrity or performance of any Elastic-Hosted infrastructure.

Revised: November 14, 2022