END USER LICENSE AGREEMENT
BY ACCEPTING THIS END USER LICENSE AGREEMENT (“EULA” or “AGREEMENT”), YOU REPRESENT AND WARRANT THAT YOU HAVE AUTHORITY TO BIND THE INDIVIDUAL OR ENTITY IDENTIFIED IN THE REGISTRATION PROCESS FOR THE SERVICES. THE EFFECTIVE DATE OF THIS AGREEMENT IS THE EARLIER OF THE DATE YOU ACCEPT THIS AGREEMENT OR THE DATE YOU DELIVER AN EXECUTED SERVICE ORDER FOR SERVICES (THE “EFFECTIVE DATE”).
This Agreement constitutes a legally binding agreement between the individual or entity identified on the Service Order that is not the Reseller (also referred to as “You” or “Customer”) and SecureWorks, Inc. (“SecureWorks”). By using the SecureWorks service specified in your order, you agree to be bound by this Agreement, and that you have read, understand and accept all of the terms and conditions of this Agreement. Please retain a copy of this Agreement for your records.
1. Services; Equipment.
1.1 Services. During the term of this Agreement and subject to the terms and conditions herein, SecureWorks agrees to provide (i) managed security services (“MSS Services”) and/or (ii) security risk consulting services (“Consulting Services”) purchased by Customer through the reseller of SecureWorks Products or Consulting Services identified on the Service Order or SOW (“Reseller”) in accordance with the terms of this Section 1.1. The MSS Services and Consulting Services are collectively referred to hereafter as the “Services.” The Services shall be specified in one or more quotes (containing Reseller quote number) or other purchase documentation (“Service Order(s)”) or statement(s) of work (“SOW(s)”), whether or not signed. A detailed description of the MSS Services purchased is provided in the service description and service level agreement (“SLA”) for such MSS Services attached to each Service Order and incorporated therein by reference.
1.2 Equipment. SecureWorks will provide certain equipment as necessary for Customer to receive the MSS Services (“Equipment”). Upon the earlier of the termination or expiration of this Agreement and/or the applicable Service Order, Customer will return all Equipment to SecureWorks and shall erase, destroy and cease use of all Software (as defined in Section 2 below) located on any Customer equipment. If Customer does not return Equipment, Customer will be responsible for the then-current replacement costs of such Equipment.
2. MSS Services Software; License; Restrictions.
2.1 License to Software, Documentation and Products. SecureWorks will provide Customer with: (i) access and use of the software (in object code format only) (the “Software”), (ii) user IDs, tokens, passwords, digital signatures (“Protected Information”) and (iii) access and use of the SecureWorks customer online portal (details and login details of which shall be provided by SecureWorks to the Customer) (the “Portal”) as necessary for Customer to receive the MSS Services and the applicable written directions and/or policies relating to the MSS Services, which may be in paper or electronic format (the “Documentation” and collectively, with the MSS Services, Software, Equipment, Protected Information and Portal, the “Products”), or a combination thereof, as necessary for Customer to receive the MSS Services. Subject to the terms and conditions of this Agreement (including, without limitation, the restrictions set forth in Section 2.2 below), SecureWorks grants to Customer a limited, non-transferable, non-sublicensable, royalty-free and non-exclusive license to access and use, and for Customer’s Affiliate(s) (as defined below) to access and use, during the term of the MSS Services only, the Products delivered to Customer.
2.2 Restrictions. Customer (i) will use the Products for its internal security purposes only, and (ii) will not, for itself, any Affiliate of Customer or any third party: (a) sell, rent, license, assign, distribute, or transfer any of the Products; (b) decipher, decompile, disassemble, reconstruct, translate, reverse engineer, or discover any source code of the Software; (c) copy any Product, except that Customer may make a reasonable number of copies of the Documentation for its internal use (provided Customer reproduces on such copies all proprietary notices of SecureWorks or its suppliers); or (d) remove from any Product any language or designation indicating the confidential nature thereof or the proprietary rights of SecureWorks or its suppliers. In addition, Customer will not, and will not permit unaffiliated third parties to, (I) use the Products on a time-sharing, outsourcing, service bureau, hosting, application service provider or managed service provider basis; (II) alter or duplicate any aspect of any Product; or (III) assign, transfer, license, distribute, or otherwise provide access to any of the Products to any third party or otherwise use any Product with or for the benefit of any third party.
2.3 Affiliates. As used herein, the term “Affiliate” with respect to a party means any entity that, directly or indirectly, through one or more intermediaries, controls, is controlled by or is under common control with such party. “Customer” shall include Customer’s Affiliate(s) if: (i) such Customer Affiliate(s) are approved by SecureWorks to purchase Services under this Agreement by such Affiliate(s) executing a Service Order/SOW for such Services directly with SecureWorks (“Signing Customer Affiliate(s)”) or by Customer executing a Service Order/SOW for such MSS Services on such Affiliate(s)’ behalf, (ii) such Customer Affiliate(s) are receiving the benefit of the Services through Customer’s purchase of the Services, or (iii) such Customer Affiliate(s)’ data is included, accessed or received by SecureWorks in connection with the performance of the Services for Customer. With respect to such Customer Affiliate(s), Customer hereby represents and warrants that: (A) Customer has obtained the necessary consent from each Customer Affiliate for SecureWorks to access such Customer Affiliate’s networks and data in connection with providing the MSS Services, and (B) each Customer Affiliate agrees to, and is hereby legally bound by, this Agreement as if it were a party hereto. The parties acknowledge and agree that except for any Signing Customer Affiliate(s), Customer Affiliate(s) are not intended to be third party beneficiaries to this Agreement and shall have no direct claim against SecureWorks hereunder. Except for Signing Customer Affiliate(s), Customer shall be fully liable for any breach of the terms of this Agreement by its Affiliate(s) receiving or having access to the Services hereunder.
In addition, in the event that a Customer Affiliate with a location outside of the United States is purchasing Services under this EULA (“Customer International Affiliate”), (i) such Customer International Affiliate shall enter into a Service Order and/or SOW directly with the SecureWorks local Affiliate (“SecureWorks Local Affiliate”) for such Services, and (ii) Customer shall execute a local country addendum specifying any local country required terms on behalf of Customer’s International Affiliate. For the purposes of either party’s Affiliate(s) performing, receiving or purchasing Services hereunder, references to SecureWorks and Customer herein shall be deemed references to such party’s respective Affiliate(s).
3. Customer Responsibilities.
3.1 Customer will provide SecureWorks with the cooperation, access and detailed information reasonably necessary for SecureWorks to implement and deliver the Services, including (i) test time on Customer’s computer systems and networks sufficient for SecureWorks to provide the Services and (ii) one employee who has substantial computer system and network and project management experience reasonably satisfactory to SecureWorks to act as project manager and as a liaison between Customer and SecureWorks. SecureWorks will be excused from any failure to perform its obligations under this Agreement to the extent such failure is caused by Customer’s delay or failure to perform its responsibilities under this Agreement.
3.2 If and to the extent that SecureWorks is providing managed or co-managed MSS Services hereunder, the obligations of SecureWorks to comply with the SLAs applicable to the MSS Services are dependent on SecureWorks’ ability to connect directly to the Customer devices on the Customer’s network through an authenticated server in SecureWorks’ secure operations center. If and to the extent that SecureWorks is required to connect to Customer devices via Customer’s VPN or other indirect or nonstandard means, then to the extent that SecureWorks is required to make adds, moves, or changes to or otherwise access such devices in connection with any incident response or help desk request, SecureWorks (i) can make no guarantees or give any assurances of compliance with the SLAs with respect thereto and (ii) shall have no responsibility or liability for any failure to perform or delay in performing its obligations or meeting its SLAs hereunder.
3.3 In providing the vulnerability assessment service (if purchased by Customer) (the “Vulnerability Assessment Service”), SecureWorks will take all reasonable precautions to minimize negative impact to Customer’s computer systems and network; however, Customer acknowledges that performance of such Vulnerability Assessment Service may temporarily degrade operation of Customer’s computer systems and network. Customer hereby unconditionally and irrevocably releases and acquits SecureWorks and its Affiliates from any and all claims, demands, actions, proceedings, liabilities, obligations, losses, damages, costs, and expenses in connection with any negative impact or degradation to Customer’s computer systems or networks resulting from the Vulnerability Assessment Service.
3.4 Customer acknowledges that SecureWorks’ performance and delivery of the Services are contingent upon: (A) Customer providing safe and hazard-free access to its personnel, facilities, equipment, hardware, network and information, and (B) Customer’s timely decision-making and provision of timely, accurate and complete information and reasonable assistance, including granting of approvals or permissions. Customer (i) has obtained or shall promptly obtain and provide to SecureWorks any required licenses, approvals or consents necessary for SecureWorks’ performance of the Services and (ii) shall perform such actions and tasks, in each case, as may be reasonably requested by SecureWorks to enable SecureWorks to perform the Services in accordance with this Agreement (including, but not limited to, the Customer responsibilities set forth in a Service Order). SecureWorks will be excused from its failure to perform its obligations under this Agreement to the extent such failure is caused by Customer’s delay in performing or failure to perform its responsibilities under this Agreement and/or the applicable Service Order/SOW.
3.5 Customer is responsible for providing timely, accurate and complete information and reasonable assistance to SecureWorks, and Customer acknowledges and agrees that information developed by the Services or advice and recommendations of SecureWorks in connection therewith may be impacted by untimely, inaccurate or incomplete information provided by Customer. Unless otherwise agreed in writing, SecureWorks will not validate or confirm any information or materials provided by Customer.
3.6 Customer is responsible for all management functions and decisions, including establishing and maintaining Customer’s internal controls, evaluating and accepting the adequacy of the Services in addressing Customer’s needs and making decisions whether to proceed with advice and recommendations of SecureWorks.
3.7 If SecureWorks is requested by Customer, or required by government regulation, regulatory agency, subpoena, or other legal process, to produce Customer Reports (as defined in Section 5.3), documentation or SecureWorks personnel for testimony or interview with respect to the Services, Customer will reimburse SecureWorks’ and its counsel’s expenses and professional time incurred in responding to such a request.
4. Term and Termination
4.1 Term of Agreement. The term of this Agreement shall commence on the Effective Date and shall continue until all Service Orders and SOWs hereunder have expired or been terminated.
4.2 Term of Service Order(s)/SOW(s). The term for the applicable Services will be specified on each Service Order/SOW.
4.3 Effect of Termination. Upon termination or expiration of this Agreement, the license granted to Customer and its Affiliates with respect to the Products will immediately terminate.
5. Proprietary Rights.
5.1 Customer’s Proprietary Rights. Customer represents and warrants that it has the necessary rights, power and authority to transmit Customer Data, including Customer Personal Data (both terms as defined below), to SecureWorks in accordance with this Agreement, including with respect to all national, local, foreign and international laws, rules and regulations applicable to Customer Data (collectively, “Applicable Laws”). Customer represents and warrants that Customer has and shall continue to fulfill all obligations with respect to individuals as required to permit SecureWorks to carry out the terms hereof, including with respect to all applicable laws, regulations and other constraints applicable to Customer Data. As between Customer and SecureWorks, Customer will own all right, title and interest in and to (i) any data provided by Customer and/or its Affiliate(s) to SecureWorks and/or Customer and/or its Affiliate(s)’ data accessed or used by SecureWorks or transmitted by Customer and/or its Affiliate(s) to SecureWorks or SecureWorks Equipment in connection with SecureWorks’ provision of the Services, including, but not limited to, Customer’s and/or its Affiliate(s)’ data included in any written or printed summaries, analyses or reports generated in connection with the Services (Customer and its Affiliate(s)’ data collectively, “Customer Data”), (ii) all intellectual property, including patents, copyrights, trademarks, trade secrets and other proprietary rights and information (collectively, “IP”) of Customer that may be made available to SecureWorks in the course of providing Services under this Agreement, and (iii) all Confidential Information (as defined below) of Customer or its Affiliates, including, but not limited to, Customer Data (including Customer Personal Data), Customer Reports, and other Customer files, documentation and related materials, in each case under this clause (iii), obtained by SecureWorks in connection with this Agreement.
Customer grants to SecureWorks a limited, non-exclusive license to use the Customer Data to perform the Services. SecureWorks may process Security Event Data during and after the term hereof to develop and enhance its products and services. “Security Event Data” means information, collected during SecureWorks’ provision of Services, related to security events. This Agreement does not transfer or convey to SecureWorks or any third party any right, title or interest in or to Customer Data or any associated IP rights, but only a limited right of use as granted in and revocable in accordance with this Agreement.
5.2 SecureWorks’ Proprietary Rights. As between Customer and SecureWorks, SecureWorks will own all right, title and interest in and to the Products and Services. This Agreement does not transfer or convey to Customer, any of its Affiliates, or any third party, any right, title or interest in or to the Products and Services or any associated IP rights, but only a limited right of use as granted in and revocable in accordance with this Agreement. SecureWorks will retain ownership of all copies of the Documentation. SecureWorks agrees to transfer to Customer any and all right, title and interest that it may have in and to any Equipment purchased by Customer (“Customer Purchased Equipment”), excluding any right, title or interest in and to the Software and any other SecureWorks IP loaded onto such Customer Purchased Equipment. In addition, Customer agrees that SecureWorks is the owner of all right, title and interest in all IP in any work, including, but not limited to, all inventions, methods, processes, and computer programs including any source code or object code (and any enhancements and modifications made to any of the foregoing), contained within the Services and/or Products, developed by SecureWorks in connection with the performance of the Services hereunder and of general applicability across SecureWorks’ customer base (collectively, the “Works”), and Customer hereby assigns to SecureWorks all right, title and interest in and to any IP that Customer may have in and to such Works; provided, however, that such Works shall not include Customer’s Confidential Information (as defined in Section 6), Customer Data, or Customer Reports (as defined in Section 5.3). 
Without limiting the foregoing, SecureWorks will own all right, title and interest in and to all IP in any advisory data, threat data, vulnerability data, analyses, summaries, bulletins and information made available to Customer in SecureWorks’ provision of its counter threat intelligence Services (the “TI Reports”).
During the term of the Services, SecureWorks grants to Customer a limited, non-transferable, non-sublicensable, royalty-free, non-exclusive license to use such Works and TI Reports solely for Customer to receive the Services and for Customer’s or its Affiliate’s internal security purposes only. Customer acknowledges that any license to the Products, Services, Works and TI Reports immediately expires upon the expiration or termination of any individual Service Order/SOW and/or this Agreement.
At all times during the term of this Agreement and thereafter, Customer covenants and agrees not to take any action, either directly or indirectly, to: (i) challenge, question, or attempt to invalidate any of the ownership rights of SecureWorks described in this Section 5.2; or (ii) assert any IP or other rights in or to any of the Products, Services, Works, or TI Reports, other than the limited licenses granted to Customer under this Agreement.
5.3 Customer Reports. Customer shall own all right, title and interest in and to any written summaries, reports, analyses, and findings or other information or documentation prepared uniquely and exclusively for Customer in connection with the MSS Services and as specified in a Service Order/SOW (the “Customer Reports”). For clarity, the Customer Reports do not include the TI Reports, as set forth in Section 5.2 above. The provision by Customer of any Customer Report, any information therein or any other results or output of the Services to any third party shall not entitle such third party to rely on the Customer Report or the contents thereof in any manner or for any purpose whatsoever, and SecureWorks specifically disclaims all liability for any damages whatsoever (whether foreseen or unforeseen, direct, indirect, consequential, incidental, special, exemplary or punitive) to such third party arising from or related to reliance by such third party on any Customer Report or any contents thereof.
6. Confidentiality.
In the performance of the Services, Customer and SecureWorks may have access to or be exposed to proprietary or confidential information of the other party, including, but not limited to software, product plans, marketing and sales information, customer lists, “know-how,” and trade secrets, regardless of the form or medium of such information, whether or not such information constitutes a trade secret under Applicable Law, and whether or not such information is marked or identified as “proprietary”, “confidential” or similar designation at the time of access or exposure (collectively, “Confidential Information”). Each party may use and reproduce the other party’s Confidential Information in connection with performing under this Agreement, and not for any other purpose. Neither party may disclose the other party’s Confidential Information to any third parties unless such disclosure is to personnel of SecureWorks or Customer, including employees, agents and subcontractors, on a “need-to-know” basis in connection with its performance obligations pursuant to this Agreement, so long as such personnel have agreed to treat such Confidential Information under terms at least as restrictive as those herein. Each party agrees to take precautions to maintain the confidentiality of the other party’s Confidential Information by using at least the same degree of care as such party employs with respect to its own Confidential Information of a like-kind nature, but in no case less than a commercially reasonable standard of care.
The foregoing restrictions shall not pertain to any information which (A) was publicly available at the time such information is disclosed to or obtained by the other party, (B) was already known to the other party at such time, (C) is provided to the other party by a third party that is not subject to any restrictions on disclosure or use, or (D) becomes publicly available without any involvement on the part of the other party or its employees, agents or contractors. The applicability of any of the foregoing exceptions must be evidenced by reasonable documentation. If either party becomes legally compelled to disclose any Confidential Information of the other Party (whether by judicial or administrative order, applicable law, rule or regulation, or otherwise), that party shall use all reasonable efforts to provide the other party with prior notice thereof so that the other party may seek a protective order or other appropriate remedy to prevent such disclosure. If such protective order or other remedy is not obtained prior to the time such disclosure is required, the party required to make the disclosure will only disclose that portion of such Confidential Information which it is legally required to disclose.
During the term of this Agreement and the Services, SecureWorks shall employ and maintain reasonable and appropriate safeguards designed to: (a) reasonably protect all Customer Data in SecureWorks’ possession from unauthorized use, alteration, access or disclosure; (b) detect and prevent against a Security Breach (as defined below); and (c) help ensure that SecureWorks’ employees and agents are appropriately trained to maintain the confidentiality and security of Customer Data in SecureWorks’ possession.
SecureWorks shall not be liable for any breach of this Section 6 (“Confidentiality”) resulting from a hack or intrusion by a third party (except any third-party subcontractor of SecureWorks) into Customer’s network or systems unless the hack or intrusion was through endpoints or devices monitored by SecureWorks and was caused directly by SecureWorks’ gross negligence or willful misconduct.
SecureWorks agrees to notify Customer reasonably promptly upon becoming aware of a confirmed use, accidental or unlawful destruction, loss or unauthorized disclosure of Customer Data or Customer Confidential Information in SecureWorks’ possession or control in violation of this Agreement (a “Security Breach”).
This Section 6 shall survive for three (3) years following any termination or expiration of this Agreement; provided that with respect to any Confidential Information remaining in the receiving party’s possession following any termination or expiration of this Agreement, the obligations under this Section 6 shall survive for as long as such Confidential Information remains in such party’s possession.
7. Warranties; Limitation of Liability and Consulting Services Disclaimer.
7.1 Warranties. SECUREWORKS WARRANTS THAT: (I) ITS PERSONNEL ARE ADEQUATELY TRAINED AND COMPETENT TO PERFORM THE MSS SERVICES AND (II) THE SERVICES SHALL BE PERFORMED IN A PROFESSIONAL MANNER IN ACCORDANCE WITH THE APPLICABLE SERVICE ORDER AND THIS AGREEMENT. EXCEPT AS EXPRESSLY STATED IN THIS SECTION 7.1, SECUREWORKS (INCLUDING ITS AFFILIATES, SUBCONTRACTORS AND AGENTS) AND EACH OF THEIR RESPECTIVE EMPLOYEES, DIRECTORS AND OFFICERS (COLLECTIVELY, THE "SECUREWORKS PARTY(IES)") MAKES NO EXPRESS OR IMPLIED WARRANTIES WITH RESPECT TO ANY OF THE PRODUCTS, CUSTOMER REPORTS OR SERVICES, INCLUDING BUT NOT LIMITED TO, ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, PERFORMANCE, SUITABILITY OR NON-INFRINGEMENT, OR ANY WARRANTY RELATING TO THIRD-PARTY PURCHASES. CUSTOMER UNDERSTANDS THAT SECUREWORKS’ SERVICES DO NOT CONSTITUTE ANY GUARANTEE OR ASSURANCE THAT THE SECURITY OF CUSTOMER’S SYSTEMS, NETWORKS AND ASSETS CANNOT BE BREACHED OR ARE NOT AT RISK.
7.2 Limitation of Liability
7.2.1 NEITHER THE SECUREWORKS PARTIES NOR CUSTOMER WILL BE LIABLE FOR ANY INCIDENTAL, INDIRECT, PUNITIVE, SPECIAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT. THE SECUREWORKS PARTIES SHALL NOT HAVE ANY LIABILITY FOR THE FOLLOWING: (i) DAMAGES FOR LOST OPPORTUNITIES, REVENUE, INCOME, PROFITS, OR SAVINGS, AND (ii) DAMAGES FOR LOST OR CORRUPTED DATA OR SOFTWARE, LOSS OF USE OF SYSTEMS OR NETWORKS, OR THE RECOVERY THEREOF, OR BUSINESS INTERRUPTION OR DOWNTIME, OR FOR ANY CLAIMS AGAINST CUSTOMER OR ITS AFFILIATES BY ANY THIRD PARTY, IN EACH CASE, EVEN IF SECUREWORKS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR CLAIMS.
7.2.2 EXCEPT AS PROVIDED IN SECTIONS 8.1 AND 8.2, THE SECUREWORKS PARTIES’ AND CUSTOMER’S RESPECTIVE AGGREGATE LIABILITY (WHETHER IN CONTRACT, TORT OR OTHERWISE) FOR ALL CLAIMS OF LIABILITY ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT SHALL NOT EXCEED: (A) THE AMOUNTS PAID BY CUSTOMER FOR THE SPECIFIC MSS SERVICE(S) GIVING RISE TO SUCH CLAIM DURING THE PRIOR TWELVE (12) MONTH PERIOD; AND (B) FOR THE CONSULTING SERVICES: THE AMOUNT OF THE SOW THAT IS THE SOURCE OF SUCH LIABILITY.
7.2.3 The foregoing limitations, exclusions and disclaimers shall apply, regardless of whether the claim for such damages is based in contract, warranty, strict liability, negligence, and tort or otherwise. Insofar as applicable law prohibits any limitation, EXCLUSION OR DISCLAIMER herein, the parties agree that such limitation, EXCLUSION OR DISCLAIMER will be automatically modified, but only to the extent so as to make the limitation, EXCLUSION OR DISCLAIMER permitted to the fullest extent possible under such law. The parties agree that the limitations on liabilities set forth herein are agreed allocations of risk constituting in part the consideration for SecureWorks’ provision of MSS Services and/or Products to Customer, and such limitations will apply notwithstanding the failure of essential purpose of any limited remedy and even if a party has been advised of the possibility of such liabilities.
7.2.4 Certain Consulting Services follow a defined sampling methodology, rather than being driven by a specific end result or deliverable. This sampling methodology aims to reduce cost while at the same time minimizing any detrimental impact on the accuracy and reliability of the results. Due to the inherent risks and limitations associated with this methodology, SecureWorks cannot guarantee (i) the outcome of its testing, assessment, forensics, or remediation methods, or (ii) that all weaknesses, noncompliance issues or vulnerabilities will be discovered (clauses (i) and (ii) together, the “Risks and Limitations”). Customer acknowledges and accepts these Risks and Limitations. Depending upon the type of Consulting Services being purchased pursuant to an SOW, Appendix A may apply.
8.1 By Customer. Customer shall defend, indemnify and hold harmless SecureWorks, its Affiliates and subcontractors, and the directors, officers, employees, contractors and agents of each of the foregoing, from and against any and all claims, demands, actions, proceedings, liabilities, obligations, losses, damages, costs and expenses (including, without limitation, reasonable attorney’s fees) (collectively, “Damages”) resulting from or in connection with any third-party claim, demand, action, suit or proceeding (a “Claim”): (i) alleging that the Customer Data infringes a copyright or misappropriates any trade secrets enforceable in the country(ies) where the Customer Data is accessed, provided to or received by SecureWorks or was improperly provided to SecureWorks in violation of any individual’s rights, Customer’s privacy policies or applicable laws (or regulations promulgated thereunder), (ii) asserting that any action undertaken by SecureWorks in connection with SecureWorks’ performance under this EULA violates law or the rights of a third party, including without limitation claims or allegations related to the decryption, analysis of, collection or transfer of data to SecureWorks, and (iii) by Customer Affiliates (other than Signing Customer Affiliate(s)) arising from or relating to the Services arising from a third party’s reliance on a Customer Report, any information therein or any other results or output of the Services.
The exclusions and limitations of liability set out in Section 7.2.2 do not apply to Customer’s indemnity obligations under this Section 8.1.
8.2 By SecureWorks. SecureWorks shall defend, indemnify, and hold harmless Customer, its Affiliates, and the directors, officers, employees, contractors and agents of each of the foregoing, from any and all Damages resulting from or in connection with any Claim alleging that the Products as provided by SecureWorks infringe any third-party IP rights enforceable in the country or countries in which the Products are provided or delivered by SecureWorks to Customer; provided, however, that the foregoing indemnification obligation of SecureWorks shall not apply to the extent that such third-party claim, demand, action, suit or proceeding arises from or relates to (i) any services, equipment, software or documentation not provided by SecureWorks, or (ii) modifications to the Products made by or at the direction of Customer.
If there occurs a claim of infringement alleging that the Services infringes upon any third party intellectual property rights, or if SecureWorks determines that such claim is likely to occur, SecureWorks will have the right, in its sole discretion, to either: (i) procure for Reseller and its Customers, at no additional cost to Reseller, the right or license to continue to use the infringing material, free of the infringement claim; or (ii) replace or modify the infringing material to make it non-infringing. If these remedies are not available to SecureWorks upon commercially reasonable terms, SecureWorks may, at its option, terminate this Agreement and discontinue the provision of Services to Reseller’s Customers without any additional liability hereunder.
The exclusions and limitations of liability set out in Section 7.2.2 do not apply to SecureWorks’ indemnity obligations under this Section 8.2.
8.3 Indemnification Procedure. A Party seeking indemnification under this Section 8 must (i) promptly notify the other Party of the Claim or threatened Claim, provided any delay in providing such notice will only relieve the indemnifying Party of its obligation hereunder to the extent the defense or settlement of the Claim is materially prejudiced thereby; (ii) at the indemnifying Party’s reasonable request and expense, provide the indemnifying Party with reasonable assistance for the defense of the Claim, and (iii) defer to indemnifying Party to have sole control of the defense and all negotiations for settlement or compromise of the Claim, except that the indemnifying Party will not settle or compromise any Claim without the prior written consent of the indemnified Party.
9. Export. SecureWorks and Customer acknowledge that the Products, Customer Purchased Equipment and/or Services provided under this Agreement may incorporate encryption functionality, and are subject to the customs and export control laws and regulations of the United States and other countries to which the Products, Customer Purchased Equipment and/or Services are delivered. Each party agrees to comply with all customs and export control laws and regulations of the United States and other countries to which the Products, Customer Purchased Equipment and/or Services are delivered applicable to such party in the course of performance of its obligations under this Agreement. This Section 9 shall apply notwithstanding any other terms of this Agreement or any Service Order or SOW. This Section 9 shall survive any expiration or termination of this Agreement.
9.1 SecureWorks Responsibilities. SecureWorks agrees that it is responsible for ensuring that the delivery of Products and any Customer Purchased Equipment to Customer is in compliance with U.S. export regulations, including by applying for and obtaining any required U.S. export licenses. SecureWorks’ acceptance of any order for Products and any Customer Purchased Equipment is contingent upon the issuance of any export license required by the U.S. Government. SecureWorks will not be liable for delays or failure to deliver Products and any Customer Purchased Equipment resulting from the inability to obtain such license.
9.2 Customer Responsibilities. Customer agrees to comply with, and to cause and require its Affiliates to comply with all applicable U.S. export regulations governing the retransfer and use of the Products and any Customer Purchased Equipment purchased from SecureWorks, and neither Customer nor its Affiliates will transfer or re-export the Products without written permission from SecureWorks. Without limiting the generality of the foregoing, Customer agrees that neither it nor its Affiliates will re-export, transfer, or share Products or any Customer Purchased Equipment to or with any Sanctioned Person (defined below) or otherwise allow any Sanctioned Person to benefit from the Products, any Customer Purchased Equipment or Services provided by SecureWorks. Customer further agrees that it and its Affiliates are solely responsible for compliance with the applicable laws, rules and regulations governing the importation and use of the Products and any Customer Purchased Equipment in the countries to which Products or any Customer Purchased Equipment will be delivered, including, but not limited to, by making any required customs entry or declaration, paying all duties, taxes and fees owed as a result of the importation or use of Products and any Customer Purchased Equipment by Customer, and obtaining all necessary licenses, permits or other authorizations, including those required under regulations governing the importation and use of encryption products.
10. Cooperation. Customer agrees to cooperate, and to cause and require its Affiliates to cooperate in providing the information necessary for SecureWorks to apply for any required U.S. export licenses. SecureWorks agrees to cooperate with Customer and Customer Affiliates by providing the information necessary for Customer or Customer Affiliates to apply for any required licenses, permits or other authorizations in connection with the importation and use of the Products and Customer Purchased Equipment. Notwithstanding the foregoing or any other terms of this Agreement or any Service Order or SOW, under no circumstances shall SecureWorks be required to provide any source code, or proprietary information in connection with the pursuit of any license, permit or other authorization to Customer, Customer Affiliates, or any government authority.
11. OFAC Warranty. Customer represents and warrants that neither it, nor any of its Affiliates nor any of its employees, officers or directors, nor to the knowledge of Customer, any agent, or other person acting on its behalf (i) has been or is designated on the Specially Designated Nationals and Blocked Persons List maintained by the Office of Foreign Assets Control of the United States Department of the Treasury (OFAC), or, to the extent applicable, any similar list of sanctioned persons issued by the United Nations Security Council, the European Union, Her Majesty's Treasury or any other relevant governmental authority administering sanctions, including the U.S. Department of State, (ii) is a national or citizen of, organized under the laws of, or resident or operating in any country or territory which is itself the subject of country-wide or territory-wide sanctions, including, but not limited to, as of the date of this EULA, Iran, Cuba, Syria, Sudan, Crimea, and North Korea, (iii) is a Person owned or controlled by any Persons described in clauses (i) and/or (ii) of this sentence, or (iv) is a person identified on the United States Department of Commerce, Bureau of Industry and Security’s “Denied Persons List” or “Entity List” (persons described in clauses (i), (ii) and/or (iii) collectively, “Sanctioned Persons”). Customer agrees that it will promptly notify SecureWorks in writing if Customer becomes aware of any changes to this warranty or if to Customer’s knowledge any change is threatened. In such event, SecureWorks shall have the ability to terminate this Agreement and all outstanding service orders without affording Customer an opportunity to cure.
12. Government Relations. Customer hereby disclaims, waives and agrees not to assert any right to or claim of sovereign immunity (or other similar statutory, constitutional or other legal right to defense) in any suit, claim, litigation or other proceeding, whether at law, in equity or otherwise, brought by SecureWorks to enforce Customer’s obligations under this Agreement.
If the Products are provided to US Federal Government agencies, other than the supporting Documentation, they are provided with LIMITED RIGHTS, as those terms are defined in the Federal Acquisition Regulation (“FAR”) at FAR clauses 52.227-14 and 52.227-19. Use, duplication, or disclosure of restricted rights Products by the Federal Government is subject to the restrictions as set forth in subparagraph “(c)” of the Commercial Computer Software - Restricted Rights clause at FAR 52.227-19. In the event the sale is to a Department of Defense agency, the government’s rights in software, supporting documentation, and technical data are governed by the restrictions in the Technical Data Commercial Items clause at DFARS 252.227-7015 and DFARS 227.7202. In no event shall Customer grant any higher tier contractor or the Federal Government rights in any Products greater than those set forth in this provision.
13. Data Privacy
13.1 Customer authorises SecureWorks to collect, use, store, transfer and otherwise process the personal data SecureWorks obtains from Customer as a result of providing the Services for the purpose of complying with Secureworks’ rights and obligations under this Agreement and for any additional purposes described pursuant to this Agreement.
13.2 Each party expressly agrees that the Data Protection Agreement set out in Appendix B to this Agreement shall apply and govern all activities concerning the processing of personal data for the purposes of this Agreement.
14. Additional Terms.
14.1 Independent Contractor Relationship; Assignment; Subcontracting. The parties are independent contractors. Neither party will have any rights, power or authority to act or create an obligation, express or implied, on behalf of another party except as specified in this Agreement. Neither party will use the other party’s name (except internal use only), trademark, logos, or trade name without the prior written consent of the other party. SecureWorks has the right to assign, subcontract or delegate in whole or in part this Agreement, or any rights, duties, obligations or liabilities under this Agreement, by operation of law or otherwise, provided that SecureWorks shall remain responsible for the performance of the Services under this Agreement. Otherwise, neither party may assign this Agreement without the permission of the other party, which such permission shall not be unreasonably withheld or delayed.
14.2 Entire Agreement; Severability; Section Headings. This Agreement and the Service Orders/SOWs are the entire agreement between SecureWorks and Customer with respect to its subject matter and supersede all prior oral and written understandings, agreements, communications, and terms and conditions attached to or contained within a purchase order issued by Customer in connection with the Services, including, but not limited to, any security or privacy agreements executed by the parties. If any provision of this Agreement is void or unenforceable, the remainder of this Agreement will remain in full force and effect. Section headings are for reference only and shall not affect the meaning or interpretation of this Agreement.
14.3 Force Majeure. SecureWorks shall not be liable to Customer for any failure to perform any of its obligations under this Agreement during any period in which such performance is delayed by circumstances beyond its reasonable control, including, but not limited to, acts of God, earthquake, tsunami, fire, explosion, vandalism, cable cut, storm, flood or other similar occurrences; any law, order, regulation, direction, action or request of any other government having or claiming jurisdiction over a party, of any department, agency, commission, bureau, corporation, or other instrumentality of such government, or of any civil or military authority; national emergencies; unavailability of materials or rights-of-way; insurrections; riots; terrorism; wars; or strikes, lock-outs, work stoppages, or other labor difficulties, supplier failures, shortages, breaches or delays.
14.4 Governing Law, Forum and Language
14.4.1 THE PARTIES AGREE THAT THIS AGREEMENT SHALL BE GOVERNED BY THE LAWS OF THE STATE OF GEORGIA, UNITED STATES, WITHOUT REGARD TO ANY CONFLICT OF LAW PRINCIPLES OR CHOICE OF LAW RULES THAT REQUIRE THE APPLICATION OF ANY OTHER LAWS. THE PARTIES EXPRESSLY AGREE THAT THIS AGREEMENT SHALL NOT BE SUBJECT TO THE U.N. CONVENTION ON CONTRACTS FOR THE INTERNATIONAL SALE OF GOODS.
14.5 ANY CASE, CONTROVERSY OR OTHER LEGAL PROCEEDING ARISING BETWEEN THE PARTIES WITH RESPECT TO THIS AGREEMENT SHALL ONLY BE INSTITUTED IN THE COURTS OF DEKALB COUNTY, GEORGIA. EACH PARTY IRREVOCABLY SUBMITS TO THE EXCLUSIVE JURISDICTION OF SUCH COURTS IN ANY SUCH CASE, CONTROVERSY OR OTHER LEGAL PROCEEDING, AND WAIVES ANY OBJECTION TO THE LAYING OF VENUE IN SUCH COURTS AND AGREES NOT TO PLEAD THAT SUCH COURTS ARE AN INCONVENIENT FORUM.
14.6 Survival. Sections 5.1, 5.2, 6, 7.2, and 8-14 shall survive any expiration or termination of this Agreement.
Applicable to Security Services: Should an SOW include security scanning, testing, assessment, forensics, or remediation Services (“Security Services”), Customer understands that SecureWorks may use various methods and software tools to probe network resources for security-related information and to detect actual or potential security flaws and vulnerabilities. Customer authorizes SecureWorks to perform such Security Services (and all such tasks and tests reasonably contemplated by or reasonably necessary to perform the Security Services) on network resources with the internet protocol addresses (“IP Addresses”) identified by Customer. Customer represents that, if Customer does not own such network resources, it will have obtained consent and authorization from the applicable third party to permit SecureWorks to provide the Security Services on such third party’s network resources. SecureWorks shall perform Security Services during a timeframe mutually agreed upon with Customer. The Security Services, such as penetration testing or vulnerability assessments, may also entail buffer overflows, fat pings, operating system specific exploits, and attacks specific to custom coded applications but will exclude intentional and deliberate DOS (“Denial of Service”) attacks. Furthermore, Customer acknowledges that the Security Services described herein could possibly result in service interruptions or degradation regarding the Customer’s systems and accepts those risks and consequences. Upon execution of an SOW for such Security Services, Customer consents and authorizes SecureWorks to provide any or all of the Security Services specified in the applicable SOW with respect to the Customer’s systems. Customer further acknowledges that it is the Customer’s responsibility to restore network computer systems to a secure configuration after the completion of SecureWorks’ testing.
Applicable to Compliance Consulting Services: Should an SOW include compliance testing or assessment or other similar compliance advisory Services (“Compliance Services”), Customer understands that, although SecureWorks' Compliance Services may discuss or relate to legal issues, (i) SecureWorks does not provide legal advice or services, (ii) none of such Compliance Services shall be deemed, construed as or constitute legal advice, and (iii) Customer is ultimately responsible for retaining its own legal counsel to provide legal advice. Furthermore, the Customer Reports provided by SecureWorks in connection with any Compliance Services shall not be deemed to be legal opinions and may not and should not be relied upon as proof, evidence or any guarantee or assurance as to Customer’s legal or regulatory compliance.
Applicable to Payment Card Industry Compliance Consulting Services: Should an SOW include payment card industry (“PCI”) compliance auditing, testing or assessment or other similar PCI compliance advisory Consulting Services (“PCI Compliance Services”), Customer understands that SecureWorks' PCI Compliance Services do not constitute any guarantee or assurance that security of Customer’s systems, networks and assets cannot be breached or are not at risk. PCI Compliance Services are an assessment, as of a particular date, of whether Customer’s systems, networks, assets, and any compensating controls meet the applicable PCI standards. Mere compliance with PCI standards may not be sufficient to eliminate all risks of a security breach of Customer’s systems, networks and assets. Furthermore, SecureWorks is not responsible for updating its reports and assessments, or enquiring as to the occurrence or absence of such, in light of changes to Customer’s systems, networks and assets after the date that SecureWorks issues its final Customer Report pursuant to an SOW, absent a Change Order or a separately signed SOW expressly requiring the same.
Data Protection Agreement
This Data Protection Agreement (“DPA”) forms part of the MSA between the Customer and Secureworks and shall apply where the provision of Services by Secureworks to Customer involves the processing of Personal Data (as defined below) which is subject to Privacy Laws. Except as otherwise expressly stated, Customer is the controller and Secureworks is the processor (as defined below) of the Personal Data processed under this MSA. In the event of a conflict between this DPA and the MSA, this DPA shall control with respect to its subject matter.
1. Definitions: References in this DPA to “controller”, “data subject”, “processor” and “supervisory authority” shall have the meanings ascribed to them under Privacy Laws. Capitalised terms that are not defined in this DPA shall have the meaning set out in the MSA. In this DPA:
1.1 "Data Breach" means an actual breach by Secureworks of the security obligations under this DPA leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data transmitted, stored or otherwise processed.
1.2 "Personal Data" means any information relating to an identified or identifiable natural person which is processed by Secureworks, acting as a processor on behalf of the Customer, in connection with the provision of the Services and which is subject to Privacy Laws.
1.3 "Privacy Laws" means any data protection and/or privacy related laws, statutes, directives, or regulations (and any amendments or successors thereto) to which a party to the MSA is subject and which are applicable to the Services including, without limitation, the General Data Protection Regulation 2016/679 when it comes into effect.
1.4 "processing" (and its derivatives) means any operation(s) performed on personal data, whether or not by automated means, including the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.5 "Security Event Data" means information related to security events which is collected during Secureworks’ provision of managed security services.
1.6 "Subprocessor" means a third party engaged by Secureworks (including without limitation an Affiliate and/or subcontractor of Secureworks) in connection with the processing of the Personal Data.
2. Description of processing: a description of the processing activities to be undertaken as part of the MSA and this DPA are set out in Annex 1.
3. Compliance with laws: the parties agree to comply with their respective obligations under Privacy Laws. In particular, Customer warrants and represents (on its behalf and on behalf of each of its Affiliates where applicable) that it has obtained all necessary authorisations and consents required for compliance with Privacy Laws prior to disclosing, transferring, or otherwise making available any Personal Data to Secureworks and that it has provided appropriate notifications to data subjects describing the purpose for which their personal data will be used pursuant to this DPA and MSA.
4. Secureworks obligations
4.1 Instructions: Secureworks shall process the Personal Data only in accordance with Customer’s reasonable and lawful instructions (unless otherwise required to do so by applicable law). Customer hereby instructs Secureworks to process the Personal Data to provide the Services and comply with Secureworks’ rights and obligations under the MSA and this DPA. The MSA and DPA comprise Customer’s complete instructions to Secureworks regarding the processing of Personal Data. Any additional or alternate instructions must be agreed between the parties in writing, including the costs (if any) associated with complying with such instructions. Secureworks is not responsible for determining if Customer’s instructions are compliant with applicable law, however, if Secureworks is of the opinion that a Customer instruction infringes applicable Privacy Laws, Secureworks shall notify Customer as soon as reasonably practicable and shall not be required to comply with such infringing instruction.
4.2 Confidentiality: To the extent the Personal Data is confidential (pursuant to applicable law), Secureworks shall maintain the confidentiality of the Personal Data in accordance with Section 8 of the MSA and shall require persons authorised to process the Personal Data (including its Subprocessors) to have committed to materially similar obligations of confidentiality.
4.3 Disclosures: Secureworks may only disclose the Personal Data to third parties (including without limitation its Affiliates and Subprocessors) for the purpose of:
(a) complying with Customer’s reasonable and lawful instructions
(b) as required in connection with the Services and as permitted by the MSA and/or this DPA, and/or
(c) as required to comply with Privacy Laws, or an order of any court, tribunal, regulator or government agency with competent jurisdiction to which Secureworks, its Affiliates and/or Subprocessors is subject PROVIDED that Secureworks will (to the extent permitted by law) inform the Customer in advance of any disclosure of Personal Data and will reasonably co-operate with Customer to limit the scope of such disclosure to what is legally required.
4.4 Assisting with data subject rights: Secureworks shall, as required in connection with the Services and to the extent reasonably practicable, assist Customer to respond to requests from data subjects exercising their rights under Privacy Laws (including without limitation the right of access, rectification and/or erasure) in respect of the Personal Data. Secureworks reserves the right to charge Customer for such assistance if the cost of assisting exceeds a nominal amount. Secureworks shall notify Customer as soon as practicable of any request Secureworks receives from data subjects relating to the exercise of their rights under applicable Privacy Laws during the Term of the MSA (to the extent such request relates to the Personal Data).
4.5 Security: Taking into account industry standards, the costs of implementation, the nature, scope, context and purposes of the processing and any other relevant circumstances relating to the processing of the Personal Data, Secureworks shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk in respect of any Personal Data in accordance with Secureworks policies. The parties agree that the security measures described in Annex 2 (Information Security Measures) provide an appropriate level of security for the protection of Personal Data to meet the requirements of this clause.
4.6 Subprocessors: Customer agrees that Secureworks may appoint and use Subprocessors (including without limitation those that may be identified on the subcontractor list posted on the Portal, as updated from time to time) to process the Personal Data in connection with the Services PROVIDED that:
(a) Secureworks puts in place a contract in writing with each Subprocessor that imposes obligations that are (i) relevant to the services to be provided by the Subprocessors and (ii) materially similar to the rights and/or obligations granted or imposed on Secureworks under this DPA; and
(b) where a Subprocessor fails to fulfil its data protection obligations as specified above, Secureworks shall be liable to the Customer for the performance of the Subprocessor’s obligations.
4.7 Deletion of Personal Data: Upon termination of the Services (for any reason) and if requested by Customer in writing, Secureworks shall as soon as reasonably practicable delete the Personal Data, PROVIDED that Secureworks may: (a) retain one copy of the Personal Data as necessary to comply with any legal, regulatory, judicial, audit or internal compliance requirements; and/or (b) defer the deletion of the Personal Data to the extent and for the duration that any Personal Data or copies thereof cannot reasonably and practically be expunged from Secureworks’ systems; and for such retention or deferral periods as referred to in subparagraphs (a) or (b) of this clause, the provisions of this DPA shall continue to apply to such Personal Data. Secureworks reserves the right to charge Customer for any reasonable costs and expenses incurred by Secureworks in deleting the Personal Data pursuant to this clause.
4.8 Demonstrating compliance: Secureworks shall, upon reasonable prior written request from Customer (such request not to be made more frequently than once in any twelve month period), provide to Customer such information as may be reasonably necessary to demonstrate Secureworks’ compliance with its obligations under this DPA.
4.9 Audits and inspections: Where Customer reasonably considers the information provided under clause 4.8 above is not sufficient to demonstrate Secureworks’ compliance with this DPA, Customer may request reasonable access to Secureworks’ relevant processing activities in order to audit and/or inspect Secureworks’ compliance with this DPA PROVIDED THAT:
(a) Customer gives Secureworks reasonable prior written notice of at least thirty (30) days before any audit or inspection (unless a shorter notice period is required by Privacy Laws, an order of a supervisory authority, otherwise agreed between the parties or in the event of a Data Breach)
(b) audits or inspections may not be carried out more frequently than once in any twelve month period (unless required more frequently by Privacy Laws, an order of a supervisory authority, otherwise agreed between the parties or in the event of a Data Breach)
(c) Customer submits to Secureworks a detailed audit plan at least two weeks in advance of the proposed audit date describing the proposed scope, duration and start date of the audit. Secureworks shall review the audit plan and provide Customer with any material concerns or questions without undue delay. The parties will then reasonably cooperate to agree a final audit plan
(d) Secureworks may restrict access to information in order to avoid compromising a continuing investigation, violating law or violating confidentiality obligations to third parties. Any access to sensitive or restricted facilities by Customer is strictly prohibited due to regulatory restrictions on access to other customers’ data, although Customer and/or its auditor shall be entitled to observe the security operations center via a viewing window. Customer shall not (and must ensure that its auditor shall not) allow any sensitive documents and/or details regarding Secureworks’ policies, controls and/or procedures to leave the Secureworks location at which the audit or inspection is taking place (whether in electronic or physical form)
(e) Customer carries out the audit or inspection during normal business hours and without creating a business interruption to Secureworks
(f) the audit or inspection is carried out in compliance with Secureworks’ relevant on site policies and procedures
(g) where the audit is carried out by a third party on behalf of the Customer, such third party is bound by similar obligations to those set out in Section 8 of the MSA (Confidentiality) and is not a direct competitor of Secureworks. Secureworks reserves the right to require any such third party to execute a confidentiality agreement directly with Secureworks prior to the commencement of an audit or inspection, and
(h) except where the audit or inspection discloses a failure on the part of Secureworks to comply with its obligations under this DPA, Customer shall pay all reasonable costs and expenses (including without limitation any charges for the time engaged by Secureworks, its personnel and professional advisers) incurred by Secureworks in complying with this clause.
Customer shall provide to Secureworks a copy of any audit reports generated in connection with an audit carried out under this clause, unless prohibited by applicable law. Customer may use the audit reports only for the purposes of meeting its regulatory audit requirements and/or confirming compliance with the requirements of this DPA. The audit reports shall be Confidential Information of the parties.
5. International transfers: Secureworks may, in connection with the provision of the Services, or in the normal course of business, make international transfers of the Personal Data to its Affiliates and/or Subprocessors. When making such transfers, Secureworks shall ensure appropriate protection is in place to safeguard the Personal Data transferred under or in connection with the MSA and this DPA. Where the provision of Services involves the transfer of Personal Data from countries within the European Economic Area (“EEA”) to countries outside the EEA (which are not subject to an adequacy decision under Directive 95/46/EC or the GDPR once in effect) such transfer shall be subject to the following requirements:
5.1 Secureworks has implemented appropriate security measures to adequately protect the transfer of such Personal Data
5.2 Secureworks has in place intra-group agreements with any Affiliates which may have access to the Personal Data, which agreements shall incorporate the EU Commission approved Standard Contractual Clauses (“Standard Contractual Clauses”); and
5.3 Secureworks has in place agreements with its Subprocessors that incorporate the Standard Contractual Clauses (as appropriate).
6. Data Breaches: Where a Data Breach is caused by Secureworks’ failure to comply with its obligations under this DPA, Secureworks shall:
6.1 notify Customer without undue delay after establishing the occurrence of the Data Breach and shall, to the extent such information is known or available to Secureworks at the time, provide Customer with details of the Data Breach, a point of contact and the measures taken or to be taken to address the Data Breach
6.2 reasonably cooperate and assist Customer with any investigation into, and/or remediation of, the Data Breach (including, without limitation and where required by Privacy Laws, the provision of notices to regulators and affected individuals)
6.3 not inform any third party of any Data Breach relating to the Personal Data without first obtaining Customer’s prior written consent, except as otherwise required by applicable law provided that nothing in this clause shall prevent Secureworks from notifying other customers whose personal data may be affected by the Data Breach, and
In the event Customer intends to issue a notification regarding the Data Breach to a supervisory authority, other regulator or law enforcement agency, Customer shall (unless prohibited by law) allow Secureworks to review the notification and Customer shall have due regard to any reasonable comments or amendments proposed by Secureworks.
7. Liability and Costs: Neither Secureworks nor any Subprocessor shall be liable for any claim brought by Customer or any third party arising from any action or omission by Secureworks and/or Subprocessors to the extent such action or omission resulted from compliance with Customer’s instructions.
8. Security Event Data: Secureworks will process Security Event Data as part of its provision of Services. Customer acknowledges that Secureworks may also process Security Event Data in order to develop, enhance and/or improve its security services and the products and services it offers and provides to customers. Secureworks shall be the controller in respect of any personal data in the Security Event Data and, for the duration of its processing of such Security Event Data, Secureworks shall (i) comply with applicable Privacy Laws and (ii) safeguard such Security Event Data with security measures that are no less protective than those set out in this DPA. Restrictions on the disclosure and transfer of Personal Data in this DPA shall not apply in connection with Secureworks’ processing of the Security Event Data for the purposes described in this clause, however, Secureworks shall not disclose any Security Event Data that is traceable to Customer to any third parties (other than Affiliates and Subprocessors) unless permitted under the MSA and/or this DPA, or the disclosure is required in order to comply with applicable law or legal process. Secureworks shall not be required to return or delete Security Event Data upon termination of the Services (for any reason). Customer shall ensure its personnel and any other data subjects whose personal data is processed by Secureworks in connection with the Services are appropriately notified of the fact their personal data may be processed in connection with the development, enhancement and/or provision of Secureworks’ products or services as described in this clause. If Customer is compelled by a legally binding order (e.g. of a court or regulatory authority of competent jurisdiction) to have the Security Event Data deleted, then Secureworks agrees, as appropriate, to anonymise, pseudonymise or delete the Security Event Data that is the subject of the binding order as soon as practicable.
9. Privacy Impact Assessments: Secureworks shall provide reasonable cooperation and assistance to Customer, to the extent applicable in relation to Secureworks’ processing of the Personal Data and within the scope of the agreed Services, in connection with any data protection impact assessment(s) which the Customer may carry out in relation to the processing of Personal Data to be undertaken by Secureworks, including any required prior consultation(s) with supervisory authorities. Secureworks reserves the right to charge Customer a reasonable fee for the provision of such cooperation and assistance.
Annex 1 - Processing description
Subject matter and purpose
Subject to the terms of the Agreement, Secureworks provides information security services for the Customer and processes the Personal Data for the purpose of providing such services as set out in applicable Service Orders, SOWs, SLAs, Service descriptions or otherwise
Duration of processing
Secureworks will retain and process the Personal Data for the term of the Agreement and in accordance with the provisions of this DPA regarding the return or deletion of the Personal Data.
The Personal Data transferred may concern the following categories of data subjects: past, present and prospective (i) employees and partners, (ii) clients and individuals who use and access Customer information technology systems for which Secureworks provides services, (iii) advisors, consultants, contractors, subcontractors and agents; and (iv) complainants, correspondents and enquirers.
Type of personal data
For MSS: any Personal Data contained:
For SRC (Consulting) Services: Personal Data which may be processed by Secureworks if necessary for the provision of the Consulting Services may include any or all of the following:
Annex 2 – Information Security Measures
Secureworks Corporate Global Information Security Overview
Secureworks takes information security seriously. This information security overview applies to Secureworks’ corporate controls for safeguarding personal data which is processed and transferred amongst Secureworks group companies. Secureworks’ information security program enables the workforce to understand their responsibilities. Some customer solutions may have alternate safeguards outlined in the statement of work as agreed with each customer.
Secureworks has implemented corporate information security practices and standards that are designed to safeguard Secureworks’ corporate environment and to address: (1) information security; (2) system and asset management; (3) development; and (4) governance. These practices and standards are approved by the Secureworks CIO and undergo a formal review on an annual basis.
It is the responsibility of the individuals across the organization to comply with these practices and standards. To facilitate the corporate adherence to these practices and standards, the function of information security provides:
1. Strategy and compliance with policies/standards and regulations, awareness and education, risk assessments and management, contract security requirements management, application and infrastructure consulting, and assurance testing; it also drives the security direction of the company.
2. Security testing, design and implementation of security solutions to enable security controls adoption across the environment.
3. Security operations for implemented security solutions, the environment and assets, and management of incident response.
4. Forensic investigations with security operations, legal, data protection and human resources for investigations including eDiscovery and eForensics.
Asset Classification and Control
Secureworks’ practice is to track and manage physical and logical assets. Examples of the assets that Secureworks IT might track include:
- Information Assets, such as identified databases, disaster recovery plans, business continuity plans, data classification, archived information.
- Software Assets, such as identified applications and system software.
- Physical Assets, such as identified servers, desktops/laptops, backup/archival tapes, printers and communications equipment.
The assets are classified based on business criticality to determine confidentiality requirements. Industry guidance for handling personal data provides the framework for technical, organizational and physical safeguards. These may include controls such as access management, encryption, logging and monitoring, and data destruction.
As part of the employment process, employees undergo a screening process applicable per regional law. Secureworks’ annual compliance training includes a requirement for employees to complete an online course and pass an assessment covering information security and data privacy. The security awareness program may also provide materials specific to certain job functions.
Physical and Environmental Security
Secureworks uses a number of technological and operational approaches in its physical security program with regard to risk mitigation. The security team works closely with each site to determine that appropriate measures are in place and to continually monitor any changes to the physical infrastructure, business, and known threats. It also monitors best practice measures used by others in the industry and carefully selects approaches that meet both the unique aspects of business practice and the expectations of Secureworks as a whole. Secureworks balances its approach towards security by considering elements of control that include architecture, operations, and systems.
Communications and Operations Management
The IT organization manages changes to the corporate infrastructure, systems and applications through a centralized change management program, which may include testing, business impact analysis and management approval, where appropriate.
Incident response procedures exist for security and data protection incidents, which may include incident analysis, containment, response, remediation, reporting and the return to normal operations.
To protect against malicious use of assets and malicious software, additional controls may be implemented, based on risk. Such controls may include, but are not limited to, information security practices and standards; restricted access; designated development and test environments; virus detection on servers, desktops and notebooks; virus email attachment scanning; system compliance scans; intrusion prevention monitoring and response; logging and alerting on key events; information handling procedures based on data type, e-commerce application and network security; and system and application vulnerability scanning.
Access to corporate systems is restricted, based on procedures to ensure appropriate approvals. To reduce the risk of misuse, intentional or otherwise, access is provided based on segregation of duties and least privileges.
Remote access and wireless computing capabilities are restricted and require that both user and system safeguards are in place.
Specific event logs from key devices and systems are centrally collected and reported on an exceptions basis to enable incident response and forensic investigations.
System Development and Maintenance
Publicly released third-party vulnerabilities are reviewed for applicability in the Secureworks environment. Based on risk to Secureworks’ business and customers, there are pre-determined timeframes for remediation. In addition, vulnerability scanning and assessments are performed on new and key applications and the infrastructure based on risk. Code reviews and scanners are used in the development environment prior to production to proactively detect coding vulnerabilities based on risk. These processes enable proactive identification of vulnerabilities as well as compliance.
The information security, legal, privacy and compliance departments work to identify regional laws and regulations applicable to Secureworks corporate. These requirements cover areas such as intellectual property of the company and our customers, software licenses, protection of employee and customer personal information, data protection and data handling procedures, trans-border data transmission, financial and operational procedures, regulatory export controls around technology, and forensic requirements.
Mechanisms such as the information security program, the executive privacy council, internal and external audits/assessments, internal and external legal counsel consultation, internal controls assessment, internal penetration testing and vulnerability assessments, contract management, security awareness, security consulting, policy exception reviews and risk management combine to drive compliance with these requirements.