SecureWorks | Master Services Agreement United Kingdom
THIS SECURITY SERVICES CUSTOMER MASTER SERVICES AGREEMENT (“MSA”) is entered into by and between SecureWorks Europe Limited (“SecureWorks”) and the customer entity (“Customer”) set forth in a Service Order or Statement of Work as of the Effective Date (as defined by, in respect of a Service Order, the submission to SecureWorks of a Service Order and a purchase order, and in respect of a Statement of Work, the latest date in the signature blocks in a signed Statement of Work). SecureWorks and Customer agree to the following terms and conditions:
1.1 MSS Services and Consulting Services. During the Term (as defined in Section 3.1) and subject to the terms and conditions of this MSA, SecureWorks agrees to provide managed security services (“MSS Services”) and/or security risk consulting services (“Consulting Services”) (collectively, the “Services”) and Customer agrees to purchase such Services. SecureWorks may provide the Services by its Affiliates. “Affiliates” with respect to a party means any entity that, directly or indirectly, through one or more intermediaries, controls, is controlled by or is under common control with such party.
1.2 MSS Services. Specific terms and conditions relating to the MSS Services shall be set forth in one or more service orders (“Service Order(s)”). A detailed description of the MSS Services being purchased shall be provided in the relevant service description and service level agreement (“SLA”) for such MSS Services attached to each Service Order and incorporated by reference.
1.3 Consulting Services. Specific terms and conditions relating to the Consulting Services shall be set forth in one or more statements of work (“SOW”) executed by the parties.
1.4 Service Documents. The Service Order(s) and SLA relating to the MSS Services and SOW relating to the Consulting Services are collectively referred to as “Service Document(s)”. Each Service Document shall be a separate independent agreement which shall incorporate the terms of this MSA by reference.
1.5 Order of priority. In the event of a conflict between the terms of this MSA and a Service Document (including any exhibits or attachments thereto), the terms of the Service Document shall govern.
2. Fees; Taxes; Invoicing and Payment.
2.1 Customer Affiliates. Only Affiliates of the Customer that are located in the United Kingdom shall be entitled to receive the Services, and as such any reference to “Customer Affiliates” in this MSA or Service Document shall be a reference to Affiliates of the Customer that are located in the United Kingdom.
2.2 MSS Service Fees. Customer agrees to pay SecureWorks for the MSS Services in accordance with the applicable Service Order. For each Service Order, the MSS Services will commence (the “MSS Service Commencement Date”) on the first day in which SecureWorks: (a) has established communication with the Equipment (as defined in Section 5); and (b) has verified availability of Customer Data (as defined in Section 6.1) on the SecureWorks customer online portal (details and login details of which shall be provided by SecureWorks to the Customer) (“Portal”). SecureWorks may invoice Customer for such MSS Services provided on or after the MSS Service Commencement Date.
2.3 Specific MSS Services. If Customer orders Server/Network Infrastructure Monitoring or Security Information and Event Management MSS Services pursuant to a Service Order as detailed in the relevant Service Order, SecureWorks may invoice Customer for such MSS Services applicable to all devices in the tier of MSS Services being purchased (as outlined in the applicable Service Order) on or after the MSS Service Commencement Date of the MSS Services applicable to the initial device(s). If there are devices remaining to be integrated after the MSS Service Commencement Date of the initial device(s), Customer shall be responsible for initiating the integration of such devices via the Portal.
2.4 Consulting Services Fees. Customer agrees to pay SecureWorks for the Consulting Services in accordance with the applicable SOW. For each SOW, the Consulting Services will commence on the date specified in the applicable SOW (the “Consulting Services Commencement Date”) and SecureWorks may invoice Customer for such Consulting Services on or after the Consulting Services Commencement Date.
2.5 Change Control. Either party may propose a change to the Services (“Change”) which: (i) would modify or alter the delivery of the Services or the composition of the Services; (ii) would alter the cost to Customer for the Services; or (iii) is agreed by Customer and SecureWorks in writing to be a Change. Any Change to the applicable Service Document shall be documented in writing by a change control note signed by an authorised representative of each party (“Change Order”). Section 2.5 shall not apply where the parties have agreed to quarterly pricing updates, which shall be binding on written notification to the Customer.
2.6 Expenses. If the Services require SecureWorks to attend the Customer’s premises, the Customer shall reimburse SecureWorks for all reasonable expenses, including, but not limited to, travel, hotel and meals, incurred in connection with the implementation, performance or delivery of the Services.
2.7 Taxes. Customer shall be responsible, on behalf of itself and its Customer Affiliates, for the payment of all taxes arising out of this MSA and any Service Documents in any territory in which the Customer receives the Services, including, but not limited to, any sales, use, value-added, or import taxes, customs duties or similar taxes assessed in accordance with applicable law with respect to the provision of the Services or goods received from SecureWorks, except for taxes imposed on SecureWorks’ income or arising from the employment relationship between SecureWorks and its employees and taxes for which the Customer has provided valid and official documentation of its tax exempt status. Should any payments become subject to withholding tax, the Customer will deduct these taxes from the amount owed and pay the taxes to the appropriate tax authority in accordance with applicable tax laws. Customer will promptly provide SecureWorks with receipts or documents evidencing these tax payments. SecureWorks shall not be liable for any withholding tax, penalty or interest due as a result of Customer’s failure to withhold any applicable tax.
2.8 Invoicing; Payment and Disputes. SecureWorks will invoice Customer in accordance with the payment terms set forth and detailed in the applicable Service Document. Unless otherwise provided for in the applicable Service Document: (a) all charges, fees, payments and amounts hereunder will be in pounds sterling; and (b) all amounts due hereunder are payable within thirty (30) days from the date of the invoice (the “Invoice Due Date”). Customer may reasonably and in good faith dispute any portion of any amount claimed by SecureWorks as payable prior to the Invoice Due Date, by promptly paying any undisputed portion of the amount and providing SecureWorks, prior to the Invoice Due Date, written notice specifying the disputed amount and the basis for the dispute in reasonable detail.
2.9 Non Payment. For invoices not paid by the relevant Invoice Due Date, SecureWorks reserves the right, without prejudice to any other remedy to which it may be entitled, to: (a) charge interest on such overdue amount on a day to day basis from the Invoice Due Date at the rate of four percent (4%) per annum above the Royal Bank of Scotland plc’s base rate from time to time until payment is made in full; (b) suspend the provision of the Services until such time as payment is received, provided that SecureWorks shall not suspend the provision of Services without first providing at least five (5) business days advance notice to Customer; and (c) not accept any additional orders from the Customer. Thereafter SecureWorks shall be entitled to terminate this MSA and any Service Document(s) providing five (5) business days advance notice to Customer. Customer shall be responsible for payment of reasonable legal fees incurred by SecureWorks to collect such amounts owed by Customer. SecureWorks shall have no liability to Customer for any such suspension of Services, or non-acceptance of orders.
2.10 Third-Party Products/Services. If Customer is purchasing, or subsequently purchases, any third party products or services through SecureWorks pursuant to any Service Document, then, as applicable, Customer will comply with the terms and conditions attached to or referenced in that Service Document relating to such third party product or service, including without limitation any third party end user agreement.
3. Term of MSA and Service Orders.
3.1 Term of MSA. The term of this MSA shall commence on the Effective Date and shall continue until this MSA is terminated pursuant to the provisions hereof (the “Term”).
3.2 Term of Service Document. The term for the Services to be provided under this MSA will be set out in the applicable Service Document.
4.1 Termination for Breach. Either party may terminate this MSA or any unexpired Service Document in the event that the other party materially defaults in performing any obligation under this MSA: (a) immediately following notice of default if such default is not capable of being remedied; or (b) thirty (30) days following written notice of default if such default continues un-remedied. If this MSA or any unexpired Service Document is terminated for any reason, Customer agrees to pay to SecureWorks: (i) all unpaid Service fees as set forth in the Service Document accrued or performed as of such termination date; plus (in circumstances where termination is for any reason other than SecureWorks’ breach) (ii) for MSS Services only, the MSS Service fees that will become due during the remaining term of the applicable Service Order(s). If Customer terminates this MSA or any unexpired Service Document as a result of SecureWorks’ breach, then to the extent that Customer has prepaid any Service fees, SecureWorks shall refund to Customer such prepaid fees on a pro-rata basis to the extent such fees are attributable to the period after such termination date; provided, however, that Customer remains liable to pay to SecureWorks all unpaid Service fees as set forth in the Service Document accrued as of, and attributable to the period prior to, such termination date.
4.2 Termination for Insolvency. This MSA will terminate, effective upon delivery of written notice by either party to the other party upon the following: (a) the institution of insolvency, receivership or bankruptcy proceedings or any other proceedings for the settlement of debts of the other party; (b) the making of an assignment for the benefit of creditors by the other party; or (c) the dissolution of the other party.
4.3 Effects of Termination. Termination or expiration of a Service Document shall not be construed, by implication or otherwise, to constitute termination of this MSA or any other existing Service Document. In the event that this MSA is terminated, any existing Service Document shall also terminate.
5. MSS Services.
5.1 MSS Services Provision. SecureWorks will provide to Customer equipment or hardware (“Secureworks Equipment”), software (in object code format only) (“Software”), user IDs, tokens, passwords, digital signatures (“Protected Information”) and applicable written directions and/or policies (“Documentation”) and access to and use of the Portal, as necessary to enable the Customer to receive the MSS Services, strictly subject to the restrictions and terms set out in this MSA. The Secureworks Equipment, Software and Documentation are collectively referred to as “Products”.
5.2 Use. SecureWorks grants Customer a limited, non-transferable, royalty-free and non-exclusive licence to access and use during the Term the Products delivered to Customer for internal security use subject to the restrictions set out in Section 5.4.
5.3 Equipment. The Customer may purchase the equipment or hardware pursuant to a Service Order (“Customer Equipment”). The SecureWorks Equipment and Customer Equipment are collectively referred to as the “Equipment”. Risk of loss or damage to the Equipment shall pass on delivery. Title to the Customer Equipment shall pass to Customer on payment. Title to the Secureworks Equipment shall remain with SecureWorks and Customer shall return the Secureworks Equipment in good condition and working order within twenty-eight (28) days of the date of termination or expiry of the Service Order and shall cease use of all Software. If the Secureworks Equipment is not returned by Customer within this timeframe or is returned in an unsatisfactory or non-working condition, Customer will pay the full replacement cost of the Secureworks Equipment.
5.4 Restrictions. Customer: (i) will use the Products and Services for its internal security purposes, or for the internal security purposes of Customer Affiliates; and (ii) will not, for itself, or for any Customer Affiliate or any third party: (a) sell, rent, license, assign, distribute, or transfer any of the Products; (b) decipher, decompile, disassemble, reconstruct, translate, reverse engineer, or discover any source code of the Software; (c) copy any Software or Documentation, except that Customer may make a reasonable number of copies of the Documentation for its internal use (provided Customer reproduces on such copies all proprietary notices of SecureWorks or its suppliers); or (d) remove from any Product any language or designation indicating the confidential nature thereof or the proprietary rights of SecureWorks or its suppliers. In addition, Customer will not, and will not permit third parties to: (i) use any Software or Equipment on a time-sharing, outsourcing, service bureau, hosting, application service provider or managed service provider basis; (ii) alter any aspect of any Software or Equipment; or (iii) except as permitted under Section 13.1, assign, transfer, distribute, or otherwise provide access to any of the Products to any third party or otherwise use any Product with or for the benefit of any third party.
5.5 Protected Information. Customer shall treat the Protected Information as Confidential Information in accordance with Section 8.
6. Proprietary Rights.
6.1 Customer’s Proprietary Rights. Customer represents and warrants that it has the necessary rights, power, consents and authority to transmit Customer Data (as defined below) to SecureWorks under this MSA. As between Customer and SecureWorks, Customer will own all right, title and interest in and to: (i) any data provided by Customer and Customer Affiliates to SecureWorks and/or Customer data accessed or used by SecureWorks or transmitted by Customer and Customer Affiliates to SecureWorks on the Equipment in connection with SecureWorks’ provision of the Services, including, but not limited to, Customer and Customer Affiliate data included in any written or printed summaries, analyses or reports generated in connection with the Services (“Customer Data”); (ii) all intellectual property, including patents, copyrights, trademarks, trade secrets and other proprietary information (“IP”) of Customer that may be made available to SecureWorks in the course of providing Services under this MSA; and (iii) all confidential or proprietary information of Customer and Customer Affiliates, including, but not limited to, Customer Data, Customer Reports (as defined in Section 6.4), and other Customer files, documentation and related materials, in each case under this Section 6.1.
6.2 Limited Licence. During the Term, Customer grants to SecureWorks a limited, non-exclusive license to use the Customer Data solely for the purposes contemplated by this MSA and any Service Documents and for SecureWorks to perform the Services as contemplated in this MSA. This MSA does not transfer or convey to SecureWorks or any third party any right, title or interest in or to the Customer Data or any associated IP rights, but only a limited right of use as granted in and revocable in accordance with this MSA.
6.3 SecureWorks’ Proprietary Rights. As between Customer and SecureWorks, SecureWorks will own all right, title and interest in and to the Products and Services. This MSA does not transfer or convey to Customer or any third party any right, title or interest in or to the Products and Services or any associated IP rights, but only a limited right of use as granted in and revocable in accordance with this MSA. Any licence granted by SecureWorks to the Customer shall automatically terminate on the expiry or termination of the relevant Service Document. SecureWorks will retain ownership of all copies of the Documentation. In addition, except as set forth in Sections 6.1 and 6.4, Customer agrees that SecureWorks is the owner of all right, title and interest in all IP in any work, including, but not limited to, all inventions, methods, processes, and computer programs including any source code or object code, (and any enhancements and modifications made thereto) contained within the Services and/or Products (collectively, the “Works”), developed by SecureWorks in connection with the performance of the Services hereunder and of general applicability across SecureWorks’ customer base, and Customer hereby assigns to SecureWorks all right, title and interest in any copyrights that Customer may have in and to such Works. Without limiting the foregoing, SecureWorks will own all right, title and interest in all IP in any advisory data, threat data, vulnerability data, analyses, summaries, bulletins and information made available to Customer in SecureWorks’ provision of its Counter Threat Intelligence Services (“TI Reports”). During the Term, SecureWorks grants to Customer a limited, non-exclusive license to use such Works and TI Reports solely for the Customer to receive the Services hereunder for Customer’s internal security purposes only.
6.4 Customer Reports. Customer shall own all right, title and interest in and to any written summaries, reports, analyses, and findings or other information or documentation prepared uniquely and exclusively for Customer, in connection with the Consulting Services (the “Customer Reports”) and as expressly specified in the relevant SOW. The provision by Customer of any Customer Report or any information therein to any unaffiliated third party shall not entitle such third party to rely on the Customer Report or the contents thereof in any manner or for any purpose whatsoever, and SecureWorks specifically disclaims all liability for any damages whatsoever (whether direct, indirect, or consequential) arising from or related to reliance by any third party on any Customer Report or any contents thereof. Customer agrees to indemnify and hold SecureWorks harmless from and against any claims, costs, expenses (including legal expenses), damages, liabilities and penalties whatsoever affecting SecureWorks as a result of Customer’s provision of any Customer Report or any information therein to any third party.
6.5 Return of Proprietary Information. Upon termination of this MSA, each party will, at the request of the other party and to the extent practicable, return, or upon the other party’s request, destroy, all copies of the other party’s IP and/or Confidential Information, including any Customer Data, in such party’s possession, custody or control, provided, however, that SecureWorks will be entitled to retain one copy of the Customer Data as necessary to comply with any legal, regulatory, judicial, audit, or internal compliance requirements. SecureWorks may defer the return or deletion of Customer Data to the extent and for the duration that any such Customer Data or copies thereof cannot reasonably and practically be expunged from SecureWorks’ systems (e.g. because they are held in backups, archives and/or disaster recovery files that are not readily available) and for such deferred period all of the provisions of this MSA shall continue to apply to such Customer Data. For Customer Equipment, Customer shall erase, destroy and cease use of all Software located on such Customer Equipment upon the expiration or termination of the Term.
7. Customer Responsibilities.
7.1 Cooperation. Customer acknowledges that SecureWorks’ performance and delivery of the Services are contingent upon: (a) Customer providing safe and hazard-free access and use to its personnel, facilities, equipment, hardware, network and information as deemed reasonably necessary for SecureWorks to perform or implement the Services; and (b) Customer’s timely decision-making, providing the requested information and granting of approvals or permissions. Customer will promptly obtain and provide to SecureWorks any required licenses, approvals or consents necessary for SecureWorks’ performance of the Services. SecureWorks will be excused from its failure to perform its obligations under this MSA to the extent such failure is caused by any delay, default, act or omission by Customer, Customer Affiliates, employees, suppliers or representatives. SecureWorks shall be entitled to charge the Customer for any additional costs it incurs in providing the Services arising out of or in connection with any of the events referred to in Section 7.1.
8.1 Confidential Information. Customer and SecureWorks may have access to or be exposed to information of the other party not generally known to the public, including, but not limited to software, product plans, marketing and sales information, customer lists, “know-how,” or trade secrets which may be designated as being confidential or which, under the circumstances surrounding disclosure, ought to be treated as confidential (collectively, “Confidential Information”).
8.2 Each party may have access to or be exposed to Confidential Information and any Confidential Information shall: (i) be kept confidential; (ii) only be used in connection with the proper performance of this MSA; and (iii) not be shared with third parties unless such disclosure is to the recipient party’s representatives (including directors, officers, employees, agents, auditors, professional advisers and subcontractors of the recipient party or its Affiliates) strictly on a need-to-know basis in connection with this MSA and provided that such representatives have agreed in writing to treat such Confidential Information under terms consisting of similar obligations as those set out in this Section 8.
8.3 The parties agree that disclosure of the disclosing party’s Confidential Information by the recipient party could cause irreparable harm. In such circumstances, the disclosing party shall be entitled to apply for equitable relief, including injunctive relief in addition to other rights and remedies.
8.4 The restrictions set out in this Section 8 shall not apply to information that: (i) was known by the recipient party receiving Confidential Information from the disclosing party in accordance with this MSA prior to its receipt from the disclosing party; (ii) is or becomes public knowledge through no fault of the recipient party; (iii) is rightfully received by the recipient party from a third party without a duty of confidentiality; or (iv) a recipient party is required or requested to divulge by any court, tribunal or government agency with competent jurisdiction to which either party is subject, wherever situated.
8.5 If a recipient party is required by a court, tribunal or government agency with competent jurisdiction to which either party is subject, wherever situated, to disclose Confidential Information, the recipient party shall, where possible, provide written notice to the disclosing party prior to such a disclosure.
8.6 Subject to legal requirements, each party agrees to return to the other party on request all Confidential Information and any other materials belonging to the other party (including copies), regardless of the media and regardless by whom prepared, and whether held by it or its representatives, within ten (10) days after demand for the materials or in any event within ten (10) days after termination or expiration of this MSA and shall, on request, destroy any other records (including, without limitation, those in machine-readable form) containing Confidential Information.
8.7 This Section 8 shall survive for three (3) years following any termination or expiration of this MSA; provided that with respect to any Confidential Information remaining in the receiving party’s possession following any termination or expiration of this MSA, the obligations under this Section 8 shall survive for as long as such Confidential Information remains in such party’s possession.
9. Limited Warranty and Limitation of Liability.
9.1 Limited Warranty. SecureWorks warrants that the Services shall be performed with reasonable skill and care.
9.1.1 SecureWorks shall not be liable for any action, claim or demand arising from:
(a) any misuse by Customer of the Products;
(b) any alteration, modification, adjustment or repair of the Products by Customer or a third party without SecureWorks’ prior written consent;
(c) any failure by Customer to comply with its obligations in a timely manner;
(d) any failure by Customer to follow SecureWorks’ lawful instructions or recommendations;
(e) SecureWorks acting on any instructions or recommendations made by Customer;
(f) any third party equipment or software provided by SecureWorks, in respect of which Customer shall only be entitled to the benefit of any manufacturer’s warranties, guarantees or service contract terms and conditions applicable to such equipment or software.
For the purposes of this Section 9.1.1, Customer shall be deemed to include the employees, advisers and subcontractors of the Customer and those of Customer Affiliates.
9.1.2 SecureWorks does not warrant that the Software will operate uninterrupted or error free.
9.1.3 All other warranties, conditions and other terms implied by statute or common law are, to the fullest extent permitted by law, excluded.
9.2 Limitation of Liability.
9.2.1 The exclusions and limitations of liability set out in this MSA do not apply to liability arising from: (a) any indemnity under this MSA; (b) death or personal injury resulting from negligence; (c) fraud or fraudulent misrepresentation; and/or (d) anything else that cannot be excluded or limited by law.
9.2.2 Neither party shall be liable to the other party for: (a) loss of profit, income, revenue or savings; (b) loss of use of Customer’s system(s) or networks; (c) loss of goodwill or reputation; (d) loss of, corruption of, or damage to data or software; (e) loss of or recovery of data or programs; (f) loss of business opportunity, business interruption or downtime and/or (g) special, indirect or consequential loss or damages.
9.2.3 SecureWorks’ total liability (whether in contract, tort (including negligence), breach of statutory duty, or otherwise) for all claims arising out of or in connection with any Service Document in any year beginning on the commencement date of such Service Document (and each anniversary thereof) (“Contract Year”) shall not exceed the aggregate of (a) fees paid and payable by the Customer for Services under such Service Document already performed in the relevant Contract Year, and (b) any fees that would have become payable by the Customer for Services not yet performed under such Service Document in the relevant Contract Year.
10. Data Privacy.
10.1 In this Section 10, the terms “data controller”, “data processor”, “personal data” and “processing” shall be as defined in the European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Directive”) as amended or superseded from time to time.
10.2 Customer shall, as a data controller, comply with all applicable laws and regulations regarding privacy, data protection and/or the processing of personal data, including without limitation, the Directive (“Privacy Laws”) and shall obtain all necessary authorisations and consents for fair and lawful processing of personal data prior to disclosing such personal data to SecureWorks.
10.3 If the Services involve the processing of personal data by SecureWorks on Customer’s behalf, SecureWorks shall:
10.3.1 process such personal data only in accordance with Customer’s reasonable and lawful instructions;
10.3.2 implement appropriate and reasonable technical and organisational measures to protect the personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access;
10.3.3 limit disclosure of the personal data to the extent necessary to provide the Services or as otherwise permitted under this MSA or by Customer in writing or by any applicable Privacy Laws;
10.3.4 take reasonable steps to ensure the reliability of its personnel that may have access to the personal data and to ensure they are appropriately trained in the handling of personal data; and
10.3.5 promptly notify Customer of any request SecureWorks receives from data subjects relating to the exercise of their rights under applicable Privacy Laws and, if requested to do so by the Customer, provide Customer with reasonable assistance in responding to such requests, subject to the payment by Customer of SecureWorks’ reasonable professional charges for the time engaged by SecureWorks staff in so doing.
10.4 Customer authorises SecureWorks to collect, use, store and transfer the personal data Customer provides to SecureWorks for the purpose of performing SecureWorks’ obligations under this MSA and for any additional purposes described, pursuant to this MSA.
10.5 SecureWorks may, in connection with the provision of the Services or in the normal course of business, make worldwide transfers of Customer Data that may include personal data to its Affiliates and subcontractors. When making such transfers, SecureWorks shall ensure appropriate protection is in place to safeguard any personal data transferred under or in connection with this MSA. Where the provision of Services requires the transfer of personal data (in respect of which Customer is the data controller) from the European Economic Area (“EEA”) to countries outside the EEA (which do not provide an adequate level of protection as required under Article 25 of Directive 95/46/EC), such transfer shall be subject to the following requirements:
(i) SecureWorks has implemented appropriate security measures to adequately protect such personal data which shall include the measures referred to in clause 13.4 below;
(ii) SecureWorks has in place intra-group agreements with any Affiliates which may have access to the personal data, which agreements shall incorporate the European Commission approved Standard Contractual Clauses (“Standard Contractual Clauses”); and
(iii) SecureWorks has in place, where appropriate, agreements with its subcontractors that incorporate the Standard Contractual Clauses.
11.1 SecureWorks shall indemnify Customer and Customer Affiliates from and against all claims, demands, actions, losses, expenses, liabilities, judgments, settlements, damages and costs (including all interest, penalties and legal and other professional costs and expenses) (“Claim(s)”) incurred by Customer arising out of or in connection with any third party claim that SecureWorks branded Products and/or Services (excluding open source software incorporated within them) prepared or produced by SecureWorks and delivered pursuant to this MSA infringe that third party’s IP rights enforceable in the United Kingdom (“IPR Claim”).
11.2 If SecureWorks receives prompt notice of an IPR Claim that, in SecureWorks’ reasonable opinion, is likely to result in an adverse ruling, then SecureWorks shall at its option: (a) obtain a right for Customer to continue using such Products or for SecureWorks to continue performing the Services; (b) modify such Products, and/or Services to make them non-infringing; (c) replace such Products and/or Services with a non-infringing equivalent; or (d) refund any prepaid charges for the allegedly infringing Services that have not been performed or provide a reasonable pro rata refund for the allegedly infringing Products.
11.3 Customer shall: (a) promptly notify SecureWorks in writing of any IPR Claim or the likelihood of any such IPR Claim; (b) provide SecureWorks with the sole right to control the defence and disposition of the IPR Claim; and (c) not use SecureWorks’ name in connection with any IPR Claim without SecureWorks’ prior written consent. SecureWorks shall not be liable for any IPR Claim to the extent that it arises from any matter set out in Section 9.1.1 (a) to (f).
11.4 Sections 11.1 and 11.2 set out the sole and exclusive remedies for any IPR Claim.
11.5 Customer shall (a) be responsible for any acts or omissions of Customer Affiliates who receive the Services as if such acts or omissions were the Customer’s own and (b) indemnify SecureWorks from and against all Claims incurred by SecureWorks, its Affiliates, its officers, agents and subcontractors arising out of or in connection with any breach of the terms of this MSA by any Customer Affiliate receiving or having access to the Services provided hereunder.
11.6 Customer hereby represents and warrants that: (A) Customer has obtained the necessary consent from each Customer Affiliate for SecureWorks to access such Customer Affiliate’s networks and data in connection with providing the Services, and (B) each Customer Affiliate agrees to, and is hereby legally bound by, the terms of this MSA.
11.7 Customer shall indemnify SecureWorks and its Affiliates from and against all Claims arising out of or in connection with any of the following: (a) Customer’s or Customer Affiliate’s failure to obtain any licences, consents, or other approvals; (b) Customer’s or Customer Affiliate’s breach of SecureWorks’ IP; (c) any use of Customer Data and/or any use of Customer IP; and (d) Customer’s or Customer Affiliate’s breach of any export laws.
11.8 In respect of any Claim under the indemnities set out in this Section 11, the relevant party shall: (a) mitigate any loss or damage arising from such Claim; (b) provide reasonable cooperation to the other party in the defence of such Claim; and (c) not settle or compromise any indemnity claim or make any admission of liability without the other’s prior written consent.
12.1 Customer acknowledges that the Products and/or Services provided under this MSA (which may include technology and encryption): (a) are subject to U.S. and European customs and export control laws; (b) may be rendered or performed in countries outside the U.S. or Europe, or outside of the borders of the country in which Customer or Customer’s products are located; and/or (c) may also be subject to the customs and export laws and regulations of the country in which the Products and/or Services are rendered or received.
12.2 Under these laws and regulations, Products and/or Services purchased under this MSA may not be sold, leased or otherwise transferred to restricted end users or to restricted countries. Customer agrees to abide by these laws and regulations.
12.3 In addition, the Products and/or Services may not be sold, leased or otherwise transferred to, or utilised by, an end user engaged in activities related to weapons of mass destruction, including but not necessarily limited to, activities related to the design, development, production or use of nuclear materials, nuclear facilities, or nuclear weapons, missiles or support of missile projects, or chemical or biological weapons.
12.4 Customer represents that any software provided by it and used as part of the Products and/or Services contains no encryption or, to the extent that it contains encryption, such software is approved for export without a licence, or the Customer provides evidence to SecureWorks’ satisfaction that appropriate licence terms are in place for such software containing encryption.
12.5 If Customer cannot make the preceding representation, Customer agrees to provide SecureWorks with all of the information needed for SecureWorks to obtain export licences from the U.S. government and/or any other applicable national government and to provide SecureWorks with such additional assistance as may be necessary to obtain such licenses. Notwithstanding the foregoing, Customer is solely responsible for obtaining any necessary licenses relating to the export of software. SecureWorks also may require export certifications from Customer for Software.
12.6 SecureWorks’ acceptance of any Service Document for Products and/or Services is contingent on the issuance of any applicable export license required by the U.S. Government and/or any other applicable national government. SecureWorks shall not be liable for delays or failure to deliver Products and/or Services resulting from Customer’s failure to obtain such licence or to provide such certification.
13. Important Additional Terms.
13.1 Independent Contractor Relationship; Assignment; Subcontracting; Audit. The parties are independent contractors. Neither party will have any rights, power or authority to act or create an obligation, express or implied, on behalf of another party except as specified in this MSA. Neither party will use the other party’s name (except internal use only), trademark, logos, or trade name without the prior written consent of the other party. Customer acknowledges and agrees that SecureWorks has the right to assign, subcontract or delegate in whole or in part this MSA, or any rights, duties, obligations or liabilities under this MSA, or any obligations relating to the processing of Customer Data (including without limitation any personal data), by operation of law or otherwise, provided that SecureWorks shall remain responsible for the performance of Services under this MSA. Otherwise, neither party may assign this MSA without the permission of the other party.
13.2 Entire Agreement; Amendments. This MSA and the Service Documents represent the entire agreement between SecureWorks and Customer with respect to its subject matter and supersede all prior oral and written understandings, agreements, communications, and terms and conditions attached to or contained within a purchase order issued by Customer in connection with the Services, including, but not limited to, any security or privacy agreements executed by the parties. No amendment to or modification of this MSA, in whole or in part, will be valid or binding unless it is in writing and executed by authorized representatives of both parties; provided, however, that the SLA(s) may be amended from time to time by SecureWorks, as reasonably necessary, in its reasonable discretion as long as such amendments: (a) will have no material adverse impact on the Services, Service levels or Service credits currently being provided to Customer by SecureWorks; and (b) are being effected with respect to other SecureWorks customers.
13.3 Force Majeure. Neither party shall be liable to the other party for any failure to perform any of its obligations (except payment obligations) under this MSA during any period in which such performance is delayed by circumstances beyond its reasonable control including, but not limited to, fire, flood, war, embargo, strike, riot or the intervention of any governmental authority (a “Force Majeure”). In such event, however, the delayed party must promptly provide the other party with written notice of the Force Majeure. The delayed party’s time for performance will be excused for the duration of the Force Majeure, but if the Force Majeure event lasts longer than thirty (30) days, the other party may immediately terminate the applicable Service Document by giving written notice to the delayed party.
13.4 Audit and certifications. Upon a 30-day written request (or shorter notice period where required by applicable law, an order of a supervisory authority, in the event of a data breach or as otherwise agreed between the parties), the Customer (or Permitted Auditor as defined below) has the right to conduct an annual, onsite audit (which must take place during normal business hours) of SecureWorks’ controls for safeguarding Customer Data. Such audit must be limited to those processing activities and facilities which are directly involved in the processing of Customer Data. Any access to sensitive or restricted facilities is strictly prohibited – in accordance with regulatory restrictions on access to other customers’ data (although a Permitted Auditor shall be entitled to observe the security operations center via a viewing window) and Customer shall not (and must ensure that any Permitted Auditor shall not) allow any sensitive documents and/or details regarding SecureWorks’ policies, controls and/or procedures to leave the SecureWorks location at which the audit is taking place (whether in electronic or physical form). Customer must comply at all times with SecureWorks’ relevant on site policies and procedures (as notified to Customer by SecureWorks). The audit should not take longer than three business days, and if the audit exceeds this timeframe, the Customer will be required to pay for resources necessary to complete the audit. In this clause the term “Permitted Auditor” shall mean a third party appointed by the Customer which is bound by equivalent obligations of confidentiality to those set out in this MSA and is not a direct competitor of SecureWorks. SecureWorks reserves the right to require any Permitted Auditor to execute a confidentiality agreement with SecureWorks prior to the commencement of an audit.
SecureWorks is ISO/IEC 27007:2013 certified, as well as ISO 27001 and ISO 9001 certified. SecureWorks, as a managed security service provider, aligns with and follows security best practices outlined by COBIT, NIST SP800-53, FFIEC (including GLBA-Security and Privacy), and FIPS (FIPS 140-2 Encryption), as well as entities such as US-CERT (United States Computer Emergency Readiness Team). In addition, a FFIEC examination and SSAE16 (SOC1, Type II) and AT101 (SOC2, Type II) attestation are conducted annually.
13.5 Representations; Severability; Section Headings. The parties agree that no representations, warranties, undertakings or promises have been given (express or implied) in respect of the subject matter of this MSA, other than those which are expressly stated in this MSA. Neither party shall have any remedy in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) not set out in this MSA upon which it relied in entering into this MSA. Nothing in this MSA shall limit or exclude any liability for fraud. If any provision of this MSA is void or unenforceable, the remainder of this MSA will remain in full force and effect. Section headings are for reference only and shall not affect the meaning or interpretation of this MSA.
13.6 Notices. Notices under this MSA must be in writing and sent by postage prepaid first-class mail or receipted courier service to the other party at the address below or to such other address (incl. facsimile or electronic) as specified in writing and will be effective upon receipt. In the case of the Customer, notices shall be sent to the address set out in the Service Document. In the case of SecureWorks, notices shall be sent to:
Legal Department, SecureWorks Europe Ltd.
Dell House, Cain Road
Bracknell, Berkshire RG12 1LF
This Section 13.6 shall apply for formal contract notices only and shall not limit the parties’ ability to communicate via electronic mail or other methods as agreed to by the parties for routine communications.
13.7 Governing Law, Forum. This MSA and any disputes or claims arising out of or in connection with its subject matter (including non-contractual disputes or claims) are governed by and construed in accordance with English law. The parties irrevocably agree that the English courts shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this MSA including disputes relating to non-contractual obligations.
13.8 Third Party Rights. Except as expressly set out in this MSA, any person who is not a party to this MSA or who has not entered into a Service Document directly with SecureWorks for Services shall have no right under the Contracts (Rights of Third Parties) Act 1999 to enforce against the parties to this MSA any term of this MSA. Notwithstanding Section 2(1) of the Contracts (Rights of Third Parties) Act 1999, the parties may in writing vary, rescind or terminate this Agreement (whatever the nature of such variation, rescission or termination) without seeking the consent of any third party on whom this Section 13.7 confers rights.
13.9 Dispute Resolution. The parties will attempt to resolve any claim, or dispute or controversy (whether in contract, tort or otherwise) arising out of or relating to this MSA or any Service Document (a “Dispute”) through face-to-face negotiation with persons fully authorized by the relevant parties to resolve the Dispute. The existence or results of any such negotiation will be treated as confidential. In the event the parties are unable to resolve the Dispute within thirty (30) days of notice of the Dispute to the other party, the parties shall be free to pursue all remedies available at law or equity.
13.10 Limitation Period. Neither party may institute any action in any form arising out of or in connection with this MSA more than two (2) years after the cause of action has arisen except where Section 8.7 applies.
13.11 Survival. All Sections shall survive the expiration or termination of this MSA or any Service Document, except for Sections 3 and 10.
This Appendix applies to the Services set out below
Applicable to Security Services: Should an SOW include security scanning, testing, assessment, forensics, or remediation Services (“Security Services”), Customer understands that SecureWorks may use various methods and software tools to probe network resources for security-related information and to detect actual or potential security flaws and vulnerabilities. Customer authorizes SecureWorks to perform such Security Services (and all such tasks and tests reasonably contemplated by or reasonably necessary to perform the Security Services) on network resources with the internet protocol addresses (“IP Addresses”) identified by Customer. Customer represents that, if Customer does not own such network resources, it will have obtained consent and authorization from the applicable third party to permit SecureWorks to provide the Security Services on such third party’s network resources. SecureWorks shall perform Security Services during a timeframe mutually agreed upon with Customer. The Security Services, such as penetration testing or vulnerability assessments, may also entail buffer overflows, fat pings, operating system specific exploits, and attacks specific to custom coded applications but will exclude intentional and deliberate DOS (“Denial of Service”) attacks. Furthermore, Customer acknowledges that the Security Services described herein could possibly result in service interruptions or degradation regarding the Customer’s systems and accepts those risks and consequences. Upon execution of an SOW for such Security Services, Customer consents and authorizes SecureWorks to provide any or all of the Security Services specified in the applicable SOW with respect to the Customer’s systems. Customer further acknowledges that it is the Customer’s responsibility to restore network computer systems to a secure configuration after the completion of SecureWorks’ testing.
Applicable to Compliance Consulting Services: Should an SOW include compliance testing or assessment or other similar compliance advisory Services (“Compliance Services”), Customer understands that, although SecureWorks' Compliance Services may discuss or relate to legal issues: (i) SecureWorks does not provide legal advice or services; (ii) none of such Compliance Services shall be deemed, construed as or constitute legal advice; and (iii) Customer is ultimately responsible for retaining its own legal counsel to provide legal advice. Furthermore, the Customer Reports provided by SecureWorks in connection with any Compliance Services shall not be deemed to be legal opinions and may not and should not be relied upon as proof, evidence or any guarantee or assurance as to Customer’s legal or regulatory compliance.
Applicable to Payment Card Industry Compliance Consulting Services: Should an SOW include payment card industry (“PCI”) compliance auditing, testing or assessment or other similar PCI compliance advisory Consulting Services (“PCI Compliance Services”), Customer understands that SecureWorks' PCI Compliance Services do not constitute any guarantee or assurance that security of Customer’s systems, networks and assets cannot be breached or are not at risk. PCI Compliance Services are an assessment, as of a particular date, of whether Customer’s systems, networks, assets, and any compensating controls meet the applicable PCI standards. Mere compliance with PCI standards may not be sufficient to eliminate all risks of a security breach of Customer’s systems, networks and assets. Furthermore, SecureWorks is not responsible for updating its reports and assessments, or enquiring as to the occurrence or absence of such, in light of changes to Customer’s systems, networks and assets after the date that SecureWorks issues its final Customer Report pursuant to an SOW, absent a Change Order or a separately signed SOW expressly requiring the same.
Risk and Limitations: Certain Consulting Services follow a defined sampling methodology, rather than being driven by a specific end result or deliverable. This methodology aims to reduce cost while at the same time minimizing any detrimental impact on the accuracy and reliability of the results. Due to the inherent risks and limitations associated with this methodology, SecureWorks cannot guarantee: (i) the outcome of its testing, assessment, forensics, or remediation methods; and/or (ii) that all weaknesses, noncompliance issues or vulnerabilities will be discovered (sub-sections (i) and (ii) together collectively referred to as the “Risks and Limitations”). Customer acknowledges and accepts these Risks and Limitations.