STANDARD TERMS AND CONDITIONS FOR PRODUCT VENDOR MEMBERSHIP

In consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:

I.  Definitions.

Affiliate means any corporation, firm, limited liability company, partnership or other entity that directly or indirectly controls or is controlled by or is under common control with a Party. Affiliate excludes any entity that is located in or organized under the laws of the People’s Republic of China, including the Hong Kong Special Administrative Region.

CIS Benchmarks means consensus based secure configuration guidelines applicable to a variety of operating systems, middleware and software applications, and network devices.

CIS Benchmark Certification means the granting from CIS of a certification mark and corresponding permissions as set forth at section II(D). 

CIS Controls means the CIS Critical Security Controls.

CIS SecureSuite means the cybersecurity configuration and remediation membership offerings provided by CIS, as set forth in this Agreement.

CIS SecureSuite Products includes any or all of the following: CIS Benchmarks and CIS Controls in any format provided, CIS-CAT Pro (including CIS-CAT Pro Assessor and CIS-CAT Pro Dashboard), CSAT Pro, CIS Workbench community site, product guides, CIS Build Kits and other products offered by CIS from time to time, as set forth at https://www.cisecurity.org/cis-securesuite/benefits/

II.  Membership Benefits.

Under the terms and conditions set forth in this Agreement, CIS grants to Customer a Product Vendor Membership that entitles Customer to the following benefits:

      A.  Organizational Use

          1.  Access to and use of the CIS SecureSuite Products and the right to distribute the CIS SecureSuite Products within and among Customer’s Affiliates.

          2.  Unlimited access to and use of the CIS Workbench site (a community site where SecureSuite resources are developed) for access to CIS SecureSuite Products, including forums for information sharing, user support, and discussions among members, developers, and CIS staff. Individual users of the CIS Workbench site shall be required to acknowledge terms of service as a condition to accessing the site.

          3.  Electronic notification of updates to the CIS SecureSuite Products.

          4.  CIS SecureSuite Products support from CIS staff and developers.

          5.  At Customer’s option, listing of Customer on the dedicated CIS SecureSuite Member pages of the CIS public website and in other promotional materials.

          6.  The right to use the CIS SecureSuite Membership logo as set forth in the CIS Logos, Trademark and Intellectual Property Use Policy set forth at https://www.cisecurity.org/cis-logos-and-trademark-use-policy/, as such Policy may be amended from time to time.

          7.  Updates or improvements of existing CIS SecureSuite Products that are made in the ordinary course of business and provided pursuant to this Agreement.

          8.  The ability to edit/modify CIS Benchmarks for use within Customer’s organization based upon Customer’s unique internal specifications and requirements (a “Customized Benchmark”). Once a Customized Benchmark is created, Customer is prohibited from labeling or identifying such Customized Benchmark as a “CIS Benchmark.” Such Customized Benchmark shall not be considered a “derivative work” pursuant to section VII(E) of this Agreement.

      B.  Consulting Use

          1.  For onsite consulting engagements, the right for Customer to download, install, and use the CIS SecureSuite Products on Customer Clients’ computer network or environment, including any third-party network or cloud environment hosting Customer Clients’ data, for the sole purpose of providing information security consulting and auditing services to those Customer Clients, provided that, at the end of each consulting/auditing engagement, Customer must remove all copies of any CIS SecureSuite Products from Customer Clients’ computers, networks, systems, and organizational environments that have been installed or provided to those Customer Clients.

          2.  For remote consulting engagements, the right for Customer to be given direct access to a time-limited version of CIS-CAT Pro, for the sole purpose of providing information security consulting and auditing services to those Customer Clients, provided that Customer Client agrees to use CIS-CAT Pro time-limited version only to assess Customer Client’s internal system.

          3.  Notwithstanding any license terms for the CIS Controls to the contrary, CIS hereby provides Customer a non-exclusive, non-transferable worldwide license to use the CIS Controls in the context of any consulting engagement, including developing Customized Policies as defined below.

          4.  The right for Customer to assist Customer Clients in developing security configuration and/or security metrics policies that are specifically customized to meet Customer Clients’ information security needs (“Customized Policies”), provided that Customer Clients agree to:

               a.  use any Customized Policies only for securing Customer Clients’ internal systems or Customer Clients’ data hosted in a third-party network or cloud environment; and

               b.  not distribute any Customized Policies beyond Customer Clients’ organizations.

Once a Customized Policy is created by Customer, Customer may represent to Customer Clients that such Customized Policy leverages one or more CIS SecureSuite Products but not that it incorporates any CIS SecureSuite Product(s). Customer is not required to remove Customized Policies from Customer Clients’ computers, networks, systems, and organizational environments at the end of consulting/auditing engagements.

          5.  CIS agrees that Customer may charge Customer Clients for training, installation, programming and other services, even if those services relate to the CIS SecureSuite Products.

          6.  The right for Customer to use the CIS SecureSuite Logo as set forth at https://www.cisecurity.org/cis-logos-and-trademark-use-policy/ as such Policy may be amended from time to time.

      C.  Organizational and Consulting Use Restrictions

          1.  Customer may not charge Customer Clients directly for the CIS SecureSuite Products and neither Customer nor any Customer Clients may sell, resell, or distribute the CIS SecureSuite Products.

          2.  Customer agrees not to provide CIS with any personal information, as defined under the Personal Information Protection Law of the People’s Republic of China (“PIPL”), of individuals who are citizens of China, including the Hong Kong Special Administrative Region.  Failure to comply with the restriction in this Section II.C.2 shall be a material breach of this Agreement.  

      D.  CIS Benchmark Certification, Use, and Distribution

          1.  The right to integrate the CIS Benchmarks into Customer’s security product(s) for the purpose of submitting said product(s) to CIS for CIS Benchmark Certification (“Certification”) with no limit on Certifications per Term.

          2.  The right to apply for Certification via the process set forth on the CIS website at https://www.cisecurity.org/cis-securesuite/pricing-and-categories/product-vendor/and thereby earn the right to mark Customer’s product(s) with the applicable CIS Benchmark Certification mark. Customer shall be required to identify which type of certification it is seeking. A product may be submitted for one or multiple certifications. Pursuant to such application, Customer hereby warrants and represents that any and all information submitted to CIS is true, accurate, and complete, can be relied upon by CIS, for all purposes, including but not limited to, in granting or denying a Certification application and does not infringe upon the rights of any other Party, including intellectual property rights.

          3.  The right to distribute the CIS Benchmarks to Customer’s client(s) for use solely in conjunction with Customer’s CIS Benchmark Certified Products (“CIS Certified Products”) and permission to utilize the CIS Benchmarks Certification mark and applicable CIS Certification mark in accordance with the terms and conditions of the CIS Logos, Trademark and Intellectual Property Use Policy set forth at https://www.cisecurity.org/cis-logos-and-trademark-use-policy/ as such Policy may be amended from time to time. 

      E.  CIS Controls Use and Distribution

          1.  The right to integrate the CIS Controls into Customer’s security product(s). The integration of the CIS Controls alone or in addition to integration of the CIS Benchmarks as permitted in section II(D) above, do not require certification beyond the process set forth therein. However, CIS shall have the right of inspection of Customer’s security product(s) to review the integration of the CIS Controls. Customer is prohibited from modifying the CIS Controls without prior written consent of CIS.

          2.  The right to distribute the CIS Controls to Customer’s client(s) for use solely in conjunction with Customer’s security products incorporating the CIS Controls.

     F.  CIS Benchmark and CIS Controls Use and Distribution Restrictions

          1.  Customer shall be prohibited from utilizing the names “Center for Internet Security, Inc.” or “CIS” in the product name, other than to refer to the product as a “CIS Certified Product” as set forth in section II(D)(3).

          2.  CIS is not selling, transferring, licensing or in any way granting Customer a right to extend any rights granted herein to Customer’s end-user customers. Nothing herein shall be interpreted as CIS permitting such end-user customer to resell or claim any CIS certification and Customer shall take reasonable commercial steps to ensure that its end-user customers are made aware of such restrictions.

III.  Membership Fees.

      A.  Product Vendor Initial Membership Fee. In exchange for the rights granted by CIS to Customer in Section II of this Agreement, Customer agrees to pay CIS a membership fee (“Membership Fee”) as set forth in an Order which shall be incorporated and made a part of this Agreement, which shall be due and payable within thirty (30) days of the Effective Date. Membership Fee payment may be made by: (i) EFT transfer; (ii) check made payable to Center for Internet Security and mailed to CIS Accounts Receivable, 31 Tech Valley Drive, East Greenbush, NY 12061; or (iii) credit card transaction according to the instructions provided to Customer by CIS. The amount of the Membership Fee to be paid by Customer to CIS pursuant to this section shall not be reduced by any amount of any taxes or fees to be collected by a taxing jurisdiction, financial institution or payment processor incidental to the payment of Membership Fee by Customer to CIS.

      B.  Product Vendor Renewal Membership Fee. If the Parties renew this Agreement pursuant to section IV(A), Customer’s renewal membership fee (“Renewal Membership Fee”) will be set forth on an Order that is provided to Customer no less than thirty (30) days prior to the expiration of any Term of this Agreement. This fee shall be due to CIS no later than the first day of the Membership renewal term, using any of the methods described in section III(A) above. CIS in its sole discretion and as a courtesy to Customer may elect to permit continued usage of the CIS SecureSuite Products after the termination date and while the parties negotiate renewal terms in good faith. In such event, the terms of this Agreement shall not be deemed to have renewed but shall only continue until either a new Agreement is executed or agreed to between the Parties or the agreement is terminated by denying continued access as set forth in section III(D) below.

      C.  Non-Payment of Membership Fee or Renewal Membership Fee. In the event of non-payment of any undisputed Membership Fee or Renewal Membership fee by Customer, CIS reserves the right to restrict Customer’s access to the CIS SecureSuite Products until such time as payment has been rendered.

      D.  Accounts Payable Contact Information. Customer shall designate a point of contact for accounts payable regarding this Agreement.

IV.  Term and Termination.

      A.  Term. This Agreement will commence on the Effective Date and, unless earlier terminated as provided for in IV(B), below, will continue for the term set forth in an Order, which shall be incorporated and made a part of this Agreement (the “Initial Term”). Thereafter, this Agreement shall not automatically renew and may be renewed upon mutual written agreement of both Parties.

      B.  Right to Terminate. Both CIS and Customer shall have the right to terminate this Agreement for convenience or nonperformance by the other Party, by providing at least thirty (30) days written notice to the other Party. Both CIS and Customer shall have the right to terminate this Agreement immediately in the event of the other Party’s material breach of this Agreement. Material breach shall include any Party’s violation of applicable law, and Customer’s failure to comply with the data restriction set forth in Section II.C.2 of this Agreement. Customer will cease use of the CIS SecureSuite Products as of the date of such termination. 

          Except in the case of a termination for material breach, for a period of ninety (90) from the date of termination, Customer shall be permitted to continue selling, using, and distributing its products as set forth in Sections II(D) and (E) (“Wind Down Period”). Upon the end of the “Wind Down Period,” Customer shall be prohibited from the further sale, use or distribution of any product or service that continues to incorporate or is built upon any CIS SecureSuite Product, regardless of whether such product or service has been previously certified as a “CIS Certified Product” and will cease from engaging in any reference to CIS, use of the CIS logo or any other CIS marks in relation to a product previously certified or permitted pursuant to this Agreement. Upon CIS request, following the conclusion of any Wind Down Period, Customer shall verify in writing to CIS that the CIS Controls and all CIS trademarks or logos have been removed from its products, pursuant to the requirements of this section. For clarity and per the license rights set forth in sections II(D) and (E) above, CIS acknowledges that Customers’ end users will be entitled to continue to use the results from use of the Combined Services perpetually.

          In the event of termination by CIS for nonperformance or material breach by Customer, or for convenience by Customer, Customer will not be entitled to a refund of any Membership Fee or Renewal Membership Fee that has been paid by Customer to CIS. In the event of termination by Customer for nonperformance or material breach by CIS, or for convenience by CIS, Customer will be entitled to a prorated refund of any unused Membership Fee or Renewal Membership Fee that has been paid by Customer to CIS.

V.  CIS SecureSuite Products Provided As Is.

CIS makes reasonable efforts to utilize and maintain the most secure programs available to screen and protect CIS’s computer programs, websites, and computer infrastructure from malware. However, Customer understands and agrees that CIS is providing the CIS SecureSuite Products “as is” and “as available” without any representations, warranties, or covenants of any kind whatsoever.

VI.  Ownership Rights of Intellectual Property and CIS SecureSuite Products Reserved.

Customer is not acquiring any title or ownership rights in or to any of the CIS SecureSuite Products or associated intellectual property, and full title and all ownership rights to the CIS SecureSuite Products and associated intellectual property remain the exclusive property of CIS. Customer further understands and agrees that the use of Trademarks in connection with this Agreement does not create any right, title or interest in or to the use of Trademarks and that all such use and goodwill associated with Trademarks will inure to the sole benefit of CIS. Customer further agrees that it will comply with the terms and conditions of the CIS Logos, Trademark and Intellectual Property Use Policy, set forth at www.cisecurity.org/cis-logos-and-trademark-use-policy/ as such Policy may be amended from time to time. All rights to the CIS SecureSuite Products not expressly granted in this Agreement are hereby reserved.

VII.  Restrictions.

Customer acknowledges and agrees that except as otherwise expressly permitted in this Agreement, Customer may not: (A) decompile, disassemble, alter, reverse engineer, or otherwise attempt to derive the source code for any CIS SecureSuite Product (except to the extent that such product is already in the form of source code); (B) distribute or redistribute, sell, rent, lease, sublicense or otherwise transfer or exploit any rights to any CIS SecureSuite Product in any way or for any purpose including, without limitation, creating an image incorporating any CIS Benchmark or derivative content (including without limitation remediation content) and offering or using that image as a product or service made available to a third party; (C) post any CIS SecureSuite Product on any website, bulletin board, ftp server, newsgroup, or other similar mechanism or device; (D) remove from or alter the terms of use or any proprietary notice placed on any CIS SecureSuite Product; (E) create any derivative work based directly on an CIS SecureSuite Product or any component thereof; (F) represent or claim a particular level of compliance or consistency with any CIS SecureSuite Product; (G) provide CIS, through Workbench (or otherwise), with personal information that is protected under the PIPL; or (H) facilitate or otherwise aid other individuals or entities in violating this Agreement.

U.S. Export Control and Sanctions Laws - Regarding Customer’s use of the SecureSuite Products with any non-U.S. entity or country, Customer acknowledges that it is its responsibility to understand and abide by all U.S. sanctions and export control laws as set from time to time by the U.S. Bureau of Industry and Security (BIS) and the U.S. Office of Foreign Assets Control (OFAC).

VIII.  Customer’s Responsibility to Evaluate Risks.

Customer acknowledges and agrees that: (A) no network, system, device, hardware, software, or component can be made fully secure; and (B) Customer has the sole responsibility to evaluate the risks and benefits of the CIS SecureSuite Products to Customer’s particular circumstances and requirements including, without limitation, the decision to implement or not to implement one or more Benchmark configuration recommendations.

IX.  Customer Indemnification of CIS.

Customer agrees to indemnify, defend, and hold CIS and all of CIS's employees, officers, directors, agents and other service providers harmless from and against any against any third-party claim, suit or proceeding (including reasonable attorneys’ fees) brought against any of them in connection with Customer’s material breach of this Agreement.

X.  CIS Indemnification of Customer.

CIS shall indemnify, defend, and hold Customer harmless against any third-party claim, suit or proceeding (including reasonable attorneys’ fees) brought against Customer alleging that the CIS SecureSuite Products infringe any patent, copyright, or enforceable trade secret, provided that Customer: (A) gives CIS prompt written notice of any such claim; (B) allows CIS to control the defense and settlement of such claim; (C) refrains from entering into any settlement or compromise of such claim without CIS’s prior written consent; and (D) provides all assistance reasonably requested by CIS in the defense or settlement of such claim, at CIS’s expense. THIS SECTION SETS FORTH CIS’S SOLE AND EXCLUSIVE LIABILITY, AND CUSTOMER’S SOLE AND EXCLUSIVE REMEDY FOR CIS’S INFRINGEMENT OF THIRD-PARTYRIGHTS OF ANY KIND.

XI.  Limitation of Liability.

Except as otherwise specified in this Agreement, neither Party will be liable for any indirect, incidental, special, consequential or punitive damages, including without limitation, damages for lost profits, data or use, incurred under this Agreement, whether in an action in contract or tort, even if that Party has been advised of the possibility of such damages.

XII.  Confidential Information.

      A.  Confidential Information. Each Party acknowledges that by reason of its relationship with the other Party hereunder, such Party (the “Receiving Party”) might receive access to certain confidential and proprietary information and materials concerning the other Party (the “Disclosing Party”). “Confidential Information" means oral or written non-public information that the Disclosing Party designates as being confidential or which, under the circumstances surrounding disclosure, ought to be treated as confidential, whether provided to the Receiving Party before, on or after the date hereof. "Confidential Information" includes, without limitation, information relating to the Disclosing Party’s software and hardware products, specifications, databases. networks, systems design, file layouts, tool combinations and development methods, and information relating to the Disclosing Party's business or financial affairs, such as business methods, marketing strategies, pricing, product development strategies and methods, customer lists and financial results. "Confidential Information" also includes information received from others that the Disclosing Party is obligated to treat as confidential. "Confidential Information" includes all tangible materials which contain Confidential Information including, without limitation, written or printed documents, computer disk storage, and other magnetic or optical storage media, whether user- or machine­readable.

      B.  Exclusions. Confidential Information does not include any information that the Receiving Party can reasonably demonstrate: (i) was known to the Receiving Party prior to its disclosure hereunder by the Disclosing Party; (ii) was independently developed by the Receiving Party; (iii) is or becomes publicly known through no wrongful act of the Receiving Party; (iv) has been rightfully received from a third-party whom the Receiving Party has reasonable grounds to believe is authorized to make such disclosure without restriction; or (v) has been approved for public release by the Disclosing Party's prior written authorization. Confidential Information may be disclosed pursuant to applicable law, regulations or court order or similar proceeding, provided that the Receiving Party provides, where reasonably possible and legally permissible, prompt advance notice thereof to enable the Disclosing Party to seek a protective order or otherwise prevent such disclosure.

      C.  Use. The Receiving Party acknowledges and agrees that the Disclosing Party’s Confidential Information is of substantial value to the Disclosing Party, which value would be harmed if such information were disclosed to third parties. The Parties agree that, commencing on the Effective Date and thereafter, they will not: (i) use the Disclosing Party's Confidential Information in any way, except in the performance of obligations under this Agreement; or (ii) disclose the Disclosing Party’s Confidential Information to any third party, except to the Receiving Party’s employees who need to know such information, provided such employees have a signed confidentiality agreement with terms no less restrictive than the terms in this Agreement. The Parties will not publish, in any form, the other Party's Confidential Information beyond any descriptions published by said other Party.

      D.  Ownership of Information. The Parties expressly agree that the Disclosing Party shall retain all ownership in its Confidential Information.

      E.  Return of Information.  In the event of any termination or expiration of this or any other agreement between the Parties: (i) upon the written request of the Disclosing Party, the Receiving Party shall return or destroy all copies of Confidential Information to the Disclosing Party; and (ii) except to the extent the Receiving Party is advised in writing by counsel that there is a legal prohibition on so doing, the Receiving Party will also promptly destroy all written material, memoranda, notes and other writings or recordings whatsoever prepared by it or its representatives based upon, containing or otherwise reflecting any Confidential Information of the Disclosing Party.  Any Confidential Information that is not returned or destroyed including, without limitation, any oral Confidential Information, shall remain subject to the confidentiality obligations set forth in this Agreement.  The Receiving Party may return the Confidential Information, or any part thereof, to the Disclosing Party at any time.

      F.  Duration.  All obligations to protect Confidential Information set forth in this Agreement shall apply during the time of the relationship between the parties and thereafter, without limitation.

      G. Data Privacy.  Both Parties agree to comply with all applicable data privacy laws and regulations, including as applicable, the General Data Protection Regulation.  The Parties further acknowledge the Standard Contractual Terms found at https://www.cisecurity.org/standard-gdpr-clauses/, which are incorporated herein and are made a part hereof, and by signing this Agreement agree to abide by its terms, to the extent applicable.

XIII.  Additional Terms

      A.  Jurisdiction. Customer acknowledges and agrees that: (A) this Agreement will be governed by and construed in accordance with the laws of the State of New York; and (B) any action at law or in equity arising out of or relating to this Agreement shall be filed only in the courts located in the State of New York. Customer hereby consents and submits to the personal jurisdiction of such courts for the purposes of litigating any such action.

      B.  Counterparts. This Agreement may be executed in separate counterparts each signed by a Party and such counterparts deemed an executed whole with the full force and effect. Signatures may be exchanged by email or electronic signature and such signatures will be deemed original.

      C.  Entire Agreement; Purchase Orders. This Agreement, including any exhibits referenced herein, constitutes the entire agreement of the Parties with respect to the subject matter hereof, and supersedes all previous written, and all previous or contemporaneous oral negotiations, understandings, arrangements, and agreements. This Agreement may be amended only by a written amendment signed by both Parties.
      For the avoidance of doubt, and whether or not CIS is deemed under applicable law to have accepted an offer by Customer , CIS objects to and rejects all additional and/or inconsistent terms contained in a Purchase Order (PO) or similar document submitted by Customer to CIS. Any such terms which are not specifically addressed or referenced in this Agreement are hereby rejected and not agreed to nor consented to by CIS, absent express written acceptance.

      D.  Advertising or Publicity. Except as provided for in Sections II(A)(6) and (7), neither Party shall use the other Party’s name, service marks, or trademarks, or refer to or identify the other Party in any advertising, publicity releases (including references on any customer lists or posting on websites), or promotional or marketing correspondence to others without the prior written approval of the other Party.

      E.  Notices. All notices, requests, demands and determinations made under this Agreement (other than routine operational communications) shall be in writing and shall be deemed duly given (A) when delivered personally (against a signed receipt), (B) on the designated day of delivery (other than a weekend or Federal holiday) after being timely given to an express overnight courier with a reliable system for tracking delivery, or (C) six (6) days after the day of mailing, when sent by first class United States mail, postage prepaid and return receipt requested, to the address set forth below. Legal notices shall also be delivered via email to CIS at [email protected]. Delivery via email alone shall not constitute compliance with this section unless expressly agreed to by CIS.

       F.  Order of Precedence. Except as otherwise agreed to between the Parties, in the event of a conflict between the terms of this Agreement and any other document executed between the Parties, the following order of precedence shall apply: (1) The terms contained in this Product Vendor Membership Agreement including any CIS policies referenced herein; (2) An Order or Invoice provided by CIS to Customer; and (3) Any other document executed and/or agreed to in writing between the Parties.

Contract Version Date: 2/20/2024