CIS Vulnerability and Web Application Assessment Service Terms and Conditions

The following terms and conditions apply to vulnerability assessment services (the “Vulnerability Services”) provided by CIS to Customer, as specified in the applicable Statement of Work (SOW).

I. CIS Responsibilities

A. CIS will provide the Vulnerability Assessment Services specified in the SOW.

B. CIS will schedule scans of Customer’s systems in the portal operated by a third-party provider in accordance with the number and frequency of assessments specified in the SOW.

C. IS will provide Customer with reports following the vulnerability scan as specified in the SOW that includes the number and type of vulnerabilities ranked in order of severity, and will provide recommendations for mitigation of vulnerabilities. For web application scans, due to likelihood of false positives being included in the initial third party assessment, CIS conducts a manual analysis of identified vulnerabilities and provides a subsequent report on its analysis and recommendations for mitigation. For the most serious vulnerabilities, CIS will open a ticket on the matter and will review subsequent scans to determine whether the vulnerability is still present and will work with Customer to effect mitigation measures.

II. Customer Obligations

A. Network IPs and Domain Information

  1. In order to perform the Services, Customer will provide CIS with either a list of live IPs used by Customer, if known, or the entire network range of public IPs used by Customer in assessment(s), Customer will also provide CIS with a list of what domains it owns or uses and if known, its subdomains.
  1. If Customer is using a third-party provider to host its domain(s), Customer shall obtain the approval of that third-party provider for CIS to conduct scans as part of the Vulnerability Services prior to CIS commencing the Vulnerability Services.
  1. If the Vulnerability Services are being provided in response to a particular incident, Customer shall supply CIS with the particular IP or domain affected.

B. Customer acknowledges that CIS utilizes a third-party provider to assist with the network and web application assessments and consents to use of such third party by CIS in performing the Vulnerability Services. In addition to the scheduled scans analyzed by CIS as part of the Vulnerability Services, Customer will be given access to the third-party’s portal and may run unlimited additional scans on its own during the term of the Services.  The third-party provider will provide a limited scan report, which does not include the level of analysis and prioritization of vulnerabilities provided by CIS in its reports to Customer, and CIS makes no representation as to the accuracy and suitability of such third party reports.

III. Payment Terms

Unless otherwise specified in the SOW, CIS shall bill Customer for the Services on a per scan basis, in arrears, at the frequency and amount specified in the SOW.

IV. Additional Terms and Conditions From Third-Party Provider

A. Customer acknowledges that part of the Vulnerability Services includes provision of a web-based security assessment and policy compliance suite of services provided by Qualys, Inc. (“Qualys”), designed to identify and analyze the security level and vulnerabilities of Internet connections and computer networks (the “Qualys Service”).

B. Ownership.

  1. Qualys retains all ownership and intellectual property rights to the design and function of the Qualys Service and the reports generated pursuant to the Qualys Service (the “Reports”), other than the specific factual data gathered from Customer’s network IP addresses.
  1. Customer acknowledges that the Qualys Service, the software that provides the Qualys Service and its structure, organization, and source code constitute valuable trade secrets of Qualys and Customer agrees not to: reverse engineer, decompile, disassemble or otherwise attempt to derive the source code of the software that provides the Qualys Service; or use the Qualys Service, and/or data or information contained therein, except for the purpose of vulnerability management with regard to Customer’ IP addresses.

C. Customer acknowledges and agrees that Qualys is an intended third party beneficiary to this Statement of Work and as such may assert any applicable rights set forth herein as may be necessary to protect its intellectual property or other confidential or proprietary material.

D. Customer shall keep confidential its username and password for access to the QualysGuard Enterprise Suite.

E. If requested as part of the Vulnerability Services, Qualys will provide customized reports designed to evaluate Customer’s compliance with the criteria of the PCI Security Standards Council (the “Card Program”). Customer acknowledges and agrees that third part payment card organizations, and not Qualys, establish the security criteria and other terms and conditions of the Card Program.

F. Confidentiality. During the term of this Statement of Work, either Customer or Qualys (the “Disclosing Party”) may disclose to the other party (the “Receiving Party”) certain information, which the Disclosing Party considers proprietary or confidential.  “Confidential Information” means analytical information provided in reports and any other confidential information or either party, including software, source code, software tools, trade secrets, know-how, inventions, processes, schematics, software source documents, query fields, testing criteria, user names, passwords and financial information and any other confidential information of the parties. Confidential Information shall not include information that is already in the public domain through no fault of the Receiving Party, or was already known to the Receiving Party through no breach of a confidentiality obligation to the Disclosing Party.  Without limitation of the foregoing: (1) all data and information contained within the Qualys Service or the Reports (other than the individual factual data gathered from Customer’s network IP addresses), and all information concerning or materially relating to the Hardware, are Confidential Information of Qualys; and (2) all data regarding Customer’s IP addresses or network characteristics (including data that Qualys obtains as a result of its provision of the Service hereunder), is Confidential Information of Customer.  The Receiving Party will not use any Confidential Information of the Disclosing Party for any purpose not expressly permitted by the Statement of Work, and will disclosure the Confidential Information of the Disclosing Party only to those employees under a duty of confidentiality no less restrictive than the Receiving Party’s duty hereunder or is required to be disclosed by law, provided that the Receiving Party shall be required to make reasonable efforts, consistent with applicable law, to limit the scope and nature of such required disclosure.  The Receiving party will protect the Disclosing Party’s Confidential Information from unauthorized use, access, or disclosure in the same manner as the Receiving Party protects its own confidential information of a similar nature, and with no less than reasonable care.  Each party will return all Confidential Information to the other party after the other party requests that it be returned, or after this Statement of Work expires or is terminated.

G. LIMITATION OF LIABILITY. IN NO EVENT WILL QUALYS BE LIABLE TO CUSTOMER FOR ANY LOST PROFITS, LOSS OR CORRUPTION OF DATA, EQUIPMENT OR NETWORK DOWNTIME, OR FOR ANY CONSEQUENTIAL, INDIRECT, SPECIAL, EXEMPLARY, OR INCIDENTAL DAMAGES, WHETHER IN CONTRACT, TORT, OR OTHERWISE, ARISING FROM OR RELATING TO THIS AGREEMENT OR THE USE OF THE HARDWARE, QUALYS SERVICE OR REPORTS, EVEN IF QUALYS HAS BEEN ADVISED OF THE POSSIBILITY OR SUCH DAMAGES.

Rev. 05/13/2020