CIS Endpoint Security Services via CrowdStrike Terms & Conditions
The following terms and conditions (“TCS”) apply to CIS Endpoint Security Services (the “Services”) provided by Center for Internet Security, Inc. (“CIS”) to Customer, as specified in the attached Customer Order Form (the “Order”).
Security Operation Center (SOC) – 24 X 7 X 365 watch and warning center that provides cybersecurity infrastructure monitoring, dissemination of cyber threat warnings and vulnerability identification and mitigation recommendations.
Endpoint Security Services or ESS – Endpoint Security Services (ESS) is comprised of the following services:
- Next Generation Antivirus (NGAV). A solution deployed on endpoint devices to prevent cyber-attacks with the following capabilities:
- Detect malicious activity using signature-based and behavior-based threat detection methods with the capability to automate prevention (block attacks);
- Deny/allow indicators list management to include anomalous behavior-based indicators;
- Endpoint and file quarantine functionality;
- Threat notification and alerts; and
- Web-based management interface with a cloud-based data administration component for enterprise deployment.
- Endpoint Detection & Response (EDR). Deployment and maintenance of an EDR software agent on Customer’s identified endpoint devices, which will (a) block malicious activity at a device level if agreed to by the Customer; (b) remotely isolate compromised systems after coordination with the Customer; (c) identify threats on premise, in the cloud, or on remote systems; (d) inspect network traffic in a decrypted state on the endpoint for the limited purpose of identifying malicious activity; and (e) identify and remediate malware infections.
- Centralized management of ESS data to allow system administration, event analysis and reporting by CIS SOC. Additionally, Customer will be able to interact with its own ESS data through the management system
- Additional Endpoint Security Services. CIS may offer additional services under this Agreement from time to time as ESS. Purchase and receipt of such services will be subject to a separate Order.
Parties shall mean CIS and Customer; each a Party.
II. Selection of ESS
CIS hereby agrees to supply Entity with ESS as set forth in the attached Order. ESS for additional endpoints may be ordered by Entity during the Term (as defined herein below) by submitting a written request to CIS. The Service Start Date of subsequent Orders for ESS shall be the date of the approved Order but shall terminate as of the end of the applicable Term. Additional services may also be ordered from CIS by Entity by separate agreement with CIS.
The Order will become effective on the date the Order is accepted by both Parties (the “Effective Date”), and shall continue in full force and effect for the period specified in the Order (the “Term”).
A. Initial ESS Purchase
In consideration for receipt of ESS, Entity agrees to purchase the specified ESS at the purchase price set forth in the Order in US Dollars (USD), which shall be due and payable within thirty (30) days of the Effective Date. Payment may be made by: (i) EFT transfer; (ii) check made payable to Center for Internet Security and mailed to CIS Accounts Receivable, 31 Tech Valley Drive, East Greenbush, NY 12061; or (iii) credit card transaction according to the instructions provided to Entity by CIS. The amount of the purchase price to be paid by Entity to CIS pursuant to this section shall not be reduced by any amount of any taxes or fees to be collected by a taxing jurisdiction, financial institution or payment processor incidental to the payment to CIS.
B. Purchase of ESS for Subsequent Terms
At least sixty (60) days prior to the expiration of any Term. CIS will provide Entity an Order setting forth pricing for a subsequent Term. Payment for ESS for a subsequent Term shall be due to CIS no later than the last day of the then-current Term, using any of the methods described in section IV(A) above. In the event that such payment is not made prior to the end of the applicable Term, ESS shall not be renewed for a subsequent Term.
V. Amendments to the Order
The Order may only be amended as agreed to in writing by both Parties.
VI. Responsibilities of the Parties
A. Customer Responsibilities
Customer acknowledges and agrees that CIS’s ability to perform the Endpoint Security Services provided by CIS for the benefit of Customer is subject to Customer fulfilling certain responsibilities listed below. Customer acknowledges and agrees that neither CIS nor any third-party provider shall have any responsibility whatsoever to perform the Endpoint Security Services in the event Customer fails to meet its responsibilities described below. Customer further acknowledges and agrees that the scope of this Agreement is limited to the number of endpoint devices identified in the Order Form. In the event that Customer installs the ESS software agent on a greater number of endpoint devices beyond those identified in the Order Form, Customer will be charged for those additional endpoints, including any associated additional charges, and that those additional endpoint devices will be subject to the requirements of this Agreement. Customer will ensure the correct functioning and maintenance of the endpoint devices receiving Endpoint Security Services.
- Customer shall provide the following to CIS prior to commencement of the Endpoint Security Services and at any time during the Term if the information changes:
- A completed PIQ, the form of which will be provided to Customer by CIS, which will identify the number and types of endpoints to be monitored during the Term, including identification of the operating systems used in the endpoints. The PIQ will need to be revised whenever there is a change that would affect CIS’s ability to provide the Endpoint Security Services;
- Each endpoint device will have access to a secure Internet channel for ESS management and monitoring by CIS;
- Accurate and up-to-date information, including the name, email, landline, mobile, and pager numbers for all designated, authorized Point of Contact(s); and
- Customer will be responsible for installing the ESS software agent on its endpoints; CIS will provide Customer with a link to the ESS software agent.
- During the Term, Customer shall provide the following:
- Written notification to CIS SOC ([email protected]) at least thirty (30) days in advance of replacement of an existing endpoint device with another similar device and/or changes in operating systems for the endpoint devices that would affect CIS’s ability to provide Endpoint Security Services;
- Written notification to CIS SOC ([email protected]) at least twelve (12) hours in advance of any scheduled Internet outages affecting the endpoint devices;
- A completed Escalation Procedure Form in the PIQ including the name, e-mail address and 24/7 contact information for all designated Points of Contact (POC). Revised information must be submitted when there is a change in status for any POC;
- Sole responsibility for maintaining current maintenance and technical support contracts with Customer’s software and hardware vendors for any endpoint device covered by ESS; and
- Active involvement with CIS SOC to resolve any tickets requiring Customer input or action.
B. CIS Responsibilities
- CIS shall be responsible for purchase of a commercial ESS capability provided by Crowdstrike, to be incorporated into the Endpoint Security Services, and for providing a link for the ESS software agent to Customer for Customer to install on their endpoints.
- CIS will be responsible for the management and monitoring of the Endpoint Security Services to Customer’s identified endpoint devices, including provision of the link for installation of the applicable ESS agent for the operating system of the endpoint devices, as identified by Customer in the PIQ.
- CIS will provide the following as part of the Endpoint Security Services:
- Analysis of logs from monitored security devices for attacks and malicious traffic;
- Analysis of security events;
- Correlation of security data/logs/events with information from other sources;
- Notification of security events per the Escalation Procedures provided by Customer; and
- Ensuring that all upgrades, patches, configuration changes and signature upgrades of the ESS agent are applied to Customer’s endpoint devices receiving ESS.
- CIS Security Operation Center. CIS will provide 24/7 telephone (1-866-787-4722) availability for assistance with events detected by the Endpoint Security Services.
- Upon termination of ESS, CIS shall be responsible for the cancellation of the Endpoint Security Services. Customer will be responsible for removal of the ESS agent installed on Customer’s endpoint devices.
C. Third Party Provider Terms and Conditions
Customer acknowledges and agrees that as part of providing ESS, CIS has contracted with the third-party provider, CrowdStrike, Inc. (“Crowdstrike”). Customer further acknowledges and agrees that in return for receipt of ESS, it agrees to the following terms and conditions (“Crowdstrike End User Terms”) as an end user of CrowdStrike services as specified in the Order:
- Access & Use Rights. Subject to these TCS, Customer has a non-exclusive, non-transferable, non-sublicensable license to access and use the Products in accordance with any applicable Documentation solely for Customer’s Internal Use. The Product includes a downloadable object-code component (“Software Component”); Customer may install and run multiple copies of the Software Components solely for Customer’s Internal Use. Customer’s access and use is limited to the quantity and the period of time specified on the Order.
- Restrictions. The access and use rights do not include any rights to (i) employ or authorize any third party (other than Partner) to use or view the Offering or Documentation; (ii) alter, publicly display, translate, create derivative works of or otherwise modify an Offering; (iii) sublicense, distribute or otherwise transfer an Offering to any third party; (iv) allow third parties to access or use an Offering (except for Partner as expressly permitted herein); (v) create public Internet “links” to an Offering or “frame” or “mirror” any Offering content on any other server or wireless or Internet-based device; (vi) reverse engineer, decompile, disassemble or otherwise attempt to derive the source code (if any) for an Offering (except to the extent that such prohibition is expressly precluded by applicable law), circumvent its functions, or attempt to gain unauthorized access to an Offering or its related systems or networks; (vii) use an Offering to circumvent the security of another party’s network/information, develop malware, unauthorized surreptitious surveillance, data modification, data exfiltration, data ransom or data destruction; (viii) remove or alter any notice of proprietary right appearing on an Offering; (ix) conduct any stress tests, competitive benchmarking or analysis on, or publish any performance data of, an Offering (provided, that this does not prevent Customer from comparing the Products to other products for Customer’s Internal Use); (x) use any feature of CrowdStrike APIs for any purpose other than in the performance of, and in accordance with, the Order; or (xi) cause, encourage or assist any third party to do any of the foregoing. Customer agrees to use an Offering in accordance with laws, rules and regulations directly applicable to Customer and acknowledges that Customer is solely responsible for determining whether a particular use of an Offering is compliant with such laws.
- Third Party Software. CrowdStrike uses certain third-party software in its Products, including what is commonly referred to as open source software. Under some of these third party licenses, CrowdStrike is required to provide Customer with notice of the license terms and attribution to the third party. See the licensing terms and attributions for such third-party software that CrowdStrike uses at: https://falcon.crowdstrike.com/opensource.
- Installation and User Accounts. For those Products requiring user accounts, only the individual person assigned to a user account may access or use the Product. Customer is liable and responsible for all actions and omissions occurring under Customer’s user accounts for Offerings.
- Ownership & Feedback. The Offerings are made available for use or licensed, not sold. CrowdStrike owns and retains all right, title and interest (including all intellectual property rights) in and to the Offerings. Any feedback or suggestions that Customer provides to CrowdStrike regarding its Offerings (e.g., bug fixes and features requests) is non-confidential and may be used by CrowdStrike for any purpose without acknowledgement or compensation, provided, Customer will not be identified publicly as the source of the feedback or suggestion.
- Crowdstrike Disclaimer. PARTNER, AND NOT CROWDSTRIKE, IS RESPONSIBLE FOR ANY WARRANTIES, REPRESENTATIONS, GUARANTEES, OR OBLIGATIONS TO CUSTOMER, INCLUDING REGARDING THE CROWDSTRIKE OFFERINGS. CUSTOMER ACKNOWLEDGES, UNDERSTANDS, AND AGREES THAT CROWDSTRIKE DOES NOT GUARANTEE OR WARRANT THAT IT WILL FIND, LOCATE, OR DISCOVER ALL OF CUSTOMER’S OR ITS AFFILIATES’ SYSTEM THREATS, VULNERABILITIES, MALWARE, AND MALICIOUS SOFTWARE, AND CUSTOMER AND ITS AFFILIATES WILL NOT HOLD CROWDSTRIKE RESPONSIBLE THEREFOR. CROWDSTRIKE AND ITS AFFILIATES DISCLAIM ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE. TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW, CROWDSTRIKE AND ITS AFFILIATES AND SUPPLIERS SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGMENT WITH RESPECT TO THE OFFERINGS. THERE IS NO WARRANTY THAT THE OFFERINGS WILL BE ERROR FREE, OR THAT THEY WILL OPERATE WITHOUT INTERRUPTION OR WILL FULFILL ANY OF CUSTOMER’S PARTICULAR PURPOSES OR NEEDS. THE OFFERINGS ARE NOT FAULT-TOLERANT AND ARE NOT DESIGNED OR INTENDED FOR USE IN ANY HAZARDOUS ENVIRONMENT REQUIRING FAIL-SAFE PERFORMANCE OR OPERATION. THE OFFERINGS ARE NOT FOR USE IN THE OPERATION OF AIRCRAFT NAVIGATION, NUCLEAR FACILITIES, COMMUNICATION SYSTEMS, WEAPONS SYSTEMS, DIRECT OR INDIRECT LIFE-SUPPORT SYSTEMS, AIR TRAFFIC CONTROL, OR ANY APPLICATION OR INSTALLATION WHERE FAILURE COULD RESULT IN DEATH, SEVERE PHYSICAL INJURY, OR PROPERTY DAMAGE. CUSTOMER AGREES THAT IT IS CUSTOMER’S RESPONSIBILITY TO ENSURE SAFE USE OF AN OFFERING IN SUCH APPLICATIONS AND INSTALLATIONS. CROWDSTRIKE DOES NOT WARRANT ANY THIRD PARTY PRODUCTS OR SERVICES.
- Customer Obligations. Customer, along with its Affiliates, represents and warrants that: (i) it owns or has a right of use from a third party, and controls, directly or indirectly, all of the software, hardware and computer systems (collectively, “Systems”) where the Products will be installed or that will be the subject of, or investigated during, the Offerings, (ii) to the extent required under any federal, state, or local U.S. or non-US laws (e.g., Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq., Title III, 18 U.S.C. 2510 et seq., and the Electronic Communications Privacy Act, 18 U.S.C. § 2701 et seq.) it has authorized CrowdStrike to access the Systems and process and transmit data through the Offerings in accordance with the Order and as necessary to provide and perform the Offerings, (iii) it has a lawful basis in having CrowdStrike investigate the Systems, process the Customer Data and the Personal Data; (iv) that it is and will at all relevant times remain duly and effectively authorized to instruct CrowdStrike to carry out the Offerings, and (v) it has made all necessary disclosures, obtained all necessary consents and government authorizations required under applicable law to permit the processing and international transfer of Customer Data and Customer Personal Data from each Customer and Customer Affiliate, to CrowdStrike.
- Falcon Platform. The Falcon Endpoint Protection Platform (“Falcon EPP Platform”) uses a crowd-sourced environment, for the benefit of all customers, to help customers protect themselves against suspicious and potentially destructive activities. CrowdStrike’s Products are designed to detect, prevent, respond to, and identify intrusions by collecting and analyzing data, including machine event data, executed scripts, code, system files, log files, dll files, login data, binary files, tasks, resource information, commands, protocol identifiers, URLs, network data, and/or other executable code and metadata. Customer, rather than CrowdStrike, determines which types of data, whether Personal Data or not, exist on its systems. Accordingly, Customer’s endpoint environment is unique in configurations and naming conventions and the machine event data could potentially include Personal Data. CrowdStrike uses the data to: (i) analyze, characterize, attribute, warn of, and/or respond to threats against Customer and other customers, (ii) analyze trends and performance, (iii) improve the functionality of, and develop, CrowdStrike’s products and services, and enhance cybersecurity; and (iv) permit Customer to leverage other applications that use the data, but for all of the foregoing, in a way that does not identify Customer or Customer’s Personal Data to other customers. Neither Execution Profile/Metric Data nor Threat Actor Data are Customer’s Confidential Information or Customer Data.
- Processing Personal Data. Personal Data may be collected and used during the provisioning and use of the Offerings to deliver, support and improve the Offerings, comply with law, or otherwise in accordance with these TCS. Customer authorizes CrowdStrike to collect, use, store, and transfer the Personal Data that Customer provides to CrowdStrike as contemplated in this Agreement.
- Compliance with Applicable Laws. Both CrowdStrike and Customer agree to comply with laws directly applicable to it in the performance of the ESS in accordance with the Order.
- Definitions. For purposes of these Crowdstrike End User Terms, the following terms shall have the meaning as set forth below:
“CrowdStrike Data” shall mean the data generated by the CrowdStrike Offerings, including but not limited to, correlative and/or contextual data, and/or detections. For the avoidance of doubt, CrowdStrike Data does not include Customer Data.
“Customer Data” means the data generated by the Customer’s Endpoint and collected by the Products.
“Documentation” means CrowdStrike’s end-user technical documentation included in the applicable Offering.
“Endpoint” means any physical or virtual device, such as, a computer, server, laptop, desktop computer, mobile, cellular, container or virtual machine image.
“Execution Profile/Metric Data” means any machine-generated data, such as metadata derived from tasks, file execution, commands, resources, network telemetry, executable binary files, macros, scripts, and processes, that: (i) Customer provides to CrowdStrike in connection with the Order or (ii) is collected or discovered during the course of CrowdStrike providing Offerings, excluding any such information or data that identifies Customer or to the extent it includes Personal Data.
“Internal Use” means access or use solely for Customer’s own internal information security purposes. By way of example and not limitation, Internal Use does not include access or use: (i) for the benefit of any person or Customer other than Customer, or (ii) in any event, for the development of any product or service. Internal Use is limited to access and use by Customer’s employees and Partner solely on Customer’s behalf and for Customer’s benefit.
“Offerings” means, collectively, any Products or Product-Related Services.
“Partner” means Center for Internet Security, Inc.
“Personal Data” means information provided by Customer to CrowdStrike or collected by CrowdStrike from Customer used to distinguish or trace a natural person’s identity, either alone or when combined with other personal or identifying information that is linked or linkable by CrowdStrike to a specific natural person. Personal Data also includes such other information about a specific natural person to the extent that the data protection laws applicable in the jurisdictions in which such person resides define such information as Personal Data.
“Product” means any of CrowdStrike’s cloud-based software or other products provided to Customer through Partner, the available accompanying API’s, the CrowdStrike Data, any Documentation.
“Product-Related Services” means, collectively, (i) Falcon OverWatch, (ii) Falcon Complete Team, (iii) the technical support services for certain Products provided by CrowdStrike, (iv) training, and (v) any other CrowdStrike services provided or sold with Products.
“Threat Actor Data” means any malware, spyware, virus, worm, Trojan horse, or other potentially malicious or harmful code or files, URLs, DNS data, network telemetry, commands, processes or techniques, metadata, or other information or data, in each case that is potentially related to unauthorized third parties associated therewith and that is collected or discovered during the course of CrowdStrike providing Offerings, excluding any such information or data that identifies Customer or to the extent that it includes Personal Data.
The Endpoint Security Services include use of software that is licensed to CIS by Crowdstrike. All title and ownership rights of the software shall remain with Crowdstrike. Customer shall own all right, title and interest in its data that is provided to CIS pursuant to these TCS. Customer hereby grants CIS a non-exclusive, non-transferable license to access and use such data as is necessary to provide the Endpoint Protection Services specified in of the Order.
VIII. No Third Party Rights
Except as otherwise specifically provided herein, nothing in these TCS shall create or give to third parties any claim or right of action of any nature against Customer or CIS.
IX. Warranty; Disclaimer
CIS warrants to Entity during the applicable Term that: (i) the Endpoint Security Services operate without Error; and (ii) industry standard techniques have been used to prevent the ESS at the time of installation from injecting malicious software viruses into Entity’s endpoints covered by this Agreement. Entity must notify CIS of any warranty claim during the Term. Entity’s sole and exclusive remedy and the entire liability of CIS for its breach of this warranty will be for CIS, at its own expense, to do at least one of the following: (a) use commercially reasonable efforts to provide a work-around or correct such Error; or (b) terminate the Order and Entity’s access to and use of ESS and refund the prepaid fee prorated for the unused period of the Term. CIS shall have no obligation regarding Errors reported after the applicable Term. For purposes of this Section VIII, “Error” means a reproducible failure of ESS to perform in substantial conformity with its applicable Documentation (as defined herein below), as supplied by Crowdstrike.
The express warranties do not apply if the ESS (i) has been modified, except by CIS or Crowdstrike, or (ii) has not been installed, used, or maintained in accordance with this Agreement or Documentation.
EXCEPT FOR THE EXPRESS WARRANTIES IN THIS SECTION VIII, CIS MAKES NO OTHER WARRANTIES RELATING TO THE ESS, EXPRESS, IMPLIED OR STATUTORY, INCLUDING WITHOUT LIMITATION ANY WARRANTIES OF NON-INFRINGEMENT OF THIRD-PARTY RIGHTS, FITNESS FOR A PARTICULAR PURPOSE, OR MERCHANTABILITY.
ENTITY ACKNOWLEDGES, UNDERSTANDS AND AGREES THAT CIS DOES NOT GUARANTEE OR WARRANT THAT USE OF ESS WILL FIND, LOCATE OR DISCOVER ALL SYSTEM THREATS, VULNERABILITIES, MALWARE, AND MALICIOUS SOFTWARE, AND WILL NOT HOLD CIS RESPONSIBLE THEREFOR. ENTITY AGREES NOT TO REPRESENT TO ANY THIRD PARTY THAT CIS HAS PROVIDED SUCH GUARANTEE OR WARRANTY.
X. Confidentiality Obligation
CIS acknowledges that information regarding the infrastructure and security of Customer’s information systems, assessments and plans that relate specifically and uniquely to the vulnerability of Customer information systems, Personal Data (as defined herein below), specific vulnerabilities identified as part of the Endpoint Security Services or information otherwise marked as confidential by Customer (“Confidential Information”) may be provided by Customer to CIS in connection with the services provided under the Order. The Customer acknowledges that it may receive from CIS trade secrets and confidential and proprietary information (“Confidential Information”). Both Parties agree to hold each other’s Confidential Information in confidence to the same extent and the same manner as each party protects its own confidential information, but in no event will less than reasonable care be provided and a party’s information will not be released in any identifiable form without the express written permission of such party or as required pursuant to lawfully authorized subpoena or similar compulsive directive or is required to be disclosed by law, provided that the Customer shall be required to make reasonable efforts, consistent with applicable law, to limit the scope and nature of such required disclosure. CIS further agrees that any third party involved in providing Endpoint Security Services shall be required to protect Customer’s Confidential Information to the same extent as required under these TCS. CIS shall, however, be permitted to disclose relevant aspects of such Confidential Information to its officers, employees, agents and CIS’s cyber security partners, including federal partners, provided that such partners have agreed to protect the Confidential Information to the same extent as required under these TCS. The Parties agree to use all reasonable steps to ensure that Confidential Information received under this Agreement is not disclosed in violation of this Section X. These confidentiality obligations shall survive the termination of the Order.
Notices shall be provided to those persons identified on the Order. Notice shall be deemed to have been given either at the time of personal delivery or, in the case of expedited delivery service or certified or registered United States mail, as of the date of first attempted delivery at the address and in the manner provided herein, or in the case of facsimile transmission or email, upon receipt. The Parties may, from time to time, specify any new or different contact information as their address for purpose of receiving notice under the Order by giving fifteen (15) days written notice to the other Party sent in accordance herewith. The Parties agree to mutually designate individuals as their respective representatives for the purposes of receiving notices under this Agreement. Additional individuals may be designated in writing by the Parties for purposes of implementation and administration, resolving issues and problems and/or for dispute resolution.