CIS Managed Detection and Response (MDR) via CrowdStrike Terms and Conditions

This CIS MANAGED DETECTION AND RESPONSE SERVICES (MDR) AGREEMENT (“Agreement”) by and between the Center for Internet Security, Inc. (“CIS”), located at 31 Tech Valley Drive, East Greenbush, NY 12061-4134, and Customer (“Entity”) for CIS Managed Detection and Response (MDR)™ services (“CIS MDR”), as defined in this Agreement (CIS and Entity each a “Party”, and collectively referred to as the “Parties”).

In consideration of the mutual covenants contained herein, the Parties agree as follows:

I. Purpose

This Agreement describes the CIS MDR™ service offerings and sets forth the mutual understanding of the Parties concerning CIS’s provision of CIS MDR to the Entity.

II. Definitions

Capitalized terms used in this Agreement and not otherwise defined shall have the following meanings:

Add-on Services. Additional services that supplement CIS MDR, which CIS may offer from time to time. Entity may purchase one or more Add-on Services for an additional fee, either beginning on the Effective Date or later in the Term. 

CIS Managed Detection and Response (MDR) or CIS MDR. CIS MDR is a managed and monitored service offered by CIS for strengthening an organization’s cybersecurity program. Unless otherwise specified, references to CIS MDR include any Add-on Services purchased by Entity under this Agreement.   

Documentation. CIS’s technical specifications, online content, user manuals, or similar materials pertaining to the implementation, operation, access, and use of CIS MDR services, which CIS provides to the Entity and may be revised by CIS from time to time.

Entity Data. Data, content, or communications in any format that are provided or made accessible through provision of CIS MDR to Entity, including data generated by Entity’s Managed Endpoints.

Error. A reproducible failure of CIS MDR to perform in substantial conformity with the Documentation.

Managed Endpoint. Any of Entity’s servers, laptops, mobile devices or desktop computers, as to which CIS has agreed to provide CIS MDR under this Agreement. 

Order. A document CIS issues to the Entity listing key elements of a transaction contemplated under this Agreement, including: the parties, the number of Managed Endpoints to be serviced, price, and corresponding dates of service. 

Provider. Third party company Crowdstrike, Inc., whose cloud-based software and products will be deployed to Entity’s Managed Endpoints as part of the CIS MDR services. The Provider’s terms and conditions, attached as Appendix B hereto, are hereby incorporated by reference.

Security Operation Center or SOC. The 24 X 7 X 365 watch and warning center operated by CIS that provides cybersecurity infrastructure monitoring, dissemination of cyber threat warnings and vulnerability identification and mitigation recommendations.  

III. Scope of CIS MDR Services

A. Description of CIS MDR

When deployed on the Entity’s Managed Endpoints, CIS MDR identifies, detects, responds to, and remediates security events. The service offers host-level protection and response services provided by the CIS SOC, and provides active defense against known (signature-based) and unknown (behavioral-based) malicious activity. CIS MDR includes the following core features and capabilities:

1. Next Generation Antivirus (NGAV): A solution aimed at preventing cyber attacks that is deployed on Managed Endpoints and has the following capabilities:

  • Detects malicious activity using signature-based and behavior-based threat detection methods with the capability to automate prevention (block attacks);
  • Deny/allow indicators list management to include anomalous behavior-based indicators;
  • Managed Endpoint and file quarantine functionality;
  • Threat notification and alerts; and
  • Web-based management interface with a cloud-based data administration component for enterprise deployment.

2. Endpoint Detection & Response (EDR): Deployment and maintenance of an EDR software agent on Entity’s Managed Endpoints, which is intended to:

  • Block malicious activity at a device level, if chosen by the Entity;
  • Remotely isolate compromised systems after coordination with the Entity;
  • Identify threats on premise, in the cloud, or on remote systems;
  • Inspect network traffic in a decrypted state on the Managed Endpoint for the limited purpose of identifying malicious activity; and
  • Identify and remediate malware infections.

3. Advanced Capabilities:

Asset Inventory: Continuously monitor organizational assets to ensure compliance with applicable regulations and internal policies; facilitate the maintenance of compliance status, and identify unauthorized or rogue devices.

Application Inventory: Conduct comprehensive scans to detect all deployed software applications, verify version integrity, and identify unauthorized, outdated, or potentially malicious software.

User Account Monitoring: Monitor user account activity for anomalies, track the use of administrative credentials, and evaluate adherence to password management and update policies.

Rogue Device Detection: Identify and flag unauthorized or unmanaged devices connected to the network, assess associated security risks, and support enforcement of access control policies to prevent potential breaches or data exfiltration.

4. Data Management: Centralized management of MDR data to allow system administration, event analysis and reporting by the CIS SOC. Additionally, Entity will be able to interact with its own CIS MDR data through the management system.

CIS will provide the following services in addition to and in connection with the above core features and capabilities. The following are not applicable to any Add-on Services:

  1. Analysis of logs from monitored security devices for attacks and malicious traffic;
  2. Analysis of security events;
  3. Correlation of security data/logs/events with information from other sources;
  4. Notification of security events according to the Escalation Procedures provided by Entity in the PIQ; and
  5. 24/7 telephone availability (at: 1-866-787-4722) for assistance with events detected through the CIS MDR services.

B. Limitations and Restrictions

Entity acknowledges and agrees that it is required, as a condition to CIS’s provision of the CIS MDR services, to fulfill the obligations listed in Appendix A, which is attached hereto and incorporated herein. CIS provides CIS MDR to the Entity subject to the following limitations and restrictions, in addition to those described in Appendix A:

  1. CIS MDR may only be used by the Entity, for purposes of its own internal information security.
  2. CIS shall be responsible for providing CIS MDR services only with respect to those Managed Endpoints identified in the relevant Order(s).
  3. From time to time, CIS and/or the Provider may perform scheduled maintenance to update the servers, software, and other technology that are used to provide CIS MDR, and will use commercially reasonable efforts to provide prior notice of such scheduled maintenance whenever possible. Entity acknowledges that in certain situations emergency maintenance may be required, causing a disruption in the CIS MDR services without prior notice.

C. Add-on Services

CIS may offer Add-on Services to supplement the CIS MDR services described above. If Entity purchases any Add-on Service, that purchase and Entity’s use of the Add-on Service shall be governed by this Agreement. Regardless of whether an Add-on Service is purchased on the Effective Date or a later date, the service term will run concurrently with the Term of this Agreement. Add-on Services may include, but are not limited to, the following offerings:

  • CIS MDR Mobile offers device-level protection to mobile devices. CIS MDR Mobile monitors and records activities taking place on Android and iOS devices, including phones and tablets, using endpoint detection and response technology, enabling security teams to have visibility into malicious, unwanted, or accidental access to sensitive corporate data in mobile devices. It provides phishing and network prevention, including detecting and preventing malicious connections; blocking URLs, IP addresses, and domains with poor reputations, including links sent via SMS, email, apps, and QR codes; and offering extensive threat-hunting capabilities for mobile devices.
  • CIS MDR Spotlight leverages the cloud-native power of the CrowdStrike Falcon Platform to bring together endpoint detection and response (EDR) with vulnerability management to provide real-time visibility into vulnerabilities and exposures. CIS MDR Spotlight enables SLTT government entities to consolidate key components of their security stacks to reduce costs and increase protection by creating a single view of their vulnerability exposure.
  • CIS MDR Multi-tenancy is geared toward organizations that oversee numerous sub-organizations. It provides a unified view of all endpoint security activity among each of these sub-organizations. Under CIS MDR Multi-tenancy, larger organizations can visualize their own endpoints along with the endpoints of their sub-organizations. Meanwhile, sub-organizations can still only see their own endpoints in their dashboard.

D. Additional Endpoints

During the Term, Entity may request to purchase CIS MDR for additional endpoints by submitting a written request to CIS. If Entity’s request is accepted, the service start date for the additional Managed Endpoints will be the date of the approved Order. Notwithstanding the fact that all of Entity’s Managed Endpoints will not, in this case, share the same service start date, all CIS MDR services supplied under all Orders will terminate together, at the end of the Term.

If Entity installs the CIS MDR software agent on additional endpoints beyond the total number permitted under the applicable Orders, CIS shall invoice Entity with respect to the additional endpoints, as of the date of installation. In this case, Entity agrees to pay all associated additional charges. Once payment is received, CIS will provide CIS MDR services to those additional Managed Endpoints, subject to all other terms and conditions of this Agreement.

IV. Agreement Term and Payment

A. Term

This Agreement begins on the date it is signed by both Parties (the “Effective Date”), and continues for the period specified in the accompanying Order (the “Initial Term”). The Agreement may be extended beyond the Initial Term by written agreement of the Parties (each a “Renewal Term” and, together with the Initial Term, the “Term”).

B. Payment

Entity shall pay CIS the full amount listed in all Orders under this Agreement promptly when due, and no payment shall be reduced by any taxes or fees to be collected by a taxing jurisdiction, financial institution or payment processor incidental to payment.

  1. Initial Purchase. In consideration for receipt of CIS MDR services during the Initial Term, Entity agrees to pay CIS the amount stated in the applicable Order, within thirty (30) days after the Effective Date. Payment shall be made according to the instructions in the Order. If Add-On Services are selected after the Effective Date, payment shall be made according to the instructions in the relevant Order.
  2. Renewal Term Pricing. Approximately sixty (60) days before expiration of the Initial Term and each Renewal Term, CIS will issue an Order listing pricing for the next Renewal Term. Payment associated with any Renewal Term shall be due on the first day of the Renewal Term.
  3. Late Payments. If Entity fails to make any undisputed payment when due then, in addition to all other remedies that may be available, CIS may charge interest on the past due amount at the rate of 2% per month calculated daily and compounded monthly, or the highest rate permitted under applicable law, if lower. CIS shall have the right, but not the obligation, to disable Entity’s access to CIS MDR until Entity’s account with CIS is current.

V. Warranty

CIS offers Entity the following warranty (the “Warranty”), as limited by the conditions and exclusions below: (i) CIS MDR will operate without Error, and consistent with the Documentation in all material respects; and (ii) industry standard techniques have been used to prevent CIS MDR, at the time of installation, from injecting malicious software viruses into the Managed Endpoints. Entity’s sole and exclusive remedy, and CIS’s entire liability, for any breach of the Warranty is for CIS, at CIS’s option, to: (a) use commercially reasonable efforts to provide a work-around or correct the Error; or (b) terminate this Agreement and Entity’s access to and use of CIS MDR, and refund Entity a prorated portion of any prepaid fee.

A. Warranty Conditions, Disclaimers and Exclusions

  1. The Warranty is non-transferable and confers no rights to any affiliated entity, successor in interest, assignee or other beneficiary.
  2. The Warranty does not apply if: (i) the software or other offerings provided in connection with CIS MDR have been modified, except by CIS; (ii) the software or other offerings provided in connection with CIS MDR have not been installed, used, or maintained in accordance with this Agreement; (iii) the Entity or any third party has turned off or disabled any functionality of CIS MDR; or (iv) the claim relates to a systemic failure or error impacting users on a significant, large-scale basis.
  3. The Warranty does not apply with respect to any period during which: (i) CIS MDR services have been suspended; (ii) routine or emergency maintenance is being performed by CIS or Provider; (iii) the services cannot be provided due to unforeseen circumstances or causes beyond CIS’s reasonable control, including but not limited to war, strike, riot, crime, acts of God, or shortage of resources; (iv) the services cannot be provided because of a legal prohibition, including but not limited to, passing of a statute, decree, regulation, or legal order; or (v) Entity is in breach of the Agreement, including for non-payment.

B. Filing a Warranty Claim

To be valid, a claim under the Warranty (“Claim”) must be made consistent with Section IX, during the Term in which the Error occurred, and must be received by CIS within fifteen (15) business days of the event giving rise to the Claim. Claims must be approved in writing by CIS, and the Entity must cooperate with CIS in the investigation and resolution of the Claim.

VI. Limitations

While CIS MDR implements commercially reasonable technologies and processes, Entity agrees and acknowledges that neither CIS nor Provider makes any guarantee that CIS MDR will detect, prevent, or mitigate all threats or events of compromise or unauthorized access to Entity’s systems. Entity shall not represent that CIS or Provider has provided such a guarantee or warranty.

EXCEPT FOR THE EXPRESS WARRANTY IN SECTION V, CIS GRANTS NO WARRANTY HEREUNDER, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF NON-INFRINGEMENT, FITNESS FOR A PARTICULAR PURPOSE, OR MERCHANTABILITY. IF ANY LIMIT GIVEN ABOVE IS OR BECOMES INVALID UNDER APPLICABLE LAW IN ANY TERRITORY WHERE CIS MDR IS PROVIDED, THE WARRANTY IN SECTION V SHALL BE NULL AND VOID.

VII. Confidentiality

CIS acknowledges that Entity may provide or make available information regarding the infrastructure and security of its information systems, assessments and plans that relate specifically and uniquely to the vulnerability of its information systems, sensitive or personal data, or specific vulnerabilities identified by CIS MDR (“Confidential Information”). Entity acknowledges that it may receive from CIS trade secrets and other sensitive or proprietary information (“Confidential Information”).

The Parties agree to hold each other’s Confidential Information in confidence, to the same extent and in the same manner as each Party protects its own confidential information, but in no event with less than reasonable care. No Party will release the other’s Confidential Information in any identifiable form without the written permission of the other Party, unless pursuant to a lawfully authorized subpoena or similar compulsive directive, or if required to be disclosed by law; provided that the disclosing Party shall make reasonable efforts to limit the scope and nature of any such required disclosure. CIS further agrees that any third party involved in the CIS MDR services shall be required to protect Entity’s Confidential Information as required under this Agreement. Notwithstanding the foregoing, CIS shall be permitted to disclose relevant aspects of Entity’s Confidential Information to its officers, employees, agents, the Provider, and to CIS’s cyber security partners, including any federal partners, provided that such partners have agreed to protect the Confidential Information to the same extent as required under this Agreement.

VIII. Miscellaneous

A. Amendments

This Agreement may only be amended in a writing signed by both Parties.

B. No Third Party Rights

Nothing in this Agreement shall create or give to third parties any claim or right of action of any nature against the Provider or CIS.

C. Data Ownership

The Entity shall own all right, title and interest in the Entity Data. Entity hereby grants CIS a non-exclusive, royalty-free license to access and use Entity Data, and to share Entity Data to the extent reasonably necessary for CIS and Provider to provide the CIS MDR services and otherwise fulfill their obligations and exercise their rights with respect to the subject matter of this Agreement.

D. No Assignment

Neither Party may transfer or assign its rights or obligations under this Agreement without the other Party’s prior written consent.

IX. Notices

All notices permitted or required under this Agreement shall be in writing and shall be transmitted either by: (1) first class mail or expedited delivery service; or (2) email with acknowledgement of receipt. Such notices shall be addressed as follows, unless otherwise specifically provided:


CIS
Address: CIS Services
Center for Internet Security, Inc.
31 Tech Valley Drive
East Greenbush, NY 12061-4134
Telephone: (518) 880-0766
E-Mail: [email protected]
with cc to: [email protected]

The Parties may, from time to time, specify new or different contact information for the purpose of receiving notice under this Agreement by giving fifteen (15) days written notice to the other Party, sent in accordance herewith.



Contract version date: 07/25/25

Appendix A - Entity Responsibilities

CIS’s ability to provide the CIS MDR™ services described in the Agreement is dependent upon Entity completing certain tasks and fulfilling a number of continuing obligations. Entity acknowledges and agrees that CIS shall not be responsible for failure to provide the CIS MDR services as described, or for any failure of the CIS MDR services to function as intended, if and to the extent that delivery of the services is compromised, or rendered impractical or impossible, due to Entity’s failure to timely and accurately fulfill its responsibilities described in the Agreement and/or below. At all times during the Term, Entity shall be solely responsible for the following:

  1. Provide CIS with a completed PIQ, which is necessary to enable account setup and designation of authorized users. Complete any other actions required for onboarding.
  2. Ensure the correct functioning and maintenance of the Managed Endpoints, and that each has access to a secure Internet channel for CIS MDR management and monitoring.
  3. Promptly and correctly install the CIS MDR software agent on Managed Endpoints, using the instructions provided by CIS. Entity is responsible for choosing the installation mode that best suits its needs (either full or passive installation) and for enabling protection mode as appropriate, noting that this selection must be made as to each Managed Endpoint.
  4. Employ the most currently supported version of its chosen operating system software for each Managed Endpoint. For CIS MDR Mobile only: Entity is responsible for using a Mobile Device Management (MDM) application that is supported by CIS and Provider to complete installation.
  5. Provide CIS the following up-to-date information: the name, email, and phone numbers for all designated, authorized points of contact. Promptly correct or update this information as needed.
  6. Provide written notification to the CIS Central Support team ([email protected]) at least thirty (30) days before: (i) replacing an existing Managed Endpoint with another device, and/or (ii) changes in operating systems for any Managed Endpoint that might affect CIS MDR services.
  7. Provide written notification to the CIS Central Support team ([email protected]) at least twelve (12) hours in advance of any scheduled Internet outage affecting the Managed Endpoints.
  8. Provide a completed Escalation Procedure Form in the PIQ including the name, email address and 24/7 contact information for all designated points of contact (POC). Revised information must be submitted to the CIS Central Support team ([email protected]) whenever there is a change in status for any POC.
  9. Maintain current maintenance and technical support contracts with Entity’s software and hardware vendors for all Managed Endpoints.
  10. Use reasonable means to protect account information and credentials (including passwords and devices or information used for multi-factor authentication purposes) used by Entity to access and manage the CIS MDR service offerings.
  11. Notify CIS of suspected security breaches or unauthorized use, copying, or distribution of the CIS MDR service offerings. Engage with CIS to resolve tickets requiring Entity input or action.

Appendix B – Provider’s Additional Terms

Third party Crowdstrike, Inc. (“Crowdstrike” or the “Provider”) provides cloud-based software and other products that will be deployed to Entity’s Managed Endpoints as part of the CIS MDR services. Capitalized terms not defined in the Agreement shall have the following meanings within this Appendix B:

“CrowdStrike Data” shall mean the data generated by the CrowdStrike Offerings, including but not limited to, correlative and/or contextual data, and/or detections. For the avoidance of doubt, CrowdStrike Data does not include Entity Data.

“Entity Data” means the data generated by the Entity’s Endpoint and collected by the Products.

“Documentation” means CrowdStrike’s end-user technical documentation included in the applicable Offering.

“Execution Profile/Metric Data” means any machine-generated data, such as metadata derived from tasks, file execution, commands, resources, network telemetry, executable binary files, macros, scripts, and processes, that: (i) Entity provides to CrowdStrike in connection with this Agreement or (ii) is collected or discovered during the course of CrowdStrike providing Offerings, excluding any such information or data that identifies Entity or to the extent it includes Personal Data.

“Internal Use” means access or use solely for Entity’s own internal information security purposes. By way of example and not limitation, Internal Use does not include access or use: (i) for the benefit of any person or entity other than Entity, or (ii) in any event, for the development of any product or service. Internal Use is limited to access and use by Entity’s employees and Partner solely on Entity’s behalf and for Entity’s benefit.

“Offerings” means, collectively, any Products or Product-Related Services.

“Partner” means Center for Internet Security, Inc.

“Personal Data” means information provided by Entity to CrowdStrike or collected by CrowdStrike from Entity used to distinguish or trace a natural person’s identity, either alone or when combined with other personal or identifying information that is linked or linkable by CrowdStrike to a specific natural person. Personal Data also includes such other information about a specific natural person to the extent that the data protection laws applicable in the jurisdictions in which such person resides define such information as Personal Data.

“Product” means any of CrowdStrike’s cloud-based software or other products provided to Entity through Partner, the available accompanying APIs, the CrowdStrike Data, and any Documentation.

“Product-Related Services” means, collectively, (i) Falcon OverWatch, (ii) Falcon Complete Team, (iii) the technical support services for certain Products provided by CrowdStrike, (iv) training, and (v) any other CrowdStrike services provided or sold with Products.

“Threat Actor Data” means any malware, spyware, virus, worm, Trojan horse, or other potentially malicious or harmful code or files, URLs, DNS data, network telemetry, commands, processes or techniques, metadata, or other information or data, in each case that is potentially related to unauthorized third parties associated therewith and that is collected or discovered during the course of CrowdStrike providing Offerings, excluding any such information or data that identifies Entity or to the extent that it includes Personal Data.

Entity acknowledges and agrees that the following terms and conditions, required by the Provider, shall apply to Entity’s receipt of CIS MDR services under this Agreement:

  • A. Access & Use Rights. Subject to the terms and conditions of this Agreement, Entity has a non-exclusive, non-transferable, non-sublicensable license to access and use the Products in accordance with any applicable Documentation solely for Entity’s Internal Use. The Product includes a downloadable object-code component (“Software Component”); Entity may install and run multiple copies of the Software Components solely for Entity’s Internal Use. Entity’s access and use is limited to the quantity and the period of time specified in this Agreement.
  • B. Restrictions. The access and use rights do not include any rights to (i) employ or authorize any third party (other than Partner) to use or view the Offering or Documentation; (ii) alter, publicly display, translate, create derivative works of or otherwise modify an Offering; (iii) sublicense, distribute or otherwise transfer an Offering to any third party; (iv) allow third parties to access or use an Offering (except for Partner as expressly permitted herein); (v) create public Internet “links” to an Offering or “frame” or “mirror” any Offering content on any other server or wireless or Internet-based device; (vi) reverse engineer, decompile, disassemble or otherwise attempt to derive the source code (if any) for an Offering (except to the extent that such prohibition is expressly precluded by applicable law), circumvent its functions, or attempt to gain unauthorized access to an Offering or its related systems or networks; (vii) use an Offering to circumvent the security of another party’s network/information, develop malware, unauthorized surreptitious surveillance, data modification, data exfiltration, data ransom or data destruction; (viii) remove or alter any notice of proprietary right appearing on an Offering; (ix) conduct any stress tests, competitive benchmarking or analysis on, or publish any performance data of, an Offering (provided, that this does not prevent Entity from comparing the Products to other products for Entity’s Internal Use); (x) use any feature of CrowdStrike APIs for any purpose other than in the performance of, and in accordance with, this Agreement; or (xi) cause, encourage or assist any third party to do any of the foregoing. Entity agrees to use an Offering in accordance with laws, rules and regulations directly applicable to Entity and acknowledges that Entity is solely responsible for determining whether a particular use of an Offering is compliant with such laws.
  • C. Third Party Software. CrowdStrike uses certain third party software in its Products, including what is commonly referred to as open source software. Under some of these third party licenses, CrowdStrike is required to provide Entity with notice of the license terms and attribution to the third party. See the licensing terms and attributions for such third party software that CrowdStrike uses at: https://falcon.crowdstrike.com/opensource.
  • D. Installation and User Accounts. For those Products requiring user accounts, only the individual person assigned to a user account may access or use the Product. Entity is liable and responsible for all actions and omissions occurring under Entity’s user accounts for Offerings.
  • E. Ownership & Feedback. The Offerings are made available for use or licensed, not sold. CrowdStrike owns and retains all right, title and interest (including all intellectual property rights) in and to the Offerings. Any feedback or suggestions that Entity provides to CrowdStrike regarding its Offerings (e.g., bug fixes and feature requests) are non-confidential and may be used by CrowdStrike for any purpose without acknowledgement or compensation, provided, Entity will not be identified publicly as the source of the feedback or suggestion.
  • F. CrowdStrike Disclaimer. PARTNER, AND NOT CROWDSTRIKE, IS RESPONSIBLE FOR ANY WARRANTIES, REPRESENTATIONS, GUARANTEES, OR OBLIGATIONS TO ENTITY, INCLUDING REGARDING THE CROWDSTRIKE OFFERINGS. ENTITY ACKNOWLEDGES, UNDERSTANDS, AND AGREES THAT CROWDSTRIKE DOES NOT GUARANTEE OR WARRANT THAT IT WILL FIND, LOCATE, OR DISCOVER ALL OF ENTITY’S OR ITS AFFILIATES’ SYSTEM THREATS, VULNERABILITIES, MALWARE, AND MALICIOUS SOFTWARE, AND ENTITY AND ITS AFFILIATES WILL NOT HOLD CROWDSTRIKE RESPONSIBLE THEREFOR. CROWDSTRIKE AND ITS AFFILIATES DISCLAIM ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE. TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW, CROWDSTRIKE AND ITS AFFILIATES AND SUPPLIERS SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT WITH RESPECT TO THE OFFERINGS. THERE IS NO WARRANTY THAT THE OFFERINGS WILL BE ERROR FREE, OR THAT THEY WILL OPERATE WITHOUT INTERRUPTION OR WILL FULFILL ANY OF ENTITY’S PARTICULAR PURPOSES OR NEEDS. THE OFFERINGS ARE NOT FAULT-TOLERANT AND ARE NOT DESIGNED OR INTENDED FOR USE IN ANY HAZARDOUS ENVIRONMENT REQUIRING FAIL-SAFE PERFORMANCE OR OPERATION. THE OFFERINGS ARE NOT FOR USE IN THE OPERATION OF AIRCRAFT NAVIGATION, NUCLEAR FACILITIES, COMMUNICATION SYSTEMS, WEAPONS SYSTEMS, DIRECT OR INDIRECT LIFE-SUPPORT SYSTEMS, AIR TRAFFIC CONTROL, OR ANY APPLICATION OR INSTALLATION WHERE FAILURE COULD RESULT IN DEATH, SEVERE PHYSICAL INJURY, OR PROPERTY DAMAGE. ENTITY AGREES THAT IT IS ENTITY’S RESPONSIBILITY TO ENSURE SAFE USE OF AN OFFERING IN SUCH APPLICATIONS AND INSTALLATIONS. CROWDSTRIKE DOES NOT WARRANT ANY THIRD PARTY PRODUCTS OR SERVICES.
  • G. Entity Obligations. Entity, along with its Affiliates, represents and warrants that: (i) it owns or has a right of use from a third party, and controls, directly or indirectly, all of the software, hardware and computer systems (collectively, “Systems”) where the Products will be installed or that will be the subject of, or investigated during, the Offerings, (ii) to the extent required under any federal, state, or local U.S. or non-US laws (e.g., Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq., Title III, 18 U.S.C. 2510 et seq., and the Electronic Communications Privacy Act, 18 U.S.C. § 2701 et seq.) it has authorized CrowdStrike to access the Systems and process and transmit data through the Offerings in accordance with this Agreement and as necessary to provide and perform the Offerings, (iii) it has a lawful basis in having CrowdStrike investigate the Systems, process the Entity Data and the Personal Data; (iv) that it is and will at all relevant times remain duly and effectively authorized to instruct CrowdStrike to carry out the Offerings, and (v) it has made all necessary disclosures, obtained all necessary consents and government authorizations required under applicable law to permit the processing and international transfer of Entity Data and Entity Personal Data from each Entity and Entity Affiliate, to CrowdStrike.
  • H. Falcon Platform. The Falcon Endpoint Protection Platform (“Falcon EPP Platform”) uses a crowd-sourced environment, for the benefit of all customers, to help customers protect themselves against suspicious and potentially destructive activities. CrowdStrike’s Products are designed to detect, prevent, respond to, and identify intrusions by collecting and analyzing data, including machine event data, executed scripts, code, system files, log files, dll files, login data, binary files, tasks, resource information, commands, protocol identifiers, URLs, network data, and/or other executable code and metadata. Entity, rather than CrowdStrike, determines which types of data, whether Personal Data or not, exist on its systems. Accordingly, Entity’s endpoint environment is unique in configurations and naming conventions and the machine event data could potentially include Personal Data. CrowdStrike uses the data to: (i) analyze, characterize, attribute, warn of, and/or respond to threats against Entity and other customers, (ii) analyze trends and performance, (iii) improve the functionality of, and develop, CrowdStrike’s products and services, and enhance cybersecurity; and (iv) permit Entity to leverage other applications that use the data, but for all of the foregoing, in a way that does not identify Entity or Entity’s Personal Data to other customers. Neither Execution Profile/Metric Data nor Threat Actor Data are Entity’s Confidential Information or Entity Data.
  • I. Processing Personal Data. Personal Data may be collected and used during the provisioning and use of the Offerings to deliver, support and improve the Offerings, comply with law, or otherwise in accordance with this Agreement. Entity authorizes CrowdStrike to collect, use, store, and transfer the Personal Data that Entity provides to CrowdStrike as contemplated in this Agreement.
  • J. Compliance with Applicable Laws. Both CrowdStrike and Entity agree to comply with laws directly applicable to it in the performance of this Agreement.