Service Specific Terms Addendum

Last Updated: July 29, 2024

 

This Service Specific Terms Addendum sets forth additional terms and conditions that apply to Your use of the applicable Services listed below. Unless otherwise noted, capitalized terms not defined in these terms have the meaning given to them in the Cloud Terms and Conditions.

1.1 Webroot Business Endpoint Protection (“WEP”), DNS Protection (“DNSP”), and Security Awareness Training (“SAT”). Your purchase and use of WEP, DNSP and SAT are subject to the additional terms available at https://www.webroot.com/us/en/legal/licensing-definition-guidelines.

 

1.2 Webroot Secure File Share (formerly known as Zix Secure File Share). You are responsible for establishing the data retention settings for Your Content via a support request. In no event will Your Content be retained for longer than four (4) years.

 

1.3 Webroot Email Threat Protection Service (formerly known as Zix Email Threat Protection). This Service filters no more than 3,600 messages per hour inbound, 30 messages per minute outbound, or 10,000 messages per day per user. OT will make commercially reasonable efforts to notify You if any action has or will be taken.

 

1.4 Webroot Advanced Email Encryption (formerly known as Zix Email Encryption). Unless otherwise agreed in writing, the Services shall not be used to encrypt application-generated (bulk) emails. Additionally, OT reserves the right to display a short message on all outbound encrypted messages.

The CDR Services consist of cloud-based, managed services that enable: (a) ongoing availability of Your information technology operations and (b) recovery of mission-critical applications, servers, and data in the cloud after a Disaster (as defined below).

 

2.1 Performance. 

a. OT will provide to You a disaster recovery plan (a “DR Plan”) as set forth in the Order Documentation. The Order Documentation and DR Plan will identify the service level purchased (e.g., 1 hour recovery, 24-hour recovery or 48-hour recovery), the Fees to be paid, the equipment covered by the CDR Services (the “Covered Equipment”) and the premises where the Covered Equipment is located (the “Covered Site”). OT will provide the CDR Services solely in connection with the Covered Equipment as configured at the Covered Site and as described in the DR Plan. Equipment and devices not identified in the DR Plan or not accurately described and/or configured in accordance with the DR Plan fall outside the scope of the CDR Services. If the Covered Equipment and/or configurations identified in the DR Plan are different than the Covered Equipment and configuration in the Order Documentation, and OT is required to expend greater resources to provide the CDR Services, OT will require You to enter into amended Order Documentation that accurately reflects the CDR Services to be provided in accordance with the DR Plan.

 

b. In the event that You: (i) are unable to use the Covered Equipment in a production environment at the Covered Site for its intended computer processing and related business production purposes (a “Disaster”); and (ii) provide OT notice of such Disaster in accordance with the OT procedures then in effect; then OT will provide You with remote access to an OT-hosted environment that duplicates the functionality of the Covered Equipment at the Covered Site as described in the DR Plan (the “Duplicate Environment”) and Your Content as hosted in the Duplicate Environment, subject further to the terms herein. OT will continue to operate the Duplicate Environment until You have informed OT via email that You are again able to use the Covered Equipment in a production environment at the Covered Site, and that the Disaster has ended (“Covered Site Restoration”).

 

2.2 Individuals Designated to Declare a Disaster. A Disaster may be declared only by the individuals authorized by You in the respective Order Documentation, DR Plan or otherwise identified by You in writing. You may change the designated individuals by written notice to OT.

 

2.3 Disaster Fees. In addition to the monthly fees for the CDR Services are set forth in the applicable Order Documentation, in the event of a Disaster, You will pay the additional Disaster specific fees then in effect. These include a per-server fee for each Disaster declaration.

 

2.4 Your Materials. You hereby grant to OT a non-exclusive, worldwide, royalty-free, right and license to reproduce and use the software, applications, and Your Content necessary for OT to create and maintain the Duplicate Environment (the “Your Materials”) solely as necessary to perform the CDR Services. You represent and warrant that: (a) it has all the rights necessary to grant the foregoing license and (b) that OT’s reproduction and use of Your Materials will not infringe the rights of any third party, including any intellectual property and/or privacy rights. You shall indemnify, defend, and hold harmless OT for any claims, damages, losses, and expenses (i) relating to the use of Your Materials or (ii) arising from a third party’s claim that Your Materials infringe on such third party’s intellectual property rights.

 

2.5 Your Obligations. 

 

a. General. You shall: 

 

1. Notify OT as soon as reasonably practicable of any changes to Your Covered Equipment or Covered Site and update Your portal accordingly. Changes to Your Covered Equipment or Covered Site include without limitation, adding servers or changes to servers;
2. Determine whether the service level selected by You and specified in the applicable Order Documentation is sufficient to meet Your requirements for continuing its information processing activities in the event of a Disaster;
3. Comply with OT’s policies and procedures, including such policies related to declaring a Disaster and confirming Covered Site Restoration;
4. Perform Your obligations identified in the DR Plan or otherwise agreed upon by the parties and related to the CDR Services;
5. Maintain the Covered Equipment at the Covered Site in accordance with operational requirements, and to the extent that any Covered Equipment is third-party equipment, in accordance with the requirements of the third-party equipment manufacturer;
6. Provide to OT a SAVSYS tape, or SAVSYS optical media if the CDR Services are used in an IBM environment, prior to commencement of the CDR Services, each time the operating system on the Covered Equipment is upgraded, and as otherwise may be requested by OT;
7. Create and monitor the traffic on the tunnel if an Internet Protocol Security (“IPsec”) tunnel is required (OT only provides the end target for the IPsec tunnel);
8. Provide a site edge device to be supported by Cisco for IPsec tunneling to initiate the IPsec tunnel.
9. Maintain and monitor the status and health of the domain controller;
10. Conduct disaster recovery testing as provided in Section 2.5(b) below; and
11. Support and maintain Your Materials in the Duplicate Environment in accordance with the Service Documentation and create and maintain a domain controller in the Duplicate Environment in connection with CDR Services with a 1-hour service level.

 

b. Testing. In accordance with the DR Plan and the CDR policies and procedures then in effect (“CDR Policies”), You will conduct disaster recovery testing (a “CDR Test”). During a CDR Test, You shall provide to OT Your encryption key(s) and the required accounts necessary for operating system access to recover machines, i.e. local administrator, domain administrator, root or (sudo), or QSECOFR. You shall remain responsible for all configurations of any third-party software according to third-party vendor specifications. You will perform the CDR Test, within a reasonable amount of time after purchase, in accordance with OT’s instruction. A CDR Test will be completed using Your actual servers, server application sets and server count, as defined in the DR Plan. OT will provide You with access to a Duplicate Environment in order to conduct a CDR Test, subject to the number of tests permitted under the level of CDR Services purchased by You, as set forth in the applicable Order Documentation. If You require additional CDR Tests, a Duplicate Environment may be available to You at OT’s then-current fees. You will schedule CDR Tests with at least sixty (60) days advanced written notice to OT and in accordance with the CDR Policies. Priority for use of the Duplicate Environment is given to customers that have a declared Disaster. Accordingly, OT reserves the right to reschedule CDR Tests. If during a CDR Test OT is unable to activate and operate the Duplicate Environment in material compliance with the DR Plan (the “CDR Test Target), OT reserves the right to troubleshoot and re-conduct the CDR Test. If after reasonable efforts OT is unable to meet the CDR Test Target, either party may terminate the CDR Services (and the applicable portion of any Order Documentation) and OT will refund to You any prepaid but unused fees as Your sole and exclusive remedy. Each party’s right of termination under Section 2.5(b) must be exercised by written notice of its intention to terminate the CDR Services within forty-five (45) days of the failed CDR Test or such right of termination will be waived.

 

c. Disaster. At any time between the date that You declare a Disaster and the date of Covered Site Restoration (the “Disaster Recovery Period”), You will:

 

1. Provide assistance and otherwise perform the obligations as set forth herein.
2. Comply with all CDR Policies, including that You will provide OT encryption keys as necessary to activate the Duplicate Environment;
3. Re-route all external IP addresses and aliases to the IP addresses associated with the Duplicate Environment;
4. Make available any equipment, software, workspace, supplies, and personnel and/or telecommunications services needed to activate and operate the Duplicate Environment, including those not specifically identified in the DR Plan;
5. Provide Your own equipment, such as laptops, in order to access and use the Duplicate Environment; 
6. Provide the appropriate skills and knowledge required to recover, support, and maintain the business applications being recovered in the Duplicate Environment;
7. Work diligently to install applications on the Covered Equipment at the Covered Site with the intent of obtaining Covered Site Restoration;
8. Be responsible for all configurations of any third-party software according to third party vendor specifications; and
9. Provide the required accounts necessary for operating system access to recover the machines, i.e., local administrator, domain administrator, root or (sudo) or QSECOFR.

 

d. Remedy. You may, as the sole and exclusive remedy for OT’s material breach of this Section 2 of the Service Specific Terms Addendum: (i) terminate the Agreement within five (5) days advance notice; and (ii) receive a refund equal to the fees paid to OT for the three (3) month period immediately preceding the Disaster. This remedy does not apply to (i) Your breach of Your obligations under the Agreement or any other cause beyond OT’s reasonable control, (ii) any self-service Disaster declarations, tests, or failovers, or (iii) any period of time outside of the Disaster Recovery Period.

3.1 Definitions.

 

a. Defined Terms.  For the purposes of this Section 3 of the Service Specific Terms Addendum, the following terms shall be defined as follows:

 

1. “Third Party Sources” means sources that the Archiving Services receive Your data from including, but not limited to, third party: (i) services; (ii) software; (iii) platforms; (iv) applications; (v) websites; (vi) social media sites; (vii) telecommunication carriers; and (viii) APIs.
2. “Third Party Limitations” means limitations beyond the control of OT that could impact the ability of the Archiving Services to capture, archive, and/or forward information, including, but not limited to, local, state, or federal laws as well as third party: (i) website policies, privacy settings, and data encryption; (ii) limitations of the third party website application programming interface; (iii) website restrictions on capture of third party data; (iv) website site data storage or access failures; (v) access controls such as passwords or other security measures; (vi) website discovery; and (vii) non-standard website programming.

 

3.2 Website Content Capture and Archiving. OT will make commercially reasonable efforts to capture and archive Your publicly accessible third-party website content. OT’s responsibility to complete such capture shall be subject to the conditions and disclaimers described in this Agreement. Subject to the limitations (including, but not limited to, Third Party Limitations set forth in this Agreement that may be updated from time to time), OT agrees to provide Archiving Services to You for the unique website addresses provided by You (for example https://www.domain.com). Such website capture will not be provided for any 3rd level or external website(s) (for example https://sub.domain.com).

 

3.3 Third Party Platforms and Websites.  The Archiving Services receive Your data from Third Party Sources. Third Party Sources are not offered, controlled, or provided by OT, and OT is not responsible for how Third Party Sources transmit, access, process, store, use or provide data for, or to, OT.  You acknowledge that OT’s ability to capture, archive and/or forward information from Third Party Sources will be restricted by Third Party Limitations.  OT shall have no obligation, or liability, for failure to capture any communications or data on Third Party Sources due to these Third Party Limitations. Notwithstanding the foregoing, in the event any Third Party Sources deny access to OT for purposes of capturing, archiving and/or forwarding such electronic data or communications, OT shall use reasonable endeavors to amend the Archiving Services to comply with such Third Party Limitations.  Applicable Third Party Limitations may include, without limitation, the following terms:

 

YouTube terms and conditions: https://www.youtube.com/t/terms

 

Google services privacy: https://policies.google.com/privacy?hl=en-GB

https://security.google.com/settings/security/permissions

 

Facebook terms and conditions: https://developers.facebook.com/terms

 

LinkedIn terms and conditions: https://www.linkedin.com/legal/l/api-terms-of-use

 

Your Content sent on removable media to OT for import into the Archiving Services may be subject to import fees.

 

3.4 Data Retention.  You are responsible for using the Archiving Services in accordance with applicable law, third party email service terms and conditions, and Your own internal retention requirements. In order for Your Content to be retained, after the Subscription Term to Archiving Services has expired, You must purchase extended data retention at an additional charge at the end of the Subscription Term (or upon termination, if earlier). The Archiving Services allow You to download archived information, and professional data exportation may be available at an additional charge by signing a separate Order Documentation.

 

3.5 FINRA/SEC Archiving Obligations.  This Agreement does not relieve You from any applicable responsibilities You may have under SEC Rules 17a-3 and 17a-4. If You elect to cease using the Archiving Services for some or all of Your records preservation, the obligation to maintain and preserve books and records reverts back to You and You must provide written instructions to OT in order to transfer Your records to an alternative recordkeeping service.

 

3.6 Your Obligations.  Notwithstanding any of Your other obligations with respect to the Archiving Services, You are also responsible for: (i) configuring applicable third party platforms or systems to transmit Your Content to the Archiving Services, including without limitation in accordance with industry standards, and applicable laws and regulations, (ii) providing assistance to OT to investigate and resolve issues, (iii) obtaining any necessary consents from each individual end user in accordance with applicable law and any Third Party Limitations and (iv) immediately reporting to OT any issue which could compromise the stability, service or security of any user or system connected to or utilizing the Archiving Services to allow OT to provide the Archiving Services.

4.1 Access to Data. Other than for the purposes of performing the Cloud-to-Cloud Backup Services, or for other services performed with Your consent, and subject to applicable law, OT will not access Your Content without Your permission, and Your Content will be decrypted only per Your authorization when You view, index, virus scan, export or restore such data. OT reserves the right to impose limits on abusive or excessive use, as determined by OT, in OT’s sole discretion. OT may set reasonable storage limits in the future. Upon termination of the Cloud-to-Cloud Backup Services, OT will use reasonable commercial efforts to send notification of such termination to the email address provided by You, informing You that Your access to the Cloud-to-Cloud Backup Services will be discontinued, and Your Content will be deleted after 14 days without a recovery option. OT will have no liability if You fail to receive the email or act in accordance with the email, or if Your Content is deleted following such period.

 

4.2 Limitation. You agree not to use or launch any automated system, including without limitation, “robots,” “spiders,” and “offline readers,” that accesses the Cloud-to-Cloud Backup Services, or any site or portal used to provide them, in a manner that sends more request messages to our servers in a given period of time than a human can reasonably produce in the same period by using a conventional online web browser. OT reserves the right to revoke these exceptions either generally or in specific cases.

 

4.3 OT Default Storage Provider. The OT Default Storage Provider (as defined below) for the Cloud-to-Cloud Backup Services is Amazon S3 Storage. Current terms and conditions for Amazon S3 Storage are available at https://aws.amazon.com/agreement/.

You acknowledge that an integral function of certain Services is performed through a third-party cloud storage provider.  

 

5.1 Cloud Storage Provider. If You elect to utilize Your own cloud storage provider (“Your Cloud Storage Provider”), You acknowledge that OT cannot warrant and hereby disclaims any responsibility with respect to the integrity, reliability, security, quality, and compatibility with Your systems, availability of the services provided by Your Cloud Storage Provider and their effect on the applicable Services and/or Your Content. Accordingly, You shall release OT from any liability relating to failure or lack of availability of the Services relating to Your Cloud Storage Provider.

 

You acknowledge that Your use and access of the services provided by Your Cloud Storage Provider and all legal rights and remedies related to Your use of Your Cloud Storage Provider’s services are governed by the applicable terms entered into between You and Your Cloud Storage Provider (“Your Cloud Storage Provider EULA”) and You shall indemnify OT from any claims arising from a breach by You of Your Cloud Storage Provider EULA.

 

5.2 Default Storage Provider. If You do not request to use Your Cloud Storage Provider, OT shall select a default cloud storage provider as specified in this Service Specific Terms Addendum (the “Default Storage Provider”) as applicable. You acknowledge that Your use and access of the services provided by the Default Storage Provider is governed by the Agreement together with the applicable terms of the Default Storage Provider, including (without limitation) any acceptable use policy and privacy policy (the “Default Storage Provider EULA”) that reasonably apply to end users (i.e., the appropriate ways for end users to use the Default Storage Provider’s service), which You hereby acknowledge and agree to abide by. Accordingly, You shall indemnify OT from any claims arising from a breach by You of the Default Storage Provider EULA and such breach shall entitle OT to immediately suspend or terminate the Services or any part thereof (including, without limitation, Your access to the Default Storage Provider service).

 

Your Content shall be stored and handled by the Default Storage Provider in accordance with the Default Storage Provider EULA to which You hereby agree to adhere. You further acknowledge that You have no rights and remedies against the Default Storage Provider, and that all claims relating thereto should be directed to OT, and shall be subject exclusively to the terms of the Agreement and this Service Specific Terms Addendum.

6.1 Sensitive Data. In the event that Your use of the Services involves the processing of personal data subject to the DPA or U.S. State Privacy Addendum incorporated into the Agreement between OT and Customer (as defined in the DPA or U.S. State Privacy Addendum) as set out in Section 6 of the Cloud Terms and Conditions, the Parties acknowledge that the use of certain of the Services may further involve (but not require) the processing of Sensitive Data (as such is defined in the DPA or U.S. State Privacy Addendum), which Customer may provide or make available to OT, the extent of which is determined and controlled by the Customer in its sole discretion. Accordingly, the Parties agree that, with respect to the Services, the “Sensitive Data” section of Appendix 2 to the DPA, or the “Sensitive Data” section of Appendix 1 to the U.S. State Privacy Addendum, shall be amended to replace “None” with the following: 

 

The use of the Services may involve (but not require) the processing of Sensitive Data which Customer may provide or make available to OT, the extent of which is determined and controlled by the Customer in its sole discretion. Due to the nature of the Services, the exact types of personal data cannot be conclusively established by OT and may vary depending on the exact use case of the Services by Customer. However, such special categories of data may include, but may not be limited to, information revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning an individual’s health or sex life.

 

Except as specifically modified or amended above, the DPA and/or U.S. State Privacy Addendum and all provisions contained in it are, and will continue, in full force and effect. 

 

6.2 Third Party Platforms.  You may, at Your option, obtain services from a third party and manage certain aspects of the Services from Your designated third party’s platform which interoperate with the Services (each, a “Third Party Platform”).  If You utilize a Third Party Platform for use and/or management of the Services, You grant OT permission to allow the provider of such Third Party Platform (“Third Party Provider”) to access Your data or information (including but not limited to Your Content) as required for the interoperation of the Services with such Third Party Platform and You hereby release OT from and waive any and all claims relating thereto.  Your use of a Third Party Platform, including but not limited to any exchange of data between You and a Third Party Provider, shall solely be between You and such Third Party Provider.   You shall be responsible for any change to your Services by a Third Party Platform utilizing your OT credentials. Any use of the Services by You within a Third Party Platform remains subject to the applicable OT terms and conditions for such Service and OT does not warrant, and shall have no liability whatsoever in connection with, the performance of any Third Party Platform that interacts with the Services, including, but not limited to, any disclosure, modification, or deletion of Your Content. OT may cease to provide any Service features or functionality within a Third Party Platform and will have no liability to You relating thereto.