1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with either party hereto. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the economic interests of the subject entity.
1.2 “Authorized Users” means individual employees or contractors of Customer who are authorized by Customer to access and use the Services and who are registered by Customer with Veeam as an authorized user of the Services.
1.3 “Customer” means an individual or entity entering into this Agreement with Veeam.
1.4 “Customer Data” means Customer’s data that is input, processed, maintained, stored or transmitted by, in or through the Services. As set forth in more detail in the relevant Statement of Work, to the extent any Customer Data includes Personal Data, as that term is defined in applicable laws, either Customer or Veeam may be the “data controller” or “business” with respect to such Customer Data, depending on the specific activities and purposes for which Customer Data is being processed.
1.5 “Customer POC Data” means personal data of Customer employees, contractors, or directors which Customer provides Veeam to enable Veeam’s administration of this Agreement and the provision of the Services set forth in the Statement of Work. Veeam is always a “data controller” or “business”, as those terms are used in relevant laws and regulations, with respect to such Data, and its collection, processing, disclosure, and use of such Data is set forth in Veeam’s Privacy Policy, available at https://www.veeam.com/legal/privacy-notice.html, which Veeam may update from time to time.
1.6 “Deliverables” means the outcome of the Services provided by Veeam to Customer in accordance with a Statement of Work.
1.7 “Description of Services” (“DOS”) means a document that describes the packaged set of Services purchased by Customer and provided by Veeam under this Agreement.
1.8 “Documentation” means Veeam’s user guides and other end user documentation for the Services, as may be made available by Veeam to Customer on Veeam’s website. Documentation may be updated from time to time upon Veeam’s sole discretion; Customer agrees that it will monitor Veeam’s website for relevant updates to Documentation.
1.9 “Services” means the services purchased by Customer and provided by Veeam, as specified in the relevant Statement of Work.
1.10 “Statement of Work” (“SOW”) means a document that describes Services purchased by Customer and provided by Veeam under this Agreement.
1.11 “Veeam Technology” means all computer hardware, software, equipment, data, models, analytics, algorithms, processes, formulae and any other technology, content, materials or proprietary information used by Veeam to perform the Services.
2.1 Orders
A legally binding agreement between Customer and Veeam will only be established upon the execution of a SOW or DOS that details the specific services to be performed by Veeam.
2.2 Grant of Use
Veeam grants to Customer and its Authorized Users a limited, non-sublicensable, non-exclusive, non-transferable right during the Term to use the Deliverables resulting from Services in accordance with the Documentation, solely for Customer’s internal business purposes.
2.3 Customer’s Obligations
Customer shall designate in writing one of its employees as its principal contact for communicating with Veeam and shall provide all Customer POC Data as may be necessary for Veeam to provide the Services. Customer is responsible for acquiring and maintaining technology and procedures for maintaining the security of its link to the Services via the Internet. Customer shall be responsible for all use of the Services by Authorized Users. Customer shall use the Services in compliance with applicable laws and shall not: (i) copy, rent, sell, lease, distribute, pledge, assign, or otherwise transfer, or encumber rights to the Services, or any part thereof, or make it available to anyone other than its Authorized Users and Affiliates; (ii) fraudulently use the Services; (iii) process or permit to be processed the data of any third party, except as may be expressly authorized in this Agreement or in writing by Veeam; (iv) send or store viruses, worms, time bombs, Trojan horses or other harmful or malicious code, files, scripts, agents or programs through, in or to the Services; (v) attempt to gain unauthorized access to, or disrupt the integrity or performance of, the Services or the data contained therein; (vi) modify, copy, decompile, disassemble or create derivative works from, or otherwise attempt to derive the source code of, the Services, or any portion thereof; (vii) access, alter, or destroy any data or information of Veeam or any other customer of Veeam by any means or device, or attempt or permit any other person to do any of the foregoing; (viii) access the Services for the purpose of building a competitive product or service or copying its features or user interface; or (ix) delete, alter, add to or fail to reproduce in and on the Services the name of Veeam and any copyright or other notices appearing in or on the Services or which may be required by Veeam at any time.
Any use of the Services in breach of this Agreement, the Documentation or the SOW/DOS by Customer or Authorized Users that in Veeam’s judgment threatens the security, integrity or availability of the Services, in whole or in part, may result in Veeam immediately suspending Customer’s and its Authorized Users’ access to or use of the Services.
2.4 Subcontractors
Veeam may, in its sole discretion, use subcontractors to perform or provide the Services, in whole or in part, and shall be responsible for the acts and omission of its subcontractors.
3.1 Veeam shall use commercially reasonable efforts to: (i) maintain appropriate administrative, physical, and technical safeguards to protect the security and integrity of the Services and the Customer Data; (ii) protect the confidentiality of the Customer Data; and (iii) access and use the Customer Data solely to perform its obligations in accordance with the terms of this Agreement and as otherwise permitted in this Agreement or as permitted or required under applicable laws; provided, however, that unless resulting from the failure of Veeam to perform the forgoing obligations, the parties agree that Veeam shall not be responsible or liable for situations where data or transmissions are accessed by third parties through illegal or illicit means, or where the data or transmissions are accessed through the exploitation of security gaps, weaknesses, or flaws unknown to Veeam at the time. Veeam will report to Customer any unauthorized access to Customer Data promptly upon discovery by Veeam, and Veeam will use diligent efforts to promptly remedy any breach of security that permitted such unauthorized access. The Services shall be operated in an environment where (a) all Customer Data shall be stored separate from other customers of Veeam, or (b) all files containing Customer Data are partitioned sufficient to protect the security of Customer Data. Customer acknowledges and agrees that Veeam may monitor Customer’s use of the Services. To the extent Veeam is a “data processor” or “service provider”, as those terms are defined in applicable law, with respect to any Customer Data, Veeam and Customer shall enter into a Data Processing Agreement, in conjunction with the SOW, governing Veeam’s processing of such Customer Data.
4.1 Each party (“Recipient”) may, during the course of its provision or use of the Services, receive, have access to, or acquire knowledge from discussions with the other party (“Discloser”) which may not be accessible or known to the general public, including technical and business information concerning hardware, software, designs, specifications, techniques, processes, procedures, research, development, projects, products or services, business plans or opportunities, business strategies, finances, costs, vendors and security information (collectively, “Confidential Information”). Confidential Information shall not include, and shall cease to include, information or materials that (a) were generally known to the public on the Effective Date; (b) become generally known to the public after the Effective Date, other than as a result of the act or omission of the Recipient; (c) were rightfully known to the Recipient prior to its receipt thereof from the Discloser; (d) are or were disclosed by the Discloser generally without restriction on disclosure; (e) the Recipient lawfully received from a third party without that third party’s breach of any agreement or obligation of trust; or (f) are independently developed by the Recipient without use of or access to Discloser’s Confidential Information, in each case, as shown by documents and other competent evidence in the Recipient’s possession. For clarity, the parties acknowledge and agree that the Customer Data and Customer POC Data constitutes Customer’s Confidential Information and the Veeam Technology constitutes Veeam’s Confidential Information. The Recipient shall not: (i) use any Confidential Information of the Discloser for any purpose outside the scope of this Agreement, except with the Discloser’s express prior written permission, or (ii) disclose or make the Discloser’s Confidential Information available to any person or entity, except those of its employees, contractors, and agents that have signed an agreement containing non-disclosure and non-use provisions no less strict than those set forth herein and have a “need to know” in order to carry out the purpose of this Agreement. Each party agrees to protect the confidentiality of the Confidential Information of the other party in the same manner that it protects the confidentiality of its own proprietary and confidential information of like kind, but in no event shall either party exercise less than reasonable care in protecting such Confidential Information. The obligations set forth in Section 3 and not this Section 4 apply to Customer Data.
5.1 Customer Data
Customer owns the Customer Data and hereby grants to Veeam, its Affiliates, and applicable contractors a worldwide, non-exclusive license to use, process, host, collect, copy, store, transmit, display, modify and create derivative works of the Customer Data: (a) as reasonably necessary for Veeam to provide the Services in accordance with this Agreement and (b) to analyze the use of and make improvements to the Services and develop new services and models, including through machine learning. Subject to the rights and licenses granted in this Section 5.1, Veeam acquires no right, title or interest from Customer in or to any Customer Data. Unless otherwise agreed in writing by the parties, Customer shall be responsible for the accuracy, quality and legality of Customer Data and the means by which Customer acquired Customer Data.
6.1 Service Fees
The parties acknowledge and agree that the Services are procured via the Veeam channel. Therefore, all pricing and payment terms and related invoicing are between Customer and their selected Veeam partner, except as may be set forth in a specific Statement of Work.
6.2 Taxes
Fees do not include any local, state, federal or foreign taxes, levies, duties or similar governmental assessments of any nature, including value-added, use or withholding taxes (collectively, “Taxes”). To the extent that amounts are withheld by Customer under applicable law, these amounts shall be remitted to the local tax authority, and receipts will be provided to the seller. The parties will make reasonable efforts to minimize withholding taxes on the payments referenced in this agreement. Customer is responsible for paying all Taxes associated with its purchases hereunder (excluding taxes based on Veeam’s net income or property) unless Customer provides Veeam with a valid resale certificate authorized by the appropriate taxing authority.
7. Warranties and Disclaimers
7.1 Veeam Warranties
Veeam warrants that: (i) Veeam shall use reasonable endeavors to provide Services and, if applicable, deliver the Deliverables to Customer, in accordance with a Statement of Work in all material respects and (ii) Veeam will employ then-current, industry-standard measures to test software delivered by Veeam via the Services, as appropriate, to detect and remediate viruses, Trojan horses, worms, logic bombs, or other harmful code or programs designed to negatively impact the operation or performance of the Services. As Customer’s exclusive remedy and Veeam’s entire liability for a breach of the warranties set forth in this Section 7.1, Veeam shall use commercially reasonable efforts to correct the non-conforming Services at no additional charge to Customer, and in the event Veeam fails to successfully correct the Services within a reasonable time of receipt of written notice from Customer detailing the breach, then Customer shall be entitled to terminate the applicable Services and get pro-rated refund, but only for the non-conforming Services under a specific SOW. The remedies set forth in this subsection shall be Customer’s sole remedy and Veeam’s sole liability for breach of these warranties. The warranties set forth in this Section shall apply only if the applicable Services have been utilized in accordance with the Documentation, this Agreement and applicable law.
7.2 Customer Warranties
Customer represents and warrants that (i) it has full legal right, power and authority to execute, deliver and perform its obligations under this Agreement and the Services contemplated hereby, (ii) the performance of its obligations and use of the Services (by Customer, its Affiliates and Authorized Users) will not violate any applicable laws or regulations, (ii) it will not cause a breach of any agreements with any third parties or unreasonably interfere with the use by other Veeam customers of the Services, and (iii) the information it, its Affiliates and/or Authorized Users transmit with respect to the Services complies with all applicable laws and regulations, whether now in existence or hereafter enacted and in force and, to the best of Customer’s knowledge, is true, accurate and complete in all material respects and there are no restrictions on Customer’s authorization or ability to disclose or publish such data and information. Customer acknowledges that Veeam does not monitor the content of the information passing through the Services. In the event of any breach by Customer of any of the foregoing representations or warranties, in addition to any other remedies available at law or in equity, Veeam will have the right to suspend immediately any Services if deemed reasonably necessary by Veeam to prevent any harm to Veeam, the Services, any other services, its other customers or its business. Veeam will provide notice to Customer and an opportunity to cure, if practicable, depending on the nature of the breach. Once cured, including the reimbursement of any damages or liability caused by any such breach, Veeam will promptly restore the Services.
7.3 Disclaimers
(a) EXCEPT FOR THE EXPRESS WARRANTIES SET FORTH UNDER SECTION 7.1, VEEAM AND ITS SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, RELATING TO THE SERVICES OR OTHER SUBJECT MATTER OF THIS AGREEMENT INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT OF THIRD-PARTY RIGHTS OR TITLE. CUSTOMER ACKNOWLEDGES AND AGREES THAT IT IS NOT RELYING AND HAS NOT RELIED ON ANY REPRESENTATIONS OR WARRANTIES WHATSOEVER REGARDING THE SUBJECT MATTER OF THIS AGREEMENT, EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES EXPRESSLY SET FORTH UNDER SECTION 7.1. VEEAM MAKES NO WARRANTY THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR FREE OR REGARDING ANY NON-VEEAM APPLICATION WITH WHICH THE SERVICES MAY INTEROPERATE.
(b) Veeam does not and cannot control the flow of data to or from the Services and other portions of the Internet. Such flow of data depends on the performance of Internet services provided or controlled by third parties. At times, actions or inactions of such third parties can impair or disrupt Customer’s connections to the Internet (or portions thereof) and/or the Services. Although Veeam will use commercially reasonable efforts to take all actions it deems appropriate to remedy and avoid such events, Veeam cannot guarantee that such events will not occur. VEEAM DISCLAIMS ANY AND ALL LIABILITY RESULTING FROM OR RELATED TO THE PERFORMANCE OR NON-PERFORMANCE OF INTERNET SERVICES PROVIDED OR CONTROLLED BY THIRD PARTIES.
8.1 IN NO EVENT WILL VEEAM OR ANY OF ITS AFFILIATES BE RESPONSIBLE OR LIABLE WITH RESPECT TO ANY SUBJECT MATTER OF THIS AGREEMENT OR ANY TERMS OR CONDITIONS RELATED HERETO UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY (A) FOR ERRORS OR INTERRUPTION OF USE, LOSS OR INACCURACY OR CORRUPTION OF DATA, (B) FOR COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES, RIGHTS, OR TECHNOLOGY, (C) FOR ANY LOST PROFITS OR REVENUES, OR (D) FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR SIMILAR DAMAGES, WHETHER OR NOT VEEAM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
8.2 IN NO EVENT SHALL THE AGGREGATE LIABILITY OF VEEAM OR ANY OF ITS AFFILIATES ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE ANNUALIZED SERVICE FEES PAID BY CUSTOMER AND ITS AFFILIATES UNDER THE SPECIFIC SOW AND FOR THE SPECIFIC SERVICES UNDER WHICH THE LIABILITY AROSE DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE FIRST INCIDENT FROM WHICH SUCH LIABILITY AROSE. THE FOREGOING LIMITATION SHALL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY. ANY CLAIM ARISING UNDER THIS AGREEMENT SHALL BE BROUGHT WITHIN TWO (2) YEARS FROM THE LATER OF THE DATE ON WHICH THE EVENTS GIVING RISE TO THE CLAIM AROSE OR THE DATE ON WHICH THE PARTY BRINGING THE CLAIM FIRST BECAME AWARE OF THE EVENTS GIVING RISE TO THE CLAIM. CUSTOMER ACKNOWLEDGES AND AGREES THAT THIS LIMITATION REPRESENTS A REASONABLE ALLOCATION OF RISK AND, IN THE ABSENCE OF THESE LIMITATIONS OF LIABILITY, THE TERMS OF THIS AGREEMENT WOULD BE SUBSTANTIALLY DIFFERENT.
9.1 Veeam Indemnification Obligation
Subject to Section 9.3, Veeam will indemnify and defend Customer, its Affiliates and its and their respective officers, directors, employees and agents (“Customer Indemnitees”) from any and all claims, demands, suits or proceedings (“Claims”) brought against any Customer Indemnitee by a third party alleging that the Services or Deliverables, as provided by Veeam to Customer or any of its Affiliates under this Agreement infringe any patent, copyright, or trademark or misappropriate any trade secret of any third party (each, an “Infringement Claim”). Veeam will indemnify Customer Indemnitees for all damages, costs and reasonable attorneys’ fees finally awarded by a court of competent jurisdiction or paid to a third party in accordance with a settlement agreement signed by Veeam, in connection with an Infringement Claim. In the event of any such Infringement Claim or if Veeam believes that the Services or any Veeam Technology may become the subject of a claim of intellectual property infringement or misappropriation, Veeam may, at its sole option and expense: (i) obtain the right to permit Customer and its Affiliates, as applicable, to continue using the Services, (ii) modify or replace the relevant portion(s) of the Services with a non-infringing or non-misappropriating alternative within a reasonable period of time, or (iii) terminate this Agreement as to the infringing Services and make a pro-refund to Customer or its Affiliates, as applicable, for the Services. Notwithstanding the foregoing, Veeam will have no liability for any Infringement Claim of any kind to the extent that it results from: (1) modifications to the Services made by a person or entity other than Veeam, (2) the combination of the Services with other products, processes or technologies not provided by Veeam (where the infringement would have been avoided but for such combination), or (3) any Customer Indemnitee’s use of the Services other than in accordance with the Documentation and this Agreement. The indemnification obligations set forth in this Section 9.1 are Veeam’s sole and exclusive obligations, and Customer Indemnitee’s sole and exclusive remedies, with respect to infringement or misappropriation of third party intellectual property rights of any kind.
9.2 Customer Indemnification Obligation
Subject to Section 9.3, Customer will indemnify and defend Veeam, its Affiliates and its and their respective officers, directors, employees and agents (“Veeam Indemnitees”) from any and all Claims brought against any Veeam Indemnitee by a third party (i) based on Customer’s use of the Services other than in accordance with the Documentation and this Agreement or (ii) any allegation of violation of a third party’s rights arising from Customer’s provision and processing of the Customer Data, including its disclosure of Customer Data to Veeam. Customer will indemnify Veeam Indemnitees for all damages, costs, reasonable attorneys’ fees finally awarded by a court of competent jurisdiction, or paid to a third party in accordance with a settlement agreement signed by Customer.
9.3 Indemnity Requirements
The party seeking indemnity under this Section 9 (“Indemnitee”) must give the other party (“Indemnitor”) the following: (a) prompt written notice of any Claim for which the Indemnitee intends to seek indemnity, (b) all cooperation and assistance reasonably requested by the Indemnitor in the defense of the Claim, at the Indemnitor’s sole expense, and (c) sole control over the defense and settlement of the Claim, provided that the Indemnitee may participate in the defense of the claim at its sole expense and the Indemnitor may not settle any Claim without the Indemnitee’s prior written consent if such settlement includes an admission of wrongdoing on the part of any Indemnitee or any payment obligation on any Indemnitee that is not fulfilled in its entirety by the Indemnitor.
Veeam may use Customer’s name and logo to fulfil any obligations under this Agreement including any SOW or DOS. Veeam agrees that any such use shall be subject to compliance with any written guidelines that Customer has made Veeam aware of in writing regarding such use.
11.1 Term
This Agreement is effective during all active and open SOW or DOS executed between parties and shall continue unless terminated as set forth below.
11.2 Termination
Either party may terminate this Agreement by written notice to the other party in the event that (a) such other party materially breaches this Agreement and does not cure such breach within thirty (30) days of such notice, or (b) in the event the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors that is not dismissed within sixty (60) days. Notwithstanding the foregoing, in the event Customer breaches any restrictions or limitations on its right to access or use the Services or any of its confidentiality or payment obligations hereunder, Veeam may immediately suspend Customer’s right and ability to access or use the Services without notice and/or terminate this Agreement with immediate effect on notice to Customer.
11.3 Retrieval of Customer Data
Upon request by Customer at any time during the Term and for a period of thirty (30) days thereafter, Veeam will make available to Customer, at no cost, for download a file of Customer Data (exclusive of Extorted Property under the Coveware Addendum below). If Customer has not made such a request and retrieved its Customer Data within thirty (30) days after the termination of this Agreement, Veeam shall have no obligation to maintain or provide any Customer Data and shall, unless legally prohibited, be entitled to delete all Customer Data; provided, however, that Veeam will not be required to remove copies of the Customer Data from its backup media and servers until such time as the backup copies are scheduled to be deleted in the normal course of Veeam’s business; provided further that in all cases Veeam will continue to protect the Customer Data in accordance with its obligations under this Agreement.
11.4 Effect of Termination
Upon termination of this Agreement for any reason, all rights and subscriptions granted to Customer will immediately terminate and Customer will cease using the Services and Veeam’s Confidential Information. Termination of this Agreement will not affect any open and active SOW. Termination for any reason, other than termination for cause by Customer pursuant to Section 11.2 or termination by Veeam for end of life pursuant to Section 11.2, shall not relieve Customer of the obligation to pay all future amounts due under all SOWs. The sections titled “Definitions,” “Confidentiality,” “Data Ownership and Feedback,” “Fees, Expenses and Taxes,” “Warranty Disclaimer,” “Limitation of Liability,” “Indemnification,” “Term and Termination” and “General” shall survive any termination of this Agreement.
12.1 Assignment
Neither the rights nor the obligations arising under this Agreement are assignable or transferable by Customer without Veeam’s prior written consent. Notwithstanding the foregoing, Customer may assign this Agreement in its entirety (including all SOWs), upon notice and without the consent of Veeam, to its successor in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets, provided that all fees owed and due have been paid and Customer is not otherwise in breach of this Agreement. Veeam may assign this Agreement upon written notice to Customer.
12.2 Negotiation Between Executives
The parties shall attempt in good faith to resolve any dispute arising out of or relating to this Agreement promptly by negotiation between executives of the parties. If the executives are unable to reach a mutually acceptable resolution within thirty (30) days after one party gives the other party written notice of the dispute, then the parties will subject themselves to the mediation procedures set forth below, at the request of either party, before seeking any other means of resolving the dispute.
12.3 Controlling Law, Attorneys’ Fees and Severability
Unless otherwise stated in the applicable DOS or SOW, this Agreement and any disputes arising out of or related hereto shall be governed by and construed in accordance with the laws of the State of New York, without giving effect to its conflicts of laws rules or the United Nations Convention on the International Sale of Goods. Subject to Section 12.2 and Section 12.6, with respect to all disputes arising out of or related to this Agreement, the parties consent to exclusive jurisdiction and venue in the state and Federal courts located in New York County, New York, USA. In any action to enforce this Agreement the prevailing party will be entitled to costs and attorneys’ fees. In the event that any of the provisions of this Agreement shall be held by a court or other tribunal of competent jurisdiction to be unenforceable, such provisions shall be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect and enforceable.
12.4 Notices
All legal notices hereunder shall be in writing and given upon (i) personal delivery, in which case notice shall be deemed given on the day of such hand delivery, (ii) by overnight courier, in which case notice shall be deemed given one (1) business day after deposit with a recognized courier for U.S. deliveries (or three (3) business days for international deliveries), or (iii) by email, in which case notice will be deemed given upon confirmation of receipt, in each case, to the address of the party set forth in the preamble to this Agreement (or, with respect to notices sent by email, to the email address of the party set forth on the applicable SOW) and addressed to the signatory for such party to this Agreement or to such other address and/or signatory specified in a notice provided under this Section 12.3.
12.5 Force Majeure
If the performance of this Agreement or any obligation hereunder (other than obligations of payment) is prevented or restricted by reasons beyond the reasonable control of a party, including computer related attacks, hacking, pandemics or other public health emergencies (whether or not declared), changes in applicable law, acts of governmental authorities, acts of God or acts of terrorism (each, a “Force Majeure Event”), the party so affected shall be excused from such performance and liability to the extent of such prevention or restriction but shall be obligated to use its commercially reasonable efforts to mitigate and remove any such Force Majeure Event and recommence performance hereunder as soon as reasonably practicable.
12.6 Equitable Relief
Either party is entitled to seek injunctive and other appropriate equitable relief in addition to any other remedies available to it, without the requirement of posting a bond in the event that the other party breaches its obligations hereunder.
12.7 No Duplication; No Double Recovery
Nothing in this Agreement or any ancillary agreement is intended to confer to or impose upon any of the parties a duplicative right, entitlement, obligation or recovery with respect to any matter arising out of the same facts and circumstances.
12.8 Independent Contractors
The parties shall be independent contractors under this Agreement, and nothing herein shall constitute either party as the employer, employee, agent, or representative of the other party, or both parties as joint venturers or partners for any purpose. Except as expressly set forth in Section 9 with respect to Customer Indemnitees and Veeam Indemnitees, there are no third-party beneficiaries under this Agreement.
12.9 Export Compliance
The Services and/or the Deliverables may be subject to export or import regulations in various countries, including, but not limited to, U.S. and E.U. export control laws, as well as U.S., E.U., U.K., and U.N. sanctions (“Export Regulations”). Customer must comply with all Export Regulations and agree to be solely responsible for determining whether Customer may export, re-export, or import the Services and/or the Deliverables in compliance with legal requirements. Further, Customer confirms that there will be no use of the Services and/or the Deliverables for any prohibited purposes under Export Regulations. By using the Services and/or the Deliverables, Customer confirms they are not (i) included on any sanctions-related list of designated persons maintained by the U.S. Department of Treasury’s Office of Foreign Assets Control, the U.S. Department of State, the U.S. Department of Commerce, the European Union, His Majesty’s Treasury of the United Kingdom, the United Nations, or any other relevant governmental authority; (ii) organized under the laws of, or residing in, a country or region that is itself subject to any sanctions; or (iii) owned or controlled, directly or indirectly, individually or in the aggregate, by any person or persons specified in (i) or (ii).
12.10 Anti-Corruption
Customer agrees that it has not received or been offered any illegal or improper bribe, payment, gift, or thing of value from any of Veeam employees or its agents in connection with this Agreement. If Customer learns of any violation of the above restriction, Customer will use reasonable efforts to promptly notify Veeam.
12.11 Interpretation
The definitions of terms herein shall apply equally to the singular and plural forms of the terms defined. The words “include,” “includes” and “including” shall be deemed to be followed by the phrase “without limitation.”
12.12 Entire Agreement
This Agreement, together with any SOW or DOS and any attachments or schedules constitutes the entire agreement between the parties pertaining to the subject matter hereof, and any and all prior or contemporaneous written or oral agreements existing between the parties and related to the subject matter are expressly canceled. The parties agree that any term or condition stated in any purchase order or other document issued or provided by Customer is void and of no effect. In the event of any conflict or inconsistency among the following documents, the order of precedence shall be: (1) this Agreement, (2) the applicable SOW or DOS (unless a term or condition in such SOW or DOS expressly supersedes a specific term or condition in this Agreement). No modification, amendment or waiver of any provision of this Agreement will be effective unless in writing and signed by both parties hereto. Any failure to enforce any provision of this Agreement shall not constitute a waiver thereof or of any other provision.
This Addendum to the Professional Services Agreement sets forth additional terms and conditions applicable to Customer’s use and access to the Coveware Cyber Extortion Services (as further described in the applicable Statement of Work (“SOW” or Description of Services (“DOS”)). Capitalized terms used in this and not otherwise herein defined shall have the respective meanings set forth in the Agreement. This Addendum shall govern in the event of a conflict between this Addendum and the Agreement.
For purposes of the Coveware Cyber Extortion Retainer services, Affiliates must have an information security department that is under the control of Customer’s information security department and are subject to review and approval by Veeam at the time of Incident (defined below) to ensure compliance with current legal and regulatory restrictions.
Customer hereby engages Veeam to provide the Coveware Cyber Extortion Services. Customer further authorizes Veeam to act on its behalf with regard to a Customer-specified Incident subject to the oversight and direction by Customer (or Customer’s legal counsel, as the case may be). Subject to the terms of this Agreement and an applicable SOW or DOS, Veeam shall use commercially reasonable efforts to assist Customer in recovery of Customer’s Extortion Property (defined below), including but not limited to researching free decryption tools, researching commercial decryption tools, authorized negotiations with a Threat Actor (defined below) and if authorized, facilitation of a Settlement Payment (defined below) to the Threat Actor for a decryption tool.
3.1. “Coveware Cyber Extortion Services” refers to the one-time services of Veeam with respect to a specific Incident (as further described below). Retained Coveware Cyber Extortion Services refers to an arrangement whereby a Customer retains Veeam’s commitment to provide prioritized Coveware Cyber Extortion Services in the event of a future Incident (as further described below). Retained Incident Response Services are subject to the terms of a fully executed Agreement, which may include limitations on the number of Incident responses per 12-month period.
3.2. “Incident” refers to the unlawful encryption or extortion of Customer property (“Extortion Property”) by an unauthorized third party (“Threat Actor”).
3.3. Coveware Cyber Extortion Services consist of triage and analysis, cyber extortion negotiations, cryptocurrency settlement, and decryption support (in cases of ransomware encryption). Coveware Cyber Extortion Services for Retained Customers commence upon Customer notification of an Incident.
3.4. Subject to the terms of the Agreement , Coveware Cyber Extortion Services include:
3.4.1. Onboard Information: Veeam will engage with Customer to have Customer complete an onboarding process, including identifying Authorized Agent(s).
3.4.2. Incident Information: Veeam will engage with Customer at time of Incident to complete the Incident Information, update any Onboard Information and identify any changes to Authorized Agent(s).
3.4.3. Research & Assessment: Following receipt of the complete Incident Information, Veeam will research the type of encryption software, its signatures, and the Threat Actor responsible for the Incident. The intent of this research is to assist Customer in determining the optimal strategy to take in order to maximize the likelihood of recovering Extorted Property, in the shortest amount of time, at the lowest possible cost. If Veeam Tools are included in Customer’s selection on the applicable Order Form, and such tools are applicable to the Incident, Veeam may also provide the Recon Agent Tool for Customer’s use in the research and assessment process.
3.4.4. Extortion Negotiations: Subject to Customer’s authorization, Veeam will directly facilitate communications and negotiations with the Threat Actor on Customer’s behalf. Customer will advise on timeline and Settlement Payment thresholds/budget prior to commencing negotiations. Veeam will provide regular transcripts of the communications to Customer’s Authorized Representatives.
3.4.5. Settlement Payment: If authorized by Customer, Veeam will facilitate transmission of a Settlement Payment (defined below) to the Threat Actor in order to procure the tools from the Threat Actor to decrypt Extorted Property.
3.4.6. Decryption Support: Using the information and experience available to it, Veeam will provide written documentation (subject to availability) regarding any decryption tools provided, as well as phone and email to support for Authorized Agents within Customer’s IT department. If Coveware Tools are included in Customer’s Order Form and such tools are applicable to the Incident, Veeam may also provide the Unidecrypt Tool for Customer’s use in the decryption process. Threat Actors and methods are continually evolving and as such, decryption keys and tools may not be readily available. Veeam will utilize its data and experience to support Customer’s decryption of the Extorted Property.
3.4.7. Coveware Recon Agent Tool: In addition to utilization of this Coveware Tool during an active Incident in which Veeam is performing Incident Response, Veeam may provide the Coveware Tool and reasonable assistance to help Customer quickly gather information on minor Incidents.
3.4.8. Post Incident Reporting: Upon request by Customer’s Counsel, Veeam will provide Customer a written summary following resolution of the Incident (successful or otherwise). Veeam shall use reasonable efforts to provide those reports in the form designated by Customer‘s Counsel for purposes of regulatory, insurance or related documentation. Reporting will be consistent with compliance with OFAC regulations and include a detailed description of the Incident and transcripts of the negotiations.
3.4.9. Estimated Accelerated Incident Response Times:
Initial Response
• 15-minute response time following Veeam’s notification of an Incident
• 24 hours per day, 7 days per week 365 days per year
Research and Assessment
• As soon as practicable following receipt of Customer’s completed Incident Information
Extortion Negotiations
• Transcripts of negotiations provided to Authorized Agent(s) at a minimum interval of every 12 hours.
• Negotiations continue 24/7 and do not pause or stop until completed unless otherwise directed by Customer.
Customer hereby confirms that the individual(s) identified to Veeam as its authorized contact(s) during the onboarding intake process are in fact the authorized agent(s) of Customer ("Authorized Agent(s)"). Customer further confirms that Veeam is authorized to act upon the oral and written instructions of all Authorized Agents. In the case of any and all notices, instructions, confirmations, or other communications to be provided or delivered by or on behalf of Customer via email hereunder, Veeam shall only honor and act upon those emails sent by the Authorized Agents identified in the applicable authorization documentation provided during onboarding, or as updated from time to time in writing to Veeam. If requested, Customer shall confirm in writing oral instructions given to Veeam, as soon as practicable. Veeam shall not be liable or responsible for acting or failing to act upon any instructions that conflict with a written confirmation or that conflict with prior or subsequent instructions or that are given, in Veeam’s sole discretion, by an unauthorized person. In the event Veeam becomes aware of such a conflict or potentially unauthorized instruction, it shall use reasonable efforts to seek clarification of such instructions.
Following receipt of Customer’s initiation for Cyber Extortion Services, Veeam shall work with Customer to ascertain information related to the Incident (“Incident Information”). Customer will promptly and accurately complete and deliver Veeam’s questionnaire requesting such Incident Information. Unless otherwise modified in the Incident Information, Veeam shall rely upon the originally identified Authorized Agents as Customer’s authorized representative for the duration of Cyber Extortion Services. Customer acknowledges that complete Incident Information may require Customer to disclose certain information and documents regarding Customer, Authorized Agent(s), its business, and employees which is reasonably necessary to perform the Services and comply with applicable legal and regulatory requirements, including without limitation anti-money laundering regulations and U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) regulations.
Accuracy of the Incident Information, including but not limited to information provided as part of the onboarding process and information provided by or related to the Incident and Threat Actor, is the sole responsibility of Customer. While Veeam will also utilize its own data and resources to provide the Services, Customer acknowledges and agrees that Veeam will rely on information, facts and assumptions that Customer furnishes, and that Veeam may use data, material, and other information furnished by Customer without any independent investigation or verification. Veeam shall not be obligated to make any inquiry as to the authority, capacity, existence, or identity of any person purporting to be an Authorized Agent, nor shall Veeam be responsible for reperforming Services to the extent required due to inaccurate or incomplete Incident Information.
Customer agrees to indemnify, defend and hold harmless Veeam, Veeam its employees and representatives from any and all costs, claims, damages or expenses incurred (including reasonable attorneys' fees), by an actual or threatened third party court action, as well as amounts awarded in a settlement arising out of (i) Customer’s or counsel’s willful misconduct, fraud or negligence, incomplete, missing, withheld, incorrect, misleading or fraudulent information, (ii) unauthorized communications or instructions provided by or on behalf of Customer with respect to the Incident (including the Incident Information or other information or representations provided by or on behalf of Customer its employees, representatives or agents), and (iii) the Incident, to the extent the claim is not due to Veeam breach of this Agreement, including claims concerning Customer’s or counsel’s actions with respect to Settlement Payment(s) and expenses incurred by Veeam or its Affiliates as a result of subpoena or order to appear as a witness.
8.1. “Settlement Payment” refers to the amount payable to a Threat Actor as well as any exchange, wire, transaction expenses or the like. Upon Customer’s authorization of purchase from a Threat Actor of a means to decrypt the Extortion Property, Customer, as promptly as practicable, shall remit payment of the Settlement Payment and any outstanding Service Fees and expenses applicable to the Incident. Veeam will convert the Settlement Payment to cryptocurrency and transfer the payment to the Threat Actor on Customer’s behalf.
8.2. Considering the urgent nature of an Incident, Settlement Payments are communicated to Customer via an emailed invoice and are not subject to standard procurement procedures.
8.3. Veeam will not remit any Settlement Payments to a Threat Actor until Veeam has received the Settlement Payment funds in full from Customer (including the exchange, and/or transaction expenses) and Veeam’s bank has confirmed availability of funds or alternative mutually agreeable arrangements have been made.
8.4. Settlement Payments are subject to Veeam’s anti-money laundering review.
8.5. Customer may remit Settlement Payments (and any outstanding balances) via the following methods:
8.5.1. As a cash payment of immediately available funds via wire transfer to Veeam’s designated account, or
8.5.2. Authorizing a charge by Veeam against Customer’s credit card.
8.6. Customer is responsible for the following transaction expenses associated with the Settlement Payment, as applicable to Customer’s method of payment:
8.6.1. Cryptocurrency orders are subject to an exchange fee (determined at the time of order based on current market rates);
8.6.2. Wire transactions incur fees established by each party’s respective financial institutions (passed through to Customer without markup); and
8.6.3. There is a $50,000 limit on credit card transactions (may be waivable) and credit card transactions incur an additional transaction expense (determined at the time of transaction based on current market rates).
8.7. The transfer of a Settlement Payment is subject to, and limited by, each party’s legal and regulatory obligations and is subject to risk. Customer is advised to consult with legal counsel before engaging in a Settlement Payment transaction. Veeam requires all Service Fees and authorized Settlement Payments to be paid to Veeam in full, up front, before a Settlement Payment obligations is incurred or paid out by Veeam. If not used for the authorized purpose, the Settlement Payment will be refunded to Customer, less transaction expenses and conversion losses.
9.1. “Coveware Tools” refers to certain Coveware tools, including but not limited to the Recon Agent Tool or Unidecrypt Tool (collectively or individually). Customer understands that the Coveware Tools are continually under development in response to the evolving methods of Threat Actors. Each Coveware Tool is Incident specific, not intended for future use. The Coveware Tools rely upon software and information provided by Threat Actors and could require Incident specific adjustments and coordination of the tool to gain the desired result. Notwithstanding Veeam’s efforts to mitigate risks and use industry standard practices, Customer agrees that any use of the Coveware Tools is at Customer’s own risk. Customer agrees to backup data and take other appropriate measures to protect programs and data.
9.2. Veeam, on behalf of itself, Coveware and its Affiliates, retains all rights and ownership in materials provided in the course of the Services. Veeam’s rights are exclusive of materials and Confidential Information provided by Customer in the course of the Services (“Customer Materials”). Customer retains all right, title and interest in Customer Materials. Upon payment in full of the fees for the Services designed on the applicable Order Form Supplement, Veeam hereby grants to Customer a perpetual, nonexclusive license to use materials provided in the course of the Services solely for Customer’s internal use. Customer may not overbrand or remove Veeam copyrights or legends. Minimal adjustments to content will be accommodated for Customer’s internal use, such as to provide an introduction to Veeam’s services or to incorporate a message from Customer.
The Services are continually evolving and improving for the benefit of Customers and law enforcement. Such improvements are benefited by the aggregation of data related to the identity, methods and targets of Threat Actors. As such, Customer acknowledges that, subject to its confidentiality obligations, Veeam and its Affiliates may aggregate data generated by Customer with other learnings, logs, and data regarding use of the Services so that individual identities have been removed and results are non-personally identifiable and not linked or reasonably linkable to Customer or any individual (“Aggregated Anonymous Data”). Customer agrees that Veeam and its Affiliates have the right to generate Aggregated Anonymous Data and that Aggregated Anonymous Data is the property of Veeam and its Affiliates, which may be used for any purpose related to the Coveware Cyber Extortion Services during or after the term of this Agreement (including without limitation to develop and improve products and services, support law enforcement and create and distribute reports and other materials).
Veeam may also suspend Coveware Cyber Extortion Services (in whole or in part) and ultimately terminate this retainer at any time upon notice to Customer, without incurring any resulting obligation or liability, in the event any action under this Addendum is a violation of applicable legal, judicial, governmental or other regulatory requirement (including the associated compliance requirements of local, state, federal or international government agencies).