Guaranteed Managed Qualys Terms & Conditions
Subject to the terms of this Guarantee, in the event AsTech fails to report a Covered Vulnerability (as defined below) to the Customer and such Covered Vulnerability is exploited against Customer’s Perimeter Server Infrastructure (as defined below) by a third party to cause Material Harm (as defined below), Customer will be eligible for (i) a refund of the remaining, unused portion of the fees paid to AsTech that correspond to the services known as “AsTech Vigilance: Guaranteed Managed Qualys” at the time of execution of this Guarantee that is covered by a subscription to the “AsTech Perimeter Security Guarantee,” as specifically identified in the applicable ordering document entered into by the parties; and (ii) reimbursement of actual expenses that directly result from such Material Harm up to a maximum amount not to exceed One Million U.S. Dollars ($1,000,000) for each incident contained within a two hundred (200) day period of time. The refund and reimbursement described in subsections (i) and (ii) of the foregoing sentence are further described below and referred to collectively herein as the "Payments." To qualify for the Payments, the identified Perimeter Server Infrastructure must be covered by an AsTech Perimeter Security Guarantee at the time the Material Harm occurs. For the purposes of this Agreement, Customer’s “Perimeter Server Infrastructure” means the mutually agreed upon assets for which AsTech will provide the AsTech Vigilance: Guaranteed Managed Qualys service as set forth on Exhibit A. If Customer wishes to add to the Perimeter Server Infrastructure set forth on Exhibit A, Customer must send an email to the SME (as defined below) and the SME must accept such change in writing.
Subject to the terms of this Guarantee, for each purchased subscription to the AsTech Vigilance: Guaranteed Managed Qualys service that is covered by a subscription to the AsTech Perimeter Security Guarantee, Customer may be eligible for the Payments and, during the term of such subscriptions, shall receive the following for Customer’s Perimeter Server Infrastructure:
An AsTech subject matter expert (“SME”) will be assigned to Customer to act as a liaison with Customer’s internal resources. A prioritization report will be created weekly by the assigned SME (“Report”). The Report shall include any vulnerabilities identified by both the AsTech/Qualys VM scan and the Agent Vulnerability Analysis for the Perimeter Server Infrastructure (collectively “Scans”). AsTech will provide the Report within ten (10) business days after the Scans are completed. The Customer is responsible for performing the recommended remediation steps within the Report. If Customer complies with the foregoing and the Perimeter Server Infrastructure suffers a security breach despite such actions (“Incident”), Customer may be eligible to receive a Payment in accordance with the terms of this Guarantee. To qualify for the Payments following an Incident, Customer must suffer a Material Harm as the direct result of AsTech failing to report a Covered Vulnerability to Customer prior to the occurrence of such Incident. For the purposes of this Agreement, a “Material Harm” must include at least one of the following:
(i) breach of a security system as defined under Delaware Code tit. 6 Sect. 12B-101 et seq;
(ii) public disclosure of confidential business information; or
(iii) an end-user account take over.
To apply for a Payment, Customer must submit to AsTech’s customer support and SME a valid, written incident report that describes the Incident and the Material Harm (the “Incident Report”). In order to be valid, all Incident Reports must be submitted to AsTech within thirty (30) days after the date the Customer first discovers the Incident. A separate Incident Report must be submitted for each Incident. In order to be valid, the Incident Report must also be in compliance with the forensics framework described in the National Institute of Standards and Technology’s “Computer Security Incident Handling Guide” (NIST 800-61 rev2) found here: http://dx.doi.org/10.6028/NIST.SP.800-61r2, or a comparable control in an industry accepted framework such as (i) PCI 12.10, (ii) ISO IEC 27002:2013 – Chapter 16, or (iii) COBIT PO9. AsTech, at its sole discretion, may reject any Incident Reports not formatted in one of such three (3) frameworks.
Prior to making or being responsible for any Payments, AsTech shall have the right, at its own expense, to (i) have an incident response investigation performed regarding the Incident by an independent third-party firm; and/or (ii) conduct its own investigation regarding the Incident. Customer agrees to provide reasonable assistance to AsTech or its designated third-party firm during any such investigation, as requested by AsTech.
Customer agrees to use reasonable commercial efforts to notify AsTech within forty-eight (48) hours after Customer becomes aware of an Incident. In the event of an Incident (and in addition to any other requirements set forth herein), in order to be eligible for the Payments: (a) Customer must be in compliance with the terms and conditions of the Service Agreement applicable to the AsTech Vigilance: Guaranteed Managed Qualys subscription for the compromised Perimeter Server Infrastructure; and (b) the Incident must (i) be the result of exploitation of a Covered Vulnerability against which AsTech is able to perform the Scans and prepare a Report and (ii) not be the result of (A) a Covered Vulnerability that has been intentionally concealed within a covered Perimeter Server Infrastructure by Customer or its personnel, or (B) the gross negligence or willful misconduct of Customer or its personnel.
If the alleged Incident is confirmed by AsTech or its appointed independent third-party firm, or AsTech decides (in its sole discretion) not to perform an incident response investigation for the Incident (“Confirmed Incident”) and all other requirements set forth herein are met, then for each active subscription that involves a Confirmed Incident, Customer shall be eligible for the Payments as follows:
Subscription Fee Refund: If desired by Customer, a refund of the remaining, unused portion (as of the date of a Confirmed Incident) of the AsTech Vigilance: Guaranteed Managed Qualys subscription fee paid by Customer for the compromised Perimeter Server Infrastructure. Such refund may be redeemed as a refund of such fees, or a credit applied toward future AsTech services. Fee refunds will be processed within thirty (30) days after the date a Confirmed Incident has been validated by AsTech and credits will be applied to the next invoice for AsTech services. If such refund is requested, the Customer’s subscription to AsTech Vigilance: Guaranteed Managed Qualys will be terminated as of the Confirmed Incident date.
Expense Reimbursement: Reimbursement of expenses incurred as a direct result of a Material Harm following a Confirmed Incident, up to a maximum amount not to exceed One Million U.S. Dollars ($1,000,000) for each Confirmed Incident, may be requested by Customer following a Confirmed Incident (“Expense Reimbursement Request”). Any such reimbursement will require Customer to provide AsTech with copies of applicable proof of payment (e.g. canceled checks and/or receipts) for the Expense Reimbursement Request, and AsTech has the right to contact the recipient of such payments and perform (at its own expense) an audit of Customer’s records related to any Expense Reimbursement Request. Customer may submit no more than one Expense Reimbursement Request for each Confirmed Incident during the term of an AsTech Vigilance: Guaranteed Managed Qualys subscription covering such affected Perimeter Server Infrastructure.
Customer’s sole and exclusive remedy for any Confirmed Incidents and Material Harm will be the Payments described herein. Payments made to Customer pursuant to this Guarantee shall not be considered an admission of responsibility for an Incident or any further liability. Customer is responsible for complying with all laws and regulations applicable to an Incident and AsTech will not be responsible for any liability or expense related to such laws and regulations. A claim submitted by Customer pursuant to this Guarantee will have no impact on the Service Agreement. Customer acknowledges and agrees that each AsTech Perimeter Security Guarantee subscription will terminate at the end of the subscription period referenced on the applicable Service Agreement unless Customer has requested a Subscription Fee Refund, in which case the subscription will terminate automatically on the date of such request.
For the purposes of this Guarantee, “Covered Vulnerabilities” shall be all Qualys QIDs available at the date of the Incident. The Qualys QID creation date must be, at a minimum, two (2) weeks prior to the beginning (initial reconnaissance) of the Incident. At AsTech’s discretion, a third-party review of the QID must conclusively prove that the QID would have detected the vulnerability in the Perimeter Server Infrastructure that caused the Incident at the time of the Incident in order for the vulnerability to be considered a Covered Vulnerability.