THIS SECUREWORKS MASTER SERVICES AGREEMENT (“MSA”) is entered into by and between SecureWorks Australia Pty Limited (“SecureWorks”) or one of SecureWorks’ Affiliates (as defined below) and the customer entity (“Customer”) set forth in a Service Order or Statement of Work, as of the Effective Date (as defined by the latest date in the signature blocks in a Service Order or Statement of Work). “Customer” may include Customer’s Affiliates approved by SecureWorks to receive Services (as defined in Section 1) under this MSA. As used in this MSA, the term “Affiliates” with respect to a party means a Party or its related bodies corporate as defined under Section 50 of the Corporations Act 2001 (as amended or substituted from time to time). SecureWorks and Customer agree to the following terms and conditions:
1. Services
During the Term (as defined in Section 3.1) and subject to the terms and conditions of this MSA, SecureWorks agrees to provide the Services and Customer agrees to purchase such Services. Specific terms and conditions relating to the managed security services (“MSS Services”) will be described in the service order(s) (“Service Order(s)”) executed by the parties and specific terms and conditions relating to the consulting services (“Consulting Services”) will be described in one or more statements of work (“Statement(s) of Work”) executed by the parties. The MSS Services and Consulting Services are collectively referred to as the “Services”. The MSS Service(s) are described in one or more attachments to each Service Order and the performance by SecureWorks of the MSS Services will be in accordance with such attachments (the “Service Level Agreements”), subject to the terms and conditions in them. For the purposes of either party’s Affiliates performing or purchasing Services pursuant to a Service Order and/or Statement of Work, references to SecureWorks and Customer are deemed to be references to such respective Affiliate(s).
Except for equipment purchased by Customer pursuant to a Service Order (“Customer Purchased Equipment”), Customer must return to SecureWorks any equipment or hardware provided by SecureWorks (“Equipment”) for Customer’s use during the Term of this MSA and the applicable Service Order and/or Statement of Work, on the expiration or termination of the Term. If such Equipment is not returned by Customer, Customer is responsible for the then-current replacement costs of such Equipment. Risk of loss or damage to the Equipment and Customer Purchased Equipment shall pass on delivery. Title to the Equipment shall remain with SecureWorks.
In the event of a conflict between the terms of the MSA and a Service Order and/or Statement of Work, the terms of these documents will be interpreted according to the following order of precedence: (1) Service Orders/Statements of Work and (2) the MSA.
2. Fees; Taxes; Invoicing and Payment
2.1 Ordering with Local Affiliates. In the event that a Customer Affiliate with a location outside of Australia wishes to purchase Services under this MSA (“Customer International Affiliate”), such Customer International Affiliate will enter into a Service Order and/or Statement of Work directly with the SecureWorks Affiliate local entity (“SecureWorks Local Entity”) for such Services. The SecureWorks Local Entity will invoice the Customer International Affiliate, as per the billing address provided by the Customer and agreed by SecureWorks, in the applicable local currency and the Customer International Affiliate must make payments directly to the SecureWorks Local Entity. All references in the MSA to SecureWorks and Customer will be deemed to refer to SecureWorks Local Entity and Customer International Affiliate, respectively for the purposes of ordering between Customer International Affiliate and the SecureWorks Local Entity. The terms and conditions of this MSA must be incorporated by reference into the applicable Service Order and/or Statement of Work by and signed between the Customer International Affiliate and the SecureWorks Local Entity. In addition, the Customer International Affiliate and the SecureWorks Local Entity may sign an Addendum to this MSA stating that they each agree to be bound by the terms of this MSA for the purposes of receipt of Services by Customer International Affiliate located outside of Australia from a SecureWorks Local Entity.
2.2 MSS Service Fees. SecureWorks’ fees for the MSS Services are set forth on each Service Order. For each Service Order, the MSS Services ordered will commence on the first day in which SecureWorks: (a) has established communication with the contracted Customer device(s) and/or SecureWorks provided Equipment; and (b) has verified availability of Customer Data (as defined in Section 6.1) on the SecureWorks customer portal, (the “Service Commencement Date”), and SecureWorks may invoice Customer for such MSS Services on or after the Service Commencement Date. SecureWorks has the unilateral right to cancel any Service Order, or portion thereof, as to Services that are not implemented within six (6) months after execution of the Service Order. Customer may add or exchange certain MSS Services and/or devices at any time during any Term (as defined in Section 3.1) of this MSA. Customer will notify SecureWorks of its intention to add or exchange certain MSS Services and/or devices and SecureWorks will work with Customer to provide pricing to Customer for such additions and/or exchanges. In order for such Services and/or devices to be added to this MSA, Customer and SecureWorks will execute a Service Order outlining the price, payment and Term for such MSS Services and/or devices.
If Customer orders Server/Network Infrastructure Monitoring and/or Security Information and Event Management MSS Services under a Service Order, Customer will be billed for the entire number of devices in the tier being purchased (as outlined in the applicable Service Order) on the Service Commencement Date for the initial device. If there are any devices remaining to be integrated thereafter, Customer is responsible for initiating the integration of such devices via the SecureWorks network portal.
2.3 Consulting Service Fees. Customer agrees to pay SecureWorks for the Consulting Services in accordance with the applicable Statement of Work. The fees specified in any Statement of Work are the total fees and charges for the Consulting Services, but are subject to changes resulting from agreed changes in the scope of Consulting Services to be provided pursuant to a Statement of Work change order executed by the parties.
2.4 Work on Customer Premises. Only in the event implementation, performance or delivery of the Services requires SecureWorks to be present at the Customer’s facilities, then, upon receiving travel approval from Customer as indicated by Customer’s execution of a Service Order/SOW with terms indicating that travel is required, subject to SecureWorks’ adherence to the SecureWorks travel reimbursement policy, or other travel reimbursement guidelines set forth in the applicable Service Order/SOW, Customer shall reimburse SecureWorks for all reasonable and actual out-of-pocket travel expenses, including, but not limited to, hotel, airfare and meals, incurred in connection with the implementation, performance or delivery of the Services as such travel shall be reasonably described in the applicable Service Order or Statement of Work and travel is pre-approved by Customer as indicated by the execution of the applicable Service Order or Statement of Work.
2.5 Additional Fees; Taxes. Customer is responsible, on behalf of itself and its Affiliate(s), for the payment of all taxes and fees assessed or imposed on the Services provided or the amounts charged under this MSA in any country or territory in which the Customer receives the benefit of the Services, including any sales, use, excise, value-added, or comparable taxes, but excluding taxes for which the Customer has provided a valid resale or exemption certificate. If Customer is required by law to withhold or deduct an amount from payments due to SecureWorks under this MSA, Customer shall include such additional amount to SecureWorks with its payment to ensure that SecureWorks receives, after such withholding or deduction, the amount that it would have been paid had no withholding or deduction been required.
2.5.1 In this Section 2.5.1, a word or expression defined in the New Tax System (Goods and Services Tax) Act 1999 (Cth) has the meaning given to it in that Act.
(a) Any consideration to be paid or provided for a supply made under or in connection with this MSA, unless specifically described in this MSA as GST inclusive, does not include an amount on account of GST.
(b) If a party (Supplier) makes a supply under or in connection with this MSA on which GST is imposed (not being a supply the consideration for which is specifically described in this MSA as GST inclusive):
(i) the consideration payable or to be provided for that supply under this MSA but for the application of this clause (GST exclusive consideration) is increased by, and the recipient of the supply (Recipient) must also pay to the Supplier, an amount equal to the GST payable by the Supplier on that supply; and
(ii) the amount by which the GST exclusive consideration is increased must be paid to the Supplier by the Recipient without set off, deduction or requirement for demand, at the same time as the GST exclusive consideration is payable or to be provided.
(c) If a payment to a party under this MSA is a reimbursement or indemnification, calculated by reference to a loss, cost or expense incurred by that party, then the payment will be reduced by the amount of any input tax credit to which that party is entitled for that loss, cost or expense.
2.6 Invoicing; Payment and Disputes. SecureWorks will invoice Customer in accordance with the payment terms set forth and detailed on the applicable Service Order or Statement of Work. All charges, fees, payments and amounts hereunder will be in Australian dollars. Unless otherwise provided for in the applicable Service Order or Statement of Work, amounts due pursuant to the MSA are payable within thirty (30) days from the date of the invoice (the “Invoice Due Date”). Customer has the right to reasonably and in good faith dispute any portion of any amount claimed by SecureWorks as payable prior to the Invoice Due Date, by paying any undisputed portion of the amount in a timely manner by the Invoice Due Date and providing SecureWorks, prior to the Invoice Due Date, written notice specifying the disputed amount and the basis for the dispute in reasonable detail.
2.7 Non Payment. For invoices not paid within thirty (30) days of the Invoice Due Date, SecureWorks reserves the right to charge Customer a late payment interest of one and a half percent (1.5%) per month applied against undisputed overdue amounts, or the maximum rate permitted by law, whichever is less. In addition, SecureWorks, without waiving any other rights or remedies to which it may be entitled, has the right to suspend or terminate the Services until such payment is received and may decide not to accept additional orders from Customer and/or to seek collection of all amounts due, including reasonable legal fees and costs of collections. SecureWorks is not liable to Customer for any such suspension or termination of Services, or non-acceptance of orders.
2.8 Purchases by Affiliates. Unless otherwise agreed in writing, Customer will procure that any Affiliate who submits an order to SecureWorks or a SecureWorks Local Entity for Services agrees to abide by the terms of this MSA and Customer is liable for any failure to comply or other breach of the MSA by any such Affiliate. SecureWorks, in its sole discretion, may discontinue selling Services to any Affiliate or may require additional payment and/or credit conditions for such Affiliate.
2.9 Third-Party Product Purchases. If Customer is purchasing, or subsequently purchases, any third-party products or services (“Third-Party Purchases”) through SecureWorks as specified on a Service Order or SOW, then, as applicable, Customer will comply with any flow down terms and conditions, applicable to Third Party Purchases including but not limited to, any third-party end-user license agreement incorporated into an applicable SLA or referenced in or attached to the Service Order or SOW (or similar document) relating to such Third-Party Purchases.
3. Term of Agreement; Service Orders and Statements of Work.
3.1 Term of MSA. The term of this MSA will commence on the Effective Date and continue until all Service Orders and Statements of Work have expired or been terminated, or until this MSA is terminated pursuant to its provisions (the “Term”).
3.2 Term of Service Orders/Statements of Work. The term for the applicable Services to be provided under this MSA will be set forth on the applicable Service Order and/or Statement of Work.
4. Termination
4.1 Termination for Breach. Either party may terminate this MSA or any unexpired Service Order and/or Statement of Work in the event that the other party materially defaults in performing any material obligation under this MSA and such default continues un-remedied for a period of thirty (30) days following written notice of default. If this MSA or any unexpired Service Order and/or Statement of Work is terminated for any reason other than SecureWorks’ breach, Customer agrees to pay to SecureWorks: (i) all unpaid Service fees as set forth on the Service Order and/or Statement of Work accrued or performed as of such termination date; plus (ii) for MSS Services only, termination fees equal to the MSS Service fees that will become due during the remaining term of the applicable Service Order(s). If Customer terminates this MSA or any unexpired Service Order and/or Statement of Work as a result of SecureWorks’ breach, then to the extent that Customer has prepaid any Service fees, SecureWorks will refund to Customer such prepaid fees on a pro-rata basis to the extent such fees are attributable to the period after such termination date; provided, however, that Customer remains liable to pay to SecureWorks all unpaid Service fees as set forth in the Service Order and/or Statement of Work accrued as of, and attributable to the period prior to, such termination date.
4.2 Termination for Insolvency. This MSA will terminate, effective on delivery of written notice by either party to the other party on any of the following events occurring: (a) the institution of insolvency, receivership or bankruptcy proceedings or any other proceedings for the settlement of debts of the other party; (b) the making of an assignment for the benefit of creditors by the other party; or (c) the dissolution of the other party.
4.3 Effects of Termination. Termination or expiration of a Service Order or Statement of Work will not be construed, by implication or otherwise, to constitute termination of this MSA or any other existing Service Order and/or Statement of Work. In the event that this MSA is terminated, any open Service Orders or Statements of Work will also terminate.
This Section 4 will survive any expiration or termination of this MSA.
5. MSS Service Software; Restrictions
SecureWorks will provide to Customer all user IDs, tokens, passwords, access, use of the software (in object code format only), and digital signatures necessary to receive the MSS Services (the “Software”) and the applicable written directions and/or policies relating to the MSS Services, which may be in paper or electronic format (the “Documentation” and collectively, with the MSS Services, SecureWorks customer portal, Equipment and the Software, the “Products”), or a combination of them, as required by the Customer to receive the MSS Services. SecureWorks grants Customer a limited, non-transferable, royalty-free and non-exclusive license to access and use, and for Customer’s Affiliates to access and use, during the Term, the Products delivered to Customer, subject to the restrictions set forth below.
Customer (i) must use the Services and Products for its internal security purposes, or for the internal security purposes of Customer’s Affiliates purchasing Services pursuant to this MSA and (ii) must not, for itself, any Affiliate of Customer or any third party: (a) sell, rent, license, assign, distribute, or transfer any of the Products, except as permitted under Section 12.1; (b) decipher, decompile, disassemble, reconstruct, translate, reverse engineer, or discover any source code of the Software; (c) copy any Software or Documentation, except that Customer may make a reasonable number of backup copies of the Software (to the extent applicable) or copies of Documentation for its internal use (provided Customer reproduces on such copies all proprietary notices of SecureWorks or its suppliers); or (d) remove from any Software, Documentation or Equipment any language or designation indicating its confidential nature or the proprietary rights of SecureWorks or its suppliers. In addition, Customer will not, and will not permit third parties to, (I) use any Software or Equipment for resale or re-bundling of the Services on a time-sharing, outsourcing, service bureau, hosting, application service provider or managed service provider basis; (II) alter any aspect of any Software or Equipment; or (III) except as permitted under Section 12.1, assign, transfer, distribute, or otherwise provide access to any of the Products to any third party or otherwise use any Product with or for the benefit of any third party.
This Section 5 will survive any expiration or termination of this MSA.
6. Proprietary Rights
6.1 Customer’s Proprietary Rights. Customer represents and warrants that it has the necessary rights, power and authority to transmit Customer Data (as defined below) to SecureWorks under this MSA and that Customer has and shall continue to fulfill all obligations with respect to individuals as required to permit SecureWorks to carry out the terms hereof, including with respect to all applicable laws, regulations and other constraints applicable to Customer Data. As between Customer and SecureWorks, Customer will own all right, title and interest in and to (i) any data provided by Customer to SecureWorks and/or Customer data accessed or used by SecureWorks or transmitted by Customer to SecureWorks or to SecureWorks Equipment in connection with SecureWorks’ provision of the Services, including, but not limited to, Customer data included in any written or printed summaries, analyses or reports generated in connection with the Services (“Customer Data”), (ii) all intellectual property, including patents, copyrights, trademarks, trade secrets and other proprietary information (“IP”) of Customer that may be made available to SecureWorks in the course of providing Services under this MSA, and (iii) all confidential or proprietary information of Customer or Customer Affiliates, including, but not limited to, Customer Data, Customer Reports (as defined in Section 6.3), and other Customer files, documentation and related materials, in each case under this sub-clause (iii), obtained by SecureWorks in connection with this MSA.
Customer grants to SecureWorks a limited, non-exclusive license to use the Customer Data to perform the Services. SecureWorks may process Security Event Data during and after the term hereof to develop and enhance its products and services. “Security Event Data” means information, collected during SecureWorks provision of Services, related to security events. Customer grants to SecureWorks a limited, non-exclusive, perpetual, worldwide, irrevocable license to use and otherwise process the Security Event Data during and after the term hereof to develop, enhance and/or improve its security services and the products and services it offers and provides to customers. To the extent such Security Event Data includes information about individuals, SecureWorks will be the controller. This MSA does not transfer or convey to SecureWorks or any third party any right, title or interest in or to the Customer Data or any associated IP rights, but only a limited right of use as granted in and revocable in accordance with this MSA.
6.2 SecureWorks’ Proprietary Rights. As between Customer and SecureWorks, SecureWorks will own all right, title and interest in and to the Software, Equipment and Documentation. This MSA does not transfer or convey to Customer or any third party any right, title or interest in or to the Software, Equipment or Documentation or any associated IP rights, but only a limited right of use as granted in and revocable in accordance with this MSA. SecureWorks will retain ownership of all copies of the Documentation. SecureWorks agrees to transfer all right, title and interest to any Customer Purchased Equipment (not including any SecureWorks IP loaded onto such equipment) purchased by Customer pursuant to a Service Order. In addition, except as set forth in Sections 6.1 and 6.3, Customer agrees that SecureWorks is the owner of all right, title and interest in all IP in any work, including, but not limited to, all inventions, methods, processes, and computer programs including any source code or object code, (and any enhancements and modifications made to them) contained within the Services and/or Products (collectively, the “Works”), developed by SecureWorks in connection with the performance of the Services and of general applicability across SecureWorks’ customer base, and Customer assigns to SecureWorks all right, title and interest in any copyright that Customer may have in and to such Work; provided, however, that such Work will not include information or data belonging, referencing, or pertaining to Customer or Customer Affiliates. Without limiting the foregoing, SecureWorks will own all right, title and interest in all IP in any advisory data, threat data, vulnerability data, analyses, summaries, bulletins and information made available to Customer in SecureWorks’ provision of its Counter Threat Intelligence Services (the “TI Reports”).
During the Term, SecureWorks grants to Customer a limited, non-exclusive license to use such Works and TI Reports solely to receive the Services for Customer’s or Customer’s Affiliate’s internal security purposes. Customer acknowledges that any license to the SecureWorks Products, Services, Works and TI Reports expires or terminates upon the expiration or termination of any individual Service Order/SOW and/or this MSA.
6.3 Customer Reports. Customer will own all right, title and interest in and to any written summaries, reports, analyses, and findings or other information or documentation prepared exclusively for Customer in connection with the Consulting Services (the “Customer Reports”). The provision by Customer of any Customer Report or any information in it to any unaffiliated third party does not entitle such third party to rely on the Customer Report or its contents in any manner or for any purpose, and SecureWorks disclaims all liability for any damages (whether foreseen or unforeseen, direct, indirect, consequential, incidental, special, exemplary or punitive) arising from or related to reliance by any third party on any Customer Report or its contents.
6.4 Return of Proprietary Information. On termination of this MSA, each party will, at the request of the other party and to the extent practicable, return, or on the other party’s request, destroy, all copies of the other party’s IP and/or Confidential Information, including any Customer Data, in such party’s possession, custody or control. For Customer Purchased Equipment, Customer must erase, destroy and cease use of all Software located on such Customer Purchased Equipment on expiry or termination of the Term.
This Section 6 will survive any expiration or termination of this MSA.
7. Customer Responsibilities
7.1 Cooperation. Customer acknowledges that SecureWorks’ performance and delivery of the Services are contingent upon: (A) Customer providing safe and hazard-free access to its personnel, facilities, equipment, hardware, network and information as deemed reasonably necessary for SecureWorks to perform or implement the Services, and (B) Customer’s timely decision-making, providing the requested information and granting of approvals or permissions. Customer must promptly obtain and provide to SecureWorks any required licenses, approvals or consents necessary for SecureWorks’ performance of the Services. SecureWorks will be excused from its failure to perform its obligations under this MSA to the extent such failure is caused solely by Customer’s delay in performing or failure to perform its responsibilities under this MSA.
7.2 Connecting to Managed Devices. If and to the extent that SecureWorks is providing managed or co-managed MSS Services, the obligations of SecureWorks to comply with the Service Level Agreements applicable to the MSS Services are dependent on SecureWorks’ ability to connect directly to the Customer devices on the Customer’s network through an authenticated server in SecureWorks’ secure operations centre. If SecureWorks is required to connect to Customer devices via a non-standard means, such as Customer’s VPN or other indirect connection, then, to the extent that SecureWorks’ provision of MSS Services requires access to such managed or co-managed devices in connection with any incident response or help desk request, SecureWorks (i) can make no guarantees or give any assurances of compliance with the Service Level Agreements, and (ii) has no responsibility or liability for any failure to perform or delay in performing its obligations or meeting its Service Level Agreements to the extent such failure or delay is caused by such indirect access.
8. Confidentiality and Data Privacy
8.1 Confidentiality. In the performance of the Services, Customer and SecureWorks may have access to or be exposed to information of the other party not generally known to the public, including, but not limited to software, product plans, marketing and sales information, customer lists, “know-how,” or trade secrets which may be designated as being confidential or which, under the circumstances surrounding disclosure, ought to be treated as confidential (collectively, “Confidential Information”). Confidential Information may not be shared with third parties unless such disclosure is to personnel of SecureWorks or Customer, including employees, agents and subcontractors, on a “need-to-know” basis in connection with its performance of this MSA, so long as such personnel have agreed to treat such Confidential Information under terms at least as restrictive as those in this MSA. Each party agrees to take the necessary precautions to maintain the confidentiality of Confidential Information by using at least the same degree of care as such party employs with respect to its own Confidential Information of a like-kind nature, but in no case less than a commercially reasonable standard of care to maintain confidentiality. The foregoing does not include information, which, (A) was known by one party prior to its receipt from the other or is or becomes public knowledge without the fault of the recipient, (B) is received by the recipient from a source other than a party to this MSA, (C) is independently developed by a party without causing a breach of the terms of the MSA, or (D) a party is required to disclose in response to an order by a court or governmental agency, provided that, to the extent permitted by applicable law, advance notice of the disclosure is provided to other party. The obligations with respect to Confidential Information will continue for three (3) years from the date of disclosure.
8.2 Data Privacy. Each party agrees to comply with its obligations under all applicable laws relating to privacy and protection of the Customer’s Personal Data (as defined in Appendix B to this MSA) obtained by or disclosed to it pursuant to this MSA.
8.3 The Customer warrants to SecureWorks that it has complied with, and will continue to comply with, all applicable laws in its processing of the Customer Personal Data including its collection, use, disclosure, storage and handling of such Customer Personal Data that is disclosed to SecureWorks pursuant to this MSA.
8.4 Each party expressly agrees that the Data Protection Agreement set out in Appendix B to this MSA shall apply and govern all activities concerning the processing of personal data for the purposes of this MSA.
8.5 SecureWorks will not be liable for any claim brought by the Customer arising from any action or omission by SecureWorks to the extent that such action or omission resulted from compliance by SecureWorks with the Customer’s instructions.
8.6 SecureWorks will on an annual basis, have an audit conducted by a reputable and experienced accounting firm in accordance with the Statement on Standards for Attestation Engagements (“SSAE”), Reporting on Controls at a Service Organization, developed by the American Institute of Certified Public Accountants (“AICPA”), (the “Security Audit”) and have such accounting firm issue a Service Organization Control (“SOC”) 2 Type II Report (or substantially similar report in the event the SOC 2 Type II Report is no longer the industry standard) which will cover, at a minimum, the security policies, procedures and controls required by this MSA (the “Audit Report”). Upon Customer’s request, SecureWorks will provide Customer a copy of SecureWorks’ then current Audit Report. Customer acknowledges that the Audit Report, and/or any other information provided by SecureWorks pertaining to SecureWorks’ security controls, policies, procedures, etc. are considered Confidential Information of SecureWorks and shall be treated by Customer in accordance with the terms and conditions of this MSA, including, but not limited to, this Section 8.
8.7 SecureWorks will maintain information security policies and procedures for Personal Data, consistent with prevailing Australian industry standards.
This Section 8 will survive any expiration or termination of this MSA.
9. Limited Warranty and Limitation of Liability; High-Risk Disclaimer; Consulting Services Disclaimer
The provisions of this Section 9 will apply to the maximum extent permitted by law.
9.1 Limited Warranty. SecureWorks warrants that the Services will be performed in a good and workmanlike manner. Except as expressly stated in the preceding sentence and to the maximum extent permitted by law, SecureWorks, including its Affiliates, subcontractors and agents and each of their respective employees, directors and officers (collectively, the SecureWorks Parties) make no express or implied warranties, guarantees, representations or conditions with respect to any of the Products, Services or Customer Reports, including, but not limited to, any warranty of merchantability, fitness for a particular purpose, performance, suitability or non-infringement or any warranty relating to third party products or third party services.
9.2 Limitation of Liability.
9.2.1 Neither the SecureWorks Parties nor the Customer will be liable for any incidental, indirect, punitive, special or consequential damages, arising out of or in connection with the Services or Products provided by SecureWorks. Neither party will have liability for the following, whether direct or indirect: (A) loss of revenue, income, profit or savings; (B) lost or corrupted data or software, loss of use of system(s) or network, or the recovery of such; (C) loss of business opportunity; (D) business interruption or downtime; or (E) SecureWorks’s Products, Services or third party products not being available for use by the Customer.
9.2.2 Except as provided in Section 10, the SecureWorks Parties’ and Customer’s respective aggregate liability (whether in contract, tort or otherwise) for all claims of liability arising out of or in connection with any Service or Product provided pursuant to this MSA will not exceed (A) the amounts paid by Customer for the specific Service(s) giving rise to such claim during the prior twelve (12) month period with respect to the MSS Services; and (B) the amount of the Statement of Work that is the source of such liability with respect to Consulting Services.
Each party acknowledges that these limitations apply even if a party has been advised of the possibility of such damages or essential purpose of the remedies fails and that, without these limitations, the fees for the Services provided would be higher. The liability of a party (Party A) for any damage incurred by another party (Party B) will be reduced proportionately to the extent that:
(a) any negligent act or omission of Party B (or of its subcontractors or personnel); or
(b) any failure by Party B to comply with its obligations and responsibilities under the MSA,
contributed to the damage, regardless of whether legal proceedings are brought by Party A for negligence or breach of contract.
The liability of a party for breach of the MSA, or in tort, or for any other common law or statutory cause of action arising out of the operation of the MSA, will be determined under the relevant law in Australia that is recognised, and would be applied, by the High Court of Australia.
9.2.3 The foregoing limitations, exclusions and disclaimers will apply, regardless of whether the claim for such damages is based in contract, warranty, strict liability, negligence, tort or otherwise. Insofar as applicable law prohibits any limitation in this MSA, the parties agree that such limitation will be automatically modified, but only to the extent so as to make the limitation permitted to the fullest extent possible under such law. The parties agree that the limitations on liabilities set forth in the MSA are agreed allocations of risk constituting in part the consideration for SecureWorks’s sale of Services and/or Products to Customer, and such limitations will apply notwithstanding the failure of essential purpose of any limited remedy and even if a party has been advised of the possibility of such liabilities.
9.2.4 Certain Consulting Services that SecureWorks performs for its customers follow a defined methodology, rather than being driven by a specific end result or deliverable. Due to this inherent property of these certain Consulting Services, SecureWorks cannot guarantee the outcome of its testing, assessment, forensics, or remediation methods as all such methods have reliability limitations including, but not limited to, (i) results produced differing from initial customer expectation; (ii) missing certain compliance gaps; and (iii) missing certain security gaps. SecureWorks cannot guarantee that a weakness, non-compliance issue or vulnerability will be discovered if evidence of such is not encountered during the performance of the contracted engagement. SecureWorks uses a sampling methodology which attempts to reduce the cost to its customers while minimizing the impact to the accuracy and reliability of the results. Customer acknowledges and accepts that limitations and inherent risks exist from approaches used by SecureWorks to deliver the Consulting Services. Depending on the type of Consulting Services being purchased by Customer pursuant to a Statement of Work, Appendix A will apply, if applicable.
This Section 9 will survive any expiration or termination of this MSA.
10. Indemnification
SecureWorks will defend, indemnify and hold harmless Customer from any third-party claim or action that the Products, Services or any Customer Reports (excluding third party products) prepared or produced by SecureWorks and delivered pursuant to this MSA infringe or misappropriate any third party’s patent, copyright, trade secret, or other intellectual property rights enforceable in the country(ies) in which the Products, Services or any Customer Reports are performed or prepared for Customer by SecureWorks (“Indemnified Claims”). If a claim of infringement or misappropriation under this Section 10 occurs, or if SecureWorks determines that a claim is likely to occur, SecureWorks will, at its option: (A) obtain a right for Customer to continue using such Product, Service or Customer Reports; (B) modify such Product, Service or Customer Report to make it non-infringing; (C) replace such Product, Service or Customer Report with a non-infringing equivalent; or (D) refund any pre-paid fees for the allegedly infringing Product, Services or Customer Report that have not been performed. Notwithstanding the foregoing, SecureWorks has no obligation under this Section 10 for any claim resulting or arising from (A) modifications of the Products, Services or Customer Reports that were not performed by or on behalf of SecureWorks; or (B) the combination, operation or use of the Product, Service or Customer Reports in connection with a third-party product or service (the combination of which causes the infringement).
Customer will defend, indemnify and hold SecureWorks harmless from any third-party claim or action: (i) alleging that the Customer Data infringes an Australian or United States copyright or misappropriates any trade secrets enforceable under the laws of Australia or of the United States or was improperly provided to SecureWorks in violation of Customer’s privacy policies or applicable laws (or regulations promulgated under them), (ii) alleging that the Customer is using the Products, Services and/or Customer Reports in a manner prohibited under this MSA, (iii) relating to tax liabilities that are the Customer’s responsibility pursuant to Section 2.5, or (iv) relating to a third party’s reliance on a Customer Report, any information therein or any other results or output of the Services. In addition and without prejudice to the foregoing, Customer shall indemnify the Secureworks Indemnified Parties from and against all Claims by Customer Affiliates (other than Customer Affiliate(s) who have signed a Service Order and/or Statement of Work with Secureworks or a SecureWorks Local Entity).
The provisions of Section 10 state the sole and exclusive obligations of either party for intellectual property rights infringement or misappropriation.
Each party agrees to indemnify and hold harmless the other party from any third-party claim or action for personal bodily injuries, including death, resulting from the indemnifying party’s gross negligence or wilful misconduct resulting from the Services (excluding third party products). This Section 10 states each party’s exclusive remedies for any third-party claim or action, and nothing in this MSA or elsewhere will obligate either party to provide any greater indemnity to the other.
This Section 10 will survive any expiration or termination of this MSA.
11. Export
11.1 Secureworks and Customer acknowledge that Products, Customer Purchased Equipment and/or Services provided under this MSA may incorporate encryption functionality, and are subject to the customs and export control laws and regulations of the United States, Australia and other countries to which the Products, Customer Purchased Equipment and/or Services are delivered. Each party agrees to comply with all customs and export control laws and regulations of the United States, Australia and other countries to which the Products, Customer Purchased Equipment and/or Services are delivered applicable to such party in the course of performance of its obligations under this MSA. This Section 11 shall apply notwithstanding any other terms of this MSA or any Service Order or SOW issued hereunder. This Section 11 shall survive any expiration or termination of this MSA.
11.2 Secureworks Responsibilities. Secureworks agrees that it is responsible for ensuring that the delivery of Products and any Customer Purchased Equipment to Customer is in compliance with U.S. export regulations, including by applying for and obtaining any required U.S. export licenses. Secureworks’ acceptance of any order for Products and any Customer Purchased Equipment is contingent upon the issuance of any export license required by the U.S. Government. Secureworks will not be liable for delays or failure to deliver Products and any Customer Purchased Equipment resulting from the inability to obtain such license.
11.3 Customer Responsibilities. Customer agrees to comply with, and to cause and require its Affiliates to comply with all applicable U.S., Australian and local export regulations governing the retransfer, re-export and use of the Products and any Customer Purchased Equipment purchased from Secureworks. During the Term of the MSA neither Customer nor its Affiliates will transfer or re-export the Products without written permission from Secureworks. Without limiting the generality of the foregoing, Customer agrees that neither it nor its Affiliates will re-export, transfer, or share Products or any Customer Purchased Equipment to or with any Sanctioned Person (defined below) or otherwise allow any Sanctioned Person to benefit from the Products, Customer Purchased Equipment or Services provided by Secureworks. Customer further agrees that it and its Affiliates are solely responsible for compliance with the applicable laws, rules and regulations governing the importation and use of the Products and any Customer Purchased Equipment in the countries to which Products and any Customer Purchased Equipment will be delivered, including, but not limited to, by making any required customs entry or declaration, paying all duties, taxes and fees owed as a result of the importation or use of Products or any Customer Purchased Equipment by Customer, and obtaining all necessary licenses, permits or other authorizations, including those required under regulations governing the importation and use of encryption products.
11.4 Cooperation. Customer agrees to cooperate, and to cause and require its Affiliates to cooperate in providing the information necessary for Secureworks to apply for any required U.S. export licenses. Secureworks agrees to cooperate with Customer and Customer Affiliates by providing the information necessary for Customer or Customer Affiliates to apply for any required licenses, permits or other authorizations in connection with the importation and use of the Products and any Customer Purchased Equipment. Notwithstanding the foregoing or any other terms of this MSA or any Service Order or SOW issued hereunder, under no circumstances shall Secureworks be required to provide any source code, or proprietary information in connection with the pursuit of any license, permit or other authorization to Customer, Customer Affiliates, or any government authority. For the purposes of this clause Sanctioned Person shall mean any agent, or other person that (i) has been or is designated on the Specially Designated Nationals and Blocked Persons List maintained by the Office of Foreign Assets Control of the United States Department of the Treasury (“OFAC”), or, to the extent applicable, any similar list of sanctioned persons issued by the United Nations Security Council, the European Union, Her Majesty's Treasury or any other relevant governmental authority administering sanctions, including the U.S. Department of State, (ii) is a national or citizen of, organized under the laws of, or resident or operating in any country or territory which is itself the subject of country-wide or territory-wide sanctions, including, but not limited to, as of the date of this MSA, Iran, Cuba, Syria, Sudan, Crimea, and North Korea, (iii) is a Person owned or controlled by any Persons described in clauses (i) and/or (ii) of this sentence, or (iv) is a person identified on the United States Department of Commerce, Bureau of Industry and Security’s “Denied Persons List” or “Entity List”.
12. Important Additional Terms
12.1 Independent Contractor Relationship; MSA Assignment; Subcontracting. The parties are independent contractors. Neither party will have any rights, power or authority to act or create an obligation, express or implied, on behalf of another party except as specified in this MSA. Neither party will use the other party’s name (except internal use only), trademark, logos, or trade name without the prior written consent of the other party. SecureWorks has the right to assign, subcontract or delegate in whole or in part this MSA, or any rights, duties, obligations or liabilities under this MSA, by operation of law or otherwise, provided that SecureWorks remains responsible for the performance of Services under this MSA. Otherwise, neither party may assign this MSA without the permission of the other party.
12.2 Entire Agreement; Severability; Section Headings. This MSA and the Service Orders and/or Statements of Work are the entire agreement between SecureWorks and Customer with respect to its subject matter and supersede all prior oral and written understandings, agreements, communications, and Customer terms and conditions attached to a purchase order or agreements, including, but not limited to, any security or privacy agreements executed by the parties. No amendment to or modification of this MSA, in whole or in part, will be valid or binding unless it is in writing and executed by authorized representatives of both parties provided, however, that the Service Level Agreements may be amended from time to time by SecureWorks, as reasonably necessary, in its reasonable discretion as long as such amendments (a) will have no material adverse impact on the Services, Service Levels or service credits, (where applicable), currently being provided to Customer by SecureWorks; and (b) are being effected with respect to all similarly situated SecureWorks customers. If any provision of this MSA is void or unenforceable, the remainder of this MSA will remain in full force and effect. Section headings are for reference only and will not affect the meaning or interpretation of this MSA.
12.3 Force Majeure. Neither party will be liable to the other party for any failure to perform any of its obligations (except payment obligations) under this MSA during any period in which such performance is delayed by circumstances beyond its reasonable control including, but not limited to, fire, flood, war, embargo, strike, riot or the intervention of any governmental authority (a “Force Majeure”). In such event, however, the party affected by Force Majeure must promptly provide the other party with written notice of the Force Majeure. The affected party’s time for performance will be excused for the duration of the Force Majeure, but if the Force Majeure event lasts longer than thirty (30) days, the other party may immediately terminate the applicable Service Order and/or Statement of Work by giving written notice to the affected party.
12.4 Notices. Notices to SecureWorks under this MSA must be in writing and sent by postage prepaid standard mail or receipted courier service to the other party at the address below or to such other address (incl. electronic) as specified in writing and will be effective on receipt.
SecureWorks Australia Pty Limited
Attn: Legal Department
Level 46
Tower One - International Towers
100 Barangaroo Avenue, Barangaroo
Sydney NSW 2000
This Section 12.4 applies for formal contract notices only and does not limit the parties’ ability to communicate via electronic mail or other methods as agreed to by the parties for routine communications.
12.5 Governing Law, Forum and Language. The MSA is governed by and is to be construed in accordance with the laws applicable in New South Wales.
Each party irrevocably and unconditionally submits to the non-exclusive jurisdiction of the courts of New South Wales and any courts which have jurisdiction to hear appeals from any of those courts and waives any right to object to any proceedings being brought in those courts.
This MSA will be interpreted and construed in accordance with the English language.
12.6 Dispute Resolution. The Parties will attempt to resolve any claim, or dispute or controversy (whether in contract, tort or otherwise) arising out of or relating to this MSA or any related purchase (a “Dispute”) through face-to-face negotiation with persons fully authorized to resolve the Dispute or through mediation utilizing a mutually agreed mediator, rather than through litigation. The existence or results of any negotiation or mediation will be treated as confidential. Notwithstanding the foregoing, (i) SecureWorks has the right to proceed directly to court in respect of undisputed non-payments due under this MSA and (ii) either party will have the right to apply for a temporary restraining order, preliminary injunction or other equitable relief from a court of competent jurisdiction to preserve the status quo, prevent irreparable harm, avoid the expiration of any applicable limitations period, or preserve a superior position with respect to other creditors, although the merits of the underlying Dispute will be resolved in accordance with this paragraph. In the event the parties are unable to resolve the Dispute within thirty (30) days of notice of the Dispute to the other party, the parties will be free to pursue all remedies available at law or equity.
12.7 Limitation Period. Neither party may institute any action in any form arising out of this MSA more than two (2) years after the cause of action has arisen, or in the case of non-payment, more than two (2) years from the date of last payment.
This Section 12 will survive any expiration or termination of this MSA.
APPENDIX A
Applicable to Security Services. Should a Statement of Work include security scanning, testing, assessment, forensics, or remediation Services (“Security Services”), Customer understands that SecureWorks may use various methods and software tools to probe network resources for security-related information and to detect actual or potential security flaws and vulnerabilities. Customer authorizes SecureWorks to perform such Security Services (and all such tasks and tests reasonably contemplated by or reasonably necessary to perform the Security Services or otherwise approved by Customer from time to time) on network resources with the IP Addresses identified by Customer. Customer represents that, if Customer does not own such network resources, it will have obtained consent and authorization from the applicable third party to permit SecureWorks to provide the Security Services. SecureWorks will perform Security Services during a timeframe agreed with Customer. The Security Services, such as penetration testing or vulnerability assessments, may also entail buffer overflows, fat pings, operating system specific exploits, and attacks specific to custom coded applications but will exclude intentional and deliberate DOS (“Denial of Service”) attacks. Furthermore, Customer acknowledges that the Security Services described could possibly result in service interruptions or degradation regarding the Customer’s systems and Customer accepts those risks and consequences. Customer consents and authorizes SecureWorks to provide any or all of the Security Services with respect to the Customer’s systems. Customer further acknowledges that it is the Customer’s responsibility to restore network computer systems to a secure configuration after SecureWorks’ testing.
Applicable to Compliance Consulting Services. Should a Statement of Work include compliance testing or assessment or other similar compliance advisory Services (“Compliance Services”), Customer understands that, although SecureWorks' Compliance Services may discuss or relate to legal issues, SecureWorks does not provide legal advice or services, none of such Services will be deemed, construed as or constitute legal advice and that Customer is ultimately responsible for retaining its own legal counsel to provide legal advice. Furthermore, the Customer Reports provided by SecureWorks in connection with any Compliance Services will not be deemed to be legal opinions and may not and should not be relied on as proof, evidence or any guarantee or assurance as to Customer’s legal or regulatory compliance.
Applicable to Payment Card Industry Compliance Consulting Services. Should a Statement of Work include payment card industry (“PCI”) compliance auditing, testing or assessment or other similar PCI compliance advisory Consulting Services (“PCI Compliance Services”), Customer understands that SecureWorks' PCI Compliance Services do not constitute any guarantee or assurance that security of Customer’s systems, networks and assets cannot be breached or are not at risk. These PCI Compliance Services are an assessment, as of a particular date, of whether Customer’s systems, networks and assets, and any compensating controls meet the applicable PCI standards. Mere compliance with PCI standards may not be sufficient to eliminate all risks of a security breach of Customer’s systems, networks and assets. Furthermore, SecureWorks is not responsible for updating its reports and assessments, or enquiring as to the occurrence or absence of such, in light of subsequent changes to Customer’s systems, networks and assets after the date of SecureWorks’ final report; unless a signed Statement of Work expressly requiring the same is signed and entered into between the parties.
Appendix B Data Protection Agreement
This Data Protection Agreement (“DPA”) forms part of the MSA between the Customer and Secureworks and shall apply where the provision of Services by Secureworks to Customer involves the processing of Personal Data (as defined below) which is subject to Privacy Laws. Except as otherwise expressly stated, Customer is the controller and Secureworks is the processor (as defined below) of the Personal Data processed under this MSA. In the event of a conflict between this DPA and the MSA, this DPA shall control with respect to its subject matter.
1. Definitions: References in this DPA to “controller”, “data subject”, “processor” and “supervisory authority” shall have the meanings ascribed to them under Privacy Laws. Capitalised terms that are not defined in this DPA shall have the meaning set out in the MSA. In this DPA:
1.1 “Data Breach” means an actual breach by Secureworks of the security obligations under this DPA leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data transmitted, stored or otherwise processed.
1.2 “Personal Data” means any information relating to an identified or identifiable natural person which is processed by Secureworks, acting as a processor on behalf of the Customer, in connection with the provision of the Services and which is subject to Privacy Laws.
1.3 “Privacy Laws” means any UK and/or European Union data protection and/or privacy related laws, statutes, directives, or regulations (and any amendments or successors thereto) to which a party to the MSA is subject and which are applicable to the Services including, without limitation, the General Data Protection Regulation 2016/679 when it comes into effect.
1.4 “processing” (and its derivatives) means any operation(s) performed on personal data, whether or not by automated means, including the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.5 “Security Event Data” means information related to security events which is collected during Secureworks’ provision of managed security services.
1.6 “Services” means the managed security services and/or professional services provided by Secureworks to Customer.
1.7 “Subprocessor” means a third party engaged by Secureworks (including without limitation an Affiliate and/or subcontractor of Secureworks) in connection with the processing of the Personal Data.
2. Description of processing: a description of the processing activities to be undertaken as part of the MSA and this DPA is set out in Annex 1.
3. Compliance with laws: the parties agree to comply with their respective obligations under Privacy Laws. In particular, Customer warrants and represents (on its behalf and on behalf of each of its Affiliates where applicable) that it has obtained all necessary authorisations and consents required for compliance with Privacy Laws prior to disclosing, transferring, or otherwise making available any Personal Data to Secureworks and that it has provided appropriate notifications to data subjects describing the purpose for which their personal data will be used pursuant to this DPA and MSA.
4. Secureworks obligations
4.1 Instructions: Secureworks shall process the Personal Data only in accordance with Customer's reasonable and lawful instructions (unless otherwise required to do so by applicable law). Customer hereby instructs Secureworks to process the Personal Data to provide the Services and comply with Secureworks' rights and obligations under the MSA and this DPA. The MSA and DPA comprise Customer's complete instructions to Secureworks regarding the processing of Personal Data. Any additional or alternate instructions must be agreed between the parties in writing, including the costs (if any) associated with complying with such instructions. Secureworks is not responsible for determining if Customer's instructions are compliant with applicable law, however, if Secureworks is of the opinion that a Customer instruction infringes applicable Privacy Laws, Secureworks shall notify Customer as soon as reasonably practicable and shall not be required to comply with such infringing instruction.
4.2 Confidentiality: To the extent the Personal Data is confidential (pursuant to applicable law), Secureworks shall maintain the confidentiality of the Personal Data in accordance with Section 8 of the MSA and shall require persons authorised to process the Personal Data (including its Subprocessors) to have committed to materially similar obligations of confidentiality.
4.3 Disclosures: Secureworks may only disclose the Personal Data to third parties (including without limitation its Affiliates and Subprocessors) for the purpose of:
(a) complying with Customer’s reasonable and lawful instructions
(b) as required in connection with the Services and as permitted by the MSA and/or this DPA, and/or
(c) as required to comply with Privacy Laws, or an order of any court, tribunal, regulator or government agency with competent jurisdiction to which Secureworks, its Affiliates and/or Subprocessors is subject PROVIDED that Secureworks will (to the extent permitted by law) inform the Customer in advance of any disclosure of Personal Data and will reasonably co-operate with Customer to limit the scope of such disclosure to what is legally required.
4.4 Assisting with data subject rights: Secureworks shall, as required in connection with the Services and to the extent reasonably practicable, assist Customer to respond to requests from data subjects exercising their rights under Privacy Laws (including without limitation the right of access, rectification and/or erasure) in respect of the Personal Data. Secureworks reserves the right to charge Customer for such assistance if the cost of assisting exceeds a nominal amount. Secureworks shall notify Customer as soon as practicable of any request Secureworks receives from data subjects relating to the exercise of their rights under applicable Privacy Laws during the Term of the MSA (to the extent such request relates to the Personal Data).
4.5 Security: Taking into account industry standards, the costs of implementation, the nature, scope, context and purposes of the processing and any other relevant circumstances relating to the processing of the Personal Data, Secureworks shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk in respect of any Personal Data in accordance with Secureworks policies. The parties agree that the security measures described in Annex 2 (Information Security Measures) provide an appropriate level of security for the protection of Personal Data to meet the requirements of this clause.
4.6 Subprocessors: Customer agrees that Secureworks may appoint and use Subprocessors (including without limitation those that may be identified on the subcontractor list posted on the Portal, as updated from time to time) to process the Personal Data in connection with the Services PROVIDED that:
(a) Secureworks puts in place a contract in writing with each Subprocessor that imposes obligations that are (i) relevant to the services to be provided by the Subprocessors and (ii) materially similar to the rights and/or obligations granted or imposed on Secureworks under this DPA; and
(b) where a Subprocessor fails to fulfil its data protection obligations as specified above, Secureworks shall be liable to the Customer for the performance of the Subprocessor’s obligations.
4.7 Deletion of Personal Data: Upon termination of the Services (for any reason) and if requested by Customer in writing, Secureworks shall as soon as reasonably practicable delete the Personal Data, PROVIDED that Secureworks may: (a) retain one copy of the Personal Data as necessary to comply with any legal, regulatory, judicial, audit or internal compliance requirements; and/or (b) defer the deletion of the Personal Data to the extent and for the duration that any Personal Data or copies thereof cannot reasonably and practically be expunged from Secureworks’ systems; and for such retention or deferral periods as referred to in subparagraphs (a) or (b) of this clause, the provisions of this DPA shall continue to apply to such Personal Data. Secureworks reserves the right to charge Customer for any reasonable costs and expenses incurred by Secureworks in deleting the Personal Data pursuant to this clause.
4.8 Demonstrating compliance: Secureworks shall, upon reasonable prior written request from Customer (such request not to be made more frequently than once in any twelve month period), provide to Customer such information as may be reasonably necessary to demonstrate Secureworks’ compliance with its obligations under this DPA.
4.9 Audit and inspections: Where Customer reasonably considers the information provided under clause 4.8 above is not sufficient to demonstrate Secureworks’ compliance with this DPA, Customer may request reasonable access to Secureworks’ relevant processing activities in order to audit and/or inspect Secureworks’ compliance with this DPA PROVIDED THAT:
(a) Customer gives Secureworks reasonable prior written notice of at least thirty (30) days before any audit or inspection (unless a shorter notice period is required by Privacy Laws, an order of a supervisory authority, otherwise agreed between the parties or in the event of a Data Breach)
(b) audits or inspections may not be carried out more frequently than once in any twelve month period (unless required more frequently by Privacy Laws, an order of a supervisory authority, otherwise agreed between the parties or in the event of a Data Breach)
(c) Customer submits to Secureworks a detailed audit plan at least two weeks in advance of the proposed audit date describing the proposed scope, duration and start date of the audit. Secureworks shall review the audit plan and provide Customer with any material concerns or questions without undue delay. The parties will then reasonably cooperate to agree a final audit plan
(d) Secureworks may restrict access to information in order to avoid compromising a continuing investigation, violating law or violating confidentiality obligations to third parties. Any access to sensitive or restricted facilities by Customer is strictly prohibited due to regulatory restrictions on access to other customers’ data (although Customer and/or its auditor shall be entitled to observe the security operations center via a viewing window). Customer shall not (and must ensure that its auditor shall not) allow any sensitive documents and/or details regarding Secureworks’ policies, controls and/or procedures to leave the Secureworks location at which the audit or inspection is taking place (whether in electronic or physical form)
(e) Customer carries out the audit or inspection during normal business hours and without creating a business interruption to Secureworks
(f) the audit or inspection is carried out in compliance with Secureworks’ relevant on site policies and procedures
(g) where the audit is carried out by a third party on behalf of the Customer, such third party is bound by similar obligations to those set out in Section 8 of the MSA (Confidentiality) and is not a direct competitor of Secureworks. Secureworks reserves the right to require any such third party to execute a confidentiality agreement directly with Secureworks prior to the commencement of an audit or inspection, and
(h) except where the audit or inspection discloses a failure on the part of Secureworks to comply with its obligations under this DPA, Customer shall pay all reasonable costs and expenses (including without limitation any charges for the time engaged by Secureworks, its personnel and professional advisers) incurred by Secureworks in complying with this clause.
Customer shall provide to Secureworks a copy of any audit reports generated in connection with an audit carried out under this clause, unless prohibited by applicable law. Customer may use the audit reports only for the purposes of meeting its regulatory audit requirements and/or confirming compliance with the requirements of this DPA. The audit reports shall be Confidential Information of the parties.
5. International transfers: Secureworks may, in connection with the provision of the Services, or in the normal course of business, make international transfers of the Personal Data to its Affiliates and/or Subprocessors. When making such transfers, Secureworks shall ensure appropriate protection is in place to safeguard the Personal Data transferred under or in connection with the MSA and this DPA. Where the provision of Services involves the transfer of Personal Data from countries within the European Economic Area (“EEA”) to countries outside the EEA (which are not subject to an adequacy decision under Directive 95/46/EC or the GDPR once in effect) such transfer shall be subject to the following requirements:
5.1 Secureworks has implemented appropriate security measures to adequately protect the transfer of such Personal Data
5.2 Secureworks has in place intra-group agreements with any Affiliates which may have access to the Personal Data, which agreements shall incorporate the EU Commission approved Standard Contractual Clauses (“Standard Contractual Clauses”); and
5.3 Secureworks has in place agreements with its Subprocessors that incorporate the Standard Contractual Clauses (as appropriate).
6. Data Breaches: Where a Data Breach is caused by Secureworks’ failure to comply with its obligations under this DPA, Secureworks shall:
6.1 notify Customer without undue delay after establishing the occurrence of the Data Breach and shall, to the extent such information is known or available to Secureworks at the time, provide Customer with details of the Data Breach, a point of contact and the measures taken or to be taken to address the Data Breach
6.2 reasonably cooperate and assist Customer with any investigation into, and/or remediation of, the Data Breach (including, without limitation and where required by Privacy Laws, the provision of notices to regulators and affected individuals)
6.3 not inform any third party of any Data Breach relating to the Personal Data without first obtaining Customer’s prior written consent, except as otherwise required by applicable law provided that nothing in this clause shall prevent Secureworks from notifying other customers whose personal data may be affected by the Data Breach, and
In the event Customer intends to issue a notification regarding the Data Breach to a supervisory authority, other regulator or law enforcement agency, Customer shall (unless prohibited by law) allow Secureworks to review the notification and Customer shall have due regard to any reasonable comments or amendments proposed by Secureworks.
7. Liability and Costs: Neither Secureworks nor any Subprocessor shall be liable for any claim brought by Customer or any third party arising from any action or omission by Secureworks and/or Subprocessors to the extent such action or omission resulted from compliance with Customer’s instructions.
8. Security Event Data: Secureworks will process Security Event Data as part of its provision of Services. Customer acknowledges that Secureworks may also process Security Event Data in order to develop, enhance and/or improve its security services and the products and services it offers and provides to customers. Secureworks shall be the controller in respect of any personal data in the Security Event Data and, for the duration of its processing of such Security Event Data, Secureworks shall (i) comply with applicable Privacy Laws and (ii) safeguard such Security Event Data with security measures that are no less protective than those set out in this DPA. Restrictions on the disclosure and transfer of Personal Data in this DPA shall not apply in connection with Secureworks’ processing of the Security Event Data for the purposes described in this clause, however, Secureworks shall not disclose any Security Event Data that is traceable to Customer to any third parties (other than Affiliates and Subprocessors) unless permitted under the MSA and/or this DPA, or the disclosure is required in order to comply with applicable law or legal process. Secureworks shall not be required to return or delete Security Event Data upon termination of the Services (for any reason). Customer shall ensure its personnel and any other data subjects whose personal data is processed by Secureworks in connection with the Services are appropriately notified of the fact their personal data may be processed in connection with the development, enhancement and/or provision of Secureworks’ products or services as described in this clause. If Customer is compelled by a legally binding order (e.g. of a court or regulatory authority of competent jurisdiction) to have the Security Event Data deleted, then Secureworks agrees, as appropriate, to anonymise, pseudonymise or delete the Security Event Data that is the subject of the binding order as soon as practicable.
9. Privacy Impact Assessments: Secureworks shall provide reasonable cooperation and assistance to Customer, to the extent applicable in relation to Secureworks’ processing of the Personal Data and within the scope of the agreed Services, in connection with any data protection impact assessment(s) which the Customer may carry out in relation to the processing of Personal Data to be undertaken by Secureworks, including any required prior consultation(s) with supervisory authorities. Secureworks reserves the right to charge Customer a reasonable fee for the provision of such cooperation and assistance.
Annex 1 - Processing description
Subject matter and purpose | Subject to the terms of the MSA, Secureworks provides information security services for the Customer and processes the Personal Data for the purpose of providing such services as set out in applicable Service Orders, SOWs, SLAs, Service descriptions or otherwise
Duration of processing | Secureworks will retain and process the Personal Data for the term of the MSA and in accordance with the provisions of this DPA regarding the return or deletion of the Personal Data
Data subjects | The Personal Data transferred may concern the following categories of data subjects: individuals who use and access Customer information technology systems for which Secureworks provides services
Type of personal data | For MSS Services: Personal Data may be contained:
For SRC (Consulting) Services: Personal Data which may be processed by Secureworks if necessary for the provision of the Consulting Services may include any or all of the following:
Annex 2 – Information Security Measures
Secureworks Corporate Global Information Security Overview
Secureworks takes information security seriously. This information security overview applies to Secureworks’ corporate controls for safeguarding personal data which is processed and transferred amongst Secureworks group companies. Secureworks’ information security program enables the workforce to understand their responsibilities. Some customer solutions may have alternate safeguards outlined in the statement of work as agreed with each customer.
Security Practices
Secureworks has implemented corporate information security practices and standards that are designed to safeguard Secureworks’ corporate environment and to address: (1) information security; (2) system and asset management; (3) development; and (4) governance. These practices and standards are approved by the Secureworks CIO and undergo a formal review on an annual basis.
Organizational Security
It is the responsibility of the individuals across the organization to comply with these practices and standards. To facilitate the corporate adherence to these practices and standards, the function of information security provides:
- Strategy and compliance with policies/standards and regulations, awareness and education, risk assessments and management, contract security requirements management, application and infrastructure consulting, assurance testing, and driving the security direction of the company.
- Security testing, design and implementation of security solutions to enable security controls adoption across the environment.
- Security operations of implemented security solutions, the environment and assets, and management of incident response.
- Forensic investigations with security operations, legal, data protection and human resources for investigations including eDiscovery and eForensics.
Asset Classification and Control
Secureworks’ practice is to track and manage physical and logical assets. Examples of the assets that Secureworks IT might track include:
- Information Assets, such as identified databases, disaster recovery plans, business continuity plans, data classification, archived information.
- Software Assets, such as identified applications and system software.
- Physical Assets, such as identified servers, desktops/laptops, backup/archival tapes, printers and communications equipment.
The assets are classified based on business criticality to determine confidentiality requirements. Industry guidance for handling personal data provides the framework for technical, organizational and physical safeguards. These may include controls such as access management, encryption, logging and monitoring, and data destruction.
Personnel Security
As part of the employment process, employees undergo a screening process applicable per regional law. Secureworks’ annual compliance training includes a requirement for employees to complete an online course and pass an assessment covering information security and data privacy. The security awareness program may also provide materials specific to certain job functions.
Physical and Environmental Security
Secureworks uses a number of technological and operational approaches in its physical security program with regard to risk mitigation. The security team works closely with each site to determine that appropriate measures are in place and to continually monitor any changes to the physical infrastructure, business, and known threats. It also monitors best practice measures used by others in the industry and carefully selects approaches that meet both the unique aspects of its business practice and the expectations of Secureworks as a whole. Secureworks balances its approach towards security by considering elements of control that include architecture, operations, and systems.
Communications and Operations Management
The IT organization manages changes to the corporate infrastructure, systems and applications through a centralized change management program, which may include testing, business impact analysis and management approval, where appropriate.
Incident response procedures exist for security and data protection incidents, which may include incident analysis, containment, response, remediation, reporting and the return to normal operations.
To protect against malicious use of assets and malicious software, additional controls may be implemented, based on risk. Such controls may include, but are not limited to, information security practices and standards; restricted access; designated development and test environments; virus detection on servers, desktops and notebooks; virus email attachment scanning; system compliance scans; intrusion prevention monitoring and response; logging and alerting on key events; information handling procedures based on data type, e-commerce application and network security; and system and application vulnerability scanning.
Access Controls
Access to corporate systems is restricted, based on procedures to ensure appropriate approvals. To reduce the risk of misuse, intentional or otherwise, access is provided based on segregation of duties and least privileges.
Remote access and wireless computing capabilities are restricted and require that both user and system safeguards are in place.
Specific event logs from key devices and systems are centrally collected and reported on an exceptions basis to enable incident response and forensic investigations.
System Development and Maintenance
Publicly released third party vulnerabilities are reviewed for applicability in the Secureworks environment. Based on risk to Secureworks’ business and customers, there are pre-determined timeframes for remediation. In addition, vulnerability scanning and assessments are performed on new and key applications and the infrastructure based on risk. Code reviews and scanners are used in the development environment prior to production to proactively detect coding vulnerabilities based on risk. These processes enable proactive identification of vulnerabilities as well as compliance.
Compliance
The information security, legal, privacy and compliance departments work to identify regional laws and regulations applicable to Secureworks corporate. These requirements cover areas such as intellectual property of the company and our customers, software licenses, protection of employee and customer personal information, data protection and data handling procedures, trans-border data transmission, financial and operational procedures, regulatory export controls around technology, and forensic requirements.
Mechanisms such as the information security program, the executive privacy council, internal and external audits/assessments, internal and external legal counsel consultation, internal controls assessment, internal penetration testing and vulnerability assessments, contract management, security awareness, security consulting, policy exception reviews and risk management combine to drive compliance with these requirements.