This Security Services Addendum (the “Security Services Addendum”) is by and between Service Provider and Customer and applies to the Security Services (defined below) included in one or more Service Orders between the Parties. To the extent any Security Services are included in a Service Order between the Parties, this Security Services Addendum references and is incorporated into and made a part of the Master Services Agreement between the Parties (the “Master Services Agreement”).

Now, therefore, in consideration of the mutual covenants and agreements set forth in this Security Services Addendum, the Master Services Agreement, and the Additional Terms and Conditions, and for other good and valuable consideration, the receipt and sufficiency of which are acknowledge by the Parties, the Parties agree as follows:

• General Terms. By Customer accessing and using the Security Services, the Parties agree that Customer is bound by this Security Services Addendum. Service Provider may modify this Security Services Addendum at any time and in Service Provider’s sole discretion by sending written notice to Customer. All capitalized terms used but not defined in this Security Services Addendum have the meanings assigned to them in the Master Services Agreement and Additional Terms and Conditions.
• Description of the Offerings. Service Provider shall provide some or all of the following security services based on the package selected by Customer and the services included in the selected package in the applicable Service Order. If included in the applicable Service Orders, Service Provider shall provide the following services at the level indicated by the package selected as indicated in the applicable Service Order:
  • Endpoint Protection. Service Provider will provide Endpoint Detection and Response software to detect and respond to malware.
  • Managed Detection and Response. Service Provider will provide managed detection and response technology and services to monitor Customer’s non-cloud-based systems and respond to threats to Customer’s non-cloud-based systems on a twenty-four (24) hours per day, seven (7) days per week basis subject to Section 3.2 of this Security Services Addendum.
  • Multifactor Authentication. Service Provider will provide Multifactor Authentication technology to Customer to protect Customer’s Microsoft 365 applications from unauthorized logins.
  • Spam/Email Filtering. Service Provider will provide software to scan for and detect spam and other threats in Customer’s inbound emails in real time and filter out the spam and threatening emails, including, but not limited to filtering emails that are or contain spam, whaling and phishing scams, viruses, malware, ransomware, and links to malicious websites.
  • Security Awareness Training. Service Provider will provide regular security awareness training, including, but not limited to, general awareness training, including courses, videos, and quizzes, user-personalized training based on the threat response behaviors of the specific user, automated phishing simulation, and reporting on Customer’s security risk.
• Limitations.
  • Malware. Service Provider will make every reasonable effort to remove viruses and malware from Customer’s systems. However, Service Provider cannot and does not guarantee that all malware and viruses can be removed because some attaches are far more sophisticated than a simple scan or detection monitoring software can handle.
  • Availability of Response. Customer acknowledges and agrees that the managed detection and response technology and services described in Section 2.2of this Security Services Addendum are provided, in whole or in part, by third-party vendors whose monitoring and response commitment is subject to change and outside of Service Provider’s control. Accordingly, the Parties agree that the twenty-four (24) hours per day, seven (7) days per week service level of Service Provider’s third party vendor may change if the third party vendor modifies its service level commitment and that Service Provider is not responsible or liable for any modifications to the third part vendor’s service level nor for supplying or obtaining supplemental, additional, or different services to achieve twenty-four (24) hours per day, seven (7) days per week monitoring and threat detection under Sections 2.2.
• Automatic Reporting. Service Provider’s antivirus protection software may include features that monitor the security status of Customer systems and send Service Provider reports about suspected malware and other unwanted software. Customer acknowledges and agrees that this automatic reporting helps Service Provider quickly detect and respond to new threats, providing better protection for Customer’s systems, and that the automatic reports may include files that contain suspected malware. These types of files are unlikely to contain any of Customer’s personal data, but if Service Provider determines that a suspicious file is likely to contain Customer’s personal data, Service Provider will seek Customer’s permission to send the file. Customer may turn off this automatic reporting from the anti-virus protection software that may be included in the technology provided to Customer under this Security Services Addendum.
• Security Breach; Responsibility for Data. Customer understands that security breaches might involve attacked on Customers data, for example, viruses and other malware might delete, destroy, alter, or encrypt data and files on Customer’s systems. Customer further understands that if a security breach occurs, Customer could lose access to its data and files. Accordingly, Customer acknowledges and agrees that it is Customer’s responsibility to back-up and store all data and files on Customer’s systems so that Customer can safely restore the data and files, if needed. Customer further acknowledges and agrees that Service Provider is not liable for any losses resulting from any security breach, including, but not limited to, loss of or damage to Customer’s data or files, theft of Customer’s data or files, theft of personally identifiable information belonging to Customer or any third party, and interruptions to Customer’s business. The Parties agree that nothing in this Security Services Addendum shall be construed to limit or modify Section 5 of the Additional Terms and Conditions.