SecOps Service Specific Terms
Last modified: May 23, 2024
These SecOps Service Specific Terms are incorporated into the agreement under which Google has agreed to provide SecOps Services (as described at https://cloud.google.com/terms/secops/services) to Customer (the “Agreement”). If the Agreement authorizes the resale or supply of SecOps Services under a Google partner or reseller agreement or program, then all references to Customer in the SecOps Service Specific Terms mean Partner or Reseller (as applicable), and all references to Customer Data in the SecOps Service Specific Terms mean Partner Data. Capitalized terms used but not defined in the SecOps Service Specific Terms have the meaning given to them in the Agreement.
1. Data
a. Improvements. To respond to the evolving threat landscape and provide current and state-of-the-art cybersecurity, as part of providing the Services we process Customer Data to improve the security, threat detection, prevention, and response capabilities of such Services.
b. Location. In the Order Form or by other means if made available by Google, Customer may select to store Customer Data in a specific Region or Multi-Region as detailed in the SecOps Services Locations Page (“Data Location Selection”), and Google will store that Customer Data at rest only in the selected Region/Multi-Region. If a Data Location Selection is not made by Customer, Google may (subject to the Cloud Data Processing Addendum) process and store Customer Data anywhere Google or its agents maintain facilities. The Services do not limit the locations from which Customer or Customer End Users may access Customer Data or to which they may move Customer Data. For clarity, Customer Data does not include resource identifiers, attributes, or other data labels.
2. General Software Terms. The following terms apply to all Software:
a. License. Google grants Customer a royalty-free (unless otherwise stated by Google), non-exclusive, non-sublicensable, non-transferable license during the Term to reproduce and use the Software ordered by Customer on systems owned, operated, or managed by or on behalf of Customer in accordance with (i) the Agreement, and (ii) if applicable, the Scope of Use. Customer may authorize its and its Affiliates' employees, agents, and subcontractors (collectively, “Software Users”) to use the Software in accordance with this section (License), so long as Customer remains responsible. Customer may make a reasonable number of copies of the Software for back-up and archival purposes. For clarity, Software does not constitute Services.
b. Documentation. Google may provide Documentation describing the appropriate operation of the Software, including a description of how Software is properly used, and whether and how the Software collects and processes data. Customer will comply with any restrictions in the Documentation regarding Software use.
c. Compliance With Scope of Use. Within 30 days of Google’s reasonable written request, Customer will provide a sufficiently detailed written report describing its usage in accordance with the applicable Scope of Use of each Software product used by Customer and its Software Users during the requested period. If requested, Customer will provide reasonable assistance and access to information to verify the accuracy of Customer’s Software usage report(s).
d. Other Warranties and Compliance. Each party represents and warrants that it will comply with all laws and regulations applicable to its provision or use of the Software, as applicable. Customer will: (i) ensure that Customer and its Software Users' use of the Software complies with the Agreement and the restrictions in the Agreement applying to Customer's use of the Services; (ii) use commercially reasonable efforts to prevent and terminate any unauthorized access to or use of the Software; and (iii) promptly notify Google of any unauthorized access to or use of the Software of which Customer becomes aware. If the Software contains open source or third-party components, those components may be subject to separate license agreements, which Google will make available to Customer. Customer is solely responsible for complying with the terms of any third-party sources from which Customer elects to migrate its workloads onto the Services, and represents and warrants that such third-party sources permit the use of Software to migrate applications away from such sources. If the Agreement terminates or expires, then Customer will stop using all Software and delete it from Customer's systems.
3. Premium Software Terms. The following terms apply only to Premium Software:
a. Introduction. Google makes certain Software available under the Agreement described as “Premium Software” in an Order Form or as otherwise identified as Premium Software by Google (“Premium Software”). Customer will pay applicable Fees for any Premium Software it obtains as described in the applicable Order Form. Premium Software is Google’s Confidential Information.
b. Software Warranty. Google warrants to Customer that for one year from its delivery, Premium Software will perform in material conformance with the applicable Documentation. This warranty will not apply if (i) Customer does not notify Google of the non-conformity within 30 days after Customer first discovers it, (ii) Customer modifies Premium Software or uses it in violation of the Agreement, or (iii) the non-conformity is caused by any third-party hardware, software, services, or other offerings or materials, in each case not provided by Google.
If Google breaches this warranty, then Google will, in its discretion, repair or replace the impacted Premium Software at no additional charge. If Google does not believe that repairing or replacing would be commercially reasonable, then Google will notify Customer and (A) Customer will immediately cease use of the impacted Premium Software and (B) Google will refund or credit any prepaid amounts for the impacted Premium Software and Customer will be relieved of any then-current commitment to pay for future use of the impacted Premium Software. Without limiting the parties’ termination rights, this section (Software Warranty) states Customer’s sole remedy for Google’s breach of the warranty in this section (Software Warranty).
c. Software Indemnification. Google’s indemnity obligations under the Agreement with respect to allegations of infringement of third-party Intellectual Property Rights apply to Premium Software, and Customer’s indemnity obligations under the Agreement with respect to Customer’s use of the Services apply to Customer’s use of Premium Software. In addition to any other indemnity exclusions in the Agreement, Google’s indemnity obligations will not apply to the extent the underlying allegation arises from modifications to Premium Software not made by Google or use of versions of Premium Software that are no longer supported by Google.
d. Technical Support. Unless otherwise specified by Google, Google will make TSS available for Premium Software for an additional charge, in accordance with the TSS Guidelines.
e. Compliance. Premium Software may transmit to Google metering information reasonably necessary to verify that use of the Premium Software complies with the Scope of Use, as described in the applicable Documentation. Customer will not disable or interfere with the transmission of such metering information.
f. Updates and Maintenance. During the Term, Google will make available to Customer copies of all current versions, updates, and upgrades of Premium Software, promptly upon general availability, as described in the Documentation. Unless otherwise stated in the Documentation for the applicable component of Premium Software, Google will maintain the current release of Premium Software and the two versions immediately preceding the current release, including by providing reasonable bug fixes and security patches. Maintenance for any Premium Software may be discontinued with one year’s notice from Google, except Google may eliminate maintenance for a version and require upgrading to a maintained version to address a material security risk or when reasonably necessary to avoid an infringement claim or comply with applicable law.
4. Pre-GA Offerings Terms. Google may make available to Customer pre-general availability features, services or software that are either not yet listed at https://cloud.google.com/terms/secops/services or identified as “Early Access,” “Alpha,” “Beta,” “Preview,” “Experimental,” or a similar designation in related documentation or materials (collectively, “Pre-GA Offerings”). While Pre-GA Offerings are not Services or Software, Customer’s use of Pre-GA Offerings is subject to the terms of the Agreement applicable to Services (or Software, if applicable), as amended by this Section 4.
Customer may provide feedback and suggestions about the Pre-GA Offerings to Google, and Google and its Affiliates may use any feedback or suggestions provided without restriction and without obligation to Customer.
PRE-GA OFFERINGS ARE PROVIDED “AS IS” WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES OR REPRESENTATIONS OF ANY KIND. Pre-GA Offerings (a) may be changed, suspended or discontinued at any time without prior notice to Customer and (b) are not covered by any SLA or Google indemnity. Except as otherwise expressly indicated in a written notice or the documentation for a given Pre-GA Offering, (i) Pre-GA Offerings may not be covered by TSS, (ii) the Cloud Data Processing Addendum does not apply to Pre-GA Offerings and Customer should not use Pre-GA Offerings to process personal data or other data subject to legal or regulatory compliance requirements, and (iii) Google’s data location commitments set out in these Service Specific Terms will not apply to Pre-GA Offerings. With respect to Pre-GA Offerings, to the maximum extent permitted by applicable law, neither Google nor its suppliers will be liable for any amounts in excess of the lesser of (A) the limitation on the amount of liability stated in the Agreement or (B) $25,000. Nothing in the preceding sentence will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability). Customer's access to and use of any Pre-GA Offering is subject to any applicable Scope of Use. Either party may terminate Customer's use of a Pre-GA Offering at any time with written notice to the other party. Certain Pre-GA Offerings may be subject to additional terms stated below.
5. Benchmarking. Customer may conduct benchmark tests of the Services (each a "Test"). Customer may only publicly disclose the results of such Tests if it (a) obtains Google's prior written consent, (b) provides Google all necessary information to replicate the Tests, and (c) allows Google to conduct benchmark tests of Customer's publicly available products or services and publicly disclose the results of such tests. Notwithstanding the foregoing, Customer may not do either of the following on behalf of a hyperscale public cloud provider without Google's prior written consent: (i) conduct (directly or through a third party) any Test of the Services or (ii) disclose the results of any such Test.
6. Unpaid Trials. Certain Services may be made available to Customer on a trial basis under a trial account (“Trial Account”). The parameters of each trial, including any Scope of Use, may be presented to Customer either through the Order Form, Documentation, email, or as otherwise communicated by Google. Use of a trial indicates Customer’s acceptance of any such parameters. When the trial ends or terminates, Customer will no longer have access to the Services under the Trial Account and any Customer Data in the Services will be deleted unless Customer orders the Services before the end of the trial period. Notwithstanding any other terms in the Agreement, the SLA, Technical Support Services, and Google’s indemnity do not apply to trials or Trial Accounts. During the trial term, the Services are provided “as-is” without any representations or warranties of any kind. Notwithstanding anything to the contrary in the Agreement, Google’s total aggregate Liability for damages arising out of or related to a trial or Trial Account is limited to $25,000.00 USD in the aggregate.
7. Generative AI Features.
a. Disclaimer. Generative AI Features use emerging technology, may provide inaccurate or offensive output, and are not designed for or intended to meet Customer’s regulatory, legal, or other obligations.
b. Prohibited Use Policy. For the purposes of Generative AI Features, the Prohibited Use Policy located at https://policies.google.com/terms/generative-ai/use-policy, as may be updated from time to time, are incorporated into the AUP (if Customer has questions on whether this policy applies to Customer’s business, contact your Google Cloud Sales Representative or Google Cloud Partner).
c. Use Restrictions for Generative AI Features. Customer will not, and will not allow End Users to, use output from the Generative AI Features to: (i) develop models that compete with any Service or Software, or (ii) reverse engineer any Service, Software, or their models (or extract any components of the foregoing).
d. Age Restrictions. Customer will not, and will not allow End Users to, use a Generative AI Feature as part of an online service that is directed towards or is likely to be accessed by individuals under the age of 18.
e. Healthcare Restrictions. Customer will not, and will not allow End Users to, use the Generative AI Features for clinical purposes (for clarity, non-clinical research, scheduling, or other administrative tasks is not restricted), to provide medical advice, or in any manner that is overseen by or requires clearance or approval from any applicable regulatory authority.
f. Suspected Violations. Google may immediately suspend or terminate Customer’s use of a Generative AI Feature based on any suspected violation of subsections (c) or (d) above.
g. Restrictions. The restrictions contained in subsections (d) and (e) above are deemed to be “Restrictions” or “Use Restrictions” under the applicable Agreement.
8. Support. If Customer is not an existing Google Cloud Platform customer, then the following terms apply: To access the Technical Support Services, Customer must login to the Google Cloud Platform admin console (“GCP Admin Console”) and accept the Google Cloud Platform Terms of Service at https://cloud.google.com/terms (“GCP Service Terms”). Access to the GCP Admin Console provides Customer’s administrator with the option (and no obligation) to use certain Google Cloud Platform Services (described at https://cloud.google.com/terms/services (the “GCP Services”). For clarity, Customer has no obligation to purchase or use GCP Services to access or use the Technical Support Services via the GCP Admin Console, and Customer is not bound by the GCP Service Terms provided that Customer’s access to the GCP Admin Console is used only to obtain Technical Support Services.
9. Additional Definitions.
“Generative AI Feature(s)” means any generative AI feature of a Service.
“Multi-Region” means a defined set of Regions.
“Region” means a region from which a particular Service is offered, as identified at the SecOps Services Locations Page.
“Scope of Use” means any limits on installation or usage of Services or Software presented by Google.
“SecOps Services Locations Page” means https://cloud.google.com/terms/secops/data-residency.
As used throughout these Service Specific Terms, “Cloud Data Processing Addendum” (formerly referred to as the Data Processing and Security Terms) has the meaning given in the Agreement or, if no such meaning is given, means the then-current terms describing data processing and security obligations with respect to Customer Data, at https://cloud.google.com/terms/data-processing-addendum.
The following terms apply only to the Service(s) indicated in the section title.
1. Chronicle Security Operations (Chronicle SIEM and Chronicle SOAR) (“Chronicle”)
a. Service Models. Chronicle is available in the following service models, as specified in an Order Form:
i. Data Ingestion (Log Ingest). Customers are charged a flat rate based on data ingestion up to the Data Cap. The following terms apply to this service model:
A. Data Limitations. Chronicle is only to be used for Security Telemetry. Customer agrees that it will not provide any data to Chronicle that is not Security Telemetry.
B. Overages. The applicable Order Form will identify Customer’s Data Cap as the number of Units purchased. In the event Customer consumed in excess of the Units purchased (as determined in Google’s sole discretion), Google will invoice Customer in arrears at the end of each month for any Units that Customer consumes in excess of the Units purchased, which will be charged at the monthly-prorated List Price less the applicable Discount as set forth in the applicable Order Form, unless otherwise agreed by the parties in writing. Customer will pay such invoice by the Payment Due Date. If Customer does not pay such invoice within thirty (30) days of the Payment Due Date, then Google may terminate the applicable Order Form upon written notice to Customer.
ii. Covered Personnel. Customers are charged a flat rate per each Covered Personnel. The following terms apply to this service model:
A. Data Limitations. Chronicle is only to be used for Network Telemetry and Third Party Telemetry. Customer agrees that it will not provide any data to Chronicle that is not Network Telemetry or Third Party Telemetry. Customer further agrees to work with Google to filter Customer Data that does not constitute Network Telemetry or Third Party Telemetry.
B. Overages. The applicable Order Form will identify the number of Covered Personnel as the number of Units purchased. Overages in the number of Covered Personnel are subject to proportional increases in Customer’s Fees during an Order Term based on any ten percent (10%) or more increase in Covered Personnel from the number reported in an Order Form.
C. Compliance. Within 30 days of Google’s reasonable written request, Customer will provide documentation establishing that the number of Covered Personnel providing Customer Data to Chronicle does not exceed the number of Units reported in an Order Form plus ten percent (10%).
b. Service Suspension. Google may Suspend Customer’s access to Chronicle if Customer does not comply with the data limitations provisions in Section 1(a)(i)(A) and Section 1(a)(ii)(A) (as applicable) of these Chronicle Service Terms, and Customer’s non-compliance is not cured following notice from Google within the Data Limitation Notice Period. If Google Suspends Customer’s access to Chronicle under this Section, then (i) Google will provide Customer notice of Suspension without undue delay, to the extent legally permitted, and (ii) the Suspension will be to the minimum extent and for the shortest duration required to resolve the cause for Suspension.
c. Data Period. Subject to and in accordance with the Cloud Data Processing Addendum, (i) Google will maintain Customer Data in Chronicle for the Data Period, and (ii) Customer instructs Google that it may delete Customer Data that is outside the Data Period.
d. Third-Party Terms.
i. Third-Party Offerings. Customer must obtain access to any Third-Party Offerings from the respective provider (a “Third-Party Provider”). To the extent Customer provides access to the Customer’s Account to a Third-Party Offering or Third-Party Provider, Customer explicitly consents and instructs Google to allow the Third-Party Provider of any such Third-Party Offerings to access Customer Data as may be required to interact with Chronicle, including to copy Customer Data into or out of Chronicle. For clarity, Third-Party Providers are not Subprocessors (as defined in the Cloud Data Processing Addendum).
A. Disclaimers. The manner in which Third-Party Offerings and Third-Party Providers transmit, use, store, and disclose Customer Data is governed solely by the policies of such Third-Party Offering and Third-Party Provider. To the extent permitted under applicable law, Google will have no liability or responsibility for:
1. Customer’s use of a Third-Party Offering, including any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such Third-Party Offering, actions or the effect of actions that Customer authorizes Google to take with respect to Third-Party Offerings and a Third-Party Provider’s access to and use of Customer Data;
2. the privacy practices or other actions of any Third-Party Offering or Third-Party Provider; or
3. the accuracy, availability, or reliability of any data, information, content, services, advice, or statements made available in connection with such Third-Party Offering.
B. Representations and Warranties. Customer represents and warrants that nothing in the Agreement, or Customer’s use of Chronicle, will violate any agreement or terms with a third party to which Customer is subject.
ii. Looker and BigQuery. Google uses Looker and BigQuery with Chronicle for dashboarding, reporting, and storage features. Customer may only use Looker and BigQuery as part of Chronicle subject to any deployment, configuration, and use limitations provided or described by Google. Google may make Software available to Customer in connection with Customer’s use of Looker, including third-party Software. Some Software may be subject to third-party license terms, which can be found at https://looker.com/trust-center/legal/notices-and-acknowledgements. If Customer stops using Chronicle, or Looker, then Customer will also stop using the Software. Customer’s access to Looker and/or BigQuery may be terminated by Google, at any time, if Customer is found to be in breach of the Agreement. Notwithstanding anything to the contrary in the Agreement, as used in this Section 1(d)(ii) in these Chronicle Service Terms, the term “Customer Data” means (a) all data in Customer’s databases provided to Looker by Customer or End Users via Chronicle, and (b) all results provided to Customer or End Users for queries executed against such data via Looker. Google’s data location commitments under General Service Terms Section 1 (Data) do not apply to Looker or BigQuery dashboarding, reporting, or storage.
iii. Chronicle SIEM Enterprise Plus. If Customer subscribes to “Chronicle SecOps Enterprise Plus” SKU, such SKU leverages capabilities from and entitles Customer access to a product called “VirusTotal”. Customer’s use of VirusTotal is subject to the additional terms set forth in Section 3 (VirusTotal) below. For avoidance of doubt, VirusTotal is not part of the Audited Services as set forth in the Cloud Data Processing Addendum, and Google’s data location commitments under General Service Terms Section 1 (Data) do not apply to VirusTotal.
e. Build Partners. The following terms apply where Customer purchases Chronicle as a Build Partner:
i. In the following definitions in Section f (Additional Definitions) in these Chronicle Service Terms, all references to Customer will be replaced with End User(s): (A) Covered Personnel, (B) Customer Network, (C) Network Telemetry, and (D) Third Party Telemetry;
ii. Customer may not use Chronicle for internal purposes, unless Customer has a separate Order Form for internal use; and
iii. In General Service Terms Section 2 (General Software Terms): (A) End Users are included in the definition of “Software Users”, and (B) Customer may reproduce and use the Software ordered by Customer on systems owned, operated, or managed by or on behalf of End Users in accordance with (Y) the Agreement, and (Z) if applicable, the Scope of Use, provided that Customer will be liable for the acts and omissions of its End Users.
f. Additional Definitions.
“Covered Personnel” means an employee or contractor of Customer.
“Customer Network” means the network used by Customer for internal business purposes, and all applications, software, services, and physical devices used for internal business purposes that connect to such network.
“Data Cap” means the amount of Customer Data that Customer is permitted to provide to Chronicle through the Account on an annual basis starting from the Service(s) Start Date, as specified in an Order Form as “Unit(s)”.
“Data Limitation Notice Period” means either (a) 72 hours after Google’s notice to Customer of non-compliance or (b) 7 days after Google’s notice if Customer reasonably demonstrates to Google that Customer is taking reasonable steps to remedy the non-compliance.
“Data Period” means the length of time that Customer Data will be available in Chronicle, as specified in an Order Form. The Data Period is calculated on a monthly rolling, lookback basis from the current date using the event date/timestamp of the Customer Data as read by Chronicle. If not specified in an Order Form, the Data Period is 12 months.
“Documentation” means the then-current Chronicle documentation made available by Google to its customers for use with the Services at https://cloud.google.com/chronicle/docs.
“Build Partner” means a Customer that provides its own Customer Applications that complement, enhance, or extend the reach or functionality of Chronicle for use solely by End Users. This would be applicable to Customer’s participation in the Program under the Build Engagement Model.
“Network Telemetry” means Security Telemetry generated by devices that are part of the Customer Network and does not include Security Telemetry generated by anyone other than Covered Personnel; for example Network Telemetry does not include Security Telemetry generated by Customer’s customers or Customer’s partners.
“Program” means the Google Cloud Partner Advantage Program as described in the then-current Google Cloud Partner Advantage Guide, available at https://www.partneradvantage.goog (as may be updated or modified by Google from time to time).
“Security Telemetry” means the metadata or other data that relates to Customer’s or a Customer End User’s security posture and that is produced by security related features, products, or services.
“Third Party Telemetry” means Security Telemetry Customer has received from a third party that Customer uses for purposes of securing the Customer Network.
“Units” means the units by which use of a Service SKU is measured (e.g., Data Cap or Covered Personnel).
2. Mandiant
a. Mandiant Solutions
i. Access to Mandiant Solutions. Subject to the Agreement, payment of all Fees, and any applicable Scope of Use, Customer may access and use the Mandiant Solutions in accordance with the Agreement and any Documentation, solely for its internal business purposes.
1. Mandiant Security Validation Solutions. The Security Validation Solutions may only be used up to the purchased license entitlement listed on the Order Form. Customers purchasing the Validation on Demand version of the Security Validation Solutions are licensed to use 1 actor to conduct 1 assessment, as set forth in the Documentation, and such use must occur within 1 year from the date of the applicable Order Form. The term of the license will begin on or shortly after the Order Form Effective Date (as determined by Google).
2. Mandiant Automated Defense. Customers may only use Mandiant Automated Defense solely for the purpose of analyzing Customer Data and rendering reports of the results of such analysis to Customer.
3. Mandiant Attack Surface Management (ASM). Customers may only use Mandiant ASM up to the purchased license entitlements on the Order Form for the purpose of assessing the security of internet-facing assets in connection with Customer’s business.
4. Intelligence Subscriptions. Customer may purchase different Intelligence Subscriptions, as set forth in the Documentation. Customer’s access to the Intelligence Subscription(s) is provided through access keys or login credentials, which may not be shared between Customer’s End Users. Customer may not establish group accounts. Google reserves the right to limit the number and/or frequency of requests through the Intelligence Subscriptions, as set forth in the Documentation. In addition to any other rights under the Agreement, Google may use technical measures to prevent over-usage or to stop usage after any limitations are exceeded.
5. Digital Threat Monitoring. Customer may use Digital Threat Monitoring solely for the purpose of analyzing Customer’s own security posture and for no other purpose. Google may terminate or suspend Customer’s usage of Digital Threat Monitoring based on a suspected violation of this Section 5 (as determined in Google’s sole discretion).
ii. Security Content.
1. License. Mandiant Solutions may include access to certain defined files, URLs, IP addresses, file hashes, commands, network traffic samples and other artifacts that can be malicious and/or represent real attacker behavior (“Security Content”). Google grants to Customer a limited, non-transferable, non-exclusive license to use the Security Content solely in connection with the applicable Mandiant Solutions and for no other purpose. Any Security Content obtained or licensed from a third party and furnished through Google or which Customer procures on its own will be deemed a Third Party Offering under the Agreement. Google does not warrant that any Security Content made available through Mandiant Solutions will continue to be available throughout the Order Term, and Google may add or remove Security Content from time to time in its sole discretion.
2. Disclaimer. Customer understands that Security Content includes live malware, including ransomware, and that use of the Security Content in ways not strictly described in the Documentation may cause damage to Customer’s environment. Security Content is provided “as-is” and Google makes no representations or warranties regarding the Security Content and does not guarantee or warrant that the Security Content will cover all possible conditions, environments or controls. Security Content is obtained from a variety of sources, which may include known threat actors. To the maximum extent permitted by applicable law, Customer assumes all risk associated with use of the Security Content, and acknowledges that Google has no obligation to ensure Security Content will operate as intended.
3. Submission of Security Content. Mandiant Solutions may allow Customer to submit Security Content or other malware to Google. Customer acknowledges that any Security Content or other malware provided by Customer through the Mandiant Solutions is not Customer Data, and may be used, aggregated, analyzed and shared by Google to enhance the products and services Google provides to its customers.
b. Mandiant Managed Services
i. Managed Services. During the Order Term, Google will provide Managed Services as set forth in the Documentation, according to the volume of entitlements or licenses purchased by Customer set forth in the applicable Order Form. Any services Customer requests that are not described in the Documentation will be performed at mutually agreed upon rates. If the number of entitlements or licenses exceeds the purchased volume reflected in the Order Form, Google will notify Customer in writing, and will issue an invoice for the next higher count at Google’s then-current rates prorated for the remaining portion of the then-current Order Term.
ii. Reseller and Partner Purchases. If Customer receives Managed Services via a Google authorized partner (a “Partner”), Customer agrees that the Managed Services and any output of the Managed Services, including reports, may be delivered to Customer through the Partner. Notwithstanding anything to the contrary in the Agreement, Customer authorizes Google to disclose information related to the Managed Services and Customer Data to Partner.
iii. Customer Responsibilities. Customer acknowledges and agrees that (i) Managed Services are not an alternative to an incident response engagement for an environment that is compromised prior to the start of the Managed Services Order Term, and (ii) Google’s ability to successfully deliver the Managed Services is dependent on the Customer’s ability to meet its responsibilities as outlined in this Section 2(b)(iii). To the maximum extent permitted by applicable law, Google will have no liability for any failure to deliver the Managed Services that may arise due to Customer’s refusal or failure to perform its responsibilities:
1. Installation Requirements. Customer will be responsible for the following: (i) providing network architecture diagrams, physical, and logical access to Customer’s environment for the sole purpose of deploying and configuring any Managed Services supported technology (as may be defined in the Documentation); (ii) upgrading pre-existing technology to the minimum software version as referenced within the Documentation; (iii) providing confirmation that all technology within the Customer’s environment has been successfully configured and connected to its network according to the individual product’s system administration guide and the configurations supported as noted in the relevant product’s support terms; and (iv) providing the ability to establish a persistent connection to the Customer’s network within the designated port range corresponding to the country from which the Managed Services will be delivered.
2. Credential Security. Customer will be responsible for the following: (i) providing accurate information to Google for provisioning access to (and removal of) Customer personnel access to any portals associated with the Managed Services; (ii) implementing and adhering to strong password standards; (iii) providing accurate information to Google for domain whitelisting; and (iv) reporting any security issues related to the Managed Services (including any available portals) to Google immediately.
3. Network Segment Exclusion. Customer will notify Google if specific network segments will not require managed defense monitoring. Customer must provide detailed information regarding the specific network segment range when possible (e.g. guest networks, testing environments).
4. Remediating Known Compromises. Customer will make a reasonable effort to remediate any known compromises reported by Google or third party vendors. Google may choose to suppress alerts generated by known compromised systems until such time as the compromise is remediated.
5. Time and Date Settings. Customers will ensure that all supported technology has accurate time and date settings, to help ensure that time-supported alerts are accurately categorized. Google will not be responsible for reporting on alerts generated by supported technology that does not have up to date time and date settings.
iv. Exclusions. Notwithstanding anything to the contrary in the Agreement, Google will have no obligation to provide the Managed Services for (i) products or services that have been declared end of support or that are not currently supported; (ii) products or services that have no active support in place; (iii) products or services for which updates have not been applied; (iv) products or services that have not been installed and deployed; or (v) products or services that are misconfigured or incorrectly deployed, which prevents the Managed Services from monitoring. Customer acknowledges that to facilitate Google’s efficient performance of the Managed Services, Google may control some features and functionality of the underlying products and services, including by applying updates, and such features or functionality may not be available for Customer’s independent use during the Order Term of the Managed Services.
c. Mandiant Consulting Services
i. Provision of Services. Google will provide Consulting Services, including Deliverables, to Customer, subject to Customer fulfilling its obligations under Section 2(c)(v) (Customer Obligations) below. Deliverables are considered final upon the earlier of Customer’s written or oral confirmation of acceptance, or ten (10) business days after Google makes the Deliverables available to Customer.
ii. Invoices and Payment. Customer will pay all Fees for Consulting Services and some Fees may be non-cancellable, as specified in the Order Form.
iii. Personnel. Google will determine which Personnel will perform the Consulting Services. If Customer requests a change of Personnel and provides a reasonable and lawful basis for such request, then Google will use commercially reasonable efforts to replace the assigned Personnel with alternative Personnel. If provided to Google before the start of the Consulting Services, Google’s Personnel performing the Consulting Services will comply with Customer’s reasonable personnel training policies related to the Consulting Services.
iv. Compliance with Customer’s Onsite Policies and Procedures. Google Personnel performing Consulting Services at Customer’s facilities will comply with Customer’s reasonable onsite policies and procedures made known to Google in writing in advance.
v. Customer Obligations.
1. Cooperation. Customer will provide reasonable and timely cooperation in connection with Google’s provision of the Consulting Services. Google will not be responsible for a delay caused by Customer’s failure to provide Google with the information, materials, consents, or access to Customer facilities, networks, systems, or key individuals required for Google to perform the Consulting Services. If Google informs Customer of such failure and Customer does not cure the failure within 30 days, then Google may terminate any incomplete Consulting Services and Customer will pay actual costs incurred by Google for the canceled Consulting Services.
2. Expenses.
a. General. Customer will reimburse expenses as specified in the applicable Order Form.
b. Litigation Expenses. If Google is requested by Customer or required by applicable law, legal process or government action to produce information, documents or personnel as witnesses with respect to the Consulting Services or the Agreement, Customer will reimburse Google for any time, expenses, and liabilities (including reasonable external and internal legal costs or fines) incurred to respond to the request, unless Google is itself a party to the proceeding or the subject of the investigation.
3. Shipping Media. Customer acknowledges and agrees that Google is not responsible for any damages arising from the shipment and delivery of any media, hardware, and equipment to Google.
4. Information and Systems. Customer is solely responsible for the accuracy and completeness of all information it and its Personnel provide to Google, and Customer represents and warrants that it owns, or is authorized to give Google access to, any systems, facilities, and/or devices that Google is required to access to perform Consulting Services.
vi. Intellectual Property.
1. Background IP. Customer owns all rights, title, and interest in Customer’s Background IP. Google owns all rights, title, and interest in Google’s Background IP. Customer grants Google a license to use Customer’s Background IP to perform the Consulting Services (with a right to sublicense to Google Affiliates and subcontractors). Except for the license rights under Sections 2(c)(vi)(2) (Google Technology) and 2(c)(vi)(3) (Deliverables) below, neither party will acquire any right, title, or interest in the other party’s Background IP under the Agreement. For clarity, Background IP is included in the definition of “Indemnified Materials” for each party.
2. Google Technology. Google owns all rights, title, and interest in Google Technology. To the extent Google Technology is incorporated into Deliverables, Google grants Customer a limited, worldwide, non-exclusive, non-transferable license (with the right to sublicense to Affiliates), for the maximum term permitted by applicable law, to use the Google Technology in connection with the Deliverables for Customer’s internal business purposes. The Agreement (including these Service Specific Terms) does not grant Customer any right to use materials, products, or services that are made available to Google customers under a separate agreement.
3. Deliverables. Google grants Customer a limited, worldwide, non-exclusive, fully-paid, non-transferable license (with the right to sublicense to Affiliates), for the maximum term permitted by applicable law, to use and reproduce the Deliverables for Customer’s internal business purposes.
vii. Warranties and Remedies.
1. Google Warranty. Google will perform the Consulting Services in a professional and workmanlike manner, in accordance with practices used by other service providers performing services similar to the Consulting Services. Google will use Personnel with requisite skills, experience, and qualifications to perform the Consulting Services.
2. Remedies. Google’s entire liability and Customer’s sole remedy for Google’s failure to provide Consulting Services that conform with Section 2(c)(vii)(1) (Google Warranty) will be for Google to, at its option, (a) use commercially reasonable efforts to re-perform the Consulting Services or (b) terminate the Order Form and refund any applicable Fees received for the nonconforming Consulting Services. Any claim that Google has breached the warranty as described in Section 2(c)(vii)(1) (Google Warranty) must be made within 30 days following the date that Google has performed the applicable Consulting Services.
viii. Indemnification.
1. Indemnification Exclusions. The sections of the Agreement titled "Google Indemnification Obligations" and "Customer Indemnification Obligations" will not apply to the extent the underlying allegation arises from (a) modifications to the Google Indemnified Materials or Customer Indemnified Materials (as applicable) by anyone other than the indemnifying party or (b) compliance with the indemnified party’s instructions, design, or request for customized features.
2. Infringement Remedies. The remedies described in the section of the Agreement titled "Remedies" also apply to Deliverables.
ix. Survival. If the Agreement or applicable Order Form expires or terminates, then the following Sections of these Service Specific Terms will survive for purposes of Consulting Services: 2(c)(vi) (Intellectual Property), 2(c)(viii) (Indemnification), 2(c)(ix) (Survival), and 2(f) (Additional Definitions).
x. Insurance. During the term of the Agreement, each party will maintain, at its own expense, appropriate insurance coverage applicable to performance of the party’s respective obligations under the Agreement, including general commercial liability, workers’ compensation, automobile liability, and professional liability.
xi. No Publicity. Notwithstanding anything in the Agreement to the contrary, including the Agreement sections titled "Marketing and Publicity" and "Conflicting Terms", neither party will publicly disclose that Google is providing Mandiant Consulting Services to Customer without the other party's prior written consent in each instance.
xii. Google Cloud Service Data. If Customer also purchases Cloud Services (as defined in the Google Cloud Privacy Notice), then without limiting Google’s obligations under the Google Cloud Privacy Notice with respect to Service Data:
1. Google may access and process such data to provide Consulting Services to Customer, as further described in the SecOps Privacy Notice; and
2. Customer will notify data subjects impacted by such processing as required by applicable law.
d. Expertise On Demand.
i. Expertise On-Demand. Google will provide Customer with the most current version of the Documentation that will describe the Services that are available through the Expertise On-Demand Subscription (“Expertise on Demand Services” or “EOD”). Customer may order any of the Expertise on Demand Services described in the Documentation during the twelve month period beginning on the Order Form Effective Date (the “Covered Period”). All Expertise on Demand Services must commence within the Covered Period, and must be requested within the time frames set forth in the Documentation to allow for scheduling so that Expertise on Demand Services may commence prior to the end of the Covered Period.
ii. Units. Customer will pay a fixed fee (the “Package Fixed Fee”) that entitles Customer to a specific number of Expertise On Demand Units (“EOD Units”), all as set forth on the applicable Order Form (“Unit Package”). The total Package Fixed Fee will be invoiced on or about the Order Form Effective Date. Each Expertise on Demand Service will draw down the number of EOD Units listed for that Expertise on Demand Service in the Documentation. Customer will make each request for Expertise on Demand Services in writing as described in the Documentation. Customer may purchase additional EOD Units (“Additional Units”) during the Covered Period. Additional Units must be used during the Covered Period, and are non-cancelable and non-refundable. EOD Units (including Additional Units) may not be used for any Services not listed in the EOD Documentation. Any technology fees and expenses will be invoiced separately as set forth in the Documentation. EOD Units may be used to pay for such expenses.
iii. Updates to Expertise on Demand Services. Customer acknowledges that Google may update the Documentation from time to time, and that the most current version of the Documentation (including listings of Expertise on Demand Services and Unit values) will apply to the Expertise on Demand Services. Notwithstanding the foregoing, Google will notify Customer at least twelve months in advance of discontinuing any Expertise on Demand Service or increasing the number of EOD Units required for any Expertise on Demand Service.
iv. Incident Response Retainer. Subject to the terms governing Consulting Services, Google will provide incident response services (“Incident Response Services”) during the Covered Period, as set forth in the Documentation. Incident Response Services may include:
1. Computer security incident response support.
2. Forensics, log and advanced malware analysis.
3. Advanced threat actor response support.
4. Advanced threat/incident remediation assistance.
e. Training Services
i. Training Services. Subject to any Training Terms, Customer may order Training Services for use in connection with Mandiant products and services. The parties will mutually agree upon delivery dates and location for Training Services. All Training Services (including rescheduled Training Services) must be scheduled and conducted within one year from the date of the Order Form on which the applicable Training Services were purchased.
1. Private Training. Customer will request rescheduling of private Training Services no less than two weeks in advance of the scheduled start date. Google will use reasonable efforts to reschedule Training Services, subject to availability, and Customer will pay any expenses associated with the rescheduling, including changing of travel plans. Customer may not record any aspect of the Training Services.
2. Public Training. If Customer cancels attendance at any public Training Services, Customer will notify Google no later than two (2) weeks before the date of the public Training Services, and Google will issue Customer a credit for the amount paid for the public Training Services. Customer will notify Google of any substitution of a named attendee for public Training Services. Google reserves the right to refuse admittance to public Training Services to any person, for any reason. If Google refuses admittance, Google will refund the amount paid for that person’s public Training Services. Google does not refund or credit Fees paid for attendees who do not attend Training Services or who leave before Training Services conclude. Google reserves the right to cancel public Training Services and provide a refund for any reason. Customer may not record any aspect of the Training Services.
3. On Demand Training. On-demand Training Services must be completed within ninety days from the date of enrollment. Customer may not share or transfer Access credentials for on-demand Training Services.
f. Additional Definitions.
“Background IP” means all Intellectual Property Rights owned or licensed by a party (a) before the effective date of the applicable Order Form or (b) independent of the Services.
“Deliverables” means written reports that are created specifically for Customer as a result of the Consulting Services provided under the Agreement.
“Documentation” means the then-current Mandiant documentation made available by Google to its customers for use with the Services, as provided by Google upon Customer request.
“Google Cloud Privacy Notice” means the then-current Google Cloud Privacy Notice at https://cloud.google.com/terms/cloud-privacy-notice.
“Google Technology” means (a) Google Background IP; (b) all Intellectual Property and know-how applicable to Google products and services; (c) Indicators of Compromise; and (d) tools, code, algorithms, modules, materials, documentation, reports, and technology developed in connection with the Services that have general application to Google’s other customers, including derivatives of and improvements to Google’s Background IP. Google Technology does not include Customer Background IP or Customer Confidential Information.
"Indicators of Compromise" or "Indicators" means specifications of anomalies, configurations, or other conditions that Google can identify within an information technology infrastructure, used by Google in performing the Services.
“Mandiant Consulting Services” or “Consulting Services” means the then-current Mandiant Consulting Services as described at https://cloud.google.com/terms/secops/services or in an applicable Order Form. Mandiant Consulting Services do not include Training Services.
“Mandiant Managed Services” or “Managed Services” means the then-current Mandiant Managed Services as described at https://cloud.google.com/terms/secops/services or in the applicable Order Form.
“Mandiant Solutions” means the then-current Mandiant Solutions as described at https://cloud.google.com/terms/secops/services or in the applicable Order Form.
“Order Form” means an order form, statement of work, or other document issued by Google under the Agreement, including data sheets associated with Services described in the order form, and executed by Customer and Google, specifying the Services Google will provide to Customer.
“Personnel” means a party’s and its Affiliates’ respective directors, officers, employees, agents, and subcontractors.
“SecOps Privacy Notice” means the then-current SecOps Privacy Notice at https://cloud.google.com/terms/secops/privacy-notice.
“Service Data” has the meaning given in the Google Cloud Privacy Notice.
“Services” means the then-current Mandiant Solutions, Mandiant Managed Services, and/or Mandiant Consulting Services, each as described at https://cloud.google.com/terms/secops/services or in the applicable Order Form. Services do not include Training Services.
“Training Services” means education and certification services related to Mandiant products and services for individual users, as more fully described in an applicable Order Form. Training Services do not include Deliverables.
“Training Terms” means the then-current terms applicable to Training Services provided to Customer by Google.
3. Google Threat Intelligence (“GTI”) and VirusTotal
- License Grant. Subject to the terms of the Agreement during the Order Term, Google grants to Customer a worldwide, nontransferable, nonassignable, nonexclusive, revocable, limited license to use the Samples for the exclusive purpose of protecting Customer’s internal business.
- SLAs. During the applicable Order Term, Google will make the Service available in accordance with the Service Level Agreement at www.virustotal.com/go/sla (“SLA”). Other than as expressly provided in the SLA, Google has no obligation to provide Customer with support for any feature of the Services. The SLA states Customer’s sole and exclusive remedy for any failure to meet the standards of the SLA.
- Free Users of VirusTotal. The SLAs and Google’s indemnity do not apply to free users of the Services. Services provided to free users are not covered by TSSG.
- Samples and Community Content Guidelines.
- To the extent Customer contributes any Sample to the Community, Customer confirms that all content contained in the Sample complies with the Agreement and the VirusTotal Privacy Policy, that Customer is either the original owner of the Sample it submits or that it has the necessary rights and permissions to irrevocably contribute the Sample and share it, and information about it, with the Community.
- Customer understands that if it submits any Sample, the Sample is immediately shared for review by Security Partners, and the resulting intelligence report is shared with Customer and with Security Partners, who use the results to improve their own systems. As such, by contributing a Sample, Customer is contributing to the effort to raise global IT security levels.
- While Customer retains any ownership rights in the original material contained in the Sample, when Customer upload or otherwise submits a copy of the Sample, Customer gives Google (and those we work with) a worldwide, royalty free, perpetual, irrevocable and transferable license to use, edit, host, store, reproduce, modify, create derivative works, communicate, publish, publicly perform, publicly display and distribute all content contained in the Sample.
- CUSTOMER FURTHER AGREES THAT IT WILL ONLY UPLOAD SAMPLES THAT IT WISHES TO PUBLICLY SHARE AND THAT IN ANY CASE, CUSTOMER WILL NOT KNOWINGLY SUBMIT ANY SAMPLE TO THE SERVICE THAT CONTAINS CONFIDENTIAL OR COMMERCIALLY SENSITIVE DATA WITHOUT LAWFUL PERMISSION. FURTHER CUSTOMER AGREES THAT IT WILL NOT SUBMIT ANY SAMPLES TO THE SERVICE THAT CONTAIN PERSONAL DATA.
- Although Google has no obligation to monitor use of the Service, user content or any Samples, Google may monitor the Service to detect and prevent fraudulent activity or violations of the Agreement and retain absolute discretion to remove Samples, content or users from the Service at any time and for any reason without notice. At the same time, to promote the security of the Community and information sharing accountability, accounts and Samples contributed by the Community (for example, comments, posts, etc.) generally will not be removed from the Service, unless they are illegal, violate the lawful rights of an individual, serve any other unethical/malicious purpose, or otherwise violate the Agreement.
- IF CUSTOMER DOES NOT WANT TO PUBLICLY SHARE A SAMPLE IN THE MANNER SET OUT IN THE AGREEMENT OR IN THE PRIVACY POLICY, CUSTOMER WILL NOT SEND IT/CONTRIBUTE IT TO THE SERVICE AS THE SERVICE IS DESIGNED TO WORK THROUGH THE COLLECTIVE AGGREGATION AND SHARING OF THREAT-INTELLIGENCE WITH AND THROUGH THE COMMUNITY.
- Changes in the Services and/or the Site.
- Notwithstanding anything to the contrary in the Agreement, the Service provided by Google is constantly evolving, and the form and nature of the Service that Google provides, including the Site, may change from time to time without prior notice to Customer. Any changes to the Service and the Site, including the release of new Service features, may be subject to additional terms communicated to Customer. In addition, Google may stop (permanently or temporarily) providing the Service or the Site (or any features within the Service) without providing prior notice. Google also retains the right to create limits on Customer’s use of the Service including storage, at Google’s sole discretion, at any time without prior notice to Customer.
- Restrictions.
Customer will not: (a) sublicense, distribute, publicly perform or display, or otherwise share or make accessible, directly or indirectly, any Samples, datafeed, metadata or results from the Services, including without limitation, any API or interface, or portions thereof, to any third party; (b) use the Service to develop, offer, support or enhance products and services competitive with those of Google or its Affiliates.
Customer also agrees that it will not use or attempt to:
- Obtain or use any Samples except as specifically permitted by the Service or use or attempt to use the Service to mine information in any way that could identify individual persons in their private capacity, attempt to access or misappropriate content contained in any Sample, or otherwise use the Service or Samples for any purpose other than to detect and prevent malware in a non-commercial personal or organizational capacity.
- Publicly attribute the intelligence Customer receives through the Service to any Security Partner (including, but not limited to any antivirus vendors, URL scanning engines, file characterization tools, etc.) without the individual Security Partner’s express permission.
- Browser Extension. If you access the Services through a VirusTotal browser extension, we will collect information about how domain names you visit are resolved. Passive Domain Name System Information (“pDNS”) data consists of domain names that your browser requests, along with the IP address resolutions for such domain names. We will make this pDNS data available through the Services to enable members of the Community to better detect malicious domains that might be hosted on a server (contacted on a given IP address) controlled by an attacker. Collected pDNS data is distinct from browsing history and is never tied to a user or used to identify an individual. Existing users of a VirusTotal browser extension will need to opt-in to share pDNS data with the Community. Users downloading the VT extension for the first time may opt-out of this collection in the VirusTotal browser extension’s settings.
- Additional Definitions.
- “Community” means a member of the public, an AV, scanning, sandbox or other Security Partners, security-minded organizations and other licensed users of the Service.
- “Documentation” means the then-current VirusTotal documentation made available by Google to its customers for use with the Services for VirusTotal at https://docs.virustotal.com/ and for GTI at https://gtidocs.virustotal.com/.
- “Samples” means security-related objects and artifacts, which include executable and non-executable files uploaded to or scanned or analyzed by tools on the Site by users of the Service, including associated metadata, comments and/or posts made available to users through the Service. For the avoidance of doubt, Samples is not Customer Data.
- “Site” means the site located at virustotal.com and all associated controlled and VirusTotal branded sites linked from virustotal.com by Google and its Affiliates.
- “Security Partners” means members of the public, an antivirus, scanning, sandbox or other security partner who are using and contributing Samples to the Service.