OTAVA SECURITY SERVICES – PRODUCT TERMS OF USE

Last revised: 07/10/23

1. GENERAL

These Otava Security Services – Product Terms of Use (“Product Terms”) are entered into by and between Otava, LLC (“Otava”) and the Client on the effective date set forth on the Sales Order (“Effective Date”). Client understands that these Product Terms are legally binding upon Client where Client’s Sales Order includes Otava Security Services as a line item, and Client agrees to be bound thereby. These Product Terms are in addition to any Master Agreement entered into by Client and Otava and are not intended to replace any such Master Agreement unless otherwise specifically agreed to in writing by Parties. Otava and Client are referred to herein collectively, as the “Parties” and individually, each a “Party.” The following exhibits are attached hereto and are hereby made part of these Product Terms:

(a)         Exhibit A – RACI Matrixes

  • (i) Exhibit A-1 – RACI Matrix for Otava Managed Worry-Free for Endpoints (Section 3.2)
  • (ii) Exhibit A-2 – RACI Matrix for Otava Managed Deep Security for Servers (Section 3.3)
  • (iii) Exhibit A-3 – RACI Matrix for Otava Managed Email Security (Section 3.4)
  • (iv) Exhibit A-4 – RACI Matrix for Otava Managed Vulnerability Scanning (Section 3.5)
  • (v) Exhibit A-5 – RACI Matrix for Otava Managed SIEM (Section 3.6)
  • (vi) Exhibit A-6 – RACI Matrix for Otava SOC (Section 3.7)

(b)        Exhibit B – Additional Terms for Older MSAs

2. DEFINITIONS

2.1. “Agreement” means the Master Agreement, as applicable, entered into between Parties, together with these Product Terms, Statements of Work, if any, and all product-specific terms linked to or referenced in the Agreement.
2.2. “Client Personnel” means, collectively and individually, employees, agents, contractors, subcontractors, service providers, and Authorized Contacts. Client Personnel does not include Otava.
2.3. “Deep Security Covered Assets” means those certain servers, virtual machines, and other assets that are In-Scope Assets for Deep Security® services.
2.4. “Force Majeure Event” means any occurrence beyond its commercially reasonable control or contingency beyond its commercially reasonable control, including but not limited to, acts of God, earthquake, labor disputes and strikes, riots, war, or governmental requirements.
2.5. “In-Scope Asset” means that certain endpoint device, hardware, server, or other asset that is listed on a Sales Order as an in-scope asset for the relevant Otava Security Services.
2.6. “Master Agreement” means The General Terms of Sale, the Master Service Agreement, or the Master Terms, as applicable, entered into between Parties.
2.7. “Minimum Asset Requirements” means, collectively and individually, (a) the relevant asset is not end of life; (b) the relevant asset is under a then-current support contract from the applicable Third-Party Vendor and, if applicable in light of the Otava Security Services purchased by Client, Client has authorized Otava to use such support contract in connection with such Otava Security Services; and (c) the relevant asset is on Otava’s then-current list of assets eligible for Otava Security Services.
2.8. “Minimum Commitment” means Client’s commitment to pay a minimum charge for the Services, regardless of actual usage or other factors.
2.9. “Otava Cloud” means the infrastructure-as-a-service infrastructure that is controlled and maintained by Otava and which Otava uses to deliver the Otava Security Services. Otava Cloud does not include any equipment, hardware, or software that operates outside of Otava’s premises.
2.10. “Otava Security Services” means those of the following Services that are listed on a Sales Order as a line item: (a) Otava Managed Worry-Free for Endpoints, (b) Otava Managed Deep Security for Servers, (c) Otava Managed Email Security, (d) Otava Managed Vulnerability Scanning, (e) Otava Managed SIEM, and (f) Otava SOC.
2.11. “Portal” means that certain web-based portal that Otava may make available to Client to access and manage the Services, including adding user roles, purchasing additional Services, and submitting service tickets.
2.12. “RACI Matrix” means that certain matrix for the relevant Otava Security Services that identifies the tasks and deliverables for which Client, Otava, or a third party is responsible, accountable, consulted, or informed, and which is attached hereto as Exhibit A.
2.13. “RMM” means remote monitoring and management.
2.14. “RMM System” means that certain remote monitoring software, that certain remote management software, and that certain hardware used by Otava to provide the Otava Security Services.
2.15. “Sales Order” means a separately executed document that describes the Services to be performed by Otava and includes any Services additions, changes, deletions, or modifications made by Client via the Portal. Sales Order also includes those quotes and SOWs signed by an authorized representative of each Party.
2.16. “Services” means the services purchased by Client from Otava as set forth in one or more Sales Orders.
2.17. “SIEM” means that certain security information and event management service.
2.18. “SIEM Covered Assets” means those certain servers, virtual machines, workstations, and other assets that are In-Scope Assets for SIEM services.
2.19. “SOC Covered Assets” means those certain servers, virtual machines, workstations, and other assets that are In-Scope Assets for SOC services.
2.20. “Third Party Product Software Agent” means that certain remote software agent used by Otava to provide certain Otava Security Services and made available together with the relevant Otava Security Service without a separate RMM Fee.
2.21. “Trend Micro EULA” means those certain terms and conditions and supplemental terms and conditions set forth at https://www.trendmicro.com/en_us/about/legal.html, as such terms and conditions and website url may be amended by Trend Micro from time to time, including, without limitation, (a) the Global Business Software and Appliance Agreement; and (b) Terms of Service for Trend Micro Cloud Services.
2.22. “Vulnerability Scanning Assets” means those certain servers, virtual machines, workstations, and other assets that are In-Scope Assets for vulnerability scanning services.
2.23. “Worry-Free Covered Assets” means those certain servers, virtual machines, workstations, and other assets that are In-Scope Assets for Worry-Free™ services.

3. SERVICES

3.1. General Requirements. The terms in this Section 3.1 apply to all Otava Security Services and are in addition to any Services specific terms that may be set forth in these Product Terms for specific Otava Security Services, provided that such additional terms will be limited to the specific Otava Security Service referenced in the relevant section. Further, terms in this Section 3.1 are in addition to the Otava Security Services exclusions and limitations set forth in Section 4.1 (Security Services Exclusions and Limitations). Client agrees and understands that:

(a)         Use of certain Otava Security Services may require Client to purchase licenses to the RMM System, which licenses fees (“RMM Fee”) are in addition to the fees for the Otava Security Services. Client understands that the software for the remote monitoring component of the RMM System may be the same or different from the software for the remote management component of the RMM System and each software component may have its own RMM Fee.

(b)        Use of the Otava Security Services may require installation of the RMM System as well as the Third‑Party Product Software Agent in Client’s environment. The RMM System may include both an RMM software agent and hardware. Subject to Client’s payment of the applicable fee, Otava will provide Client with access to the RMM software agent and, if needed, the accompanying hardware. To the extent an Otava Security Service requires installation of a Third‑Party Product Software Agent, the underlying Otava Security Service fee includes the relevant fee for the Third‑Party Product Software Agent. Client will, at its sole cost and expense, provide the RMM System and the Third‑Party Product Software Agent with a sufficient level of access rights to permit for the proper functioning of each of the RMM System and the Third‑Party Product Software Agent. Further, Client will use the license keys issued by Otava for the relevant Otava Security Service deployments, as applicable in light of the Otava Security Services purchased. Client agrees that Otava will have access to Third-Party overview and reporting system.

(c)         Client will, at its sole cost and expense, provide Otava with a sufficient level of access rights to permit Otava to perform the applicable Otava Security Services, including, as applicable, to monitor and manage the RMM System and Third‑Party Product Software Agent. If Otava requires access credentials to Client’s environment or resources (“Otava Designated Credentials”) to perform the applicable Otava Security Services, Client will, at its sole cost and expense, provide Otava with such access credentials and such access credentials will be unique to Otava. Client will either exempt the Otava Designated Credentials (including, without limitation, those assigned to the RMM System or the Third‑Party Product Software Agent) from Client’s password reset policy or otherwise coordinate any such password reset with Otava as required by Otava to permit Otava to timely perform the Otava Security Services.

(d)        As between the Parties, Client is in the best position to know the assets in Client’s environment and the assets Client requires be in scope to receive the relevant Otava Security Services. Accordingly, Client will provide Otava with prompt written notice via a service ticket of any changes to Client’s assets and Client will expressly identify which assets are in‑scope and out-of-scope for the Otava Security Services. Client understands that the RMM System may automatically identify assets added to Client’s environment and (i) Client will be billed the RMM Fee for all assets in the RMM System as of the date the RMM System adds the assets, unless Client has provided and until Client provides Otava with written notice via a service ticket that such added assets are out-of-scope; and (ii) Otava will deem all such added assets as out-of-scope for purposes of the Otava Security Services unless Client has provided Otava with written notice via a service ticket that such added assets are in‑scope for the Otava Security Services and the Parties have executed a Sales Order for such added assets. Upon execution of such Sales Order, the relevant added assets will become In-Scope Assets. Client agrees that, for purposes of the asset count for calculating the RMM Fee, the RMM System will serve as the source of truth. Upon Client’s written request via a service ticket, Otava will promptly provide Client with a list of the assets captured by the RMM System.

(e)         Otava Security Services are only available for those assets that meet the Minimum Asset Requirements when such assets are added as In-Scope Assets. Nothing in the immediately preceding sentence will be interpreted to limit Otava’s right to charge the RMM Fee.

(f)          Client must provide Otava with prompt written notice via a service ticket of any changes to Client’s infrastructure (whether on-premise or otherwise) that may impact Otava’s ability to perform the Otava Security Services, including, without limitation, adversely impact the functionality of the RMM System or the Third‑Party Product Software Agent.

(g)        Unless otherwise expressly provided in a Sales Order, all Otava Security Services are provided remotely and Otava will have no obligation to perform Otava Security Services on-site at Client’s premises. Client agrees that Client Personnel assigned to work with Otava will be sufficiently knowledgeable and technically skilled to permit Otava to timely complete the Otava Security Services related tasks that require assistance from the assigned Client Personnel.

(h)        Otava will have no obligation to provide services to and Otava Security Services do not extend to (i) hardware or any other devices that are personally owned by the individual; (ii) cell phones or tablets, whether owned or leased by Client, the individual, or another third party; or (iii) laptops owned or leased by Client, except for those laptops that Client expressly designates in writing via a service ticket as a workstation and an In‑Scope Asset.

(i)          Client is solely responsible for providing Otava with written notice via a service ticket that a user needs to be removed from, such user’s access rights must be suspended in, or such user’s role must be otherwise modified in connection with the Otava Security Services.

(j)          Certain alerts sent as part of the Otava Security Services may be sent directly to Client via automated systems, without filtering by Otava, and Client is responsible for monitoring such alerts and escalating relevant issues to Otava by submitting a service ticket.

3.2. Otava Managed Worry-Free for Endpoints. The terms of this Section 3.2 apply only if Client’s Sales Order includes Otava Managed Worry-Free™ for Endpoints or Trend Micro™ Worry-Free as a line item. Otava will provide Client with those certain deliverables with respect to and perform those certain tasks for the Worry-Free Covered Assets (a) that are expressly enumerated in the Otava Managed Worry-Free for Endpoints RACI Matrix attached hereto as Exhibit A-1, and (b) where Otava is designated as being either “Responsible” or “Accountable” (collectively, the “Otava Managed Worry-Free”, which will be deemed a “Service”). The Otava Managed Worry-Free services include Otava creating certain standard policies for the Worry-Free services and applying them at the organization level for the Worry-Free Covered Assets.

3.3. Otava Managed Deep Security for Servers. The terms of this Section 3.3 apply only if Client’s Sales Order includes Otava Managed Deep Security for Servers or Trend Micro Deep Security as a line item. Otava will provide Client with those certain deliverables with respect to and perform those certain tasks for the Deep Security Covered Assets (a) that are expressly enumerated in the Otava Managed Deep Security for Servers RACI Matrix attached hereto as Exhibit A-2, and (b) where Otava is designated as being either “Responsible” or “Accountable” (collectively, the “Otava Managed Deep Security”, which will be deemed a “Service”). The Otava Managed Deep Security services include: (a) Otava creating certain standard policies for the Otava Managed Deep Security services and applying them at the organization level for the Deep Security Covered Assets; (b) if Client’s Otava Managed Deep Security services include file integrity monitoring, (i) Otava applying a standard template file monitoring definition based on Trend Micro’s recommendations, and (ii) Client identifying any additional files to be monitored and providing Otava with written notice via a service ticket that such files must be added for file integrity monitoring; and (c) if Client’s Otava Managed Deep Security services include log review, (i) Otava applying a standard template for log review definitions based on Trend Micro’s recommendations, and (ii) Client identifying any additional files to be monitored and providing Otava with written notice via a service ticket that such files must be added for log review.

3.4. Otava Managed Email Security. The terms of this Section 3.4 apply only if Client’s Sales Order includes Otava Managed Email Security, Trend Micro Email Security, or Trend Micro Email Security Advanced as a line item. Otava will provide Client with those certain deliverables with respect to and perform those certain tasks (a) that are expressly enumerated in the Otava Managed Email Security RACI Matrix attached hereto as Exhibit A-3, and (b) where Otava is designated as being either “Responsible” or “Accountable” (collectively, the “Otava Managed Email Security”, which will be deemed a “Service”). The Otava Managed Email Security services include Otava applying a standard template for email security definition based on Trend Micro’s recommendations to the domain that Client uses for email. Client understands that Sender Policy Framework (SPF) checking and DomainKeys Identified Mail (DKIM) verification cannot be configured without the cooperation of Client or, if applicable, Client’s domain registrar or webmaster. Notwithstanding anything to the contrary in the Otava Managed Email Security RACI Matrix, (i) if Client’s Otava Managed Email Security services include XDR, then Client is responsible for installing the relevant local plugin or another Third Party Product Software Agent for XDR; and (ii) if Client’s Otava Managed Email Security services include the Data Loss Prevention module and Client uses Microsoft Office 365 or Microsoft 365, then Client is responsible for applying the security keys in the administrative control portal of such Microsoft environment.

3.5. Otava Managed Vulnerability Scanning. The terms of this Section 3.5 apply only if Client’s Sales Order includes Otava Managed Vulnerability Scanning as a line item. Otava will provide Client with those certain deliverables with respect to and perform those certain tasks for the Vulnerability Scanning Assets (a) that are expressly enumerated in the Otava Managed Vulnerability Scanning RACI Matrix attached hereto as Exhibit A-4, and (b) where Otava is designated as being either “Responsible” or “Accountable” (collectively, the “Otava Managed Vulnerability Scanning”, which will be deemed a “Service”). In performing the Otava Managed Vulnerability Scanning Services, Otava will scan Vulnerability Scanning Assets on the schedule set forth in the Sales Order (i.e., daily, monthly, or quarterly), and if no schedule is set forth, then monthly. Client understands that any changes to the frequency of scans may result in Client paying an additional fee. Unless otherwise set forth in the Sales Order, Otava Managed Vulnerability Scanning Services are limited to internal vulnerability scans only. Otava will provide Client with a report that lists and describes the identified vulnerabilities on the schedule set forth in the Sales Order (i.e., daily, monthly, or quarterly), and if no schedule is set forth, then monthly.

3.6. Otava Managed SIEM. The terms of this Section 3.6 apply only if Client’s Sales Order includes Otava Managed SIEM as a line item. Otava will provide Client with those certain deliverables with respect to and perform those certain tasks for the SIEM Covered Assets (a) that are expressly enumerated in the Otava Managed SIEM RACI Matrix attached hereto as Exhibit A-5, and (b) where Otava is designated as being either “Responsible” or “Accountable” (collectively, the “Otava Managed SIEM”, which will be deemed a “Service”). In performing the Otava Managed SIEM services, Otava will collect logs from the SIEM Covered Assets. Client understands that performance of the Otava Managed SIEM services requires the installation of the Third Party Product Software Agent for the SIEM in Client’s environment. Further, Client understands that certain deployments of the Otava Managed SIEM Services will require that Client use a SIEM central collector (“SIEM Hardware”), together with such Third Party Product Software Agent. Subject to Client’s payment of the applicable fee, Otava will provide Client with access to the Third Party Product Software Agent and, if needed, the SIEM Hardware. Client will at its sole cost and expense, (a) provide the Third Party Product Software Agent and, if applicable, the SIEM Hardware, with a sufficient level of access rights to permit for the proper functioning of each of the Third Party Product Software Agent and the SIEM Hardware; and (b) if applicable and if the SIEM Hardware is to be installed at a Client location, sufficiently suitable space for the SIEM Hardware (including, without limitation, space that is of sufficient size, has sufficient bandwidth and power, is properly cooled and secured, and the like).

3.7. Otava SOC. The terms in this Section 3.7 apply only if Client’s Sales Order includes Otava SOC as a line item. Otava will provide Client with those certain deliverables with respect to and perform those certain tasks for the SOC Covered Assets (a) that are expressly enumerated in the Otava SOC RACI Matrix attached hereto as Exhibit A-6, and (b) where Otava is designated as being either “Responsible” or “Accountable” (collectively, the “Otava SOC”, which will be deemed a “Service”). The Otava SOC Service includes machine learning anomaly detection (“MLAD”), which involves use of artificial intelligence to detect abnormal behavior of users and SOC Covered Assets. Client understands that (i) use of MLAD requires Client to purchase and maintain Otava Managed SIEM; (ii) MLAD jobs are created only against the data sources being ingested into the Otava Managed SIEM; (iii) updates or other changes by a Third-Party Vendor may adversely impact the SIEM’s ability to ingest required data; and (iv) use of MLAD does not guarantee that all anomalous behavior will be detected or that behavior that is identified as anomalous is actually anomalous. The Otava SOC service includes purple teaming, which involves launching controlled tests against certain detection rules created as part of the Otava Security Services (or against such other detection rules as the Parties may agree on via a service ticket) to validate that such detection rules operate as expected. Client understands that such validation is limited to the time when the test is performed and that the on-going operation of detection rules may be impacted by, without limitation, Third-Party Vendor software updates and integration with Third-Party Products.

4. ADDITIONAL SERVICE TERMS

4.1. Security Services Exclusions and Limitations. THE DISCLAIMERS AND LIMITATIONS IN THIS SECTION 4.1 ARE IN ADDITION TO AND NOT IN LIEU OF ANY DISCLAIMERS AND LIMITATIONS SET FORTH IN THE AGREEMENT OR OTHER PARTS OF THESE PRODUCT TERMS. Without limiting the generality of the immediately preceding sentence, Client agrees and understands that:

(a)         The services that are in-scope for Otava Security Services are limited to those that are (i) expressly enumerated (1) in these Product Terms for the relevant Otava Security Services, or (2) in a relevant Sales Order as included within the relevant Otava Security Services; and (ii) purchased by Client as indicated by the relevant Otava Security Services being listed as a line item in the Sales Order. All other services are out‑of‑scope for purposes of Otava Security Services, including, without limitation, the following: (A) professional services, including those that would be required to perform proof of concept testing, staging, or migration into production; (B) training of Client Personnel; and (C) maintenance, support, and troubleshooting of Client’s applications (including, without limitation, application configuration and network problems caused by the application). For the avoidance of doubt, as used herein, Client’s applications does not include the RMM System. Further, Client understands that Otava’s monitoring services are limited to alert management of automated alerts.

(b)        Subject to Client paying the applicable fees as further set forth in Section 5 (Fees), Otava may provide Client with certain out‑of‑scope services, provided that (i) Otava performing such services does not bring such services in‑scope for Otava Security Services; and (ii) Otava may decline to perform such out‑of‑scope services at any time at Otava’s sole discretion.

(c)         Otava’s obligation to perform the Otava Security Services or a component thereof will be limited to the extent that Otava’s ability to perform is limited or adversely impacted by:

  • (i) actions or inactions of Client or Client Personnel, including, without limitation (1) disabling or otherwise compromising or interfering with the functionality of the RMM System, the Third‑Party Product Software Agent, the SIEM Hardware, or any component of any of the foregoing, including updates thereto and maintenance thereof; (2) disabling the Otava Designated Credentials, including, without limitation, by making changes to group policies or the registry; (3) failing to provide Otava with a list of the In-Scope Assets or making changes to the In-Scope Assets without timely notice to Otava via service ticket or in a manner that is either inconsistent with Otava’s existing documentation for Client or is not documented in Otava’s existing documentation for Client; (4) failing to provide Otava with a sufficient level of access rights (including, as applicable, local administrator access) to permit Otava to perform the relevant Otava Security Services; (5) failing to provide Otava with access to the relevant Client Systems or rebooting such Client Systems or components thereof; (6) using shared access credentials; (7) making changes to the Client Systems or other Client infrastructure, including, without limitation, adding additional assets, or changing the policies Otava created for the Otava Managed Worry-Free, Otava Managed Deep Security, or Otava Managed Email Security; (8) using software, hardware, and other assets not supported by or compatible with applications used by Otava to perform the Otava Security Services (including, without limitation, the RMM System, the SIEM Hardware, or the Third‑Party Product Software Agent); (9) using unsupported or end of life software or hardware or failing to upgrade to or permit an upgrade to supported software and hardware; or (10) exceeding capacity limitations or restrictions;
  • (ii) equipment, software, or other infrastructure (1) that is managed by Client (such as Client’s on-premise environment), a Client vendor (other than Otava), or a third party (such as Microsoft® with respect to Microsoft Azure® services, Client’s asset vendors including those from whom data is ingested into the Otava Managed SIEM service, Internet service providers, or Client’s landlord or building or office maintenance); (2) that is outside the direct control of Otava; or (3) that was developed by a third party, even if managed or monitored by Otava (such as Trend Micro’s Deep Security);
  • (iii) Client suspension due to violations of the Acceptable Use Policy, billing issues, or such other reasons as expressly permitted under the Agreement, or Client’s breach of applicable Third-Party EULA terms (such as Trend Micro’s terms for Deep Security or Worry-Free);
  • (iv) DNS issues outside of the direct control of Otava, factors outside of the commercially reasonable control of Otava, including, without limitation, Internet access or related problems beyond the Otava Network Demarcation Point (such as DDoS attacks), or a Force Majeure Event; or
  • (v) changes made by Otava at the express request or instruction of Client.

(d)        By purchasing the Otava Security Services, Client hereby agrees to and will comply with, as applicable based on the Otava Security Services purchased, the Trend Micro EULA. A reference in these Product Terms or the Agreement to Third‑Party EULA includes a reference to the Trend Micro EULA. Client understands that the Trend Micro EULA only applies to Trend Micro products and not to any other Services delivered by Otava. Otava will have no liability for and hereby expressly disclaims any responsibility for any component of the Trend Micro products and services (including, as applicable, the Third‑Party Product Software Agent and any service level obligations of Trend Micro), except and solely to the extent set forth in these Product Terms or the applicable Sales Order. Otava’s service level obligations for the Otava Security Services are set forth in Otava Service Level Agreement, except that the service level obligations, if any, for Trend Micro are set forth in the Trend Micro EULA and Otava will have no liability therefor. Client agrees to take the time to understand the scope and use of the Client Data collected by Trend Micro, and the configurations available for optional features, if any, and will ensure that Client has obtained all third‑party consents to permit such uses.

(e)         As between Client and Otava, (i) Client will be responsible for all acts and omissions of the Client Personnel; and (ii) Client will cause the Client Personnel to comply with the applicable provisions of the Agreement and applicable Third‑Party EULA terms. Further, Client agrees and understands that a breach of the Third‑Party EULA by Client or the Client Personnel will be a material breach of the Agreement.

(f)          Otava is not responsible or liable for the quality of and does not independently test any patches that may be identified on a relevant RACI Matrix. Further, (i) patches may, from time to time, interfere with the functions and functionality of applications (including those they are intended to patch) and other services running or installed in the Client Systems or other infrastructure; and (ii) patches are pushed out by automated tools and while Otava will use commercially reasonable efforts to monitor such tools, such tools may periodically fail, and Otava will have no liability with respect to any such failures.

(g)        Otava reserves the right to reject an Otava Security Services-related change requested by Client. A requested change may be rejected because, without limitation, an asset is out‑of‑scope, the change may cause incompatibility issues, the change may cause compliance issues, or the change is not supported by the vendor device. In the event Otava rejects a change requested by Client, Otava will promptly provide Client with a written explanation, and the Parties will reasonably cooperate to determine an appropriate accommodation, as needed.

(h)        Client may not disable or otherwise interfere with the operations of the RMM System, the SIEM Hardware, or the Third‑Party Product Software Agent, including, without limitation, by blocking updates thereto. Client understands that disabling the RMM System, the SIEM Hardware, the Third‑Party Product Software Agent, or the Otava Designated Credentials does not terminate the Otava Security Services and does not serve as notice of termination to Otava. The Otava Security Services must be terminated in accordance with the Agreement. Client agrees and understands that Client may not access or use the RMM System, the SIEM Hardware, the Third‑Party Product Software Agent, or any other Third‑Party Products for purposes of monitoring their availability, performance, or functionality, unless (i) permitted to do so in the Third‑Party EULA or another contract between Client and the relevant Third-Party Vendor; or (ii) such monitoring is a function of the relevant Third-Party Product and Client is using the function merely as designed and expected. Further, Client agrees and understands that Client may not access or use the RMM System, the SIEM Hardware, the Third‑Party Product Software Agent, or any other Third-Party Products for purposes of benchmarking or competitive purposes, unless permitted to do so in the Third-Party EULA or another contract between Client and the relevant Third-Party Vendor.

(i)          OTAVA DOES NOT GUARANTEE OR OTHERWISE REPRESENT OR WARRANT THAT THE OTAVA SECURITY SERVICES, OR OTAVA’S OR A THIRD‑PARTY VENDOR’S RECOMMENDATIONS, CHANGES, PLANS, OR UPDATES AS A RESULT OF THE OTAVA SECURITY SERVICES, WILL (a) RESULT IN THE IDENTIFICATION, DETECTION, CONTAINMENT, ERADICATION OF, OR RECOVERY FROM ALL THREATS, VULNERABILITIES, COMPROMISES, INTRUSIONS, MALICIOUS SOFTWARE, MALWARE, OR ANY OTHER UNAUTHORIZED ACTIVITY, WHETHER INTERNAL OR EXTERNAL, ON CLIENT SYSTEMS, IN CLIENT’S ENVIRONMENT, OR OTHER TECHNOLOGIES USED BY CLIENT OR THE CLIENT PERSONNEL; OR (b) RENDER CLIENT’S NETWORK OR THE CLIENT SYSTEMS SECURE OR INVULNERABLE TO SECURITY INCIDENTS OR VULNERABILITIES. CLIENT WILL NOT REPRESENT TO ANYONE THAT OTAVA OR A THIRD‑PARTY VENDOR HAS PROVIDED SUCH A GUARANTEE OR WARRANTY.

4.2. Interoperability. Client understands and acknowledges that Otava uses Third-Party Products to perform and deliver the Otava Security Services. Otava did not create or design such Third-Party Products and, accordingly, Client agrees that Otava will not be liable for any defects, flaws, inefficiencies, malfunctions, or programming errors in any such Third Party Products, including, without limitation, any bugs in the RMM System, the SIEM Hardware, or the SIEM software. The Third-Party Vendor may change and remove features and functions of the Third Party Products and (a) Client will not be entitled to any refund, credit, or other compensation as a result thereof; (b) Otava may cease providing Otava Security Services features or functions as a result of such Third-Party Vendor changes and Client will not be entitled to any refund, credit, or other compensation as a result thereof; and (c) Otava will not be liable for any such changes or removals or any issues arising therefrom or as a result thereof.

4.3. Trademarks and No Affiliation. TrendMicro® and Worry-Free™ are trademarks of Trend Micro Incorporated and Deep Security® is a trademark of Trend Micro Kabushiki Kaisha Corporation. Otava is not affiliated with or sponsored by any of the foregoing trademark holders and the Otava Security Services are not authorized, approved, or co-branded by any of such parties. Nothing in these Product Terms grants Client the right to use any of the Third Party Products marks. All other trademarks are the property of their respective owners.

5. OTHER FEES

In addition to the fees set forth in the Sales Order for the applicable Otava Security Services, Client understands and agrees that fees paid for Otava Security Services do not cover any of and, except to the extent covered by another Sales Order between the Parties, Otava may charge Client additional fees for: (a) technical support services for out of scope services, including, without limitation, support for applications (including, without limitation, software packages, add-ons, and APIs, whether they are installed on premise or an Otava cloud environment), training, and troubleshooting Client systems, as well as those assets and services that are determined to be out of scope while performing in scope Otava security services; (b) technical support services to the extent the relevant issue was caused by Client, Client personnel, Client Data, or Client systems including, without limitation, for assisting Client to restore data from the services environment in the event Client suffers a ransomware event, and break/fix for a networking or group policy change made by Client or Client Personnel; (c) technical support services to the extent the relevant issue was caused by a deliverable or task (or the related software, hardware, or other assets or services) where a RACI matrix designates Client as being either “responsible” or “accountable”, except to the extent Otava is also designated as being either “responsible” or “accountable”; (d) professional services, including those that would be required to perform proof of concept testing; staging; migration into production; re-configuring resources in accordance with Client’s written request; integration of newly acquired or introduced hardware, software, or networks, or with other formerly non-existent third party resources; (e) any other services that Otava provides (including, without limitation, additional bandwidth, services at other Otava data centers, third-party software licenses, and so forth) and that are not expressly identified as a line item in the Otava Security Services Sales Order or as a line item in another Sales Order in effect between the Parties; (f) equipment, hardware, and parts, except for those purchased by Otava for the Otava Cloud; (g) licensing, software, and software assurance, including renewals and upgrades; (h) courier services, shipping and handling, packaging, and postage; (i) support and services provided by Third Party Vendors, original equipment manufacturer, and other manufacturers; (j) services performed on Client’s premises; and (k) travel, travel time, gas or gas mileage, food, per diem, and accommodations, when applicable, when visiting Client’s premises or any other third party site on Client’s behalf. Unless otherwise set forth in a Sales Order for the relevant Otava Security Services, (1) all such additional fees will be charged to Client at Otava’s then current rates for the relevant services and in the manner generally charged (e.g., per license, based on consumption, direct pass through, and so forth); and (2) any technical support services provided by Otava for out of scope services will be provided on a time and materials basis at Otava’s then current service rates.

6. OBLIGATIONS UPON TERMINATION

In the event these Product Terms expire or are terminated for any reason, in addition to each Party’s obligations under the Agreement, (a) Client agrees and understands that unless otherwise expressly provided by the relevant Third-Party Vendor or on a Third Party EULA or another Sales Order or Addendum then in effect between the Parties, Client’s right, if any, to use the Third Party Products made available to Client as part of the Otava Security Services will automatically expire and Client will, accordingly, cease all use of the applicable Third Party Products, including the RMM System, the SIEM Hardware, and the Third Party Product Software Agent; (b) except to the extent required for another Sales Order or Addendum then in effect between the Parties, Client will promptly return to Otava the RMM hardware and the SIEM Hardware, if any, and if Otava does not receive such hardware within 15 days (or such longer period as mutually agreed by the Parties via a service ticket) of the termination of the relevant Otava Security Services, then Otava may invoice Client and Client will pay the replacement cost for such hardware; and (c) if the Otava Security Services component that is expiring or is being terminated is the Otava Managed SIEM, then, notwithstanding anything to the contrary in the Agreement, (i) if Client desires to have certain SIEM log data transferred to Client or another Client vendor, Client must (1) provide Otava with written notice via a service ticket on or before the expiration or termination date (“SIEM Data Transfer Notice Date”); (2) at Client’s sole cost and expense (including, if applicable, overage charges), provide Otava with either a mutually agreeable external online storage location for Otava to transmit the data to, or provide Otava with a NAS device or such other device for storage and comply with Otava’s storage device mail handling requirements (which may include, without limitation, making a Client designated individual available to personally receive and sign for the device); and (3) Otava may delete the data in accordance with Otava’s normal business practices and policies but, in any event, no less than 30 days, from when Otava completed the transfer to the external online storage location or from when Client received the returned storage device according to the delivery confirmation, provided that Client may request in writing via a service ticket that Otava delete the data earlier than 30 days and Otava may, at its option, request that Client complete a SIEM log data deletion authorization form; or (ii) if Otava does not receive the SIEM log data transfer notice by the SIEM Data Transfer Notice Date, then Otava will delete the data in accordance with Otava’s normal business practices and policies.

7. GENERAL TERMS

The provisions of Sections 4.1(d) (Security Services Exclusions and Limitations, Third Party EULA), 4.1(e) (Security Services Exclusions and Limitations, end users), 4.1(i) (Security Services Exclusions and Limitations, disclaimer), 5 (Additional Fees), 6 (Obligations Upon Termination), and 7 (General Terms) will survive the termination or expiration of these Product Terms until any obligations arising prior to such termination have been satisfied in accordance with the applicable terms.

EXHIBIT A-1 – RACI MATRIX FOR OTAVA MANAGED WORRY-FREE FOR ENDPOINTS (SECTION 3.2)

 


EXHIBIT A-2 – RACI MATRIX FOR OTAVA MANAGED DEEP SECURITY FOR SERVERS (SECTION 3.3)


EXHIBIT A-3 – RACI MATRIX FOR OTAVA MANAGED EMAIL SECURITY (SECTION 3.4)


EXHIBIT A-4 – RACI MATRIX FOR OTAVA MANAGED VULNERABILITY SCANNING (SECTION 3.5)


EXHIBIT A-5 – RACI MATRIX FOR OTAVA MANAGED SIEM (SECTION 3.6)

 


EXHIBIT A-6 – RACI MATRIX FOR OTAVA MANAGED SOC (SECTION 3.7)


EXHIBIT B – ADDITIONAL TERMS FOR OLDER MSAS

 

1. GENERAL

The terms in this Additional Terms for Older MSAs Exhibit (“Exhibit”) supplement and are made part of the Otava Security Services – Product Terms of Use to which this Exhibit is attached only if the Parties entered into an MSA on or before July 1, 2022 or the version of the MSA in effect between the Parties as of the Product Terms Effective Date is an MSA prior to version 2022-2.0. Capitalized terms used in but not otherwise defined in this Exhibit will have the meaning attributed to such terms in the Product Terms.

2. DEFINITIONS

2.1. “Addenda” means collectively all executed Sales Orders and all applicable addenda or product specific terms linked to or referenced in the Agreement, a Sales Order, or subsequently agreed to by the Parties (each an “Addendum”).
2.2. “Administrator Data” means the information provided to Otava or otherwise received by Otava during sign up, purchase, or administration of the Services for Client. Administrator Data does not include Client Data, Feedback, or Usage Data.
2.3. “Authorized Contact” has the meaning attributed to such term in the MSA, and if not defined, then has the meaning set forth in Section 3.1 (Contacts).
2.4. “Billing Start Date” has the meaning attributed to such term in the MSA, and if not defined, then means the earlier of (a) the date Otava makes the applicable Service(s) available to Client for Client’s use, or (b) 30 days after executing a Sales Order.
2.5. “Client Data” means the data, information, and materials that Client stores, transmits through, or uploads into the application layer of the Services.
2.6. “Client Personnel” has the meaning attributed to such term in the MSA, and if not defined, then means, collectively and individually, employees, agents, contractors, subcontractors, service providers, and Authorized Contacts. Client Personnel does not include Otava.
2.7. “Limitations” means the number of hosts, license types, memory, number of licenses, number of users, purpose, storage, or other usage limits, if any, set forth in an applicable Sales Order.
2.8. “Minimum Commitment” has the meaning attributed to such term in the MSA, and if not defined, then means Client’s commitment to pay a minimum charge for the Services, regardless of actual usage or other factors.
2.9. “Portal” means the certain web based portal that Otava may make available to Client to access and manage the Services, including adding user roles, purchasing additional Services, and submitting service tickets.
2.10. “Support Portal” means https://support.otava.com, or such other URL for support issues as Otava may provide.
2.11. “Third Party EULA” has the meaning attributed to such term in the MSA, and if not defined, then has the meaning set forth in Section 4.3 (Third-Party Products). Third Party EULA includes the Trend Micro EULA.
2.12. “Third Party Product” has the meaning attributed to such term in the MSA, and if not defined, then means any infrastructure, hardware, or software, where such infrastructure, hardware, or software is owned or licensed by a Third Party Vendor, such as Microsoft Corporation or Trend Micro Incorporated.
2.13. “Third-Party Vendor” means a third-party product or service provider that is not identified as a Party to the MSA.

3. USE OF SERVICES AND PERFORMANCE

3.1. Contacts. Client will use the Portal to designate, change, and otherwise manage various access roles for Client and the Client Personnel (each an “Authorized Contact”) in connection with the Services. Client agrees that Otava will be permitted to act and rely on the direction and instructions of the Authorized Contact, unless and until Client revokes the relevant individual’s access role. If Client wishes to add or remove an Authorized Contact, or modify an Authorized Contact’s information or authority, Client must do so through the Portal.

3.2. Cooperation. Client understands and acknowledges that Otava cannot perform the Services without the assistance and cooperation of Client Personnel. Accordingly, Client will: (a) cooperate, in good faith, with Otava with respect to activities necessary or reasonably appropriate for Otava to provide Services including, without limitation, cooperating with Otava to schedule maintenance required for major system upgrades as applicable; (b) devote such time as needed to timely review any information provided and timely respond to and advise Otava with respect to activities as they relate to the Agreement, including, without limitation, as applicable in light of the actual Services, timely authorizing operating system upgrades; (c) provide to Otava, at no charge, reasonable access to the Client Personnel to reasonably assist Otava with respect to the activities as they relate to the Services; and (d) reasonably facilitate and hereby authorize the communication between Otava and Client Personnel, as necessary or reasonably appropriate for Otava to deliver the Services. Client understands that for Otava to meet certain audit obligations, maintain compliance certifications, or address software and systems obsolescence, Otava must perform certain patching, updates, and upgrades to systems and technologies managed by Otava, some of which may be included in or otherwise impact Client’s Services. Accordingly, notwithstanding anything to the contrary in this Section 3.2 or any other term in the Agreement, Otava reserves the right to perform any and all patching, updates, and upgrades to the systems and technologies managed by Otava, as determined by Otava in its sole discretion and without further approval from or liability to Client, provided that Otava will provide Client with prompt (as reasonable under the circumstances) written notice (which notice may be provided by email, a service ticket, or by posting in the Portal) of such patches, updates, and upgrades.

3.3. Access to Client Systems. Client agrees and understands that to perform the Services, Client may need to make available to Otava access to Client’s information technology resources, data systems, virtual machines, third-party software and hardware, and related resources from the Client-side environment (collectively, the “Client Systems”). As between Client and Otava, Client will, at its expense, take the necessary steps (including, without limitation, obtaining all authorizations, consents, licenses, and sublicenses) to make available to Otava the Client Systems that Otava may require or reasonably request to provide the Services. As between Client and Otava, Client is solely responsible for the Client Systems’ costs and for obtaining, installing, configuring, and maintaining appropriate equipment and ancillary services needed to connect to, access, and otherwise use the Services, including, without limitation, communication lines, network connectivity, hardware, software licenses, web browsers, and power.

3.4. Configuration, Management, and Monitoring. Otava may provide Client with certain deployment, management, and support Services as described in one or more Sales Orders, provided, however, Client agrees and understands that Client remains solely responsible for (a) understanding Client’s legal and contractual obligations and ensuring that the Services meet Client’s needs; (b) evaluating and understanding the limitations of the Services; (c) determining the scope and type of Services Client must purchase from Otava to meet Client’s operational and compliance requirements, including, without limitation, need for high availability, auditing obligations under applicable privacy and security laws, and retention duration; (d) properly configuring, managing, and monitoring the Client-side components of the Services, including, for example, periodically testing backups if Client’s Services include backup services; (e) properly configuring, managing, updating, and upgrading the applications and related services hosted by Client in the Services environment (including, without limitation, as applicable, using the then-current or supported versions of the programming languages for applications, patching, using genuine and licensed software, and upgrading as needed before end of life is reached for the relevant Client-side system component), and properly administering the Client-side environment to ensure that Client’s compliance objectives are achieved and legal obligations are met; (f) timely reviewing and assessing any alerts, log files, and reports in accordance with Client’s policies and otherwise properly monitoring the Services and the activities of the Client Personnel and other end users on the Services; and (g) training the Client Personnel on the scope of Otava’s Services and Client’s obligations.
Client understands that Client is solely responsible for all actions and activities taken or not taken, as the case may be, under access credentials assigned to Client and the Client Personnel in connection with the Services. Further, Client agrees and understands that Client, and not Otava, is responsible for managing whether the Client Personnel are authorized to access or use the Services and Otava will have no obligations relating thereto.

3.5. Consents and Authorizations. As between the Parties, Client is solely responsible for and will, at Client’s own expense: (a) to the extent required by applicable law, notify applicable end users that their personally identifiable information is accessed, collected, stored, transmitted through, or otherwise used by Otava; (b) respond to and otherwise manage consumer requests, if any, related to the Client Data as required by applicable law; and (c) obtain all third party consents and authorizations with respect to the Client Data as may be necessary or reasonably appropriate for Otava to perform the Services in accordance with the Agreement and to ensure that Otava can comply with all applicable laws in providing the Services. Otava will, at Client’s expense, (i) reasonably assist Client, as needed, to cooperate with and respond to requests from auditors, insurance carriers, regulators, consumers, customers, and others to provide information related to Otava’s processing of the Client Data and use of the Services; and (ii) assist with, respond to, or otherwise support legal holds (such as those that Otava receives from a third party because Otava stores the Client Data), discovery requests, ediscovery, affidavits, subpoenas, and other litigation or legal proceeding support services related to the Administrator Data, Client Data, or the Services (this Section 3.5(i) and (ii), collectively as the “Compliance Support Services”); provided that the Parties agree that, Otava may, in its reasonable discretion and to the extent legally permissible, decline to provide the Compliance Support Services or otherwise limit the scope of such Compliance Support Services. 
Otava will charge and Client will pay for the Compliance Support Services at Otava’s and, if applicable, Otava’s vendors’ (including, without limitation, attorneys and digital forensics vendors), then current time and materials rates, provided that Otava will provide Client with written notice in advance of charging such fees. Otava may, at its sole discretion, require a deposit or other advance payment before providing the Compliance Support Services.

4. PROPRIETARY RIGHTS AND LICENSES

4.1. Administrator Data. As between Client and Otava, Client owns the right, title, and interest in and to the Administrator Data, except for the limited rights granted in the MSA and subject to applicable third party licensor rights in the Administrator Data. Client hereby grants Otava a fully paid, limited, nonexclusive, royalty-free right and license (a) during the Services Term and for the duration of any transition period, to access, adapt, aggregate, copy, disclose, display, distribute, modify, process, publish, reformat, store, and use the Administrator Data for the purpose of administering and performing the Services and to otherwise fulfill Otava’s obligations under the MSA; and (b) on a perpetual basis, to access, adapt, aggregate, copy, display, modify, process, reformat, store, use, and create derivative works of Administrator Data, metrics, statistics, and other analytics and to aggregate, copy, disclose, distribute, publish, and use such information for Otava’s internal business purposes, legal compliance, and record keeping, including, without limitation, developing anonymized benchmarks and metrics, provided that Otava will use commercially reasonable efforts to ensure that use of Administrator Data does not individually identify Client or any Client employees.

4.2. Client Data. As between Client and Otava, Client owns the right, title, and interest in and to the Client Data, except for the limited rights granted in the Agreement. Client hereby grants Otava a fully paid, limited, nonexclusive, royalty-free right and license during the term of the Agreement and for the duration of any transition period, to copy, display, host, process, store, and transmit the Client Data for the purpose of delivering the Services, including, without limitation, Client’s and Client Personnel’s access and use of the Third Party Products, and to fulfill Otava’s obligations under the Agreement.

4.3. Third-Party Products. Otava may make certain Third-Party Products available to Client in connection with or to use directly with the Services (e.g., Microsoft Server licenses) or use of the Services may require a license to and use of Third-Party Products (e.g., Veeam backup software). Client agrees and understands that Client’s access to and use of the Third Party Products is subject to the terms and conditions of an end user license agreement, cloud services agreement, or such other document issued by the applicable Third-Party Vendor (“Third-Party EULA”). Otava does not (a) endorse the Third-Party Products; or (b) control or accept responsibility for the Third Party Products, except to the extent Otava is designated as being either “Responsible” or “Accountable” in an applicable RACI Matrix for the Otava Security Services. Any and all agreements, services, and transactions between Client and such Third-Party Vendor in connection with the Third-Party Products, including but not limited to such Third-Party Vendor’s privacy policies, service level terms, data use terms, and any other terms, conditions, representations, and warranties associated with such agreements, services, or transactions, are solely between Client and such Third-Party Vendor. Client understands that Otava did not design the Third Party Products and, accordingly, Client agrees that Otava will not be liable for any defects, flaws, inefficiencies, malfunctions, or programming errors in any of the Third Party Products. To the extent available to Otava and within Otava’s control, Client will have the right to review the Third-Party EULA for any Third-Party Products upon Client’s request and prior to executing the applicable Sales Order. If the Agreement or an applicable Sales Order is terminated for any reason, Otava will have no responsibility or liability to Client for the cost of any such Third-Party Products.
Unless otherwise provided in the Third-Party EULA, the rights granted to Client in the Third Party EULA are solely for Client’s use in connection with the Services and will terminate on the earlier of expiration or termination of (i) the Agreement; (ii) an applicable agreement between Otava and the licensor of the Third Party Products, as applicable; or (iii) the Third-Party EULA. Without limiting the generality of the immediately preceding sentence, Otava may, in its sole discretion and with 30 days’ advance written notice to Client (which notice may be provided by email, a service ticket, or by posting in the Portal), modify or discontinue the availability of any Third-Party Products provided with the Services if the licensor or Third-Party Vendor changes its terms with Otava. By using the Third Party Products, Client grants Otava permission to allow the licensors of such Third-Party Products to access and use the Administrator Data and Client Data as required or reasonably appropriate for the purpose of delivering the Third Party Products to or for Client and the Client Personnel, as applicable, in connection with the Services, and to otherwise enable use of the features and functions of such Third-Party Products. Without limiting Section 3.5 (Consents and Authorizations), Client will, at its own expense, obtain all consents and permissions from its employees and other relevant end users as necessary and appropriate to grant the rights granted in this Section 4.3.

4.4. Otava Proprietary Rights. Client acknowledges and agrees that Client is engaging Otava due to Otava’s expertise, know how, knowledge, materials, special skills, and each of its component parts (including, without limitation, algorithms, analytics, audio visual works, charts, compilations, coherence and methods of operation of systems, conceptions, configurations, data, data center, data center architecture, database structuring techniques, databases, designs, developments, diagrams, formatting, forms, general skills, graphs, ideas, inventions, know how, libraries (code or otherwise), lists, logic, ‘look and feel’, materials, methodologies, metrics, models, network architecture, policies, Portal, procedures, records, reports, schematics, software and its object and source code, system designs, technical documentation, techniques, templates, text, tools, user interfaces, and utilities, and other works of authorship, or any part thereof and any arrangement, coordination, combination, and selection thereof, and any improvement thereto and modifications thereof), and proprietary information, and all intellectual property rights therein (collectively, the “Otava Materials”) that Otava developed or acquired prior to the Agreement or during the Agreement but in connection with performing services for another client. As between Client and Otava, Otava will retain and Client acknowledges that Otava hereby retains all interest, right, and title in and to the Otava Materials and nothing contained in the Agreement will be construed as the relinquishment on the part of Otava of any of Otava’s ownership interest in the Otava Materials. Further, for the avoidance of doubt, Otava may develop certain improvements and modifications to the Otava Materials and other general skills as a result of working with Client. 
Otava will retain all interest, right, and title of every nature in and to such improvements, modifications, and general skills throughout the universe, whether such rights are now known or hereafter devised, with the right to use the improvements, modifications, and any applicable general skills in perpetuity in any manner Otava desires, in its sole discretion, without any payment to Client or any obligation of accounting.

4.5. Trademarks and Copyrights. Client acknowledges and agrees that all content on the Third-Party Products and the Otava Materials as well as certain content on the Administrator Data (including with respect to each of the Third Party Products, Otava Materials, and Administrator Data, as applicable and without limitation, audio, graphics, graphs, images, sounds, text, user interfaces, and visual interfaces as well as, without limitation, the arrangement, coordination, design, expression, ‘look and feel’, structure, and selection thereof) is the exclusive property of and owned by Otava, the Third Party Products vendors, the Administrator Data vendors, or its and their licensors and are protected by copyright, trademark, and other intellectual property rights and unfair competition laws. Client will not and will not permit any of the Client Personnel to modify, obscure, or delete (including through selectively copying or printing material) any copyright, trademark, trade secret, government restricted rights, or other proprietary or confidentiality notices or legends that are placed or embedded in the Third Party Products, Otava Materials, or Administrator Data. Nothing on or in the Third Party Products, Otava Materials, or Administrator Data will be construed as granting, by implication, estoppel, or otherwise, any license or right to use any logo, service mark, or trademark displayed thereon or therein, without the owner’s prior written permission, except as otherwise described in these Product Terms or, with respect to the Third-Party Products, in a license between Client and such Third-Party Products vendor (including any Third Party EULA).

4.6. Usage Data and Operational Information. Client agrees and understands that certain of the systems and software used to deliver the Services or the Third-Party Products or otherwise used in connection with the Services or the Third-Party Products may, from time to time, collect and automatically report back information related to usage of the Services, the Third Party Products, and related information technology systems (“Usage Data”). Usage Data may include IP addresses, but does not include Client Data. Such Usage Data may be reported to Otava as well as the relevant information technology or software system Third-Party Vendor. Usage Data may be used by Otava and the relevant information technology and software system vendors for any legally permitted purposes, including, without limitation, helping diagnose and resolve technical and performance issues with Otava’s and such vendor’s systems, improving the Services, validating license keys, monitoring for compliance with Limitations (e.g., amount of RAM on server, number of virtual machines, and the like), and developing metrics and analytic algorithms. Client agrees and understands that Otava uses all data collected in connection with its business and operations for the operation and management of its business including, without limitation, (a) creation of operational statistics; (b) creation and inclusion in financial reporting of aggregate statistics regarding services performed; (c) creation and inclusion in marketing materials of aggregate statistics highlighting the Services; and (d) advancing and improving existing products and services, creating new and enhanced products and services, and development and publication of market and industry intelligence and expertise; all of which and any improvements thereto and whether in tangible or intangible form, will be and remain the intellectual property of Otava and Otava will own all intellectual property rights therein.

4.7. Feedback. Client agrees that submission of any corrections to content or documents, ideas, product or service improvements or modifications, or suggestions (collectively, the “Feedback”) to Otava through its feedback form, meetings, suggestion form, or similar means, is at Client’s own risk and that Otava has no obligations (including, without limitation, obligations of use) with respect to such Feedback. Client hereby grants to Otava a fully paid, irrevocable, royalty-free, perpetual, sub licensable, transferable, worldwide, and nonexclusive right and license to adapt, copy, disclose, display, distribute, modify, perform, reformat, use, create derivative works of, and otherwise exploit any and all Feedback for any legally permitted purposes.

4.8. Restrictions. Otava and its suppliers retain all interest, rights, and title in and to the Portal and Otava Materials (collectively, the “Licensed Materials”) and all rights to the Licensed Materials not expressly granted to Client in the Agreement are reserved. The Third Party Vendors retain all interest, right, and title in and to their respective Third Party Products. Any unauthorized use of the Licensed Materials, the Third Party Products, or any component thereof is a material breach of the Agreement. Client will not: (a) copy or reproduce the Licensed Materials or the Third Party Products in whole or in part, access or use the Licensed Materials in any way other than as expressly permitted in the Agreement, or, if applicable, access or use the Third Party Products in any way other than as expressly permitted in the Agreement or the Third Party EULA; (b) modify, translate, or create derivative works of the Licensed Materials or Third Party Products or any portion thereof; (c) decompile, decrypt, disassemble, reverse engineer, or otherwise attempt to obtain or perceive the source code from which any component of any software made available to Client hereunder (including, without limitation, the Portal and the Third Party Products) is compiled or interpreted, and Client hereby acknowledges that nothing in the Agreement will be construed to grant Client any right to obtain or use such source code; (d) assign (except together with Client’s business if so permitted by the assignment clause in the MSA), distribute, grant a security interest in, lease, loan, rent, sell, share, sublicense, timeshare, use for service bureau purposes, or otherwise transfer (except together with Client’s business if so permitted by the assignment clause in the MSA) the Licensed Materials or Third Party Products; (e) divert, export, re-export, or transfer any part of the Licensed Materials, Services, or Third Party Products to any country, individual, company, or other entity that is embargoed by the U.S., in violation of any U.S. export law or governmental regulation, or otherwise identified on a list of debarred, prohibited, sanctioned, or denied parties; (f) unless expressly authorized by Otava or an applicable Third Party Vendor in writing, authorize or undertake a penetration test, vulnerability scan, social engineering test, or any other similar activity against the Services, Otava, any of Otava’s Third-Party Vendors, or any of Otava’s employees, agents, or subcontractors; (g) interfere with or attempt to interfere with the proper functioning of the Services, Third-Party Products, Otava, any of Otava’s Third-Party Vendors, or any Otava agent, contractor, or subcontractor, including subverting or attempting to subvert embedded security controls, the reporting mechanisms for reporting and monitoring Limitations, or the mechanisms to validate license keys; or (h) authorize, assist, or cause any third party, including any of the Client Personnel, to do any of the foregoing. Client agrees and understands that the restrictions in this Section 4.8 apply to (i) any component of the Licensed Materials that is relevant to the restriction; and (ii) to the Third Party Products to the extent such restriction is relevant, unless expressly permitted by the Third-Party EULA or some other arrangement between Client and the owner of such Third Party Product.

4.9. Audits. Otava may audit Client’s use of the Services and may permit relevant Third Party Vendors to audit Client’s use of the Third Party Products and the related Services in connection with Client’s use of such Third Party Products. Client will and, as applicable, will ensure that the Client Personnel, reasonably cooperate with all such auditing activities, including, without limitation, permitting access to and copying of relevant records. Such audit will be conducted during Client’s regular business hours, will not unreasonably interfere with Client’s business activities, and may be conducted at Client’s offices or electronically. Otava reserves the right to require the installation of auditing software to enable automated billing and consumption verification on the Services or any part thereof.

4.10. Suspension for Security. Otava will have the right, in addition to its other rights or remedies, to suspend Client’s and the Client Personnel’s access to the Licensed Materials, Services, and the Third Party Products, without liability to Client, if (a) Otava determines, in its reasonable discretion, that such suspension is necessary or reasonably appropriate to protect the security or integrity of the Licensed Materials, Services, or the Third Party Products or the security of other Otava clients; or (b) Otava does not receive the Usage Data as required, or Client otherwise interferes with the reporting mechanisms for reporting and monitoring Limitations or the mechanisms to validate license keys for the Third Party Products and other software. Such access may remain suspended until Otava reasonably determines that the threat has passed or that Client has taken the appropriate steps, as reasonably determined by Otava, to remedy the identified threat or interference, as applicable. Further, Otava may, without liability to Client, suspend the access credentials of the Client Personnel who violate the Agreement and may terminate the access credentials of Client Personnel who repeatedly violate the Agreement, provided that Otava will provide Client with prompt written notice (which notice may be provided by email, a service ticket, or by posting in the Portal) if Otava suspends or terminates the access credentials.

5. GENERAL TERMS

Notwithstanding anything to the contrary in the MSA, Otava may amend or modify these Product Terms by providing at least 45 days advance written notice to Client of such amendments or modifications. Notice of any such amendments or modifications to these Product Terms will be provided by email to the Authorized Contact, Otava’s primary business contact for Client, service ticket, mail, or by posting in the Portal. If Client determines, in Client’s reasonable discretion, that the proposed change to these Product Terms materially impacts Client in an adverse manner, Client will provide written notice (which notice to be provided by service ticket through the Portal) to Otava (with attention to Contract Manager) with a brief explanation of the adverse impact within 15 days (“Amendment Objection Notice”). If no Amendment Objection Notice is received from Client within such 15-day period, then changes to these Product Terms will become effective without further action by either Party upon expiration of such 45-day period. Upon Otava’s receipt of an Amendment Objection Notice, the Parties will negotiate, in good faith, an appropriate Product Terms accommodation and will document any agreed upon accommodation in a writing that will be signed by an authorized representative of each Party. If the Parties cannot agree upon a mutually acceptable accommodation within 30 days of Otava’s receipt of the Amendment Objection Notice and Otava does not withdraw the Product Terms amendment or modification as against Client, then a Party may, upon 30 days advance written notice to the other Party, terminate the Otava Security Services component impacted by the amendment or modification and Otava will waive any recurring monthly fees remaining under the then current Addendum Services Term for the terminated Otava Security Services component. 
For the avoidance of doubt, the modified Product Terms will not go into effect for Client during the notice and discussion periods contemplated in this Section 6. The provisions of 3.5 (Consents and Authorizations, limited to Compliance Support Services), 4.3 (Third Party Products), 4.4 (Otava Proprietary Rights), 4.6 (Usage Data and Operational Information), 4.7 (Feedback), and 6 (General Terms) will survive the termination of these Product Terms until any obligations arising prior to such termination have been satisfied in accordance with the applicable terms.


© 2024 OTAVA® All Rights Reserved