VA-purchase terms and condition
Services Agreement
Cybersecurity Vulnerability Assessment
CloudPro provides a Cybersecurity Vulnerability Assessment (hereinafter the “Services”) whereby CloudPro consultants (i) conduct a security vulnerability scan of certain components of an organization’s information technology (“IT”) security controls and (ii) deliver the results of the security vulnerability scan, as set forth more specifically in this agreement (the “Agreement”).
This Agreement shall commence upon either (i) a party’s written request to CloudPro to provide the Services and CloudPro’s written acceptance of the party’s request, or (ii) upon the party’s clicking/checking the “I Agree” button or box on the CloudPro website page referencing “Cybersecurity Vulnerability Assessment” and CloudPro’s written acceptance of the party’s request. The party making the request for the Services shall be referred to as the customer (the “Customer”), and CloudPro’s written acceptance of the Customer’s request shall be the date upon which this Agreement shall become effective (the “Effective Date”).
Upon the Effective Date, the Customer and CloudPro agree to be bound by the terms of this Agreement. If the Customer enters this Agreement on behalf of a third-party to which the Customer has the legal authority to bind to this Agreement, then the definition of the Customer shall include the third-party.
Scope of the Services
CloudPro’s Services apply reasonable commercial efforts to assess the extent to which the Customer’s information technology (IT) infrastructure is vulnerable to unauthorized access or intrusion. The Services may include any of the following: (i) scanning of the Customer’s internal computing and network hardware and software, (ii) scanning the Customer’s web-based software applications publicly exposed via the public Internet (the “Internet”), and (iii) scanning the Customer’s networking software and hardware exposed to the Internet (the “Network Perimeter”), such as firewalls, routers, intrusion detection and prevention systems, email systems, virtual private networking (VPN) systems, the combination of which constitutes a Network Perimeter.
CloudPro may use a combination of commercial and publicly available cybersecurity testing tools, as well as custom software scripts or applications in connection with providing the Services. CloudPro uses commercial scanning tools to help automate the execution of the Services, especially for repetitive tasks that would otherwise be prohibitively time-consuming.
CloudPro’s Services include an initial scope validation phase, followed by the vulnerability scan, which includes an enumeration of vulnerabilities discovered in the Customer’s IT infrastructure and mapping them to the Common Vulnerabilities and Exposures (CVE) database. After completion of the vulnerability scanning phase of the Services, CloudPro prepares and provides documentation of the scan and results to the Customer, including a summary of discovered cybersecurity vulnerabilities and risks, which are categorized as High, Medium and Low priority based on multiple factors, including ease and scope of exploitation. The features of the Services include the following:
Scope Validation
During this step, CloudPro validates the target list of IP addresses provided by the Customer. This is a safety measure and will ensure the accuracy of Services’ subsequent findings. CloudPro may perform such activities as:
- Ping sweeps, port scans and route tracing;
- Footprinting of the publicly exposed network infrastructure;
- Internet domain name registration searches;
- Internet registry number searches; and
- Domain name service (DNS) lookups.
Enumeration and Vulnerability Mapping
Enumeration involves actively attempting to identify such things as services running (e.g. over particular Internet protocols), applications used, version numbers and service banners. Scanning in this phase may be at a more noticeable level of activity, which could reveal that CloudPro is performing types of reconnaissance activities that typically precede an attack.
Vulnerability Mapping involves attempting to determine IT vulnerabilities. Some false positive reduction techniques are used to improve accuracy. In addition, manual testing may be performed to further validate the findings.
Vulnerability Ranking
CloudPro’s risk ranking methodology and report is designed to be easy to understand, presenting vulnerability risks as High, Medium and Low priority based on factors including ease of exploitation, information obtained, or access granted. The types of vulnerabilities detected by this scanning may include the following:
- Various application software vulnerabilities
- Microsoft Windows, Linux, Unix and MacOS, iOS and Android operating system vulnerabilities
- Known and published host application and services vulnerabilities, such as:
  - Apache, Microsoft IIS, IBM WebSphere, and other web servers
  - SMTP (email) Servers
  - Remote access services, such as SSH, Telnet, RDP
  - Other server services (NTP, FTP, DNS, SNMP, SSL wrappers, etc.)
- Network device vulnerabilities, such as Firewalls, VPNs, Routers and Proxy Servers.
- Tens of thousands of other vulnerabilities
Services Delivery Process
Delivery of the Services to the Customer is in accordance with the following process:
- Customer provides CloudPro with information on IP address targets and/or web-based software applications, including roles, credentials and any other information required for CloudPro’s execution and delivery of the Services
- In consultation with Customer, CloudPro schedules the time in which the scope validation and vulnerability scanning phases of the Services will be performed (the “Time Window”).
- Customer confirms authorization to conduct the Services
- If applicable, Customer “whitelists” CloudPro’s IP test addresses available during scope and validation phase and the vulnerability scanning Time Window
- CloudPro notifies Customer on the day of scope and validation scan prior to commencement.
- Scope and validation scan executed during the Time Window.
- CloudPro contacts Customer on the day of the vulnerability scan prior to commencement.
- Vulnerability scan executed during the Time Window.
- CloudPro uses reasonable commercial efforts to complete the Services report within 14 days of completion of the vulnerability scan and delivers the report to Customer.
Note: CloudPro reserves the right to modify or adapt the above process as necessary for the particular Services being delivered and circumstances.
Excluded Services
Any activities other than those specifically identified in this Agreement are beyond the scope of this Agreement and, therefore, not in-scope. In no case will the total number of IP addresses or software applications evaluated in connection with the Services exceed the total number of IP’s or web applications specified and agreed upon by CloudPro. For the purpose of evaluation, each in-scope IP is considered to be a separate host.
Customer Responsibilities
Customer agrees to perform its obligations and acknowledges and agrees that CloudPro’s ability to perform its obligations under this Agreement are dependent on Customer’s compliance with the following:
- Customer resources, including necessary personnel, are scheduled and made available to CloudPro.
- Customer’s network is made available to CloudPro for testing, including specific IP addresses/range.
- Customer shall reply in a timely manner and in accordance with the delivery dates established during the scheduling phase, to all reasonable document requests and other information necessary for CloudPro to deliver the Services.
- CloudPro will contact Customer’s designated representative within five (5) business days after the execution of this Agreement, and Customer shall reply within five (5) business days after being contacted, to schedule a mutually-agreeable time for the Services to be performed.
- Customer Testing Window will allow adequate time for performance of Services.
Service Terms and Conditions
- Service
The term of the Services hereunder shall commence on the Effective Date of this Agreement and terminate one (1) year thereafter.
- Service Fee
CloudPro agrees to provide the Services in exchange for the agreed-upon service fee. The fee does not include any taxes, duties, and other sums which are levied or based upon such fee or on the delivery of the Services. Unless Customer otherwise provides CloudPro with current official documentation of its tax-exempt status, Customer will be responsible for all such taxes, except for taxes imposed on CloudPro’s income. All charges, fees, payments and amounts hereunder will be in United States dollars.
- Intellectual Property
- Customer’s Proprietary Rights. Customer represents and warrants that it has the necessary rights, power and authority to transmit Customer Data (as defined below) to CloudPro. Customer will own all right, title and interest in and to (i) any data provided by Customer to CloudPro and/or accessed by CloudPro from Customer or transmitted by Customer to CloudPro in connection with the Services, including but not limited to data included in any written or printed summaries, analyses or reports generated in connection with the Services (“Customer Data”), (ii) all intellectual property, including patents, copyrights, trademarks, trade secrets and other proprietary information (“IP”) of Customer that may be made available to CloudPro in the course of providing the Services, and (iii) all confidential or proprietary information of Customer, including but not limited to Customer Data, Customer Reports (as defined below in Section 3.C.), and other Customer files, documentation and related materials, in each case under this clause (iii), obtained by CloudPro in connection with delivery of the Services.
- CloudPro’s Proprietary Rights. CloudPro is the owner of all right, title and interest in all IP in any work, including but not limited to all inventions, methods, processes, and computer programs (including any source code, object code, enhancements and modifications), developed by CloudPro in connection with the performance of the Services and of general applicability across CloudPro’s customer base, and Customer hereby assigns to CloudPro all right, title and interest in any copyrights that Customer may have in and to such work; provided however, that such work shall not include information or data belonging or pertaining to Customer.
- Use of Customer Reports. Customer shall own all right, title and interest in and to any written summaries, reports, analyses, and findings prepared specifically for Customer in connection with CloudPro’s provision of the Services (the “Customer Reports”). The provision by Customer of any Customer Reports or any information therein to any unaffiliated third-party shall not entitle such third-party to rely on the Customer Reports or the contents thereof in any manner or for any purpose whatsoever, and CloudPro specifically disclaims all liability for any damages whatsoever (whether foreseen or unforeseen, direct, indirect, consequential, incidental, special, exemplary or punitive) arising from or related to reliance by any third-party on any Customer Reports or any contents thereof.
4. Limited Warranty; Disclaimers
- The Services will be performed in a workmanlike manner and in compliance with all applicable laws and regulations. CLOUDPRO EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
- Limitations of Methods. Customer recognizes and agrees that CloudPro provides no warranty or guarantee as to the outcome of its Services, scanning, testing or assessment methods, that all such methods have reliability limitations, and that such methods cannot guarantee discovery of all weaknesses, noncompliance issues, or vulnerabilities. Customer agrees that it has knowledgeably accepted these limitations and the risks attendant thereon. Customer understands that CloudPro may use various methods and software tools to probe network resources and software applications for security-related information and to detect actual or potential security flaws and vulnerabilities. Customer authorizes CloudPro to perform such Services (and all such tasks and tests reasonably contemplated by or reasonably necessary to perform the Services) on software applications and network resources with the IP addresses identified by Customer or discovered by CloudPro during execution of the Services. Customer represents that, if Customer does not own such network resources, it will have obtained consent and authorization from the applicable third-party, in form and substance satisfactory to CloudPro, to permit CloudPro to provide the Services. Customer acknowledges that the Services could possibly result in service interruptions or degradation regarding the Customer’s systems and accepts those risks and consequences. Customer further acknowledges it is the Customer’s responsibility to restore network computer systems to a secure configuration after provision of the Services.
Customer acknowledges that it maintains a fully recoverable copy of all software applications, data and information residing within all repositories, servers and computers connected either directly or indirectly to its network that are accessible to CloudPro during the execution and delivery of the Services (“Customer Data Backup”).
5. Limitations of Liability
- Waiver of Indirect and Consequential Damages. NEITHER PARTY WILL BE LIABLE FOR ANY INCIDENTAL, INDIRECT, PUNITIVE, SPECIAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR THE SERVICES PROVIDED BY CLOUDPRO UNDER THIS AGREEMENT. NEITHER PARTY SHALL HAVE LIABILITY FOR THE FOLLOWING, WHETHER DIRECT OR INDIRECT: (A) LOSS OF REVENUE, INCOME, PROFIT, OR SAVINGS, (B) LOST OR CORRUPTED DATA OR SOFTWARE, LOSS OF USE OF SYSTEM(S) OR NETWORK(S), OR THE RECOVERY OF SUCH, (C) LOSS OF BUSINESS OPPORTUNITY, (D) BUSINESS INTERRUPTION OR DOWNTIME, (E) LOSS OF GOODWILL OR REPUTATION, OR (F) SERVICES NOT BEING AVAILABLE FOR USE OR THE PROCUREMENT OF SUBSTITUTE SERVICES.
- Limitation on Direct Damages. CloudPro’s liability for all claims arising out of this Agreement will not exceed the fee paid by Customer to CloudPro. The foregoing limitations, exclusions and disclaimers shall apply, regardless of whether the claim for such damages is based in contract, warranty, strict liability, negligence, tort, or otherwise. Insofar as applicable law prohibits any limitation herein, the parties agree that such limitation will be automatically modified, but only to the extent so as to make the limitation permitted to the fullest extent possible under such law. The parties to this Agreement agree that the limitations on liabilities set forth herein are agreed allocations of risk constituting in part the consideration for CloudPro’s sale of Services to Customer, and such limitations will apply notwithstanding the failure of essential purpose of any limited remedy and even if a party has been advised of the possibility of such liabilities.
Customer further acknowledges and agrees that in the event any of Customer’s software applications, data or information is lost, damaged or otherwise impacted in connection with the Services, or in the event that Customer’s business or operations are impacted by the Services, CloudPro’s liability shall be limited in accordance with the terms of this Agreement.
6. Confidential Information
A party disclosing confidential information is referred to herein as the “disclosing party” and the party receiving such confidential information is referred to as the “receiving party.” As used herein, “confidential information” shall mean any information that the receiving party knows or has reason to know (either because such information is marked or otherwise identified by the disclosing party orally or in writing as confidential or proprietary, has commercial value, or because it is not generally known in the relevant trade or industry) is confidential information. Confidential information includes, but is not limited to, data, information (including personally identifiable information), ideas, materials, specifications, procedures, schedules, software, technical processes and formulas, source code, product designs, sales, cost and other unpublished financial information, product and business plans, advertising revenues, usage rates, advertising relationships, projections, marketing data and other similar information provided by a disclosing party.
Receiving party will protect the confidentiality of the confidential information in the same manner that it protects the confidentiality of its own proprietary and confidential information and materials of like kind, but in no event less than a reasonable standard of care. Receiving party will use commercially reasonable efforts (and will cause its employees and agents to use commercially reasonable efforts) to avoid inadvertent disclosure of confidential information in receiving party’s possession. Except as otherwise required by law, receiving party agrees not to disclose the confidential information to any third parties or to any of its employees except those persons who have a need to know the confidential information in order for the receiving party to perform its obligations hereunder. The prohibitions contained herein will not apply to information (i) already lawfully known to or independently developed by the receiving party without use of the other party’s confidential information; (ii) disclosed in published materials; (iii) generally known to the public; or (iv) lawfully obtained from any third-party. A party will not be considered to have breached its obligations to the extent confidential information is required to be disclosed by any governmental authority or by applicable law, provided that the disclosing party, to the extent practicable, advises the other party prior to making such disclosure in order that the other party may object to such disclosure, take action to ensure confidential treatment of the confidential information, or take such other action as it considers appropriate to protect the confidential information.
7. Governing Law and Venue
This Agreement and any claim, dispute or controversy between CloudPro and Customer arising from or relating to this Agreement, its interpretation, or the breach, termination or validity thereof (a “Dispute”) shall be governed by the laws of the State of California without regard to conflicts of law. The parties agree that the UN Convention for the International Sale of Goods will have no force or effect on this Agreement. The parties agree that any Dispute shall be brought exclusively in the state or federal courts located in Santa Clara County, California. Customer and CloudPro agree to submit to the personal jurisdiction of the state and federal courts located within Santa Clara County, California and agree to waive any and all objections to the exercise of jurisdiction over the parties by such courts and to venue in such courts.
8. Survival
Section 6 (Confidential Information) above shall survive any termination or expiration of the Services and continue in full force and effect for a period of three (3) years thereafter. Sections 2, 3, 4, 5, 7 and 8 shall survive any termination or expiration of the Services and continue in full force and effect.
© 2020 CloudPro Inc. All rights reserved. Trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Specifications are correct at date of publication but are subject to availability or change without notice at any time. CloudPro and its affiliates cannot be responsible for errors or omissions in typography or photography.