Security Log Monitoring

Supplemental Terms
 

Revised: May 29, 2020
 

The following Supplemental Terms apply only to the Security Log Monitoring Services (“Services”). In the event of a conflict between the terms of these Supplemental Terms and the terms of the Agreement between Customer and CenturyLink, including applicable Service Attachments, the terms and conditions of these Supplemental Terms apply, but only to the extent of such conflict. Capitalized terms used herein but not defined herein shall have the meanings set forth in the Agreement.

 

1. Universal Security Log Monitoring Supplemental Terms

  1. This Service cannot be resold or utilized by any third party for their end users.
  2. The Service provided herein is a supplement to Customer’s existing security and compliance frameworks and tools utilized to minimize loss or theft of information and disruption of services, for which CenturyLink is not, and will not be, responsible. While CenturyLink will use reasonable commercial efforts to provide the Services hereunder accurately and completely, the Services are provided “as-is”, except to the extent an applicable SLA or SLO applies. CenturyLink does not and cannot guarantee or warrant that CenturyLink will accurately identify all risks, potential security and/or compliance gaps, or that CenturyLink’s recommendations, assessments, tests, reports or monitoring will be accurate, complete, error-free, or effective in achieving Customer’s security and/or compliance related objectives. Neither CenturyLink nor its subcontractors will be liable for any damages which Customer or third parties may incur as a result of Customer’s (i) non-compliance with any standards which apply to Customer, and/or (ii) reliance upon (or implementation of recommendations from) results, reports, tests, or recommendations related to the Services.
  3. Customer shall not in any way transfer, modify or copy the software except as permitted as part of the Service.
  4. Customer shall not in any way hide, obscure, eliminate, or modify any proprietary notice which appears on or in part of the Service.
  5. Customer consents to CenturyLink collecting and compiling system and security event log data to determine trends and threat intelligence.
  6. CenturyLink may associate this security event log data with similar data of other Customers so long as such data is merged in a manner that will not in any way reveal the data as being attributable to any specific Customer.
  7. CenturyLink is obligated to provide log backup and storage only during a Customer’s committed Service Term, including renewal terms. If the retention period selected extends beyond the Customer’s Service Term or if Customer or CenturyLink terminates the Services prior to the end of the retention period selected, Customer acknowledges that CenturyLink has no further obligation to back up and store any Customer metrics or data after Agreement expiration or termination and CenturyLink will automatically delete all logs, including backups that constitute Customer data. Customer acknowledges and consents that it is solely Customer’s responsibility to make copies of or obtain the logs and any other Customer data prior to expiration or termination.
  8. CenturyLink’s SLA only applies to the respective vendors’ supported configurations at the time SLA support requests are triggered. If any configuration, version, system or third-party software is identified as “unsupported” by a vendor, CenturyLink’s SLA (including availability of Service Credits) will no longer apply and any support by CenturyLink will be reasonable efforts only. In addition, and at CenturyLink’s reasonable discretion: (1) Customer may be required to purchase vendor supported upgrades at an additional cost to allow CenturyLink to continue to provide the Services; or (2) CenturyLink may elect to charge the Customer for any support or additional tasks/work incurred resulting from Customer’s continued use of an unsupported configuration. Customer acknowledges and agrees that it is solely responsible for selecting and ensuring its software and systems are up to date and supportable. Customer’s failure to do so may result in CenturyLink’s inability to provide the Services and CenturyLink shall have no liability therefrom.
  9. Customer consents to CenturyLink’s and its affiliates’ or subcontractors’ use and transfer to the United States, or other countries, data or information (including business contact information such as names, phone numbers, addresses and/or email addresses) of the Customer for the sole purpose of: (i) providing and managing the Services; (ii) fulfilling its obligations under the Agreement; and (iii) complying with applicable laws. Customer represents that it will ensure that all information provided to CenturyLink is accurate at all times and that any business contact has consented to CenturyLink’s processing of such information for the purposes identified herein.
  10. Subject to Section 2 below, CenturyLink’s access to Customer data is generally limited to machine/system generated logs and/or metrics that allow CenturyLink to provide threat intelligence. Certain tools, features, or requests by Customer, including those related to deep packet access, may require that CenturyLink have visibility to additional Customer data.
  11. If the services provided by CenturyLink and/or its licensors include access to or the use of equipment or software provided by CenturyLink or its licensors ("CenturyLink Equipment"), Customer: (i) will not assert any ownership interest whatsoever in the CenturyLink Equipment; (ii) will keep the CenturyLink Equipment free and clear from all liens, claims and encumbrances; (iii) shall protect and use all CenturyLink Equipment in accordance with the Agreement; and (iv) will cooperate with CenturyLink to allow maintenance and, upon termination, removal of the CenturyLink Equipment.
  12. Billing:
    1. The Billing Commencement Date for SLM is the day the first actionable logs are received by the SLM Service. This Service is billed on a consumption/usage basis as detailed in the Service Order. There is a committed data ingestion rate in the Service Order, and anything above that committed data ingestion rate may be charged as an overage. The committed ingestion rate is measured in GB per day of raw logs at applicable pricing. If a Customer wishes to avoid paying for overages above the committed ingestion rate, Customer must make this request during onboarding or submit a change request to CenturyLink, and this means logs produced over the consented ingestion rate will not be collected and stored. The foundational level of service does not charge Customers for the first 10 GB per day of raw log ingestion. If CenturyLink determines the Service is no longer financially viable for any Customer with only foundation level service and usage consistently below the 10 GB per day ingestion rate, CenturyLink may 1) require that Customer commit to upgraded service features; or 2) change the pricing structure for less than 10 GB per day; or 3) discontinue Service without penalties.
    2. The Billing Commencement Date for Emergency Response Services is the day Customer elects to utilize Emergency Response Services by opening a ticket with SOC. The Emergency Response Service is billed hourly on a time and materials basis at the hourly rate in effect at the time the Emergency Response Services are requested, plus cost reimbursable expenses if on site services are requested and approved. CenturyLink reserves the right to increase the time and materials rate at any time during the Service Term of the SLM service upon thirty days’ written notice; however, the increased rate will not apply to any Emergency Response Services being utilized at the time the new rate goes into effect. For avoidance of doubt, the modified rate will apply to new Emergency Response Services requested going forward.
  13. Security Log Monitoring Tuning—Recurring. If Customer elects to purchase the managed service that provides for a remote, but not dedicated, CenturyLink security account manager resource, the following additional terms and conditions will apply:
    1. The resource is available for a minimum 10, 20 or 40 hour monthly commitment as identified in the Service Order. CenturyLink reserves the right to reject any requests for services over the commitment number of hours specified.
    2. The Billing Commencement Date begins on the date the role is made available for Customer activities. The BCD triggers the date on which minimum commitments of hours start accruing even if they aren’t actually consumed. A Customer will receive its first invoice on the first of the month following the BCD. The first invoice will include a pre-pay for that month’s committed hours and the prorated committed hours from the BCD through the end of the immediately preceding month. Committed hours are billed each month regardless of the number of hours of actual usage.
    3. Each CenturyLink resource will perform activities or tasks commensurate with the resource’s skill set. Activities will be performed by CenturyLink between the hours of 8:00 A.M. and 6:00 P.M. in the local time zone of the resource(s) performing the Services, Monday through Friday, excluding local statutory holidays and any additional holidays that CenturyLink grants to its employees, a list of which can be provided to Customer prior to the commencement of the Services upon request. If the Customer requests performance of any Service outside of such hours (non-standard hours), Customer shall be responsible for any additional costs incurred as a result, as may be required by local rules and regulations (including without limitation any overtime pay).
    4. Early Termination Fees. Notwithstanding anything to the contrary, when removing any recurring optional add-on services, an early termination fee of 100% of the add-on monthly fee for the number of months remaining in the current service term will apply.
    5. Notwithstanding any other provision or understanding to the contrary in any document, CenturyLink makes no representation, warranty, or guarantee that any of the activities or tasks performed comply with or satisfy any applicable governmental or industry data security standard. If such activities or tasks include security and/or compliance framework services (advisory or otherwise) provided by CenturyLink, Customer acknowledges that CenturyLink may not identify or accurately identify all possible incidents, vulnerabilities, or potential security and/or compliance gaps and CenturyLink expressly disclaims any responsibility for any unidentified or misidentified incidents, vulnerabilities or gaps. If CenturyLink provides a recommendation, assessment, certification, report, or similar material to Customer hereunder, such material is developed in good faith as to its accuracy at the time of inspection or review by CenturyLink and CenturyLink does not and cannot guarantee that CenturyLink’s recommendations, assessments, tests, reports or monitoring will be accurate, complete, error-free, or effective in achieving Customer’s security and/or compliance related objectives. All managed services are provided AS IS. Customer further acknowledges that it and not CenturyLink is responsible for its overall IT environment and is solely responsible for any buying decision or changes to systems/services. Neither CenturyLink nor its subcontractors will be liable for any damages which Customer or third parties may incur as a result of Customer’s (i) non-compliance with any standards which apply to Customer, and/or (ii) reliance upon (or implementation of recommendations from) results, reports, tests, or recommendations related to the Services.
Notwithstanding any cap on damages set forth in the underlying Exhibit or Schedule, CenturyLink’s total aggregate liability arising from or related to the Services will be limited to the total charges paid or payable under the applicable Service Order.

 

2. Data Protection

  1. Security Log Data. Through CenturyLink’s provision of the Security Log Monitoring Service, CenturyLink and its vendors, if applicable, may be exposed to personal data, as such term is defined in applicable data protection laws, contained within the security logs ingested through the Service. Customer and CenturyLink acknowledge and agree that in the event the ingestion, analysis, storage and review of any personal data contained within the security logs are deemed processing under applicable data protection laws, such processing activities are not the primary purpose of the Service. The parties further agree:
    1. Customer, as controller, shall be responsible for providing all notices required with respect to such processing;
    2. Customer, as controller, is responsible for obtaining all legally required consents or determining a separate legal basis for the processing;
    3. Customer, as controller, is responsible to ensure that the security log data made available for ingestion by the Service is limited to the information necessary for the performance of the Service;
    4. Customer, as controller, is responsible for ensuring the Customer’s configuration and use of the Service is suitable for its specific use case;
    5. CenturyLink, as processor, shall only process any personal data as described herein in accordance with the Customer’s instructions, which shall be deemed given through Customer’s use of the Service;
    6. CenturyLink will make the security logs ingested by the Service available to Customer through the Portal. In the event any such security logs contain personal data, CenturyLink will not use such personal data except as necessary to provide the Service and provide relevant information to Customer. CenturyLink will not undertake any additional security measures for log files containing personal data; and
    7. To the extent legally required, Customer and CenturyLink will enter into separate written agreements required to comply with laws governing the relationship between a controller and processor with respect to the processing of personal data described in this Section, including, without limitation, any agreements required to facilitate necessary cross-border personal data transfers. Customer shall be responsible for notifying CenturyLink whether such written agreements are required.
  2. Portal Data. CenturyLink, through its third-party provider, collects a minimal amount of information about Customer personnel that are authorized to access the SLM Portal. The personal data collected and used with respect to the SLM Portal includes portal enrollment information, consisting of name, business email address, administrative authorizations and login credentials, and SLM Portal event data, consisting of high-level information about individual users’ actions within the SLM Portal. CenturyLink will only use this information to provide access to the SLM Portal and provide Customer with information about actions taken within the SLM Portal.
  3. Business Contact Information. Customer and CenturyLink acknowledge that it may be necessary to provide the other party with personal data, other than the security log data and portal data described above, necessary for the performance of each party’s obligations as relates to the provision of, in the case of CenturyLink and the use of, in the case of Customer, the Services and in the case of both parties, management of the relationship between Customer and CenturyLink, including, but not limited to and where applicable, employees’ and authorized representatives’ names and business contact information. The parties acknowledge and agree that each is a controller with respect to any such personal data exchanged as contemplated in this Section, and any such personal data is provided on a controller-to-controller basis. Any personal data exchanged in accordance with this Section shall be limited to the extent necessary for the parties to perform their obligations or exercise their rights hereunder.

 

3. CenturyLink Provided Third Party Services and Software

  1. Notwithstanding anything in the Agreement to the contrary, CenturyLink may, in its sole and absolute discretion, subcontract any or all of the work to be performed with respect to the Services, including but not limited to, storage, hosting, and processing, provided that CenturyLink will remain responsible for the performance of CenturyLink’s obligations hereunder. Any applicable IP indemnity in the Agreement does not apply to any third party components provided herein.
  2. In conjunction with the Services, you may be allowed to use certain software developed and owned by third parties (“Third Party Software”). The Customer’s election to use the Third Party Software constitutes acceptance of additional terms and conditions identified below or located at an applicable URL to be provided by CenturyLink or its third party. In addition, Customer consents to the installation of Third Party Software on Customer owned and managed systems and agrees to provide appropriate permissions or consent in order for CenturyLink to perform the Services. CenturyLink is not responsible for any hardware issues arising from or related to the installation of Third Party Software.
  3. Mobile Access to SLM Services.
    If applicable, Authorized Users may access certain SLM Services through mobile applications obtained from third-party websites such as the Android or Apple app stores. The use of mobile applications may be governed by the terms and conditions presented upon download/access to the mobile application and not by the terms of the Agreement.
  4. Emergency Response Services.
    Customer and not CenturyLink is solely responsible for ensuring that Emergency Response Services remediation efforts and/or recommendations from CenturyLink and/or its third-party vendor are consistent and aligned with its applicable security standards and/or obligations. Customer is further responsible for taking any action necessary to bring the Emergency Response Services into compliance with its requirements or obligations.

    Customer may, acting reasonably, request the replacement of personnel for any lawful reason by notifying CenturyLink in writing designating the personnel to be replaced. Upon receipt of such reasonable written request, CenturyLink will use reasonable efforts to remove such designated personnel if technically feasible under the circumstances and terminate any access such removed personnel had to Customer facilities, premises, equipment, information, networks or systems.

    CenturyLink or its vendor may engage any subcontractors in connection with the provision of Emergency Response Services (each, a "Subcontractor"). CenturyLink and/or its vendor will ensure that any such Subcontractor will be bound by confidentiality and security requirements consistent with the confidentiality obligations of the Agreement. Customer acknowledges that information may be transmitted or processed by CenturyLink’s vendors and/or Subcontractors in connection with providing Emergency Response Service.

 

4. Emergency Response Services.
The Emergency Response Services are modeled around the NIST Cyber Security Framework and employ Digital Forensics and Incident Response (DFIR) best practices. CenturyLink does not represent, warrant or guarantee that all steps will be implemented or followed during the investigation of an Incident.
CenturyLink or its vendor may deploy Third Party Software to Customer devices to support threat identification, containment and eradication needs. Customer agrees to promptly remove all technologies and tools once Emergency Response Services come to a close.
Customer consents to the transfer of Customer information that CenturyLink deems necessary to CenturyLink’s vendor in order to provide the Service.