Symantec Cloud Workload Protection Service Description December 2016 Last revised: 23Feb2016 SYMANTEC PROPRIETARY- PERMITTED USE ONLY Copyright (c) 2016 Symantec Corporation* All rights reserved* Symantec, the Symantec Logo and any other trademark found on the Symantec Trademark List that are referred to or displayed in the document are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U*S* and other countries* Other names may be trademarks of their respective owners* The contents of this document are only for use by existing or prospective customers or partners of Symantec, solely for the use and/or acquisition of the Services described in this document *Service Overview The Symantec Cloud Workload Protection Service (the "Service") provides infrastructure security as a service for workloads on Amazon Web Services ("AWS"), Microsoft Azure ("Azure"), and other cloud platforms * The Service allows businesses to take control of their public cloud infrastructure by providing visibility, security, threat and vulnerability insight from a single console *The Service is designed to eliminate blind spots in public cloud deployment while allowing security organizations to control the behavior of applications and detecting changes to any configuration or application control data in real time * This Service Description, with any attachments included by reference, is part of: (i) any signed agreement between Symantec and Customer that is intended to govern this Service Description; or (ii) if no such signed agreement exists, the Symantec Online Services Agreement or the Symantec Hosted Services Terms, as applicable to your use of the Service Table of Contents *Technical/Business Functionality and Capabilities -Service Features - Customer Use and Responsibilities - Supported Platforms and Technical Requirements -Hosted Service Software Components -Hosted Service Hardware Components -Assistance and Technical Support *Service-Specific Terms -Service Buying Model and Metering -Changes to Subscription or Entitlement -Rights Granted -Service Conditions *Definitions *Data Privacy Notice *EXHIBIT A: EULA for Service Software Symantec Cloud Workload Protection Service Description December 2016 Last revised: 23Feb2016 SYMANTEC PROPRIETARY- PERMITTED USE ONLY Copyright (c) 2016 Symantec Corporation* All rights reserved* Symantec, the Symantec Logo and any other trademark found on the Symantec Trademark List that are referred to or displayed in the document are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U*S* and other countries* Other names may be trademarks of their respective owners* The contents of this document are only for use by existing or prospective customers or partners of Symantec, solely for the use and/or acquisition of the Services described in this document *TECHNICAL/BUSINESS FUNCTIONALITY AND CAPABILITIES Service Features *The Service enables Customer to implement security controls for the public cloud infrastructure* *Customer can access the Service Management Console (SMC) by using a secure password protected login* The SMC provides the ability for Customer to configure and manage the Service, access reports, and view data and statistics when available as part of the Service *The Service is managed on a twenty-four (24) hours/day by seven (7) days/week basis and is monitored for hardware availability, service capacity and network resource utilization* The Service is regularly monitored for service level compliance and adjustments are made as needed *Customer subscribing to the Service has a single pane of glass to define security policies to define host based controls to manage security risks across their AWS and Azure deployments* Customer will be subscribed to the Service with a secure password based authentication to SMC- Optionally, Customer can request and enforce two-factor authentication to the Service *Customer interested in two-factor authentication to access the Service via SMC has a choice to use Symantec VIP (VIP tokens for Administrator)* *Customer must delegate appropriate access to its AWS or Azure deployments to the Service as defined in the Documentation to enable all the capabilities of the Service * The Service gathers appropriate context and metadata about the AWS/Azure instances deployed as seen by the delegated role * This provides instant visibility into the instances *On an instance with the Service Software deployed, the system discovers the deployed applications* This information and the metadata information collected from the cloud platform provide the context to auto recommend appropriate HIPS and HIDS policies *The Service with native integrations into AWS and Azure delivers scale out security for public cloud infrastructure- For example, an instance that belongs to an autoscaling group will be automatically protected at the same level as the other instances in the same autoscaling group* The threat and vulnerability overview allows for quick insight into identifying and managing exploits across the public cloud deployments managed by the Service *The Service collects the Symantec DeepSight threat and vulnerability feeds to correlate with the discovered software in order to provide an accurate picture of the threat and vulnerability exposure to the AWS/Azure deployments *Appropriate remediation tasks are suggested to take an appropriate action as a means of providing compensating controls for detected threats *The Service allows Customer to view the alerts and events generated as a result of the monitoring/enforcement of the policies- The Service further allows the Administrator (or the DevOps individual) to tune the policies in response while reviewing the events *The Service allows for the policy groups defined via the SMC to be automatically available to the instances that are available *Suggested word lists and template rules or policies supplied by Symantec contain words which may be considered offensive *In the event that continued provision of the Service to Customer would compromise the security of the Service, including, but not limited to, hacking attempts, denial of service attacks, mail bombs or other malicious activities either directed at or originating from Customer's domains, Customer agrees that Symantec may temporarily suspend Service to Customer* In such an event, Symantec will promptly inform Customer and will work with Customer to resolve such issues* Symantec will reinstate the Service upon removal of the security threat *Should a Service be suspended or terminated for any reason whatsoever, Symantec shall reverse all configuration changes made upon provisioning the Service and it shall be the responsibility of Customer to undertake all other necessary configuration changes when the Service is reinstated* *Customers shall have access to the Service to download Events and Alerts information for up to 30 days after termination of the Service *Customer Use and Responsibilities Customer may use the Service only in accordance with the use meter or model under which Customer has obtained use of the Service: (i) as indicated in the applicable Subscription Instrument or Order Confirmation; and (ii) as defined in this Service Description or the Agreement. Symantec can only perform the Service if Customer provides required information or performs required actions. If Customer doe s not provide/perform per the following responsibilities, Symantec's performa nce of the Service may be delayed, impaired or prevented, as noted below. *Setup Enablement: Customer must provide information required for Symantec to begin providing the Service. *Adequate Customer Personnel: Customer must provide adequate personnel to assist Symantec in delivery of the Service, upon reasonable request by Symantec. *It is the customer's responsibility to update the AWS settings and/or Azure subscriptions with any changes in the Customer Environment to get the right protections. *Customer Configurations vs. Default Settings: Customer must configure the features of the Service through the SMC, if applicable, or default settings will apply. In some cases, default settings do not exist and no Service will be provided until Customer chooses a setting. Configuration and use of the Service(s) are entirely in Customer's control. Supported Platforms and Technical Requirements *Supported platforms for the Service are defined in the Documentation. Hosted Service Software Components *The Service includes the following Service Software: Symantec Cloud Workload Protection Agent Hosted Service Hardware Components The Service includes the following hardware Service Components, upon payment of the applicable fee: *If the Customer chooses to configure two-factor authentication, Customer may procure such two-factor authentication token from Symantec. Assistance and Technical Support Customer Assistance *Symantec will provide the following assistance a part of the Service, during regional business hours: *Receive and process orders for implementation of the Service *Receive and process requests for permitted modifications to Service features; and *Respond to billing and invoicing questions Technical Support *If a Customer is entitled to receive technical support from a Symantec reseller, please refer to the applicable agreement with that reseller for details regarding such technical support, and the technical support described herein will not apply to the Customer. If a Customer is not entitled to receive technical support from a Symantec reseller, the following technical support ("Support") is included with the Service. *Support available on a twenty- four (24) hours/day by seven (7) days/week basis to assist Customer with configuration of the Service features and to resolve reported problems with the Service. *Whenever a Customer raises a problem, fault or request for Service information via telephone or web or portal submission with Symantec, its priority level is determined and it is responded to per the response targets defined in the table below. Faults originating from Customer's actions or requiring the actions of other service providers are beyond the control of Symantec and as such are specifically excluded from this Support commitment. PROBLEM SEVERITY SUPPORT: Severity1: A problem has occurred where no workaround is immediately available in one of the following situations: (i) Customer's production server or other mission critical system is down or has had a substantial loss of service; or (ii) a substantial portion of Customer's mission critical data is at a significant risk of loss or corruption. SUPPORT (24x7) RESPONSE TARGETS FOLLOWING ACKNOWLEDGEMENT: within 30 minutes Severity 2: a problem has occurred where a major functionality is severely impaired. Customer's operations can continue in a restricted fashion, although long -term productivity might be adversely affected. SUPPORT (24x7) RESPONSE TARGETS FOLLOWING ACKNOWLEDGEMENT: within 2 hours Severity 3: a problem has occurred with a limited adverse effect on Customer's business operations. SUPPORT (24x7) RESPONSE TARGETS FOLLOWING ACKNOWLEDGEMENT: by same time next business day Severity 4: One of the following: a problem where Customer's business operations have not been adversely affected or a suggestion for new features or an enhancement regarding the Service or Service Software SUPPORT (24x7) RESPONSE TARGETS FOLLOWING ACKNOWLEDGEMENT: within the next business day; Symantec further recommends that Customer submit Customer's suggestion for new features or enhancements to Symantec's forums Maintenance. Symantec must perform maintenance from time to time. The following applies to such maintenance: *Planned Maintenance: For Planned Maintenance, Symantec will use commercially reasonable efforts to give Customer seven (7) calendar days notification, via email, SMS, or as posted on the SMC. Symantec will use commercially reasonable efforts to perform Planned Maintenance at times when collective customer activity is low, in the time zone in which the affected Infrastructure is located, and only on part, not all, of the network. If possible, Planned Maintenance will be carried out without affecting the Service. During Planned Maintenance, Service may be diverted to sections of the Infrastructure not undergoing maintenance in order to minimize disruption of the Service. "Planned Maintenance"means scheduled maintenance periods during which Service may be disrupted or prevented due to non-availability of the Service Infrastructure. *Emergency Maintenance: Where Emergency Maintenance is necessary and is likely to affect the Service, Symantec will endeavor to inform the affected parties in advance by posting an alert on the applicable SMC no less than one (1) hour prior to the start of the Emergency Maintenance. "Emergency Maintenance"means unscheduled maintenance periods which during which Service may be disrupted or prevented due to non- availability of the Service Infrastructure or any maintenance for which Symantec could not have reasonably prepared for the need for such maintenance, and failure to perform the maintenance would adversely impact Customer. *Routine Maintenance (SMC). Symantec will use commercially reasonable efforts to perform routine maintenance of SMCs at times when collective Customer activity is low to minimize disruption to the availability of the SMC. Customer will not receive prior notification for these routine maintenance activities. SERVICE-SPECIFIC TERMS Service Buying Model and Metering Pay for Use *Customer pays in arrears for the Service based on what was consumed in the prior month. *The consumption for each instance is calculated based on the number of hours the applicable instance(with Service Software installed) is in "Running"status as indicated on the SMC. *Billing increments are computed by the hour with a minimum of one hour *Customer can run the Service on any number of server instances for any number of hours without a predetermined limit. *Symantec will invoice Customer monthly, based on the calculation described above. Notwithstanding anything to the contrary in the Agreement, Customer acknowledges that the Agreement constitutes legally binding obligation to pay the applicable fees for all committed items as specified herein. *Pay for Use continues until Customer terminates the Service. *Customer can terminate the Service by sending a written request to 3S_Orders@symantec.comat least thirty (30) days before the desired termination date. A notice of termination takes effect upon the later of: (a) at the end of the month after the 30-day notice period is over; or (b) if applicable, the termination of annual subscription. Any notice given according to this procedure will be deemed to have been given when received. Annual Subscription *Customers can reduce the monthly bill by purchasing annual subscriptions and prepaying for a pre-determined capacity. *One annual subscription entitles Customer to protection of one (1) unnamed server for one (1) year. *Annual subscriptions fees must be prepaid. *Customer cannot purchase annual subscriptions alone. In order to cover any potential overage, Customer must maintain an active account for Pay for Use at the same time. *No credit or refund will be due to the Customer for any expired or unused services. Changes to Subscription or Entitlement If a Customer has received Subscription or Entitlement directly from Symantec, communication regarding permitted changes of the applicable Subscription or Entitlement must be sent to the following address: 3S_orders@symantec.com, unless otherwise noted in Customer's agreement with Symantec * Any notice given according to this procedure will be deemed to have been given when received. If you have received your Subscription or Entitlement through a Symantec reseller, please contact your reseller. Service Conditions *Customer may not disclose the results of any benchmark tests or other tests connected with the Service to any third party without Symantec's prior written consent. *The use of any Service Software shall be governed by the license agreement accompanying the software. If no EULA accompanies the Service Software, it shall be governed by the terms and conditions located at (http://www.symantec.com/content/en/us/enterprise/eulas/b-hosted-service-component-eula-eng.pdf). Any additional rights and obligations with respect to the use of such Service Software shall be as set forth in this Service Description. *Except as otherwise specified in the Service Description, the Service (including any Service Software provided therewith) may use open source and other third party materials that are subject to a separate license. Please see the applicable Third Party Notice, if applicable, at http://www.symantec.com/about/profile/policies/eulas/. *Customer shall comply with all applicable laws with respect to use of the Service. In certain countries it may be necessary to obtain the consent of individual personnel. Configuration and use of the Service is entirely in Customer's control, therefore, Symantec is not liable for Customer's use of the Service, nor liable for any civil or criminal liability that may be incurred by Customer as a result of the operation of the Service. Further, Customer shall at all times remain responsible for its implementation of a policy, and Symantec shall not be responsible or liable for Customer's implementation of any such policy. *Symantec may update the Service at any time in order to maintain the effectiveness of the Service. *The Service may be accessed and used globally, subject to applicable export compliance limitations and technical limitations in accordance with the then-current Symantec standards. *Symantec may update the out-of-the-box policies anytime. Similarly, new policies may be made available at any time. *Any templates supplied by Symantec are for use solely as a guide to enable Customer to create its own customized policies and other templates. DEFINITIONS Capitalized terms used in this Service Description, and not otherwise defined in the Agreement or this Services Description, have the meaning given below: "Administrator"means a Customer User with authorization to manage the Service on behalf of Customer. Administrators may have the ability to manage all or part of a Service as designated by Customer. "DevOps"is a role in an organization that combines a traditional engineer, operations and other IT roles involved in deploying and ongoing maintenance of infrastructure and its configuration changes. "Documentation" means the product documentation Symantec provides for use with the Service. "End User License Agreement (EULA)" means the terms and conditions accompanying Software (defined below). "HIDS" means host-based intrusion detection system, which detects an intrusion and/or misuse, and responds by logging this activity and notifying the designated authority. This includes user and admin activity, access to objects including files, folders, registry and directories. "HIPS" means host-based intrusion prevention system, which prevents the known and unknown suspicious activity from executing on the host. "Service Software" means Software (defined below), as may be required by a Service, which must be installed on each Customer computer, in order to receive the Service. Service Software includes the Software and associated documentation that may be separately provided by Symantec as part of the Service. "Software" means each Symantec or licensor software program, in object code format, licensed to Customer by Symantec and governed by the terms of the accompanying EULA, or this Service Description, as applicable, including without limitation new releases or updates as provided hereunder. "Subscription Instrument" means one or more of the following applicable documents which further defines Customer's rights and obligation related to the Service: a Symantec certificate or a similar document issued by Symantec, or a written agreement between Customer and Symantec, that accompanies, precedes or follows the Service. "Symantec Hosted Service Terms"means the terms and conditions located at or accessed through: https://www.symantec.com/about/legal/service-agreements.jsp "Symantec Online Service Terms"means the terms and conditions located at or accessed through: https://www.symantec.com/about/legal/service-agreements.jsp DATA PRIVACY NOTICE *The Service utilizes the LiveUpdate functionality. For the LiveUpdate functionality, please refer to the LiveUpdate privacy notice available at http://www.symantec.com/about/profile/policies/luprivacy.jsp *In connection with Customer's use of the Service, Symantec may collect, retain, disclose and use certain information("Collected Data"). Collected Data may include, but is not limited to, personally identifiable information about Customer, Customer's devices or systems or Customer's software usage. Symantec uses such Collected Data to enable, optimize and provide the Service or technical support to Customer (and may engage third parties to do so as well), to administer and enforce its license agreements with Customer, and to improve Symantec's products and services in general, including by reviewing aggregate data for statistical analyses. By using the Service, Customer agrees to allow Symantec to collect Collected Data as described in this section. Please refer to Symantec's product privacy notices at http://www.symantec.com/about/profile/privacypolicy/ in order to fully understand what information Symantec collects, retains, discloses, and uses from Customer or Customer's devices. Please note that the use of the Service may be subject to data protection laws or regulations in certain jurisdictions. Customer is responsible for ensuring that Customer's use of the Service is in accordance with such laws or regulations. END OF SERVICE DESCRIPTION Symantec Cloud Workload Protection Service Description December 2016 Last revised: 23Feb2016 SYMANTEC PROPRIETARY PERMITTED USE ONLY Copyright 2016 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo and any other trademark found on the Symantec Trademark List that are referred to or displayed in the document are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The contents of this document are only for use by existing or prospective customers or partners of Symantec, solely for the use and/or acquisition of the Services described in this document.