1. DEFINITIONS.
“Affiliate” means an entity: (i) in which Customer owns more than fifty percent (50%) of the issued share capital thereof; or (ii) which is under common ownership with the Customer, and which is thereby indirectly controlled by Customer. As used herein, “control” shall mean the power to direct or cause the direction of the management and policies of an entity. Any such entity shall be considered an Affiliate for only such time as the Customer demonstrably continues to control such entity and own such interest.
“ACV” means Annual Contract Value.
“Customer” means the individual or entity who has a valid license to use the Eligible Solution for its own internal purpose.
“Customer Agreement” means the agreement(s) in place between Veeam and Customer (and, to the extent applicable, any authorized Veeam Reseller) governing Customer’s use of the Eligible Solution, including but not limited to EULA.
“Customer Data” means any data from Customer’s production environment that was backed up using the Eligible Solution.
“Discovery Date” means the date on which Customer first reasonably concludes or should have concluded, as determined by Veeam based on the facts as described by the Third Party Forensic Consultant, that it is the victim of a Ransomware Incident.
“Discovery Time” means the time at which Customer first reasonably concludes or should have concluded that it is the victim of a Ransomware Incident.
“Eligible Solution” means the software and the services associated with, or included in the Veeam Data Platform “Premium Edition”, for a term of no less than three (3) years and a Manufacturers Suggested Retail Price (“MSRP”) of no less than two hundred thousand U.S. dollars ($300,000 ACV) or the equivalent amount in foreign currency (calculated as of the date of the initial subscription), which must cover the entirety of Customer’s production environment. For the avoidance of doubt, any purchase of or subscriptions to the Veeam Data Platform “Premium Edition” with Premier Support for which discounts bring the MSRP below $200,000 ACV will not be considered an Eligible Solution, nor will the use of the Veeam Data Platform “Premium Edition” with Premier Support to host or provide services to Customer’s end customers. The Veeam Data Platform “Premium Edition” consists of all the following product(s): Veeam Backup and Replication, Veeam ONE and Veeam Recovery Orchestrator.
“Event Date” means the date the Ransomware Incident began, as determined by reasonable investigation.
“Payment” means reimbursement of reasonable Recovery Incident Expenses that directly result from a Recovery Incident.
“Pre-existing Incident” means the actual or reasonably suspected presence of Ransomware in the Customer environment(s), as determined by Veeam based on reports or information provided to Veeam by Customer and prepared by a Third Party Forensic Consultant, (i) prior to Customer’s applicable Warranty Period or (ii) during a period of non-compliance with any Veeam Security Assessment Check and/or the Requirements within Customer’s applicable Warranty Period.
“Ransomware Incident” means an incident or event wherein malware from an unauthorized source infects Customer’s systems, and which (1) encrypts a material portion of Customer’s computer systems, files and/or data, rendering them unusable and (2) includes a demand for payment to decrypt the encrypted computer systems, files, and/or data. For avoidance of doubt, a Ransomware Incident does not include any (i) malware directly, intentionally, or by gross negligence introduced by Customer, its employees, agents, Affiliates, or other party authorized to access Customer’s internal systems, to those Customer internal systems; or (ii) unsuccessful Recovery of Customer Data due to (a) Customer’s lost access credentials (including encryption keys), which Veeam has no obligation to recover, or (b) failure of a cloud service provider or other third-party service provider outside Veeam’s control. A Ransomware Incident that forms part of the same, continuous, related or repeated earlier Ransomware Incident shall be subject to the terms, conditions, exclusions, and Cap in effect on the Event Date of the first discovered Ransomware Incident.
“Recovery Incident” means an unsuccessful Recovery (defined in Section 2.a).
“Recovery Incident Expenses” means solely any fees and expenses reasonably necessary to restore, or recover, Customer Data under the Warranty in effect on the Event Date to the extent such fees and expenses are incurred by Customer and paid as a direct result of a Recovery Incident. A fee or expense qualifies as “Recovery Incident Expenses” only if it is: (1) incurred by Customer after obtaining Veeam’s written approval to procure such services or incur such expenses; (2) paid to a third party approved in writing by Veeam; (3) incurred by Customer within one (1) year following the Discovery Date of the applicable Ransomware Incident; and (4) such payment and/or reimbursement does not violate any applicable domestic or foreign law, statute, regulation or rule as determined by Veeam at its sole discretion. Recovery Incident Expenses do not include any (i) third-party payment or ransom demanded or requested in connection with the Ransomware Incident; (ii) third-party restoration, recovery, or recreation attempts not approved in advance by Veeam, (iii) costs related to or resulting from a Pre-Existing Incident, (iv) costs related to the Customer procuring new hardware, infrastructure, or related services, (v) costs of restoration, recovery, or recreation of Customer Data not successfully replicated to the Eligible Solution, (vi) attorney’s fees, (vii) Third Party Forensic Consultant fees, or (viii) fees or costs associated with any Customer data breach notification obligations stemming directly or indirectly from a Ransomware Incident.
“Third Party Forensic Consultant” means any third party firm, vendor, service provider and/or consultant(s), to the extent the foregoing are reputable and established in the industry, designated by Customer for the purposes of conducting an information technology forensic investigation into any actual or suspected Ransomware Incident and/or performing Veeam Security Assessment Checks, and with whom Customer maintains a contractual relationship for the provision of such services. This Warranty Agreement will not take effect until Customer notifies Veeam of the identity of the Third Party Forensic Consultant, and Veeam explicitly approves the Third Party Forensic Consultant, such approval not to be unreasonably withheld. Customer must notify Veeam of any changes to the Third Party Forensic Consultant; and in the event of such change, the Warranty Agreement shall be null and void without Veeam’s prior, explicit approval, such approval not to be unreasonably withheld.
“Veeam ProPartner” means an individual or entity with which Veeam has executed a Veeam ProPartner agreement. For further reference, Customer can find a current list of Veeam ProPartners by visiting Veeam’s homepage, navigating to the “Partners” tab, and then to the “Find a Partner” page.
“Veeam Security Assessment Check” means a periodic, as specified in Section 4.b. below, audit of Customer’s Eligible Solution configurations, performed by Veeam personnel, Veeam ProPartners, and/or the Third Party Forensic Consultant, including but not limited to the requirements set forth in Section 4.c to ensure the Eligible Solution is optimized for data protection, recovery, and restoration operations. This term also includes recommendations provided by Veeam personnel or Veeam ProPartners following such an audit.
“Warranty Period” means the period commencing on the date of the Customer’s initial Veeam Security Assessment Check that confirms the Eligible Solution is configured to meet the Requirements and shall continue for the term of the Eligible Solution’s initial subscription term, unless suspended for Customer’s non-compliance with its obligations under the Warranty Agreement, or terminated earlier in accordance with Section 8.e of the Warranty Agreement or applicable terms of the Customer Agreement.
2. RANSOMWARE RECOVERY WARRANTY.
a. The Warranty. Veeam warrants to Customer that in the event of a Ransomware Incident, as the primary incident, affecting Customer’s systems running the Eligible Solution, with an Event Date during the Warranty Period, the Eligible Solution will enable Customer to materially restore the Customer Data to the last clean and usable backup (“Recovery”). If Recovery of such Customer Data is not successful due to a failure of the Eligible Solution, as determined by Veeam, Customer’s sole and exclusive remedy, and Veeam’s entire liability, subject to the terms herein, will be to reimburse Customer for its Recovery Incident Expenses directly resulting from the Recovery Incident (“Payment”), not to exceed an amount equal to the lesser of the actual, annual amount spent by Customer for the Eligible Solution or five million U.S. dollars ($5,000,000) or the equivalent amount in foreign currency (calculated as of the date of Payment) (“Cap”).
Aggregate Payments for multiple Recovery Incidents with Event Dates in the Warranty Period shall not exceed the Cap. This Warranty extends only to Customer and its Recovery Incident Expenses and does not extend to any third parties (including, but not limited to Customer’s affiliates, suppliers, service providers, clients, customers, employees or agents of Customer) or any of their losses or damages. It is the responsibility of Customer to provide all information necessary for Veeam to determine whether Payment is appropriate.
b. Disclaimer. EXCEPT FOR THE LIMITED WARRANTY PROVIDED IN SECTION 2.a OF THIS WARRANTY AGREEMENT AND ANY WARRANTIES PROVIDED IN THE CUSTOMER AGREEMENT, THE ELIGIBLE SOLUTION IS PROVIDED AS IS.
3. CONDITIONS PRECEDENT TO WARRANTY PAYMENT. Veeam shall only provide Payment to Customer if, based on information furnished to Veeam by Customer (which may include information furnished to Customer by Veeam, Veeam ProPartners or Third Party Forensic Consultant), at the date of the Ransomware Incident and throughout the Warranty Period:
a. Customer has maintained an active subscription for the Eligible Solution for the entire Customer production environment;
b. Customer has deployed the most recent version of the Eligible Solution, as further described in Section 4.c, including the latest security patch available prior to the Event Date of the applicable Ransomware Incident;
c. Customer has completed all Veeam Security Assessment Checks and implemented all Veeam Security Assessment Check recommendations in a timely manner;
d. The Event Date and Discovery Time of the Ransomware Incident occurred, was discovered by Customer, and reported to Veeam during the Warranty Period, and in accordance with Section 5;
e. Customer has remained in compliance with its Customer Agreement, including, without limitation, any payment obligations;
f. Customer has fully cooperated with Veeam, Veeam ProPartners, and/or the Third Party Forensic Consultant, including without limitation by (i) implementing all remedial and security measures required by Veeam including the Requirements, (ii) providing Veeam and/or the Third Party Forensic Consultant with all documentation, permissions, and access to relevant infrastructure required to verify Customer is entitled to a Warranty Payment to include, without limitation, all necessary logs and data required to verify the existence of a Ransomware Incident, and (iii) complying with the Reimbursement Request process set forth in Section 7;
g. Any systems to which Customer seeks to restore Customer Data are free of any malware, bugs, back-doors, viruses, Trojan horses, or other malicious code, and are otherwise secured; and,
h. This Warranty is not restricted or prohibited by applicable law.
4. REQUIREMENTS. Customer acknowledges and agrees that security threats evolve over time, and that Customer is responsible for maintaining the security of its computer systems, files and data (including securing its access credentials) in accordance with the then-current industry best practices. To qualify for the Warranty, in addition to the measures set forth in Section 3, Customer must comply, and demonstrate to Veeam’s satisfaction that it has complied, with the following minimum-security requirements, throughout the Warranty Period (“Requirements”):
a. Data Security Best Practices. Customer must follow the security best practices as defined in the latest version of Veeam Security Best Practices and Veeam Security Assessment Checklist as may be updated from time to time. For the avoidance of doubt, it is the responsibility of Customer to monitor and maintain compliance with Veeam Security Best Practices and Veeam Security Assessment Checklist.
b. Customer Veeam Security Assessment Checks. Customer must agree to conduct the following Veeam Security Assessment Checks, which, for avoidance of doubt, include granting Veeam, Veeam ProPartners, and/or the Third Party Forensic Consultants the necessary access and permissions to conduct the Security Assessment Checks, and to implement Veeam’s resulting recommendations:
i. At initial deployment. Customer must notify Veeam Customer Support before deploying the Eligible Solution in production, and Veeam, Veeam ProPartners, and/or the Third Party Forensic Consultant will conduct an initial deployment Veeam Security Assessment Check to confirm the Eligible Solution is configured properly and meets the applicable Requirements at that time.
ii. On a quarterly basis.
iii. Upon experiencing a Ransomware Incident. Customer will allow Veeam, Veeam ProPartners, and/or the Third Party Forensic Consultant to audit, and will provide to Veeam, Veeam ProPartners, and/or the Third Party Forensic Consultant, as applicable, documentation, permissions, and access to, relevant systems and environments required to verify the required security measures under this Warranty Agreement have remained in place throughout the Warranty Period, as well as to verify that an applicable Ransomware Incident has indeed occurred.
c. Additional Requirements. Customer represents and warrants that no existing Ransomware Incident or any failures, crashes, security breaches or incidents, or other adverse events are affecting, or have affected, Customer Data and/or the Customer environment(s), systems, or software. In addition, Customer must:
i. Implement updates and upgrades to the Eligible Solution as soon as reasonably practicable, in consultation with Veeam; and in no event later than three (3) months after the date of the latest release;
ii. Implement change management best practices and inform Veeam of any planned changes to the Customer environment(s), systems, or software that may affect the security or efficacy of the Eligible Solution; and
iii. Implement such other security measures and best practices as may be required by Veeam from time to time over the course of the Warranty Period, whether or not included and published to the Veeam Security Best Practices and Veeam Security Assessment Checklist.
5. NOTIFICATION OF RANSOMWARE INCIDENT. If Customer discovers a Ransomware Incident during the applicable Warranty Period, Customer must notify Veeam within twelve (12) hours of the Discovery Time of such Ransomware Incident by opening a support ticket through the Veeam support portal available at Veeam Support or directly with the Coveware by Veeam incident response team.
6. PERSONAL DATA. This Warranty Agreement shall not require that Customer disclose to Veeam, or that Veeam access, process or store, any Personal Data maintained by Customer on behalf of its customers or clients. As such, for or during the provision of services under this Warranty Agreement, Customer shall not disclose to Veeam, and Veeam disclaims any responsibility for, Personal Data maintained by Customer on behalf of its customers or clients. Any Personal Data inadvertently disclosed to Veeam by Customer shall be promptly deleted or returned, at Veeam’s discretion. Personal Data shall mean the same as “personal data,” “personal information,” or similar terms under applicable laws and regulations. Any Customer Personal Data provided to Veeam shall be governed by the Customer Agreement and/or the Veeam Privacy Policy, as applicable.
7. REMEDIATION AND REIMBURSEMENT REQUEST PROCESS.
a. Remediation and Reimbursement Request. Subject to this Warranty Agreement, if all remedial measures recommended by Veeam after a Ransomware Incident have been exhausted and Veeam determines a Recovery Incident has occurred, Customer may submit a request for reimbursement of Recovery Incident Expenses (“Reimbursement Request”). Customer must submit such Reimbursement Request to Veeam within six (6) months of Veeam confirming a Recovery Incident and the Reimbursement Request shall include all information available to Customer regarding the Ransomware Incident and Recovery Incident, to include the results and reports of any Veeam or Third-Party Forensic Consultant investigation. Veeam shall review Customer’s Reimbursement Request and Customer shall provide any additional information reasonably requested by Veeam at any time.
b. Payments. Customer shall provide Veeam with evidence of all Recovery Incident Expenses in accordance with Veeam’s instructions. During the Warranty Period, and for a period of three (3) years thereafter, Veeam shall have the right, at its own expense, to inspect, and Customer shall maintain and provide, Customer’s records related to such Recovery Incident Expenses upon reasonable written request during regular business hours. Except to the extent a Reimbursement Request arises out of an event that is later determined (1) not to be a Ransomware Incident, or (2) to relate to a Pre-existing Incident, Veeam hereby waives any and all rights it has or may have to reimbursement of Payments from Customer. Customer shall promptly (but in no event later than 30 days after written notice) reimburse Veeam for all Payments related to a Reimbursement Request that arises out of an event that is later determined not to be a Ransomware Incident or that relates to a Pre-existing Incident. Veeam shall have no obligation to make any Payment that is prohibited by law. Customer must provide Veeam such evidence and assurances that no Payment would be used by Customer to reimburse or pay any person or entity subject to economic sanctions administered or enforced by the U.S. Treasury Department Office of Foreign Assets Control (OFAC), including any such person or entity listed on OFAC’s Specially Designated Nationals and Blocked Persons (SDN) List or otherwise prohibited under relevant law.
8. GENERAL.
a. Entire Agreement. This Warranty Agreement constitutes the entire agreement between Customer and Veeam regarding the Warranty and supersedes any and all prior agreements or communications between the parties with regard to the subject matter hereof. This Warranty Agreement is in addition to and separate from the Customer Agreement; nothing in this Warranty Agreement is intended to supersede, modify or amend the Agreement, including any warranties therein. The confidentiality terms in the Customer Agreement apply to this Warranty including without limitation any communications or information related to a Recovery Incident. In the event of any conflict or inconsistency between the terms of the Warranty Agreement and the Customer Agreement, the Warranty Agreement shall prevail with respect to the subject matter of the Warranty. Veeam may revise the terms and conditions of this Warranty Agreement or terminate the Ransomware Recovery Warranty program at any time without notice and without recourse to Customer; however, such modification or termination will not affect the latest version of the Warranty Agreement electronically accepted by Customer. In the event of a successful Recovery, Customer agrees to participate in a Veeam marketing case study on such Recovery. To the extent Veeam creates such a case study, Veeam and Customer shall agree on any content intended to be publicly available, to include anonymizing such content.
b. Right to Modify or Terminate. In addition to and without limiting Veeam’s rights otherwise set forth herein, Veeam reserves the right to modify or terminate this Warranty Agreement generally or in any jurisdiction, at any time, in its sole discretion, if: (i) the Warranty is construed to be an offer to insure or constitute insurance or an insurance contract or insurance service agreement by any governmental or regulatory authority in any jurisdiction; (ii) Veeam is required to obtain a license or permit of any kind to continue to provide this Warranty in any jurisdiction; or (iii) Veeam determines or a court or arbitrator holds that the provisions of the Warranty or this Warranty Agreement violate applicable law. If Veeam modifies or terminates this Warranty Agreement in accordance with the foregoing, Veeam will process all Reimbursement Requests that Customer submitted prior to or as of the effective date of such modification or termination unless such processing is prohibited by law, regulation, ordinance, order, or decree of any governmental or other authority.
c. Limitation of Liability. IN NO EVENT WILL VEEAM OR ITS SUPPLIERS BE LIABLE (UNDER ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STATUTE, TORT OR OTHERWISE) FOR ANY LOST PROFITS, LOST BUSINESS OPPORTUNITIES, BUSINESS INTERRUPTION, OR SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR LOSSES, OR SUCH DAMAGES OR LOSSES WERE REASONABLY FORESEEABLE; AND IN NO EVENT SHALL VEEAM’S LIABILITY UNDER OR ARISING FROM THIS WARRANTY AGREEMENT EXCEED CUSTOMER’S CAP AS SET FORTH IN SECTION 2.a ABOVE FOR THE WARRANTY PERIOD. Multiple claims or Recovery Incidents shall not expand the limitation specified in the foregoing sentence. Any Payments, damages or losses paid under this Warranty Agreement shall accrue towards any liability cap set forth in the Customer Agreement. If the limitation of liability in this Section 8.c is determined to be invalid under applicable law, this Warranty Agreement shall be deemed null and void.
d. Governing Law. As an addendum to the EULA, this Warranty Agreement shall be governed by and construed in accordance with the governing law as set out in the EULA without applying conflict of law rules. With respect to all disputes and actions arising from or related to this Warranty Agreement, the Parties irrevocably consent to exclusive jurisdiction and venue in the courts set out in the EULA. The United Nations Convention on Contracts for the International Sale of Goods (1980) is hereby excluded in its entirety from application to this Warranty Agreement. Nothing in this Section 16.15 (Governing Law) will limit or restrict either Party from seeking injunctive or other equitable relief from a court of competent jurisdiction.
e. Term and Termination. The term of the Agreement shall be the Warranty Period. Termination of the Customer Agreement shall terminate this Warranty Agreement. Termination of this Warranty Agreement shall not terminate the Customer Agreement. Customer may not assign this Warranty Agreement without the prior written consent of Veeam, except to an Affiliate in connection with a corporate reorganization or in connection with a merger, acquisition, or sale of all or substantially all of its business and/or assets provided Customer provides Veeam with notice of any such assignment no later than thirty (30) days after such assignment or change in control event is public, and provided the assignee demonstrates to Veeam its full and complete compliance with the terms set forth herein. Any assignment in violation of this section shall be void and shall void this Warranty. Subject to the foregoing, all rights and obligations of the parties under this Warranty Agreement shall be binding upon and inure to the benefit of and be enforceable by and against the successors and permitted assigns.
f. This Warranty Agreement is not intended to and shall not be construed to give any third party any interest or rights (including, without limitation, any third party beneficiary rights) with respect to or in connection with any agreement or provision contained herein or contemplated hereby. For the avoidance of doubt, only Customer has the right to enforce this Warranty Agreement or pursue claims relating to it against Veeam.
g. This Warranty is not intended to constitute an offer to insure, does not constitute insurance or an insurance contract, and does not take the place of insurance obtained or obtainable by Customer. Any fees paid by Customer in connection with the Eligible Solution are solely for the use of such Eligible Solution and are not to be construed as an insurance premium.