STANDARD TERMS AND CONDITIONS FOR SERVICES AND CONSULTING CIS CONTROLS MEMBERSHIP
Upon purchase of Membership by Customer, these Terms and Conditions shall constitute an agreement between Center for Internet Security, Inc. (“CIS”) and a Services and Consulting CIS Controls Member (the “Agreement”).
I. Definitions
Affiliate means any corporation, firm, limited liability company, partnership or other entity that directly or indirectly controls or is controlled by or is under common control with a Party. Affiliate excludes any entity that is located in or organized under the laws of the People’s Republic of China, including the Hong Kong Special Administrative Region.
CIS Controls means the CIS Critical Security Controls.
CIS CSAT Pro means the CIS Controls Self-Assessment Tool available through CIS Workbench for assessing and tracking implementation of the CIS Controls.
CIS Workbench means the community website for accessing CIS resources.
II. Membership Benefits
Under the terms and conditions set forth in this Agreement, CIS grants to Consultant a Services and Consulting CIS Controls Membership that entitles Consultant to the following benefits:
A. Organizational Use
1. Access to and use of the CIS Controls and CIS CSAT Pro via CIS Workbench for use within and among Consultant’s Affiliates.
2. Electronic notification of updates to the CIS Controls and CIS CSAT Pro.
3. The right to use the CIS Controls logo on Consultant’s websites and documents in accordance with the terms and conditions of the CIS Logos, Trademark and Intellectual Property Use Policy set forth at https://www.cisecurity.org/cis-logos-and-trademark-use-policy/ as such Policy may be amended from time to time.
B. Consulting Use
1. The right for Consultant to download, install, and use CIS CSAT Pro on Consultant’s customers’ computers, for the sole purpose of providing organizational security consulting services to those customers of Consultant (“Consultant Clients”) provided that, at the end of each consulting/auditing engagement, Consultant must remove all copies of CIS CSAT Pro from Consultant Clients’ computers, networks, systems, and organizational environments that have been installed or provided to those Consultant Clients.
2. Notwithstanding any license terms for the CIS Controls to the contrary, CIS hereby provides Consultant a non-exclusive, non-transferable worldwide license to use the CIS Controls in the context of any consulting engagement, including developing Customized Policies as defined below.
3. The right for Consultant to assist Consultant Clients in developing security configuration and/or security metrics policies that are specifically customized to meet Consultant Clients’ information security needs (“Customized Policies”), provided that Consultant Clients agree to:
a. use any Customized Policies only for securing Consultant Clients’ internal systems; and
b. not distribute any Customized Policies beyond Consultant Clients’ organizations.
Once a Customized Policy is created by Consultant, Consultant may represent to Consultant Clients that such Customized Policy leverages CIS Controls but not that CIS has certified such Customized Policy in the assessment against CIS Controls.
4. The right for Consultant to use the CIS Controls marks on reports and related materials prepared for Consultant Clients, in accordance with the terms and conditions of the CIS Logos, Trademark, and Intellectual Property Use Policy set forth at https://www.cisecurity.org/cis-logos-and-trademark-use-policy/ as such Policy may be amended from time to time.
5. CIS agrees that Consultant Clients may be charged for training, installation, programming and other services, even if those services relate to the CIS Controls and CIS CSAT Pro.
Consultant is not required to remove Customized Policies from Consultant Clients’ computers, networks, systems, and organizational environments at the end of consulting/auditing engagements.
C. Membership Restrictions
1. Consultant agrees that Consultant Clients cannot be charged directly for the CIS Controls and CIS CSAT Pro and that neither Consultant nor any Consultant Clients may sell, resell, or distribute the CIS Controls and CIS CSAT Pro except as expressly permitted in this Agreement.
2. Consultant agrees not to provide CIS with any personal information, as defined under the Personal Information Protection Law of the People’s Republic of China (“PIPL”), of individuals who are citizens of China, including the Hong Kong Special Administrative Region. Failure to comply with the restriction in this Section II.C.2 shall be a material breach of this Agreement.
3. Except as expressly permitted hereunder, nothing in this Agreement shall be construed as conferring any right on Consultant to use in advertising, publicity or other commercial or promotional activities any name, trade name, trademark or other designation of CIS or its products, services or other intellectual property, unless CIS’ express written permission has been obtained in advance of such use.
III. Membership Fee & Term
A. Initial Term. This Agreement will commence on the Effective Date and continue for a preliminary term set forth in an Order, which is hereby incorporated and made a part of this Agreement (the “Initial Term”).
B. Membership Fee. In exchange for the rights granted to Customer during the Initial Term, Consultant agrees to pay CIS the amount stated in the Order (the “Membership Fee”). The Initial Term Membership Fee shall be due and payable within thirty (30) days of the Effective Date. Consultant shall remit the Membership Fee using one of the approved methods listed in the Order.
C. Renewal Term. Following the Initial Term, this Agreement shall automatically renew for successive periods of the same duration as the Initial Term (each a “Renewal Term”) until Consultant gives CIS proper Notice of Cancellation, in accordance with Section III.E, below.
D. Renewal Membership Fee. Sixty (60) days prior to the commencement of each Renewal Term, CIS shall provide Consultant with an Order listing the Membership Fee applicable to the next Renewal Term. If no response, or an affirmative response, is received by CIS on or before the date that is thirty (30) calendar days prior to the commencement of the next Renewal Term, the Agreement shall be deemed renewed. The Renewal Term Membership Fee shall be due and payable thirty (30) days prior to the commencement of the next Renewal Term. Consultant shall pay the Renewal Term Membership Fee using one of the methods listed in the applicable Order.
E. Cancellation. Consultant may cancel this Agreement by providing notice to CIS prior to the commencement of any Renewal Term (a “Notice of Cancellation”). To be effective, such Notice of Cancellation must be in writing, and must be received by CIS on or before thirty (30) days prior to the commencement of the next Renewal Term.
F. Taxes. No Membership Fee payable under this Agreement shall be reduced by any amount for taxes or fees to be collected by a taxing jurisdiction, financial institution or payment processor incidental to Customer’s payment of any Membership Fee.
G. Contact Information. Consultant shall designate a primary point of contact for this Agreement (the “Primary Contact”) and provide CIS with current information, including a valid email address, for this Primary Contact. Consultant is solely responsible for notifying CIS of any changes to the identity or contact details of the Primary Contact. Consultant’s failure to timely update CIS with revised information for its Primary Contact shall not excuse Consultant from the obligation to pay any Renewal Term Membership Fee that would otherwise be charged under this Section.
IV. Termination
A. Right to Terminate for Cause or Convenience. Both CIS and Consultant shall have the right to terminate this Agreement for convenience or nonperformance by the other Party by providing at least thirty (30) days written notice. Both CIS and Consultant shall have the right to terminate this Agreement immediately in the event of the other Party’s material breach of this Agreement. Material breach shall include any Party’s violation of applicable law, and Customer’s failure to comply with the data restriction set forth in Section II.C.2 of this Agreement. Consultant will cease use of the CIS SecureSuite Products as of the date of such termination.
B. Non-Payment of Membership or Renewal Membership Fee. If Consultant fails to timely remit any undisputed Membership Fee, CIS reserves the right to restrict Consultant’s access to the CIS SecureSuite Products until full payment has been received. Should CIS, in its sole discretion, permit continued usage of the CIS SecureSuite Products despite Consultant’s non-payment or partial payment, such action shall not be construed as CIS’ waiver or relinquishment of any rights granted under this Agreement or of the future performance of any such term or condition, and Consultant’s obligations with respect thereto shall continue in full force and effect.
C. Membership Fee Refund.
i. Refund for One-Year Term Agreements. In the event of termination by CIS for nonperformance or material breach by Consultant, or for convenience by Consultant, Consultant will not be entitled to a refund of any Membership Fee that has been paid. In the event of termination by Consultant for nonperformance or material breach by CIS, or for convenience by CIS, Consultant may request a prorated refund of any unused Membership Fee that has been paid.
ii. Refund for Multi-Year Term Agreements. In the event of termination by CIS for nonperformance or material breach by Consultant, or for convenience by Consultant, Consultant will not be entitled to a refund of any Membership Fee that has been paid and is applicable to the current year of the Term or Renewal Term, but will be entitled to a refund of any portion of the Membership Fee applicable to subsequent years within the Term or Renewal Term. In the event of termination by Consultant for nonperformance or material breach by CIS, or for convenience by CIS, Consultant may request a prorated refund of any unused Membership Fee that it has paid for any portion of the Membership Fee applicable to future years within the Term or Renewal Term.
V. CIS Controls and CIS CSAT Pro Provided As Is
CIS makes reasonable efforts to utilize and maintain the most secure programs available to screen and protect CIS’s computer programs, websites, and computer infrastructure from malware. However, Consultant understands and agrees that CIS is providing the CIS Controls and CIS CSAT Pro “as is” and “as available” without any representations, warranties, or covenants of any kind whatsoever. Consultant bears full responsibility for its use of the CIS Controls and CIS CSAT Pro in assessing its clients’ compliance with the CIS Controls.
VI. Ownership Rights of Intellectual Property and CIS Controls and CIS CSAT Pro Reserved
Neither Consultant nor any Consultant Client is acquiring any title or ownership rights in or to any of the CIS Controls or CIS CSAT Pro or associated intellectual property, and full title and all ownership rights to the CIS Controls and CIS CSAT Pro and associated intellectual property remain the exclusive property of CIS. Consultant further understands and agrees that the use of Trademarks in connection with this Agreement does not create any right, title or interest in or to the use of Trademarks and that all such use and goodwill associated with Trademarks will inure to the sole benefit of CIS. Consultant further agrees that it will comply with the terms and conditions of the CIS Logos, Trademark and Intellectual Property Use Policy set forth at www.cisecurity.org/cis-logos-and-trademark-use-policy/ as such Policy may be amended from time to time. All rights to the CIS Controls and CIS CSAT Pro not expressly granted in this Agreement are hereby reserved.
VII. Restrictions
Consultant acknowledges and agrees that except as otherwise expressly permitted in this Agreement, Consultant may not: (A) decompile, disassemble, alter, reverse engineer, or otherwise attempt to derive the source code for CIS CSAT Pro (except to the extent that such product is already in the form of source code); (B) distribute or redistribute, sell, rent, lease, sublicense or otherwise transfer or exploit any rights to the CIS Controls and CIS CSAT Pro in any way or for any purpose; (C) post the CIS Controls and/or make CIS CSAT Pro available on any website, bulletin board, ftp server, newsgroup, or other similar mechanism or device; (D) remove from or alter the terms of use or any proprietary notice placed on the CIS Controls or CIS CSAT Pro; (E) create any derivative work based directly on the CIS Controls and/or CIS CSAT Pro or any component thereof; (F) represent or claim a particular level of compliance or consistency with any CIS Control and/or CIS CSAT Pro; (G) provide CIS, through Workbench (or otherwise), with personal information that is protected under the PIPL; or (H) facilitate or otherwise aid other individuals or entities in violating this Agreement.
U.S. Export Control and Sanctions Laws - Regarding Consultant’s use of the CIS Controls and/or CIS CSAT Pro with any non-U.S. entity or country, Consultant acknowledges that it is its responsibility to understand and abide by all U.S. sanctions and export control laws as set from time to time by the U.S. Bureau of Industry and Security (BIS) and the U.S. Office of Foreign Assets Control (OFAC).
VIII. Consultant’s Responsibility to Evaluate Risks
Consultant acknowledges and agrees that: Consultant has (and has informed Consultant Clients that they have) the sole responsibility to evaluate the risks and benefits of the CIS Controls and CIS CSAT Pro to Consultant’s and Consultant’s Client’s particular circumstances and requirements including, without limitation, the decision to implement or not to implement one or more of the CIS Controls.
IX. Consultant Indemnification of CIS
Consultant agrees to indemnify, defend, and hold CIS and all of CIS's employees, officers, directors, agents and other service providers harmless from and against any third-party claim, suit or proceeding (including reasonable attorneys’ fees) brought against any of them in connection with Consultant’s material breach of this Agreement.
X. CIS Indemnification of Consultant
CIS shall indemnify, defend, and hold Consultant harmless against any third party claim, suit or proceeding (including reasonable attorneys’ fees) brought against Consultant alleging that the CIS Controls and/or CIS CSAT Pro infringe any patent, copyright, or enforceable trade secret, provided that Consultant: (A) gives CIS prompt written notice of any such claim; (B) allows CIS to control the defense and settlement of such claim; (C) refrains from entering into any settlement or compromise of such claim without CIS’s prior written consent; and (D) provides all assistance reasonably requested by CIS in the defense or settlement of such claim, at CIS’s expense. THIS SECTION SETS FORTH CIS’S SOLE AND EXCLUSIVE LIABILITY, AND CONSULTANT’S SOLE AND EXCLUSIVE REMEDY FOR CIS’S INFRINGEMENT OF THIRD-PARTY RIGHTS OF ANY KIND.
XI. Limitation of Liability
Except as otherwise specified in this Agreement, neither Party will be liable for any indirect, incidental, special, consequential or punitive damages, including without limitation, damages for lost profits, data or use, incurred under this Agreement, whether in an action in contract or tort, even if that Party has been advised of the possibility of such damages.
XII. Confidential Information
A. Confidential Information. Each Party acknowledges that by reason of its relationship with the other Party hereunder, such Party (the “Receiving Party”) might receive access to certain confidential and proprietary information and materials concerning the other Party (the “Disclosing Party”). “Confidential Information” means oral or written non-public information that the Disclosing Party designates as being confidential or which, under the circumstances surrounding disclosure, ought to be treated as confidential, whether provided to the Receiving Party before, on or after the date hereof. “Confidential Information” includes, without limitation, information relating to the Disclosing Party’s software and hardware products, specifications, databases, networks, systems design, file layouts, tool combinations and development methods, and information relating to the Disclosing Party’s business or financial affairs, such as business methods, marketing strategies, pricing, product development strategies and methods, Consultant lists and financial results. “Confidential Information” also includes information received from others that the Disclosing Party is obligated to treat as confidential. “Confidential Information” includes all tangible materials which contain Confidential Information including, without limitation, written or printed documents, computer disk storage, and other magnetic or optical storage media, whether user- or machine-readable.
B. Exclusions. Confidential Information does not include any information that the Receiving Party can demonstrate: (i) was known to the Receiving Party prior to its disclosure hereunder by the Disclosing Party; (ii) was independently developed by the Receiving Party; (iii) is or becomes publicly known through no wrongful act of the Receiving Party; (iv) has been rightfully received from a third party whom the Receiving Party has reasonable grounds to believe is authorized to make such disclosure without restriction; or (v) has been approved for public release by the Disclosing Party's prior written authorization. Confidential Information may be disclosed pursuant to applicable law, regulations or court order or similar proceeding, provided that the Receiving Party provides, where reasonably possible and legally permissible, prompt advance notice thereof to enable the Disclosing Party to seek a protective order or otherwise prevent such disclosure.
C. Use. The Receiving Party acknowledges and agrees that the Disclosing Party’s Confidential Information is of substantial value to the Disclosing Party, which value would be harmed if such information were disclosed to third parties. The Parties agree that, commencing on the Effective Date and thereafter, they will not: (i) use the Disclosing Party's Confidential Information in any way, except in the performance of obligations under this Agreement; or (ii) disclose the Disclosing Party’s Confidential Information to any third party, except to the Receiving Party’s employees who need to know such information, provided such employees have a signed confidentiality agreement with terms no less restrictive than the terms in this Agreement. The Parties will not publish, in any form, the other Party's Confidential Information beyond any descriptions published by said other Party.
D. Ownership of Information. The Parties expressly agree that the Disclosing Party shall retain all ownership in its Confidential Information.
E. Return of Information. In the event of any termination or expiration of this or any other agreement between the Parties: (i) upon the written request of the Disclosing Party, the Receiving Party shall return all copies of Confidential Information to the Disclosing Party; and (ii) except to the extent the Receiving Party is advised in writing by counsel that there is a legal prohibition on so doing, the Receiving Party will also promptly destroy all written material, memoranda, notes and other writings or recordings whatsoever prepared by it or its representatives based upon, containing or otherwise reflecting any Confidential Information of the Disclosing Party. Any Confidential Information that is not returned or destroyed including, without limitation, any oral Confidential Information, shall remain subject to the confidentiality obligations set forth in this Agreement. The Receiving Party may return the Confidential Information, or any part thereof, to the Disclosing Party at any time.
F. Duration. All obligations to protect Confidential Information set forth in this Agreement shall apply during the time of the relationship between the Parties and thereafter, without limitation.
G. Data Privacy. Both Parties agree to comply with all applicable data privacy laws and regulations, including as applicable, the General Data Protection Regulation. The Parties further acknowledge the Standard Contractual Terms found at https://www.cisecurity.org/standard-gdpr-clauses/, which are incorporated herein and are made a part hereof, and by signing this Agreement agree to abide by its terms, to the extent applicable.
XIII. Additional Terms
A. Jurisdiction. Consultant acknowledges and agrees that: (A) this Agreement will be governed by and construed in accordance with the laws of the State of New York; and (B) any action at law or in equity arising out of or relating to this Agreement shall be filed only in the courts located in the State of New York. Consultant hereby consents and submits to the personal jurisdiction of such courts for the purposes of litigating any such action.
B. Counterparts. This Agreement may be executed in separate counterparts each signed by a Party and such counterparts deemed an executed whole with the full force and effect. Signatures may be exchanged by email or electronic signature and such signatures will be deemed original.
C. Entire Agreement; Purchase Orders. This Agreement, including any exhibits referenced herein, constitutes the entire agreement of the Parties with respect to the subject matter hereof, and supersedes all previous written, and all previous or contemporaneous oral negotiations, understandings, arrangements, and agreements. This Agreement may be amended only by a written amendment signed by both Parties.
For the avoidance of doubt, and whether or not CIS is deemed under applicable law to have accepted an offer by Consultant, CIS objects to and rejects all additional and/or inconsistent terms contained in a Purchase Order (PO) or similar document submitted by Consultant to CIS, incidental to the Membership purchased herein. Any such terms which are not specifically addressed or referenced in this Agreement are hereby rejected and not agreed to nor consented to by CIS, absent express written acceptance.
D. Advertising or Publicity. Except as provided for in Sections II(A)(5) and (6), neither Party shall use the other Party’s name, service marks, or trademarks, or refer to or identify the other Party in any advertising, publicity releases (including references on any Consultant lists or posting on websites), or promotional or marketing correspondence to others without the prior written approval of the other Party.
E. Notices. All notices, requests, demands and determinations made under this Agreement (other than routine operational communications) shall be in writing and shall be deemed duly given (A) when delivered personally (against a signed receipt), (B) on the designated day of delivery (other than a weekend or Federal holiday) after being timely given to an express overnight courier with a reliable system for tracking delivery, or (C) six (6) days after the day of mailing, when sent by first class United States mail, postage prepaid and return receipt requested, to the address set forth below. Legal notices shall also be delivered via email to CIS at [email protected]. Delivery via email alone shall not constitute compliance with this section.
F. Order of Precedence. Except as otherwise agreed to between the Parties, in the event of a conflict between the terms of this Agreement and any other document executed between the Parties, the following order of precedence shall apply: (1) The terms contained in this End User Organization Membership Agreement, including any CIS policies referenced herein; (2) An Order or Invoice provided by CIS to Consultant; and (3) Any other document executed and/or agreed to in writing between the Parties.
Contract Version Date: 12/29/2023