CIS Organizational Hosting Membership Agreement

This Organizational Hosting Membership Agreement (the “Agreement”) is made as of the date of acceptance between the Center for Internet Security, Inc. (“CIS”), a Maryland nonprofit corporation and Host Company Affiliates (as defined herein) (collectively “Host Company”), (CIS and Host Company, each a “Party”).

Recitals

Whereas, CIS provides consensus-oriented information security products, services, controls, tools, metrics, suggestions, and recommendations as a public service to Internet users worldwide; and

Whereas, the Host Company wishes to obtain an Organizational Hosting membership from CIS to use the CIS SecureSuite Products (as defined below) in the Host Company’s hosting and/or managed services business with the Host Company’s customers and clients (“Host Company Clients”) and CIS desires to grant such a membership to Host Company.

Agreement

Now Therefore, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:

Definitions

Affiliate means any corporation, firm, limited liability company, partnership or other entity that directly or indirectly controls or is controlled by or is under common control with a Party.

CIS Benchmarks means consensus-based secure configuration guidelines applicable to a variety of operating systems, middleware and software applications, and network devices.

CIS Controls means the CIS Critical Security Controls for Effective Cyber Defense, v. 6.0 and later.

CIS SecureSuite means the cybersecurity configuration and remediation membership offerings provided by CIS, as set forth in this Agreement.

CIS SecureSuite Products includes any or all of the following:  CIS Benchmarks and CIS Controls in any format provided, CIS-CAT Pro (including CIS-CAT Pro Assessor and CIS-CAT Pro Dashboard as described below), CIS Workbench community site, product guides, remediation content and other products offered by CIS from time to time.

Membership Benefits

Under the terms and conditions set forth in this Agreement, CIS grants to Host Company a CIS Organizational Hosting Membership that entitles Host Company to the following benefits:

Organizational Use

  1. Access to and use of the CIS configuration assessment tool (“CIS-CAT Pro”), including use of the following:
    • CIS-CAT Pro Assessor, allowing Host Company to analyze and score the configuration of Host Company’s internal information technology systems and obtain a score between 1-100 for conformity against CIS Benchmarks including CIS Benchmark recommendations annotated with one or more of the CIS Controls and subcontrols; and
    • CIS-CAT Pro Dashboard, allowing Host Company to: analyze multiple CIS Benchmarks in a single view for comparison, multiple device reviews; access a CIS Controls view for any annotated CIS Benchmark content; view individual CIS-CAT Pro assessment results, including the ability to create exceptions and recalculate the CIS-CAT Pro assessment; and create individual reporting in multiple formats.
  2. The right to use and distribute the CIS SecureSuite Products within and throughout Host Company’s organization;
  3. Unlimited access to and use of the CIS Workbench (a community site where SecureSuite resources are developed) for access to CIS SecureSuite Products, including forums for information sharing, user support, and discussions among members, developers, and CIS staff;
  4. Timely electronic notification of updates to the CIS SecureSuite Products;
  5. Enhanced CIS SecureSuite Products support from CIS staff and developers;
  6. At Host Company’s option, listing of Host Company on the dedicated CIS SecureSuite Member pages of the CIS public website and in other promotional materials;
  7. The right to use the CIS SecureSuite membership mark (as set forth on Exhibit A) on Host Company’s websites and documents in accordance with the terms and conditions of the CIS Logos and Trademark Use Policy, a copy of which can be found at https://www.cisecurity.org/cis-logos-and-trademark-use-policy/, as such Policy may be amended from time to time; and
  8. Updates or improvements of existing CIS SecureSuite Products that are made in the ordinary course of business and provided pursuant to this Agreement.
  9. The ability to edit/modify CIS Benchmarks for use within the Customer’s organization based upon the Customer’s unique internal specifications and requirements (a “Customized Benchmark”). Once a Customized Benchmark is created, Customer is prohibited from labeling or identifying such Customized Benchmark as a “CIS Benchmark.”  Such Customized Benchmark shall not be considered a “derivative work” pursuant to section VII(E) of this Agreement.

Hosting Use

  1. The right for the Host Company to download, install, and use the CIS SecureSuite Products for the sole purpose of supporting Host Company’s hosting and/or managed services business; and
  2. The right for the Host Company to use the CIS SecureSuite Logo on reports and related materials prepared for Host Company Clients, in accordance with the terms and conditions of the CIS SecureSuite Trademarks Use Policy, a copy of which can be found at https://www.cisecurity.org/cis-logos-and-trademark-use-policy/.

Membership Restrictions

The Host Company agrees that the Host Company may not charge the Host Company Clients directly for the CIS SecureSuite Products and that neither the Host Company nor any of the Host Company Clients may sell, resell, or distribute the CIS SecureSuite Products.

Consulting Use

If the Customer (“Consultant”) has indicated a desire to engage in Consulting Use, the “Consulting Use Addendum” is hereby attached.

Membership Fees

Organizational Hosting Membership Fee

In exchange for the rights granted by CIS to Host Company in Section II of this Agreement, Host Company agrees to pay CIS the applicable membership fee (“Hosting Membership Fee”) in U.S. Dollars (USD) plus any applicable US sales tax, which shall be due and payable within thirty (30) days of the Effective Date. Membership Fee payment may be made by: (i) EFT transfer; (ii) check made payable to Center for Internet Security and mailed to CIS Accounts Receivable, 31 Tech Valley Drive, East Greenbush, NY 12061; or (iii) credit card transaction according to the instructions provided to Host Company by CIS. Any taxes or fees to be collected by a taxing jurisdiction, financial institution or payment processor incidental to the payment of Membership Fee by Customer to CIS shall in no way limit the amount of the Membership Fee to be paid by Customer to CIS pursuant to this section.

Organizational Hosting Renewal Membership Fee

Host Company’s renewal membership fee (“Renewal Membership Fee”) will equal the Host Company’s Renewal Fee that is listed for Host Company’s membership category as specified on the CIS website, cisecurity.org, thirty (30) days prior to the expiration of any Term of this Agreement.

Non-Payment of Fee

In the event of non-payment of any Membership fee by Host Company, CIS reserves the right to restrict Host Company’s access to the CIS SecureSuite Products until such time as payment has been rendered.

Accounts Payable Contact Information

Host Company shall designate a point of contact regarding this Agreement.

Term and Termination

Term

The term of this Agreement will commence on the Effective Date and, unless earlier terminated as provided for in Section IV.B, below, will continue for a period of year(s) agreed to by the Parties, from the Effective Date (the “Initial Term”).   Thereafter, this Agreement may be renewed for consecutive renewal terms (each a “Renewal Term”) upon CIS’s receipt and acceptance of a Renewal Membership Fee from the Host Company at or before the beginning of each such Renewal Term.  CIS agrees to send Host Company a renewal invoice at least thirty (30) days prior to the expiration of the Initial Term of this Agreement.

Right to Terminate

Both CIS and Host Company shall have the right to terminate this Agreement: (1) if the other party fails to perform a material obligation under this Agreement and fails to cure such nonperformance within thirty (30) days following written notice thereof; or (2) for convenience by providing at least thirty (30) days written notice to the other party. Upon termination, Host Company will cease use of the CIS SecureSuite Products as of the date of such termination.

Membership Fee Refund

  • Refund for One Year Term Agreements. In the event of termination by CIS for nonperformance by Customer, or for convenience by Host Company, Host Company will not be entitled to a refund of any Membership Fees or Renewal Membership Fees that have been paid by Host Company to CIS. In the event of termination by Host Company for nonperformance by CIS or for convenience by CIS, Host Company: (i) will be entitled to a prorated refund of any unused Membership Fees or Renewal Membership Fees that have been paid by Host Company to CIS.
  • Refund for Multi Year Term Agreements. In the event of termination by CIS for nonperformance by Host Company, or for convenience by Host Company, Host Company will not be entitled to a refund of any Membership Fees or Renewal Membership Fees that have been paid by Host Company to CIS applicable to the current year of the Term or Renewal Term, but will be entitled to full refund of that portion of any Membership Fees or Renewal Membership Fees applicable to any subsequent years within the Term or Renewal Term. In the event of termination by Host Company for nonperformance by CIS, Customer: (i) will be entitled to a prorated refund of any unused Membership Fees or Renewal Membership Fees that have been paid by Host Company to CIS for the remaining part of the current year of the Membership Term or Renewal Term from the initial instance of non-performance, and full refund of that portion of any Membership Fees or Renewal Membership Fees applicable to any subsequent years within the Term or Renewal Term.

CIS SecureSuite Products Provided As Is

CIS makes reasonable efforts to utilize and maintain the most current network security and antivirus protection programs available to screen and protect CIS’s computer programs, websites, and computer infrastructure from malware.  However, Host Company understands and agrees that CIS is providing the CIS SecureSuite Products “as is” and “as available” without any representations, warranties, or covenants of any kind whatsoever.

Ownership Rights of Intellectual Property and SecureSuite Products Reserved

Host Company is not acquiring any title or ownership rights in or to any of the CIS SecureSuite Products or associated intellectual property, including the Trademark, and full title and all ownership rights to the CIS SecureSuite Products and associated intellectual property remain the exclusive property of CIS.  The Host Company understands and agrees that the use of the Trademark in connection with this Agreement does not create any right, title or interest in or to the use of the Trademark and that all such use and goodwill associated with the Trademark will inure to the sole benefit of CIS.  Host Company further agrees that it will comply with the terms and conditions of the CIS Logos and Trademark Use Policy, a copy of which can be found at https://www.cisecurity.org/cis-logos-and-trademark-use-policy/, as such Policy may be amended from time to time. All rights to the CIS SecureSuite Products not expressly granted in this Agreement are hereby reserved.

Restrictions

Host Company acknowledges and agrees that except as otherwise expressly permitted in this Agreement, Host Company may not: (A) decompile, disassemble, alter, reverse engineer, or otherwise attempt to derive the source code for any CIS SecureSuite Product (except to the extent that such product is already in the form of source code); (B) distribute or redistribute, sell, rent, lease, sublicense or otherwise transfer or exploit any rights to any CIS SecureSuite Product in any way or for any purpose including, without limitation, creating an image incorporating any CIS Benchmark or derivative content (including without limitation remediation content) and offering or using that image as a product or service made available to a third party; (C) post any CIS SecureSuite Product on any website, bulletin board, ftp server, newsgroup, or other similar mechanism or device; (D) remove from or alter the terms of use or any proprietary notice placed on any CIS SecureSuite Product; (E) create any derivative work based directly on a CIS SecureSuite Product or any component thereof; (F) represent or claim a particular level of compliance or consistency with any CIS SecureSuite Product; or (G) facilitate or otherwise aid other individuals or entities in violating this Agreement.

Host Company’s Responsibility to Evaluate Risks

Host Company acknowledges and agrees that: (A) no network, system, device, hardware, software, or component can be made fully secure; and (B) Host Company has the sole responsibility to evaluate the risks and benefits of the CIS SecureSuite Products to Host Company’s particular circumstances and requirements including, without limitation, the decision to not implement one or more Benchmark configuration recommendations.

Host Company Indemnification of CIS

Host Company agrees to indemnify, defend, and hold CIS and all of CIS’s employees, officers, directors, agents and other service providers harmless from and against any third party claim, suit or proceeding (including reasonable attorneys’ fees) brought against any of them in connection with Host Company’s material breach of this Agreement.

CIS Indemnification of Host Company

CIS shall indemnify, defend, and hold Host Company harmless against any third party claim, suit or proceeding (including reasonable attorneys’ fees) brought against Host Company alleging that the CIS SecureSuite Products infringe any patent, copyright, or enforceable trade secret, provided that Host Company: (A) gives CIS prompt written notice of any such claim; (B) allows CIS to control the defense and settlement of such claim; (C) refrains from entering into any settlement or compromise of such claim without CIS’s prior written consent; and (D) provides all assistance reasonably requested by CIS in the defense or settlement of such claim, at CIS’s expense.  THIS SECTION SETS FORTH CIS’S SOLE AND EXCLUSIVE LIABILITY, AND HOST COMPANY’S SOLE AND EXCLUSIVE REMEDY FOR CIS’S INFRINGEMENT OF THIRD PARTY RIGHTS OF ANY KIND.

Limitation of Liability

Except as otherwise specified in this Agreement, neither party will be liable for any indirect, incidental, special, consequential or punitive damages, including without limitation, damages for lost profits, data or use, incurred under this Agreement, whether in an action in contract or tort, even if that party has been advised of the possibility of such damages.

Confidential Information

Confidential Information

Each party acknowledges that by reason of its relationship with the other party hereunder, such party (the “Receiving Party”) might receive access to certain confidential and proprietary information and materials concerning the other party (the “Disclosing Party”). “Confidential Information” means oral or written non-public information that the Disclosing Party designates as being confidential or which, under the circumstances surrounding disclosure, ought to be treated as confidential, whether provided to the Receiving Party before, on or after the date “Confidential Information” includes, without limitation, information relating to the Disclosing Party’s software and hardware products, specifications, databases, networks, systems design, file layouts, tool combinations and development methods, and information relating to the Disclosing Party’s business or financial affairs, such as business methods, marketing strategies, pricing, product development strategies and methods, Host Company lists and financial results. “Confidential Information” also includes information received from others that the Disclosing Party is obligated to treat as confidential. Confidential Information includes all tangible materials which contain Confidential Information, including, without limitation, written or printed documents, computer disks or tapes, and other magnetic or optical storage media, whether user- or machine-readable.

Exclusions

Confidential Information does not include any information that the Receiving Party can reasonably demonstrate: (i) was known to the Receiving Party prior to its disclosure hereunder by the Disclosing Party; (ii) was independently developed by the Receiving Party; (iii) is or becomes publicly known through no wrongful act of the Receiving Party; (iv) has been rightfully received from a third party whom the Receiving Party has reasonable grounds to believe is authorized to make such disclosure without restriction; or (v) has been approved for public release by the Disclosing Party’s prior written authorization.  Confidential Information may be disclosed pursuant to applicable law, regulations or court order or similar proceeding, provided that the Receiving Party provides, where reasonably possible, prompt advance notice thereof to enable the Disclosing Party to seek a protective order or otherwise prevent such disclosure.

Use

The Receiving Party acknowledges and agrees that the Disclosing Party’s Confidential Information is of substantial value to the Disclosing Party, which value would be harmed if such information were disclosed to third parties.  The parties agree that, commencing on the Effective Date and thereafter, they will not: (i) use the Disclosing Party’s Confidential Information in any way, except in the performance of obligations under this Agreement; or (ii) disclose the Disclosing Party’s Confidential Information to any third party, except to the Receiving Party’s employees who need to know such information, provided such employees have a signed confidentiality agreement with terms no less restrictive than the terms in this Agreement. The parties will not publish, in any form, the other party’s Confidential Information beyond any descriptions published by said other party.

Ownership of Information

The parties expressly agree that the Disclosing Party shall retain all ownership in its Confidential Information.

Return of Information.

In the event of any termination or expiration of this or any other agreement between the parties: (i) upon the written request of the Disclosing Party, the Receiving Party shall return or destroy all copies of Confidential Information to the Disclosing Party; and (ii) except to the extent the Receiving Party is advised in writing by counsel that there is a legal prohibition on so doing, the Receiving Party will also promptly destroy all written material, memoranda, notes and other writings or recordings whatsoever prepared by it or its representatives based upon, containing or otherwise reflecting any Confidential Information of the Disclosing Party.  Any Confidential Information that is not returned or destroyed including, without limitation, any oral Confidential Information, shall remain subject to the confidentiality obligations set forth in this Agreement.  The Receiving Party may return the Confidential Information, or any part thereof, to the Disclosing Party at any time.

Duration.

All obligations to protect Confidential Information set forth in this Agreement shall apply during the time of the relationship between the parties and thereafter, for a period of five (5) years.

Data Privacy

Both Parties agree to comply with all applicable data privacy laws and regulations, including as applicable, the General Data Protection Regulation.  The Parties further acknowledge the Standard Contractual Terms found at https://www.cisecurity.org/standard-gdpr-clauses/, which are incorporated herein and are made a part hereof, and by signing this Agreement agree to abide by its terms, to the extent applicable.

Additional Terms

Jurisdiction. 

Host Company acknowledges and agrees that: (A) this Agreement will be governed by and construed in accordance with the laws of the State of New York; and (B) any action at law or in equity arising out of or relating to this Agreement shall be filed only in the courts located in the State of New York.  Host Company hereby consents and submits to the personal jurisdiction of such courts for the purposes of litigating any such action.

Counterparts. 

This Agreement may be executed in separate counterparts each signed by a party and such counterparts deemed an executed whole with the full force and effect.  Signatures may be exchanged by email or electronic signature and such signatures will be deemed original.

Entire Agreement.

This Agreement, including any exhibits referenced herein, constitutes the entire agreement of the parties with respect to the subject matter hereof, and supersedes all previous written, and all previous or contemporaneous oral negotiations, understandings, arrangements, and agreements.  This Agreement may be amended only by a written amendment signed by both parties.

Advertising or Publicity.

Except as provided for in Sections II(A)(6) and (7), neither party shall use the other party’s name, service marks, or trademarks, or refer to or identify the other party in any advertising, publicity releases (including references on any Host Company lists or posting on websites), or promotional or marketing correspondence to others without the prior written approval of the other party.

Notices.

All notices, requests, demands and determinations made under this Agreement (other than routine operational communications) shall be in writing and shall be deemed duly given (A) when delivered personally (against a signed receipt), (B) on the designated day of delivery (other than a weekend or Federal holiday) after being timely given to an express overnight courier with a reliable system for tracking delivery, or (C) six (6) days after the day of mailing, when sent by first class United States mail, postage prepaid and return receipt requested, to the address set forth below and to the attention of: for CIS: Attn: Chief Counsel; for Customer: __.

Order of Precedence

Except as otherwise agreed to between the Parties, in the event of a conflict between the terms of this Agreement and any other document executed between the Parties, the following order of precedence shall apply: (1) The terms and conditions contained in this CIS Organizational Hosting Membership Agreement and Consulting Use addendum, if applicable; (2) the CIS SecureSuite Terms of Use (found at https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/); (3) A Purchase Order (PO) or similar document issued by Customer to CIS containing terms and conditions therein; (4) Any other document between the Parties.

 

Exhibit A

CIS SecureSuite Membership Mark

Consulting Use Addendum

Pursuant to section II(D) of the CIS Organizational Hosting Membership Agreement, the Parties hereby agree to permit Consultant to engage in Consulting Use pursuant to the terms and conditions of this Addendum, which are hereby incorporated by reference and made a part of said CIS Organizational Hosting Membership Agreement. CIS grants to Consultant the following permissions:

Consulting Use

  1. Access to and use of the CIS SecureSuite Products to secure the Consultant’s internal systems.
  2. For onsite consulting engagements, the right for the Consultant to download, install, and use the CIS SecureSuite Products on Consultant Clients’ computer network or environment, including any third party network or cloud environment hosting Consultant Clients’ data, for the sole purpose of providing information security consulting and auditing services to those Consultant Clients, provided that, at the end of each consulting/auditing engagement, the Consultant must remove all copies of any CIS SecureSuite Products from the Consultant Clients’ computers, networks, systems, and organizational environments that have been installed or provided to those Consultant Clients.
  3. For remote consulting engagements, the right for Consultant to be given direct access to a time-limited version of CIS-CAT Pro, for the sole purpose of providing information security consulting and auditing services to those Consultant Clients, provided that Consultant Client agrees to use CIS-CAT time-limited version only to assess Consultant Client’s internal system.
  4. Notwithstanding any license terms for the CIS Controls to the contrary, the right to use the CIS Controls in the context of any consulting engagement, including developing Customized Policies as defined below.
  5. The right for the Consultant to assist the Consultant Clients in developing security configuration and/or security metrics policies that are specifically customized to meet the Consultant Clients’ information security needs (“Customized Policies”), provided that the Consultant Clients agree to:
    • use any Customized Policies only for securing Consultant Clients’ internal systems or Consultant Clients’ data hosted in a third-party network or cloud environment; and
    • not distribute any Customized Policies beyond the Consultant Clients’ organizations.

Once a Customized Policy is created by Consultant, Consultant may represent to Consultant Clients that such Customized Policy leverages one or more CIS SecureSuite Products but not that it incorporates any CIS SecureSuite Product(s).

  1. The right for the Consultant to use the CIS SecureSuite Logo on reports and related materials prepared for Consultant Clients, in accordance with the terms and conditions of the CIS Logos and Trademark Use Policy, a copy of which can be found at https://www.cisecurity.org/cis-logos-and-trademark-use-policy/, as such Policy may be amended from time to time.

The Consultant is not required to remove Customized Policies from the Consultant Clients’ computers, networks, systems, and organizational environments at the end of consulting/auditing engagements.

  1. Consulting Use Restrictions
    • The Consultant agrees that the Consultant may not charge the Consultant Clients directly for the CIS SecureSuite Products and that neither the Consultant nor any of the Consultant Clients may sell, resell, or distribute the CIS SecureSuite Products.
    • CIS agrees that the Consultant may charge the Consultant Clients for training, installation, programming and other services, even if those services relate to the CIS SecureSuite Products.

Membership Fees

Organizational Consulting Membership Fee. 

In exchange for the rights granted by CIS to Consultant pursuant to this Addendum, Consultant agrees to pay CIS the applicable membership fee (“Membership Fee”) in U.S. Dollars (USD), plus any applicable US sales tax, which shall be due and payable within thirty (30) days of the Effective Date. Membership Fee payment may be made by: (i) EFT transfer; (ii) check made payable to Center for Internet Security and mailed to CIS Accounts Receivable, 31 Tech Valley Drive, East Greenbush, NY 12061; or (iii) credit card transaction according to the instructions provided to Consultant by CIS. Any taxes or fees to be collected by a taxing jurisdiction, financial institution or payment processor incidental to the payment of Membership Fee by Customer to CIS shall in no way limit the amount of the Membership Fee to be paid by Customer to CIS pursuant to this section.

Organizational Consulting Renewal Membership Fee.

Consultant’s renewal membership fee (“Renewal Membership Fee”) will equal the Organizational Consulting Membership Fee that is listed for Consultant’s membership category as specified on the CIS website, /cis-securesuite/pricing-and-categories/, thirty (30) days prior to the expiration of any Term of this Agreement.

Non-Payment of Fee.

In the event of non-payment of the Renewal Membership fee by Consultant, CIS reserves the right to restrict Consultant’s access to the CIS SecureSuite Products until such time as payment has been rendered.

Accounts Payable Contact Information.

Customer shall designate a point of contact regarding this Agreement.