This Ransomware Recovery Warranty Agreement (the “Agreement”) is made by and between AvePoint, Inc., a Delaware corporation (“AvePoint”) including if and where applicable its Affiliates (as defined below), and your company or entity (“Customer”), and describes the terms and conditions for the provision of a Ransomware Recovery Warranty (“Warranty”) by AvePoint to Customer for its purchase of an Eligible Solution (defined below). Each party hereto shall be referred to as “Party”; collectively, the “Parties”. This Agreement governs the Warranty, which must be approved by AvePoint and stated in the quote for the Eligible Solution between AvePoint or the authorized AvePoint Partner (defined below) and Customer. Unless expressly defined herein, capitalized terms shall have the meaning ascribed to them in AvePoint’s Master Software License and Subscription Agreement: https://www.avepoint.com/agreements/mslsa. This Agreement is effective immediately upon Customer’s clicking a box indicating acceptance of the Agreement on the respective AvePoint website (the “Effective Date”). The Parties accept and agree to the below terms and conditions and have caused this Agreement to be executed by their respective authorized representatives.
1.1 “Affiliate” means in relation to any of the Parties, any other entity that, directly or indirectly, controls or is controlled by or is under common control with that Party, and for the purpose of this definition, “control” means the power to direct the management and policies of that other entity, directly or indirectly, through the ownership of a majority of voting securities thereof.
1.2 “AvePoint Partner” means a reseller or distributor of AvePoint with which AvePoint is party to an agreement memorializing that relationship accordingly.
1.3 “Customer” means the entity purchasing an Eligible Solution from AvePoint directly or through an authorized AvePoint Partner.
1.4 “Customer Agreement” means the agreement(s) controlling Customer’s use of the Eligible Solution.
1.5 “Customer Data” means any data that is: a) provided to AvePoint by, or on behalf of Customer for use with the Eligible Solution; b) referring to Customer specific configurations in the Eligible Solution that are necessary for its configuration and operation; or c) generated by features of the Eligible Solution and hosted on AvePoint provided storage. Customer Data for an MSP shall be understood to include all data the MSP manages on AvePoint provided storage for end-clients that the MSP has named to AvePoint and to which MSP provides the Eligible Solution.
1.6 “Discovery Time” means the exact time at which the Customer first discovers the Ransomware Incident.
1.7 “Eligible Solution” means a subscription to AvePoint’s Cloud Back-up add-on Ransomware Warranty.
1.8 “Event Date” means the date the Ransomware Incident first occurred; provided, however that each Ransomware Incident that forms part of the same, continuous, related, or repeated Ransomware Incident (“Related Ransomware Incident”) shall be deemed to have the Event Date of the earliest Ransomware Incident or Pre-existing Incident (if applicable) that forms part of the Related Ransomware Incident.
1.9 “Payment” means reimbursement of Recovery Incident Expenses that directly result from a Recovery Incident.
1.10 “Pre-existing Incident” means the actual or reasonably suspected presence of Ransomware in any state in the Customer environment prior to the Customer’s applicable Warranty Period.
1.11 “Ransomware Incident” means a malware software program that infects Customer’s systems from external sources (i.e. in the wild), which installs, persists, and encrypts a material portion of files (“Ransomware”), and continues to demand payment (“Ransom”) in order to decrypt the encrypted files. For clarification, Ransomware does not include any malware introduced by the Customer or any third party to Customer’s internal systems, whether intentionally (i.e. malware testing) or through a breach in the system’s security. A Ransomware Incident should trigger AvePoint’s ransomware detection feature.
1.12 “Recovery Incident” means an unsuccessful Recovery (defined in Section 2.1).
1.13 “Recovery Incident Expenses” means solely (and to the exclusion of all other fees, expenses, losses, settlements, and damages) the reasonable and necessary fees and expenses to restore, recover, or recreate Customer Data under the Warranty to the extent incurred by Customer as a direct result of a Recovery Incident. The foregoing fees and expenses constitute “Recovery Incident Expenses” only if: (1) incurred by Customer after obtaining AvePoint’s prior written approval to procure such services or incur such expenditures; (2) paid to a third-party pre-approved in writing by AvePoint; (3) incurred by Customer within one (1) year following the Discovery Time of the applicable Ransomware Incident; and (4) payment and/or reimbursement does not violate any applicable domestic or foreign law, statute, regulation or rule as determined by AvePoint in its sole discretion. The foregoing fees and expenses incurred by a Customer’s Affiliate as a result of a Recovery Incident, and based on the use of an Eligible Solution by such Customer’s Affiliate, shall, for purposes of this definition only, be deemed expenses incurred by Customer so long as such Customer Affiliate also complies with terms set forth herein. Recovery Incident Expenses do not include any third-party restoration, recovery, or recreation attempts on an AvePoint platform or an AvePoint-hosted cloud platform.
2. RANSOMWARE RECOVERY WARRANTY
2.1 Warranty. AvePoint warrants to Customer that in the event of a Ransomware Incident with an Event Date that occurs during the Warranty Period, the Eligible Solution will enable Customer to materially restore the Customer Data that was successfully backed up using the Eligible Solution software onto an AvePoint hosted cloud platform, during the Warranty Period (“Recovery”). The scope of the warranty provided hereunder is limited to cover data that (i) is the data that Customer provided directly to AvePoint; (ii) that was utilized with the Eligible Solution and (iii) that was compromised by Ransomware. If Customer’s data is not recovered due solely to a failure of the Eligible Solution software as determined by AvePoint, Customers sole and exclusive remedy, and AvePoint’s entire liability subject to the terms herein, will be reimbursement for Customer’s Recovery Incident Expenses directly resulting from the Recovery Incident, in the amount of one U.S. dollar ($1.00) per gigabyte of unrestored Customer Data protected by the Eligible Solution, up to a maximum amount not to exceed one million dollars ($1,000,000.00) (“Cap”), calculated based on the amount of data Customer protects using the Eligible Solution software (i.e., data Customer backs up using products other than the Eligible Solution will not count toward any Payment obligation under this Warranty). Aggregate payments for multiple Recovery Incidents with Event Dates in the Warranty Period shall not exceed the Cap. Except as otherwise provided in this Agreement, this Warranty extends only to Customer and its Recovery Incident Expenses and does not extend to any third parties (including, but not limited to suppliers, service providers, end-clients, and employees or agents of Customer) or any of their losses or damages.
2.2 Pre-existing and Related Ransomware Incidents. This Warranty does not extend to Pre-existing Incidents or Related Ransomware Incidents that include a Pre-existing Incident. Except as set forth in this Section 2.1, all Recovery Incident Expenses resulting from a Related Ransomware Incident shall be subject to the terms, conditions, exclusions, and Cap in effect on the Event Date of the first discovered Ransomware Incident that forms part of the Related Ransomware Incident.
2.3 Disclaimer. EXCEPT FOR THE LIMITED WARRANTY PROVIDED IN SECTION 2.1 OF THIS AGREEMENT AND ANY WARRANTIES PROVIDED IN THE CUSTOMER AGREEMENT, THE ELIGIBLE SOLUTION IS PROVIDED AS-IS.
3. CONDITIONS PRECEDENT TO WARRANTY PAYMENT
3.1 AvePoint shall only provide Payment to Customer if, at the time of the Ransomware Incident and throughout the Warranty Period:
(a) Customer has maintained an active subscription for the Eligible Solution;
(b) The Event Date and Discovery Time of the Ransomware Incident occurred, was discovered by Customer, and reported to AvePoint during the Warranty Period and in accordance with Section 5, and that AvePoint confirms that the Ransomware Incident triggered AvePoint’s ransomware detection feature;
(c) Customer has remained in compliance with its Customer Agreement, including without limitation any payment obligations;
(d) Customer has fully cooperated with AvePoint, including without limitation by (i) implementing all remedial and security measures recommended by AvePoint including the Requirements, (ii) providing all reasonably requested information, and (iii) complying with the Reimbursement Request process set forth in Section 6;
(e) Any systems to which the Customer seeks to restore Customer Data that has been successfully backed up by AvePoint are free of any malware, bugs, back-doors or other malicious code, and are otherwise secured;
(f) Customer Data resides in AvePoint provided storage (i.e., not BYOS); and
(g) This Warranty is not restricted or prohibited by applicable law.
4.1 Customer acknowledges and agrees that security threats evolve over time, and Customer is responsible for maintaining the security (including securing its access credentials) in accordance with the then-current industry best practices. To qualify for the Warranty, in addition to the conditions precedent set forth in Section 3, Customer must comply with the following minimum security requirements throughout the Warranty Period (“Requirements”):
(a) Data Security Best Practices. Customer must follow data security best practices, which includes without limitation the following:
(i) Data Health:
• Ensure back-ups are successful and free from any viruses, and monitor the same.
(ii) User Access:
• Multi-factor authentication for all user accounts.
• Utilize strong passphrase protection.
• Assign user roles with least privilege access
• Regularly review permission settings and audit logs to check unusual activities in AOS
(iii) Data Encryption:
• Secure protocols for third-party systems
(iv) Application Access:
• Create IP whitelisting that limits connections to Customer owned networks only
(v) API Security:
• Secure service accounts.
• Scoped API roles with least privilege
4.2 Additional Requirements. Customer must:
(a) Maintain up-to-date endpoint security, including anti-virus protection;
(b) Implement change management best practices;
(c) Implement such other security measures and best practices as may be recommended by AvePoint from time to time over the course of the Warranty Period; and
(d) Have configured the most recent version of the ransomware detection alert feature.
5. RANSOMWARE INCIDENT NOTIFICATION
5.1 If Customer discovers a Ransomware Incident during the applicable Warranty Period, Customer must notify AvePoint within twenty-four (24) hours of the Discovery Time of such Ransomware Incident by sending an e-mail to Warranty@avepoint.com.
6. REMEDIATION AND REIMBURSEMENT REQUEST PROCESS
Upon initiating a remediation and reimbursement request, Customer shall demonstrate to AvePoint’s reasonable satisfaction that Customer has fully complied with all Requirements provided for in Section 4. Subject to this Agreement, if all remedial measures recommended by AvePoint after a Ransomware Incident have been exhausted and AvePoint determines a Recovery Incident occurred, Customer may submit a request for reimbursement of Recovery Incident Expenses (“Reimbursement Request”) in accordance with AvePoint’s Remediation and Reimbursement procedures, as may be updated from time to time, at: https://cdn.avepoint.com/assets/company/ransomware-warranty-claims-procedure.pdf. Customer must submit such Reimbursement Request to AvePoint within thirty (30) days of AvePoint confirming that Customer’s data could not be restored from a Recovery Incident. The Reimbursement Request shall include all information available to Customer regarding the Ransomware Incident and Recovery Incident. AvePoint shall review Customer’s Reimbursement Request and Customer shall provide any additional information reasonably requested by AvePoint at any time.
6.1 Payments. Customer shall provide AvePoint with evidence of Recovery Incident Expenses in accordance with AvePoint’s instructions. During the Warranty Period, and for a period of three (3) years thereafter, AvePoint shall have the right, at its own expense, to inspect, and Customer shall maintain and provide, Customer’s records related to such Recovery Incident Expenses upon reasonable written request during regular business hours. Customer shall promptly (but in no event later than 30 days after written notice) reimburse AvePoint for all Payments related to a Reimbursement Request that arises out of an event that is later determined not to be a Ransomware Incident or that relates to a Pre-Existing Incident. AvePoint shall have no obligation to make any Payments to Customer if Customer has not fully complied with this Agreement, or where any such Payments are prohibited by law. Customer must provide AvePoint such evidence and assurances that no Payment would be used by Customer to any person or entity subject to economic sanctions administered or enforced by the U.S. Treasury Department Office of Foreign Assets Control (OFAC), including any such person or entity listed on OFAC’s Specially Designated Nationals and Blocked Persons (SDN) List or otherwise prohibited under relevant law.
6.2 Confidentiality. Customer acknowledges that any Ransomware Incident reported by it to AvePoint and any payment pursuant to Customer’s Reimbursement Request are considered confidential, and it is understood that this agreement of confidentiality is part of the consideration for this Agreement. Upon and after the Effective Date of this Agreement, none of the Parties, nor their attorneys, or other representatives, will, directly or indirectly, disclose the existence of a Ransomware Incident or payment pursuant to a Reimbursement Request to any third parties or publicize in the media other than as specified herein, including but not limited to newspapers, magazines, radio, television, or the internet, except: (a) as necessary to enforce this Agreement; (b) as may be required by law, or in order to comply with a lawfully issued subpoena from a court of competent jurisdiction; (c) as reasonably necessary in connection with audits, regulatory or compliance inquiries, or financial or legal due diligence or claims for insurance coverage; or (d) as may be required to the Parties’ attorneys and other professional advisors for the purpose of seeking their advice.
7.1 Entire Agreement. This Agreement constitutes the entire agreement between Customer and AvePoint regarding the Warranty and supersedes any and all prior agreements or communications between the parties with regard to the subject matter hereof. For the avoidance of doubt, this Agreement is in addition to the Customer Agreement and the confidentiality terms in the Customer Agreement apply to this Warranty including without limitation any communications or information related to a Recovery Incident. In the event of any conflict or inconsistency between the terms of this Agreement and the Customer Agreement, this Agreement shall prevail. AvePoint may revise the terms and conditions of this Agreement or terminate the Ransomware Recovery Warranty program at any time without notice and without recourse to Customer; however, such modification or termination will not affect the Agreement in place at the time of a previous purchase of an Eligible Solution by the Customer. In the event of a successful Recovery, Customer agrees to participate in an AvePoint marketing case study on such Recovery. In addition to, and without limitation of, AvePoint’s rights set forth above in the immediately preceding paragraph, AvePoint reserves the right to modify or terminate this Agreement generally or in any jurisdiction, at any time, in its sole discretion, if: (i) the Warranty is construed to be an offer to insure or constitute insurance or an insurance contract or insurance service agreement by any governmental or regulatory authority in any jurisdiction; (ii) AvePoint is required to obtain a license or permit of any kind to continue to provide this Warranty in any jurisdiction; or (iii) AvePoint determines or a court or arbitrator holds that the provisions of this Agreement violate applicable law. If AvePoint modifies or terminates this Agreement in accordance with the foregoing, AvePoint will process all Reimbursement Requests that the Customer submitted prior to or as of the effective date of such modification or termination unless such processing is prohibited by law, regulation, ordinance, order, or decree of any governmental or other authority.
7.2 Limitation of Liability. IN NO EVENT WILL AVEPOINT OR ITS SUPPLIERS BE LIABLE (UNDER ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STATUTE, TORT OR OTHERWISE) FOR ANY LOST PROFITS, LOST BUSINESS OPPORTUNITIES, BUSINESS INTERRUPTION, OR SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR LOSSES, OR SUCH DAMAGES OR LOSSES WERE REASONABLY FORESEEABLE; AND IN NO EVENT SHALL AVEPOINT’S LIABILITY UNDER OR ARISING FROM THIS AGREEMENT EXCEED CUSTOMER’S CAP AS SET FORTH IN SECTION 2.1 ABOVE FOR THE WARRANTY PERIOD. Multiple claims or Recovery Incidents shall not expand the limitation specified in the foregoing sentence. Any Payments, damages or losses paid under this Agreement shall accrue towards any liability cap set forth in the Customer Agreement. If the limitation of liability in this Section 7.2 is determined to be invalid under applicable law, this Agreement shall be deemed null and void.
7.3 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the Commonwealth of Virginia, U.S.A., without applying conflict of law rules. With respect to all disputes and actions arising from or related to this Agreement, the Parties irrevocably consent to exclusive jurisdiction and venue in the state and federal courts located in Virginia. The United Nations Convention of Contracts for the International Sale of Goods (1980) is hereby excluded in its entirety from application to this Agreement. Nothing in this Section 7.3 (Governing Law) will limit or restrict either Party from seeking injunctive or other equitable relief from a court of competent jurisdiction.
7.4 Term and Termination. The Warranty Period shall run concurrently with the Eligible Solution’s initial subscription term, unless terminated earlier in accordance with this Section 7.4 or the Customer Agreement (“Warranty Period”). Termination of the Customer Agreement shall terminate this Agreement. Termination of this Agreement shall not terminate the Customer Agreement. Customer may not assign this Agreement without the prior written consent of AvePoint, except to an Affiliate in connection with a corporate reorganization or in connection with a merger, acquisition, or sale of all or substantially all of its business and/or assets provided Customer provides AvePoint with notice of any such assignment no later than thirty (30) days after such assignment or change in control event is public. Any assignment in violation of this section shall be void and shall void this Warranty. Subject to the foregoing, all rights and obligations of the Parties under this Agreement shall be binding upon and inure to the benefit of and be enforceable by and against the successors and permitted assigns.
7.5 This Agreement is not intended to and shall not be construed to give any third party any interest or rights (including, without limitation, any third-party beneficiary rights) with respect to or in connection with any agreement or provision contained herein or contemplated hereby. For the avoidance of doubt, only the Customer has the right to enforce this Agreement or pursue claims relating to it against AvePoint.
7.6 This Warranty is not intended to constitute an offer to insure, does not constitute insurance or an insurance contract, and does not take the place of insurance obtained or obtainable by the Customer.