Vous êtes sur la page 1sur 8

Arbor Cloud Supplemental Terms and Conditions

These Arbor Cloud Supplemental Terms and Conditions (“Supplemental Terms”) supplement the terms of the License and Arbor Cloud Service Agreement (the “Agreement”) and are incorporated therein. Together, the Agreement and these Supplemental Terms govern your (the “End User”) use of the Arbor Cloud Services. Capitalized terms not otherwise defined in these Supplemental Terms shall have the meaning ascribed to them in the Agreement.

1. SERVICE DEFINITIONS

The following definitions shall apply to the capitalized terms used herein.

1.1 “/24 Prefix” means a block of two hundred fifty four (254) continuous IP addresses.

1.2 “Arbor Cloud Platform” means the network to which internet-based traffic for an Endpoint must be directed

in order to have the Arbor Cloud Services performed.

1.3 “Arbor Cloud Services” means the on-demand, End User-activated, cloud-based, service which “cleans”

or “scrubs” certain internet-based, malicious, attack traffic from a stream of internet based traffic directed at the End User’s Endpoint and, where applicable, any supplemental services set forth on the order Form.

1.4 “Attack” or “Attack Incident” shall mean an event in which malicious traffic (e.g. DDoS), is directed at an

Endpoint which is on the Arbor Cloud Platform. The determination as to whether traffic is Attack traffic shall be determined solely by Arbor.

1.5 “Attack Incident Fee” shall mean the fee applicable to use of the Arbor Cloud Service during an Attack.

1.6 “Clean Traffic” shall mean the 95th percentile peak Mbps of legitimate End User internet traffic going in to

or out of the Arbor Cloud Platform for an Endpoint, which is processed by the Arbor Cloud Service on a per Mitigation

Incident basis.

1.7 “Clean Traffic Overage Fee” means the fee, calculated on a per megabits per second (“Mbps”) basis, that

will apply in the event that amount of Clean Traffic to the Arbor Cloud Platform during a Mitigation Incident exceeds

the amount of traffic contracted for.

1.8 “Content” shall be as defined in Section 6.2.

1.9 “Endpoint(s)”, as used herein, means that part of an End User’s infrastructure subject to protection by the

Arbor Cloud Services and for which End User or Arbor has activated the Arbor Cloud Services by directing traffic to the Endpoint onto the Arbor Cloud Platform.

1.10 “Incident” means an event wherein End User has directed internet-based traffic for an Endpoint to the

Arbor Cloud Platform and shall include both Attack Incidents and Non-Attack Incidents.

1.11 “Location” means router endpoint to terminate GRE (Generic Routing Encapsulation) tunnels connected to

the Arbor Cloud Platform.

1.12 “Mitigation Incident” means either (a) the event commencing when Arbor announces the requested /24

prefix(es) out of the Arbor Cloud Platform and ceases when End User contacts Arbor pursuant to then-current Arbor policies and directs Arbor to cease such announcement(s) or (b) an event where more than twenty-five (25) kilobits

per second (“Kbps”) of traffic flows through the End User’s assigned DNS Redirection VIP address on the Arbor Cloud Platform.

1.13 “Mitigation Incident Fee” shall mean the fee that applies to a Mitigation Incident. The Mitigation Incident

Fee shall cover a period of up to seventy two (72) consecutive hours or any portion thereof. Mitigation Incidents longer in duration than seventy two (72) consecutive hours are subject to Mitigation Incident Fees for each period of consecutive seventy two (72) hours or any part thereof.

1.14 “Monthly Service Package Fee” means the monthly, recurring charge that End User pays for access to the

Arbor Cloud Service.

1.15 “Provisioning Process” means Arbor’s then-current process for provisioning of an Endpoint, a change to

configuration or directing End User traffic to or away from the Arbor Cloud Platform.

1.16 “VIP(s)” or “DNS Redirection VIP(s)” means the Arbor-assigned IP address on the Arbor Cloud Platform

which terminates to only one (1) End User hosted IP address to send Clean Traffic & receive outbound internet traffic.

2. PROVISION OF ARBOR CLOUD SERVICES

2.1 End User acknowledges that deployment on the Arbor Cloud Platform may require configuration which

takes several days and that in such instance, any activation of Arbor Cloud Services on an expedited basis shall

require deployment on the DNS-based platform rather than the BGP-based platform as Arbor, in its reasonable discretion, determines is appropriate.

2.2 Arbor shall calculate the End User’s total amount of used Clean Traffic in Mbps, at the ninety fifth (95th)

percentile during each Mitigation Incident to confirm they are within their total contracted Clean Traffic amount. Clean

Traffic shall be determined by periodically measuring End User’s Clean Traffic bandwidth utilization running through the Arbor Cloud Platform. At the end of a measurement period (Mitigation Incident), the utilization measurements are ordered from highest to lowest and the top five percent (5%) of the traffic measurements discarded. The next highest measurement for the inbound or outbound traffic is considered the ninety fifth (95th) percentile Clean Traffic.

2.3 In the event of a Mitigation Incident, any traffic which is directed to the Arbor Cloud Platform that is not for

a pre-provisioned domain, protocol or port will be blocked. Attack traffic may be mitigated as far “upstream” as possible, including internet network provider access control lists (ACLs). In such event, the End User will not be assessed any Clean Traffic Overage Fees related to the volume of the attack traffic. Clean Traffic Overage Fees

shall only be incurred when the actual quantity of Clean Traffic measured during a Mitigation Incident exceeds the amount of Clean Traffic contracted for.

2.4 The Arbor Cloud Service may be provisioned to protect up to ten (10) ports per domain for standard TCP

based application layer protocols, including: Web (e.g. HTTP, HTTPS), API (e.g. SOAP, XML, REST), Email (e.g.

POP/POP3, SMTP, IMAP/IMAP4), Database (e.g. MySQL, MS SQL, Oracle) & Other (e.g. Telnet, SSH, FTP).

2.5 The Arbor Cloud Service includes Layer 4 rate limiting protection for HTTPS traffic provisioned on the

Arbor Cloud Platform. The Arbor Cloud Service does not open HTTPS packets for “inspection”, “cleaning” or “scrubbing” unless the End User has elected to utilize a packet inspection service, if offered, at the application Layer 7 level on a per domain, per SSL certificate basis. This packet inspection service requires End User to provide Arbor with valid SSL certificates to be loaded on to the Arbor Cloud Platform for the traffic that shall be subject to HTTPS packet inspection.

2.6 Support services for the Arbor Cloud Service are provided in English only.

3. END USER OBLIGATIONS

3.1 End User shall provide all information requested by and pursuant to the Provisioning Process for each

Endpoint prior to activation of the Arbor Cloud Services with respect to that Endpoint and shall inform Arbor of any changes to such information for the duration of the Arbor Cloud Services.

3.2 For BGP-based services, End User must provide BGP and GRE capable device(s) and properly configure

such device(s).

3.3 End User shall provide Arbor with: (i) information on the Endpoints as requested by Arbor and such other

information that Arbor requires in order to provide the Arbor Cloud Services; and (ii) access to the Endpoints in order

to perform the Arbor Cloud Services.

3.4 End User acknowledges that in order for Arbor to provide the Arbor Cloud Services, End User must first

redirect the internet traffic for the Endpoint to the Arbor Cloud Platform.

3.5 End User acknowledges that operation and performance of the Arbor Cloud Services involves repeated

filtering of traffic to the Endpoint and End User expressly consents to the same. End User hereby grants Arbor, for the

Term, a non-exclusive, non-transferable, and royalty-free license to access the Endpoint and the internet traffic flowing thereto and any applications contained therein.

3.6 End User shall be solely responsible for the direction of all internet traffic for an Endpoint by following

Arbor’s procedures then in effect under the Provisioning Process (which may include, by way of example, contacting support and having Arbor announce or cease announcing the requested /24 prefixes or changing DNS to DNS

Redirection VIPs).

3.7 End User shall have a technical contact available during the entirety of a Mitigation Incident that speaks

English to enable End User to interact with Arbor’s support team.

3.8

During a Mitigation Incident, End User shall:

3.8.1

route all traffic for an Endpoint to Arbor

3.8.2

ensure rate limiting is turned off

3.8.3

set DNS TTL (Time to Live) at 300s for all protected infrastructure

3.8.4

set ACLs to drop all traffic not originating from Arbor

3.8.5

whitelist Arbor IP addresses

3.8.6

ensure other mitigation equipment is disabled within End User environment.

3.9

End User shall have documented internal emergency/incident response procedures for DDoS attacks.

3.10

End User acknowledges that the Arbor Cloud Service is an on-demand service for use during Attack

Incidents only and is not meant to be used as an always-on service during periods when an Attack is not occurring.

3.11

End User shall take all such action as is reasonably necessary to enable Arbor to perform the Arbor Cloud

Services.

3.12

End User shall not use, or allow use of, the Arbor Cloud Service in any of the following manners

(“Abuses”): (a) Use of the Arbor Cloud Service in an unlawful manner or for an unlawful purpose, (b) Use of the Arbor

Cloud Service in a manner that, in Arbor’s reasonable discretion, directly or indirectly produces or threatens to produce a negative effect on the Arbor Cloud Service network other than in a manner for which the Arbor Cloud Service network was designed or that interferes with the use of the Arbor Cloud Service network by other customers or authorized end users, including, without limitation, overloading servers or causing portions of the Arbor Cloud Service network to be blocked; or (c) excessive or prolonged use of the Arbor Cloud Service while not actively mitigating a DDoS attack or incident.

3.13 Arbor may suspend an Endpoint or the Arbor Cloud Services, as applicable, if, in Arbor’s reasonable

determination, an Abuse occurs. Such suspension shall remain in effect until End User corrects the applicable Abuse. In the event that, in Arbor’s reasonable determination, an Abuse is critically impacting, or threatens to impact critically, the Arbor Cloud Service network or servers, Arbor may suspend an Endpoint or the Arbor Cloud Service, as applicable, immediately and without prior notice. In the event that an Abuse is not critically impacting the Arbor Cloud

Service network or threatening to do so, Arbor shall give prior notice of any suspension. End User’s failure to correct any Abuse within thirty (30) days after receipt of notice will entitle Arbor to terminate Arbor Cloud Services as provided for in the Agreement.

4. TERM AND TERMINATION

The Arbor Cloud Service shall commence on the date indicated on the Form and shall continue in effect for the term set forth on the Form (“Initial Term”). Upon expiration of the Initial Term, the Arbor Cloud Service will be renewed automatically for successive twelve (12) month periods (“Renewal Term(s)”) unless either party gives written notice of

its intent not to renew the Arbor Cloud Service at least thirty (30) days prior to the end of the Initial Term or the then- current Renewal Term (the Initial Term and any Renewal Terms, collectively the “Term”). End User shall give any notice of non-renewal by sending an e-mail to orders@arbor.net.

5. PAYMENTS AND FEES

5.1 End User shall pay Arbor the service fees set in the Form (“Service Fee”). The Monthly Service Package

Fee shall be charged on a monthly, recurring basis. The Mitigation Incident Fee, Clean Traffic Overage Fee, Emergency Setup Fee and Emergency Setup Change Fee shall be charged on a monthly basis when and if incurred.

5.2 The Monthly Service Package Fee includes the domains, Locations and /24 prefixes indicated on the

Form. Additional domains, Locations and /24 prefixes may be added to the package for an additional fee.

5.3 The “Emergency Setup Fee” shall be incurred in the event that, in response to an End User request,

provisioning of the Arbor Cloud Service is performed within seventy-two (72) hours of Arbor’s approval of End User’s

request. The Emergency Setup Fee shall apply in addition to any related Mitigation Incident Fees and, if applicable any Clean Traffic Overage Fees.

5.4 The “Emergency Setup Change Fee” shall be charged for End User initiated additions, deletions and

updates related to domain names, IP addresses, Locations, ports & protocols made after initial emergency setup performed within seventy-two (72) hours of Arbor’s approval of End User’s request and via the Provisioning Process.

5.5 End User will be charged Clean Traffic Overage Fees if, during a Mitigation Incident, Arbor determines

that the 95th percentile peak clean traffic flowing through the Arbor Cloud Platform exceeds the contracted Clean

Traffic amount. End User will be charged a per Mbps overage fee for the additional, peak Clean Traffic.

5.6 Pricing for any Renewal Term is subject to change, provided Arbor notifies End User of any such price

change at least forty-five (45) days before the commencement of the Renewal Term.

6. WARRANTIES

6.1 Arbor represents that the Arbor Cloud Services will perform as described in the service level agreement

attached hereto at Exhibit A (“SLA”). End User’s sole and exclusive remedy, and Arbor’s sole and exclusive obligation, for a breach of the foregoing representation will be the remedy(ies) set forth in the SLA. A breach of this

representation or the SLA shall not constitute a breach of Your Agreement.

6.2 End User represents and warrants that End User: (a) has all right, title and interest or is the licensee with

right to use and/or access all of the Endpoints, applications and/or content provided to perform the Arbor Cloud Services and all of the content accessed at End User’s direction to perform the Arbor Cloud Services (together, “Content”); (b) If the End User utilizes a packet inspection service, that its provision of the SSL certificate for the HTTPS Packet Inspection service and Arbor’s use thereof for provision of the Arbor Cloud Service does not violate any laws, security policies or regulations or infringe the proprietary or privacy rights of any third party; (c) shall not use

the Arbor Cloud Services for any unlawful purpose; and (d) shall comply with these terms as may be updated by Arbor in writing from time to time.

7. INDEMNITY

7.1 End User will defend at its own expense any action brought against Arbor, its directors, officers, or employees by a third party to the extent that the action is based on a claim, suit, or proceeding arising from or relating to (i) the breach of any representation or warranty set forth herein; (ii) any third party claim that Arbor’s provision of the Arbor Cloud Service to Endpoints designated by End User in connection with performing the Arbor Cloud Services for End User is not authorized or a claim that Arbor has infringed upon any third party’s intellectual property rights in the Content. This Section 7 shall survive termination of the Agreement.

EXHIBIT A

SERVICE LEVEL AGREEMENT FOR ARBOR CLOUD SERVICE

This Service Level Agreement (“SLA”) for the Arbor Cloud Service is subject to the terms of the Arbor Master Purchase Agreement. In the event of a conflict between the terms of the Arbor Master Purchase Agreement and the terms of this SLA, this SLA shall control.

1. Definitions

1.1 “Credit” shall mean the credit issued for a Service Outage and shall be the pro-rated value of one (1) day of

fees determined by dividing the Monthly Service Package Fees by the number of days in the calendar month in which

the Service Outage occurs.

1.2 “Service Outage” shall mean an event where Arbor has failed to meet any of the SLAs in Section 2.2 below and

no exception in 2.3 applies.

1.3 “Arbor Cloud Platform” shall mean the integrated hardware and software combined to form the network

deployed and controlled by Arbor in connection with the provision of the Services, excluding: a) any third party or on-

premise hardware, software or networks not owned, deployed and under the control of Arbor; or b) telecommunications services or infrastructure providing a connection between any Arbor servers used in the provision of the Services.

2. Service Levels

2.1 During the Term, Arbor will provide the Services without a Service Outage.

2.2 A Service Outage shall, subject to Sections 2.3 and 4.2 below, be deemed to occur in the event that the

following Service Levels are not met:

A. Arbor Cloud Platform: 99.999% Availability. The Arbor Cloud Platform shall not be unavailable for more than five (5) consecutive seconds in any calendar month.

B. Standard Setup: 72 Hours. Standard Setup shall be performed within seventy two (72) hours of the following events: (i) for DNS Redirection-based Services, completion of the provisioning call and acceptance of configuration submission by Arbor; (ii) for BGP-Redirection based Services, completion of the provisioning call and acceptance of configuration submission by Arbor.

C. Standard Setup Updates: 72 Hours. Standard Setup Updates shall be performed within seventy two (72) of the following events: (i) for DNS Redirection-based Services, completion of the provisioning call and acceptance of configuration submission by Arbor; (ii) for BGP-Redirection based Services, completion of the provisioning call and acceptance of configuration submission by Arbor.

D. Emergency Setup: 4 Hours. (Only Applies to DNS Based Redirection-Services). Emergency Setup shall be performed within four (4) hours of acceptance of configuration submission by Arbor.

E. Emergency Setup Updates: 4 Hours. Emergency Setup Updates shall be performed within four (4) hours of acceptance of configuration submission by Arbor.

F. Time to Mitigate: 5 Minutes/15 Minutes. Arbor shall begin mitigation within: (i) five (5) minutes for Layer 3 & 4 attacks from the time traffic is redirected to Arbor Cloud Platform and Arbor has detected malicious traffic; and (ii) fifteen (15) minutes for Layer 7 attacks from the time traffic is redirected to Arbor Cloud platform and Arbor has detected malicious traffic. Each attack vector change shall start a new Time to Mitigate. Mitigation shall mean the cleaning of the traffic such that no more than five percent (5%) of dirty/malicious traffic shall be passed to Customer Endpoint(s).

2.3 A Service Outage shall not be deemed to occur when the event is due to any of the following: (a)

Inaccurate and/or insufficient information or configuration information or configuration information provided by Customer; (b) Misuse of the Services by Customer; (c) Traffic redirection delays (e.g. DNS TTLs and BGP route propagation delays) (outside of Arbor control); (d) Non-performance or other negligent or unlawful acts or failure to act by Customer or its agents or suppliers; (e) Network unavailability outside of Customer Endpoint(s), failure to implement ACLs or other documented best practices); (g) Lack of Customer participation in DDoS Mitigation efforts, including Arbor’s inability to reach Customer by phone or Customer’s lack of English-speaking representatives available to coordinate and communicate with Arbor during a DDoS attack); (h) A Customer provisioning request is not accepted by Arbor; (i) Acts of God or events of Force Majeure; (i) Scheduled or emergency maintenance; (j) Suspension or termination of the Services by Arbor in accordance with the terms of the Arbor Master Purchase Agreement; or (k) Customer has not directed all Customer traffic for the Endpoint to the Arbor Cloud Platform.

3. Scheduled Maintenance.

Arbor may perform maintenance on its systems at any time but will be limited to a maximum of six (6) hours of scheduled maintenance during any calendar week. Scheduled Maintenance may result in the Customer’s inability to access (a) client-side web-based and mobile user interfaces, (b) applications programming interfaces (APIs), or other Customer accessible software. Arbor will maintain a standard maintenance window on Sunday beginning at 0400 AM Greenwich Mean Time (GMT), but may initiate an additional maintenance window during a weekday at a time period that is communicated to the Customer at least forty-eight (48) hours in advance. Additionally, Arbor may take an emergency maintenance outage of no more than four (4) hours once per month with four (4) hours advanced notice. Notice of Scheduled Maintenance will be provided to Customer’s designated point of contact by email or by a notification in the Arbor Cloud web based user interface. The Arbor Cloud Platform will continue to be available for mitigation during Scheduled Maintenance.

4. Remedies for Service Outages.

4.1

data. In the event of a Service Outage, the following Credits will apply:

Arbor shall, in good faith, determine whether a Service Outage occurred based on Arbor’s records and

A. For a Service Outage occurring with respect to the SLA provided in 2.2.A: if the Service Outage is greater than five (5) seconds but less than or equal to five (5) minutes, one (1) Credit shall apply; if the Service Outage is greater than five (5) minutes but less than or equal to one (1) hour, five (5) Credits shall apply; if the Service Outage lasts more than one (1) hour, ten (10) Credits shall apply.

B. For any Service Outage occurring with respect to the SLAs provided in 2.2.B and 2.2.C: if the Service Outage is greater than one (1) day but less than or equal to seven (7) days, one (1) Credit per day of Service Outage shall apply; if the Service Outage is greater than seven (7) days, ten (10) Credits shall apply.

C. For any Service Outage occurring with respect to the SLAs provided in 2.2.D and 2.2.E: if the Service Outage is greater than one (1) hour, one (1) Credit per hour of Service Outage shall apply, up to a maximum of ten (10) Credits.

D. For any Service Outage occurring with respect to the SLAs provided in 2.2.F:

a. if the Service Outage for Layer 3/4 is greater than five (5) minutes, but less than or equal to fifteen (15) minutes, one (1) Credit shall apply; if the Service Outage for Layer 3/4 is greater than fifteen (15) minutes, but less than or equal to sixty (60) minutes, two (2) Credits shall apply; if the Service Outage for Layer 3/4 is greater than sixty (60) minutes, but less than or equal to four (4) hours, five (5) Credits shall apply; and if the Service Outage for Layer 3/4 is greater than four (4) hours, ten (10) Credits shall apply.

b. if the Service Outage for Layer 7 is greater than fifteen (15) minutes, but less than or equal to thirty (30) minutes, one (1) Credit shall apply; if the Service Outage for Layer 7 is greater than thirty (30) minutes, but less than or equal to sixty (60) minutes, two (2) Credits shall apply; if the Service Outage for Layer 7 is greater than sixty (60) minutes, but less than or equal to four (4) hours, five (5) Credits shall apply; and if the Service Outage for Layer 7 is greater than four (4) hours, ten (10) Credits shall apply.

4.2 In the event Customer believes a Service Outage has occurred, Customer will provide to Arbor all relevant

details and documentation supporting Customer’s claims of a Service Outage. Any claims for a Credit must be made by Customer within seven (7) days after the alleged Service Outage and will be made to Arbor’s Customer Support organization in writing. Claims made more than seven (7) days after the event will not be eligible for any of the remedies described herein. Arbor will investigate the claim and will respond back to Customer within ten (10) business days of receipt of the notification of a claim from Customer, either (i) accepting Customer’s Service Outage claim, or (ii) with all relevant details and documentation supporting a dispute of Customer’s Service Outage claim, in which case the parties shall resolve any such dispute promptly in good faith. Customer may not accumulate more than fifteen (15) Credits in any calendar month. To make a claim under 2.2.A, Customer must send to Arbor Customer Service proof that the platform was unavailable for mitigation. To make a claim under Section 2.2.F, Customer must submit a packet capture of the traffic to the affected Endpoint of at least an hour of duration. Credits obtained by Customer shall have no cash value but will apply against Monthly Service Fees in future invoices; provided, however, that if the Credits accrue in the last month of the Term and Customer does not renew the Cloud Service, Arbor shall provide such Credits to Customer in the form of a check within thirty days of the end of the Term. Arbor will reflect Credits on invoices issued one calendar month after the occurrence of the Service Outage. Credits shall only apply to Services provided pursuant to the Monthly Service Fee set forth in the Quote and will not apply to any Arbor professional services or any other form of custom development services provided by Arbor. Customer’s sole and exclusive remedy, and Arbor’s sole and exclusive liability, in the event Arbor fails to meet this Service Level Agreement, shall be to receive a Credit in accordance with the terms of this Section 4.