Capitalized terms not defined herein shall have the meaning set forth in the ordering agreement or the Cloud Service Agreement between Customer and BeyondTrust.

1. DATA SECURITY

BeyondTrust shall implement and maintain security procedures and practices appropriate to information technology service providers to protect Customer Data from unauthorized access, destruction, use, modification, or disclosure, as described in the Data Security Guide attached hereto, and incorporated herein by reference.

2. SUPPORT

During the Subscription Term, BeyondTrust or its authorized reseller, as applicable, shall provide support for the Cloud Service as set forth in the Cloud Service Support Guide attached hereto, and incorporated herein by reference.

3. INSURANCE

BeyondTrust agrees to maintain in effect during the Subscription Term, at BeyondTrust’s expense, the following minimum insurance coverage:

(i) (a) Workers’ Compensation Insurance, in accordance with applicable statutory, federal, and other legal requirements and (b) Employers’ Liability Insurance covering employees in an amount of not less than $1,000,000 for bodily injury by accident, $1,000,000 policy limit for bodily injury by disease, and $1,000,000 each employee for bodily injury by disease;

(ii) Commercial General Liability Insurance written on an occurrence form and including coverage for bodily injury, property damage, products and completed operations, personal injury, advertising injury arising out of the services and/or products provided under this Agreement with minimum limits of $1,000,000 per occurrence/$2,000,000 aggregate;

(iii) Commercial Automobile Liability Insurance providing coverage for hired and non-owned automobiles used in connection with this Agreement in an amount of not less than $1,000,000 per accident combined single limit for bodily injury and property damage;

(iv) Combined Cyber & Technology Errors’ & Omission Policy with a $10,000,000 limit in the aggregate, including: (a) Professional Liability Insurance providing coverage for the services and software in this Agreement. Such coverage to be maintained for at least two (2) years after the termination of this Agreement; and

(v) Excess Liability over Employers’ Liability, Commercial General Liability and Commercial Automobile Liability with a $3,000,000 aggregate limit.

4. AVAILABILITY SERVICE LEVEL

A. Definitions

(1) “Available” means that the Cloud Service can be accessed by authorized users.

“Availability” = ((total minutes in a calendar month – total minutes where Cloud Services are not Available for use by Customer (“Unavailable”)) / total minutes in a calendar month) x 100

(2) “Excused Downtime” means: (i) Maintenance Time of up to two (2) hours per month; and (ii) any time the Cloud Service is not Available due to circumstances beyond BeyondTrust’s control, including without limitation modifications of the Cloud Service by any person other than BeyondTrust or a person acting at BeyondTrust’s direction, a Force Majeure Event, general Internet outages, failure of Customer’s infrastructure or connectivity (including without limitation, direct connectivity and virtual private network (VPN) connectivity to the Cloud Service), computer and telecommunications failures and delays, and network intrusions or denial-of-service or other criminal attacks.

(3) “Maintenance Time” means the time the Cloud Service is not Available due to service maintenance.

(4) “Availability SLA” means the percentage of total time during which Customer’s production instances of the Cloud Service are Available during a calendar month, excluding Excused Downtime as determined using BeyondTrust’s monitoring tools. BeyondTrust’s Availability SLA shall be ninety-nine and nine-tenths percent (99.9%) during a calendar month.

DATA SECURITY GUIDE

SECURITY OVERVIEW

This Data Security Guide describes the measures BeyondTrust takes to protect Customer Data when it resides in the BeyondTrust Cloud. This Data Security Guide forms a part of any legal agreement into which this Data Security Guide is explicitly incorporated by reference (the “Agreement”) and is subject to the terms and conditions of the Agreement. Capitalized terms that are not otherwise defined herein shall have the meaning given to them in the Agreement.

BeyondTrust’s comprehensive approach to security is enabled by the following: (a) BeyondTrust’s Cloud Service infrastructure runs on its own applications and utilizes industry leading technology to automate mission critical functionalities in the Cloud Service; (b) BeyondTrust achieves flexibility and control in its ability to deliver a stable user experience to the customer by having a logical single tenant architecture; (c) BeyondTrust’s application development which has a focus on quality, security, and the user experience is closely connected to the operations of delivering those applications in a reliable and secure cloud environment; and (d) BeyondTrust invests in a compliance strategy that allows its customers to attain their own compliance to applicable laws by obtaining attestations and certifications.

1. BEYONDTRUST’S SECURITY PROGRAM

While providing the Cloud Service, BeyondTrust shall maintain a written information security program of policies, procedures and controls (“Security Program”) governing the processing, storage, and security of Customer Data. The Security Program includes industry standard practices designed to protect Customer Data from unauthorized access, acquisition, use, disclosure, or destruction. BeyondTrust may periodically review and update the Security Program to address new and evolving security technologies, changes to industry standard practices, and changing security threats, provided that any such update does not materially reduce the commitments, protections or overall level of service provided to Customer as described herein.

2. PHYSICAL, TECHNICAL AND ADMINISTRATIVE SECURITY MEASURES

The Security Program shall include the following physical, technical and administrative measures designed to protect Customer Data from unauthorized access, acquisition, use, disclosure, or destruction:

2.1. Physical Security Measures

(a) Data Center Facilities: (i) Physical access restrictions and monitoring that may include a combination of any of the following: multi-zone security, man-traps, appropriate perimeter deterrents (for example, fencing, berms, guarded gates), on-site guards, biometric controls, CCTV, and secure cages; and (ii) fire detection and fire suppression systems both localized and throughout the data center floor.

(b) Systems, Machines and Devices: (i) Physical protection mechanisms; and (ii) entry controls to limit physical access.

(c) Media: (i) Industry standard destruction of sensitive materials before disposition of media; (ii) secure safe for storing damaged hard disks prior to physical destruction; and (iii) physical destruction of all decommissioned hard disks storing Customer Data.

2.2. Technical Security Measures

(a) Access Administration. Access to the Cloud Service by BeyondTrust employees is protected by authentication and authorization mechanisms. User authentication is required to gain access to production and sub-production systems. Access privileges are based on job requirements and are revoked upon termination of employment. Production infrastructure includes appropriate user account and password controls (for example, the required use of virtual private network connections, complex passwords with expiration dates) and is accessible for administration.

(b) Access Controls. BeyondTrust has implemented an access control authentication approach based on need to know and separation of duties. BeyondTrust products are configurable to meet strict access controls and audit requirements for privileged and general users and can be integrated into federated identity and access management solutions.

(c) Encryption. BeyondTrust utilizes secure communications, TLS 1.2, for web-based communications and data collection. BeyondTrust products are configurable to meet data transmission and data at rest requirements.

(d) Password Policies. BeyondTrust adheres to a strict, complex password policy utilizing multi-factor authentication. BeyondTrust products are configured to meet password complexity, periodicity, and versioning requirements, and can be integrated into federated identity and access management solutions.

(e) Pseudonymization. BeyondTrust collects only the minimum data needed to conduct business. BeyondTrust has applied pseudonymization in data collection to support metric collection and analysis efforts.

(f) Firewall System. An industry-standard firewall is installed and managed to protect BeyondTrust internal systems by residing on the network to inspect all ingress connections routed to the BeyondTrust environment.

(g) Vulnerability Management. BeyondTrust conducts periodic independent security risk evaluations to identify critical information assets, assess threats to such assets, determine potential vulnerabilities, and provide for remediation. When software vulnerabilities are revealed and addressed by a vendor patch, BeyondTrust will obtain the patch from the applicable vendor and apply it within an appropriate timeframe in accordance with BeyondTrust's then current vulnerability management and security patch management standard operating procedure and only after such patch is tested and determined to be safe for installation in all production systems.

(h) Antivirus. BeyondTrust updates anti-virus, anti-malware, and anti-spyware software on regular intervals for internal systems and centrally logs events for effectiveness of such software.

(i) Change Control. BeyondTrust ensures that changes to platform, applications and production infrastructure are evaluated to minimize risk and are implemented following BeyondTrust’s standard operating procedure.

2.3. Administrative Security Measures

(a) Personnel Security. BeyondTrust performs background and drug screening on all employees who have access to Customer Data in accordance with BeyondTrust’s then current applicable standard operating procedure and subject to applicable law.

(b) Security Awareness and Training. BeyondTrust maintains a security awareness program that includes appropriate training of BeyondTrust personnel on the Security Program.

(c) Vendor Risk Management. BeyondTrust maintains a vendor risk management program that assesses all vendors that access, store, process or transmit Customer Data for appropriate security controls and business disciplines.

BeyondTrust will conduct periodic reviews of the security of its Services and adequacy of its Security Program as measured against industry security standards and its policies and procedures. BeyondTrust will continually evaluate the security of its Services to determine whether additional or different security measures are required.

3. CERTIFICATIONS AND ATTESTATIONS

3.1. Certifications and Attestations. BeyondTrust shall establish and maintain sufficient controls to meet the objectives stated in SOC 2 (or equivalent standards) (collectively, the “Standards”) for the information security management system supporting the Cloud Service. At least once per calendar year, BeyondTrust shall perform an assessment against such Standards (“Assessment”). Upon Customer’s written request, which shall be no more than once per calendar year, BeyondTrust shall provide a summary of the Assessment(s) to Customer. Assessments shall be Confidential Information of BeyondTrust. BeyondTrust maintains certifications with many industry standards such as ISO 27001, AICPA SOC, and CSA.

3.2. Privacy Shield. BeyondTrust shall maintain self-certified compliance under the U.S.-EU and U.S.-Swiss Privacy Shield Frameworks developed by the U.S. Department of Commerce regarding the collection, use and retention of Personal Data (defined in Section 6 below) from European Union member countries and Switzerland.

3.3. If and to the extent the EU-US Privacy Shield is no longer recognized by the European Commission (or the Swiss-US Privacy Shield is no longer recognized by the Swiss Federal Data Protection and Information Commissioner) or other local privacy authorities for Customer Data originating from a country outside the EEA, as an adequate mechanism for the transfer of Personal Data from the EEA, United Kingdom, Switzerland, or other country, as applicable, to the United States, BeyondTrust will abide by another adequate transfer mechanism such as executing the Standard Contractual Clauses where appropriate.

4. DATA PROTECTION

4.1. Data Centers. BeyondTrust shall host Customer’s instances in primary and secondary SSAE 18 Type II or ISO 27001 certified (or equivalent) data centers in the geographic regions specified on the Order Form for the Subscription Term. Each data center includes full redundancy (N+1) and fault tolerant infrastructure for electrical, cooling and network systems.

5. INCIDENT MANAGEMENT AND BREACH NOTIFICATION

5.1. Incident Monitoring and Management. BeyondTrust shall monitor, analyze and respond to security incidents in a timely manner in accordance with BeyondTrust’s standard operating procedure. Depending on the nature of the incident, BeyondTrust security group will escalate and engage response teams necessary to address an incident.

5.2. Breach Notification. Unless notification is delayed by the actions or demands of a law enforcement agency, BeyondTrust shall report to Customer the unauthorized acquisition, access, use, disclosure or destruction of Customer Data (a “Breach”) promptly following determination by BeyondTrust that a Breach occurred. The initial report shall be made to Customer security contact(s) designated in BeyondTrust’s customer support portal. BeyondTrust shall take reasonable measures to promptly mitigate the cause of the Breach and shall take reasonable corrective measures to prevent future Breaches. As information is collected or otherwise becomes available to BeyondTrust and unless prohibited by law, BeyondTrust shall provide information regarding the nature and consequences of the Breach that are reasonably requested to allow Customer to notify affected individuals, government agencies and/or credit bureaus. Customer is solely responsible for determining whether to notify impacted Data Subjects (defined in 6.1 below) and for providing such notice, and for determining if regulatory bodies or enforcement commissions applicable to Customer or Customer Data need to be notified of a Breach. To assist Customer in relation to any personal data breach notifications Customer is required to make under GDPR, BeyondTrust will include in the notification such information about the Breach as is set out at Article 33(2) of the GDPR, to the extent that such information is reasonably available to BeyondTrust. Where and insofar as BeyondTrust cannot provide all the information relevant to a Breach at the same time, it may provide such information in phases without undue further delay. In accordance with the provisions of Article 34 of the GDPR, Customer is solely responsible for complying with data breach notification laws applicable to the Customer and fulfilling any third-party notification obligations related to any Breach(es). BeyondTrust’s notification of or response to a Breach under this Section is not an acknowledgement by BeyondTrust of any fault or liability with respect to the Breach. Notification(s) of a Breach, if any, will be delivered to one or more of Customer’s administrators by any means BeyondTrust selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information with BeyondTrust.

5.3. Customer Cooperation. Customer agrees to cooperate with BeyondTrust in maintaining accurate contact information and by providing any information that is reasonably requested to resolve any security incident, identify its root cause(s) and prevent a recurrence.

5.4. Business Continuity Management. BeyondTrust shall maintain a documented business continuity and disaster recovery plan, tested at least annually.

6. DATA PROCESSING GUIDELINES; COMPLIANCE WITH LAWS

6.1. Customer as Data Controller. Customer acknowledges that in relation to Personal Data supplied and/or processed under the Agreement it acts as Controller and it warrants that it will duly observe all of its obligations under all applicable laws and regulations of the European Union, the European Economic Area and their member states regarding the processing of Personal Data (collectively referred to as “Data Protection Laws”) including, without limitation, obtaining and maintaining all necessary notifications and obtaining and maintaining all necessary Data Subject Consents. Customer shall (i) have sole responsibility for the accuracy, quality, integrity, legality and reliability of Personal Data and of the means by which it acquired Personal Data, (ii) ensure that data processing instructions given to BeyondTrust comply with applicable Data Protection Laws, and (iii) comply with all applicable Data Protection Laws in collecting, compiling, storing, accessing and using Personal Data in connection with the Cloud Service. For the purposes of this Data Security Guide, “Personal Data”, “Controller”, “Data Subject” and “Data Subject Consent” shall have the meaning given to these terms in Directive 95/46/EC. For clarity, “process” or “processing” means any operation or set of operations performed upon Customer Data.

6.2. BeyondTrust as Data Processor. BeyondTrust shall Process Customer Data only for the purposes specified in the Agreement, and on behalf of and in accordance with Customer’s documented instructions or as otherwise required by law (subject to BeyondTrust first notifying Customer of the relevant legal requirement unless such notification is itself prohibited by law on important grounds of public interest). The parties agree that this DPA and the Agreement constitute Customer’s documented instructions to BeyondTrust for the Processing of Customer Data. Processing outside of the scope of these instructions (if any) will require prior written agreement between BeyondTrust and Customer. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Customer Data. Customer’s instructions to BeyondTrust for the Processing of Customer Data shall comply with applicable Data Protection Laws and Regulations. BeyondTrust will immediately notify Customer if BeyondTrust believes any of Customer’s instructions relating to Processing of Personal Data breaches applicable Data Protection Laws and Regulations.

6.3. Subcontractors. Customer acknowledges and agrees that BeyondTrust may engage subcontractors for processing Customer Data under the Agreement, provided BeyondTrust shall ensure compliance by such subcontractor(s) with the requirements of this Section 6 by entering into written agreements with such subcontractors which provide that the subcontractor will apply the Privacy Shield principles to the processing of Personal Data or Standard Contractual Clauses, as applicable. BeyondTrust’s use of any subcontractor will not relieve, waive or diminish any obligation BeyondTrust has under the Agreement or this Data Security Guide.

6.4. Where BeyondTrust authorizes any sub-processor as described in Section 6.3, BeyondTrust will restrict sub-processor’s access to Customer Data only to what is necessary to maintain or provide services to Customer.

7. PENETRATION TESTS

7.1. By a Third Party. BeyondTrust contracts with third party vendors to perform a periodic penetration test on the BeyondTrust platform to identify risks and remediation that help increase security.

7.2. By Customer. No more than once per calendar year Customer may request to perform, at its own expense, an application penetration test of its instances of the Cloud Service. Customer shall notify BeyondTrust in advance of any test by submitting a request using BeyondTrust’s online support portal and completing a penetration testing agreement. BeyondTrust and Customer must agree upon a mutually acceptable time for the test; and Customer shall not perform a penetration test without BeyondTrust’s express written authorization. The test must be of reasonable duration and must not interfere with BeyondTrust’s day-to-day operations. Promptly upon completion of the penetration test, Customer shall provide BeyondTrust with the test results including any detected vulnerability. Upon such notice, BeyondTrust shall, consistent with industry standard practices, use all commercially reasonable efforts to promptly make any necessary changes to improve the security of the Cloud Service. Customer shall treat the test results as Confidential Information of BeyondTrust.

8. SHARING THE SECURITY RESPONSIBILITY

8.1. Product Capabilities. The Cloud Service has the capabilities to: (i) authenticate users before access; (ii) encrypt passwords; (iii) allow users to manage passwords; and (iv) prevent access by users with an inactive account. Customer manages each user’s access to and use of the Cloud Service by assigning to each user a credential and set of permissions that controls the level of access to the Cloud Service.

8.2. Customer Responsibilities. BeyondTrust provides the cloud environment that permits Customer to use and process Customer Data in the Cloud Service. Customer shall be responsible for protecting all Customer Data containing sensitive data, including without limitation, credit card numbers, social security numbers, financial and health information, and sensitive personal data. BeyondTrust protects all Customer Data in the BeyondTrust cloud infrastructure equally in accordance with this Data Security Guide, regardless of the classification of the type of Customer Data. Customer shall be responsible for protecting the confidentiality of each user’s login and password and shall manage each user’s access to the Cloud Service.

8.3. Customer Cooperation. Customer shall promptly apply any application upgrade that BeyondTrust determines is necessary to maintain the security, performance or availability of the Cloud Service.

8.4. Limitations. Notwithstanding anything to the contrary in the Agreement or this Data Security Guide, BeyondTrust’s obligations extend only to those systems, networks, network devices, facilities and components over which BeyondTrust exercises control. This Data Security Guide does not apply to: (i) information shared with BeyondTrust that is not data stored in its systems using the Cloud Service; (ii) data in Customer’s network or a third-party network; or (iii) any data processed by Customer or its users in violation of the Agreement or this Data Security Guide.

SUPPORT GUIDE

This BeyondTrust Cloud Service Support Guide (the “Support Guide”) governs the support that BeyondTrust will provide for the Cloud Service. This Support Guide may be updated from time to time.

I. SCOPE

The purpose of Customer Support is to resolve defects that cause the Cloud Service to perform not in substantial conformance to the Product Overview. A resolution to a defect may consist of a fix, workaround or other relief BeyondTrust deems reasonable.

II. SUPPORT AVAILABILITY

A. Hours. BeyondTrust offers support in English during BeyondTrust’s normal business hours

B. Holidays. BeyondTrust observes the following holidays (USA):


C. Severity Level 1 After Hours Support

BeyondTrust provides 24/7 access to a Self-Diagnostic Tool for troubleshooting Severity Level 1 Incidents and, for customers with an active Support contract, a Self-Service Center and Knowledge Base available at BeyondTrust’s Support Portal (beyondtrust.com/myportal). BeyondTrust additionally offers 24/7 support for Severity Level 1 incidents for BeyondTrust Cloud Service customers. Severity Level 1 incidents reported by email should be followed up by phone call to a published Support Contact number. Calls received outside of normal business hours will be triaged for appropriate Severity Level and escalated to an On-Call Support Engineer based on the determined Severity Level. Once an On-Call Support Engineer is engaged the focus of the engagement is to downgrade the severity of the Incident to Severity Level 2 either through a full resolution or by providing an agreed upon workaround.


III. CONTACTING CUSTOMER SUPPORT

Customer can report incidents to BeyondTrust via the following options:

A. How to Submit a Support Request

Request Submission Channels

Customers with a BeyondTrust product that has a valid maintenance contract have access to our Technical Support services through multiple channels. Regardless of how a support request is initiated, all cases will be triaged on submission to ensure you receive assistance from the appropriate product specialist.

Online Via Customer Portal
beyondtrust.com/myportal

Securely submit and review support cases as well as search our knowledge base and links to technical documentation.

Email
mysupport@beyondtrust.com

All cases submitted via email will be assigned a Severity Level 3.

Phone
USA (866) 652-3177
UK +44 (0) 1628 480 210

Additional local support numbers outside the USA / UK can be found on the Support Portal. Calls may be routed to an answering service for triage and case creation.

Chat
beyondtrust.com/myportal

BeyondTrust Technical Support engineers are available from 2am-7pm Monday-Friday US Central time to provide support through a BeyondTrust chat session. Chat sessions may be started from the Customer Portal.

IV. CLASSIFICATION OF SUPPORT INCIDENTS

The content of an Incident as supplied initially is used to identify the incident Severity Level using Table 1 below as a guide. Severity Levels range from Severity Level 1 (Critical) to Severity Level 3 (Low Priority). In collaboration with the Customer, BeyondTrust will make a reasonable determination of the Severity Level of Customer’s incident and make commercially reasonable efforts to respond accordingly. The Severity Level may also be adjusted as the incident progresses towards resolution.

Table 1

Severity Level 1
Basic Description of Incident Severity: Production system down and inoperable. The issue cannot be solved by a restart or a bypass or a workaround.
Reporting Methods and Response Times (Start of Resolution): Incident must be documented via email and followed up with telephone call. Maximum target time for First Response (start of resolution) is 30 minutes. Maximum target time for Customer Response Time is 30 minutes.
Roles and Resp. for Incident Solving: Both parties will make all commercially reasonable attempts to focus support resources on Severity Level 1 issues.

Severity Level 2
Basic Description of Incident Severity: Production system is operational but impacted due to issue with documented product functionality. Workaround exists for core product functionality.
Reporting Methods and Response Times (Start of Resolution): Incident must be reported via email to document the issue and may be followed up via telephone. Maximum target time for First Response (start of resolution) is 8 hours. Maximum target time for Customer Response Time is 8 hours.
Roles and Resp. for Incident Solving: Both parties will make all commercially reasonable attempts to focus support resources on Severity Level 2 issues during BeyondTrust Technical Support’s normal support hours.

Severity Level 3
Basic Description of Incident Severity: Cosmetic impairment. Limited impact to use of system. No immediate resolution required. Request for enhancements and general information.
Reporting Methods and Response Times (Start of Resolution): Incident must be reported via email. Maximum target time for First Response (start of resolution) is 24 hours.
Roles and Resp. for Incident Solving: Solutions provided for cosmetic, enhancements, or other incidents are possibly in future versions, depending on the product roadmap.

Additional Notes:


V. INCIDENT RESOLUTION PROCESS

A. When Customer experiences an incident or requires additional information about BeyondTrust products that Customer is not able to resolve with BeyondTrust’s online resources, BeyondTrust Customer Support is available to assist. Incidents reported outside BeyondTrust normal support hours are considered to be received at the beginning of the next business day.

B. When submitting an incident, the following information is required:

(1) Name and the name of company or organization; and

(2) A detailed description of Customer’s incident.

As a general rule, the more specific details Customer can provide the better BeyondTrust is able to provide a resolution quickly and accurately.

Details to include are:

(3) Supporting Documents. Whenever possible, please provide screenshots and log files.

(4) Support Incident Number. If there is an open support request with BeyondTrust, please provide the incident number. BeyondTrust recommends responding to emails from BeyondTrust Customer Support with “Incident #” in the subject line.

C. When Customer submits an incident or a request:

(a) It will be logged and receive an incident number and a severity rating.

(b) BeyondTrust Customer Support will verify that Customer has a current Support agreement with BeyondTrust and that the person contacting BeyondTrust is an authorized representative of Customer.

If either of these cannot be validated, BeyondTrust will be unable to provide any further support.

If Customer submits multiple items at once, individual incidents may be opened for each item.


D. Support’s Response:

(1) Customer will receive a response to Customer’s incident within the response times designated for the incident’s severity level.

(2) The response Customer receives may include any of the following:

(3) Logged Incidents will be set to a status of ‘Closed’ unless further action is required.

VI. CUSTOMER RESPONSIBILITIES

A. Communication. Customer agrees to receive from BeyondTrust communications via email, phone or through BeyondTrust’s Support Portal regarding the Cloud Service.

B. Authorized Contacts. Customer shall appoint no more than five (5) contacts (“Customer Authorized Contacts”) to engage Customer Support for questions and/or technical issues. Only Customer Authorized Contacts are authorized to contact Customer Support.

C. Maintain Awareness of BeyondTrust Product Updates. Review the Support Portal, the change log and various marketing materials for any available software updates.

D. Backup Procedures. Keep full and current backups of Customer’s BeyondTrust data using the tools provided. It is extremely important to perform backups prior to any upgrades or updates.

E. Documentation. Customer is responsible for utilizing the latest documentation we provide via BeyondTrust’s Support Portal, corporate website and/or email for handling and operating the Cloud Service.

F. Compliance with Instructions. Customer will make all commercially reasonable efforts to both comprehend the material and execute any instructions provided.

G. Fault Documentation. Before submitting an incident report, Customer shall document any changes that may have been made and shall have made a reasonable attempt to reproduce the reported incident, if appropriate.

H. Access to Qualified Staff. Customer shall make any such staff available at times mutually agreed upon that are required to achieve an efficient resolution.

VII. SERVICES AND LIMITATIONS

BeyondTrust Customer Support does not include services that include or result from:

For services not covered, BeyondTrust and Customer may agree to applicable scopes of works and fees.

VIII. UPGRADES

A. “Upgrades” are BeyondTrust’s releases of the Cloud Service for repairs, enhancements or new features applied by BeyondTrust to Customer’s instances of the Cloud Service at no additional fee during the Subscription Term. BeyondTrust determines whether and when to develop, release and apply any Upgrade to Customer’s instances of the Cloud Service.

B. Notice; Maintenance Downtime

BeyondTrust shall use reasonable efforts to give Customer five (5) days prior notice of any Upgrade to the Cloud Service. BeyondTrust shall use reasonable efforts to give Customer two (2) days prior notice of any Upgrade to the cloud infrastructure network, hardware, or software used by BeyondTrust to operate and deliver the Cloud Service if BeyondTrust in its reasonable judgment believes that the infrastructure Upgrade will impact Customer’s use of its production instances of the Cloud Service. BeyondTrust will use commercially reasonable efforts to limit the period of time during which the Cloud Service is unavailable due to the application of Upgrades to no more than two (2) hours per month. Notwithstanding the foregoing, BeyondTrust may provide Customer with a shorter or no notice period of an Upgrade, if necessary, in the reasonable judgment of BeyondTrust, to maintain the availability, security or performance of the Cloud Service or the ability of BeyondTrust to efficiently provide the Cloud Service. Customer has the ability to install released BeyondTrust software Upgrades when they are made available. Alternately, in Customer’s installation process, if Customer elected to participate in one of two (2) update schedules then these automated upgrade schedule levels apply when an available BeyondTrust software release has not been applied manually before the scheduled time.

Customer may submit a support request for “no Upgrade” not fewer than three (3) days prior to a pending Upgrade of the Cloud Service. Customer’s “no Upgrade” request shall be granted, and the Upgrade shall not be applied to Customer’s instances of the Cloud Service. If Customer has requested “no Upgrade” it may nevertheless be required to Upgrade if in the reasonable judgment of BeyondTrust the Upgrade is necessary to maintain the availability, security or performance of the Cloud Service or the ability of BeyondTrust to efficiently provide the Cloud Service.

C. Naming

BeyondTrust uses the combined values of X and Y numerals in X.Y.z to denote a major version (e.g., 17.1). A maintenance version is denoted by Z in x.y.Z (17.1.1). Maintenance versions are subsumed under their corresponding major versions for the purposes of support.

D. Supported Releases

BeyondTrust provides support for any major version of BeyondTrust’s products for a minimum of two years from the generally available (GA) release date. During the life of two years there may be several maintenance versions associated with the active major version. A GA release and all associated maintenance releases will usually be retired after two years.

Customer acknowledges that the current release is the most current feature, availability, performance and security version of the Cloud Service. A Customer that has submitted a “no Upgrade” request may experience defects, for which Customer hereby agrees that BeyondTrust is not responsible, including without limitation those that affect the features, availability, performance and security of the Cloud Service, that are fixed in the most current version of the Cloud Service.

E. Definitions.

The following list of terms and definitions are used throughout this Customer Support Guide.