SUBSCRIPTION TERMS FOR FIREEYE AS A SERVICE
(FAAS) – CONTINUOUS VIGILANCE
In addition to the General Terms Applicable to all Offerings, the
following terms govern the FireEye as a Service (FaaS) – Continuous
Vigilance (CV) Subscription.
1.1. “Alert” means an alert generated by a Product,
ETP Subscription, FireEye Helix Subscription, or TAP Subscription that
FireEye has determined is potentially malicious based on its
characteristics, and that is ingested into the FaaS analysis infrastructure.
1.2. “APT Alert” means an alert generated by a
Product, ETP Subscription, FireEye Helix Subscription, or TAP
Subscription that is identified by FireEye as being associated with a
“targeted threat,” which means advanced persistent threat (APT) actors
or APT activity.
1.3. “APT Only Service” means the Subscription level
in which FireEye will provide investigation and reporting of APT
Alerts. If Customer purchases the APT Only Service, FireEye will
provide investigation and reporting of only APT Alerts, and not any
1.4. “Covered System” means (i) a computing device
(to the extent supported by FireEye) that Customer specifies as within
the scope of the CV Subscription, and if the Customer has purchased
the HX Product or FireEye Helix Subscription, on which a software
agent has been installed to support CV Subscription delivery, or (ii)
a computing device (to the extent supported by FireEye) whose network
traffic is observable to support CV Subscription delivery; (iii) with
respect to ETP Subscriptions or EX Product, mailboxes monitored to
support CV Subscription delivery; or (iv) any computing device that
both Customer and FireEye agree is within scope of the CV Subscription.
1.5. “Enabling Hardware” means additional hardware
appliances that will be used by FireEye in providing the Subscription,
and may include log collection and analysis equipment.
1.6. “FaaS Supported Technology” means the Products,
Subscriptions, and Enabling Hardware monitored through the CV Subscription.
1.7. “Full Coverage Service” means the Subscription
level in which FireEye will process and assess all Alerts other than
1.8. “FaaS Reports” means the written reports
relating to Alerts that FireEye creates and makes available to
Customer through the CV Subscription.
1.9. “Nodes” or “Node Band” refers to number
of Covered Systems within the Customer environment, which is reflected
on the Subscription Order.
1.10. “Suppressed Alerts” means Alerts that are to be
excluded from investigation and reporting because they a) relate to
previously reported incidents that have not been resolved by the
Customer; b) relate to Covered Systems that were identified as
compromised and where required resolution steps have not been
completed by the Customer; c) are not identified as being supported by
FaaS in the FaaS Operations Manual; or d) have been requested to be
excluded by the Customer.
2. Scope of FaaS – Continuous Vigilance (CV)
Services. During the Subscription Term, FireEye will provide
the CV Subscription as set forth in this Section 2, according to the
Subscription level and Node Band purchased by Customer as set forth in
the Subscription Order. If the Subscription Order does not specify the
Subscription level purchased, then Customer will be deemed to have
purchased the APT Only Service. All services Customer requests that
are not described in this Section 2 will be performed at mutually
agreed upon rates as set forth in Statements of Work. If the number
of Nodes exceeds the Node Band reflected in the Subscription Order by
more than ten percent (10%), FireEye will notify Customer in writing,
and will issue an invoice for the next higher Node Band at FireEye’s
then-current rates pro-rated for the remaining portion of the
then-current Subscription Term.
2.1. Subscription Initiation. FireEye will work with
Customer to deploy, connect, and test the FaaS Supported Technology
that will be monitored through the CV Subscription (“Subscription
Initiation”). During Subscription Initiation, FireEye will do the following:
a) Designate a FaaS Transition Manager who will work in
conjunction with the Customer.
b) Create and deliver account details for FaaS Portal
access, conduct training, collect implementation requirements,
establish agreed-upon installation timelines, and provide
Documentation for CV Subscription.
c) Assist Customer with setup and configuration of the FaaS
Supported Technology, and test whether FireEye can receive Alerts with
supporting artifacts, and can monitor the Customer’s Covered Systems.
d) For FaaS Supported Technology that has been appropriately
configured, conduct baseline monitoring activities for up to 14 days.
The intent of the baseline is to identify any Covered Systems known to
be compromised and identify active attacks occurring in the Customer’s
environment, and provide the Customer with any recommended steps to
remediate these issues.
e) Validate monitoring and alerting activity for each FaaS
2.2. Alert Analysis
For each validated FaaS Supported Technology, FireEye will conduct
the following monitoring, investigation and reporting activities:
(a) Classification of Alerts. Alerts are automatically
ingested into the FaaS infrastructure as they are generated by the
applicable FaaS Supported Technology. Once ingested, FireEye will
classify the Alert as requiring further analysis or requiring no
further analysis within thirty (30) minutes of the time the Alert was
ingested into the FaaS infrastructure. FireEye will ingest and
classify the Alerts that correspond with the Subscription level the
Customer purchased. If the Customer purchased the APT Only Service,
FireEye will classify only APT Alerts. If the Customer purchased the
Full Coverage Service, FireEye will classify all Alerts. FireEye has
no obligation to investigate and report on Alerts that fall outside
the purchased Subscription level.
(b) If an Alert is classified as requiring no further
analysis, then a severity level assignment will be applied to the
Alert and FaaS Report will be published to the FaaS Portal within the
times set forth in the table below, based on the severity level.
(c) Initial Investigation. If an Alert is classified as
requiring further analysis, then FireEye will begin analysis of that
Alert promptly. FireEye analysts will perform an initial analysis of
the Customer’s Covered Systems to determine if the Alert is a true or
false positive, benign or suspicious activity.
(d) FaaS Reports. If FireEye’s investigation determines
that the Alert indicates a true compromise, FireEye will assign a
“High” “Medium” or “Low” severity level. FireEye will publish a FaaS
Report to the Portal related to that Alert within the times set forth
in the table below, calculated from the time FireEye assigns the
(e) Alerts that are investigated but are found to be
benign or a false positive will be reported as an Informational report.
(f) Regardless of whether FireEye’s investigation
determines that an Alert indicates a true compromise, FireEye will
publish a FaaS Report on the Alert to the FaaS Portal within the times
set forth in the table below, based on the severity level of the FaaS
Report (High, Medium, Low). Customer acknowledges that in some cases,
when FireEye’s investigation is not complete, a FaaS Report may
provide only an update of current status of the Alert investigation.
FaaS Report Severity Level
Time to Classify Alert as Requiring Further Analysis or No
Further Analysis (from time of ingestion)
Time to Publish FaaS Report (from time FireEye assigns
(g) Extended Investigations; Multiple Related Alerts.
When FireEye has identified a true positive or suspicious activity,
FireEye analysts may perform an extended investigation, and/or may
aggregate and review multiple Alerts from related Covered Systems to
determine the extent of activity related to the Alert. FireEye
analysts may append results from the extended investigation or
subsequent Alert investigations to the initial FaaS Report if FireEye
determines that additional or subsequent Alerts are related, and in
such cases, FireEye will not be required to issue a separate FaaS
Report for each such related Alert.
(h) Non-Remediable Alerts. FireEye has no obligation to
notify the Customer or generate a new FaaS Report on new Alerts that
are directly related to previous investigations or known compromises
where a FaaS Report has been published and FireEye has provided
recommended remediation steps, when the Customer has acknowledged the
FaaS Report but chooses not to or cannot remediate the cause of these Alerts.
(i) Alert Priority. FireEye may re-prioritize Alerts,
regardless of their severity classification, to provide focus to
Alerts that FireEye determines may have the largest impact to the
(j) Continuity of Monitoring. All monitoring,
investigation and reporting activities described in this Section 2.2
will be provided on a 24/7/365 basis.
2.3. Engagement Manager Responsibilities. FireEye
will assign an Engagement Manager to Customer’s account to assist in
the ongoing delivery of the CV Subscription. Engagement Managers will
schedule routine meetings, deliver related documentation and training
specific to the delivery of the CV Subscription. Engagement Managers
have no obligation to engage in activities or respond to inquiries
that are otherwise the responsibility of standard FireEye Support such
as Product-related troubleshooting or configuration questions.
Hunting. FireEye will conduct periodic proactive hunting
techniques on Covered Systems to look for additional indicators of
malicious or attacker activity. When FireEye’s investigation reveals a
compromise, then FireEye will assign a severity classification and
publish a FaaS Report to the FaaS Portal within the time frames set
forth in the table in 2.2 above, according to the severity classification.
2.5. System Health Monitoring and Notification. For
Customers who have purchased the FireEye EX, FX, HX, NX, NX Smart
Sensor, or PX Product, FireEye will provide Customer with notification
of system health issues such as connectivity problems.
2.6. Containment. When the Customer has purchased
the FireEye Helix Subscription or HX Product, FireEye may, when
appropriate, recommend containment of the target Covered System from
the Customer’s network. Containment must be executed by the Customer.
2.7. Portal Access. Appliance Health Monitoring and
FaaS Reports will be provided via an online portal (“FaaS Portal”),
and FireEye will provide login credentials to the Customer to enable
access to the FaaS Portal. Service levels for the FaaS Portal are as
set forth in Section 3 below.
2.8. Incident Response (IR) Services Retainer. During
the Subscription Term, if Customer requires incident response (IR)
Professional Services, Customer will have access to FireEye’s 24/7/365
IR intake procedures. FireEye will provide contact information and
details of this service shortly after the Order Effective Date. If
Customer requires IR Professional Services, FireEye will respond,
triage and determine the need for IR Professional Services, and if
FireEye determines that IR Professional Services are necessary,
FireEye will assign an IR Responder to work with Customer, including,
as necessary, for onsite assistance. All IR Professional Services will
be performed using the FaaS Supported Technology, and will be charged
on a time and materials basis, invoiced monthly in arrears, at agreed
upon hourly rates.
2.9. FireEye iSIGHT Intelligence Portal. During the
Subscription Term, FireEye will provide access to a FireEye iSIGHT
Intelligence Portal (“FIIP”), subject to the following:
a) Permitted Use; Reports. Customer may access, view and
use FIIP and content appearing on FIIP (“FIIP Content”) solely for
internal use. Customer understands and acknowledges that the FIIP
Content available through the CV Subscription is more limited than
that available to customers who purchase a full iSIGHT Subscription.
Some features of FIIP may allow Customer to generate a report (each, a
“FIIP Report”). FIIP Reports and FIIP Content are FireEye Materials.
Subject to Customer’s payment obligations, FireEye grants to Customer
a limited, non-exclusive right to produce FIIP Reports using FIIP, and
reproduce and distribute those FIIP Reports and FIIP Content
internally for Customer’s own business purposes.
b) Additional Use Limitations. Customer may appoint up to
twenty (20) users of FIIP at any time. Each day, all users on
Customer’s account may collectively make up to (A) one hundred twenty
five (125) queries of IP addresses and domain names and (B) one
hundred twenty five (125) queries of malware. Customer may request
additional queries, to be evaluated by FireEye on a case-by-case basis.
c) User Content. “User Content” means any communications,
images, sounds, and all the material and information that Customer or
anyone using Customer’s account contributes to or through FIIP (e.g.,
comments to FIIP Content, suspected malware that Customer uploads to
FIIP). Customer hereby grants FireEye a perpetual, irrevocable,
worldwide, paid-up, non-exclusive, license, including the right to
sublicense to third parties, and right to reproduce, fix, adapt,
modify, translate, reformat, create derivative works from, publish,
distribute, sell, license, transmit, publicly display, publicly
perform, or provide access to electronically, broadcast, display,
perform, and use and practice such User Content as well as all
modified and derivative works thereof. Customer represents that
Customer has all necessary rights to grant the license referenced in
the preceding sentence. FireEye may use and disclose any of the
information it collects about its customers’ use of FIIP to the extent
such information is de-identified.
d) Restrictions. Customer may not access FIIP by any means
other than through the interface that is provided or approved by
FireEye. Customer will not collect any information from or through
FIIP using any automated means, including without limitation any
script, spider, “screen scraping,” or “database scraping” application,
and Customer will not damage, disable, overburden, or impair FIIP or
interfere with any other party’s use and enjoyment of FIIP.
e) Customer acknowledges that some optional features and
content appearing on FIIP may require payment of additional fees.
2.10. Reseller and Partner Purchases. If Customer
receives the Subscription via a FireEye authorized services or support
partner (a “Partner”), Customer agrees that the Subscription and FaaS
Reports may be delivered to Customer through the Partner.
Notwithstanding any other confidentiality obligations between the
parties, Customer authorizes FireEye to disclose information related
to the Subscription and Customer Data to Partner.
2.11. FaaS for ICS. If Customer has purchased the
additional ICS Monitoring feature of the CV Subscription (“ICS
Monitoring Subscription”), the following terms will govern the ICS
Monitoring Subscription: (a) FireEye will, in addition to the services
described in Sections 2.1-2.6 of this Exhibit, monitor Customer’s TAP
Subscription for malicious activity based on custom rules developed by
FireEye in consultation with the Customer; (b) FireEye will perform
additional hunting activities tailored to the Customer’s environment;
(c) Alerts resulting from the activities described in (a)-(b) will be
published to the FaaS Portal as set forth in Section 2.2 above; and
(d) additional Enabling Hardware will be provided (“ICS Enabling
Hardware”). The ICS Enabling Hardware constitutes Third Party
Material, and the hardware components of such ICS Enabling Hardware
must be returned to FireEye or the relevant third party upon
termination or expiration of the CV Subscription Term. Customer
acknowledges that the third party owner of the ICS Enabling Hardware
is a third party beneficiary of the right to enforce the obligation to
return the ICS Enabling Hardware as set forth above. The Subscription
Term for the ICS Monitoring Subscription will be the same as the CV
3. Customer Responsibilities. Customer acknowledges
and agrees that FireEye’s ability to successfully deliver the CV
Subscription is dependent on the Customer’s ability to meet its
responsibilities as outlined herein.
3.1 FireEye will have no liability for any failure to deliver
the CV Subscription as set forth herein that may arise due to
Customer’s refusal or failure to perform its responsibilities.
a) Installation Requirements. Customer will be responsible
for the following: (i) providing network architecture diagrams,
physical, and logical access to Customer’s environment for the sole
purpose of deploying and configuring FaaS Supported Technology; (ii)
upgrading pre-existing FaaS Supported Technology to the minimum
software version as referenced within the FaaS Operations Manual
for each product or service; (iii) providing confirmation
that all FaaS Supported Technology within the Customer’s environment
has been successfully configured and connected to their network
according to the individual Product’s or Subscription’s System
Administration Guide and the configurations supported as noted
in the FireEye Support Portal; (iv) providing the ability to
establish a persistent connection to the Customer’s network within the
designated port range corresponding to the country from which the CV
Subscription will be delivered as referenced within the FaaS Quick
b) Compromised Systems. Customer recognizes that the CV
Subscription is not an alternative to an incident response engagement
for an environment that is compromised prior to the start of the CV Subscription.
c) Credential Security. Customer will be responsible for
the following: (i) providing accurate information to FireEye for
provisioning access to (and removal of) Customer personnel access to
the FaaS Portal; (ii) implementing and adhering to strong password
standards; (iii) providing accurate information to FireEye for domain
whitelisting; and (iv) reporting any security issues related to the
Subscription (including the FaaS Portal) to FireEye immediately.
d) Network Segment Exclusion: Customer must notify FireEye
if specific network segments will not require FaaS monitoring.
Customer must provide detailed information regarding the specific
network segment range when possible. Examples: guest networks, testing
e) Remediating Known Compromises. Customer must make a
reasonable effort to remediate any known compromises reported by
FireEye or third party vendors. FireEye may choose to suppress alerts
generated by known compromised systems until such time the compromise
3.2. Exclusions. Notwithstanding anything else contained in
these Terms to the contrary, FireEye shall have no obligation or
responsibility to provide the CV Subscription for (i) Products that
the Customer (or FireEye or another third party on Customer’s behalf)
has configured with a one-way feed of FireEye’s Dynamic Threat
Intelligence (DTI) Subscription; (ii) FaaS Supported Technology that
has been declared end of support or that are not currently supported;
(iii) FaaS Supported Technology that has no active Support Service in
place; (iv) FaaS Supported Technology for which software updates have
not been applied; (v) Products that have not been installed and
deployed; or (vi) FaaS Supported Technology that is misconfigured or
incorrectly deployed, which prevents the FaaS Supported Technology
from monitoring the Covered Systems. Customer acknowledges that to
facilitate FireEye’s efficient performance of the CV Subscription,
FireEye may control some features and functionality of the FaaS
Supported Technology, and that such features or functionality may not
be available for Customer’s independent use during the Subscription Term.
4. FaaS PORTAL AVAILABILITY
4.1 Uptime. FireEye shall undertake commercially
reasonable efforts to ensure the FaaS Portal availability for 99.9% of
the time during each calendar month.
a) “Service Outage” is where the FaaS Portal is not
available due to a failure or a disruption in the FaaS Portal that is
not the result of Scheduled Maintenance, Emergency Maintenance, a
force majeure event or of the act or omission of Customer.
b) “Scheduled Maintenance Period" is the period during
which weekly scheduled maintenance of the FaaS Portal may be
performed, or a maintenance window otherwise mutually agreed upon by
FireEye and Customer.
c) "Emergency Maintenance" means any time outside
of Scheduled Maintenance that FireEye requires to apply critical
patches or fixes or undertake other urgent maintenance. If Emergency
Maintenance is required, FireEye will notify Customer, to the extent
possible under the circumstances, and provide the expected time frame
of the Emergency Maintenance and availability of the FaaS Portal
during the Emergency Maintenance.
d) "System Availability" means the number of
minutes in any calendar month minus the aggregate number of minutes of
all Service Outages that occur during that calendar month.
a) If the FaaS Portal does not meet the monthly service
availability defined in 4.1, FireEye will provide a credit to the
Customer in accordance to the table below (“Credit”) for a validated
SLA Claim (defined below). The percent of FaaS Portal availability per
calendar month (in the table below) is equal to the result, expressed
as a percentage, of the number of minutes of System Availability in a
calendar month divided by the total number of minutes in the calendar month.
Percent of FaaS Portal Availability per
b) For determining the Credit, the duration of a Service
Outage will be measured as the time starting when Customer experiences
a disruption in availability of the FaaS Portal and ending when a
successful solution or workaround allowing for full restoration of the
FaaS Portal is provided by FireEye to Customer. Customer must notify
FireEye in writing of any Service Outage no later than fifteen (15)
days after the calendar month in which the Service Outage occurred
(“SLA Claim”) to be entitled to a Credit for that Service Outage.
c) Any Credits earned by Customer hereunder will be applied
to the Subscription Fees owed by Customer for the next Subscription
Term for which the Credit applies. If Credits cannot be applied to
future Subscription Fees because the Subscription Term has terminated
for non-renewal or for a material uncured breach by Customer, such
credits shall become null and void. If Credits cannot be applied to
future Subscription Fees because the Subscription Term has terminated
due to a material uncured breach by FireEye, FireEye will promptly pay
Customer the amount of the Credit. Customer shall not be entitled to
receive a Credit that exceeds 10% of its prorated monthly Subscription
Fee for a Service Outage for the applicable calendar month.
Back To Top