As a reminder

The supplier (Harfanglab SAS – RCS n° 839 045 697) has developed software for the detection, investigation and remediation of cyber-attacks (the “Software”). The solution is made up of software agents (the “Agents”), deployed on the endpoints (servers and/or workstations) of the customer’s IT system. The Agents communicate with a central manager (the “Manager”), which sends orders and stores the data reported by the Agents. The Manager operates the detection, investigation and remediation modules. Algorithms and detection engines, integrated into the Software and updated by the Editor, identify suspicious behavior and artifacts, and generate alerts where necessary. The Software also integrates remediation functions to neutralize the threat and prevent its propagation. The Manager can interface with other software via connectors (APIs). The parties hereby agree as follows:

1. Definition

Terms beginning with a capital letter have either the definition given in the text or the following definition:

• Operator: means the legal entity in charge of operating the Software, i.e. either (i) the Partner, if the Partner provides CSIRT or SOC services in addition to Software distribution, or (ii) the Customer, if the Customer operates the Software directly, or (iii) the Customer’s security provider.
• Documentation: means the installation, use and administration manuals, whatever their medium, describing the operation and/or implementation of the Software, communicated or made available by the supplier and which may be updated by the supplier.
• Software: means the Agents and the Manager in object code form and any patches, fixes, enhancements, updates or versions thereof provided by the supplier.
• Maintenance: means the provision by the supplier of Anomaly correction and Software updates, the terms of which are specified herein.
• Deployment Mode: refers to the environment on which the Manager is installed and the manner in which the Software is deployed, i.e. (i) either from the supplier’s cloud or (ii) either on-premises whether in the Partner’s, the Customer’s or the Customer’s third-party provider’s infrastructure.
• Partner: means the legal entity that has entered into a partnership agreement with the supplier for the distribution of the Software.
• Prerequisites: refers to the hardware, software and minimum connection configuration of the Customer’s information system, and to the information to be provided to the supplier that is necessary for the installation, configuration and proper operation of the Software.
• Royalty: means the amount payable for the Software License, Maintenance and Support for a period of twelve (12) months.
• Support: means the supplier’s technical assistance service, the purpose of which is to respond to problems encountered by Users in using the Software, to assist them and to provide a knowledge base, the terms of which are specified herein.
• User: means the person(s) employed by the Operator who uses all or part of the Software as part of its supervision and/or incident response activities.
• Customer: means the legal entity for whose benefit the Software is used and within which the Agents are installed.
• Administrator(s): means the person or persons employed by the Customer who act as the supplier’s contact for Maintenance or Support activities.
• Anomaly: means any reproducible failure, blockage, malfunction or incident, the correction of which is necessary because it prevents or restricts normal use of the Software according to the following levels: o An anomaly is classified as “Blocking” when the Manager is unavailable, the Agent does not start or causes a critical error in the device operating system. o An anomaly is classified as “Non-Blocking” when it induces a disturbance in the use of the Software without preventing security supervision.
• IPR: refers to, but is not limited to, any intellectual property right or right of any kind and all its dismemberments, as well as any object of these rights, including in particular any patent, invention, trademark, trade name, topography, design, model, database, copyright, sui generis right, know-how, whether these rights are registered or not, as well as any application for registration or filing concerning them.
• Production Incident: means a situation where the Software is no longer nominally accessible due to either (i) an error in the configuration of the Software and/or its dependencies, (ii) non-compliance with the Prerequisites, (iii) a failure to supervise and manage the resources used by the Software, or (iv) a hardware, network equipment or server failure.
• Open Source: refers to IT developments included in the Software libraries which are supplied to the Customer under an “Open Source” license.
• Prerequisites: means the hardware, software and minimum connection configuration of the Customer’s information system and the information to be provided to the supplier necessary for the installation, configuration and proper operation of the Software.
• Endpoints: refers to the customer’s servers and/or workstations on which the Agents are installed.

2. Purpose of the General Terms and Conditions

The purpose of these supplier Terms and Conditions (“PTC”) is to define the conditions applicable to (i) the types of licenses (“License”) that may be granted by the supplier for the Software, and (ii) the provision of Support, Maintenance and, where applicable, hosting on the supplier Cloud.

3. Rights granted according to license type

Depending on the type of License planned and/or selected by the Customer, and agreed with the supplier, the latter grants the Customer the following rights, subject to the limitations set forth in this Article :

• User License: The supplier grants the Customer, on a non-exclusive, personal and non-transferable basis, a right to use the Software for internal use and for the scope and duration agreed in the relevant contract. The Operator is authorized to access and use the Software on behalf of the Customer when it provides supervision services (SOC) on behalf of the Customer under the conditions and according to the terms set out above. The Manager may be installed, depending on the Deployment Mode (ii) either in the supplier’s Cloud, (ii) or On-premises.
• CSIRT license: The supplier grants the Customer a non-exclusive, personal and non-transferable right to use the Software for the purpose of resolving security incidents to the exclusion of any other purpose, within the scope of the contract and for a period of three (3) months. The Operator is authorized to access and use the Software on a non-exclusive, personal and non-transferable basis, for internal use only and for a period of three (3) months from the date it is made available. If the incident response mission has not been completed by the end of the initial three (3) month period, rights of use are extended for a further one (1) month.
• Evaluation License : Prior to the conclusion of a Software license agreement, and for the sole purpose of enabling the Customer to evaluate the suitability of the Software for its needs (“Evaluation”), the supplier grants the Customer a non-exclusive right to use the Software for Evaluation purposes, personal and non-transferable, for internal use, for a maximum of 200 endpoints and for a period of two (2) months from the date of availability, in the country where the Customer is domiciled (i.e. where the Agents are installed).

Depending on the type of License planned and/or selected by the Partner, and agreed with the supplier, the latter grants the Partner the following rights, subject to the limitations set forth in this Article :

• Evaluation License : Prior to the conclusion of a partnership agreement, and for the sole purpose of enabling the Partner to evaluate the suitability of the Software for the needs of its customers and/or prospects (“Evaluation”) the supplier grants the Partner a non-exclusive, personal and non-transferable license to use the Software for Evaluation purposes, for a maximum of 200 endpoints and for a period of two (2) months from the date of provision, in the country where the Partner is domiciled (i.e. where the Agents are located).
• Demonstration License: As part of the distribution of the Software, the Partner may present scenarios for the use of the Software to prospective customers (“Demonstration”). The supplier grants the Partner, on a non-exclusive, personal and non-transferable basis, a license for the sole purpose of carrying out demonstrations for the benefit of its customers and prospects for a maximum of 200 endpoints and for the duration of the contract.

Under the Evaluation License and Demonstration License, and to the extent permitted by applicable law, the Software, Documentation and Services are provided on an “as is” basis without warranties of any kind, including those set forth herein.

Limitations: Regardless of the type of license granted, the Customer, the Partner, and the Operator if applicable, acknowledge that the supplier does not grant any ownership rights to the Software, IPR or Open Source but only the right to use them in accordance with the License granted to them. The right to use Open Source derives from the open source license applicable to the software concerned. Information on Open Source may be provided on written request by the Customer or the Partner. The Customer, the Partner and the Operator, as the case may be, therefore undertake not to infringe the relevant IPR and refrain from, without this list being limitative and unless they have obtained express authorization from the supplier, the following behaviors:

• Decompile, disassemble or reverse engineer the Software, except for purposes of interoperability and under the conditions set forth in Article L. 122-6-1 of the French Intellectual Property Code, only after first requesting the necessary information in writing from the supplier and only if the supplier refuses to provide such information;
• Attempt to discover the structure of the source code or any other operational mechanism of the Software;
• Reproduce the Software other than to make a single identical copy for backup purposes in accordance with the provisions of the French Intellectual Property Code;
• Modify, correct, translate, arrange, adapt all or part of the Software or create derivative works from the Software or extract and reuse a qualitatively or quantitatively substantial part of the Software;
• Market, sub-license, distribute, transfer, transmit rights, rent, pledge, broadcast or make available the Software by any means whatsoever or copy all or part of the Software on any public or private network whatsoever other than in accordance with the terms of this agreement;
• Remove or suppress any mention of the supplier’s IPR on the Software or on any packaging or physical support for the Software or Documentation or on any element of which the Software is composed;
• Use the Software for any purpose other than those expressly authorized, on any system or location other than those agreed;
• Reproduce the Documentation in more than the authorized number of copies, which by default is (1) copy.

The Customer, the Partner and the Operator under an Evaluation license and the Partner under a Demonstration license shall refrain from (i) using the Software in a production environment or for production purposes, except with the express prior consent of the supplier, (ii) charging, directly or through a third party, for any access to and use of the Software by a third party or using the Software, directly or indirectly, to generate revenue or commercially exploit the Software in any way whatsoever.

Termination of rights: At the end of the contractually agreed rights period (“Commitment Period”), the Customer may renew the license. If the Evaluation or Incident Response mission gives rise to an order for a User License, the rights are extended for a period of one (1) month, in order to avoid any interruption of service. In the absence of an order or renewal, the Customer undertakes to cease all access to and use of the Software, and to uninstall the Agents or have them uninstalled by the Operator. If the Software is hosted in the supplier’s Cloud, the supplier will deactivate the Operator’s access rights within ten (10) working days of the expiry of the License. The Software will then become inaccessible to Users, and after a period of one (1) month from the end of the License, the supplier will permanently delete the stored data. For other Deployment Modes, the Manager is uninstalled by the Customer or Operator within fifteen (15) days of the License end date. The Customer or Partner undertakes to delete or cause to be deleted any copy of the Software embedded in any other program or stored on any storage space and all information, in particular the supplier’s Confidential Information as defined in Article 7.

4. Software availability

General terms of provision: The Software is made available to the Operator by the supplier according to the Deployment Mode defined between the Parties:

• If the Software is installed in the supplier Cloud, the supplier is responsible for installing the Manager in accordance with the information provided in the order or contract, including but not limited to: the number of Agents and the length of time data will be stored. The Operator, or the Partner where applicable, must inform the supplier in writing prior to placing the order if any special conditions are likely to have an impact on the sizing of the supplier Cloud. The Software is made available to the Customer and the Operator by the provision of access identifiers to the Manager.
• In other Deployment Modes, the Software and associated Documentation will be made available in digital format via a download link.

The Software and Documentation are deemed delivered on the date they are made available.

Specific terms and conditions for CSIRT, Demo and Evaluation licenses: the Manager is installed in the supplier Cloud. For an Evaluation, the supplier sizes the supplier Cloud for 200 endpoints without data retention.

5. Installation procedure

Once the Software has been delivered, the Operator is solely responsible for deploying the Software on its information system, i.e. :

• Agents when the Software is deployed in the Cloud supplier ;
• The Manager and Agents in all other cases.

The infrastructure on which the Software is deployed must meet the Prerequisites at all times. The Requirements are available on the supplier’s support portal and may be updated by the supplier at any time, in particular to take account of changes to the Software.

6. Hosting the Manager in the supplier’s Cloud

In the event of deployment in the supplier’s cloud, the supplier provides a hosting service for the Manager accessible via the Internet (the “supplier Cloud”). The Customer acknowledges that the hosting of the Software and the data generated by its use are entrusted to a subcontractor of the supplier (the “Cloud Provider”). Consequently, hosting is carried out under the following conditions.

Availability of the Software: The Software is accessible 24 hours a day, 7 days a week, with the exception of the periods of unavailability defined below. The supplier’s commitment to availability is subject to compliance with the conditions set out in the contract. The Customer is advised of the technical hazards inherent in the Internet and of any resulting interruptions in access. The supplier cannot be held responsible for any total or partial unavailability or malfunction of the Software resulting therefrom. The supplier, in conjunction with the Cloud Service Provider, takes all necessary steps to ensure that the Software is accessible and usable under the best possible technical conditions. The Software availability rate is 99.5%. This percentage indicator measures the annual availability of the Software in the supplier Cloud. It is calculated by the following formula: total number of minutes in the year minus the number of minutes of unavailability in the year, divided by the total number of minutes in the year. The duration of unavailability excluded from the calculation of the availability rate corresponds to the sum of unavailability linked in particular to the cases described below:

• Interruptions scheduled by mutual agreement with the Operator (in particular, database reorganization, maintenance time slots, cold backups, etc.);
  Interruptions requested by the Operator or made necessary to safeguard the Operator’s information system or that of the hosting environment;
• Application failures caused by the Operator or a third party;
• Malfunction of the customer’s hardware or local network, total or partial interruption of the Internet or private WAN network enabling the customer to access the Software;
• The time required for the physical transfer of any stored data;
• Interruptions related to services provided by a third party other than the Cloud Provider;
• Maintenance operations on the hosting infrastructure or the Software ;
• Malfunctions resulting from the non-application of a recommendation made by the Cloud Service Provider or supplier to maintain the level of service quality or during a Maintenance operation;
• Any period during which the Operator fails to provide the necessary information or access or to cooperate in resolving a Production Incident;
• Any interruptions due to malfunctions on the Operator’s side or failure by the Operator to meet its obligations;
• Cases of force majeure as defined by French case law.

The Operator is responsible for the means of access to the Software, as well as for the administration of rights and Users (in particular for defining identifiers). The Customer is responsible for protecting access to the Manager.

Security and backup: The security measures implemented by the Cloud Service Provider are available at the following address: PS-I – OVH. Backups of stored data are carried out in accordance with the supplier’s continuity and disaster recovery plan.

Reversibility: In the case of a License to Use, the supplier will, at the express request of the Customer, return to the Customer any data of which the Customer does not hold a copy at the end of the contract. The return must be requested from the supplier no later than fifteen (15) days before the last day of the term of the License. Database data will be returned by providing a download link in binary format as supported by the Elastic/OpenSearch backup mechanism; configuration elements will be returned in yaml format. Any other request for assistance in connection with the reversibility or portability of this data will be invoiced separately to the customer, on the basis of the supplier’s price list in force at the time.

7. Warranties

Warranty of Conformity: The supplier warrants that, for a period of thirty (30) days following the date of availability of the Software (the “Warranty Period”), and subject to use in accordance with the provisions of the contract, the Software will operate in conformity with the Documentation. In the event of a written complaint to the supplier describing the non-conformity during the Warranty Period, the supplier will use its best efforts, at its discrSMBon, to correct the non-conformity either by means of a patch or a workaround. If the supplier is unable to correct the non-conformity within thirty (30) days of receipt of the complaint, the parties may terminate the contract, in which case the Customer may request from the Partner or the supplier, depending on who sold him the License, a refund of the amount of the Royalty paid prorata temporis. This guarantee of conformity will not apply if the non-conformity is not reproducible or results from (i) use of the Software not in conformity with the provisions of the contract, (ii) a malfunction of the Operator’s or Customer’s computer system, or (ii) the fact that the Software has become inoperative for reasons beyond the supplier’s control.

Warranty of quiet enjoyment. The supplier warrants that the Software does not infringe or violate any copyright or intellectual property right of any third party. Consequently, the supplier undertakes to pay all damages which the Partner and/or the Customer may be ordered to pay by a final judicial decision as a result of a breach of this warranty. This warranty of eviction only applies on condition that the Partner or Customer: (i) notifies the supplier in writing of any claim, demand or legal action brought by the third party without delay from the date of notification by the said third party; (ii) allows the supplier to take charge of the defense and of any negotiation with a view to an amicable solution, it being specified that the Partner or Customer may also have its interests defended by any lawyer of its choice; (iii) does not execute a judgment or agree to compromise without the supplier’s written consent; and (iv) provides the supplier with all information and assistance necessary to defend its interests. Where the warranty of eviction is invoked, the supplier may, at its option: (i) obtain the right for the Partner or the Customer to continue using the disputed elements; (ii) modify all or part of the disputed elements so that the Software ceases to infringe the intellectual property rights of the third party, while remaining in conformity with the contract; (iii) provide an alternative solution, at isoperimeter; or (iv) terminate the contract and reimburse the Partner or the Customer, as the case may be, the Royalty paid, less the amount of the Royalty corresponding to the period of enjoyment of the Software. However, the supplier shall have no liability under this warranty if the third party’s claim arises from : (i) use of all or part of the Software in combination with any software, hardware, products or other equipment or materials not supplied or approved by the supplier; (ii) use of the Software not in accordance with the supplier’s Documentation; or (iii) modification, maintenance or alteration of the Software not performed or authorized by the supplier. The provisions of this article establish the sole and exclusive obligations and responsibilities of the supplier in the event of infringement of a third party’s IPR. The Parties agree that, insofar as is necessary, the present article shall survive the termination or expiration of the contract.

Guarantee of information: The Software enables alerts to be issued representing potential information system security risks. It is not a solution to guarantee the security of an information system, the resolution or identification of any security incident, or to meet any of the Customer’s specific needs. The Customer remains at all times responsible for implementing all other measures necessary to ensure the IT security of its infrastructures, in particular the backup of its data and the training of its employees on this subject. The supplier cannot be held liable if the Software is used in the context of a response to a security incident at the Customer’s premises, and the Customer or the Operator are unable to put an end to the said incident.

Operator’s warranties: In connection with the use of the Software, the Operator represents and warrants, for the entire duration of the use of the Software:

• That it complies and will comply with all laws applicable to it concerning the use of the Software, in particular the obligations incumbent upon it with regard to its personnel in the context of the processing of their Personal Data, as defined below;
• That it will comply with the Prerequisites and Documentation and refrain from using software packages, software or operating systems not identified as compatible with the Software;
• That any elements supplied or collected by the Software do not infringe or violate any copyright, trademark or other intellectual property or other right of any third party;
• That the Customer acknowledges that the Software is not intended to be used to monitor staff activity, in particular during employee appraisals. The Editor may not be held liable for any decision taken by the Customer on the basis of information provided by the Software. Accordingly, any disputes arising between the supplier and employees or third parties as a result of decisions taken on the basis of feedback provided by the Software will be settled directly between the Customer, the parties concerned and the Partner where applicable, and the supplier will not be involved in the resolution of such disputes.
• In the case of the Customer, that it will inform Users that it is using the Software and that the information feedback provided via the Agents installed on the workstations may give access, for the sole purpose of managing the security of the information system, to all information and documents contained on the workstations, including information, data, files or directories identified as personal by the Users or containing Personal Data.

8. Termination

The End-User License Agreement may be terminated ipso jure by either Party in the event of a breach by the other Party of its obligations which has not been remedied, where possible, within thirty (30) days of formal notice to remedy, it being specified that the letter of formal notice must refer to the present provision. The Customer’s obligations under this article are as follows: (i) compliance with the conditions of access to and use of the Software; (ii) compliance with the supplier’s intellectual property rights and the terms of the license granted; (iii) compliance with the warranties and Prerequisites, (iv) compliance with the confidentiality undertakings and (v) payment of the sums due to the supplier. The obligations of the supplier referred to in this article are as follows: (i) failure to achieve the annual availability rate of the Software, and (ii) compliance with confidentiality undertakings, (iii) compliance with the compliance guarantee, and (iv) compliance with its obligations with regard to the protection of personal data. In the event that the said breach cannot be remedied, the period of thirty (30) days shall operate as a notice period prior to termination.

9. Privacy

Each Party undertakes to maintain the confidentiality of all confidential information of the other Party as defined below (the ” Confidential Information“), to which it may have access or of which it may become aware in the course of negotiating and performing the contract, for the entire duration of the contract, and for five (5) years after termination of the contract (except for Personal Data for which the retention period is longer or shorter),

for any reason whatsoever. The Parties agree that the following shall be considered as Confidential Information: (i) all information, analyses, studies and other documents in any form whatsoever relating to the content of discussions between the Parties or to the contract, (ii) methodologies, products, IT tools and developments, hardware, industrial models, know-how and financial, ethical, economic, technical, commercial or other data such as, in particular, all information relating to business, accounts, management, commercial operations and administrative, financial and markSMBng activities; (iii) other information identified in writing as confidential by one of the Parties; (iv) Software and Documentation. The Parties undertake to treat the Confidential Information of the other Party in the same way as their own Confidential Information and not to disclose the Confidential Information to third parties in any way whatsoever. Notwithstanding the foregoing, insofar as their disclosure is strictly necessary, the Parties are authorized to communicate certain essential Confidential Information to their respective agents, advisors and/or subcontractors (the “Authorized Third Parties”). In any event, the Parties agree that the use and/or disclosure of Confidential Information to an Authorized Third Party is subject to the conclusion of a confidentiality agreement incorporating this provision. Pursuant to Article 1204 of the French Civil Code, the Parties undertake to ensure that Authorized Third Parties comply with this confidentiality obligation. The obligations set out in this article do not apply to Confidential Information:

• Which were known to the Parties prior to the date of signature of the contract;
• Which were in the public domain at the date of their communication;
• Which have been communicated or may be communicated to a Party by a third party without breach of an obligation of confidentiality;
• Which are accessible to the public by publication or any other means of communication, unless this is the result of a breach of the present obligation of confidentiality; or the disclosure of which is required by law or by an administrative or judicial decision;
• Which must be brought to the attention of the Customer for the purposes of making the Software available or using it for the Customer’s benefit.

All physical media containing Confidential Information are and remain the property of the Party communicating them. No reproduction or use whatsoever is authorized without the prior written consent of the Party concerned. Notwithstanding the terms of the present article, the Customer, the Operator and, where applicable, the Partner, are hereby informed that the supplier may transmit any information in its possession which may be legitimately requested by or on the authorization of a judicial or administrative authority, without the supplier being held liable in this respect. In order to set up an Evaluation License, the Customer will be required to sign a confidentiality agreement with the supplier, separate from the supplier’s present General Terms and Conditions. In this event, and in the event of any contradiction between the provisions of the confidentiality agreement and the present confidentiality clause, the Parties acknowledge that the provisions of the confidentiality agreement shall prevail.

10. Personal Data

Each of the Parties reciprocally undertakes to comply with the regulations in force relating to personal data as they result from Regulation (EU) 2016/679 of April 27, 2016 on data protection (“RGPD”), the French Data Protection Act no. 78-17 of January 6, 1978 in its updated version and any relevant recommendations of the CNIL relating to their activity (the “Data Privacy Regulations”). For the purposes of this article and the provisions of the appendices relating to data protection, the terms “Personal Data”, “Processing”, “Data Subject”, “Data Controller” and “Subcontractor” have the same meaning as in this article.
“Subcontractor” have the meaning given to them by the Data Privacy Regulations.

Qualifications of the Parties: The qualifications of the Parties are as follows with regard to the Processing implemented under the contract:

• When using the Software, the Customer systematically acts as the Data Processor and the Operator, if different from the Customer, systematically acts as the Subcontractor on behalf of and on the documented instructions of the Customer.
• When the software is deployed in the supplier Cloud, the supplier is responsible for hosting the Software and acts in this capacity as the Customer’s Subcontractor;
• In the context of Processing relating to the provision of Support and Maintenance services (“Maintenance Processing”) and Processing relating to the improvement of the functionality of the Software (“Enhanced Detection Processing”), the supplier acts as Processor.

supplier’s commitments. In accordance with the Data Privacy Regulations, the supplier, when acting as a Subcontractor of the Customer, undertakes to :

• Process Personal Data only on written instruction from the Customer and inform the Customer if an instruction does not comply with the Data Privacy Regulation, including with regard to any transfers of Personal Data to a third country, unless required to do so under Union law or the law of the Member State to which the supplier is subject; in this case, the supplier shall inform the Customer of this legal obligation prior to Processing, unless the relevant law prohibits such information for important reasons of public interest ;
• Ensure that persons authorized to process Personal Data working at the supplier undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality;
• Implement the measures necessary to guarantee the security and integrity of Personal Data and their processing described in the supplier’s security assurance plan.
• To provide reasonable assistance to the Customer, through appropriate technical and organizational measures, to the fullest extent possible, in fulfilling its obligation to respond to requests made by Data Subjects to exercise their rights (access, delSMBon, etc.) by transferring the request to the Customer without responding to it, unless expressly instructed otherwise, and to provide the same assistance with regard to the Customer’s performance of prior consultations or data protection impact analyses concerning Processing and exclusively within this scope;
• Reasonably assist the Customer in ensuring compliance with its security obligations, taking into account the nature of the Processing and the information available to it in accordance herewith;
• Delete all retained Personal Data unless Union law or Member State law requires retention of Personal Data;
• Make available to the Customer within a reasonable period of time all information necessary to demonstrate compliance with the obligations set forth in this Article and allow for one audit per year, including inspections by the Customer, and contribute to such audits, it being understood that any audit or penetration test shall be subject to prior written agreement on its terms and scope.
• Inform the Customer, as soon as possible and if possible within 48 hours of becoming aware of a breach of Personal Data due to a proven security breach by the supplier or the host of the Personal Data;
• To cooperate in a reasonable manner with the CNIL if necessary, and to cooperate with the Customer in the event of a request made by the CNIL concerning the Processing, which implies, (i) if the request is addressed to the supplier, to inform the Customer as soon as possible, unless such information is prohibited by applicable law, and (ii) if the request is addressed by the CNIL to the Customer, to provide reasonable assistance to enable the Customer to respond to the CNIL;
• Cease all processing of Personal Data as of the termination or expiration of the contract, other than as necessary for the fulfillment of the Personal Data reversibility commitments set forth herein.

Maintenance and Improved Detection Processing: Maintenance and Improved Detection Processing are described in the privacy policy relating to the use of the Software, which is available on request from the supplier. These Processing operations are carried out by the supplier in its capacity as Data Controller. In this capacity, the Customer declares that he/she is aware of the characteristics of this Processing. The supplier declares that the Processing is compatible with the original purpose of the Processing and undertakes to comply with the obligations incumbent upon it in its capacity as Data Controller in accordance with the Data Privacy Regulations.

Subsequent subcontracting by the supplier: The Customer acknowledges that the supplier has recourse to Subcontractors, and in particular to the Cloud Service Provider, to enable it to fulfil certain of its obligations hereunder. The complete list of Subcontractors at the date of signature of the present contract is given below. Signature of the contract implies express acceptance by the Customer of the Subcontractors used by the supplier to perform the services listed below. In the event of a change to this list, the supplier undertakes to provide the Customer and the Partner with the updated list of Subcontractors, so as to enable the latter to object to the appointment of a Subcontractor solely on legitimate and substantiated grounds (i.e. compSMBtor, service provider with whom the Partner has an ongoing dispute), which must be communicated to the supplier in writing. In the absence of a reservation by the Customer or the Partner within ten (10) days of the information being sent, the Customer and the Partner will be deemed to have accepted the new Subcontractors. Should the Partner or the Customer refuse a Subcontractor, the supplier reserves the right to apply prices different from those initially agreed to take account of this refusal. The characteristics of the processing concerned by the subsequent subcontracting are as follows:

• Purpose of processing: Hosting
• Type of processing: Data hosting and storage
• Duration of treatment : Commitment period
• Purposes of Processing: Hosting
• Categories of Data : Telemetry data and name/first name, e-mail address, browsing data
• Categories of Sensitive Data: N/A
• Categories of Data Subjects : Users of the customer’s information system.
• Subcontractor: OVH, located in France

The Customer may request further information. In the case of a supervised service, and in the case of transfers to a recipient or authorized third party located in a country outside the European Union (EU), the Customer authorizes the supplier, if necessary, to sign, in its name and on its behalf, standard contractual clauses with Subcontractors handling the Customer’s Personal Data located outside the EU.

11. Support

Support is offered via an online service accessible at the following address: www.harfanglab.io. It is designed to help the Operator solve problems, and is not intended to replace Administrator training:

• A knowledge base, in principle available 24/7/365 outside the maintenance periods of the platform hosting the said base, offering answers to recurring problems that the Administrator may encounter;
• Various technical documentation on installation and use of the Software ;
• A ticket system enabling Administrators to contact the Editor’s teams. Tickets will be processed by the Help Center team from 9:30 a.m. to 5:30 p.m. Central European Time (GMT+1), Monday to Friday inclusive, excluding public holidays. In the event of unavailability of the support portal, requests should be sent to the following address: support@harfanglab.fr.

Support is organized into the following three levels:

Support is offered via an online service accessible at the following address: www.harfanglab.io. It is designed to help the Operator solve problems, and is not intended to replace Administrator training:

LEVEL 1 ( N1 ) :

• Definition: Requests for information on the Software or requests relating to a malfunction that can be easily remedied.
• Actions :
  • Record request (date, time, reason) ;
  • Carrying out an initial assessment of demand, establishing a diagnosis of demand and proposing recommendations on the basis of information sheets.

LEVEL 2 ( N2 ) :

• Definition: requests relating to a malfunction that may require the Editor to access the Manager.
• Actions :Console access for :
  • Diagnose the fault (if not done in N1) ;
  • Guide the User via videoconference through the complex resolution of the problem.

LEVEL 3 ( N3 ) :

• Definition: Requests relating to an Anomaly requiring a high level of expertise on the Software.
• Actions :
  • Taking into account the request in the Software maintenance service ;
  • Support and best practices on Software operation and feedback.

When acting as an Operator, the Partner is responsible for providing Level 1 and Level 2 Support, failing which the supplier provides the various levels of Support.

12. Maintenance

General provisions: Any patches or updates to the Software are made available to the Operator in the same way as they are delivered. The description of the modifications is available in the Documentation. New versions of the Software are made available on a monthly basis, while bug fixes are made available on a weekly basis, in the form of “hot-fixes” where necessary. These rates are given for information only and may be subject to change. To benefit from Maintenance,
the following conditions must be met:

• The Operator must have appointed at least one Administrator and communicated to the supplier his name, telephone number and e-mail address and any subsequent changes to this information, so that this information is always up to date. The Operator must appoint a new Administrator in the event of absence, sick leave or departure of the current Administrator, so that there is always an Administrator in charge;
• Unless otherwise instructed by the supplier, the Customer and the Operator must use the Support portal to report Anomalies;
• The Customer or the Partner, as the case may be, are up to date with their payment obligations to the supplier;
• If the Software is not deployed in the supplier Cloud, give the supplier remote access to the Manager via the Software’s “EDR Update” module;
• Use a version of the Software still under maintenance at the time of the Support request.

Installing updates : Manager updates are installed bysupplier from the “EDR Update” module. If the customer or operator has deactivated the “EDR Update” module, the operator is responsible for updating the Manager. Installation of Agent updates is the responsibility of the Operator.

Upgrade maintenance: Under upgrade maintenance, the supplier provides the Customer with (i) improvements to the functions and modules covered by the license subscribed to. Upgrade maintenance does not extend to new modules that may be offered by the supplier in the future. The Customer and the Partner accept that the supplier may include any technical protection measure useful for controlling the use of the Software in strict compliance with the license granted. In addition, the Customer and the Operator may request the supplier to make improvements to the Software, and in particular to develop new functions or APIs. The Parties agree that the supplier shall have no obligation to carry out these developments, which constitute additional services, or to integrate them into the Software.

Troubleshooting: Once a ticket for an Anomaly has been opened on the Support portal, the response times are as follows:

• In the case of Evaluation or Demonstration licenses: the recorded anomalies are then corrected as soon as possible;
• In the case of a License to Use, Software Defects are then processed within the following timeframes:

*during Support opening hours, i.e. 9:30 – 17:30 CEST, excluding French public holidays

The Operator and the Customer undertake to cooperate with the supplier in resolving Production Anomalies and Incidents, in particular by :

• Providing sufficient information to the Editor to enable it to reproduce the Anomaly and in particular (i) a clear and precise description of the Anomaly; (ii) the Software component concerned; (iii) the function that was in use when the Anomaly occurred and/or the sequence of instructions that led to the Anomaly; (iv) the error message displayed when the Anomaly occurred, if applicable; (v) sufficient details to enable the supplier to qualify the Anomaly, determine its level and measure its impact on the Customer’s activities; and (vi) any other information concerning the Hosting, the Software or the Anomaly, including in particular a copy of the data contained in the database included in the Software;
• Providing answers to questions and requests for information and guaranteeing the necessary access to their premises, equipment and any necessary information and/or Documentation, as well as, where applicable, the availability of the Users concerned to facilitate the implementation of Support and Maintenance interventions.

The supplier will not be obliged to correct the Anomaly in the following cases: (i) failure of the Operator and/or the Customer to cooperate in resolving the Anomaly and in particular in responding to questions and requests for information, (ii) use of the Software not in accordance with its intended purpose or Documentation, (iii) unauthorized modification or attempted modification of the Software by the Partner, the Customer or a third party, (iv) failure to comply with the Prerequisites, (v) use of any software packages, software or operating system not compatible with the Software, (vi) failure of communication networks. In the event that the supplier accepts or is requested by the Customer to intervene when the Anomaly results directly or indirectly from a failure by the Partner or the Customer to comply with the obligations contained herein, the Operator undertakes to pay the supplier any costs due in this respect for time spent by the supplier’s personnel or its subcontractors.

13. Supplementary benefits

The Operator may order additional services from the supplier which are not included in the contract, such as (the list below is not exhaustive):

• Support for installing and/or updating the Manager when installed on-premises;
• Support for special settings according to specifications ;
• Configuration of connectors to third-party solutions;
  Additional training courses;
• Developments such as new functions, connectors or APIs.

These services will be the subject of a quotation subject to acceptance by the Operator and of an order form separate from the present signed by the Parties.